On the 15th of February, the Office of the Australian Information Commissioner (OAIC) released its latest Notifiable Data Breaches Report for July to December 2021. And it's fair to say that the legal sector hasn't performed well.
Reports made to the OAIC topped 464 for the 2021 half, with Legal services* coming in as the third most prevalent sector, with 51 reported data breaches - Health services and Finance were first and second, with 83 and 56 respectively. And while 51 reports from the more than 16,800 Australian legal practices and legal service providers may not sound like cause for concern, the breakdown of the data is significant.
Across the entire data set, for all industries, 41% of data breaches were caused by human error, which is an increase of 43% from the last report. Of the compromised data, contact information remains the most common type of personal information (PI or PII). 96% of breaches affected up to 5,000 people. Additionally, the compromised PI datasets comprised Contact Information, Identity Information, Financial Details and Tax File Numbers.
Has there ever been a more prudent point to reinforce the case for Zero Trust?
To further highlight this point, over half of all cyber incidents reported originated from either stolen credentials or phishing. We've all heard the stories of user credentials for sale on the dark web. However, when we work with outsourcing organisations, such as e-discovery firms and IT service providers, ensuring correct procedures are followed is critical. The report highlights that theft of paperwork and data storage devices represented 11% of breaches caused by malicious attacks, with social engineering also a cause for concern at 12%.
Educating users on due process and correct procedure when it comes to information security is paramount and should always form a critical centrepiece of an organisation's cyber security strategy.
Let's get into some of the legal-specific research.
From the top six industries in the report, the legal sector stands alone when comparing the breakdown of sources of PI breaches. Legal was comparatively more susceptible to malicious attacks than the other industries, recording the second highest number of malicious attacks overall.
When we look at only malicious attacks, across all six industries, legal tops the scale, with 31 total breaches, with healthcare next at 22.
Looking at PI data breaches caused by human error, legal has 14 in total, with 12 breaches caused by users sending PI data to the wrong recipients via email. This again highlights the need for continual user training and vigilance in this area from IT departments and service providers.
The concept of Zero Trust is built upon the understanding that a breach is assumed, which, given what you've just read, is probably a safe bet for the future. Aside from emailing the wrong people, the impact from phishing, ransomware and data exfiltration from stolen credentials can all be minimised with a Zero Trust approach to Cyber Security.
Given that the vast majority of organisations are already using Office 365 and Azure Active Directory, implementing Microsoft Defender for Cloud makes a lot of sense. The Defender family integrates across cloud, apps and identity to help organisations implement a Zero Trust approach to data security quickly. In fact, you can begin your Zero Trust journey and improve your security posture with Defender for Cloud in as little as 15 minutes.
To see how Wrive, Microsoft and Defender can support you on your Zero Trust journey, register for our Zero Trust Webinar today.
*The report groups legal services together with accounting and management services in a single industry category ("Legal, accounting & management services").