Revelations about the rate at which Australian companies are being compromised were “shocking”, a security specialist has warned in the wake of new breach analysis figures suggesting that most global incidents involve identity theft and are perpetrated by malicious outsiders.
A total of 2.6 billion data records were stolen, lost, or exposed around the world last year, according to the 2018 Gemalto Breach Level Index report. That represented an 88 percent surge compared with the previous year – made even more ominous by the companion finding that the number of breaches (1765) actually decreased by 11 percent over the previous year.
Human error was flagged as a major risk management and security issue, with 1.9 billion records – a 580 percent increase over the previous year – exposed due to accidental loss through improper disposal of records, misconfigured databases and other unintended security issues.
A preponderance of fewer but larger breaches highlights the poor ongoing data-security practices at companies that are aggregating increasingly large caches of personally identifiable information (PII), ANZ regional director Graeme Pyper told CSO Australia.
“Accidental loss is something that can be easily avoided, or should be able to be,” Pyper said. “But you’ve got to be treating customer data, and other sensitive information, with the level of care that we should be providing. It all comes back to doing the basic things correctly.”
Accidental loss was also the major factor in Australian data breaches reported under the new notifiable data breaches (NDB) scheme that came into effect on February 22.
The first quarterly report of the Office of the Australian Information Commissioner (OAIC) noted that 63 data breaches had been reported during the first 38 days of the scheme – with human error to blame in the majority of cases.
This level of breach was “kind of shocking,” Pyper said, “and I wasn’t expecting it to be as high as it was. But I think there is a level of complacency [about security]: when you go to a company and ask where their data is nobody seems to have a strong answer to come back and say ‘we’re doing this and this and this’.”
Increasing visibility of data breach details is filling in the bigger picture about the true extend of cybersecurity, which has been dramatically underreported in the past due to a lack of clear information.
At the reported run rate for NDB breaches, for example, Australian businesses will be on track to suffer around 605 data breaches over the next 12 months – but just 114 breaches were voluntarily reported to the OAIC during fiscal 2016-17.
Incidents unearthed by legislation such as the NDB will support the efforts of organisations like Gemalto – whose Breach Level Index site catalogues most known breaches – and Verizon, whose Data Breach Investigations Report (DBIR) relies on dozens of third parties to submit information about more than 53,000 incidents and 2216 confirmed data breaches.
“We’re always on the lookout for more data,” Verizon principal consultant Chris Tappin recently told CSO Australia. “I know a large number of the incidents we investigate, for larger customers around Australia, don’t ever make the news. Some of the things where there is a financial element never get reported.”
"Hopefully, we will see more data breaches getting reported with the NDB legislation,” Tappin added. “I don’t get the impression that people are taking it that seriously, and it’s going to take a big mainstream media headline, or someone being hit with big fines, for people to sit up and really take notice.”
Based on the surge in breaches and the clear role of human error, Gemalto’s Pyper believes companies hoping to stay out of the data-breach spotlight would be well advised to focus their remediation efforts on teaching employees to spot and avoid potential precursors to a data breach.
“People need to step up and have a little more passion in terms of the security controls they put in place,” he said. “You’ve got to keep reinforcing to individuals what a data breach looks like – and you’ve got to have a really strong, programmatic approach to how you go about educating your employees, and the third-party partners that you deal with on a regular basis.”