
The latest information on cyber

September 20, 2020

The Australian Cyber Security Center (ACSC) has published its annual Cyber Threat Report. The ACSC is an operational arm of the Australian government. It is responsible for “strengthening the nation’s cyber resilience, and for identifying, mitigating and responding to cyber threats against Australian interests. The ACSC also manages ReportCyber on behalf of federal, state and territory law enforcement agencies, providing a single online portal for individuals and businesses to report cybercrime.”

Over the year ended June 30th 2020, they “responded to 2,266 cyber security incidents and received 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes.”

Of the cyber security incidents, 803 (35.4%) were reported by government agencies. Healthcare was the sector with the next highest level of incidents at 164.

To put those statistics into context, according to the Australian government, as of June 30, 2019 there were “2,375,753 actively trading businesses in the Australian economy”. Of those, 141,628 were in healthcare.

So there were roughly 0.6 security incidents reported per thousand businesses (counting only the incidents not reported by government agencies), and 1.2 per thousand in healthcare.

Cybercrime is a very broad category, including not only fraud but also online bullying and the sharing of intimate images or videos. It is not clear from the report how many of these targeted individuals rather than businesses or government agencies.

It is also unclear what the impact has been of cyber breaches, ransomware attacks, etc.

The ACSC report references a Microsoft-commissioned study from 2018. That study said:

…more than half of the organisations surveyed in Australia have experienced a cybersecurity incident (55%) in the last five months while 1 in 5 companies (20%) are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

…a large-sized organisation (over 500 employees) in Australia can incur an economic loss of AU$35.9 million if a breach occurs. The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

Fear and doubt surrounding cybersecurity incidents are undermining Australian organisations’ willingness to capture opportunities associated with today’s digital economy, with 66% of respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Microsoft says “the potential direct economic loss of cybersecurity incidents on Australian businesses can hit a staggering AU$29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. Direct costs refer to tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.”

But that is simply the potential loss, a projection of some sort. Is it a credible number or a scare number? What is the likelihood of losses that high? You can decide for yourself, but I just don’t see 2% of a nation’s GDP being lost to cyber.

Microsoft bemoans “fear and doubt” but they are stoking it!

We need, as I have said many times, to assess for ourselves how a breach could affect our businesses and the achievement of our objectives.

There will be a range of potential effects, from trivial to major. Each point in that range has its own likelihood.

Don’t assess cyber or any other source of business risk using a single point in that range. Consider that entire range and whether it is acceptable.

If it is not acceptable, then consider what defense, detection, response, and preparedness you need to bring it down to where you are willing to take the risk. Consider whether the cost is justified based on the risk reduction – given that there are other uses for those resources.

Everybody should gauge the level of resource that should be applied to cyber based on their organization’s specific circumstances.

Don’t spend more than the risk merits – but spend enough.
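A worked version of that reasoning, added here as an example and not part of the original post: it scores one business across a range of outcomes rather than a single point, reads off the likelihood of exceeding a given loss, and checks whether a control's cost is justified by the expected loss it avoids. The scenarios, likelihoods and control effectiveness figures are constructed for illustration, not drawn from the ACSC or Microsoft reports, and the function names are the example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    loss: float         # impact if this outcome occurs, in AUD
    annual_prob: float  # chance of this outcome occurring in a year

# Constructed range of outcomes for one business, trivial through major.
# These figures are illustrative only, not taken from either report.
BASELINE = [
    Scenario("phishing cleanup", 5_000, 0.60),
    Scenario("ransomware, restored from backup", 120_000, 0.08),
    Scenario("data breach with notification", 900_000, 0.02),
    Scenario("prolonged outage, major loss", 6_000_000, 0.002),
]

def worst_case(scenarios):
    """Single-point view: the largest loss in the range, ignoring likelihood."""
    return max(s.loss for s in scenarios)

def expected_annual_loss(scenarios):
    """Whole-range view: each outcome's impact weighted by its likelihood."""
    return sum(s.loss * s.annual_prob for s in scenarios)

def exceedance_probability(scenarios, threshold):
    """Chance that at least one outcome costing >= threshold occurs in a year,
    treating the outcomes as independent."""
    p_none = 1.0
    for s in scenarios:
        if s.loss >= threshold:
            p_none *= 1.0 - s.annual_prob
    return 1.0 - p_none

def apply_control(scenarios, prob_cut, loss_cut):
    """Hypothetical control: defence/detection cut likelihood by prob_cut,
    response/preparedness cut impact by loss_cut (both fractions 0..1)."""
    return [Scenario(s.name, s.loss * (1 - loss_cut), s.annual_prob * (1 - prob_cut))
            for s in scenarios]

def control_justified(scenarios, prob_cut, loss_cut, annual_cost):
    """Spend only if the expected loss avoided exceeds what the control costs."""
    after = apply_control(scenarios, prob_cut, loss_cut)
    saving = expected_annual_loss(scenarios) - expected_annual_loss(after)
    return saving > annual_cost, saving

if __name__ == "__main__":
    print(f"worst case: {worst_case(BASELINE):,.0f}  expected: {expected_annual_loss(BASELINE):,.0f}")
    print(f"P(loss >= 100k in a year): {exceedance_probability(BASELINE, 100_000):.3f}")
    print(control_justified(BASELINE, 0.5, 0.25, 15_000))
```

The same control that is worth AUD 15,000 a year is not worth AUD 30,000, which is the "spend enough, but not more than the risk merits" point in numbers.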

What do you think?
