NSW Government, Councils, and Universities Experience 52 Data Breaches – Security Overview

NSW Authorities Urged to Enhance Cybersecurity Amid Growing Data Breaches

In light of a troubling increase in data security incidents, agencies, councils, and universities in New South Wales (NSW) are being strongly encouraged to elevate their cybersecurity measures. In the first seven months leading to June 2024, these entities reported a total of 52 data breaches, highlighting a significant risk landscape that demands urgent attention.

The reported breaches stem from a newly implemented mandatory data breach notification scheme within the state. This is the scheme's inaugural reporting period, and while the Information and Privacy Commissioner (IPC) characterizes the volume of breaches as “moderate,” there has been a marked escalation in incidents, particularly in May and June, when monthly numbers effectively doubled compared to earlier months. The IPC’s inaugural trends report clearly indicates the critical need for enhanced vigilance across all sectors.

The IPC emphasizes the importance of leaders engaging with the inherent risks linked to cybersecurity, stating that investment aimed at enhancing information and communication technology (ICT) security and developing staff capabilities is crucial. By doing so, organizations can better safeguard personal information entrusted to them.

Breaking down the 52 reportable breaches, it was found that government agencies accounted for 34 of these incidents, while local councils and universities reported nine breaches each. Notably, around 80 percent of the breaches within government, whether local or state, resulted from human error, indicating a pressing need for targeted training and awareness. In contrast, the academic sector displayed a different trend; 44 percent of the breaches at universities were attributed to cyber incidents, underscoring the diverse nature of risks faced by different institutions. Among these breaches, three affected more than 5,000 individuals, highlighting the potential scale of the impact.

One area of concern for state government agencies is the delay in breach notifications sent to the IPC, with approximately one-third taking between one and six months. While agencies may require over 30 days to assess a breach, it is essential that they maintain a documented request for any extension provided to the IPC, ensuring accountability and transparency.

The potential tactics involved in these breaches could align with various stages outlined in the MITRE ATT&CK framework. For instance, initial access methods may include spear-phishing or exploitation of vulnerable software. Following initial access, adversaries could employ techniques for persistence, allowing them to maintain their foothold within compromised systems. Additionally, privilege escalation tactics could have facilitated unauthorized access to sensitive data, leading to the eventual breaches reported.

As organizations in NSW face increasing scrutiny regarding their data protection practices, the imperative to bolster cybersecurity infrastructure is clearer than ever. Business owners and decision-makers must remain proactive in addressing vulnerabilities, fostering a culture of security awareness, and understanding the evolving threat landscape to mitigate risks effectively.
