• United States



by David Braue

Australian companies lag world in evaluating business risk of data compromise

Jan 15, 20184 mins
Application SecurityBackup and RecoveryBusiness Continuity

Despite tighter privacy controls and a looming disclosure regime, Australian companies are less vigilant about data risk than their counterparts in other advanced economies, according to research that found protection of critical data varied with dramatic differences in the perceived value of that data.

Businesses are actively triaging the various types of data they collect, according to Trustwave’s recent Value of Data Report, which found that healthcare and hospitality companies prioritise protection of customers’ personally identifiable information (PII) while industrial and IT/communications companies are more concerned about protecting intellectual property (IP).

Overall, PII was seen as being of higher priority than IP, with corporate email dismissed as being least important – even though email often contains both sensitive PII and IP.

Healthcare organisations were far more cautious than those in other industries about the risk to data they collected, with nearly 80 percent of patient-focused organisations saying they had carried out a comprehensive risk assessment.

Such organisations had high degrees of ‘data risk vigilance’, which was assessed based on the sophistication of companies’ thinking in areas such as the overall risk of data being stolen, the value of data, potential regulator fines, the cost of cyber insurance, and short-term consequences of a data theft.

These and other factors contributed to a ‘data risk vigilance’ (DRV) score, with Australian companies posting the lowest overall score (12.8) – well behind Canada (15.8) and the uS (15.7). Financial-services organisations had the highest overall scores, while hospitality and retail industries were lowest overall.

The differences between industries, and the value of their data, was likely to drive a growing trend towards data-based extortion, FireEye APAC chief technology officer Bryce Boland recently told CSO Australia.

“We are seeing ransom and extortion activities becoming steadily more profitable,” Boland explained. “Criminals know that people believe this is a real threat.”

“When they have breached you, they are just as likely to try to turn around and extort you to try to keep it quiet – and we are anticipating that is going to create a lot of opportunities for criminals to monetise the breaches they conduct. This is going to change the dynamics in the market from a business perspective.”

Supply chains were particularly vulnerable given that companies don’t tend to protect third parties’ data as carefully as they protect their own. Similarly, different stakeholders attach different values to various types of data – and all felt their data was worth much more than criminals do.

US security professionals value their company’s PII at $US1820 ($A2340) per record, for example, while Australian respondents value it at $US1186 ($1524).

And while cybercriminals value PII at an average of $US39 ($A50) per record, senior IT managers see that same record as being worth $US1198 $($A1540) while insurers value it at $US3211 ($A4125) and regulators, $US8118 ($A10,433).

Each of these figures reflects a different range of risk factors, but the overriding result is that compromised PII will have a much bigger impact on businesses than the value it delivers to cybercriminals.

This dynamic is leading some criminals to divert their efforts to other activities: servers compromised by a recent exploit for an Oracle WebLogic flaw were, for example, exploited by hackers to mine Monero cryptocurrency rather than stealing data from its targets.

The broadening range of cybercriminal motives was driving the resurgence of a ‘new Mafia’ that, Malwarebytes recently warned, drove the volume of attacks, sophistication and malice up 23 percent in 2017 versus the prior year.

That ‘new Mafia’ comprises traditional gangs, state-sponsored attackers, ideological hackers, and hackers-for-higher, noted Malwarebytes CEO Marcin Kleczynski.

“CEOs will soon have little choice but to elevate cybercrime from a technology issue to a business-critical consideration,” Kleczynski said in a statement. “The most damaging cyberattacks to businesses are the ones that go undetected for long stretches of time. In spite of high-profile occurrences over the last year, many business executives may still have some knowledge gaps to fill.”