Australia’s reported data breaches increased by 19% in the last quarter of 2019. In this short post, we break down what caused them and how you can protect your business.

Australian organisations are now subject to Notifiable Data Breach laws. These laws attempt to drive better security standards for protecting personal information, and they require organisations to disclose breaches to the Office of the Australian Information Commissioner (OAIC).

Companies that fail to disclose may be subject to hefty fines, which also extend personally to company directors.


Want to protect sensitive information in Microsoft 365? Download our free Microsoft 365 Data Protection guide.


How were Australian companies breached?

The OAIC releases a quarterly report on reported data breaches. The latest covers records up to December 2019, with a total of 537 reported breaches, which break down into the following categories:

  • Malicious or criminal attack – 64%
  • Human Error – 32%
  • System Fault – 4%

Causes of Australian Data Breaches December 2019

To adequately protect your business against data breaches, you need to implement a system that addresses all three categories.

Protecting your organisation against malicious or criminal attacks

Let’s look at the methods hackers used to breach Australian businesses.

Methods Of Malicious Or Criminal Attack

Of the ‘Malicious or criminal attack’ category, 74% of breaches involved compromised credentials. These are known as identity attacks because they use a compromised identity to gain unauthorised access. According to Microsoft, by implementing Multi-Factor Authentication across all users, an organisation can defend itself against 99.9% of identity-based attacks.

Ransomware and malware made up another 16% of ‘Malicious or criminal attack’ breaches. These can be prevented by implementing a capable desktop and email threat protection engine such as:

  • Office 365 Advanced Threat Protection
  • Microsoft Defender Advanced Threat Protection.

Protecting your organisation against human error related breaches

Of the ‘Human Error’ category, 42% of breaches involved email. An example of this might be sending sensitive data to the wrong recipient. Companies can prevent this kind of breach by implementing a system that scans outbound email.

If the system determines that the email contains sensitive information, it can immediately block the mail delivery or alert a team member.
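The outbound scanning described above can be illustrated with a small policy check. The code below is an added example, not part of the original post and not GCITS's own tooling; it assumes a hypothetical internal domain (`example.com.au`), a constructed keyword list, and uses the public Australian Tax File Number check-digit algorithm (weights 1,4,3,7,5,8,6,9,10, sum divisible by 11) to avoid flagging every nine-digit number. Mail with sensitive content bound for an external recipient is blocked; internal-only mail with sensitive content raises an alert; everything else is allowed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed values for this example (not from the original post).
INTERNAL_DOMAIN = "example.com.au"
SENSITIVE_KEYWORDS = ("tax file number", "medicare number", "date of birth")

# Public ATO TFN check: weighted digit sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Nine digits, optionally grouped as 3-3-3 with spaces or hyphens.
TFN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the nine digits pass the TFN checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return every digit run in the text that is a checksum-valid TFN."""
    found = []
    for match in TFN_PATTERN.finditer(text):
        digits = "".join(match.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def external_recipients(mail: OutboundMail) -> list[str]:
    """Recipients whose address is not on the organisation's own domain."""
    suffix = "@" + INTERNAL_DOMAIN
    return [r for r in mail.recipients if not r.lower().endswith(suffix)]


def evaluate(mail: OutboundMail) -> dict:
    """Decide ALLOW / ALERT / BLOCK for one outbound message."""
    text = f"{mail.subject}\n{mail.body}"
    tfns = find_tfns(text)
    keywords = [k for k in SENSITIVE_KEYWORDS if k in text.lower()]
    external = external_recipients(mail)
    findings = {"tfns": tfns, "keywords": keywords, "external_recipients": external}
    if not tfns and not keywords:
        return {"action": "ALLOW", **findings}
    if external:
        # Sensitive content leaving the organisation: stop delivery.
        return {"action": "BLOCK", **findings}
    # Sensitive content stays internal: deliver, but notify the security team.
    return {"action": "ALERT", **findings}


if __name__ == "__main__":
    # Constructed sample messages; 123456782 is a checksum-valid test TFN.
    samples = [
        OutboundMail("alice@example.com.au", ["bob@partner.example"],
                     "Client onboarding", "TFN: 123 456 782 as requested"),
        OutboundMail("alice@example.com.au", ["carol@example.com.au"],
                     "Client onboarding", "TFN: 123 456 782 as requested"),
        OutboundMail("alice@example.com.au", ["bob@partner.example"],
                     "Lunch", "Ref 123456789, Friday works for me"),
    ]
    for mail in samples:
        print(mail.recipients, evaluate(mail)["action"])
```

In a real deployment the decision function would sit behind a mail transport rule or a DLP policy engine rather than a script, but the shape is the same: classify the content, compare the recipients against the organisation boundary, then block or alert.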

Protecting your organisation against System Fault breaches

Protecting your organisation against system fault breaches relies on a combination of luck and due diligence. According to the OAIC, these types of breaches involve ‘disclosure of personal information on a website due to a bug in the web code, or a machine fault that results in a document containing personal information being sent to the wrong person.’

To defend against system faults, we recommend storing your sensitive data with reputable vendors only and choosing an IT partner who will regularly monitor and maintain your systems.

How can we help secure your environment against data breaches?

We use a combination of Microsoft 365 Business Premium and Microsoft Cloud App Security to implement enhanced cybersecurity for small businesses.

It’s not enough to simply buy the Microsoft licenses and apply them to your users.

To be effective in the modern threat landscape, these systems must be configured and monitored, with policies applied and adhered to.

Want to learn more about protecting your data against breaches in Microsoft 365? Download our free guide on which features you should configure, or get in touch today.


GCITS - Dropbox Business Elite Partner

We’ve been providing Dropbox Business as a core part of our Managed Services for a few years now, and have received great feedback from customers for its simplicity and reliability.

Our customers get a seamless solution with Dropbox Business and Microsoft 365, with single sign on through Azure Active Directory, advanced protection via Microsoft Cloud App Security and an excellent integration with Office Online.

We’re thrilled to announce that we have completed the customer satisfaction and training requirements to become the first Dropbox Business Elite Partner in Australia and New Zealand. And we’re pretty happy with the smash cake too.

The recently implemented Notifiable Data Breaches scheme imposes an obligation for entities to notify individuals whose personal information was exposed in a data breach if they’re at risk of serious harm.

If you don’t comply with the requirements of the scheme, the penalties can be quite severe. The Office of the Australian Information Commissioner can impose fines of up to $1.8 million for organisations, and $360 000 for company directors.

To find out how to assess a breach, as well as how to correctly notify any affected individuals, see this resource on the OAIC website.

Which businesses need to comply?

While all businesses should take the privacy and security of customer data seriously, not every business needs to adhere to the NDB scheme.

If your business meets any of the following criteria, you’ll need to make sure you’re aware of the new requirements. Please note that this is not an exhaustive list. See the OAIC website for more information.

  • Any business with an annual turnover over $3 million
  • Entities that are Tax File Number recipients, such as:
    • solicitors
    • tax agents
    • accountants
    • share registries and agents of ESS providers
  • Entities that provide any health services, such as:
    • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
    • gyms and weight loss clinics
    • complementary therapists, such as naturopaths and chiropractors
    • child care centres and private schools.
  • Organisations or small businesses that provide credit, such as:
    • a bank
    • a building society, finance company or a credit union
    • a retailer that issues credit cards in connection with the sale of goods or services
    • an organisation or small businesses that supplies goods and services where payment is deferred for seven days or more, such as telecommunications carriers, and energy and water utilities
    • certain organisations or small businesses that provide credit in connection with the hiring, leasing, or renting of goods.
  • Entities related to an APP (Australian Privacy Principles) entity.
  • Entities that trade in personal information. These are businesses that buy or sell personal information for a benefit, service or advantage.
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009

How to make sure your business is protected

If your organisation is covered by the Notifiable Data Breaches scheme, it’s important to make sure you are taking appropriate steps to protect your customers’ data.

Our Security First Managed Services offering is designed to help address the requirements of the NDB and the incoming EU General Data Protection Regulation. Find out how.