Cyber security: a very human problem

In our articles dated 23 November 2018 and 14 February 2019, we reported that of the 245 notifiable data breaches reported to the Office of the Australian Information Commissioner between 1 July and 30 September, 27% were attributable to human error, and in the next quarter to 31 December 2018, 33% of the reported breaches were attributable to human error.

As we have previously reported, the penalties for notifiable data breaches are significant, insurers will be refining policy wordings in relation to cyber insurance over the forthcoming years, and the Commissioner will start enforcing penalties in respect of failure to notify breaches.

Whilst the importance of having a secure IT system, and having the security on that system reviewed regularly, this can only guard to a certain extent against human error.

Accordingly, it is important to make all employees (from senior management to the office junior), third party providers, and outside contractors, aware of your organisations policies in relation to the Australian privacy legislation, cyber security and data breaches, and to ensure, as far as practicable, that those policies are understood by all relevant personnel, and complied with.

One key area that can assist in minimising human error is to introduce staff training to raise awareness of the relevant issues, and to back up that training with written policies providing clear guidelines that staff can read and then refer to when appropriate.

Some key areas to focus on are set out below:

Raising awareness of employees

• In the first instance, make sure that all staff know where they can access your organisation’s privacy policy and that they understand it, so they know what customers or clients are being advised in relation to the collection and retention of their information.  
• Have a designated manager that staff can direct specific queries to in relation to privacy issues, suspected data breaches or cyber attacks.
• Inform staff of common mistakes made by personnel, such as failing to bcc customers on group emails, sending an email to the wrong recipient, failing to report lost equipment (such as mobile phones or laptops) at the earliest opportunity, and sharing passwords.

Review your current policies and procedures

• Review your current Acceptable IT Use policy, or create one, to assist staff in dealing with your organisation’s IT system and in understanding what their obligations are. The policy should include, but not be limited to, such issues as use of passwords, access to information, the collection and storage of information, the obligation to destroy information when it is no longer, the use of personal hardware and software in the workplace (which should be prohibited), the use of devices outside the office, and what to do if a device is lost or stolen.
• Access to information should be limited to those employees who need to view it, thus reducing the risk of an accidental breach.
• Ensure that all staff attend a compulsory training session at least annually to remind them of their obligations.
• Review your contracts with third party consultants and providers to ensure that your organisation is protected from either a cyber attack on that organisation, or a data breach by personnel from that organisation.

If you have any questions in relation to this article, please contact Iain Freeman or Lorraine Madden.