HR Leader

Aussie businesses must do better on data, says OAIC

By David Hollingworth | 5 minute read

Australian companies and organisations must have “robust and proactive procedures” in place to handle data breaches and protect consumer information, warned the Office of the Australian Information Commissioner (OAIC).

The OAIC has released its latest Notifiable Data Breaches Report for the year to June 2023.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” said Angelene Falk, Australian information and privacy commissioner.

“In the event of an incident such as a cyber attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

Overall, the first half of 2023 has seen a 16 per cent reduction in notifications of a breach, with 409 incidents reported compared to 486 in the previous period.

The number of people affected by breaches has also dropped in line with the reporting; while there were 42 breaches affecting more than 5,000 Australians in the second half of last year, there were only 23 reported in the first half of 2023. Of course, that same period also saw the first Australian breach affect more than 10 million people, so it’s very much swings and roundabouts on that matter.

Malicious attacks remain the leading cause of data breaches, with 70 per cent of reports relating to threat actor activity.

As for the time it takes organisations to make a report, 78 per cent of organisations take less than a month to notify the OAIC. Breaches relating to human error are often the fastest to be reported, while those that occur as a result of a system fault are the slowest. In fact, 14 per cent of organisations took more than a year to report such incidents.

Ransomware attacks remain the most prevalent, making up 31 per cent of the total, followed by compromised credentials at 29 per cent. Phishing takes the third spot at 33 per cent.

The healthcare sector is responsible for 15 per cent of all incident reports, followed by finance at 13 per cent and recruitment agencies at 8 per cent. Recruitment agencies are also the fastest to report any breaches, with the finance sector the slowest.

“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” commissioner Falk said.

“The longer organisations delay notification, the more the chance of harm increases.”