Mistakes caused 74% of government agencies’ reported data breaches, the latest OAIC report shows, even as other industries averaged about 30%.

Credit: Marisa9 / Getty

The number of Australian data breaches due to human error declined significantly overall during the first half of 2021—but a surge in human-caused breaches in the public sector in the same period suggests that the ongoing pressures of rapid digital transformation are exacting a big toll on government workers.

New half-year figures from the Office of the Australian Information Commissioner (OAIC) identified just 134 data breaches in all sectors due to human error during the first six months of 2021—down 34% from the 203 breaches recorded during the previous half-year. These human-caused breaches represented 30% of all data-breach notifications, down from 38% of notifications last year.

Human-caused data breaches: Good news, bad news

“Human error remains a major source of data breaches,” said Australian information commissioner and privacy commissioner Angelene Falk in releasing the new statistics, which detailed 446 data breaches reported during the first half of 2021. “Let’s not forget the human factor also plays a role in many cybersecurity incidents, with phishing being a good example. … Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”

Overall, the OAIC recorded 54 cases where personal information was emailed to the wrong recipient and 31 cases of unauthorised disclosure where data about 523,998 people were released or published by accident. One of those breaches involved data of about 186,000 Australians, who were among 15.7 million individuals affected globally.

Overall, companies were well-attuned when employees made mistakes, with 84% of reporting entities identifying human-caused incidents within 30 days after they occurred. That was slightly ahead of the 81% identifying malicious or criminal attacks within 30 days, but well ahead of the 61% who identified data breaches caused by system faults. Indeed, 30% of breached organisations didn’t discover breaches due to system faults for more than a year—compared to just 3% of malicious breaches and 4% of human errors.

Still, whether through carelessness or manipulation, human error remains a significant and controllable source of data breaches, said Crispin Kerr, ANZ area vice president with cybersecurity provider Proofpoint, whose own “Human Factor 2021” report found 11% of employees across all industries, including government, clicked on simulated phishing attacks—in line with industry averages.

Operational pressure and natural human error are linked with the success of ‘softer’ attack techniques such as phishing and ransomware, Kerr said, both of which rely on exploiting human weaknesses rather than on brute-force hacking. “The past year has been fertile ground for cybercriminal groups to operate this way, targeting people rather than organisations,” Kerr said of the latest OAIC figures.

“Pre-pandemic, many companies did not have the proper training in place to allow employees to recognise and deal with cyberthreats—yet a year on and remote work is not the standard for a significant portion of workers, but we continue to see end users still not adequately trained to deal with cyberthreats.”

As Australian government gets more digital, more human security errors likely

Yet for all the vigilance about human errors overall, Australian government data breaches were overwhelmingly caused by human error—with 25 breaches (74%) traced to human activity and just nine (26%) due to malicious or criminal attack.

That split—which reverses the trend in every other industry sector the OAIC tracks—put Australian government agencies behind only the healthcare industry in terms of total number of human errors, but with a much smaller number of breaches overall.

The figures come as Australian public-sector organisations ramp up their IT investments, with a new Gartner forecast predicting that total Australian government spending will exceed $15.5 billion in 2022—increasing 8.8% over 2021. That forecast comes on the back of a healthy 14.7% increase in software spending in 2021 over 2020.

That sees Australian government spending outpacing the global average of 6.5%, led by a 19.2% increase in software spending within Australian government agencies. “Key national technology capabilities, whole-of-government cloud and SaaS procurement agreements, and digital skills have progressed at a federal level within Australia,” said Brian Ferreira, vice president for executive programs at Gartner. “We have also seen a strengthening digital mandate in ministerial roles with cross federal/state collaboration at a state level.”

Considering that 2021 saw an extraordinary 15% increase in device purchases—pointing to the surge in remote work during the COVID-19 pandemic—the Gartner figures suggest that government agencies are doubling down with a surge in digital transformation activity. Indeed, Gartner believes that by 2025 half of Australian government agencies will have modernised critical core legacy applications “to improve resilience and agility”.

But without appropriate intervention and training, pressure to complete these transformations could well translate into continued high levels of human error.
“While we continue to drift in and out of various state-based work-from-home requests due to COVID outbreaks,” said Fabio Fratucello, CTO for Asia-Pacific and Japan at cybersecurity provider Crowdstrike, “it is important for organisations to identify security vulnerabilities and mitigate internal risks associated with a distributed, lockdown workforce.”