Email is the underlying cause of a significant number of data breaches affecting personal information, according to the latest report by the Office of the Australian Information Commissioner (OAIC).
Simple mistakes such as sending personal information to the wrong email recipient accounted for 12% of the 245 data breaches reported during the September 2018 quarter. Cyber attackers also regularly targeted email (and phone texts) with phishing scams, which accounted for 20% of all data breaches in the quarter.
The findings suggest that organisations should re-consider their use of email to communicate sensitive information, as well as strengthen cyber security and staff training.
Around half of governance professionals use their personal email for sensitive internal board communications, according to a recent Diligent global survey on governance practices, leaving their organisation vulnerable against cyber attacks.
Safer communication methods such as secure closed-loop messaging for directors are slowly gaining traction as awareness about the risks continues to rise. More than one-third (35%) of boards are now using this method according to the Diligent survey.
Human errors suggest more intuitive systems are needed
While cyber-attacks attract plenty of headlines, simple mistakes also cause many data breaches.
Human errors accounted for more than one-third (37%) of breaches while malicious or criminal attacks accounted for more than half (57%) of breaches in the September quarter, according to the OAIC.
Sending emails to the wrong person was the most common human error, followed by unintended release or publication of a document (14 cases); personal information sent to the wrong person by post; loss of paperwork or data storage device (both 13 cases).
Human errors such as sending personal information to the wrong recipient generally impacted smaller groups of individuals while mistakes such as not using the blind carbon copy (bcc) function on email affected an average of 494 individuals per data breach.
These errors suggest better software is needed that incorporates a more human-centred design approach, while organisations should also improve their culture of compliance. When trust in businesses, government and even non-profits is falling, getting these basics right is more important than ever to restore public confidence.
Lessons from the Royal Commission: Don’t ignore paper-based risks
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry also recently released company submissions, revealing several paper-based data breaches.
- In 2013, at least 17 private banking clients received an anonymous letter which contained sensitive financial details of at least 40 clients including financial holdings, debt, recent transactions and future financial plans. An investigation was unable to reveal the source of the leak.
- In 2015, an independent legal firm received a 460-page fax containing a bank’s private customer information such as contact details, property addresses and loans. The data breach was only recognised because one of the firm’s staff was married to a bank employee and alerted their spouse. The incident remains under investigation.
- Also in 2015, a smaller financial services organisation admitted that five archive boxes were incorrectly disposed of via general waste removal rather than via secure shredding. The third-party cleaning contractor was asked to review its document destruction protocols and staff induction processes.
These breaches highlight how simple it is for sensitive data to fall into the wrong hands. Poor processes and procedures often create the opportunity for fraudulent activity.
Losing paperwork or a data storage device accounted for 5% of data breaches in the September quarter, according to the OAIC.
Data losses and human error aren’t limited to the front lines. At the top level of organisations, they can expose sensitive commercial and operation information, creating reputation, legal and financial risks. Nearly 30% of board members reported losing or misplacing electronic devices such as a phone in the past year, while another 23% reported losing or misplacing paper assets, according to Diligent’s global survey on governance practices.
A check-up on healthcare data practices
We trust the medical industry to help us when we’re unwell or injured, but is its data security similarly reliable?
Australians have their doubts, with over one million people so far opting out of the digital My Health Record system currently being rolled out across the country amid privacy concerns. That’s despite the government taking further steps to strengthen protection, including requiring a court order to release records without consent and enabling users to request their record is permanently deleted.
Statistics show public concern isn’t unfounded. Private health providers had the highest number of data breaches of all industry sectors not only in the September quarter, but in the previous two reports. Most recently, health industry breaches accounted for 18% of the total for the period.
Digging deeper, out of the top five industry sectors healthcare had the highest proportion of breaches that resulted from human error. More than half (56%) of health industry breaches stemmed from people making simple mistakes, well above the overall average of 37%.
Further complexity is created by the different privacy and breach notification rules which apply across the health sector. The Privacy Act, under which breaches are reported to the OAIC, doesn’t apply to public hospitals and health facilities, while My Health Record has its own data breach requirements.
We conduct more and more of our business and personal lives online, and data integration is continually expanding. Individuals and organisations need to work together to keep our most valuable information safe. That must involve robust cyber defences, but it also can also mean saving us from ourselves.
Diligent Messenger is a secure online communication tool that reduces process errors and creates a strong perimeter around your organisation’s mist sensitive data. To find out more, contact us at email@example.com or request a demonstration.
February 9, 2021
Governance Trends Shaping 2021: 4 Priorities to Drive Success
The COVID-19 crisis, new workplace paradigms, extreme climate change, political and economic volatility, and urgent calls for racial justice have driven a shift to virtual operations. This shift, alongside a move to stakeholder-centric capitalism, has elevated “digital resilience” to a core focus among leadership. These principles must now be translated…
September 7, 2020
Avoiding Cyber Confusion in the Board Room
It is imperative that Directors understand the cyber risks facing their companies and organisations. The increasingly complex internal and external landscape presents unique challenges for Boards. Several key steps can however significantly increase the cyber resilience of any company or organisation, irrespective of size. The article outlines five key steps…
August 20, 2020
Minimising the Risk of Virtual Meetings: 5 Practices Boards Should Avoid
Months into the COVID-19 lockdown, remote workers—and board members—have become more accustomed to virtual meetings. They’ve found a quiet place in the house, mastered the mute and camera buttons, and fully styled their background bookcases and “Zoom couture.” Yet as virtual work becomes a way of life, not all adaptive…