Companies Turn a Deaf Ear To Security
- By Lachlan Colquhoun
- October 05, 2020
Another week in Australia, another bunch of reports about data breaches and cyber attacks.
Maybe it is because data breaches are now legally notifiable, or perhaps it is just that there is a lot of breaching going on. But it is hard to escape the conclusion that the IT infrastructures and security procedures of many Australian organisations are just not up to the task.
Here’s just a random sample of what has happened in recent months.
In September, state government organization Service New South Wales confirmed that the personal information of 180,000 people may have been exposed after the emails of 47 staff were hacked.
The incident happened after the organization began using Office365, the cloud-based email and office software Microsoft product. But staff had not yet switched to multi-factor authentication which could have prevented the breach.
The organization is now examining around 3.8 million documents to assess the severity of the breach, but that process won’t be completed until December.
Down in Tasmania, a simple configuration error made the personal details of almost 20,000 University of Tasmania students accessible to anyone with a university email address.
The error happened due to the misconfiguration of the SharePoint server, exposing the documents through the Delve feature in Office365.
More recently, the email addresses of almost 3,000 Australians stranded overseas due to the COVID-19 pandemic disruptions were revealed in an incident the Department of Foreign Affairs described as a “stuff up.”
In this case, instead of sending out the emails as Bcc, they were sent openly by a departmental officer.
These three cases show two aspects of Australia’s cyber security problems: poor processes and incompetence among organizational users, and the growing activity of cyber criminals keen to exploit opportunities.
Unsurprisingly, ransomware attacks are also on the rise, with targets which even include the not-for-profit charity group Anglicare, while business email compromise (BEC) scams are also on the rise, making up 7.3% of all cybercrime and costing the economy around AUD 132 million per year.
The hidden danger
Data from the Office of the Australian Information Commission (OAIC) reveals there were 1,050 eligible data breaches under the mandatory Notifiable Data Breaches scheme.
Most of these, according to the OAIC, were as a result of human error or cyber-attacks linked to phishing or poor password practices.
Beyond these trends, it is perhaps of more concern that as organizations digitally transform, they are storing more and more of their sensitive data in the cloud, a majority of which is not encrypted.
According to multinational data protection vendor Thales, more of this data will be stored in the cloud than outside of it. Currently, only half — or 52% of data in the cloud is encrypted, potentially creating a crisis in cyber resilience for Australian organizations.
According to the Thales Asia-Pacific Data Threat Report released in late September, just over half — or 53% — of new technologies are being deployed with appropriate data security.
Organizations also estimate that 43% of their data is sensitive, but only 52% of it is encrypted.
The attitude problem
This is occurring in the context of increasing complexity in cloud infrastructure.
Hybrid and multi-cloud infrastructures are the norm, used by 90% of organizations according to Gartner, and the Thales view is that this means increased complexity, stretching the focus of IT management resulting in multiple non-integrated encryption key management systems.
Other trends are also contributing to potential security failures. The pandemic has created the need for many people to work remotely, which brings with it new vulnerabilities both in process and technology.
And despite all this, seven in ten organizations are continuing their digital transformations, suggesting that security corners could be cut and vulnerabilities almost entrenched in the haste to transform.
As a whole, this means there is a “laissez-faire attitude to data protection,” according to Brian Grant, ANZ regional director of data security solutions at Thales.
“The old school approach of statically building and enforcing cybersecurity is at odds with the reality that change is accelerating and being driven by software,” says Grant.
All talk, no walk
While some organizations were “talking a good story,” Thales research found that in 2021 data protection would “fall below the rate of attention,” to an average of 14 percent of IT budgets.
The impact of this, says Grant, could be that innovation and business agility could be stifled “for years to come” due to a loss in customer confidence, and the impact on the bottom line from digital initiative failures or data breach remediation costs.
And speaking of consumer confidence, it remains highly skeptical, and not only that but consumers are demanding compensation for breaches.
A survey by the OAIC office released in September found four out of five people wanted some compensation for breaches of their privacy, while 83% wanted the Government to do more about data protection, raising expectations for key changes after a review of Australia’s Privacy Act.
Organizations, therefore, are facing the prospect of mandatory disclosure combined with compensation for breaches, not to mention the loss in confidence which can beset their work over the long term.
One answer? While human error will always occur, despite best processes and intentions, there’s no substitute for encryption. Something to ponder as organizations ramp up their data migration to the cloud.
Image credit: iStockphoto/SIphotography