Lessons from Australia’s “OAIC’s Notifiable Data Breach Statistics Report”
In accordance with the Australian Privacy Amendment made in 2017 to the Privacy Act of 1988, the Office of the Australian Information Commissioner (OAIC) reports statistics on cybersecurity incidents and breaches. The data collected establishes a relatively current picture of what types of breaches are happening and why.
The Notifiable Data Breaches Report highlights breaches reported across Australia and breaks them down by impacted individuals, mechanism, and industry. The report is incredibly valuable because it is updated twice a year, so the picture it paints stays relatively current.
The report shows what percentage of breaches are caused by cyber incidents, human error, and system faults, and further breaks each of these categories down to the specific mechanism behind the breach.
Compromised Credentials at Root of Breaches
It may not come as a surprise, but 70% of breaches are still caused by a cyber incident. The surprise might lie in the fact that the vast majority of those cyber incidents were linked to compromised credentials. Of all reported cyber incidents, 79% involved credentials compromised through phishing, brute-force attack, or unknown methods.
In aggregate, this means that over half of ALL breaches, whether caused by a cyber incident, human error, or system fault, can be traced back to a credential-based issue. Compromised credentials are the single most common root cause of breaches. This should incentivize all industries to take a proactive stance, with the understanding that it is not a matter of if, but a matter of when, a breach attempt will happen.
Securing Access With Multi-Factor Authentication
A tried and true method to drastically reduce the threat of compromised credentials is to implement multi-factor authentication (MFA). By securing access to critical data and applications with a second factor of authentication (2FA), like a push notification or a one-time passcode, would-be attackers are blocked at the access point: a stolen or weak password alone is no longer enough to enter the company environment.
"MFA can block over 99.9% of account compromise attacks."
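To make the second-factor check concrete, here is an added example (not Duo's code, and not from the OAIC report) of how a service verifies a time-restricted one-time passcode (RFC 6238 TOTP) alongside the password: a code is accepted only within a short clock-skew window and only once, so a password obtained by phishing or brute force fails without the enrolled device. The secret below is a constructed demo value, and `login`, `SecondFactorVerifier` and the skew policy are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (base32, as it would be enrolled in an authenticator app); not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated to `digits` digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Accepts a code from the current step or one adjacent step (clock skew), and never the same step twice."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_accepted_counter = -1  # replay guard: each time step can be consumed once

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue  # already used, or older than the last accepted code: reject replay
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


def login(password_correct: bool, otp: str, verifier: SecondFactorVerifier, now: int) -> bool:
    """Both factors must pass; a correct password with a missing, wrong or replayed code is denied."""
    return password_correct and verifier.verify(otp, now)
```

The first factor is stubbed as a boolean so the example stays focused on the second factor; in a real service it would be a salted-hash password check.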
Reasons Why Some Corporations Haven’t Adopted MFA
There are many preconceived notions that IT teams may have about adopting MFA, such as:
It will be difficult to deploy MFA to my workforce. I don’t have the bandwidth or time to take on a project that will cause that many help desk tickets right now.
Multi-factor solutions only integrate with some applications in my environment. I’ve actually set it up on the easy applications, but I can’t get the solution to work on XYZ applications.
The employees at my company won’t stand for a cumbersome step in their login process. If I try to hand out tokens or force them to enter time-restricted one time passcodes, there will be a revolt.
To be clear, these are all valid concerns, but at Duo, we have worked hard to address each one as simply and effectively as we can:
Speed to Security: We know that deploying a new security solution can be an intimidating task, which is why we’ve built out a process to ensure that your organization is up and running as quickly as possible. Duo has public-facing documentation so you can review technical requirements before starting the process. We allow for an extended proof-of-concept (POC) period, effectively letting you try before you buy, and we provide a lift-off guide with step-by-step guidance on how to make sure your MFA project is a huge success.
Broadest Application Coverage: A common frustration in deploying an MFA solution is that the product integrates well with a certain subset of applications in a corporate environment, but not all of the critical ones. Some providers are good at protecting cloud applications, some providers can protect on-premise applications, but few providers can easily protect custom in-house applications. Often even if a solution claims the ability to support an application, that support is technically difficult and labor-intensive. At Duo, we provide in-depth support for all critical applications in an environment to ensure set-up and maintenance are simple for your administrators.
Ease of Use: No one in any organization wants to take more steps when logging into their applications, especially if those steps are painful, inconsistent, or stringent. Many MFA providers only support one or two second factors, like tokens or SMS, and constrain end users to a single device, making things miserable when a token is lost or an authentication device is left at home. At Duo, we allow self-enrollment of many different devices and use of a wide variety of second factors, from a push notification to a phone callback. We even allow offline MFA support in many use cases. We work hard to make sure it’s easy to enroll and use Duo, every day.
Given the findings in the NDB report from OAIC, adopting MFA is an easy defensive tactic that is recommended by most government agencies.
There will always be a reason to put off a project, but at Duo we work hard to limit and address those reasons. If you’d like to learn more about how easy it can be to protect your company’s credentials, you can start a free 30-day trial here.
Download the report, "Customer Chronicles: Securing State and Local Government Agencies with Strong MFA," now and see how your state or local government agency can modernize their cyber protection with minimal investment.