Alex Woerndle, principal adviser, Cyber Security at Ecosystm, said the report was a concerning read as it continued to show Australian businesses were failing to grasp necessary data protection and data management techniques.
"It appears we have learnt nothing locally from scandals and breaches that have seen millions wiped off the value of businesses overseas," Woerndle said. "For a third of all breaches to be attributable to human error is unacceptable.
"All businesses can now understand the damage and disruption simple human error mistakes are causing or could cause if not addressed. In today's world, business requires partnership and co-operation, and leaders need to find the right allies and partners to defend innovation and overcome threats, be they competitive from rivals, internal malicious attacks, or from cyber criminals looking to extort financial gain.”
"Software can now use back-up data to scan for exposures and vulnerabilities in recent data as a matter of course," he said. "This can be automated too, to eliminate the necessity for IT resources to be continually checking reports and platforms.
"Automated alerts can notify the IT team when server usage is abnormal or when permissions to access data are changed, which helps counter internal and external threats that may have system access too. This gives businesses a precious commodity when dealing with cyber criminals: time. You don't have to react to a full-scale breach; instead you can spot the early warning signs and rectify.”
Woerndle said the report indicated that Australian businesses needed to have better password discipline.
"Indeed, in recent years we’ve seen a whole industry built on creating word lists of common passwords that can be thrown at employee accounts in an attempt to crack them," he said. "In addition, organisations need to train their staff better on appropriate use of email as a communication medium - not just on how to detect a malicious email, but more broadly on appropriate use. Indeed, staff should be constantly educated about phishing attacks and to be cautious when downloading files or opening attachments from unfamiliar parties.
“Businesses in 2020 should also look at their overall IT environment. While no single defence can protect completely, today’s IT security toolbox should include firewalls and anti-virus software through to network intrusion and advanced persistent threat tools, incident response planning, cloud security solutions and comprehensive awareness training for all staff. By taking a comprehensive and multi-layered approach to security, organisations can reduce the likelihood they will fall victim to malware attacks, data breaches, and avoid the disruptive and potentially costly problems they can cause.”
Simon Howe, vice-president Sales Asia Pacific, LogRhythm, said the report showed that businesses continued to be an attractive target for cyber criminals due to the large amounts of sensitive customer data collected and stored.
"Increasingly organisations of any size must be aware of the evolving types of threats and the vulnerabilities that exist across their networks in order to protect customers’ data," he said. "Security awareness programs are a great help in this regard, especially those that this report suggests focus specifically on phishing awareness.
“At the same time, security visibility and monitoring of systems, even those hosted outside of a network, are critically important. Organisations should also increasingly look at their security supply chain and include security controls and protections within contracts when partnering with third parties. This will not only limit a company’s liability if a breach were to occur, but it will also test the third party’s adherence to those controls and enable a company to monitor the controls themselves.
“As in previous years, when there is detection of a breach, rapid incident response can mean the difference between a damaging data breach and quick containment. As they look at their investment dollars in 2020, decisions makers would be well advised to put in place advanced security tools that automate common investigation tasks and streamline remediation and response in order to halt a breach immediately and in real-time.”
Ping Identity Asia Pacific chief technology officer Mark Perry focused on the issue of compromised credentials.
“It’s clear from the report that organisations are not doing enough to close the major attack vector that leads to data breaches, namely compromised credentials," he said. "At the same time, for attackers right now, phishing is low-hanging fruit, enabled by simple and outdated authentication methods. Multi-factor authentication really needs to be considered as an essential component of a cyber security strategy, for both employees and customers, especially for email accounts.
"Going passwordless is another option, well supported by industry solutions. The FIDO2 standard has been designed to mitigate phishing attacks and should be considered as a replacement for a One-Time code delivered by email or SMS, which are inherently less secure. The report also appears to suggest that the healthcare sector, in particular, needs to embrace modern, secure authentication solutions to safeguard personal and sensitive data.”
Jim Cook, ANZ regional director at Attivo Networks, said credential theft had been identified as having major appeal to hackers and suggested that against this backdrop, organisations could not afford to be complacent about their security posture or assume traditional cyber-security measures would continue to answer.
"The threat posed by cyber-crime is rising and, as organisations continue to digitise, traditional perimeter-based cyber-security strategies will no longer be completely reliable or adequate," he said. “Businesses need to have real-time monitoring and clear visibility into their operations so they can rapidly detect and neutralise security threats.
"As a result, they may now need to focus on how they manage their security challenges head-on by making every network element part of a deception fabric to disrupt an attacker’s ability to break out and further infiltrate the network. Indeed, luring adversaries into the open with deception technology can prevent them from gaining access to critical IT data and assets and ultimately reduces the occurrence of disruptive and costly incidents which businesses of all sizes can ill afford to weather.”
WatchGuard Technologies ANZ regional director Mark Sinclair said it appeared that not a day went by without the public not hearing of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber-attack.
"Meanwhile, thanks to Facebook, consumers have also become intimately aware of how their own personal data privacy contributes to their own security," he said. “This Notifiable Data Breaches report data highlights the treasure trove of personal information held in email accounts and contact lists that attackers are exploiting more and more often.
"Protecting email credentials has never been more important and multi-factor authentication should now become a standard security control for businesses in 2020. Indeed, the Australian Cyber Security Centre lists MFA as a key counter-measure to protect again the exploitation of stolen credentials as part of its Essential Eight.
"MFA is a highly effective and easy to implement solution that will render a phished username/password useless. All Australian businesses should have MFA high on their cyber-security shopping list if they have not implemented it already. At the same time, businesses should remember that good security hygiene is often more about sustained behaviours than any one mistake or decision.“
Zscaler ANZ country manager Budd Ilic said despite huge sums of money being spent on security, the OAIC report painted an alarming picture of the increasing number of notifications.
"This implies businesses are not keeping up with the increasing sophistication of phishing and other cyber attacks," he said. "Every business leader should read the report and review their cyber-security governance posture in the light of these results.
"At the same time, they should focus effort on developing and integrating a risk management program across platforms and cloud and ensure that their investments are regularly reviewed and aligned to the current threat environment so that they don’t run afoul of compliance, laws and regulation.”