Australian firms are confident about withstanding cyberattacks—should they be?

A survey shows breach costs have gone down, but the reasons are unclear. And the cost of customer data lost through supplier breaches is rising.


Australian companies that suffer a data breach through a supplier suffer nearly four times the financial impact of standalone breaches, according to a new study that also found more than one in three Australian businesses has disclosed a data breach.

The average Australian cybersecurity attack costs around $519,000, according to Kaspersky’s newly released “IT Security Economics 2021” survey, which flagged the cumulative cost of expenses such as insurance premiums, compensation, penalties, hiring consultants, improving infrastructure, and training employees.

Fewer breaches, or just fewer breaches reported?

The new loss figures were down significantly, from $663,000 last year—although, said Kaspersky ANZ general manager Margrith Appleby, this may be due to an overall reduction in the reporting of data breaches.

Just 37% of companies said they had reported a data breach in the past year—lower than the 46% global figure and down markedly from 49% last year—and Appleby suggested the decline may be due to companies becoming “more proactive in eliminating the consequences of a data breach, which could mean there is less need to disclose it.”

Alternatively, she said, the figures may be because “previous investments into prevention and mitigation measures played well for businesses. Improving how they detect attacks has likely minimised the impact of a breach.”

The decline in reported breaches echoes the results of the latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach (NDB) scheme report, which also saw a reduction in the number of notifications amidst concerns that many companies were opting not to report ransomware attacks because they weren’t sure they qualified as breaches.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated,” Australian Information Commissioner and Privacy Commissioner Angelene Falk noted when the figures were released, “and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware. We expect entities to have appropriate internal practices, procedures, and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

The higher cost of PII breaches at suppliers

Where that personal information is stored with business partners, the consequences can be even more significant: Average losses increased to $1.9 million per breach for companies that suffered a data breach through a compromised supplier, Kaspersky reported, with customer credit card data and personally identifiable information (PII) the most commonly compromised types of data.

The risks of being breached through suppliers have long been identified as a potential blind spot for enterprises—but with such attacks magnifying financial losses, Appleby advised companies to proactively audit supplier relationships based on the data they handle.

“Grading suppliers based on the type of work they do and complexity of access they receive, such as whether they deal with sensitive data and infrastructure or not, is recommended so companies can apply security requirements accordingly,” she said. “If there is sensitive data or information being transferred, ask suppliers to share documentation and certifications to confirm they are able to work at such a level.”

The consequences of poor data governance

Systemic problems leading to a data breach were having severe consequences for companies, with one in five Australian businesses in the Kaspersky report saying that they had fired employees in the wake of a cybersecurity incident.

Yet attributing blame in this way may be counterproductive, with recruitment firm Robert Half recently noting that Australia is in the midst of a skills shortage—with 52% of surveyed business executives and hiring managers agreeing that it has become more challenging to find qualified employees than it was before the pandemic.

Fully 54% blame the rising skills shortages on increased demand for specialist skills, with 23% attributing it to existing skills’ inability to keep up with digital transformation. “While there currently might be no shortage of job opportunities in the Australian professional sectors, there is most certainly a shortage of talent,” noted Robert Half director Nicole Gorton in recommending that companies combine “robust and competitive remuneration strategies, well-rounded hybrid capabilities, cutting-edge technology stacks … and clear succession and career development strategies.”

Yet for companies dealing with the fallout of a cybersecurity attack and facing uncertain flow-on effects, reflexively firing staff in the face of chronic skills shortages may be an own-goal of sorts.

Are Australian firms as prepared for cyberattacks as they believe?

New figures from security firm Varonis suggest an even bigger problem—overconfidence—may be affecting Australian companies’ cybersecurity nous. Although 63% of the 515 C-level executives and senior managers surveyed for the company’s “2021 Australian Cybersecurity Risk Report” said a cyberattack on their companies was likely or very likely within the next 12 months, fully 82% rated their company’s ability to protect themselves from such an attack as good or very good.

More respondents were concerned about loss of reputation due to a cyberattack (29%) than loss of intellectual property (24%), while just 18% said they were concerned about the costs associated with a cybersecurity breach.

With Kaspersky’s breach cost figures highlighting the very real costs that can flow from a data breach—and the additional penalties paid by companies with poor visibility of their supply chain risks—Varonis APAC’s vice president of sales, Scott Leach, said executives’ confidence was “a surprising statistic in light of today’s evolving threats and big ransomware payouts”.

“The high value of sensitive data, combined with the lack of knowledge about where this data is located and who has access to it, makes organisations prize targets for threat actors,” he warned. “Executives and board members must put their data first and proactively turn to cyberresilience—preventing breaches by limiting the potential damage a compromised user or account could do during an attack.”

Copyright © 2021 IDG Communications, Inc.
