OAIC data breach figures

David Shephard, Bitglass Vice President Asia Pacific, responds to the recently released OAIC data breach figures.

A common perception is that breaches happen when malicious outsiders evade our defences and steal our data.

While true, we’ve consistently seen from the Notifiable Data Breach Reports issued quarterly by the Australian Information Commissioner (OAIC) that human error continues to account for a large number (almost one-third) of all reported breaches. Many of these are easily avoidable.

Breaches attributed to human error could possibly be even higher if we consider that external attackers capitalise on these mistakes, including system misconfigurations (S3 sharing in AWS is by default turned off, yet S3 buckets with public access are common), inappropriately shared files or weak passwords used alone without MFA.

We aren’t talking about malicious insiders, just everyday users who make simple and avoidable errors.

The Cloud can complicate things. In the Cloud, inappropriate sharing of data and system misconfigurations may be rife, but would an organisation even know? The traditional technologies that many cyber defences have been built on don’t extend to the Cloud, and the control points they’re designed to protect may not feature in the IT architectures of Cloud and Mobile Enterprises. As businesses rethink IT, they must rethink IT Security too.

What use is a moat when the castle, its contents and all the people have moved?
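The S3 misconfiguration Shephard points to is easy to check for once you know which three controls decide whether a bucket is public: the bucket policy, the bucket ACL, and the account or bucket level Public Access Block settings. The following is an added example, not code from the article or from Bitglass, that evaluates those three inputs offline on constructed sample data. It applies a simplified version of the rules AWS uses to label a bucket "Public": an Allow statement whose Principal is `*` (or `{"AWS": "*"}`), or an ACL grant to the AllUsers / AuthenticatedUsers groups. Statement Conditions are reported but not evaluated, so conditioned wildcard grants are flagged conservatively for manual review. The policy documents, ACL grants and bucket name are all assumptions made up for the example.

```python
"""Flag S3 buckets whose policy or ACL grants public access (added example)."""
import json

# Constructed sample inputs, not from the article: one policy that grants
# object reads to everyone, and the same grant scoped to a single IAM role.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed ACL grants, in the shape the GetBucketAcl API returns.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]

# All four Public Access Block flags on: the setting AWS recommends by default.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for "*" or {"AWS": "*"}, i.e. any caller including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_actions(policy_json):
    """Sorted actions that Allow statements grant to a wildcard principal.

    A Condition on such a statement may narrow the grant (AWS treats some
    conditions as non-public); this simplified check still flags it so a
    human reviews the condition rather than silently trusting it.
    """
    policy = json.loads(policy_json)
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)


def acl_public_permissions(grants):
    """Sorted ACL permissions granted to the AllUsers/AuthenticatedUsers groups."""
    perms = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            perms.add(grant["Permission"])
    return sorted(perms)


def bucket_is_public(policy_json, grants, public_access_block=None):
    """Combine the three controls as S3 enforces them.

    IgnorePublicAcls makes public ACL grants ineffective; RestrictPublicBuckets
    limits a public bucket policy to the account's own principals. Either
    flag being off leaves the corresponding path to public access open.
    """
    pab = public_access_block or {}
    acl_open = bool(acl_public_permissions(grants)) and not pab.get("IgnorePublicAcls", False)
    policy_open = bool(policy_public_actions(policy_json)) and not pab.get("RestrictPublicBuckets", False)
    return acl_open or policy_open


if __name__ == "__main__":
    for name, policy, grants, pab in [
        ("public-policy-no-block", PUBLIC_POLICY, [], None),
        ("public-policy-with-block", PUBLIC_POLICY, [], FULL_BLOCK),
        ("scoped-policy-public-acl", SCOPED_POLICY, PUBLIC_ACL_GRANTS, None),
        ("scoped-policy-private-acl", SCOPED_POLICY, [], None),
    ]:
        print(f"{name}: public={bucket_is_public(policy, grants, pab)}")
```

In practice the three inputs come from `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` (plus the account-level block), and the check is worth running across every bucket in every account on a schedule, because a bucket that was private yesterday is one console click from public today.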

https://www.oaic.gov.au/media-and-speeches/news/lessons-learned-during-first-12-months-of-notifiable-data-breaches-scheme