Despite new mandates, most government data security incidents are due to human error

The leak of world leaders' passport details by Australia's Department of Immigration and Border Protection made news around the world, but new figures suggest that such breaches are far from isolated incidents, with human error – and not outside hacking, as many might believe – the biggest source of compromise in government agencies.

It wasn't the first time DIBP was called out for leaking information: in February 2014, another human error led to the publication of the personal details of almost 10,000 asylum seekers on the agency's Web site.

Indeed, fully 80 percent of all security incidents within government agencies last year were due to human error, Verizon found after further analysis of nearly 80,000 security incidents previously presented in its 2015 Data Breach Investigations Report.

Those results will have many government security managers particularly concerned, as protection of privacy information has been a requirement for a long time and the newly revised Privacy Act controls impose significant sanctions on organisations that fail to protect their data appropriately.

Government IT-security professionals also face new mandates, such as the April order from the new Digital Transformation Office (DTO) that all government agencies must comply with all 36 Protective Security Policy Framework (PSPF) controls as well as the requirements of the Australian Signals Directorate's Information Security Manual (ISM).

With agencies expected to have laid down compliance plans by September, public-sector CSOs may be chagrined to hear Verizon's finding that agencies were far more vulnerable to attack than those in other sectors. In 78 percent of attacks against government agencies, hackers were able to compromise target systems within seconds; across all sectors, that figure was just 38 percent.

In half of attacks against government targets, it took hours to exfiltrate data from the system. And while most victims (35 percent of the total) became aware of the breaches within minutes, in 68 percent of cases it took days to contain the incident.

Some 19 percent of public sector security incidents (compared to 15 percent across all industries) related to physical theft and loss of information – a factor that the report suggests is “actually more of an issue in the public sector than elsewhere”.

An additional 25 percent (compared to 20 percent) of government security incidents were due to insider and privilege misuse, with 23 percent of those related to use of unapproved hardware like flash drives to take data out of the organisation.

Another 36 percent of incidents were attributed to 'miscellaneous errors' – a category in which misdelivery of email and letters accounts for most errors. This category, which includes both known DIBP breaches, was well up from the 28 percent rate across all industries and highlights the importance of cross-checking and quality control to avoid further incidents.

The security risks from human error have long been a significant anecdotal thorn in the side of security practitioners, but the new research suggests that government employees – who collectively deal in sensitive and usually personally identifiable information about ratepayers – are more susceptible than most.

“Any loss of sensitive citizen data, such as tax information or social security details, can cause a loss of public trust,” the report warns, recommending that agencies use quality checkpoints to ensure information is only sent to the intended recipient; analyse past mistakes and implement policies to avoid repeating them; and undergo regular staff training to minimise the recurrence of human-related security issues.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts