Security Incidents in the Past 12 months


88% of businesses have experienced an IT or security incident in the last 12 months.

Clearsift, a multinational information security company, recently published a survey which found that 88% of businesses have experienced an IT or security incident in the last 12 months. This may seem shocking to some, particularly in light of increased regulation by the Australian Privacy Commissioner and a greater global awareness of the dangers posed by "hacktivists" and insider leaks (think: Edward Snowden[1]). But for those of you who work at the heart of Information Technology management, this comes as no surprise at all.

This is not to say that the privacy and data retention changes have made no difference to business security practices. It is undeniable that most companies have strengthened (or at least thought about) their protections against external threats such as viruses and malware, malicious users, and software vulnerabilities (remember the Heartbleed bug?). But alarmingly, 73% of the incidents were attributable to employees, ex-employees, contractors and partners - insiders of the organisation. This is a sharp increase on last year's survey, which found that only 58% of IT or security incidents were caused by workers.

What this reveals is that companies are neglecting the biggest security threat to their business processes: ignorance. Most of these workers are not acting maliciously, or intending to cause any problems. They are people who are not entirely clear, particularly in relation to non-business records, about:

  • what kind of confidential information can be kept, and what needs to be destroyed
  • what kind of threats exist in the workplace, and how to prevent them
  • what the company's security protocols are and how to implement them

If the business already has clear procedures to manage the confidentiality and security of this data, then the solution is to provide training to staff and to monitor that the procedures are adhered to. If the business does not have clear procedures or practices, then there is far more work to be done.

Over the past two years ITCRA has been active in providing information and resources to the contracting and recruitment sector on the application of the Privacy Act in their businesses. Many businesses have reviewed and improved their practices, but the figures quoted in this research suggest that we cannot be complacent and that there is still a long way to go.

Privacy Awareness Week, 3 - 9 May 2015, is an initiative of the Asia Pacific Privacy Authorities forum, to which Federal and State regulators in Australia and New Zealand are all signatories. It provides an ideal opportunity for everyone to consider this year's theme, Privacy Everyday. The theme emphasises the need for organisations to embed privacy practices into business-as-usual processes, and for individuals and the community to think about how to protect privacy in their everyday lives. ITCRA and Service Excellence Consulting have registered as Privacy Awareness Week Partners, and the Privacy Risk Management program has been lodged as an example of best practice. Clients of companies in the Privacy Network managed by ITCRA will have increased assurance that they will not figure in the 88% identified in surveys such as that conducted by Clearsift.

1. Edward Snowden worked for the National Security Agency through the subcontractor Booz Allen in the NSA's Oahu office. After only three months, Snowden began collecting top-secret documents regarding NSA domestic surveillance practices, which he found disturbing. After Snowden fled to Hong Kong, China, newspapers began printing the documents he had leaked to them, many of them detailing invasive spying practices against American citizens. With the U.S. charging Snowden under the Espionage Act but many groups calling him a hero, Snowden remains in Russia, with the U.S. government working on extradition.