With new data showing more than 950 data breaches were recorded in the first year of the notifiable data breach scheme, a list of best practice tips for entities has been released by the government.
The Office of the Australian Information Commissioner (OAIC), the agency behind the report, said that 60 per cent of all breaches were the result of malicious or criminal attacks, while human error accounted for 35 per cent of all data losses.
System faults accounted for just five per cent of all notifications, the report said.
Based on the findings, the OAIC re-iterated that it expects “organisations and agencies to act on the risks highlighted by these reports ― whether or not they were directly affected ― and take steps to prevent a similar breach of Australians’ personal data”.
It also expects entities to employ the following best practice tips in preventing and managing all data breaches:
Train your people
Employees should be trained to detect and report email-based threats, to understand basic account security, and to protect their devices.
According to the OAIC, best practice approaches in mature organisations usually involve dedicated training programs with face-to-face training and e-learning and are supported by tools and ongoing communication around evolving threats.
When setting awareness strategies, entities should consider their broader workforce, including contractors, the report also noted.
Adopt preventative technologies and processes
The OAIC said all entities should prioritise investments in improving their overall security posture in line with known security risks, and if necessary, engage expert security advice.
At the user level, technologies such as multifactor authentication complement user education in mitigating the risk posed by compromised credentials.
Encryption and secure data transfer technologies were also recommended for risk minimisation, along with proactive system monitoring so that breaches can be detected and responded to in a timely manner.
According to the report, “uplifting these strategies provides a prime opportunity to review data holdings and minimise unnecessary holdings”.
Prepare, prepare, prepare
By preparing for data breach incidents, entities will be best placed to identify and manage any breaches, the OAIC emphasised.
Data breach response plans provide practical guidance on how data breach impacts can be reduced, and how scheme obligations can be met.
It recommended that “entities should seek to address multiparty and supplier breaches in data breach response plans and contracts” over the coming year.
Organisations can also use regular exercises or data breach simulations to test their preparedness, the report suggested.
Entities which understand their data holdings and how breaches could impact their customers “will be best placed to assess whether a data breach is notifiable or not following an incident”, it was stated.
The OAIC has reminded businesses and organisations that the test for assessing whether an incident is notifiable is whether it is likely to result in serious harm to affected individuals.
This flexibility reflects that each entity is best placed to understand the individuals with whom it engages; however, “there is an opportunity for industry groups to share knowledge to drive strategies which will better support consumers”, the report considered.
“The risk of reporting when the threshold is not reached is that of notification fatigue and resulting inertia when it really matters”, the report said, and pointed to a need for “a thoughtful assessment process which has regard to the particulars of the incident”.
In the wake of a data breach, the OAIC called “transparency and simplicity” key guiding principles.
According to the report, “consumers have responded most favourably to those organisations that communicated in plain English about what had occurred and the steps they needed to take to protect themselves”.
Organisations should be mindful of the impact of mixed messages and poorly timed communications, such as notifications sent on weekends or public holidays, when affected individuals cannot take the recommended response actions.
Emerging best practice highlights establishing and maintaining microsites and setting up support lines, giving customers centralised channels to ask questions and find out what they can do to reduce harm, the report noted.