If you struggled with insomnia during 2023, then you were not alone. Cyber security was on everyone’s mind and the result was widespread sleeplessness.
For example, it has kept departing ATO Commissioner Chris Jordan awake, as he admitted in a valedictory speech a month ago. The office repelled 3 million cyber attacks a month, he said, targeting its 1 billion filing cabinets worth of data and it would only get worse: “Our risk of sophisticated fraud attempts will continue to grow with global threats, organised crime, the use of artificial intelligence, and data breaches in the community.”
It was a sentiment echoed in boardrooms across the country. The Australian newspaper’s CEO Survey a few weeks later found the constant threat of a crippling cyber attack was the “3am thought” for an overwhelming majority. CSL chief Paul McKenzie highlighted the viral nature of a breach and how a company’s supplier network could make it vulnerable. “We’ve seen many examples where one company has a breach, but many people and organisations are affected,” he told The Australian.
Meanwhile, KPMG’s annual survey of 300 senior executives – suitably titled “Keeping us up at Night” – found 43 per cent were restless about the issue, relegating last year’s top concern of skills shortages to second place.
Released yesterday, it found cyber security was now the number one issue for 2024 and the next three to five years.
KPMG Australia chief executive Andrew Yates said COVID-19 had accelerated our shift to digital channels and brought data issues into sharp focus.
“High-profile attacks and outages over the last 12 months have clearly reinforced the importance of cyber in executive minds and boardrooms,” he said. “They see it as the top issue both in 2024 and over the years ahead.”
Last year’s cyber attacks lacked the shock and awe of the Optus or Medibank incidents in 2022, which left millions of affected customers scrambling to comprehend what had been lost.
But 2023 highlighted how – despite those cautionary tales – businesses across the spectrum remained vulnerable. The roll call of victims ranged from Latitude Financial back in March, when the personal details of 14 million customers were stolen, to industry superannuation fund NGS Super, stevedore DP World, and law firm Allen & Overy.
During the final two months it felt like Australia was on a losing streak, with a run of attacks that took in Court Services Victoria, St Vincent’s Health, probiotic drink maker Yakult Australia, and car dealer group Eagers Automotive. As with other attacks, the companies involved initially struggled to ascertain the extent of the breaches and how many customers had been compromised.
In its Threat Report for 2022–23, the Australian Signals Directorate said it received incident reports at the rate of one every six minutes – up from every seven minutes – and the average cost per breach had risen 14 per cent, with small businesses losing $46,000 on average. Email compromise was the top cyber crime against businesses while for individuals, it was identity fraud.
The federal government responded with a wide range of measures, from the National Anti-Scam Centre, set up under the auspices of the ACCC midyear, to the 2023–30 Cyber Security Strategy in late November, which channels $587 million to the problem.
The first phase, through to 2025, aims to “address critical gaps in our cyber shields, build better protections for our most vulnerable citizens and businesses, and support cyber maturity uplift across our region”. It specified six “shields” that included the adoption of safer technology standards, better information sharing, protection for critical infrastructure, and attracting more cyber talent.
Small business welcomed its provision of cyber health checks and the establishment of a Cyber Resilience Service, two of the first initiatives to receive funding pledges. Small business ombudsman Bruce Billson said: “Small and family businesses are sadly a preferred target for some of the scammers and cyber criminals and these new programs will give small business greater confidence they are not alone.”
The ATO’s roll-out of revised client-agent linking protocols and rules around myGov access were two examples of attempts to lock the digital door en route to broader, more encompassing schemes.
The measures met some pushback from the tax profession, despite its acknowledging their necessity, and the government’s cyber strategy put several other potentially controversial initiatives on the agenda. These included expanding the Digital ID program “to reduce the need for people to share sensitive personal information with government and businesses to access services online” as well as working with industry to design mandatory reporting of ransomware attacks and a review board for cyber incidents.
So 2024 looks like being – as two specialists from KordaMentha put it – “the year of the cyber professional”.
Cyber partners Brendan Read and Tony Vizza said leaders would be expected to prevent cyber attacks and investigate when they happened or face punitive action from regulators and stakeholders through the courts.
“As part of this heightened regulatory activity, we are likely to see the first judgment from litigation brought by regulators as well as an increase in class actions from those impacted by the consequences of cyber breaches,” they said.
And that does not sound like a recipe for a good night’s sleep.