OAIC REPORT HIGHLIGHTS CYBER RISKS’ MAGNITUDE

17 May 2019

Human error is a key reason why data breaches occur.

 

The Office of the Australian Information Commissioner’s (OAIC) first annual report on the notifiable data breaches (NDB) scheme shows it received 964 notifications from 1 April 2018 to 31 March 2019, a 712% increase on the previous voluntary scheme.

 

While malicious or criminal attacks were the main data breach sources in the scheme’s first year, at 60%, Gerry Power, Head of Sales at Emergence Insurance, said many of those incidents exploited human vulnerabilities, such as clicking on attachments to fake emails or inadvertently disclosing passwords.

 

The report highlights cyber risk’s magnitude and emphasises the need for employers to educate their employees.

 

OAIC also released its January to March quarterly report. Below is a snapshot of the results. Emergence encourages brokers to distribute this to clients to alert them to cyber risks’ dangers.

[Infographic: Emergence NDB Infographic, 2019 Q1]

 

OAIC’s annual report said phishing (when a target is contacted by email or text by someone posing as a legitimate institution to lure people into providing information) and spear phishing (using social engineering to impersonate a trusted contact to obtain information) were the most common and highly effective methods by which entities were compromised in the 12 months.

 

OAIC said phishing attack techniques continue to evolve, making phishing emails increasingly difficult to detect without “sustained, focused user education”.

 

In 28% of cases, the notifying entity was unaware of how credentials were obtained, because they had detected no phishing-based compromises. The source could be “credential stuffing”, where criminals use breached usernames and passwords that have been leaked or posted online.

 

While 35% of data breaches across all sectors involved human error, such as unintended information disclosures or losing data storage devices, the figure was 55% in the health sector and 41% in finance.

 

OAIC said entities should understand their data holdings and proactively contemplate mitigation steps to “genuinely protect consumers from further harm” when breaches occurred.

 

People keep finding new ways to make mistakes, but staff education can materially reduce the potential for data breaches.

 

Emergence plays a role through conducting in-house education sessions, online webinars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks.

 

The high rate of notifications highlights the need for cyber insurance.

 

Emergence’s cyber policy gives insureds 24/7/365 access to an Australian-based incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.

 

Emergence’s policy covers reporting data breaches to OAIC, any subsequent regulatory investigations, costs associated with communicating data breaches to affected individuals, and any fines imposed by the regulator.

 

An enhanced wording, introduced this month, expands coverage to include social engineering thefts and cryptojacking.

 

Commissioner Angelene Falk said OAIC, over the next year, would “take a proportionate, evidence based regulatory approach to the NDB scheme, including exercising enforcement powers, where necessary”.

 

Gerry says a cyber insurance policy is part of every successful business’s risk management framework and can assist with recovering from hack attacks or data breach incidents.

 

“Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” he said.

 

Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.

 

Emergence has been voted the 2019 Insurance Business Underwriting Agency of the Year and has won Insurance Business’s brokers’ pick for Cyber Product of the Year award in three of the last four years.

 

You can obtain Emergence cyber quotations for clients by accessing the broker portal.

 

This blog is another cyber education initiative from Emergence.