The average cost of a data breach to an Australian business is more than $2.5 million per year and, by some estimates, up to nearly $3 million - or to be precise $2.8 million.
In the last financial year alone, one organisation monitoring the Australian threat landscape reported nearly 1.4 million unique Australian IP addresses exhibiting signs of malware infection – on average nearly 4,000 each and every day of the year. (And, as reported by iTWire yesterday, security firm Norton by Symantec said cybercrime cost Australians more than $1.2 billion over the past year, with around four million Aussie Internet users impacted by online crime.)
These stats and facts – and many more worrying signs of the constant, daily threats – are from a number of organisations, both government and private, monitoring Australia’s cyber threat landscape.
It was AISI which reported nearly 1.4 million IP addresses in 12 months had likely been hit by malware infections and, as the ACMA chairman Chris Chapman says, “the risk of cyber security incidents affecting Australian business is becoming more evident than ever, and where the cost of a cyber security incident—especially one that is not managed well—can be exorbitant”.
In a wide-ranging speech at the launch of the Baker & McKenzie Cyber Security Counter-Offensive Guide, Chapman said the reports on malware infections contain information that enables its partners in AISI to identify their infected customers and alert them to their malware infection.
On the cost to Australia of cybercrime, Chapman cited a recent cyber security summit at which Deloitte suggested that the average cost of a data breach to an Australian business is more than $2.5 million per year, and another estimate, by the ‘respected’ Ponemon Institute in the US, that the total average cost paid for data breaches by the Australian companies it surveyed was even higher, at $2.82 million.
“Precise figures here are not the point – what is to the point is the reality of data breaches and their significant direct and indirect costs,” Chapman stressed.
On the thousands of reports on malware infections sent out daily, Chapman said this:
“As indicated by the fact that the AISI has been operating for 10 years, botnets are not a new phenomenon. Unfortunately, malware has also been a constant and pervasive threat over this 10-year period, despite the emergence of a substantial commercial anti-malware industry over this time.
“To underscore this point, in the recently released 2015 threat report by the Australian Cyber Security Centre, malware was identified as the predominant cybercrime threat in 2014.”
Chapman also says there is substantial recent research that indicates SMEs have become the predominant target of cyber criminals.
“Given the interconnected network of contractor relationships in the modern business environment, breaches of smaller companies may lead to breaches of much larger companies.
“For example, the much-publicised breach of Target’s systems in the United States in December 2013, which involved hackers obtaining approximately 70 million records, is suspected to have occurred through lax security arrangements by a small sub-contracting firm who managed some of Target’s heating and cooling operations.
“The takeaway message from this incident is that cyber defence policies need to extend to any company with whom a business interacts who has access to their systems,” Chapman said.
Chapman also had something to say on what he sees as the industry and government leadership required to get on top of, and coordinate, responses to the problem of cyber threats to Australia.
“The fact that the Australian Cyber Security Centre itself has been established is recognition of the need for the government to address and provide coordinated responses within its national jurisdiction to the increasingly important national issue of cybercrime.
“I note that similar developments throughout the Asia Pacific are a theme of the Baker & McKenzie Cybersecurity Counter-offensive Guide, as is its observation that there is not yet a unified, cross Asia-Pacific approach to the regulation of cyber security and convenient cross-border notification and rectification procedures.
“In time no doubt, that will all follow but, for the moment, the Government’s Cyber Security Review will soon deliver a new Cyber Security Strategy, which will set the framework for our national approach to cyber security over the foreseeable future.”
Chapman stressed in his speech that both in government and among businesses, leadership is critical to developing a “strong cybersecurity culture”.
“Without that leadership, Australia’s ability to benefit from online opportunities and to become a trusted place to do online business cannot be assured,” Chapman warned.
Chapman also said that the ACMA’s development, support and continuing evolution of the AISI is “just one demonstration” of the leadership that is needed in cyber security.
“In fact, the AISI was one of the very first national anti-botnet initiatives and has influenced the development of responses in other countries (to us an obvious example being Germany) to the threats posed by botnets.”
Chapman cautioned that although the cyber security issues dealt with by the AISI and the other ACMA programs don’t attract big headlines, they can still be “devastating to the home users and SMEs that become the targets of cyber-crime”.
“This makes our role distinct from Commonwealth and State agencies that are concerned with cyber security threats to Government itself, to defence interests and to critical infrastructure.
“It’s increasingly evident that a botnet comprising thousands of compromised devices owned by home users, or an SME whose systems are compromised but is a key supplier to a major corporate, can nevertheless cause damage to our national interest.”
Chapman was strong on the ACMA’s role in playing its part in the fight against cybersecurity threats, citing the authority’s work in the telecommunications sector.
“The ACMA’s awareness of and unrelenting focus on the interests of consumers and SMEs, evidenced (for example) through our work in recent years to reform the then woeful levels of customer care and complaints-handling in the telecommunications industry, means we’re in good shape to continue the role of addressing the cyber security risks affecting these parties.
“The fact is that interventions at this level can make a substantial economic contribution. We announced only last week $545 million in annual savings accruing to telecommunications consumers - detailed in an ACMA economic analysis report - and which benefits are also likely to be spent elsewhere, thus delivering benefits to other areas of the economy.”
In a veiled swipe at government, Chapman said the ACMA has maintained its cyber security programs despite an 18% decline in nominal terms to its base funding over the past 10 years.
“These programs aren’t required under our legislation and it would have been easy for me to discontinue them on the basis that they are discretionary. But, in today’s world, treating the cyber security of home users and SMEs as a discretionary item would be the antithesis of leadership.”
Chapman did acknowledge that most cybersecurity threats affecting Australian internet users originate from outside Australia, making it “difficult for government alone to undertake traditional enforcement action against the originators of the threats”.
“But much can be done to make Australia a difficult target for cybercriminals and a good global ‘cyber citizen’,” he said.
According to Chapman, collaboration between the key government and industry organisations is critical to the establishment and maintenance of an “effective national approach to cyber security”.
The ACMA chief said there is certainly a need for government organisations to collaborate effectively with each other and have clearly defined roles, and there is a need for private sector executives and boards to “recognise the important role they have in promoting the security of their own business, their industry, and their customers, and be ready to show leadership themselves—as corporate governance and their fiduciary duties now increasingly dictate”.
“Having made that observation, I know many Australian businesses already invest in promoting the security of their customers and work with government to the benefit of all Australian internet users,” Chapman concluded.