Cyber security – the overlooked factor in Privacy Protection
Cyber security is key to privacy compliance because human factors are the major contributors to privacy breaches in Australia
OAIC Notifiable Data Breaches Report July to December 2020
Although the Office of the Australian Information Commissioner (OAIC)’s Notifiable Data Breaches Report July to December 2020 found that malicious or criminal attacks were the largest source of notified data breaches, human factors and human error in fact underlie the vast majority of breaches.
For the purposes of its report, the OAIC defines “malicious or criminal attacks” as “attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.”
However, these attacks “included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices …”
It is important to remember that in every such data breach incident, human factors play a key role.
For this reason, the importance of cyber security compliance in maintaining privacy compliance cannot be overstated.
Major Cyber Security Breach Types
“Cyber incidents were responsible for 39% of all data breaches, with phishing, compromised or stolen credentials, and ransomware the main sources of the data breaches in this category.” (OAIC report, p. 16)
The three major cyber security data breach types that OAIC’s report flags as posing major risks for privacy compliance are:
Phishing
According to the Australian Competition and Consumer Commission’s Scamwatch, phishing continues to be the most reported type of scam, with reports increasing by around 75% from 2019 to 2020. It is not surprising, then, that phishing was a significant cause of privacy data breaches.
It should go without saying that phishing attacks rely on human factors in order to succeed: someone has to click on the malicious link.
Many businesses’ IT systems are hardened against malicious emails, but some will always get through, and, paradoxically, the effectiveness of those systems can itself lower employees’ guard.
Social Engineering
The number of social engineering-induced data breaches was down slightly in the second half of 2020, but they still accounted for 11% of breaches. The willingness of contact centre staff to assist “distressed” callers, and the reluctance of staff to confront a stranger who tailgates them through security, continue to be a challenge for businesses that manage customers’ personal information.
Theft of Paperwork or Data Storage Device
The OAIC reports that this source of data breaches increased during 2020. It accounts for 9% of reported breaches. Here again, data security depends heavily on staff observing security practices.
The Role that Human Factors Play
The OAIC explicitly recognises the role that human factors play in what it characterises as “cyber incidents”:
“… email-based vulnerability is one of the greatest risks to information security facing organisations. The human factor is an important element in an organisation’s overall information and cyber security posture, given these attacks rely on a person clicking on a phishing link.” (p. 18)
Explicit Human Error
The OAIC reports that data breaches from human error increased during 2020, and that human error was – after cyber incidents – the second-largest source of data breaches.
“Common examples of human error breaches include sending personal information to the wrong recipient via email (45% of human error breaches), unintended release or publication of personal information (16%), and failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.” (p. 18)
Privacy Training and Cyber Security Compliance Training
There is no escaping the necessity for businesses that hold personal data to train their staff – and indeed their management and their directors – on the relevant privacy laws. The 13 Australian Privacy Principles, and in particular those on collection, use and correction, should be familiar to all staff. Increasingly, staff in Australia and in the Asia-Pacific region also need to be familiar with the EU’s General Data Protection Regulation, Malaysia’s Personal Data Protection Act, Singapore’s Personal Data Protection Act, the New Zealand Privacy Act and the California Consumer Privacy Act.
But knowing the procedures for the management of personal data is not the whole story. Businesses must acknowledge that a focus on data protection, particularly on cyber security compliance, is key in maintaining data security for customers, and in protecting the business from the enormous potential financial and reputational risk that can stem from a data breach.
Risk Assessment
When a business that holds personal data conducts a risk assessment, training in privacy compliance is always in scope. The information in the OAIC report strongly supports the contention that such a risk assessment should also include a review of the business’s cyber security compliance training.
Reporting Cybersecurity Breaches
If you have been the victim of a cybercrime, including financial loss, identity theft or compromised personal details, report it to ReportCyber at www.cyber.gov.au/report.
GRC Solutions’ Cyber Security Training Resources
Cyber Security – Non-Jurisdictional
GRC Solutions’ Privacy Training Resources
Australia
Privacy – covering the Privacy Act and the Australian Privacy Principles
Privacy for Schools – covering the Privacy Act and the Australian Privacy Principles as they apply to schools
Australia – Financial Services
Financial Services Privacy Training – covering the Privacy Act and the Australian Privacy Principles
Credit Reporting – covering the Credit Reporting Act
New Zealand
Privacy – New Zealand – covering privacy in New Zealand under the 2020 updates to the law
Europe
General Data Protection Regulation – covering the GDPR – which has global implications
Singapore
Data Protection Singapore – covering the Personal Data Protection Act 2012 and also the implications of the GDPR
Malaysia
Data Protection Malaysia – covering the Personal Data Protection Act 2010 and also the implications of the GDPR
California