The Notifiable Data Breaches Scheme has been in effect for the better part of a year now, so it’s a good time to look at the impact it’s had. Since the scheme came into effect earlier this year, the OAIC has released several statistical reports on it. The NDBS lets us collate the frequency and scope of reported data breaches in Australia.
According to Norton, 1 in 4 businesses has fallen victim to a cyber security attack, which is well and truly more than the Notifiable Data Breaches Scheme is reporting.
Let’s have a look at the evolution of the stats over the course of the year. The Scheme only came into effect on 22nd February this year, so the results for the first quarter are a little skewed in comparison to the rest.
January to March 2018
- 63 Notifications
- Largest Sector Affected: Health (24%)
- Malicious/Criminal: 44%
- Human Error: 51%
- System Fault: 5%
Because the Notifiable Data Breaches scheme only commenced on 22nd February, this quarter doesn’t capture an accurate portrait of breaches. The second most affected sector was Legal/Accounting/Management, totalling 16% of all breaches. With human error accounting for over half, it shows that cyber security priorities were not high enough.
April to June 2018
- 242 Notifications
- Largest Sector Affected: Health (20%)
- Malicious/Criminal: 59%
- Human Error: 36%
- System Fault: 5%
The health sector was still the most affected, but improved to 20% from 24% last quarter. Legal dropped significantly from 16% to 8%, while Finance came in as the second most affected sector at 15%. Human error accounted for far fewer notifiable data breaches, which indicates that people are taking better precautions.
July to September 2018
- 245 Notifications
- Largest Sector Affected: Health (18%)
- Malicious/Criminal: 57%
- Human Error: 37%
- System Fault: 6%
Health still takes the top slot for most affected sector, but shows a consistent decline in breaches, which is promising to see. Finance is still second, but down to 14% of all reported breaches. A pattern is emerging in the incidence of malicious and human error breaches, with malicious breaches accounting for far more overall. From this you could take away that businesses are taking data privacy more seriously and are conscious of reducing any possible notifiable data breaches.
The health care sector is by far the most consistently affected of all sectors (Health, Finance, Legal, Education and Personal). The majority of cyber incidents can be boiled down to compromised credentials, either through phishing, brute force attack or otherwise. This highlights the importance of good password habits — including changing it periodically using strong, random combinations. Human error breaches are still too high considering how simple it is to enforce secure data management. Educate your employees and have cyber security policies in place to prevent inadvertent disclosures and breaches.
With the consistent growth of cyber crime and its evolving methods, it’s time to keep your foot on the pedal in terms of managing cyber security. Don’t let it be a low-level priority. Take care of your business and data today to avoid becoming one of these statistics.
Notifiable Data Breaches: Is Your Business At Risk?
To avoid becoming one of these grim statistics, you need to determine whether your business is at risk of a notifiable data breach and what you can do to reduce that risk. The best way to go about it is to perform an audit of your current cyber security and identify any weak spots.
Firstly, determine if you fall within the scope of the scheme. Are you one of the following?
- Australian Government agency
- Business or not-for-profit organisation with an annual turnover of $3 million or more
- Credit reporting body
- Health service provider
- TFN recipient (someone holding a Tax File Number in your systems)
If so, your organisation is likely to be subject to this scheme. To protect yourself, we recommend using an audit questionnaire that you can fill out yourself in order to highlight problem areas. An audit should effectively determine the following:
- Which compliance, governance and legislative requirements apply to you?
- What types of data does your organisation deal with, and how is it handled?
- What IT systems are in place that store data, and how are they managed?
- What protections are in place around those IT systems to enforce security and compliance?
- What levels of access and awareness do staff have around the data and its security?
This information will give a good picture of your organisation’s current cyber security state (strengths and weaknesses) and which areas need attention.
Protect Your Business
There are several ways to protect your business from becoming the victim of one of these notifiable data breaches. Here at Stanfield IT we always recommend that our clients implement the ASD’s “Essential Eight” (the Australian Signals Directorate’s baseline mitigation strategies) as a starting point. If you review our recent case studies, you can see this is exactly what we’ve done for our clients.
We’ve published several compilations of tips on how you can protect your business from cyber risk, and even an audit checklist you can run through yourself. However, the biggest tip we will always advocate for is possibly the simplest of all.
Educate your employees.
Your team is your best resource and biggest protection. With cyber aware staff, you deter the majority of phishing attacks and malware downloads, which lead to a good portion of data breaches. The ‘Essential Eight’ mentioned above has limited effectiveness if your team isn’t alert and aware.
Still Not Feeling Sure?
If you don’t feel confident in the security of your business, or the answers to your cyber security audit have you questioning your setup, then it’s time to take a few steps. We have a guide linked here that gives you some pointers about what to do now. However, it’s likely that at this point you need an external IT specialist to come in and assist you.
Your cyber security specialist will take time to evaluate your current setup, and help you identify what your goals are and what needs additional support. Ultimately, talking to someone (perhaps even Stanfield IT) is what you need to be sure you’re on the right track.
Even businesses that have a well-established cyber security perimeter can benefit from an audit and take it to the next level — as can be seen in our latest case study here.