By Michael Cerny, Cybersecurity & Digital Trust Partner, PwC Australia
Data theft is the new normal.
It can be highly lucrative when it hits the right target, and that target is everyday Australians: first their most personal data, and then their hip pockets.
Over the past year we have seen this activity ramp up, or at least become far more public. Some of Australia’s most prominent organisations have had their feet held to the fire, and no doubt there will be more to come.
The grim reality is that this is not some temporary trend - it’s here to stay. And it’s time for all Australian organisations to take notice.
In the coming weeks and months, as the impacts of these breaches continue to send shockwaves through Australia’s business community, there will be much soul searching, hand wringing and plenty of talking.
Around the nation, audit and risk committees will be busy reviewing dashboards, chief security officers will be interrogated and a myriad of compliance reviews will be completed.
Memos will go to staff, basic online cybersecurity training modules will be mandated and everyone will swear to do better.
And then, when the dust settles, cybersecurity will once again get relegated to the in-tray. Still a priority, but definitely not top of the pile. An exercise in box ticking with tight budgetary constraints.
While it may seem cynical, this is a cycle we have seen time and time again. And it needs to change.
Crises like this should act as a catalyst for real and tangible change, not just lip service.
But for many Australian businesses, cybersecurity is still viewed as an optional add-on, a nice-to-have. When a new system or application is launched a lot of back slapping occurs, which is great if security is baked in. All too often it is not. This is akin to releasing a state-of-the-art car without airbags: it is just a matter of time before people get hurt. Such a stance is not only bad business today, it has the potential to cause severe upheaval in the lives of ordinary Australians, and it will become worse for business as customers, shareholders and regulators raise their expectations.
As digitisation continues to expand at a rapid pace, businesses need to start looking at and treating cybersecurity as an environmental, social and governance (ESG) issue.
Just as they have come to expect climate change solutions, the banishment of unethical labour practices and crackdowns on board corruption, consumers and shareholders will increasingly look to businesses to maintain a strong and transparent cybersecurity posture. If businesses do not, those consumers and shareholders will vote with their feet.
The frustrating thing is that cybersecurity is not some big surprise – it is something we have been talking about for years. According to PwC Australia’s latest CEO Survey, cybersecurity is the number one issue keeping CEOs awake at night. Yet there is still resistance.
All of this has occurred against a rapidly evolving legislative and regulatory landscape.
Over the past several years we have seen an overhaul of the nation’s critical infrastructure regime with a key focus on cybersecurity as its cornerstone. This has seen an expansion of Australia’s critical infrastructure sectors from four to 11, with the regime reaching wide across the economy.
In 2019, the Australian Prudential Regulation Authority (APRA) introduced its prudential standard CPS 234, which helps ensure APRA-regulated entities take measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats. They are building on this via proposed CPS 230, which is aimed at ensuring APRA-regulated entities take measures to strengthen the management of operational risk in the banking, insurance and superannuation industries and minimise the impact of disruptions to customers and the financial system.
And while compliance with regulation is one thing, regulatory action is another. And regulators are starting to take action.
In what may be a sign of things to come, a landmark Australian cyber case – ASIC v RI Advice Group – was settled earlier this year. In the highly anticipated judgement, the Federal Court found RI Advice had contravened the Corporations Act “as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience”.
ASIC brought the action because the company failed to remedy inadequate cyber controls despite being aware of the issues, with the result that sensitive client information was compromised multiple times over a six-year period, including through a brute-force attack that led to a ransomware incident. The case sets a precedent for future actions and indicates that regulators will increasingly scrutinise cyber practices.
This should make business leaders across the nation take notice. For those with a lax cyber posture there could be severe implications. As we know, significant fines for failing to protect consumers from data breaches are just around the corner, and those fines could be far more costly for an organisation than bringing its cybersecurity up to scratch in the first place.
In 2023, cyber threats present a clearly foreseeable business risk. Businesses should treat a cyberattack as a matter of ‘when’, not ‘if’. While there is no perfect solution, there are many mitigations. Even the simplest measures, such as effective patching programs, sound password policies and training of people, will significantly bolster a business’s cyber resilience.
Recent breaches are of a size and scale Australia has not seen before - and it must serve to draw a line in the sand. The time has come for Australian businesses to become secure-by-design and alive to the fact that not just regulators, but also customers and shareholders, expect cybersecurity to be a high priority.
This is a crisis we cannot let go to waste.