
Basic security controls could prevent most major data breaches
New analysis of data from the UK and Australian Information Commissioners' offices indicates that concentrating efforts on basic cyber security controls and best practices could prevent large-scale exposure of individuals' personal data annually.
The review, conducted by Huntsman Security, used official figures from the UK Information Commissioner's Office (ICO) and information obtained through Freedom of Information requests to the Office of the Australian Information Commissioner (OAIC). The findings reveal that fewer than a third of reported data security incidents are responsible for the overwhelming majority of the personal data lost or exposed each year, impacting tens of millions of people.
The data illustrates that common and persistent attack methods such as brute force attacks, phishing, malware, ransomware, system misconfigurations and unauthorised access are still the primary vectors behind large-scale breaches. According to Huntsman Security, many of these incidents could be prevented by adopting security frameworks such as the National Institute of Standards and Technology (NIST) guidelines or the Australian Cyber Security Centre (ACSC) Essential Eight strategy.
In the United Kingdom, Huntsman Security's analysis of ICO data for 2024 showed that just 2,817 data security incidents — representing 29% of the 9,654 incidents where a cause could be identified — were linked to these threat vectors. These incidents affected 13.9 million individuals, out of a total of 17.6 million affected by all breaches that year, which equates to nearly 80% of all victims in the dataset.
The 2,817 incidents identified also accounted for approximately 90% of all cyber-related data security incidents reported in the UK. Huntsman Security notes that these attacks are frequently targeted and are more likely to compromise sensitive or high-value information, such as health records, financial details, and identity documents, thereby heightening the risks faced by individuals and organisations alike.
The situation in Australia closely mirrors that of the UK. Between 2022 and 2024, just 1,188 incidents (32% of all eligible data breaches reported to the OAIC) involving similar attack methods were responsible for 77% of all compromised records. Overall, the OAIC data shows that while malicious or criminal attacks made up 62% of all eligible breaches (2,312 out of 3,742), these incidents accounted for 98% of affected individuals, compromising 203.5 million data records from a total of 207 million.
Detection and response times for breaches remain a significant concern in Australia. The data shows that, on average, organisations took 48 days to identify breaches and a total of 86 days to report them to the OAIC, potentially prolonging the period during which individuals were exposed to risk and exacerbating potential reputational or regulatory consequences for the affected organisations.
Peter Woollacott, Chief Executive Officer at Huntsman Security, commented on the findings, stating: "While it's unrealistic to expect organisations to prevent every breach, the data shows that implementing some basic controls could really make a difference. Adhering to established security frameworks like NIST or the ACSC Essential Eight can dramatically reduce, not only the number of incidents, but – more importantly – the number of people affected by those incidents overall. Putting in place baseline controls such as effective and timely patching, multi-factor authentication, user application hardening and regular backups can make the world of difference when it comes to effective cyber security."
Woollacott further emphasised the need for continuous vigilance: "What's needed is better visibility through a shift from periodic reviews to a more frequent, 'business as usual', approach that routinely identifies threats from mitigation, reports control effectiveness and reassures both security and executive stakeholders. Annual assessments or audits are simply no longer enough to protect against data theft."
The report recommends that organisations prioritise immediate and ongoing visibility of their security posture, with access to data and insights that enable swift risk mitigation. As cyber threats evolve, routine monitoring, effective controls and a culture that treats cyber resilience as an ongoing operational focus are seen as key factors in reducing the scale and impact of data breaches on individuals.