Human error bigger threat than malicious attacks – Cyber Risks

Human error

Insider threats to cyber security may be under-reported

Statistics from the Office of the Australian Information Commissioner (OAIC) may be under-reporting the damage insider threats can cause to organisations’ cyber security.

IT expert Ahmed Khanji, CEO of Gridware Cybersecurity, told Emergence Insurance’s latest webinar for brokers that Gridware statistics suggested insider threats were a bigger risk than malicious or criminal attacks. The latest OAIC statistics found malicious attacks were responsible for 57% of notifiable data breaches (NDBs).

Gridware data showed malicious threats lagged behind insider threats. Contrary to what’s being reported to OAIC, Ahmed said Gridware found employees were the greatest threat. He urged all businesses to consider who had access to their customer lists and email contacts.

Untrained staff as the greatest cyber risk

He said a global survey found 87% of executives viewed untrained staff as the greatest cyber risk to their businesses, yet staff training ranked among the categories showing the least progress when measured against the voluntary, US-developed National Institute of Standards and Technology (NIST) cyber security framework.

Ahmed said many insider threats came from “phishing” incidents where people were manipulated by emails that tricked them into disclosing or changing passwords.

Human error was responsible for 37% of NDBs

Emergence Head of Sales Gerry Power said OAIC’s latest report found human error was responsible for 37% of NDBs. “As humans, we keep finding new ways to make mistakes,” he said. “But, with sound risk management in place, many breaches can be prevented. Employees are the last line of defence; they must be educated to identify such things as dodgy emails and suspicious invoices.”

Medical data was particularly vulnerable because it sold for nine times more than financial data on the dark web.

Gerry said managing data breaches was critical to business survival. Ahmed agreed, saying reputation damage was the biggest loss. “About 85% of people won’t do business with companies that have had known data breaches. Facebook is now one of the least trusted companies in the world.”

Ahmed said organisations needed good firewalls to guard their networks; strong anti-virus software; endpoint protection for all devices; and intrusion detection and prevention systems that inspected all inbound and outbound activity and blocked suspicious activities.

“A hacker can be in your system for 200 days before being identified,” he said.

Protection methods include:


  • Strong passwords, long enough to prevent brute force attacks
  • Two-factor authentication
  • Not sharing passwords across multiple devices
  • Regular testing and auditing of company policies and procedures.

Emergence MD Troy Filipcevic distinguished cyber threats from social engineering, which uses psychological manipulation, trickery, deception and impersonation to get people to divulge information.

He said social engineering was targeted, sophisticated fraud where trust was built and human weaknesses exploited.

Source: Emergence Insurance


Please note that Cyberliabilitycomparison.com.au Insurance News is an information service sometimes provided by third parties. Insure 247 Australia doesn’t warrant the accuracy of any information contained therein; readers should make their own enquiries before relying on information in the stories. Terms of Service


Please note that any advice given has been provided without taking into account your objectives, financial situation or needs. It is also based on information we have obtained from you. You must ensure the information is accurate and complete. Otherwise, this advice may be based on the inaccurate or incomplete information. You should consider whether the advice is appropriate in light of your objectives, financial situation and needs


Human Error Remains Key Cause Of Notifiable Data Breaches


Human error remains a key cause of notifiable data breaches, according to the latest quarterly report from the Office of the Australian Information Commissioner (OAIC).

While malicious or criminal attacks are still the largest source of notifiable data breaches (NDBs), accounting for 57%, human error is second, with cyber incidents exploiting human vulnerabilities, for example by encouraging people to click on phishing emails or disclose passwords.

Gerry Power, Head of Sales at Cyber Insurer Emergence, said: “The continued propensity for human error to cause NDBs is a disturbing insight because it shows businesses are not educating staff enough on how to identify phishing emails or handle personal information appropriately.”

Source: Emergence

Human Error and Data Breaches

Human error accounted for 37% of data breaches in the latest report. Emailing personal information to the wrong recipients was the most common human error data breach (12%). Second highest was failing to use the BCC function when sending group emails, which affected an average of 494 people per breach.
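The BCC failure described above is one an outbound-mail control can catch before a message leaves the organisation. The following Python is an added example, not code from the article, Emergence or OAIC; the mail-submission hook it would sit in, the 10-recipient threshold and the sample messages are assumptions and constructed data.

```python
"""Hold outgoing group emails that expose recipients in To/Cc instead of Bcc.

Added example (not from the article, Emergence or OAIC). Assumes a
mail-submission hook that sees raw headers before sending; the threshold
of 10 visible recipients is an assumed policy value.
"""
from email import message_from_string
from email.utils import getaddresses

VISIBLE_RECIPIENT_LIMIT = 10  # assumed policy threshold; tune per organisation


def visible_recipients(raw_message: str) -> list[str]:
    """Distinct addresses every recipient would see: all To and Cc headers.

    Handles multiple To/Cc header instances, comma-separated lists and
    "Display Name <addr>" forms; Bcc is deliberately not counted.
    """
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen: list[str] = []
    for _name, addr in pairs:
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def check_bcc_use(raw_message: str, limit: int = VISIBLE_RECIPIENT_LIMIT) -> dict:
    """Return a hold decision: too many addresses visible means a disclosure risk."""
    exposed = len(visible_recipients(raw_message))
    hold = exposed > limit
    reason = f"{exposed} addresses visible in To/Cc; use Bcc for group mail" if hold else "ok"
    return {"visible_recipients": exposed, "hold": hold, "reason": reason}


# Constructed sample: a clinic newsletter that puts every patient in Cc (the breach pattern).
PATIENTS = ", ".join(f"Patient {i} <patient{i}@example.org>" for i in range(1, 13))
SAMPLE_GROUP_MAIL = (
    "From: clinic@example.com\r\nTo: clinic@example.com\r\n"
    f"Cc: {PATIENTS}\r\nSubject: Flu clinic dates\r\n\r\nBody\r\n"
)
# Constructed sample: the same message sent correctly, with recipients in Bcc.
SAMPLE_BCC_MAIL = (
    "From: clinic@example.com\r\nTo: clinic@example.com\r\n"
    f"Bcc: {PATIENTS}\r\nSubject: Flu clinic dates\r\n\r\nBody\r\n"
)

if __name__ == "__main__":
    print(check_bcc_use(SAMPLE_GROUP_MAIL))  # hold: 13 visible addresses
    print(check_bcc_use(SAMPLE_BCC_MAIL))    # ok: only the sender's own address is visible
```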

Gerry said the healthcare industry continued to be the worst-performing sector, recording 18% of data breaches, with human error responsible for more than half of those. “That gives an insight into why some cyber insurers will not write the healthcare industry for data breaches,” he said.

The finance sector was the second-worst performing industry for the second consecutive quarter, with 14% of breaches.

The legal, accounting and management services sector was a close third. Gerry said Emergence’s claims data backed that up. “The accounting profession is a honeypot of data for cyber criminals,” he said.

Notifiable Data Breaches Scheme

The NDB scheme was introduced on 22 February 2018 and, since then, OAIC has had 550 notifications, including 245 in the July-September quarter. That compares to only 114 notifications in the 12 months before the scheme’s launch.

As knowledge of the NDB scheme increases in the business community, the number of known data breaches will continue to rise.

Education is the key to reducing the human error element of NDBs.

Emergence conducts in-house education sessions, online seminars, and a social media program to educate brokers and their clients about the need for diligence and risk management to avoid data breaches and cyber attacks.

The increasing rate of notifications highlights the need for cyber insurance. Emergence’s cyber policy gives insureds 24/7 access to an Australian-based incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.

Emergence’s policy includes cover for reporting data breaches to OAIC, regulatory investigations, and costs of communicating data breaches to affected individuals.

“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies, and procedures fail to stop an attack,” Gerry said.

Organisations can reduce the potential for NDBs through risk management practices such as:
• Employee training, including strong password protection strategies and raising awareness about the importance of protecting personal information
• Restricting administration privileges
• Conducting daily backups
• Continuously patching operating systems and software
• Implementing multi-factor authentication.

Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.
