Human error is the second highest overall source of data breaches – and in some sectors the highest – according to the second quarterly report into notifiable data breaches, issued by the Office of the Australian Information Commissioner (OAIC).
The quarter to 30 June 2018 had 242 notifications, taking the total since the notifiable data breaches (NDB) scheme began on 22 February to 305. That compares to only 114 notifications in the 12 months before the scheme’s launch.
Of total breaches in the quarter, 36 per cent were caused by human error, 59 per cent malicious or criminal attacks, and 5 per cent system errors.
Gerry Power, National Head of Sales for cyber specialist underwriting agency Emergence Insurance, said the statistics sent a strong message: “Think twice before you hit the send button.”
He believes education is the key to preventing human error breaches. “Your employees are your last line of defence. Give them the risk management tools to protect your business.”
Power said human error breaches included sending personal information to the wrong recipient, mainly via email or mail; and unintended release or publication of personal information.
He warned litigation for financial loss was likely to follow financial information breaches, which accounted for 42 per cent of NDBs. In the June quarter, loss of storage devices impacted on large numbers of people, averaging 1,199 affected individuals per breach. Failing to use the ‘blind carbon copy’ (BCC) function when sending group emails impacted, on average, 571 people per data breach.
In the health service providers sector, which had the highest number of NDBs, 59 per cent resulted from human error. In the finance sector, human error caused 50 per cent of notifications. While malicious or criminal attacks were the largest source of NDBs, Power said many cyber incidents exploited human vulnerabilities, for example, clicking on phishing emails or disclosing passwords.
“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.”
Brokers can advise their clients that organisations could reduce the potential for data breaches through risk management practices such as:
• Restricting administration privileges
• Conducting daily backups
• Continuously patching operating systems and software
• Implementing multi-factor authentication
• Employee training, including strong password protection strategies and raising awareness about the importance of protecting personal information.