Cybercrime is an increasingly prevalent issue affecting Australian businesses. Businesses must maintain cybersecure practices to mitigate cybercrime risks, helping to protect their employees, customers, and business.
What is cybercrime?
Cybercrimes are most commonly committed by cybercriminals who seek to illegally access hardware or data, or disrupt operations. This is often for financial gain or to otherwise inflict damage on an organisation, for example, reputational damage.
Cybercrime actors may also include current or former clients, customers, competitors and employees. It is important to be aware of all possible threats.
Cyberthreats can occur in a wide variety of ways, including:
- theft or unauthorised access of hardware, computers and mobile devices;
- unauthorised access or sharing of data;
- infecting computers with malware (for example, viruses, ransomware, and spyware);
- spam emails containing malware;
- attacks on third party systems you use;
- gaining access to your systems through employees or customers;
- distributed denial of service (DDoS) attacks; and
- Corporate Account Takeover (CATO).
Cybercrime is increasingly prevalent, with attacks on Australian businesses of all sizes becoming more frequent, targeted and sophisticated. According to the Annual Cyber Threat Report 2021-2022, the Australian Cyber Security Centre recorded 76,000 cybercrime reports, a 13% increase from the previous year.
Developments in artificial intelligence will likely result in more frequent and more sophisticated attacks in coming years, as cybercriminals deploy AI technology to enhance their attacks.
What is cybersecurity?
Cybersecurity encompasses the processes adopted by an organisation to protect its systems and data from accidental or unauthorised access, corruption, theft or damage.
Organisations need to be vigilant in the security practices and processes they adopt and maintain, and must continuously improve those practices to keep their protections up to date and mitigate the likelihood of falling victim to ever-changing cybercrimes.
Key cyberthreats affecting Australian businesses in 2023
Social engineering is a common and effective form of cyberattack. This involves manipulating and deceiving individuals into divulging confidential or personal information, often to gain control over their computer system or to enable personal attacks. Phishing and ransomware attacks are two examples of social engineering which are commonly used to gain unauthorised access to an organisation’s systems.
Phishing includes fraudulent emails or text messages which purport to be from a known source. They often contain malicious links and are used to steal online banking logins, credit card details or passwords.
Ransomware is the use of malicious software to encrypt files or block access to a computer system until a ransom amount is paid. For further information on types of cyberattacks read Sainty Law’s Insight here.
Human error is one of the leading causes of successful cybercrimes and data breaches in organisations. According to Stanford University 88% of all data breaches are caused by an employee’s mistake.[1] From a security perspective, human error refers to unintentional actions, or a lack of action, by device users that cause, spread or allow a security breach to occur. Patricia Titus, Chief Information Security Officer of Freddie Mac, states, “The biggest business risk for us and most companies is a data breach or system failure … but the biggest challenge is the potential for human error”.[2]
Another key risk to Australian businesses arises through their supply and distribution chains, for example third-party service providers such as external IT and logistics providers. Cybercriminals will often target third-party providers to gain access to their client businesses.
Australian businesses need to look beyond their own internal cyber practices and ensure that any third-party service providers they engage have effective and sufficient cybersecurity measures in place, including communication protocols in the event of a cyberattack.
Implications of a cyberattack
Cyberattacks may have financial, reputational and legal implications for businesses.
Financial costs
Cyberattacks may impact a company’s ability to operate, slowing operations and diminishing revenue. Companies often also incur significant costs responding to and containing a cyberattack.
In September 2022, the Optus data breach impacted 9.7 million current and former customers, over a third of Australia’s population. The organisation has put aside $140 million for costs relating to the breaches,[3] including to replace hacked identification documents, provide Equifax Protect subscriptions, and undertake a formal review.
Reputational costs
Regardless of its size, a cyberattack will impact an organisation’s reputation. Diminished public confidence and trust in the organisation may then reduce its revenue. This can happen over time, with contracts not renewed and jobs not won.
Data breaches, a common outcome of a cyberattack, are ranked among the top three threats to an organisation’s reputation, alongside environmental disasters and poor customer service. For example, Medibank has “worked to regain their customers trust”[4] following the 2022 data breach, which saw its “share price plunge by more than 15 per cent in the week”[5] following the breach.
Effective cybersecure practices not only aim to prevent cyberattacks from occurring, but must also enable an organisation to respond to any potential or actual cyberthreat swiftly and effectively, including by providing legally compliant and effective notices to affected consumers and the general public, if required.
Legal and regulatory costs
Given the ramifications of cyberattacks for the Australian economy, regulatory oversight has increased, largely through Australia’s privacy and competition law regimes. Businesses can be held accountable for how they handle consumer and personal data.
Businesses that mishandle consumer data and suffer cybersecurity failures are exposed to significant fines, as well as legal fees and settlement costs relating to affected individuals. Prudent cybersecure practices must comply with an organisation’s legal obligations, which will assist in defending claims for regulatory breach.
What does a cybersecure business look like?
There are a number of measures you can implement to mitigate the likelihood of suffering a cyberattack, or the implications of one.
Employee Education
Cybersecurity training, whether delivered by internal or external IT and security professionals, is essential. It increases the likelihood that employees will detect, prevent and mitigate risks from cyberthreats.
Privileged Access Management Schemes
These schemes restrict who has access to different types of organisational data, and ensure that sensitive or important information can only be accessed by specific individuals who understand and follow specific protocols in line with the company’s data handling procedures.
Monitor, Detect & Respond
Cybersecurity monitoring entails continually observing the behaviour of an organisation’s network to recognise any signals of a potential data breach. Where unusual or alarming activity is detected, monitoring gives the business time to promptly implement the necessary prevention steps or response plan.
Third-Party Risk
Using third-party vendors who have access to an organisation’s data or systems, such as software providers, outsourced data centres, data consultants or computer hardware suppliers, presents different cyber risks that must be managed.
A cybersecure organisation will ensure its third-party vendors have adequate information security policies in place before partnering with them, and will seek to ensure that these standards are upheld when handling their valuable data and information.
Best Practices for Australian Businesses
To ensure greater protection for you and your business, consider implementing the following cybersecure practices:
- conduct a data audit to understand the types of information collected by your business, how it is collected and stored, and who may access it and how;
- establish and maintain data management protocols, including implementing security controls to only allow authorised personnel to access sensitive information, and data retention procedures so you only keep what you must;
- regularly update software and operating systems;
- use strong passwords and multi-factor authentication to prevent unauthorised access;
- encrypt all sensitive data;
- have clear procedures in place for responding to a suspected or actual cyber attack;
- conduct regular security training sessions for employees to help them recognise and manage cyberattacks and to keep abreast of the nature of new threats.
The Australian Cyber Security Centre provides an insightful guide to Australian small businesses and how they can improve their cybersecurity. This is equally useful for larger businesses and individuals. Use the ACSC checklist here as a tool to measure how well your business is handling its cybersecurity.
[1] Tessian (2022). Psychology of Human Error: Understand the Mistakes that Compromise your Company’s Cybersecurity. Stanford: Tessian.
[2] Forbes Insights (2014). The Reputational Impact of IT Risk.
[3] Samios, Z. (2022, November 10). Optus hack to cost at least $140 million. The Sydney Morning Herald. https://www.smh.com.au/business/companies/optus-puts-aside-140m-to-replace-customers-hacked-identity-documents-20221110-p5bx4g.html
[4] Cameron, N. (2023, November 22). One year since massive data breach, Medibank brand, growth, profit powers as Federal Government sets out ‘six shield’ cybersecurity plan. Mi3. https://mi-3.com.au/22-11-2023/medibank-flags-customer-advocacy-back-pre-cybercrime-levels-federal-government-unveils
[5] Ibid.