NDB stats show need for serious security
The Office of the Australian Information Commissioner’s latest quarterly Notifiable Data Breach report highlights the urgent need for organisations to take a more proactive approach to security, experts have warned.
The report, released last week, shows that 242 data breaches were disclosed in the first full quarter of the scheme’s operation. Around 59% of these involved malicious attacks, and around half of such attacks were the result of compromised credentials.
CQR co-founder and CTO Phil Kernick said the findings demonstrate that organisations need to be better at fostering a culture of security.
“For some reason, IT security messages are not yet ingrained in the mindset of each and every employee within an organisation and it remains to be seen if Australian businesses have actually worked out how much risk they are willing to stomach,” he said.
Content Security CTO Ken Pang said the report shows the need for companies to regularly review their IT security policies and practices. Such a review should incorporate “all aspects from systems patching and centralised logging to implementing a principle of least privilege,” he said.
Bitglass VP of Sales for Asia Pacific and Japan David Shephard said the statistics highlight the challenge of finding a balance between convenient user access, flexible ways of working and appropriate data security.
“Businesses today must understand the value of their data, where it’s stored, who can access it, how it’s accessed and how it’s being protected,” he said.
Meanwhile, the finding that 88 of the reported breaches not caused by malicious attacks involved human error, and that compromised credentials were the cause of the majority of breaches involving malicious attacks, aligns with the findings of recent audits by Dekko Secure.
“Our recent experience conducting security audits inside the legal, healthcare, engineering and public sector organisations shows that human error continues to be at the heart of at least half of all security breaches,” the company’s Managing Director, Jacqui Nelson, said.
“Too often, a desire to just get the job done in the fastest and most efficient way means that we mere humans fall prey to simple errors like accidental misaddressing, using email to share files and an inability to verify a person’s identity are the fundamental causes of systematic failure in today’s online environment.”
Experts also agreed on the need for organisations to adopt new and upgraded security capabilities in response to a rapidly evolving threat landscape.
“The latest network monitoring and forensics technology, rapid threat detection and advanced SIEM are increasing in importance all the time,” LogRhythm Director of Sales for APAC Simon Howe said.
“Technologies like user and entity behaviour analytics (UEBA) can be vital in building [the] capability to defend against an attack by expanding the network activity they monitor, so any new and unusual interactions that could signify a compromise can be picked up before they lead to a damaging breach.”
Ping Identity CTO for APAC said the high number of breaches involving compromised credentials indicates that not enough organisations are using multifactor authentication.
“Ping Identity advocates the use of preventative technology throughout an organisation’s IT architecture: from multifactor authentication at the end-user device, through to access management for applications and APIs to control access to services based on user context and policies, to the data tier with strong controls over who can access sensitive records and individual data elements, with data encrypted at rest and in backups,” he said.
Aura Information Security’s Australia Country Manager Michael Warnock added that it is becoming even more important for organisations to take what he called a “secure by design” approach.
“By considering security at the very beginning of an application design process, rather than just before ‘go-live’, and by carrying out regular penetration testing of both old and new applications, organisations can help build a better line of defence; and in turn make it harder for cybercriminals to use tried and true techniques to steal data,” he said.