Ongoing high levels of data breach notifications in Australia echo the experience of European jurisdictions where a post-GDPR surge in data-privacy regulations is finally shedding light on the true magnitude of the data-breach problem.
Australian organisations – for whom it became mandatory to report data breaches with the February activation of the notifiable data breaches (NDB) scheme – reported 308 incidents during the half, the Gemalto Breach Level Index Report for H1 2018 noted.
Recently released figures for the first quarter of fiscal 2019 added 245 Australian breaches to Gemalto’s previous-quarter totals, while reports from Europe suggested that post-GDPR notifications had surged four-fold in the UK and jumped 29 percent in the leadup to GDPR.
Surging reports since the end of the last financial year had confirmed that the European Union can expect an inundation in the wake of its general data protection regulation (GDPR) taking effect just before the middle of the year, Gemalto ANZ regional director Graeme Pyper told CSO Australia at the recent AISA Cyber Conference 2018 in Melbourne.
“People can’t hide anymore,” Pyper said. “They’ve got to tell when these things happen. But through this begins a learning cycle, with companies learning that the costs of cleaning up a breach can be absolutely huge.”
Early fines for GDPR violations had already been met with legal challenges, with political data aggregator AggregateIQ last month appealing a potential fine from the Information Commissioner’s Office (ICO) after the ICO warned the firm to stop processing the personal data of UK or EU citizens. And Portuguese hospital the Central Hospital of Barreiro Montijo was threatening a legal challenge after the ICO hit it with a €400,000 ($A648,000) fine for two GDPR violations.
Fines are one potential cost of non-compliance, but the hacks themselves can be even more problematic. High-profile hacking victim Equifax had learned this lesson the hard way, with cleanup costs for its 143-million record breach expected to pass $US439 million ($A619m) on the way to becoming the most costly data breach in history.
The increased visibility introduced by Australia’s NDB scheme had increased the likelihood of businesses having to similarly report dramatic financial losses to data breaches.
Indeed, Cisco’s recently released 2018 Asia Pacific Security Capabilities Benchmark Study found that Australian companies’ data breaches are costing more than those affecting any other country in the Asia-Pacific region.
Fully 52 percent of Australian respondents to that study said breaches had costed them between $US1m ($A1.4m) and $US5m ($A7m). This was well ahead of the rates in India (25 percent) and Japan (23 percent).
Self-reporting was changing one long-standing statistic within Australia – namely, that many companies never find out about a breach until they hear about its effects from a third party. Just 24 percent of Australian breaches were reported by a third-party data source.
This was the lowest figure in the Asia-Pacific region, likely another effect of the requirements of the new NDB regime – which encourages companies to work with business partners to develop joint data-breach response strategies.
Indeed, the OAIC’s recent report highlighted the fact that the NDB authority was receiving reports related to breaches affecting multiple parties – something that authorities have said is causing confusion |widespread confusion]] amongst many organisations.
Fighting alert fatigue
APAC organisations were more likely than their global peers to receive large volumes of security alerts, according to the Cisco study, with 15 percent of APAC and 10 percent of global organisations reporting receiving between 100,000 and 150,000 security alerts daily.
Australian companies were the most comprehensive in investigating security alerts, with 72 percent of alerts investigated; by contrast, the APAC average was 56 percent of alerts, and laggard Korean companies were only investigating 30 percent of security alerts.
Interestingly, 65 percent of investigated security alerts in Australia were found to be legitimate – well ahead of the regional average of 44 percent. This suggested that Australian companies’ investment in security processes and tools had been particularly successful in reducing the number of false positives.
Yet the sheer volume of those tools and environments was also introducing complexity, with Australian companies using tools from far more security vendors than those in any other country.
Fully a third of Australian respondents were using 11 to 20 vendors’ security tools in their environments, while 28 percent said they had between 21 and 50 vendors’ products and 12 percent had more than 50 tools in place.
Yet despite their heavy investment in security tools, use of encryption remained low across the board.
Overall, Gemalto found, the number of records breached more than doubled during the quarter, to over 3.3 billion. Just 2.2 percent of those records had been encrypted for protection by the breached companies – highlighting the persistent gap between security practice and security best practice.
This was set to change thanks to growing availability of cloud-based security tools, which Pyper said had proven particularly helpful to small businesses that couldn’t historically access such applications.
“It really is quite cost-effective, and is opening up these tools to the smaller side that can’t afford $50k for an encryption platform,” he said. “The people who are probably most vulnerable can now consume something as a service, but benefit from the same scale and capabilities that the big guys have always had.”