“No matter how secure or vigilant an organisation may be when it comes to cybersecurity, it only takes one error, one lapse of judgement or missing the red flags in a malicious email for a breach to be successful.”
And even as both security professionals and cyber criminals get access to more powerful tools, Jayne said human error overwhelmingly remained the leading cause of breaches, making up between 82 per cent and 95 per cent of cases, depending on the research you read.
‘It only takes one error, one lapse of judgement or missing the red flags in a malicious email for a breach to be successful.’
Security awareness advocate Jacqueline Jayne
“The focus on IT is not commensurate with that. The recent large data breaches in Australia have also highlighted that both IT and consumers are looking to the government to provide guidance and solutions to the issue, which is concerning,” she said.
“While government has a part to play, cybersecurity is everyone’s responsibility and these events have highlighted that we have a long way to go when it comes to basic cyber hygiene for consumers.”
Daniel Trauner, senior director of security at Axonius, said things are complicated in the current business environment, where employees often use a mix of managed work platforms and personal accounts on platforms like LinkedIn and WhatsApp. The result is a potential for human error that goes beyond simply clicking on a dodgy link in a work email.
“In effect, it means that personal and work data are being mixed into a single account and interface, which is a huge advantage for an attacker,” he said.
“We saw this happen during the 2022 Uber hack, where the attacker posed as Uber IT on WhatsApp to help convince the target to approve an MFA (multi-factor authentication) request.”
Nuix research showed more than 1800 breaches in Australia in the past 12 months, costing around $4.5 million per breach. The Australian Security Centre received more than 76,000 cybercrime reports in the 2021-22 financial year, an increase of 13 per cent from the previous year and equivalent to one report every seven minutes.
Rubinsztein said he only expected matters to get worse, given ballooning data storage and increasingly complex criminal tactics.
“I think the data proliferation is going to continue, and in fact the rate of change of proliferation will increase. We’re collecting data from many more systems, from IoT and other devices,” he said, referring to the so-called Internet of Things – physical devices with processors, software or other technologies that are connected with the internet.
“And just as Nuix can take multiple data sets and aggregate those, the bad actors can too. With the ability to aggregate multiple sets of personal identifying information, the value of that data on the dark web increases, and the scariness does too,” he said.
Big companies can store hundreds of millions of documents, of various file types and in various locations, with Rubinsztein saying data volume is doubling every two to three years. It’s a complex challenge to keep track of it all, review it and secure it in preparation of a potential breach.
“If you think about a big corporate, a big bank, you’ve got backups, and you’ve got archiving, in some scenarios you actually don’t know what is included in your data assets,” he said.
“What data are you storing with a third party? How do you know how at risk that data is? It’s something that needs a sophisticated review.”
Small businesses, SMEs and non-profits are far from immune, as evidenced by the recent breach at children’s charity The Smith Family. Jayne said that with essentially all businesses harvesting and storing some kind of data, every company was a potential target.
“Like any form of a break-in, criminals will spend considerable time and resources on the larger targets as the potential data haul is equal to the effort. On the flip side, small businesses and not-for-profits may require less time and resources from the cybercriminals, and the data haul is again equal to the effort,” Jayne said.
“Not-for-profits struggle with the resources for information security, making it challenging to develop a much-needed robust security culture to ensure the organisation and its staff are aware of current attack vectors.“
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.