The latest Notifiable Data Breaches report marked two years since it was introduced as a mandate for Australian organisations. Despite these reports spotlighting the need for better security practices, there seems to be little improvement with data breaches continuing to increase. Since the last report, reports jumped from 490 to 537; indicating a 19 percent jump in data breaches over a span of six months. The figures demonstrate persistent gaps in security, reinforced by a lack of security awareness amongst Australian organisations—despite the fact 55 percent of Australian respondents to a McAfee survey named data breaches as one of the top three cyber risks.

The report revealed, malicious or criminal attacks, including cyber incidents, are the largest source of data breaches, accounting for 64 percent of all notifications, or 343 breaches (an additional 61 notifications compared to the previous half-year). Moreover, data breaches that resulted from human error accounted for 170, or 32 percent, of all breaches, down 34 percent from the last reporting period. The report also revealed 230 notifications were classified as cyber incidents such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials.

With these concerning figures in mind, we’re at a critical time where organisations need to recognise that a complete security model involves everyone across the enterprise and cloud.

The state of cloud security

Two years on and the Notifiable Data Breaches (NDB) report still holds strong indications that Australian organisations can and should be doing more when it comes to cloud security. Over 63 percent of organisations are flying blind in the cloud with no capability to monitor for data loss prevention incidents and 99 percent of misconfiguration incidents in public cloud environments are going undetected. It is clear that there is still a long way in cybersecurity, and moving into a new decade, the constantly evolving threat landscape is putting increased pressure for business to further commit to best practice to combat data breaches.

As the digital landscape broadens, data breaches are moving away from on-premise architecture to the cloud. With the broad distribution of data across devices and the cloud, visibility becomes increasingly fragmented. In a recent McAfee study analysing the distribution of enterprise data across devices and the cloud, it was found 79 per cent of companies allow access to enterprise-approved cloud services from personal devices – meaning new security vulnerabilities beyond enterprise control. While it is essential that cloud providers have measures in place to keep data secure, cloud security is a shared responsibility and organisations must recognise everyone’s part in the security paradigm.

The shared responsibility model

Security is not something to be delivered and managed solely by the IT department. In a cloud environment, the security model involves everyone across the enterprise. Data protection is a layered defence, where every individual at any touchpoint has a role and responsibility to ensuring cyber best practice. With data more valuable than ever, the security of data that is dispersed across on-premise and cloud environments can only become a reality when responsibility is shared.

The 360° Shared Responsibility Model is designed to help define the combination of groups that need to be aligned to ensure full cloud and data security—across all types of cloud platforms and all types of cloud use cases. The model shows which groups are either wholly or jointly accountable at each layer of the model, with a focus on those groups inside the enterprise. The 360° Shared Responsibility Model provides a foundational security approach that should be incorporated as a key element of any organisation’s cloud IT strategy.