If there is a positive about the recent spate of data privacy breaches, it is that they reared their heads at the right time in terms of the latest budgetary expenditure.
On the surface, at least, cyber awareness and resilience received their due focus.
Updates for cyber from the federal budget
The Federal Government committed $12.6 million of its 2022 budget to combat scams and online fraud, with the bulk ($9.9 million) going towards a National Anti-Scam Centre, to be administered by the Australian Competition and Consumer Commission.
At a grassroots level, cyber safety was also addressed with $6 million over three years for the rollout of digital literacy and online safety-awareness programs for school children. $31 million will also be invested in the Australian Public Service cyber hubs pilot, with the overriding aim of improving the cyber defence of government agencies. Ultimately, four cyber hubs will deliver cyber-security capabilities to Commonwealth entities.
Concerning cyber landscape
While it’s promising to see recognition for cyber in the updated federal budget, there’s still a long way to go in achieving a strong national security posture.
Mimecast’s 2022 State of Ransomware Readiness report found that 70 per cent of Australian cybersecurity leaders say the number of cyberattacks against their company has increased since last year.
Alarmingly, 20 per cent of respondents in Australia say they sustained six or more ransomware attacks in the past year – higher than any other country/region surveyed.
The impact and frequency of ransomware attacks are increasingly troubling at a local level. One in five Australian companies has sustained six or more ransomware attacks in the past year – more than any other country surveyed, including Canada, France, Germany, Netherlands, Nordics, Singapore, South Africa, UAE, UK and US.
As noted in the report, 57 per cent of Australians (compared to 55 per cent globally) believe cyberattacks will bring down part of the critical national infrastructure in Australia, such as utilities, banks, and transport networks, in the next two years.
When you consider the exorbitant costs of ransomware attacks on individual businesses, this area of cybersecurity is ripe for development.
The report also found that 20 per cent of businesses had been asked to pay between $500,000 and $999,999 for their wrongfully gained information to be returned, with the total cost of the ransomware attack between $50,000 and $99,999 for the one-in-five affected businesses, and $1-2 million for 13 per cent of those surveyed.
The business implications of ransomware attacks and economic costs must incite a regulatory mindset of digging deeper in terms of realistic cyber spending.
Additional findings from The State of Ransomware Readiness report 2022 include:
- Up to 40 per cent of organisations have experienced significant downtime because of ransomware attacks, an increase of seven per cent on last year
- 30 per cent say it would take one to two days to return to normal business practice after an attack
- 33 per cent say they could only withstand two to five days before sustaining significant financial loss and reputational damage
- 41 per cent of organisations have experienced a loss in revenue due to a ransomware attack in the past 12 months
- 53 per cent are concerned that their cyber insurance will refuse to pay out for ransoms in the future
What businesses can do to mitigate risk
So, what cyber-awareness measures can be put in place? 46 per cent of respondents believe the most effective measure to reduce ransomware attacks is to train employees on recognising email threats. This highlights the need for company-wide awareness and accountability.
This necessity is compounded by 67 per cent of respondents saying end users weren’t adequately trained on security awareness; 63 per cent maintain backups of files in the cloud or on-site to combat cyberattacks; and 51 per cent say that growing media coverage of ransomware attacks is causing increased pressure to prepare.
Further investment and initiatives are required to help reduce these figures. Developing cyber resilience requires time, planning, budget and resources — and simply can’t remain an afterthought.
Information is power in terms of understanding and combating potential ransomware attacks.
Ensure all employees are regularly educated in best cybersecurity practices and are aware of their responsibilities – don’t let this lie solely with the IT department.
Board members should also lead by example – if they’re not keeping up to date with the latest advice or regulations, why should their employees?
Though there is more to be done from the government, businesses and employees, the recent cyber security governance principles released by the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre, as well as the government’s proposal to increase fines for serious or repeated privacy breaches, are a step in the right direction.
While the jury is still out on Australia’s cybersecurity strategy, businesses should take comfort from the fact that cybercrime is firmly in the crosshairs of the government with its own cabinet role, and we’re likely to see more support – and responsibilities – moving forward.