Who’s getting breached and how it’s happening
In case you’re not aware and to frame the conversation, the new Mandatory Breach Legislation took effect on Feb 22nd which is the Australian Government’s effort to make SME businesses accountable for how they manage personal information. By mandating the reporting of a breach to the privacy commissioner and the affected parties (aka clients), the logic is that firms will be motivated by the threat to their reputation to take steps to reduce the likelihood of a breach happening.
In line with that, the first quarterly report has been released here which gives us an early insight into who’s getting breached and how it’s happening. Here’s the long and short of the data…
Who got breached – Health services topped the list with legal, accounting and management services businesses running a close second. The interesting point we found here was that in 78% of cases less than 100 individuals’ information was breached suggesting it’s small business falling foul. This is consistent with www.scamwatch.gov.au statistic that 60% of reported breaches happen to businesses with less than 20 staff.
What got breached – The clear majority of it was contact information, followed by heath, identity and financial information. TFN’s were exposed in 14% of cases.
So how is it happening – Over 50% of cases and the majority category is human error which confirms the point that this isn’t an IT issue, it’s a HR issue.
Unless you’re the CIA, putting expensive firewalls and technical security measures in places is not going to help you because it’s easier to trick someone than hack someone.
I’m talking about business owners being impersonated in an email to accounts payable staff with requests for money transfer, staff accidentally clicking on links sent from people they trust, people making their work and personal passwords the same or saving them in web browsers and their desktop because they have so many to remember.
So what to do? – Well, as a business owner it’s about setting basic company guidelines and helping staff (and yourself) understand how everyone can play their part as responsible data custodians. If you haven’t, you can’t blame anyone but yourself when they do.
Have you set an expectation that your staff shouldn’t be saving your company passwords on their teenage son’s gaming computer full of viruses?
Have you made it clear to your team that they’re not allowed to write down or save passwords on a post-it note or their personal web browser?
Do they know how to identify an email that isn’t really from who they think it is?
Is their password to your client base the same one they’ve had for the last six years with a different number on the end?
These are the things that cause breaches and bring successful companies undone. Aside from protecting your risk it’s only fair that you’ve put basic guidelines and educational content in place so your staff understand your expectation on how to keep your firm and client data safe.
Yes we’re all busy but it’s worth taking 30 minutes to get the basic understanding of not just how to protect your firm but also demonstrating to your clients that you’re serious about their privacy given they’re consuming the same media you are that’s making us all too aware that this issue is here to stay.