
Australia’s data breaches are a ‘sign of naiveté’

McAfee executive attributes Australia’s poor cloud security record to the lack of data protection measures amid “new and confusing” cloud configurations

One in 20 Amazon Web Services (AWS) S3 cloud storage services had been set up with such lax security that the data stored in them could be read by anyone.

That was just one of the findings of the latest Cloud adoption and risk report released by cyber security company McAfee at its user conference in Sydney.

According to Rajiv Gupta, senior vice-president of cloud security at McAfee, Australian enterprises might be slightly less exposed – but not because they are more diligent about cloud security.

Instead, it was because they had been rather slower than their global counterparts in embracing cloud infrastructure and platform services, he said.

Gupta also said companies that had once believed they had “reasonable transparency” into their data and how it was secured had had that belief “shattered” by the transition to cloud – but not because cloud suppliers were less diligent about security.

Rather, Gupta said this was because businesses did not take precautions to ensure their data remained secure and private, in a sign of “naiveté rather than bad intentions”.

“Cloud configurations are new and confusing,” he said. “But I am surprised how widespread this is. Any S3 bucket left open could be on the front pages of the newspaper.”

In 2017, Australia’s national broadcaster inadvertently exposed sensitive data hosted on S3, following similar incidents in the US.

And more data breaches are coming to light following Australia’s mandatory data breach notification legislation, which came into effect earlier this year.

In its latest quarterly report, released this week, the Office of the Australian Information Commissioner revealed that 245 organisations had experienced data breaches affecting personal information in the three months up to the end of September 2018, with 57% of breaches attributed to malicious or criminal attacks.

McAfee’s analysis showed that, at present, 21% of all files held on public cloud services hold some sensitive data, and sharing data with a publicly accessible link increased by 23% last year. Threats in Microsoft Office 365, for example, soared by 63% over the past 12 months, said McAfee.

Speaking at the Sydney conference, McAfee’s senior vice-president and chief marketing officer, Allison Cerra, called for businesses that are tackling growing cyber security challenges to navigate the threat, technology and regulatory landscapes as they move critical applications to the cloud.

Cerra pointed to McAfee’s Mvision suite of cyber security tools, which will eventually include a cloud-focused tool.

The company said the suite’s newest module for endpoint detection and incident response would be released in the first quarter of 2019, but gave no indication of when the cloud module would be due.

A further challenge faced by many organisations, particularly in Australia, is the shortage of cyber security skills, as cited by nearly four out of five respondents to McAfee’s skills survey.

However, 63% were unable to specify which skills were missing, while two in five people working in cyber security roles in Australia today have no formal qualification in the area, according to McAfee.
