The Office of the Australian Information Commissioner (“OAIC”) received 539 notifications under the notifiable data breaches scheme between July and December 2020 – a period during which many Australian employees worked from home in response to COVID-19. This provides the opportunity to confirm or debunk some of the assumptions about the link between remote work and cybersecurity.
In July 2020 McKinsey advised organisations to urgently shift cybersecurity priorities towards establishing secure connections for remote workers. Deloitte warned of a spike in phishing, malware and ransomware attacks from cybercriminals who wished to capitalise on the crisis. The Australian Government’s Annual Cyber Threat Report warned in June 2020 that “malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, and sophistication”.
What sort of breaches did organisations experience?
The breaches fall under two main categories: malicious/criminal attacks and breaches resulting from human error.
- Malicious or criminal attacks accounted for 58% of notifications, down from the previous reporting period by 1%. These attacks took the following forms:
  - 212 cyber incidents (external attacks)
  - 34 social engineering (impersonations)
  - 35 rogue employee/insider threats
  - 29 theft of paperwork/storage device
- Human error accounted for 38% of all data breaches, jumping by 18% from the previous reporting period. Errors included:
  - 108 instances of personal information emailed/mailed to the wrong recipient
  - 33 unauthorised disclosures/unintended release
  - 18 failures to use BCC when sending emails
System faults, meanwhile, accounted for only 5% of all data breaches.
The top five industry sectors reporting data breaches were healthcare, finance, education, legal and accounting, and government. As might be expected, healthcare and finance experienced the highest number of malicious attacks, while healthcare also suffered the most from human error.
The nature of personal information involved in the breaches included contact information (492 breaches), identity information (241), financial details (218), health information (138), and tax file numbers (96). It is important to note that the number of people affected by the breaches listed in the report is not in the tens of thousands; most commonly, only a single individual was affected per breach.
Remote working and human error
What is driving the sharp spike in human error? The OAIC notes that it is yet to identify a conclusive link between the rise in human error and the changed business and information-handling practices resulting from remote-working arrangements, but we can speculate the following:
- Lack of in-person supervision: Employees who would normally have a supervisor double-checking their work were operating unsupervised when working remotely.
- Casual environment: Keeping in mind this is speculation, it is possible that the “casual” environment created by remote working has led to a more casual attitude in regard to information handling.
- Distractions: Employees may have made mistakes due to common working-from-home distractions, such as family members or pets interrupting their work.
How to mitigate the risk of data breaches?
While the drop in malicious/criminal activity is encouraging, it’s clear from this data that cybersecurity is not just an IT issue, but a human issue that belongs to every employee.
- To help reduce this risk, organisations should increase employee education in response to the increased threat level. This could involve making people aware of privacy and cybersecurity as it relates to their role, and having data protocols and processes clearly established and documented. Moreover, cybersecurity training should not be a once-only event during onboarding. Employees should be reminded and re-educated regularly to ensure security stays front-of-mind.
- Implement a testing system such as sending fake phishing emails to employees and following up with staff who click on something they shouldn’t. This will provide a good snapshot of cybersecurity awareness and enable targeted training.
- Take a holistic approach. The small number of rogue employee/insider threats is dwarfed by the number of external cyberattacks, but it still remains a concern. Organisations should take a holistic approach to managing all risks to their business, including data security risks.
Every organisation has a responsibility to protect its own security and the security of its clients’ data. With personal data increasingly shared between entities, every interconnection creates its own risk.
As we continue to adjust to remote working, organisations should step up their focus on cybersecurity and data education to reduce human error while maintaining a strong defence against external attack.
Originally prepared for and published by PBSA in the (insert edition) of the APAC Report, PBSA APAC Council’s quarterly newsletter. Read the full issue here: https://thepbsa.org/councils/apac/newsletters/