FS PortalContact Us
Home
Articles & Events
Articles

Cyber security - the overlooked factor in Privacy Protection

Cyber security is key to privacy compliance because human factors are the major contributors to privacy breaches in Australia

OAIC Notifiable Data Breaches Report July to December 2020

Although according to the Office of the Australian Information Commissioner (OAIC)’s Notifiable Data Breaches Report July to December 2020, malicious or criminal attacks were the largest source of notified data breaches, in fact human factors and human errors underlie the vast majority of breaches.

For the purposes of its report, the OAIC defines "malicious or criminal attacks" as “attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.”

However these attacks “included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices …”

It is important to remember that in every such data breach incident, human factors would play a key role.

For this reason, the importance of cyber security compliance in maintaining privacy compliance cannot be underestimated.

Major Cyber Security Breach Types

“Cyber incidents were responsible for 39% of all data breaches, with phishing, compromised or stolen credentials, and ransomware the main sources of the data breaches in this category.” OAIC report P16

The three major cyber security data breach types that OAIC’s report flags as posing major risks for privacy compliance are:

Phishing

According to the Australian Competition and Consumer Commission’s Scamwatch, phishing continues to be the most reported type of scam, with reports increasing by around 75% from 2019 to 2020. It is not surprising, then, that phishing was a significant cause of privacy data breaches.

It should go without saying that phishing attacks rely on human factors in order to succeed: someone has to click on the malicious link.

Many business’ IT systems are hardened against malicious emails, but some will always get through, and, paradoxically, the effectiveness of those systems can be a factor in lowering the employee’s guard.

Social Engineering

The number of social engineering-induced data breaches was down slightly in the second half of 2020, but they still accounted for 11% of breaches. The willingness of contact centre staff to assist “distressed” callers, the reluctance of staff to confront a stranger that tailgates them through security… these continue to be a challenge for businesses that manage customers’ personal information.

Theft of Paperwork or Data Storage Device

The OAIC reports that this source of data breaches increased during 2020. It accounts for 9% of reported breaches. Here again, data security depends heavily on staff observing security practices.

The Role that Human Factors Play

The OAIC explicitly recognises the role that human factors play in what it characterises as “cyber incidents”:

“ … email-based vulnerability is one of the greatest risks to information security facing organisations. The human factor is an important element in an organisation’s overall information and cyber security posture, given these attacks rely on a person clicking on a phishing link.” p18

Explicit Human Error

The OAIC reports that data breaches from human error increased during 2020, and that human error was – after cyber incidents – the second-largest source of data breaches.

“Common examples of human error breaches include sending personal information to the wrong recipient via email (45% of human error breaches), unintended release or publication of personal information (16%), and failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.” p18

Privacy Training and Cyber Security Compliance Training

There is no escaping the necessity for businesses that hold personal data to train their staff – and indeed their management and their directors – on the relevant privacy laws. The 13 Australian Privacy Principles, and in particular those on collection, use and correction, should be familiar to all staff. Increasingly, staff in Australia and in the Asia-Pacific region need also to be familiar with the EU’s General Data Protection Regulation,  the Personal Data Protection Act, Malaysia; the Personal Data Protection Act, Singapore; the New Zealand Privacy Act; and the California Consumer Privacy Act.

But knowing the procedures for the management of personal data is not the whole story. Businesses must acknowledge that a focus on data protection, particularly on cyber security compliance, is key in maintaining data security for customers, and in protecting the business from the enormous potential financial and reputational risk that can stem from a data breach.

Risk Assessment

When a business that holds personal data conducts a risk assessment, training in privacy compliance is always in scope. The information included in the OAIC report provides strong support for the contention that such a risk assessment should also involve a review of the business’ cyber security compliance training.

 

 

GRC Solutions’ Cyber Security Training Resources

Cyber Security – Australia

Cyber Security – USA

Cyber Security – Non-Jurisdictional

 

GRC Solutions’ Privacy Training Resources

Australia

Privacy -Covering the Privacy Act and the Australian Privacy Principles

Privacy for Schools - Covering the Privacy Act and the Australian Privacy Principles as they apply to schools

Australia- Financial Services

Financial Services Privacy Training - covering the Privacy Act and the Australian Privacy Principles

Credit Reporting - covering the Credit Reporting Act

New Zealand

Privacy - New Zealand - covering privacy in New Zealand under the 2020 updates to the law

Europe

General Data Protection Regulation - covering the GDPR - which has global implications

Singapore

Personal Data Protection Singapore - covering the Personal Data Protection Act 2012 and also the implications of the GDPR

Malaysia

Data Protection Malaysia - covering the Personal Data Protection Act 2010 and also the implications of the GDPR

California

California Consumer Privacy Act

Salt® Adaptive
30 day free trial

No credit card required. Cancel anytime

Power your own e-learning with data analytics.

Creation + User Analytics

Our platform is designed to enable our users to efficiently create e-learning courses that are equipped with the latest technology that can provide full user insights based on the activity of the course learner.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Workplace Behaviours

Changing workplace cultures by changing behaviours

You might be interested in...

July 13, 2021
Articles
5 steps to combat financial crime in 2021

With the COVID-19 pandemic still ongoing, you might think that combatting money laundering, bribery and fraud is not a priority for your organisation.

May 27, 2021
Articles
Changes to the Singapore Personal Data Protection Act - why they matter to you

The Singapore PDPA has been significantly strengthened and imposes new responsibilities on businesses that work with Singaporeans

Not sure
where to start?

Give us a call or complete the form and we'll be in touch soon

Off to a great start! One of our customer service representatives will be in-touch shorty.
Oops! Something went wrong while submitting the form.