Phishing Is the Top Reason Behind Australian Data Breaches

Gabor Szathmari
Iron Bastion
Nov 7, 2018

The latest Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC) confirms that half of the data breaches reported in the July to September 2018 quarter are attributable to phishing.

According to the report, the top five sectors by data breach notifications in the last quarter were:

  1. Health service providers
  2. Finance
  3. Legal, accounting & management services
  4. Education
  5. Personal services

Out of these top vulnerable industries, ‘Legal, accounting & management services’ is the most affected by a diverse range of hacking and phishing attacks (categorised as ‘cyber incidents’) — as the latest Notifiable Data Breaches Quarterly Statistics Report confirms.

Malicious or criminal attacks breakdown (Source: OAIC)

Australian businesses at risk of cybercrime

The OAIC report is consistent with the often cited Verizon Data Breach Investigations Report, which states that 90% of data breaches involve phishing. The breakdown of the ‘Cyber incidents’ category demonstrates that Australia is no different from the United States: nine out of the fifteen incidents reported by the Legal, Accounting & Management services sector involve phishing.

Phishing is the main reason behind cyber incidents (Source: OAIC)

To add insult to injury, over 95% of the legal practices in Australia are small with no more than four employees on board according to the Law Society of NSW.

Small practices are particularly attractive targets for cybercriminals, because:

  • They often manage settlements above $100,000; and
  • They handle sensitive documents on a regular basis (e.g. 100-point identity checks).

In parallel, these legal practices:

  • Receive no cybersecurity advice, or receive bad advice;
  • Have IT infrastructure that is critically underfunded; and/or
  • Have IT infrastructure that is not managed by security professionals.

In other words, small businesses tend to hire a website designer to build a website and set up Office 365 on the side. Even if a better-off legal practice employs a service provider to manage its IT, very little is done to address today’s digital threats, including business email compromise (BEC) fraud, CEO fraud and payment redirection scams.

Neither the website designer nor the IT service provider has the experience to address the ever-growing sophistication of cyber threats. It is no wonder that organised cybercrime is targeting the legal services sector with a high success rate, as the latest OAIC report clearly demonstrates.

What should law firms do to avoid the top ranking position of the quarterly OAIC report?

First of all, if there is one thing you can do today to improve your business’s cybersecurity posture, it should be to turn on two-factor authentication for your work email.

According to the OAIC report, stolen or compromised credentials are behind 77% of the cyber incidents reported under the NDB scheme. The big secret is that criminals simply rely on your employees’ passwords to gain access to email accounts rather than high-tech state-sponsored hacking.

Stolen or compromised passwords are the main reason behind data breaches (Source: OAIC)

Secondly, business owners or decision makers should start hiring cybersecurity experts. Just like we hire professionals to do our taxes or get our teeth done, an expert can identify the pain points of your IT infrastructure. They can then suggest and implement the best combination of solutions in order to protect any business from the latest cyber scams and digital threats.

End-user education and security awareness training are important pieces of the puzzle. When technology fails, your staff becomes the last line of defence. Ultimately, it is an employee at the end of the line who decides whether to click on a password-stealing web link or to follow a payment instruction in a phishing email.

Finally, cyber insurance can cover the residual cyber risk. While the mandatory Lawcover cyber insurance policy pays up to $50,000 to cover expenses such as ransomware payments, digital forensics or consulting fees, other insurers offer a more generous payout in cases of cyber incidents. Insurers may also provide incident response services to help contain the initial damage.

Snapshot

  • The legal services sector is an attractive target for organised cybercrime;
  • The success rate of cyber attacks (targeting the legal services sector) is high;
  • The majority of data breaches occur within the legal services sector due to phishing, compromised credentials and social engineering;
  • Legal practices can address the cyber risk with the combination of cybersecurity professionals, security awareness training and cyber insurance.

About Iron Bastion

Iron Bastion are Australia’s phishing and cybersecurity experts. We provide cybersecurity consulting with specialised solutions to combat phishing.

Our team are qualified cybersecurity professionals providing phishing awareness training courses and cyber security solutions to small and mid-size businesses.

Contact us for a free cybersecurity consultation today.

Originally published at blog.ironbastion.com.au on November 7, 2018; co-written with Nicholas Kavadias.
