Cybercrime does not discriminate by business size or industry. For a hacker to realise their ultimate goal – whether that be making money, stealing infrastructure, leveraging data to steal assets or boosting their ego – they want to find the easiest targets quickly.
Large corporations have the capacity, technology, processes and understanding to implement appropriate measures to mitigate cyber risk. For everyone else, it’s a different story.
Unfortunately, in the absence of board-level ownership of cybersecurity, mid-sized businesses are at a big disadvantage and exposed to greater risk. In 2017, one in four — roughly 25% — of small to medium businesses in Australia experienced cybercrime. That figure was up from the previous year and is likely rising.
When an attack occurs, every second counts. Our recent UK cybersecurity report notes that businesses with board-level buy-in and mechanisms in place — such as regular reviews, an incident response plan and a specific board member accountable for cybersecurity — have a reduced likelihood of and impact from cyberattacks.
Why target mid-sized business?
In truth, every business is a target, but mid-sized businesses are particularly vulnerable. According to our recent UK cyber security report: “They’re less likely to implement best-in-class cybersecurity than larger companies or to require their suppliers to do the same. Nevertheless, they have a level of resources that makes them an attractive target for criminals looking to extract a ransom, and a network of offices that makes fraud easier.” In essence, big businesses have deep pockets, but this also means more resources to defend themselves, notwithstanding their more complex environments and sometimes poor use of technology. Mid-sized businesses, on the other hand, are wealthy enough to be attractive but often lack an equal level of investment in detection, response and management controls.
The cost of cybersecurity complacency in Australia
Our recent UK cybersecurity report found that most businesses identify reputational loss, clean-up cost and management time as the biggest areas of expected impact from a cyberattack. This has certainly held true in a few globally known examples, such as Facebook’s Cambridge Analytica scandal and the ensuing $5 billion fine it received, or the more recent hefty fines handed to Marriott Hotels and British Airways. The implications and cost of complacent cybersecurity can be vast and, often, very public. What has this looked like in Australia?
LandMark White is Australia’s largest independent property valuation and consulting firm, holding a 20 per cent share of the residential market and the only ASX-listed property valuer. In January 2019, it experienced a data breach that resulted in the details of 100,000 of its home loan customers being leaked on the dark web. The fallout and backlash from this incident were enormous and ultimately resulted in a loss of $6 million in revenue as customers, including big banks, suspended business with the firm. LandMark White voluntarily suspended trading in mid-February.
Six weeks after it was reinstated on the ASX, a second data breach occurred in May where 76,000 files, which were a subset of the original dataset, leaked on the dark web. Though it contained no new information, the reputational damage was huge.
Both events significantly distracted the management team and demonstrated underinvestment in baseline controls. The company is currently trying to raise funding to restructure the business while concurrently implementing the Australian Cyber Security Centre’s Essential Eight.
Another more recent example occurred in July 2019 when National Australia Bank (NAB) experienced a data breach as a result of human error. The personal information of 13,000 customers, which included name, date of birth, contact details and government identifying numbers, was uploaded without authorisation to the servers of two data service companies.
The scale of this breach is not as large, but the cost and reputational damage are still significant. NAB offered to cover the cost of any documents that need to be reissued, as well as to pay for “independent, enhanced fraud detection identification services for affected customers”.
The cost and reputation implications of cybercrime can be devastating for any business. In light of these recent local examples, complacency is not an option.
If it hasn’t already happened, cybersecurity must be elevated from a simple back-of-house function to a board-level priority. The board needs to understand its business risks and lead a cybersecurity strategy that protects its systems, clients and customers.
We can expect to see more legislation and regulation to protect data privacy, as well as an even greater expectation from the community that their information is safe. Forgiveness will not be easily offered for preventable data breaches. It is time to get on the front foot.