Just like every other human being on this planet, we are not immune to making small, day-to-day mistakes.
Maybe we thought Jane wanted her latte with two sugars, not one, maybe we sent that document to the wrong printer, or maybe we sent the right email to the wrong Simon!
These are perfectly innocent oversights, right? We all make our fair share of little slip-ups, whether in the office or in our personal lives. For the most part, the worst outcome is a stern lecture about our carelessness, after which we put the incident behind us and carry on with our lives.
Laying down the law
Enter the Notifiable Data Breaches (NDB) scheme, which applies to eligible data breaches occurring on or after 22 February 2018. Introduced as an amendment to the Privacy Act 1988, it obliges any organisation covered by the Privacy Act to notify affected individuals and the OAIC when an eligible data breach occurs: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned, and that the organisation has not been able to remediate in time to prevent that harm.
It has been well over two years since the NDB scheme was introduced, and it has already provided valuable insight into how many breaches are caused by human error alone. Over the six-month period from July to December 2019, the OAIC reported that 32% of notified breaches were attributed to human error.
Data security can’t be left to chance
For most of us, this brings transparency and some comfort in knowing that organisations big and small are accountable for the safety of our personal data. Gone are the days when organisations could take the 'she'll be right' approach to data security without being held to account. From an organisation's perspective, the NDB scheme shifts the needle from an IT problem to a business problem: a breach now puts not only customers at risk but also the company's reputation on the line.
These new laws were long overdue, and they have changed how organisations assess the risk that comes with storing confidential information. Organisations are becoming increasingly aware of human error as a risk to their data, and how costly it can be to ignore it. COVID-19 has only increased the risk, as malicious actors try to scam more people by exploiting the uncertainty caused by the pandemic.
Scammers know human behaviour is the weak spot
We already saw scammers in action during the recent bushfires, when attackers posed as legitimate charities and emergency services to exploit public goodwill and steal donations. Now, with COVID-19, we are seeing fake websites that claim to sell cures and emails that promise more information about the pandemic. These fake websites and phishing emails lead unsuspecting users to credential-harvesting pages or install malware on their devices.
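The lures described above can be checked mechanically on the sender address and the links in the body, which is also what an aware user is being trained to look at. The following added example is not code from the original post. It assumes a constructed allow-list of trusted domains (redcross.org.au and who.int), a few brand phrases for each, and three constructed sample messages (one genuine, one charity lure, one COVID-19 "cure" lure); it flags lookalike sender or link domains, a display name that borrows a trusted brand while the address does not, and link text that shows one site but points to another.

```python
"""Heuristic phishing-lure checks: lookalike domains, borrowed display names,
and link text that disagrees with the link target.

Added example, not code from the original post. The trusted-domain list,
brand phrases, thresholds and sample messages are constructed assumptions;
this is an illustration, not a production mail filter."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: trusted domain -> brand phrases users would recognise.
TRUSTED = {
    "redcross.org.au": ("red cross", "redcross"),
    "who.int": ("who", "world health organization"),
}
# Two-label public suffixes the approximation below knows about (not a full PSL).
TWO_LABEL_SUFFIXES = ("com.au", "org.au", "net.au", "gov.au", "co.uk", "org.uk")


def registrable_domain(host: str) -> str:
    """Approximate registrable domain: last two labels, or three under a known
    two-label suffix, e.g. www.redcross.org.au -> redcross.org.au."""
    host = host.lower().rstrip(".")
    n = 3 if any(host.endswith("." + s) for s in TWO_LABEL_SUFFIXES) else 2
    return ".".join(host.split(".")[-n:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as redcros.org.au."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain `host` imitates, or None if it is genuinely
    trusted or unrelated. A brand token anywhere in the hostname
    (who-int-update.com, redcross-org-au.secure-gift.net) or a near-miss
    registrable domain (redcros.org.au) counts as imitation."""
    rd = registrable_domain(host)
    if rd in TRUSTED:
        return None
    tokens = set(re.split(r"[.-]", host.lower()))
    for trusted, phrases in TRUSTED.items():
        brands = {p.replace(" ", "") for p in phrases}
        if brands & tokens or edit_distance(rd, trusted) <= 2:
            return trusted
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname_in_text(text: str):
    """Host named by the link text, if the text itself looks like a URL or domain."""
    if " " in text or "." not in text:
        return None
    host = urlparse(text if "://" in text else "//" + text).hostname
    return host if host and "." in host.rstrip(".") else None


def analyse(msg: dict) -> list:
    """Return a list of human-readable indicators found in one message."""
    findings = []
    name, addr = parseaddr(msg["from"])
    sender_host = addr.rpartition("@")[2].lower()
    if (t := lookalike_of(sender_host)):
        findings.append(f"sender domain {sender_host} imitates {t}")
    if registrable_domain(sender_host) not in TRUSTED:
        plain = re.sub(r"[^a-z0-9]+", " ", name.lower())
        for t, phrases in TRUSTED.items():
            if any(re.search(rf"\b{re.escape(p)}\b", plain) for p in phrases):
                findings.append(f"display name '{name}' claims {t} but sender is {sender_host}")
    links = _LinkCollector()
    links.feed(msg["html"])
    for href, text in links.links:
        host = (urlparse(href).hostname or "").lower()
        if (t := lookalike_of(host)):
            findings.append(f"link host {host} imitates {t}")
        shown = _hostname_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = {"from": "Australian Red Cross <donate@redcross.org.au>",
         "html": '<a href="https://www.redcross.org.au/donate">www.redcross.org.au/donate</a>'}
CHARITY_PHISH = {"from": "Australian Red Cross <appeals@redcross-bushfire-appeal.org>",
                 "html": '<p>Donate now:</p><a href="http://redcross-org-au.secure-gift.net/login">'
                         'https://www.redcross.org.au/donate</a>'}
COVID_PHISH = {"from": "WHO COVID-19 Updates <info@who-int-update.com>",
               "html": '<a href="http://who-int-update.com/cure">Click here</a> for the cure'}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("charity", CHARITY_PHISH), ("covid", COVID_PHISH)):
        print(label, analyse(msg) or ["no indicators"])
```

The genuine message produces no findings; the charity lure trips all four checks (lookalike sender, borrowed display name, lookalike link host, link text that names the real site while pointing elsewhere) and the COVID-19 lure trips three. The brand-token rule is deliberately loose: a short brand such as "who" will also match unrelated hosts, so in practice these indicators should feed a score or a warning banner rather than block mail outright.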
Malicious attacks, phishing in particular, are relentless and never-ending. You can have the best security technologies and solutions in place, but at the end of the day the last line of defence between you and a catastrophic breach is your staff. Security technology is essential, of course, but no technology is 100% infallible. As much as we would all like a silver bullet that fixes every security problem, the reality is that cybersecurity only works when technology and human awareness are combined.
Awareness is a superpower
The good news is, training your people doesn’t have to be overly technical. We’re not trying to build security gurus; we just need the average user in your company to be aware of the cyber risks they may encounter in the course of their daily lives.
Mistakes will still happen. We are human, after all, not robots. But with the right education there will be far fewer of them. Awareness training is one of the best ways to cut down the frequency and impact of breaches, and if you choose the right training program it can be fun too. Good luck!
To learn more, watch our Cyber Threat Intelligence Briefing: Attacks on COVID-19 related charities, exploiting trusted brand communication platforms.