The latest OAIC Quarterly Statistics Report, covering April to June 2019, indicates that more than 10 million people were affected by a data breach in one way or another. There were a total of 245 data breach notifications. This is a substantial number considering that 62% of these resulted from criminal or malicious attacks, meaning they were intentional. About 34% of the notifications resulted from human error, and the rest resulted from system faults.
In your agency or organisation, a data breach occurs when your client's personal information is accessed or disclosed without the client's permission.
Stolen data may involve financial information such as bank details or credit card numbers, personal health information (PHI), personally identifiable information (PII), intellectual property or trade secrets.
If your agency or organisation is covered by the Privacy Act 1988 and a data breach occurs, the Notifiable Data Breaches (NDB) scheme requires you to notify the affected clients and the Office of the Australian Information Commissioner (OAIC), especially when the data breach is likely to cause serious harm to the affected individuals.
As stated earlier, you need to report any data breaches to the OAIC. A breach is eligible for reporting when:
Your agency or organisation is not able to take remedial action that removes the likely risk of serious harm.
The breach is likely to cause serious harm to one or more individuals.
There has been unauthorised disclosure of, or unauthorised access to, personal information that the agency or organisation holds (or information has been lost in circumstances where unauthorised disclosure or access is likely to occur).
If you suspect that an eligible data breach might have occurred in your agency or organisation, you must quickly assess the breach and determine whether serious harm to an individual or a group of people is likely to result. If that's the case, you have to report to the OAIC immediately.
If your business does not notify the OAIC of an eligible data breach, the failure to comply with the NDB scheme may attract fines of up to $2.1 million, in addition to any damages arising from the data breach itself.
Preventing a data breach requires an understanding of the types of breaches you are likely to face. Criminal and malicious attacks are the leading causes of data breaches. That's why the first line of action should be to use strong passwords and to raise awareness among your employees on the importance of protecting clients' data.
Criminals use simple tricks to lure employees into revealing their organisation's credentials so that they can access and exploit sensitive information. Some of the tricks they use are:
Phishing: criminals steal confidential information by sending deceptive messages to the people they target.
Spear-phishing: a more dangerous class of phishing. Here, criminals use social engineering to target specific individuals and companies with realistic messages or bait, built from company information available in public sources such as media releases, shareholder updates and annual reports.
Passwords are the first line of defence when it comes to data breaches and spills. To mitigate breaches related to passwords and credentials:
Use multi-factor authentication, which grants a user access only after they present two or more factors (pieces of evidence) to the authentication mechanism. The evidence can be something only the user knows or something only the user possesses.
Look out for suspicious account activity such as user logins at odd hours or from unfamiliar locations or devices.
Discourage users from entering credentials such as usernames and passwords without first checking the authenticity of the system requesting them.
Software systems provide another weak point for criminals to attack. To mitigate this:
Keep plug-ins, browsers and operating systems up to date.
Enable anti-virus protection on all devices.
Use web filtering to stop users from viewing certain websites or URLs. For example, you can use WebGuard (or another industry-leading product) to prevent users' browsers from loading pages from those websites or URLs.
Add mail filtering systems to ensure you only receive mail from trusted sources and classify other mail as spam. You can use mail filters such as MailGuard.
Make use of the Office 365 Administrator / Alerts Portal; this ensures only authorised individuals can access your documents.
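The advice above to watch for logins at odd hours or from unfamiliar locations or devices can be turned into a simple check over authentication logs. The script below is an added illustration, not code from the original article or from any product it mentions; it assumes a constructed key=value log format, a placeholder business-hours policy of 07:00 to 18:59, and builds each user's baseline of known IPs and devices from the earlier entries in the same log.

```python
import re
from datetime import datetime

# Constructed sample authentication log lines (not taken from the page).
SAMPLE_LOG = """\
2019-06-03T09:12:41 user=alice result=success ip=203.0.113.10 device=laptop-alice
2019-06-03T09:30:05 user=bob result=success ip=203.0.113.11 device=desktop-bob
2019-06-04T02:47:59 user=alice result=success ip=198.51.100.77 device=unknown-android
2019-06-04T10:15:22 user=bob result=success ip=203.0.113.11 device=desktop-bob
2019-06-04T10:16:03 user=bob result=success ip=192.0.2.200 device=desktop-bob
2019-06-04T10:20:00 user=carol result=failure ip=192.0.2.9 device=unknown
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                     r"ip=(?P<ip>\S+) device=(?P<device>\S+)$")
# Assumed business-hours policy (placeholder): logins expected 07:00-18:59.
BUSINESS_START, BUSINESS_END = 7, 19

def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def flag_suspicious_logins(events):
    """Return (user, iso timestamp, reasons) for each successful login that is
    outside business hours or from an IP/device not seen earlier for that user.
    The per-user baseline is built from the earlier events in the same log."""
    seen = {}      # user -> {"ips": set(), "devices": set()}
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue               # failed attempts are not logins
        reasons = []
        if not BUSINESS_START <= ev["ts"].hour < BUSINESS_END:
            reasons.append("outside business hours")
        base = seen.setdefault(ev["user"], {"ips": set(), "devices": set()})
        if base["ips"] and ev["ip"] not in base["ips"]:
            reasons.append("new source IP")
        if base["devices"] and ev["device"] not in base["devices"]:
            reasons.append("new device")
        base["ips"].add(ev["ip"])
        base["devices"].add(ev["device"])
        if reasons:
            flagged.append((ev["user"], ev["ts"].isoformat(), reasons))
    return flagged
```

On the sample log this flags alice's 02:47 login (out of hours, new IP, new device) and bob's second login from a new IP, while ignoring carol's failed attempt.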
1. We can help move your data to a secure cloud infrastructure. Your data is stored in your own private space on our Australian-based, Government-grade secure servers, which give you instant access to your confidential data.
2. We offer a Document Management System which will allow you to digitise unsecured paper documents and safely store them in the cloud.
3. We offer printer security because this is the point where hackers can install their malware to gain access to copies of your documents, launch DoS attacks, gain access to sensitive or confidential information, and send unauthorised print jobs.
4. We are 100% Australian, meaning we understand local problems and are, therefore, in the best position to provide solutions.
Cybercriminals are always on the lookout for areas of security weaknesses so they can attack your system. Dealing with security issues can, therefore, be a great challenge to your agency or organisation. That's why you need the services of security experts.