August 20, 2023
The financial impact of a data breach on organisations in Australia is approximately $4.03 million with the majority of businesses passing on the cost to customers through an increase in the prices of services and products.
Taking an average of 204 days to identify an attack in the first instance, companies then require an additional 73 days to contain breaches.
Only one-third of organisations discover data breaches through their internal security teams, however; 67% of incidents are reported by a benign third party or by the attackers themselves. When attackers disclose a breach to the public, such a declaration costs organisations almost $1.5 million more than an in-house detection.
The costs – calculated and reported in AUD based on a USD conversion rate of 1.4916 – place Australia as the 13th most expensive country or region in the world for a data breach, behind the US (#1), Canada (#3), UK (#6) and ASEAN (#11) among others.
That’s according to IBM findings – The Cost of a Data Breach Report – which examines the financial consequences of 553 data breaches locally and globally that occurred between March 2022 and March 2023.
While the cost of a data breach in Australia is down slightly from $4.36 million in 2022, the global average cost stands at $6.64 million.
Of all record types, customer and employee personally identifiable information (PII) is the costliest to have compromised – names and social security numbers cost organisations an average of $272 per record. The least expensive record type to have compromised is anonymised customer data, which costs organisations $206 per record.
More than half (52%) of all breaches involved some form of customer PII during 2023, up five percentage points from 2022. This is followed by employee PII (40%) and corporate data, such as financial information and client lists (21%).
“The threat of a cyber incident can no longer be classified as remote or novel,” said Paul Kallenbach, Partner at MinterEllison. “Cyber security and privacy by design must be embedded within the culture and planning of every organisation. Proactive and agile management and response to cyber risk are the new normal.”
During that period in Australia, and based on analysis in MinterEllison’s 2023 Cyber Risk Report, major cyber incidents included:
During the final six months of 2022, malicious or criminal attacks comprised 70% of all notifications to the Office of the Australian Information Commissioner (OAIC). Ransomware remains the primary source of cyber incidents (29%), followed by compromised or stolen credentials and phishing.
Essential Eight framework under-utilised
According to MinterEllison findings, while 78% of organisations have a cyber security response plan in Australia, only 53% test such a plan annually and assess it against established frameworks such as the ASD Essential Eight or the NIST Cybersecurity Framework.
“A plan that sits in the bottom drawer without regular testing and refinement will not provide a roadmap to an adequate response to a cyber attack,” Kallenbach cautioned. “Cyber preparedness is a continuous journey; there is no destination.”
Within this context, 63% of local businesses are not confident that their organisation understands what and where their data is stored, and who has access to it. A notable outlier is the financial services sector in Australia with 62% of businesses confident their organisation understands where its data is stored.
The additional cost experienced by organisations that did not involve law enforcement in a ransomware attack is approximately $700,000 in Australia, according to IBM findings.
For the 37% of businesses that excluded law enforcement following a breach, the financial impact was a 9.6% increase in costs and a breach lifecycle 33 days longer.
From a standards perspective, Kallenbach said almost all (91%) businesses locally understand the regulatory and contractual obligations in the event of a data breach.
“This is unsurprising, given the amount of new and overlapping regulation,” he added. “But on the other hand, regulators are actively advertising their aggressive approach to addressing poor cyber hygiene.”
As noted by Kallenbach, key regulatory developments during the past 12 months include:
“These developments and reform proposals aim to enhance organisations’ capacity to manage and mitigate cyber risk,” he explained. “However, implementation of these new obligations comes with considerable costs, and for many organisations, they will contribute to an already onerous web of overlapping cyber regulation.”
In December 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) took effect. The legislation amended the Privacy Act as the first tranche of reforms resulting from the Privacy Act review.
This amending Act was an expedited response to the Optus and Medibank data breaches, in which maximum civil penalties for serious or repeated interferences with privacy significantly increased:
“We are at an inflection point, where the likelihood of a cyber attack is far higher than the likelihood of not being attacked,” Kallenbach added. “We have just seconds to protect years of data – we need to use that time wisely.”