The questioning of Australia’s security preparedness follows the OAIC’s quarterly report that malicious or criminal attacks were the largest source of data breaches in Australia in the quarter, accounting for 62% of all data breaches.
Of these 151 data breaches, 69.5% involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials.
“The latest figures from the OAIC show that Australian organisations continue to struggle with the increased presence of cyber threats,” says Bede Hackney, ANZ Country Manager, Tenable.
And Hackney said Australian organisations have a duty of care to protect customer information “and need to be vigilant with managing, measuring and reducing their cyber risk”.
“Malicious or criminal attacks again account for the highest proportion of breach notifications in Australia, followed by human error (34%); this indicates Australian organisations aren’t investing in cybersecurity from both a technology and employee education perspective,” commented John Donovan, managing director ANZ at Sophos.
Commenting on the importance of cybersecurity and the ramifications for not prioritising it, Donovan said “by investing in these areas, organisations will be able to better block attacks and have a workforce that is attuned to cybersecurity issues”.
Mark Sinclair, ANZ Regional Director, WatchGuard Technologies, weighed in, saying that “this latest report suggests that in reality not much has changed over previous quarters”.
“Health still dominates as the top offending industry and more than 50 percent of breaches in healthcare continue to be because of human error.
“Healthcare providers need to invest in systems and user education to help prevent accidental data breaches. They should also look at who has access to what information and consider removing the ability of repeat offenders to accidentally send out such information.
“Finance has always been second, but the number of breach notifications has increased over the last quarter and this is due to an increase in breaches resulting in malicious activities.
“This matches what we are seeing worldwide where criminals continue to chase dollars via cybercrime,” Sinclair concluded.
And rounding out the concerns of the security firms, Phil Kernick, co-founder and chief technology officer at CQR Consulting, said “it feels like Groundhog Day for the OAIC. This report is indistinguishable from the last quarter, which is the same as the one before that, and the one before that, and so on…”
“The intent of mandatory breach notification was to cause Australian business to internalise the cost of breaches, and use that money to improve their systems to keep all of our information safe. Clearly they haven’t.”
According to Kernick, Australian business has realised that reporting to the OAIC is “much easier and cheaper than actually improving security”.
“Until businesses involved in breaches are publicly named, and until there are meaningful penalties for non-compliance, the situation will not improve,” he warned.