Human error continues to be the main cause of data breaches in Australia, according to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable data breaches report.
The OAIC received 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months. Nearly two in five breaches were attributed to human error.
“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received – up 18% to 204 – and proportionally – up from 34% to 38%,” said Australian information commissioner and privacy commissioner Angelene Falk.
“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.
“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices,” Falk added.
Malicious or criminal attacks accounted for 310 notifications during the period (58%), and system faults were responsible for 25 notifications (5%).
John Donovan, managing director for Australia and New Zealand at Sophos, said the increase in breaches arising from human error was concerning, suggesting that Australian employees were failing to recognise and mitigate emerging cyber threats appearing under remote working conditions.
“The importance of cyber awareness training cannot be underestimated, particularly as so many organisations continue to operate under remote or hybrid working arrangements. Efforts to build a cyber-aware culture must be promoted throughout all levels of organisations and across all sectors,” he said.
Breaches by industry
Health service providers again notified the most data breaches (23%) of any industry sector, followed by finance, which notified 15% of all breaches.
For the first time, the Australian government entered the top five industry sectors by notifications, accounting for 6% of all breaches, with human error the leading cause.
“Ensuring the security of personal information is an area of regulatory focus for the OAIC, particularly in the health and finance industries, which have consistently been the top two sectors to report breaches,” Falk said.
Against this backdrop, the OAIC has called for organisations to have effective systems in place for responding to data breaches.
“Being prepared for a data breach is important for all entities that handle personal information,” Falk said. “Entities must have effective systems for detecting, containing, assessing, notifying and reviewing data breaches.
“Critically, they need to provide individuals with clear and timely information about data breaches, including recommendations on steps they can take to protect themselves from harm. Any unnecessary delay in providing this information undermines the purpose of the Notifiable Data Breaches scheme.”
Falk also encouraged organisations to use the information and guidance provided in the report to help review their processes and ensure they are fit for purpose.
“We are nearing three years of operation of the Notifiable Data Breaches scheme and expect that entities have systems in place to report breaches in line with legislative requirements.
“We also expect organisations to have improved the security of personal information they hold to prevent breaches. We will continue to closely monitor compliance with the scheme and prioritise regulatory action where there are significant failings,” she said.