The Office of the Australian Information Commissioner has published its Notifiable Data Breaches Report for the second half of 2021.
The report sheds light on the scale of breaches, which industries are most vulnerable, the causes of breaches and the time organisations take to report them.
We spoke to cybersecurity experts from Sekuro, MyCISO and Seccom Global on the OAIC's key findings and what they mean for IT channel partners.
The report recorded 446 breaches, up 6 percent from the 436 notifications recorded for January to June 2021.
Contact information was the most common type of personal information involved in breaches, and was included in 396 breaches, followed by identity information, involved in 185 breaches, and financial details, involved in 183 breaches.
Contact information, which includes details such as name, home address, phone number or email address, has been the information most commonly included in breaches since the reporting scheme began in July 2018.
"Notification of a breach is a process that flows from various channels in an organisation. An organisation's staff are at the forefront of it: identifying, understanding it's a breach, confirming it actually is a breach and then appropriately reporting it as a breach," Sekuro chief information and security officer Prashant Haldankar told CRN.
Health and finance have been the sectors with the highest notifiable data breaches since the reporting scheme began in July 2018.
The health sector reported 39 data breaches that were caused by malicious or criminal attacks and the finance sector reported 24.
If Australian government agencies were included as their own sector, they would fall only slightly behind the most vulnerable sectors as they filed 28 data breaches during this period according to a Freedom of Information request released earlier this month.
This only accounts for notifications made by federal, and not state, agencies.
The share of data breaches caused by malicious or criminal attacks dropped by 10 percent from the January to June 2021 report.
The share of data breaches caused by human error rose by 11 percent from the last report, where they made up only 30 percent of total incidents.
Among the top causes of human error breaches were:
MyCISO chief executive officer Dane Meah on data breaches caused by human error
“Accidental data loss as a result of human error, such as lost laptops or accidental data disclosure remains a highly prevalent risk factor for organisations.”
“Protection strategies such as data loss protection, endpoint encryption and user awareness training should be deployed to prevent and mitigate these.”
Data breaches resulting from cybersecurity incidents
Malicious and criminal attacks accounted for 55 percent of data breaches? Is this higher or lower than what you'd expect?
Seccom Global managing director Michael Demery
"I would expect to see numbers similar to this, if not higher. Many of the attacks that we see result from phishing or Malware exploits."
MyCISO chief executive officer Dane Meah
"Criminal attacks represent a lower than normal percentage of the overall data breaches compared with what we typically see."
Sekuro chief information and security officer Prashant Haldankar
"I would have expected the malicious and criminal attacks to be higher more so because of the period of this report, i.e., during the pandemic period."
"More online activities (than ever before) started occurring during the pandemic, and that activity provided a breeding ground for online crime, scams and espionage largely facilitated by cyber."
"Prevalence of social media and use of Internet platforms has largely contributed to illicit activities thereby elevating the cyber risk."
"Since the pandemic, Sekuro’s existing and new client requests to review their cyber profile and assist them in securing and uplifting their cyber security posture has grown extensively."
"Many businesses adopted remote working solutions for the first time without necessary security controls in place."
"Allowing staff to use their personal devices for work without corporate level security and data storage was irregular and inconsistent."
"We saw many instances where such a position allowed plenty of avenues for illicit activities enabling easy options for attackers to gain unauthorised access and with malicious intent."
"We have been busy assisting many clients address the mobility situation and addressing the security shortfall; however it’s not an overnight change."
The most common form of malicious attack were phishing attacks. Is this surprising?
MyCISO chief executive officer Dane Meah
"Phishing has been a leading cause of breaches for a long time, so no surprise to see it here again.
"Unfortunately most secure email gateways are ineffective at preventing sophisticated phishing attacks, such as Account Takeovers and Vendor Email Compromise attacks, which leverage the trusted brands or people known to the receiver."
Seccom Global managing director Michael Demery
"The easiest way to get past an organisation's security controls is still the end user."
"The simplest way to initiate mass social engineering exploits is via email, so this is not surprising."
"However, many organisations still fail to invest in user education despite this information."
How are you preparing clients to thwart or mitigate these attacks [phishing attacks]?
Seccom Global managing director Michael Demery
"It is a combination of education and technical controls."
"Organisations must implement both. Educate the user and implement the technical controls to protect the users and the organisation."
"There are several areas where an organisation can stop an attack before it happens."
"If you are unsure where to start, look at cyber security frameworks such as Essential Eight, NIST or the ISO 2700 series."
MyCISO chief executive officer Dane Meah
"Newer and more effective prevention, detection and response technologies have emerged which connect to the Microsoft API to analyse threat and user-behavioural data beyond what is normally possible with a secure email gateway."
What are the biggest challenges in preparing for this [preparing clients to thwart or mitigate these phishing attacks]?
Seccom Global managing director Michael Demery
"The biggest challenge for companies is to cut through all the noise and concentrate on the business areas that will provide the required outcomes."
"Second to this is that cyber security is not set-and-forget. Cyber security requires continual management."
MyCISO chief executive officer Dane Meah
"As with every unsolved threat vector, security leaders need to be prepared to change their thinking and pivot their defensive strategy."
"Those organisations that do will have first-mover advantage whilst the rest will remain vulnerable to higher volumes of these types of cyber incidents."
Data breaches resulting from malicious or criminal attacks
The number of days taken to notify the OAIC of breaches.
OAIC commissioner Angelene Falk said, "A key objective of the [data breach notification] scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm."
“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”
Seccom Global managing director Michael Demery on delays in reporting breaches
"I found the small number of organisations notifying that they have fallen victim to these attacks [phishing or malware exploits] surprising."
"From what we have seen, I suggest that many organisations still fail to notify OAIC after being breached."
Sekuro chief information and security officer Prashant Haldankar on delays in reporting breaches
"Often, we see news in the media that breaches are reported many months after their first occurrence. Most of the time, the damage has already been done.
"The problem lies in not fully understanding what the data breach notification process entails and how the identification and reporting should work.
"We also don’t have data on how many times a breach occurred but there was a failure in reporting because it wasn’t even classified as a breach.
"The protocols and awareness have to be at a certain maturity state to have a clear and realistic view on the stats."
What are the biggest sales opportunities?
Seccom Global managing director Michael Demery
"The most significant opportunities that will affect end-user information will be in the Cloud and edge computing."
"As many organisations are storing information in the Cloud, the opportunity will come from protecting this information."
MyCISO chief executive officer Dane Meah
"The biggest opportunities exist where there remains the greatest customer challenges.
"This report highlights that Phishing remains largely unsolved and given that email is where many types of cyber incidents begin (Ransomware, Credential Theft, Data Loss, etc), it makes sense to focus the attention on solving email as the primary attack vector."