The cost of doing nothing: Australian organisations are gambling on cybersecurity
GUEST OPINION Ask any CEO or senior business leader what’s been keeping them up at night over the past few months and it’s almost guaranteed cybersecurity will be on that list.
After getting by unaffected by the scale of cyber-attacks experienced in other countries – like the Colonial Pipeline for example, Australia has been living in a false sense of security when it comes to our cyber-readiness.
The recent high-profile data breaches against Optus and Medibank and dozens more have woken corporate Australia up to the realities of the evolving cyber landscape. Attacks are increasing in scale and severity, creating vulnerabilities in the security posture of organisations and Australia as a nation. Combined with ongoing workforce challenges, the industry is facing a critical turning point.
The Australian Cyber Security Centre’s annual Cyber Threat Report this year found a cyber crime is reported every seven minutes while the overall number of cyber crime reports increased by 13% from 2021. Australia’s Minister for Home Affairs and Cybersecurity recently announced a new cybersecurity strategy will be developed as part of government’s ambition to make Australia the most cyber-secure nation in the world. How can organisations help ensure we get there?
Financials more important to the bottom line than reputation
Despite the media fallout from Optus, Medibank and dozens of other attacks, the reality is many organisations are still of the mentality that from a financial perspective, it’s sometimes accepted to do nothing than to place significant investment into cybersecurity measures. The business could be willing to accepts the risks if they view that the cost of investing in cybersecurity measures to be greater than the cost or impacts to their business from a cyber incident.
Mass migration to the cloud and remote working has expanded an organisation’s potential attack surface exponentially, making securing data, systems and employees more challenging and more expensive than ever before.
While organisations have a price on reputation, many are more concerned about financial losses, data theft or downtime from a cyber attack than reputational damage alone. The introduction of new penalties for organisations who suffer serious or repeated data breaches could however, force organisations to invest more in cybersecurity or suffer financial damages. Prompted by the recent cyber attacks, the Australian government has passed reforms to increase fines from $2.2 million to $50 million – or 30% of a company’s adjusted turnover, whichever is greater.
While the changes have been welcomed by some, a survey by PwC of Australian executives conducted prior to the recent attacks found 90% believe public information sharing and transparency was a risk that could lead to a loss of competitive advantage, compared to 70% of executives globally. If cybersecurity is to be taken serious, Australian organisations must be ready for the consequences that come with doing nothing.
The right to be forgotten
One of the greatest criticisms of the Optus attack has been the storing of historical personal information and data from Australians that were no longer customers of the telecommunications provider. This has raised valid questions about customers ‘right to be forgotten’ – for example, to have their data erased if they aren’t a customer anymore.
Data storage and management is a complex field. Some industries like healthcare are required to collect large volumes of personal data and organisations are often bound by auditing requirements. However, for consumer goods like telecommunications and retail, the volume of data collected and held is becoming increasingly problematic.
Unlike the European Union, which is bound by General Data Protection Regulation (GDPR), Australians currently don’t have the right to be forgotten. The recent changes to the Privacy Act and Notifiable Data Breaches Scheme could signal this kind of protection might be on the way for Australia, however the reality is many organisations would be unprepared to handle it. Organisations are currently not forced to delete old customer data, so there is no incentive to do so.
Personal accountability on the table
In 2021, the government floated the idea that company directors could be held personally responsible for cyber attacks on their company. Meanwhile Gartner has predicted three quarters of CEOs will be personally liable for cyber-physical incidents by 2024.
Just as CEOs are bound by workplace health and safety policies, directors may soon be held liable for attacks that have a significant impact on customers, employees, and their business. If organisations aren’t making the required investment – which according to PwC just 37% of Australian organisations (vs 53% globally) are taking anticipatory action in cybersecurity and embedding mitigations accordingly – this comes back to who has, or hasn’t, signed off on these investments.
Not all cyber attacks are sophisticated, but increasingly a result of business email compromise (BEC) which cost Australians an average of $64,000 per incident. CEOs are often used as a lure in BEC and credential phishing attacks given their privileged access to sensitive data. These threats are why proper identity management across all layers of an organisation is so critical.
As the minister for cyber security stated in her National Press Club Address, Australia has been in a cyber slumber and the next few years will test Australia’s readiness and responsiveness to rising cyber threats. A wait and see approach or delaying investment to save on short-term costs is no longer sufficient. As policy and regulation continue to tighten, organisations must be ready to live in this new world. Adopting an adaptive zero trust approach underpinned by technology will be critical in giving organisation the visibility and control they need to implement a holistic cybersecurity strategy.
Gloss