While Australia has yet to experience a data breach like Target or Sony, some experts believe that has more to do with inadequate disclosure laws than strong security measures.
For a long time, Australia has been seen as the cul-de-sac of the internet, with our antipodean location giving us protection from the attention of hackers. However, Deloitte’s cyber-security experts warn our isolation is at an end.
The average cost of a data breach per Australian organisation is more than $2.5 million per year, and over the five years to 2014 each breach in the country was estimated to involve over 20,000 records. Around the world, data loss also increased by 25 per cent between 2013 and 2014.
Speaking at Deloitte’s Cyber Intelligence Centre in Australia, Deloitte’s Cyber Risk Services Partner Tommy Viljoen said, “Given there is no legislation for breach notification in Australia and that most organisations are focused on prevention as opposed to detection, there is significant under-reporting of cyber breaches in Australia.”
Viljoen believes that if our defences are weaker than those of other countries, Australian companies risk becoming a ‘target-rich environment’ for hackers. “It has been gradual, but the pace has picked up in the last 18 months to two years. I’m no longer having conversations with Australian CEOs and other C-level executives about hypothetically when they’re going to be attacked. They’re now talking in terms of when they were last attacked.”
Three elements of security
As the threat evolves, so must security, with the traditional approach of focusing on perimeter defences leaving businesses ill-prepared. Instead, security needs to consist of three elements.
While it’s fair to say that perfect security is impossible, networks need to be secure, protecting critical assets against known and emerging threats across the ecosystem. The organisation also needs to be vigilant, monitoring its network consistently. That means, for example, investigating why a server went down rather than just getting it back up as quickly as possible, and using pre-emptive threat insight to detect both known and unknown adversarial activity.
Lastly, security needs to be resilient – the company and its IT have to nurture their ability to recover when incidents occur. Deloitte argues that Australian companies are lagging behind in the last two elements, although some organisations like banks, which are governed by APRA, are doing a better job than the majority of companies. Most Australian companies still spend 50 per cent of their budget on perimeter defence, with not much spent on monitoring and even less spent on resilience.
In the US, companies are assuming their firewall and intrusion detection systems are good enough and are putting more money into vigilance and resilience. Nevertheless, it’s often a customer or partner who alerts them to a breach.
Organised crime: The greatest threat
According to Australian Cyber Intelligence Centre head James Nunn-Price, 92 per cent of breaches are perpetrated by outsiders. These known external perpetrators come from organised crime (55 per cent), state-affiliated hackers (21 per cent), activists (2 per cent) and former employees (1 per cent). Only 14 per cent of breaches are by insiders, though this figure rose from 7 per cent last year.
“More than three-quarters of the breach incidents are caused by weak or stolen credentials, with rogue hardware and malware also frequent causes of breach or service denial,” warns Nunn-Price. “It is therefore important for all employees, contractors and suppliers to be aware of how criminals are targeting them with their well-planned attacks, often triggered by ‘apparent insiders’ who are already lying in wait within the organisation.”
Hacking a $55 billion global market
Breaching the electronic defences of corporations has become a $55 billion market with a growing level of sophistication. Deloitte global cyber-security leader Kelly Bissell added that while industrial espionage is not new, it’s now been digitised.
“The threat actors are more sophisticated than ever before and more industrialised. Now there are people who just focus on breaching the network layer, while other people focus on cracking passwords. Each of these specialists just sells their expertise or the information they’ve stolen.”
It’s an issue that’s at the top of many business leaders’ minds, with the potential for crippling financial and reputational repercussions. To ensure your business doesn’t fall victim to these increasingly sophisticated attacks, up-to-date and holistic security systems are a must.