The Australian Cyber Security Strategy, which was published by the Government last year, encourages strong collaboration between Government, private sector and the insurance community to support the Country’s vision in becoming the world leader in cybersecurity and resiliency by 2030.
As Government and organisations work together to improve Australia’s collective posture, it is vital that businesses proactively seek to deepen their understanding of the key cyber risk factors and the changing regulatory landscape so that they can build capabilities that will allow them to successfully adapt and thrive. Furthermore, business leaders are being called upon to raise not just their own cybersecurity posture but to hold those within their business community accountable and, in so doing, driving widescale improvements – acting as ‘Cyber Evangelists’, if you will.
Below are some of the key themes relating to cyber risk management and data governance that could help mobilise action:
The proposed Privacy Act reforms, which include 116 proposals, are intended to upgrade Australia’s current privacy framework to ensure that it is fit-for-purpose in an increasing digital age.
The key theme is focused on moving away from a ‘notice & consent’ model to an overarching ‘fair & reasonable’ test which incorporates a Privacy Impact Assessment (PIA). This involves strengthening the protection of personal information centered around the individual and assessing the risk of harm to that individual.
This is likely to see a removal of the SME exemption (which currently applies to companies with revenues under $3m), although this may become politicised ahead of the next election (despite currently having bi-partisan support).
Managed Service Providers (MSPs) have all too often been shown to be the weak link in the supply chain, accounting for 43% of all third party breaches in 2023. It is worth noting therefore that, despite the clear advantages of involving third party suppliers in increasing operational efficiency and leveraging outside expertise, an external vendor may create a weak link in your IT environment if proper vetting and monitoring of these suppliers is not at the forefront of the corporate risk management agenda.
As MSP breaches become more prominent, risk mitigation requires sound MSP procurement and contract management processes, including:
a. Enhanced contractual protection. This involves ensuring suitable contractual provisions, i.e. that the contract that you hold with your MSP is not unfavourable to your business and instead, holds the MSP liable and lays out strict KPIs which they must meet in the event of a breach;
b. Alignment of vendor data handling/retention practices;
c. Alignment of cyber security controls;
d. Mandating that the MSP holds suitable cyber insurance.
Recent trends show a continued move towards ‘big game hunting’, with the volume of ransomware attacks down, while the average quantums being claimed have increased materially from $330,000 in H1 2022 to $1,290,000 in H2 2023.
Threat actors are increasingly focused on data theft only attacks, moving away from ransomware and double and triple ransomware tactics previously favoured (whereby the threat actor would encrypt key systems, steal data, disable emails etc. and require a ransom payment for the release/reinstatement of each function).Instead, there is a pattern of hyper-weaponisation of highly sensitive stolen data accompanied by an ever increasing ransom demand.
What’s interesting, however, is that, in Australia, the percentage of businesses paying ransom demands has dropped from 85% to an all-time low of 29% in Q4 2023which suggests a wholesale improvement in corporate contingency and resiliency and that strides are already being taken in the right direction.
Business Email Compromise (BEC)and Funds Transfer Fraud (FTF) remain a large contributor of cyber related losses in Australia. Last year, over $500,000,000 of funds were misappropriated with 78% of those funds unrecoverable from the bank.
The main contributing factor remains the absence of appropriate multi-factor authentication (MFA) procedures, including call-backs.
As Australian organisations move towards continuous cyber security enhancements, business leaders should better understand whether their controls and processes in place are sufficient to manage and protect their data, ensure continuity of operations, and prevent cyber attacks.
The cyber insurance industry is highlighted to be an important part of the solution, with insurers playing a crucial role in supporting policyholders in terms of uplifting capabilities. Businesses are therefore encouraged to consult with a specialty insurance broker to understand their policies and the extent of cover for cyber incidents.
Lack of awareness and potentially existing poor risk management practices are bound to pose major problems.
Stay up to date with recent developments and trends, and if you have questions, feel free to contact our specialist team.