SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Cyber alert: tackling the unseen risk that could sink your business in 2020
Wed, 27th May 2020

Have you considered the existential risk a major cybersecurity incident could pose to your organisation? If the answer is no, you're missing a trick.

Incursions can come in many forms – ransomware that shuts down your systems and locks you out of your data, malware that acts as an undercover spy stealing valuable company secrets, cybercriminals who monitor your emails for sensitive data, and 'social engineers' who manipulate your employees into disclosing their log-in credentials.

In 2020, the chances of falling victim to high tech crime are real and rising. The Australian Cyber Security Centre (ACSC) has recently warned of a surge in COVID-19 themed malicious cyber activity. The agency has already received scores of cybercrime reports and responded to at least 20 cybersecurity incidents involving national suppliers and COVID-19 response services.

Counting the cost of downtime

So, how might a cyber incident impact on your business? Start by tallying the cost of downtime – the amount of business you'd stand to lose if you unexpectedly lost access to your core systems and the data they contain, for a day or several.

A ransomware attack can place you in just this position: infecting your servers and systems, encrypting your business data – and demanding a hefty sum to unlock it all again. Refuse to pay up and you face the prospect of being offline for an extended period, unable to take orders, make deliveries, receive payments and pay staff and suppliers, while systems are restored from backup.

Depending on the size of your business, you're potentially looking at a five or six-figure sum – and that's before you add to your tab the cost of professional assistance to investigate the source of the attack and implement countermeasures that reduce the likelihood of recurrence.

Writing cheques on the road to recovery

Post-incident investigation costs are just one of three financial imposts that typically accrue from a major cyber incident; the others being systems restoration and customer notification.

Restoring systems via backup recovery can take hours or even days to complete – and the result may well be incomplete, if a backup was not recently carried out.

Your alternative – paying the nominated sum to have your systems and data restored – is an uncertain one. Faceless cybercriminals might fail to make good on their assurances after you've parted with your cash. And opening the company chequebook may encourage future incursions.

Keeping customers in the loop is another exercise that can be costly and time-consuming but very necessary. Australia's stringent privacy laws require businesses with turnover in excess of $3 million to notify customers, and the Office of the Australian Information Commissioner (OAIC), the national privacy watchdog, of serious data breaches within 30 days.

Devoting resources to this process can be a good investment on another front – customers are less likely to take their business elsewhere if they're provided with timely and transparent information about what went wrong and what you're doing about it.

Putting a figure on data loss

How do you value the data that you keep? Customer information – email addresses and phone numbers, driver's licence and tax file numbers and the like – is a valuable commodity which can be on-sold for profit and used by the unscrupulous to commit identity fraud.

Being deemed to have not taken sufficient measures to safeguard this data or remediate a breach can cost you dearly. In 2019, the government announced its intention to increase the maximum penalty, currently $2.1 million, for serious or repeated breaches. It's set to rise to $10 million or three times the value of any benefit derived from the breach, or 10% of the concerned entity's annual domestic turnover; whichever is the highest.

The loss of intellectual property that helps you maintain a competitive advantage – patented information, confidential commercial data and key customer lists, for example – can be an even more devastating financial blow.

The cost of losing your good name

The reputation of your business is also an asset worth preserving. Cyber attacks and data breaches can rarely be kept on the down low and, if your organisation is a prominent one, a major incident may well make the news. Case in point: Melbourne logistics giant Toll Group, which has hit the headlines twice this year, courtesy of ransomware attacks which forced the firm to shut down core systems.

Once you've acquired a name for cyber-insecurity, rebuilding customer trust can be a long and expensive process.

Prevention is better than costly cure

A successful cyber attack can have many implications for your business, including a price tag you may be unwilling or unable to pay. A comprehensive understanding of the risks and costs involved should inform your cybersecurity planning in today's uncertain times and the months to come.