The Office of the Australian Information Commissioner (OAIC) received 215 breach notifications between January and March 2019. Although this shows that data breaches are still prevalent in the country, it is the lowest number of data breaches reported in a full quarter so far. By comparison, the previous two quarterly statistics reports showed the number rising from 245 in the September 2018 quarter to 262 in the December 2018 quarter.
Many of the underlying trends, however, remain the same. Of the breaches notified in the first quarter of 2019, 61% were caused by malicious or criminal attacks, 35% by human error, and 4% by system failures. Most incidents affected 100 individuals or fewer, though one breach affected more than 10 million people. The types of information most often exposed were contact details and financial data.
The OAIC report also identifies the five industry sectors that notified the most data breaches during the reporting period.
1. Healthcare
In the first quarter of 2019, healthcare once again racked up the most data breaches, with 58 reported incidents. Of those, 52% were attributed to human error, such as lost paperwork, messages sent to the wrong recipient, and unauthorised disclosure of information. The malicious attacks reported by healthcare providers ran the gamut from theft of paperwork and rogue employees to phishing and compromised credentials.
The Australian healthcare industry is highly susceptible to breaches for two key reasons. First, health information is a valuable commodity to hackers, who will go to great lengths to obtain it. Second, balancing security with patient convenience and seamless access to health records has never been an easy exercise, especially with the proliferation of mobile devices and cloud solutions.
2. Finance
With 27 breaches, the finance industry was the second-highest reporting sector; most of its breaches were caused by phishing, ransomware, and account hijacking. It is worth noting that the number of reported breaches in this sector fell from 40 in the previous quarter, which may indicate that financial firms are becoming more aware of cyber risks.
This does not change the fact that financial institutions are prime targets. Their vast repositories of sensitive records are worth millions to cybercriminals, which is why it is more important than ever to put up multilayered defences against highly advanced attacks.
3. Legal, accounting, and management
In third place is the legal, accounting, and management sector, with 23 breaches. The most common causes of notifiable breaches in this sector were stolen credentials and rogue employees. One reason organisations in this sector fall victim to such attacks is that they may lack adequate controls and policies to keep data secure. What's worse, they hold countless servers full of personally identifiable information that can be used to commit identity fraud.
4. Education
The education sector reported 19 breaches in the first quarter of 2019, most of which resulted from unauthorised disclosures and failure to use BCC when sending email to multiple recipients. This suggests that schools need more secure processes for sharing information. They also hold a bevy of sensitive information (e.g., student records and contact data) and are increasingly reliant on networked technology, both of which make risk mitigation a significant challenge.
5. Retail
Retail, which suffered 11 breaches, is a new entrant to the top five most breached industries. As in the legal sector, stolen credentials were the biggest contributor. There were also two cases of ransomware, indicating that attackers are targeting the industry primarily for large payouts.
Given the findings of the report, organisations need two things to minimise the occurrence of data breaches. First, they must deploy robust security measures, such as:
- advanced threat prevention systems,
- encryption software,
- multifactor authentication, and
- cloud backups.
These tools prevent cybercriminals from infiltrating corporate networks, protect the integrity of sensitive data, and ensure recovery in case data is lost or stolen.
Second, organisations must enforce proper data management procedures backed by security training. This means teaching staff safe data-sharing etiquette, how to recognise and avoid phishing scams, and the importance of good password habits. Like patching software, security training should be carried out regularly and should include simulated tests so that employees remain aware of cyberthreats at all times.
Taking reasonable steps to secure personal information is an obligation for all companies, no matter their size or sector. Empower IT Solutions provides all the tools you need to protect your digital assets. We offer everything from anti-malware and cloud backups to security training and phishing simulations. Call our cybersecurity experts today to implement a fully rounded security framework.