NDB scheme data highlights the importance of information risk safety and awareness of your workforce

Have you ever accidentally sent an email containing sensitive information to the wrong person? It is easy enough to do with the stroke of a single key and immediately results in that sinking feeling in the pit of your stomach. Imagine if, rather than going to Brian in accounting, an email is unintentionally sent to Brian at an external service provider. The wrong Brian now has unauthorised access to customer or sensitive data and you cannot be sure how, or whether, he will use it.

The first quarterly report on data breaches from the Office of the Australian Information Commissioner (OAIC) has emphasised the information risk that an Australian workforce without proper cyber and privacy education, rather than hackers, poses to information security. This report on the first batch of breaches reported under the Notifiable Data Breaches Scheme reveals that human error is the most common cause of all breaches thus far.

The NDB scheme, first introduced in February, requires businesses and organisations which have obligations under the Privacy Act to report data breaches that are likely to result in serious harm to any individual affected. The Privacy Commissioner ruled out naming and shaming companies that reported breaches and he has kept his word. The statistical analysis contained in the report provides much-needed insight into how the scheme works and the major risks facing Australian businesses when it comes to protecting customer data. A total of 63 breaches were reported in the first six weeks of the scheme, with the health services industry the top sector in terms of volume, reporting 24 per cent of all breaches. The majority of all breaches were related to customer contact information, with human error cited as the cause for over half of the breaches reported.

This causal disclosure highlights how data and cyber security has quite rightly become much more of a people and culture issue, rather than a technical issue. Information security was once confined to the domain of the IT team; businesses are now grappling with the challenge of making it interesting, engaging and a priority for their entire workforce.