Australian business owners have been warned: cybersecurity incidents are imminent.
That’s the message of Andre Conti, an information technology expert from Luxembourg, now based in Sydney.
And at the end of the day, it doesn’t matter how sophisticated an organisation’s security system is, either.
“One of the weakest links you can find in security is people: your people posting things, people letting things open on the internet.”
Conti is heading the brand new Australian chapter of NCS, one of the largest ICT service providers in Asia. As far as he can see, cybersecurity breaches are a major global concern. The World Economic Forum’s latest Global Risks 2021 report named “cybersecurity failures” the fourth-largest threat across the globe.
Australia’s corporate and prudential regulators are also on high alert about the threat this poses to Australian organisations and financial institutions. In November last year, an APRA executive board member said in a speech that cyber crime has “sped up” and company leaders lacked adequate understanding about the risks.
The security of organisations online is an issue that the whole world is grappling with, said Conti.
“I think the whole world is behind in terms of trying to catch up on what the hackers are implementing around the world,” he said.
‘State-based’ hacking is a major threat, too, he added. In June last year, Prime Minister Scott Morrison said Australian institutions had been hit by a “sophisticated state-based cyber actor” that senior sources suspected was from China.
Hackers are often “one step, two steps ahead” of organisations due to the sheer amount of money funding the effort to “find gaps and intrusions”, said Conti.
“Therefore any organisation around the world, I would say, is always at the mercy of something happening to them.
“It’s not ‘if’ it’s going to happen – it’s more ‘when’ it’s going to happen,” Conti said. “Because 100 per cent security doesn’t exist.
“Every organisation at some stage is going to have a security incident; will have to react to it; needs to have a plan around it.”
What can organisations and businesses do about this?
Leaders of every organisation with an online or digital presence will need two things to protect it: a strong “posture” – that is, all the safeguards in place to prevent breaches – and a strong response plan.
“In my view, you just have to have the right structure to respond to it when it happens. So it's a continuous investment,” he said.
But this is precisely what businesses struggle with most: perpetually keeping up with new cybersecurity best practices.
Employees’ data have to be protected, too, to ensure business partners, clients and staff have the same ‘security posture’ as the organisation, and businesses will have to keep up with the regulators in their sector.
“Keeping up with the evolution of regulation is a lot of investment. So I don't think [organisations] are behind because they don't have the capability.
“It's a struggle because it requires a lot of investment and requires a lot of skills.” The skills shortage, in particular, may be a bigger struggle for business leaders than a lack of willingness to shore up security.
According to the Institute of Data, Australia’s severe shortage of cybersecurity workers is responsible for $400 million lost in wages and revenue.
Australia is short 2,300 cybersecurity workers across the nation, and will need at least 17,600 more professionals in this area by 2026.
Cybersecurity has also been listed among the roles projected to be the highest-paying by 2025.
The cost of cybersecurity failures
The Australian Cyber Security Growth Network’s Digital Trust Report 2020 found that a single week of digital disruption would directly cost Australia’s economy more than 6,000 jobs and $1.2 billion in losses.
A month-long disruption would push job losses up to 36,941 and direct economic losses to $7.3 billion.
And that’s before you count indirect losses, which would be as high as 163,042 jobs and as much as $30 billion.
A 2018 study commissioned by Microsoft found that the potential direct economic loss to Australian businesses from cybersecurity breaches could reach an eye-watering $29 billion a year.
It found that a single large organisation of more than 500 workers could cop a loss of nearly $36 million if a breach occurs, with the losses coming from the direct and indirect costs of customer churn and economic damage as well as the broader impacts of lower consumer and enterprise spending.
“Although the direct losses from cybersecurity breaches are most visible, they are just the tip of the iceberg,” said Edison Yu, vice president of Frost & Sullivan, which was commissioned to do the survey.