Aussies have mixed priorities in protection of essential services - PwC Community Attitudes Survey

• New community attitudes survey of over 2,000 Aussies on cybersecurity and protecting essential services
• Australians are equally concerned about a cyber attack that steals their sensitive personal data and a cyber attack that disables essential services (42% and 41% respectively)
• Almost two-thirds (64%) said they would consider changing providers if they were impacted by a cyber attack that affected their essential service
• 85% of Aussies think providers should disclose cyber breaches so that they can choose to use another supplier in the future

Australians are increasingly concerned as cybersecurity incidents and data breaches continue to rise. However, when it comes to essential services such as water, gas or electricity, telecommunications, transport or hospital and healthcare, Australian consumers still value privacy just as equally as access to essential services. A new survey by PwC Australia of over 2,000 Australian consumers was conducted to gain their insights on cybersecurity in relation to the country’s critical infrastructure assets and understand how it impacts their everyday lives.

According to the survey, Australians are just as concerned about a cyber attack involving their sensitive personal data being stolen (42%) as they are about a cyber attack that disables an essential service (41%). This is particularly pronounced among Australian youth with 42% of those aged 18-24 more worried about their personal data being stolen compared to 37% aged 65 and over. In contrast, nearly half (47%) of Australians aged 65 and over were more concerned about an essential service being impacted by a cyber incident. Australians living in regional and rural areas rated continued access to essential services over data privacy compared to those in capital cities.

Garry Bentlin, Cybersecurity Lead for Critical Infrastructure at PwC Australia, said, “The findings have shown that the protection of our essential services is low on consumers’ agenda - possibly due to a lack of understanding or losing sight of priorities. We all know how critical it is to protect our banks since they manage the flow of money between people and businesses, and we expect them to make cybersecurity their top priority. But imagine the uproar if our transport network that delivers essential goods was immobilised, or our power grids were attacked by cyber criminals or if our hospital systems were hacked - and what if you had a family member in hospital at the time? It’s important for Aussies to understand the real world impacts of these kinds of critical infrastructure attacks.

“We live in a rapidly evolving technology environment and every essential service relies on digitisation, making them vulnerable. While protecting personal data should be a major priority for organisations, it is also vital that they have safeguards in place for improved security and greater resilience against cyber attacks. The catastrophic possibility of a successful cyber attack on Australia’s critical infrastructure and the consequences of a breach go far further than financial loss. They include the potential for prolonged outages of essential services and, subsequently, impacts on health, safety, and even national security.”

Over 60% of survey participants said they would consider changing providers if they were impacted by a cyber attack that affected their essential service. For Gen Z and Millennials, this number soared to 77%, suggesting a lack of brand trust. On the other end of the scale, this number dropped to 50% for respondents aged 65 and over which may indicate that trust has been built over time. Sentiments between genders were similar, however, the numbers did vary between males and females aged 18-24. Nearly 80% of males aged 18-24 said they would consider changing providers if they were impacted by a cyber attack that affected their essential service, compared to 64% of females in the same age group.

When asked about essential service providers stopping supply because of a security incident, a total of 85% of respondents said providers should disclose cyber breaches so that they can choose to use another supplier in the future - 54% agreed providers should disclose this in all circumstances while 31% said if it was more than a temporary disruption. Cumulatively, 90% of Australians aged 65 and over indicated that providers should communicate security incidents to customers so that they have the option to change providers.

Mr Bentlin said this expectation also goes to trust and transparency and supports the Government’s position on disclosure of cyber security incidents.

Data modelling by PwC Australia estimated direct costs of cyber incidents to business to be approximately $10.1 billion with a loss of GDP through to 2031 to be $114.9 billion. According to the Australian Cyber Security Centre (ACSC), there was an increase of nearly 13% in cyber incidents in the last financial year.

“Cyber security threats are increasing and with Australians more connected than ever before, criminals are looking to exploit any vulnerabilities by accessing sensitive information and for financial gain. As cyber attack tools become more commoditised, operators of critical infrastructure are increasingly being targeted by a broader range of threat actors. The ACSC revealed that around a quarter of reported cyber security incidents affected critical infrastructure organisations. Australia’s essential services such as health care, energy and food distribution are a potential target for cyber criminals and any major disruption of these services would mean reputational damage and loss of trust, lost revenue, and potentially harm or loss of life.

“Considering the increasing hostility of the threat environment, Australian consumers should take an interest in how organisations and the Government are tackling cyber security and the need for greater protection of Australia’s ‘critical infrastructure assets’ and ‘systems of national significance’,” concluded Mr Bentlin.

Read "How our essential service suppliers can better protect us from cyber crime" for further insights.