Reported breaches not painting complete picture of Australian security landscape

Although 63 data breaches were reported to the Office of the Australian Information Commissioner in less than six weeks, FireEye's Mandiant has warned that the true figure is higher, because many organisations are unsure whether their breach meets the reporting threshold.
Written by Asha Barbaschow, Contributor

The Office of the Australian Information Commissioner (OAIC) reported earlier this month it had received 63 notifications since Australia's Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.

While 63 breach notifications may appear quite high for the period spanning just shy of six weeks, Charles Carmakal, vice president at FireEye's Mandiant, said the number is likely to be even higher.

"In general, any time a data breach disclosure law comes into effect, there are a lot of organisations that actually do experience a breach, but they're still trying to figure out if the law applies to them and whether or not they're dealing with a reportable incident," he told ZDNet.

From a vendor's perspective, Carmakal said individuals seek clarity on the threshold at which they should conclude that data was actually taken from an environment.

"In other countries around the world, there's sometimes this perception that unless you can actually prove definitively that data actually left the environment, people may not disclose that there was a breach," Carmakal continued. "Those organisations just simply don't have the monitoring and the logging tools in place to definitively prove that something left the environment, despite all the other indicators saying it probably did leave."

Carmakal spoke with ZDNet while visiting Australia for the Australian Cyber Security Centre conference in Canberra; he previously headed up the local security consulting business of PwC, and considers himself well-placed to discuss the state of Australia's cybersecurity.

"When I lived here, most Aussies perceived cyber to be more of a US problem; they felt they were relatively protected. Part of that belief was quite frankly the lack of awareness of data breaches that actually occurred in the country ... when people don't hear about breaches every single day, there's this belief that it's more of a US problem," Carmakal said.

"When you think about the value of the data Australians have, if you think about the amount of money that's in this country, there's no reason why organisations here wouldn't be a ripe target."

While the scale might be smaller in Australia than it is in the US, the country's natural resources, financial institutions, and healthcare providers have always been a prime target for both offline and online crime.

"China for example was at one point in time the world's largest consumer of iron ore and Australia was the world's largest producer of iron ore. If you think about the merger talks between BHP Billiton and Rio Tinto, years ago, that obviously scared the Chinese government in that it would make competition incredibly difficult and potentially bring the price of iron ore up ... so they're interested in knowing pricing information, interested in knowing business transaction strategies, who is looking at acquiring which companies," he said.

"There's also a lot of variation in Australia so other governments are interested in learning how does Australia produce certain goods and how can they shave off billions of dollars in R&D -- those types of attacks have always been happening in Australia, they just haven't always been publicised."

The majority of reported breaches to the OAIC stemmed from the health sector, with health service providers accounting for 15 breaches. The health and medical sector also bore the brunt of the WannaCry and Petya ransomware campaigns of 2017.

"In general, what I find is healthcare organisations -- providers, insurance firms, life sciences, pharmaceutical companies -- depending on which sector of healthcare you're looking at, I think you'll find a different level of security in general," Carmakal said.

"In general, I find that healthcare providers, when compared to other sectors, tend to have relatively weaker security controls in place than other industries, for example financial services or defence. And the reason for that is that it's a unique environment where physicians -- most physicians don't want passwords to begin with."

He said that the full set of security controls required to properly secure an organisation can be a nuisance to many people working in the healthcare sector.

"I find that healthcare providers have struggled with implementing strong security controls that other industries have become accustomed to," he added. "I think the controls are looser with healthcare providers and I think also the data is incredibly interesting too."

According to Carmakal, greater understanding of the data breach disclosure laws and better understanding what an organisation's obligations are will result in more breaches being reported. However, the threat landscape is expected to become more destructive in parallel.

"We've seen some incredibly sophisticated and incredibly destructive attacks in the past year that we've never seen before, and unfortunately we do believe that's probably going to continue," he said.
