Human error is still causing data breaches

How Liable is a Builder?
November 2, 2018

Human error remains a key cause of notifiable data breaches, according to the latest quarterly report from the Office of the Australian Information Commissioner (OAIC).

While malicious or criminal attacks are still the largest source of notifiable data breaches (NDBs), accounting for 57%, human error is second with cyber incidents exploiting human vulnerabilities, for example, encouraging people to click on phishing emails or disclose passwords.

Gerry Power, Head of Sales at Emergence, said: “The continued propensity for human error to cause NDBs is a disturbing insight because it shows businesses are not educating staff enough on how to identify phishing emails or handle personal information appropriately.”

Human error accounted for 37% of data breaches in the latest report. Emailing personal information to the wrong recipients was the most common human error data breach (12%). Second highest was failing to use the BCC function when sending group emails, which impacted on an average of 494 people each breach.

Gerry said the healthcare industry continued to be the worst-performing sector, recording 18% of data breaches and human error was responsible for more than half those. “That gives an insight into why some cyber insurers will not write the healthcare industry for data breaches,” he said.

The finance sector was the second-worst performing industry for the second consecutive quarter, with 14% of breaches.

The legal, accounting and management services sector was a close third. Gerry said Emergence’s claims data backed that up. “The accounting profession is a honeypot of data for cyber criminals,” he said.

The NDB scheme was introduced on 22 February 2018 and, since then, OAIC has had 550 notifications, including 245 in the July-September quarter. That compares to only 114 notifications in the 12 months before the scheme’s launch.

As knowledge of the NDB scheme increases in the business community, the number of known data breaches will continue to rise.

Education is the key to reducing the human error element of NDBs.

Emergence conducts in-house education sessions, online seminars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks.

The increasing rate of notifications highlights the need for cyber insurance. Emergence’s cyber policy gives insureds 24/7 access to an Australian-based incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.

Emergence’s policy includes cover for reporting data breaches to OAIC, regulatory investigations, and costs of communicating data breaches to affected individuals.

“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies, and procedures fail to stop an attack,” Gerry said.

Organisations can reduce the potential for NDBs through risk management practices such as:
•    Employee training, including strong password protection strategies and raising awareness about the importance of protecting personal information
•    Restricting administration privileges
•    Conducting daily backups
•    Continuously patching operating systems and software
•    Implementing multi-factor authentication.

Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.