It seems not a day goes by without another report of a high-profile cybersecurity breach affecting companies worldwide. The sight of a red-faced CEO apologising to customers on national television for lax security practices has become commonplace.
Data breaches are on the rise globally - and Australia is no exception. 2018 represents a crucial turning point for consumer control with the introduction of several landmark data privacy laws, making organisations significantly more accountable for how they safeguard user data.
Since February, all organisations covered by the Australian Privacy Act have had to comply with the Notifiable Data Breaches (NDB) scheme. This year, we’ve witnessed some of the biggest breaches in Australian history, and no industry has been immune: healthcare, finance, legal, accounting and management services, and the list goes on. Despite the well-documented impact of a breach, most Australian organisations have still not done all they should to understand and address the growing distance between the visibility their security tools provide and the modern attack surface. Understanding this Cyber Exposure gap is what security teams actually need to do in order to reduce their overall cyber risk. The stakes have never been higher when it comes to cybersecurity, so, months on from the introduction of the NDB, where are we now?
The latest Office of the Australian Information Commissioner (OAIC) data breach statistics report reveals that we are seeing more data breaches than ever in Australia. In July, there were 81 breaches, followed by 88 in August and 76 in September. The majority of the reported breaches were a result of malicious or criminal attacks (57 per cent), while a mere 6 per cent were the result of system faults.
In tandem with these findings, the Tenable Cyber Defender Strategies report highlights that 33 per cent of organisations take a minimalistic approach to vulnerability assessments, making just the minimum effort required for regulatory compliance, which increases the risk of a business-impacting cyber event. This is an unsurprising yet worrying statistic when compared with how many breaches are being reported to the OAIC.
With damage to brand reputation and massive financial risk at stake (fines of up to $360,000 for individuals and $2.1 million for organisations), it’s startling that some are still so woefully unprepared and continue practising poor cyber hygiene.
One of the most concerning statistics from the OAIC to date is that 30 per cent of breaches are reported by repeat offenders. Fool me once, shame on you. Fool me twice, shame on me. This suggests there’s plenty more learning to be done to improve Australia’s security posture.
It’s never too late to start
Organisations should familiarise themselves with the Australian Signals Directorate (ASD) “Essential Eight,” a prioritised list of initiatives which, if adhered to, will enhance security. The Essential Eight is a framework, and a precursor of sorts, for bridging the Cyber Exposure gap and setting good security habits that can be employed throughout an organisation. The guidelines are best used as a baseline to evaluate existing security protocols and can be adapted to the specific needs of each organisation. Implementing each of the eight steps is a good starting point for creating a secure environment for your organisation, but it definitely isn’t the end game.
Australian organisations must understand that today’s threat landscape is constantly evolving. The proliferation of Internet of Things (IoT) devices and new application technologies like containers are common examples of the changing IT landscape. Organisations should fully expect security weaknesses to exist in newer technologies and must plan to deploy them securely. Understanding where they are vulnerable and exposed across their entire attack surface will help prevent organisations from becoming another statistic.
As their Cyber Exposure gap widens, Australian organisations are increasingly susceptible to falling victim to a breach. The latest NDB report recorded 245 breach notifications for the quarter, up from the 242 notifications received in the previous quarter. The report before that covered a period of only a few weeks and recorded 63 notifications. While it is impossible to guarantee total security, it has never been more important for organisations, particularly those in high-risk sectors, to ensure they’re equipped to mitigate risk and implement basic cyber hygiene practices to reduce their overall level of cyber exposure.