FS PortalPURCHASE COURSES |Financial Services PortalContact Us
Home
Articles & Events
Articles
Articles
May 5, 2021

Cyber security - the overlooked factor in Privacy Protection

Cyber security is key to privacy compliance because human factors are the major contributors to privacy breaches in Australia

OAIC Notifiable Data Breaches Report July to December 2020

Although according to the Office of the Australian Information Commissioner (OAIC)’s Notifiable Data Breaches Report July to December 2020, malicious or criminal attacks were the largest source of notified data breaches, in fact human factors and human errors underlie the vast majority of breaches.

For the purposes of its report, the OAIC defines "malicious or criminal attacks" as “attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.”

However these attacks “included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices …”

It is important to remember that in every such data breach incident, human factors would play a key role.

For this reason, the importance of cyber security compliance in maintaining privacy compliance cannot be underestimated.

Major Cyber Security Breach Types

“Cyber incidents were responsible for 39% of all data breaches, with phishing, compromised or stolen credentials, and ransomware the main sources of the data breaches in this category.” OAIC report P16

The three major cyber security data breach types that OAIC’s report flags as posing major risks for privacy compliance are:

Phishing

According to the Australian Competition and Consumer Commission’s Scamwatch, phishing continues to be the most reported type of scam, with reports increasing by around 75% from 2019 to 2020. It is not surprising, then, that phishing was a significant cause of privacy data breaches.

It should go without saying that phishing attacks rely on human factors in order to succeed: someone has to click on the malicious link.

Many business’ IT systems are hardened against malicious emails, but some will always get through, and, paradoxically, the effectiveness of those systems can be a factor in lowering the employee’s guard.

Social Engineering

The number of social engineering-induced data breaches was down slightly in the second half of 2020, but they still accounted for 11% of breaches. The willingness of contact centre staff to assist “distressed” callers, the reluctance of staff to confront a stranger that tailgates them through security… these continue to be a challenge for businesses that manage customers’ personal information.

Theft of Paperwork or Data Storage Device

The OAIC reports that this source of data breaches increased during 2020. It accounts for 9% of reported breaches. Here again, data security depends heavily on staff observing security practices.

The Role that Human Factors Play

The OAIC explicitly recognises the role that human factors play in what it characterises as “cyber incidents”:

“ … email-based vulnerability is one of the greatest risks to information security facing organisations. The human factor is an important element in an organisation’s overall information and cyber security posture, given these attacks rely on a person clicking on a phishing link.” p18

Explicit Human Error

The OAIC reports that data breaches from human error increased during 2020, and that human error was – after cyber incidents – the second-largest source of data breaches.

“Common examples of human error breaches include sending personal information to the wrong recipient via email (45% of human error breaches), unintended release or publication of personal information (16%), and failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.” p18

Privacy Training and Cyber Security Compliance Training

There is no escaping the necessity for businesses that hold personal data to train their staff – and indeed their management and their directors – on the relevant privacy laws. The 13 Australian Privacy Principles, and in particular those on collection, use and correction, should be familiar to all staff. Increasingly, staff in Australia and in the Asia-Pacific region need also to be familiar with the EU’s General Data Protection Regulation,  the Personal Data Protection Act, Malaysia; the Personal Data Protection Act, Singapore; the New Zealand Privacy Act; and the California Consumer Privacy Act.

But knowing the procedures for the management of personal data is not the whole story. Businesses must acknowledge that a focus on data protection, particularly on cyber security compliance, is key in maintaining data security for customers, and in protecting the business from the enormous potential financial and reputational risk that can stem from a data breach.

Risk Assessment

When a business that holds personal data conducts a risk assessment, training in privacy compliance is always in scope. The information included in the OAIC report provides strong support for the contention that such a risk assessment should also involve a review of the business’ cyber security compliance training.

 

 

GRC Solutions’ Cyber Security Training Resources

Cyber Security – Australia

Cyber Security – USA

Cyber Security – Non-Jurisdictional

 

GRC Solutions’ Privacy Training Resources

Australia

Privacy -Covering the Privacy Act and the Australian Privacy Principles

Privacy for Schools - Covering the Privacy Act and the Australian Privacy Principles as they apply to schools

Australia- Financial Services

Financial Services Privacy Training - covering the Privacy Act and the Australian Privacy Principles

Credit Reporting - covering the Credit Reporting Act

New Zealand

Privacy - New Zealand - covering privacy in New Zealand under the2020 updates to the law

Europe

General Data Protection Regulation - covering the GDPR - which has global implications

Singapore

Data Protection Singapore - covering the Personal Data Protection Act2012 and also the implications of the GDPR

Malaysia

Data Protection Malaysia - covering the Personal Data Protection Act2010 and also the implications of the GDPR

California

California Consumer Privacy Act

You might be interested in...

May 3, 2021
Articles
4 Steps to Improve Your Compliance Training Scenarios

Learning is more effective when learners can relate to the content by reflecting upon their real-world experience. Presenting scenarios in training are often used to assist in this reflection. This article shares four simple steps for writing relevant and effective scenarios and several tips to help you incorporate relevant scenarios into your compliance training sessions.

April 14, 2021
Articles
5 Tips to incorporate Microlearning into your compliance training program

GRC Solutions Senior Consultant, Lyndon Lovell, offers insightful tips to improve your compliance training program via the use of Microlearning

Get in touch

Speak to an account manager today

Off to a great start! One of our customer service representatives will be in touch with you shortly.
Oops! Something went wrong while submitting the form.