Human error is the second highest overall source of data breaches – and in some sectors the highest – according to the second quarterly report into notifiable data breaches, issued by the Office of the Australian Information Commissioner (OAIC).
The quarter to 30 June 2018 had 242 notifications, taking the total since the notifiable data breaches (NDB) scheme began on 22 February to 305. That compares to only 114 notifications in the 12 months before the scheme’s launch.
Of total breaches in the quarter, 36% were caused by human error, 59% malicious or criminal attacks, and 5% system errors.
The statistics sent a strong message: “Think twice before you hit the send button.”
Education is the key to preventing human error breaches. “Your employees are your last line of defence. Give them the risk management tools to protect your business,” says Emergence Head of Sales Gerry Power.
Human error breaches include sending personal information to the wrong recipient, mainly via email or mail; and unintended release or publication of personal information.
Gerry warns litigation for financial loss is likely to follow financial information breaches, which accounted for 42% of NDBs.
In the June quarter, loss of storage devices impacted on large numbers of people, averaging 1,199 affected individuals per breach. Failing to use the ‘blind carbon copy’ (BCC) function when sending group emails impacted, on average, 571 people per data breach.
In the health service providers sector, which had the highest number of NDBs, 59% resulted from human error. In the finance sector, human error caused 50% of notifications.
While malicious or criminal attacks were the largest source of NDBs, many cyber incidents exploited human vulnerabilities, for example, clicking on phishing emails or disclosing passwords.
“Emergence conducts in-house education sessions, online seminars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks,” Gerry said.
The high rate of notifications and the continual rise month on month highlighted the need for cyber insurance.
Emergence’s cyber policy gives insureds 24/7 access to an incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.
Emergence’s policy covers reporting data breaches to OAIC, any subsequent regulatory investigations, and costs associated with communicating data breaches to affected individuals.
“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” Gerry said.
Organisations can reduce the potential for data breaches through risk management practices such as:
• Restricting administration privileges
• Conducting daily backups
• Continuously patching operating systems and software
• Implementing multi-factor authentication
• Employee training, including strong password protection strategies and raising awareness about the importance of protecting personal information.