New report: Human error causes 30% of breaches – CFO insights

Key findings from the OAIC report

Here are the most critical findings from the report that finance leaders need to be aware of, especially when compared to the previous reporting period (July to December 2023):

1. The human element: why errors could be your downfall

Non-cyber incidents caused by human error, such as sending sensitive information to the wrong recipient, accounted for 30% of breaches, making it the second-highest cause after malicious attacks. This figure has held steady, reinforcing the notion that the human element remains the Achilles’ heel in cybersecurity.

2. High-risk zones: sectors under siege by data breaches

The finance sector reported 49 incidents in the current period, a decrease from 58 incidents in the previous period. The healthcare sector reported 59 incidents, down from 62 incidents, indicating ongoing vulnerabilities within both sectors.

3. Inside the attackers’ playbook: methods targeting finance

Cybersecurity incidents accounted for 38% of breaches, with phishing and ransomware taking centre stage. This reflects a 12% rise in malicious breaches compared to the previous period, indicating that attackers are not only persistent but also increasingly sophisticated.

4. Time is money: understanding breach detection delays

There’s a slight improvement in the time taken to identify breaches, with 64% identified within 10 days, compared to 61% in the previous period. However, around 23% were identified more than 30 days post-breach, meaning the risk of exploitation remains a pressing concern.

5. Time for action: data breach notifications surge

The OAIC reported a total of 527 data breaches in the first half of 2024, marking a 9% increase from the previous reporting period. This surge indicates an ongoing challenge for organisations to protect sensitive information and highlights the urgency to enhance their data protection measures.

A cautionary tale: lessons from the MediSecure breach

The MediSecure ransomware attack in May 2024 exposed the personal and medical data of 12.9 million Australians. Hackers accessed this data through a third-party vendor, which underscores the importance of vigilance and robust vendor management.

For finance teams, this incident highlights several key risks:

• Financial fraud: Exposed personal data can lead to identity theft and fraudulent financial activities, threatening the integrity of financial operations.
• Vendor management: Ensuring that vendors adhere to strict cybersecurity standards is vital to mitigate risks.
• Reputational damage: Breaches can erode customer trust and result in long-term damage to the organization’s reputation.

Navigating vulnerabilities: key threats for finance teams

As the landscape of cyber threats evolves, finance departments find themselves in the crosshairs. Here’s a breakdown of specific risks:

• Accounts Payable fraud: Criminals often impersonate vendors to alter bank details and redirect payments to fraudulent accounts. An IT contractor recently exploited AP systems to steal $90,000 from a government agency.
• Phishing emails are increasingly sophisticated, using breached data to deceive finance teams into transferring funds. The threat of Business Email Compromise (BEC) scams is growing, with a significant increase in false billing scams reported in 2023, highlighting the urgency for finance teams to bolster their defences against such tactics, as detailed in our article on phishing scams and how to avoid them.
• Invoice fraud: A common scam involves fraudsters submitting fake or duplicate invoices. They use stolen or falsified data to manipulate financial records and trick AP departments into making payments. This type of fraud is particularly prevalent in Australia, with online invoice scammers increasingly targeting companies.

Action plan: essential strategies for CFOs to mitigate risks

To counter these escalating threats effectively, finance leaders should consider the following proactive measures:

1. Implement multi-factor authentication (MFA): This essential safeguard prevents phishing-based credential theft, making it significantly harder for attackers to gain access.
2. Strengthen vendor oversight: Ensure that all third-party vendors handling financial data adhere to stringent cybersecurity practices. Regular audits can uncover potential weaknesses before they are exploited.
3. Increase employee awareness: Conduct regular phishing and fraud awareness training to equip your team with the knowledge they need to recognise and respond to threats effectively.
4. Enhance fraud detection systems: Invest in real-time monitoring tools that can swiftly identify and flag suspicious financial activity, enabling quicker responses to potential fraud.