James Henderson

Australia under attack… thousands of breaches, millions in costs

For many, the cyber security conversation has entered clichéd territory, suffocated by fear-mongering and alarmists. That unrelenting ‘you could be next’ mob of marketers hell-bent on heightening danger levels to achieve commercial gain.

But this sub-section of the industry – albeit diminishing – is doing a disservice to the real issue at hand. Because Australia is under attack.

And the numbers back that up in terms of scale and severity.

Within a 12-month period, the Australian Signals Directorate (ASD) responded to more than 1,100 cyber security incidents from Australian entities. This is in addition to nearly 94,000 reports made to law enforcement through ReportCyber – around one every six minutes.

For Australian businesses, the average cost of a data breach now stands at $4.26 million in AUD, representing a 27% increase since 2020.

“IBM conducts R&D in cyber security right here in Australia at our Gold Coast Development Lab and is proud to be delivering global innovative cyber security solutions to Australian clients to enhance their security measures and response strategies,” said Nick Flood, Managing Director of IBM Australia.

Flood addressed the evolving threat landscape in the local market following the annual release of the Cost of a Data Breach Report – conducted by Ponemon Institute and analysed by IBM.

Running for 19 consecutive years, the latest edition includes real-world data breaches experienced by 604 organisations globally between March 2023 and February 2024.

Based on the data – of which all currency in this article is in AUD – the cost of $4.26 million placed Australia as the 13th most expensive country or region in the world for a data breach, behind the US (#1), Canada (#6), UK (#7), Japan (#8) and ASEAN (#12) among others.

Australian companies require an average of 266 days to identify and contain cyber incidents, eight days longer than the global average of 258 days.

From a local sector standpoint, the technology industry – defined as software and hardware companies – commanded the highest average cost of a breach at $5.81 million. This was slightly ahead of financial services – consisting of banking, insurance and investment companies – at $5.61 million.

“Businesses are caught in a continuous cycle of breaches, containment and fallout response,” observed Kevin Skapinetz, Vice President of Strategy and Product Design at IBM Security. “This cycle now often includes investments in strengthening security defences and passing breach expenses on to consumers – making security the new cost of doing business.”

In Australia, 32% of breaches involved data stored across multiple environments including public cloud, private cloud and on-premises locations. At an average cost of $4.88 million, this type of breach took the longest to identify and contain at 301 days.

Notably, phishing ranked as the most common initial attack vector, accounting for 22% of breaches and costing local businesses an average of $4.35 million per incident. Stolen credentials accounted for 17% of breaches and cost approximately $4.32 million per incident.

Despite only accounting for 8% of breaches, malicious insider attacks proved the most costly in Australia at a rough cost of $4.91 million per incident.

Issues of scale and severity

As outlined in the fourth and most recent Annual Cyber Threat Report – published by the ASD and spanning the 2022-23 financial year – Australian governments, critical infrastructure, businesses and households continue to be the “target of malicious cyber actors”.

Categorised as a “persistent threat” to the nation, such a threat now extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services.

For example, high-profile attacks on Optus, Medibank and Latitude impacted over 33 million customers combined in Australia – all within a seven-month period from September 2022 to March 2023.

In response, the Australian Protective Domain Name System blocked over 67 million malicious domain requests, up 176%. Meanwhile, the Domain Takedown Service blocked over 127,000 attacks against Australian servers, up 336%.

According to IBM, Australian businesses are spending $1.65 million on average to detect cyber threats, which is still the most expensive part of a breach. This is followed by post-breach response and lost business costs.

To mitigate such risks and costs, Christopher Hockings – CTO of Asia Pacific at IBM Security – cited the importance of AI and automation as integral parts of modern cyber security defences.

“Breached organisations across Australia are seeing significant cost and time savings via their use of security AI and automation across their security operations,” Hockings outlined.

Organisations leveraging AI and automation saved an average of $1.74 million per breach while reducing response time by 99 days.

“Australian businesses are increasingly understanding that the ability to detect and respond to cyber threats swiftly can make all the difference,” Hockings added. “With attacks growing more sophisticated, it’s imperative for organisations to adapt and prioritise speed in their cyber security efforts to avoid costly breaches.”

The adoption of AI and automation is also designed to help businesses overcome rising challenges associated with security staffing shortages. In 2024, this drove up breach costs both locally and globally.

More than half of the organisations studied (53%) had ‘severe’ or ‘high-level’ staffing shortages last year and experienced significantly higher breach costs as a result.

But mounting staffing challenges may soon see relief, with organisations planning to increase security budgets compared to last year (63% vs. 51%) and employee training emerging as a top planned investment area.

Organisations also plan to invest in incident response planning and testing, threat detection and response technologies – such as SIEM, SOAR and EDR – alongside identity and access management and data security protection tools.
