Protect yourself: Own your cyber risk
This week the Office of the Australian Information Commissioner (OAIC), released its Notifiable Data Breaches (NDB) Scheme report. This quarter, there were 30 more data breaches reported in than in Q1, with the health service reported to be the country’s most affected sector (47 NDBs reported). The finance sector followed closely with (42 NDBs) and in one single incident, over 10 million individuals had their information compromised.
The majority of breaches were attributed to malicious or criminal attacks, which accounted for 62 per cent of all breaches, followed by human error (34 per cent) and system faults (4 per cent).
Interestingly, as attacks increase, the OAIC will curtail its reporting to just twice a year. That could be a story in itself, however when you look at the amount of attacks - and the calibre - it is certainly a good time to tighten security protocols. The OAIC is putting that onus on businesses," said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combating data breaches and improving response strategies,” she said.
“Effecting change in practices to prevent breaches is vital to the goal of protecting the community.
“Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”
According to Lindsay Brown, Vice President of Asia Pacific and Japan at LogMeIn (NASDAQ:LOGM), “Data breaches and security issues have become the new normal, which is deeply concerning, for consumers and businesses alike."
We have seen several examples of this new normal, just this week, following a fresh data breach involving PayID records.
NPP Australia revealed that phone numbers, names, BSB and account details linked to PayID were all breached after the New Payments Platform (NPP) database was hacked. The NPP is a real-time payments platform mutually owned by 13 major financial institutions, including the big four banks, who have been in touch with affected customers.
"Though the number of reported data breaches has grown by 30 in Q2, the composition looks eerily similar. Much like last quarter, the Notifiable Data Breaches Q2 2019 report found that malicious or criminal attacks accounted for the majority (62%) of reported data breaches (151 of the 245 breaches). The vast majority of cyber incidents (79%) were linked to stolen or compromised credentials, collected through various means including phishing and brute-force attacks. While more organisations are looking at ways to mitigate the risk around credential management (including passwords) it continues to be an avenue for malicious actors to infiltrate businesses who rely on their users to do the right thing when it comes to credentials."
Westpac has heightened account monitoring on accounts and asked customers to be on the lookout for any suspicious activity. "We ask that you also be vigilant with any messages received via text or phone calls from an unidentified source," the bank said.
Meanwhile, a database belonging to Neoclinical, an Australia-based company that matches individuals with active clinical trials, exposed approximately 37,000 people's contact information and their responses to personal medical questions qualifying them for clinical trials, which included information about diagnoses, illicit drug use and treatments.
School students' email addresses were exposed online in a major data leak, after being used to register for an international pornography site.
That's just a drop in the ocean of what has happened this week alone.
Our own worst enemies
We need to be wary fo hackers, but sometimes we are our own worst enemies.
“In our LastPass Psychology of Passwords survey we found that 91% of respondents claim to know that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so," Brown says.
"Meanwhile, in a global study of 47,000 LastPass users, 50% said there is no difference between their personal and work passwords, while each of us shares around six passwords with our co-workers! Naturally, humans resort to using the bare minimum required when inputting credentials, and this doesn’t change in the workplace. Credentials are a core part of every employee’s daily workflow, and failing to secure them can have dire consequences.
Brown has urged business leaders to educate employees on the importance of these practices and establish password requirements including a mix of characters (uppercase, lowercase, symbols, and numbers), avoid words straight out of the dictionary, and be as long as possible – ideally no shorter than 14 characters.
"The longer the password is, the harder it becomes to crack, or brute-force attack," she says.
“What’s more, using an identity security solution that brings together password management, single-sign-on (SSO) for apps, and multi-factor authentication (MFA) (or biometric based solutions), is the single best way to keep your organisation’s credentials secure. Looking beyond passwords and incorporating these additional features adds layers of protection that helps ensure an attacker won’t be able to access an account even if they do obtain the password.
“As those on the front line, staff should also be given guidance on responding quickly to data hacks. If a business can build a strong defence mechanism combined with trained staff, it will stand a better chance of remaining secure and cyber-ready.
“By leveraging user friendly comprehensive identity management solutions alongside solid cybersecurity processes, we can ensure that data breaches as a result of weak passwords and stolen credentials become a thing of the past.”
There is a great deal that can be done to mitigate data breaches, including strengthening passwords, creating multi-factor authentication security solutions and using companies such as WhiteHawk (ASX:WHK) that can match businesses with bespoke solutions, find insights, affordable vendor products and services to help them own their cyber risk.
And that's the key. Own your cyber risk by implementing all of the above. You may not beat the hackers by doing so, but you'll certainly make them think twice about instigating a breach against you.
When the experts at Next Investors have a stock pick, it may pay to listen.
The Next Investors have been investing in ASX small cap stocks for years, with their best small cap picks yielding returns of 1,200%, 1,120%, 900% and 678%.
They have just revealed their hand-picked, FY2021 stock portfolio of high conviction long-term investments.
Click the link below to see what they are currently investing in.
S3 Consortium Pty Ltd (CAR No.433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information only. Any advice is general advice only. Neither your personal objectives, financial situation nor needs have been taken into consideration. Accordingly you should consider how appropriate the advice (if any) is to those objectives, financial situation and needs, before acting on the advice.
Conflict of Interest Notice
S3 Consortium Pty Ltd does and seeks to do business with companies featured in its articles. As a result, investors should be aware that the Firm may have a conflict of interest that could affect the objectivity of this article. Investors should consider this article as only a single factor in making any investment decision. The publishers of this article also wish to disclose that they may hold this stock in their portfolios and that any decision to purchase this stock should be done so after the purchaser has made their own inquires as to the validity of any information in this article.
The information contained in this article is current at the finalised date. The information contained in this article is based on sources reasonably considered to be reliable by S3 Consortium Pty Ltd, and available in the public domain. No “insider information” is ever sourced, disclosed or used by S3 Consortium.