How Human Error is Driving Cyber Risks: Insights from the OAIC Report

With a 9% increase in reported data breaches in the first half of 2024, Australia is facing a rising tide of cyber risks. Notably, 38% of all breaches stemmed from cyber incidents, with methods like phishing, ransomware, and brute-force attacks dominating the threat landscape. Organisations must anticipate these ever-evolving threats by not only enhancing traditional defences but also adopting proactive measures to mitigate risk.

In this era, the expectation has shifted from breach avoidance to breach readiness. You are no longer judged solely by whether a breach occurs but by how the organisation responds and mitigates its effects. As highlighted in the OAIC report, entities are expected to move beyond compliance and embrace a “privacy-centric approach.” Risk professionals should champion this evolution, embedding privacy into every level of the business from governance frameworks to frontline operations.

The report emphasises that a comprehensive cybersecurity strategy should include robust technical defences like multi-factor authentication (MFA), strong password management, and layered security controls. Equally important is the education of employees and ensuring they are not the weak link in the defence chain.

Organisations need to ensure that these controls are implemented across all systems. For example, enforcing MFA for business systems and limiting employee access to critical data can significantly reduce the chances of a successful phishing attack. Moreover, threat monitoring and incident response frameworks must be continuously tested and optimised for the rapid detection of suspicious activity.

The Essential Eight and other standards like ISO 27001 are invaluable tools, providing a baseline for protecting IT systems and managing cybersecurity risks. While adhering to these frameworks, it’s imperative that risk professionals tailor these controls to their specific operating environments, ensuring that no single point of failure exists in their organisation.
 

One of the most concerning statistics in the OAIC report is that 30% of all data breaches were caused by human error. Whether it's emailing sensitive information to the wrong recipient or failing to use blind carbon copy (BCC) when sending emails, human mistakes continue to be a significant vulnerability.

We must adopt a multi-faceted approach to mitigate these risks. On one hand, technical safeguards—like automated tools that flag potential missteps—can reduce the likelihood of errors. On the other hand, comprehensive and frequent training is crucial. Training should extend beyond basic compliance, equipping staff with knowledge of the latest social engineering tactics and phishing scams. Moreover, monitoring internal behaviours and setting up early-warning systems to detect insider threats can prevent deliberate breaches.
 

The report highlights how extended supply chains pose unique vulnerabilities. A single weakness in a supplier’s cybersecurity posture can compromise the entire chain. Given the rising incidents of multi-party breaches, such as the MediSecure and Outabox incidents, organisations must ensure their supplier risk management frameworks are robust and include specific provisions for managing sensitive data.

To manage these, businesses should enforce strict vetting processes, regularly audit third-party security controls, and include specific clauses in contracts related to data protection. Moreover, contingency plans should be in place for breaches occurring within the supply chain, ensuring rapid response and communication across all affected entities.
 

The rapid adoption of cloud services has introduced new challenges. Misconfiguration of cloud settings, often due to human error, is increasingly responsible for data breaches, as evidenced in the OAIC report. Risk professionals must recognise that the shared responsibility model of cloud security means organisations cannot entirely rely on service providers to safeguard data.

Strong access controls, encryption, and regular security assessments are essential steps to avoid the misconfiguration of cloud-based environments. Policies and procedures governing cloud use should be clearly defined and implemented, ensuring that sensitive information stored in the cloud remains secure.
 

OAIC’s increasing focus on enforcement should also be noted. The recent civil penalty actions against Medibank and Australian Clinical Labs signal a new era of accountability. The regulator’s shift to a more risk-based approach underscores the importance of prioritising systemic issues and potential harms. Organisations must ensure that they are fully compliant with the

Privacy Act and the Notifiable Data Breaches (NDB) scheme, not only to avoid penalties but also to build trust with customers and stakeholders.

Management plays a crucial role in setting a tone of accountability across their organisation, ensuring that privacy is integrated into every aspect of business operations. From securing third-party contracts to training employees and implementing robust technical controls, they must be the champions of a proactive and responsive security culture.
 

Internal audit plays a pivotal role in safeguarding against data breaches, serving as the organisation’s independent assurance mechanism. By evaluating the effectiveness of risk management, control frameworks, and governance processes, internal audit provides an unbiased perspective on cybersecurity posture and data privacy controls.

Those charged with safeguarding an organisation must collaborate closely with internal auditors to ensure that the assurance gained goes beyond mere compliance checks, focusing instead on identifying vulnerabilities in systems, processes, and human behaviour that could lead to breaches. A proactive internal audit function can uncover gaps in cybersecurity protocols, detect weaknesses in third-party arrangements, and assess the adequacy of breach response plans.

With a data-driven focus, internal audits can also help you strengthen defences by providing actionable recommendations, ensuring that corrective actions are taken before vulnerabilities are exploited. Regular audit reviews, combined with real-time insights into the evolving threat landscape, enable risk professionals to continuously adapt and reinforce resilience against data breaches.

In a time where cyber risks are escalating, the partnership between internal audit and the business is crucial for maintaining robust data protection practices and fostering a culture of accountability.
 

As data breaches become a question of “when” rather than “if,” management must transition from a mindset of reactive compliance to proactive prevention. The OAIC’s report serves as a clear call to action for Australian organisations: robust risk management, continuous vigilance, and a culture of accountability are non-negotiable. By embracing privacy by design and focusing on human and supply chain risks, Australian professionals can protect their organisations and foster trust in an increasingly digital world.

For businesses in Australia, 2024 presents both challenges and opportunities. Those who leverage the insights from the OAIC’s report and implement forward-looking risk management strategies will be well-positioned to navigate the evolving landscape of data breaches.