Looking for the weak links in Australia’s data breach battle

Human error continues to play major role in breaches

New research suggests that more than half of local businesses may have experienced data breaches in the past year, with Australia ranked among the top countries in the world in terms of data breach incidents.

ServiceNow’s global report, Today’s State of Security Response: ‘Patch Work’ Demands Attention, which was conducted by the Ponemon Institute, found that 52 per cent of Australian organisations had suffered breaches.

At the same time, nearly half – 48 per cent – acknowledged that they were breached because of a known vulnerability, such as a software security flaw for which a security patch was already available.

However, it should be noted that although the survey involved responses from 3,000 security professionals across nine countries around the world, just 220 of them were surveyed in Australia, albeit from a decent spread of industry verticals.

Given the relatively small sample size taken in Australia, it is unclear whether the 52 per cent figure would be representative of the country as a whole.

Regardless, the report suggests that more than a third of Australian companies – 37 per cent – were actually aware they were vulnerable before they were breached.

The report’s findings suggested that Australian security teams did not feel sufficiently staffed to patch resources in a timely manner, with 81 per cent reporting that they were understaffed, the highest level in the world, according to ServiceNow.

In fact, the Australian component of the study reported the second lowest levels of staffing for security globally, at 15 people on average, less than half the average number in the US, according to ServiceNow.

“Organisations are focused on protecting themselves against the most sophisticated cyberattacks, yet they can dramatically improve their risk profile by focusing on the basics,” ServiceNow A/NZ managing director, David Oakley, said.

“The single most impactful step businesses can take to improve their risk profile is to improve the patch management process.

“With [Australia’s] new Mandatory Data Breach Notifications Scheme now operational, this research shows the scale of the challenge that Australian businesses are facing. Patching is now a boardroom issue.”

However, Australia’s first Notifiable Data Breaches (NDB) quarterly report published in early April by the Government under the Mandatory Data Breach Notifications Scheme suggested that the biggest factor behind the 63 notifications received during the first six weeks of the scheme was human error.

Out of the 63 notifications received, 51 per cent “indicated” that the cause was human error, while 44 per cent of notifications were the result of malicious or criminal attack, and three were the result of system faults.

Human error may include inadvertent disclosures, such as by sending a document containing personal information to the incorrect recipient.

Indeed, the ServiceNow research also suggested that the most common causes of breaches were human error, cited by 55 per cent of respondents, and external criminal attacks that exploited the organisations’ vulnerabilities, cited by 52 per cent of respondents.

At the same time, patching practices clearly play a large part.

As reported by sister publication Computerworld, a recent study by telecommunications vendor Verizon revealed that businesses are still falling behind when it comes to employee awareness training and patching vulnerabilities.

“People are getting hammered with white papers and invites to conference talks and things that say ‘You definitely need artificial intelligence in your SIEM’ or whatever,” Verizon principal consultant, Chris Tappin, said. “But people aren’t really doing the basics.”