Are data breaches actually on the rise? Where the problems exist in Australia today.

Every month we look at a core issue affecting organisations and, more importantly, their IT teams: delivering rock-solid security while working with end users to enforce the right policies and practices to prevent security incidents.

The recent report from the Office of the Information Commissioner highlighted a sharp increase in data breach notifications from Australian organisations in the last quarter.

It is important to note that this is a rise in notifications, which does not mean there has been a rise in data breaches. It would be easy to draw a straight line between the two, but without hard evidence we would be creating what is now known as fake news.

Given the somewhat voluntary nature of the data breach notification laws, you could assume the real number is much higher.

It also needs to be read alongside the one key point that must be kept top of mind: companies first need to know that a data breach has occurred.

Then they need to make a judgement call, be prepared to disclose to the public that they have been breached, and contact the individuals concerned.

If we take the facts at face value and look at the statistics from the second quarter of the Notifiable Data Breaches Quarterly Statistics Report (1 April – 30 June 2018), you will see clearly that only 5% of the reported breaches were due to system faults (high five for all the IT guys out there).

59% were caused by malicious or criminal attacks (this might be slightly over-inflated, as such attacks can be hard to prove and also provide a ready excuse for an organisation that would rather not admit to anything else).

The last core area causing breaches was human error, which represented 36% of notified data breaches.

36% of data breaches were caused by human error

36% might seem low, especially when you consider your own past experience dealing with end users who think IT security means hiding their password on a Post-it note under the keyboard, the office equivalent of hiding your wallet in a towel or shoe at the beach.

Here is a list of the average number of affected individuals by type of breach (failure to use BCC for an email to 571 individuals seems a little alarming; heard of Mailchimp?)

What can IT teams do to help reduce human error?

OK, we already have a huge list of nerd-funny ways to reduce human error (thanks team), but when we look at the breakdown above, two areas come to mind: loss of a data storage device, and failure to use BCC when sending email.

  • Secure (encrypted) data storage devices exist, are easily purchased and, with these statistics, are an easy sell to the bean counters in any organisation.
  • Failure to use BCC can be simply solved by setting up a platform such as Mailchimp, or any of the thousands of similar platforms, for people in the organisation to use. There is no reason to BCC 571 people in an email, and we know that well. Now go and smack your marketing teams, because it is probably them.
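The BCC failure above is also easy to catch before the message leaves the building. The following is an added example (not code from the original post or from any product it mentions) of the kind of outbound-mail check a gateway or DLP rule can apply: it parses the raw message, counts the addresses that every recipient would be able to see (To and Cc, never Bcc), and blocks the send when the count exceeds a policy threshold. The threshold value and the sample messages are constructed for illustration.

```python
"""Outbound-mail guard for mass-recipient exposure (a BCC-failure check).

Added example, not from the original post. It assumes a mail gateway or
send hook can hand us the raw RFC 5322 message before delivery.
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed policy value: more visible recipients than this is treated
# as a probable failure to use BCC.
MAX_VISIBLE_RECIPIENTS = 20


def visible_recipients(raw: bytes) -> list[str]:
    """Return every address exposed to all recipients (To and Cc headers).

    Bcc is deliberately excluded: the sending server strips it, so those
    addresses are not disclosed to the other recipients.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    pairs = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            pairs.extend(getaddresses([str(value)]))
    return [addr.lower() for _, addr in pairs if addr]


def check_message(raw: bytes, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Return a verdict: whether to block the send, how many addresses are
    visible, and a human-readable reason for the sender."""
    count = len(set(visible_recipients(raw)))
    if count > limit:
        return {
            "block": True,
            "visible": count,
            "reason": (f"{count} visible recipients exceeds the limit of {limit}; "
                       "use Bcc or a mailing platform"),
        }
    return {"block": False, "visible": count, "reason": "ok"}


def sample_message(to_count: int, bcc_count: int) -> bytes:
    """Construct a test message with the given recipient counts (constructed data)."""
    to = ", ".join(f"user{i}@example.com" for i in range(to_count)) or "list@example.com"
    headers = ["From: comms@example.com", f"To: {to}"]
    if bcc_count:
        bcc = ", ".join(f"member{i}@example.com" for i in range(bcc_count))
        headers.append(f"Bcc: {bcc}")
    headers += ["Subject: Newsletter", "", "Hello all"]
    return "\r\n".join(headers).encode()


if __name__ == "__main__":
    # 25 addresses in To: everyone on the list sees everyone else.
    print(check_message(sample_message(25, 0)))
    # One visible address plus 570 in Bcc: nothing is disclosed.
    print(check_message(sample_message(1, 570)))
```

The check only looks at what the other recipients would see, so a legitimate bulk send via Bcc passes while a To/Cc blast is stopped with a message that tells the sender what to do instead. In a real deployment the threshold would be tuned per organisation, and the sender would still be steered to a proper mailing platform for anything that looks like a campaign.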

Probably the most notable exception that we feel should be classed as human error, the lost or disclosed password, is instead classed as malicious or criminal. And that is the core area where IT teams can help (see diagram).


How do we solve the password issue with end-users?

Forget about forgotten passwords and constant resets, and let's for a minute have some empathy for our end users. They have a lot on their minds, so it is easy to forget a password, oh, every day or so. Note that we have not always made it easy for them either, with complex rules, requirements and frequent forced changes.

But using some simple arithmetic, the 34% of malicious or criminal attacks attributed to compromised or stolen credentials, taken as a share of that 59%, is roughly 20% of all breaches.

20% of data breaches were caused by compromised or stolen credentials

Now this is one area where IT needs to step up to the plate. How do we enable end users in our organisations to use all of the apps and tools they want, while still maintaining security?

  • LastPass: well, we all read about that one. https://www.pcworld.com/article/3185731/security/lastpass-is-scrambling-to-fix-another-serious-vulnerability.html#tk.rss_all
  • Chrome password management: Google uses hardware-based credentials for all staff accounts and has not had an incident in 18 months (or so they say).

Implementing a robust platform for managing user credentials, one that covers both the directory log-in and all the other apps out there, is the only way to go for most organisations. The alternative is to go completely down the hosted application path and add two-factor authentication, which is what we use to protect ourselves and our clients.

Another option is a simple offering called APPSPOINT Workspace. It helps IT teams put some control over app sprawl, which is becoming an increasingly complex management problem for IT teams.

We look forward to seeing the next report, and this is definitely an area worth discussing with a group of peers rather than relying on Reddit or Quora advice. If you would like to talk security, or about how we can help you or your customers, drop us a note or give us a call.