SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
NDB report: Stronger authentication practices needed
Tue, 14th May 2019
FYI, this story is more than a year old

The Australian Information Commissioner (OIAC) has released the latest quarterly report on the notifications under the Notifiable Data Breaches scheme.

The report found that the majority of the data breaches were on a more targeted scale, involving 100 individuals or fewer.

Most of the data compromised were contact information from malicious or criminal attacks.

Here is what some of the executives in the industry had to say about the report:

Sophos ANZ managing director John Donovan

According to the latest OAIC report, the healthcare sector has once again topped the list for the most data breaches - with 58 reports of data breaches in the last three months (up 7.4% compared to the previous quarter).

What's more, malicious and criminal attacks again account for the highest proportion of breach notifications in Australia, followed by human error.

It is very concerning to see health service providers continuing to be targeted and successfully breached by attackers. It goes without saying that this industry is dealing with incredibly sensitive and personal data and, as such, has a huge responsibility to the people of Australia to protect their data effectively.

The report serves as a reminder to the healthcare industry to implement robust security practices to protect the extremely sensitive data they are entrusted with.

Ping Identity APAC chief technology officer Mark Perry

Enhanced security measures can counter the risk of a breach occurring but have historically been met with employee and management pushback, courtesy of the fact they were perceived as onerous.

The positive news is that we should see the tide turning with the increasing adoption multi-factor authentication (MFA)  and the introduction of adaptive authentication, self-service capabilities and phone-as-a-token authentication.

Out-of-the-box APIs, SDKs and integration kits continue to reduce the expense and complexity associated with implementation and cloud-delivered solutions, which require minor oversight to run effectively, have seen infrastructure and administration costs plummet.

Aura Information Security Australia country manager Michael Warnock

While cyber-protection software has a role to play in preventing attacks and provide a sense of comfort to a chief information security officer, human error, carelessness and gullibility allow many a hacker to slip through the cordon.

This should raise alarm bells for anyone responsible for company compliance and risk management.

2019 should be a year in which information security is finally viewed as not just the remit of the IT department but an integral component of every employee's role.

LogMeIn Asia Pacific and Japan VP Lindsay Brown

Similar to last quarter, the Notifiable Data Breaches Q1 2019 report found that malicious or criminal attacks accounted for the majority (61%) of reported data breaches (131 of the 215 breaches).

Of these attacks, 67% involved compromised or stolen credentials collected through various means including phishing and brute-force attacks.

While more and more organisations are looking at ways to mitigate the risk around passwords they continue to be an avenue for malicious actors to infiltrate businesses who rely on their users to do the right thing when it comes to credentials.

With the threat to the digital landscape worsening, organisations must be keenly aware of the importance of their employees having strong passwords. It's important that businesses establish password requirements, such as minimum length, and complexity.

Ideally, passwords should have a mix of characters (uppercase, lowercase, symbols, and numbers), avoid words straight out of the dictionary, and be as long as possible – ideally no shorter than 14 characters.