The Latitude, Optus, and Medibank high-profile breaches in Australia have left consumers angry, regulators increasing maximum fines from A$2.2m to A$50m, and organizations looking over their shoulders.

 

Omdia view

Summary

I spent six days in Australia at the end of April and early May 2023. Specifically, I was in Melbourne and Sydney to discuss cybersecurity and regional/country nuances. The Latitude, Optus, and Medibank high-profile breaches in Australia have left consumers angry, regulators increasing maximum fines from A$2.2m to A$50m, and organizations looking over their shoulders, concerned that they could be the subject of the next headline. No firm I spoke to said that it wouldn’t happen to them.

Increasing acceptance that cybersecurity breaches are a cost of doing business

I got the impression that in corporate Australia, there is increasing acceptance that organizations will be breached. However, these same organizations know they must be better prepared for the inevitable, both in prevention and in detection and response.

Many of the larger organizations, with substantial resources (people and money) at their disposal, feel as though they’re “doing ok” when it comes to the prevention and detection of, and response to, security incidents and breaches. However, these are in the minority, and there are a huge number of organizations that know they’re not “doing ok.” The combination of budget pressures, lack of resources, and lots of attention all make for an uncomfortable time.

Therefore, security expertise, especially from outsourcing providers with the capability to augment the current workforce, is much in demand. Furthermore, these same organizations want to utilize their existing security stack, whether it comes from Microsoft (an increasingly big player in “base” security capabilities) or other cybersecurity investments, rather than invest in additional products. There is also more demand for these outsourcing providers to understand the specific verticals in which their customers are operating.

Avoiding being the subject of the next headline is driving plenty of cybersecurity activity in Australia. All of the “big three” breaches have, arguably, been poorly handled by the attacked organizations. It pays to have a practiced action plan in place for those occasions where the defenses are breached—a kind of “damage limitation” exercise. This extends beyond the technical response and shutting down the breach as quickly as possible; it also includes corporate communications, handling the engagement with those customers affected by the breach, and providing best-practice actions for individuals to take. A cyberattack can damage corporate reputation; a poorly handled cyberattack can cause serious harm and even end a company. Knowing what to do before an attack happens is essential to protect the organization as much as possible.

Poor data management leads the axe to fall on cybersecurity

One of the other big takeaways touches on cybersecurity, but only because of poor data management issues. The information lifecycle has five stages (see Figure 1).

Figure 1: Information lifecycle. Source: Omdia

The last stage—destroying the data—has been seemingly ignored, and customers that perhaps hadn’t done business with an organization for 15 years still had their data breached. Why would an organization hold on to data for so long?

It seems that scant attention was paid to what happens to data once it no longer needs to be retained. When combined with potentially confusing regulations on data retention, this has led to personally identifiable information (PII) being left languishing, just waiting for an attacker to sweep up anything and everything they can get their hands on.

Somehow, lack of data destruction has become a problem for the security function; eyes are on the security function for not managing the data appropriately, rather than on the line of business for retaining data that they likely should not have. This issue clearly demonstrates that security is not just the security function’s responsibility; it is the organization’s responsibility to ensure that data is held in line with regulatory and organizational requirements. (The General Data Protection Regulation [GDPR] can fine organizations for retaining data for a period beyond its stated need.) If there is an active, rather than passive, decision to retain the data, the security function should be involved to ensure that the data is classified and protected appropriately. It is unreasonable to blame the security function for not protecting data it probably didn’t even know about.

Avoiding becoming one of the “big four or more”

Proper preparation and planning prevent poor performance—and can minimize the impact of cyberattacks. Expecting that an attack will happen, knowing that your organization has done as much as possible to prevent that attack, and then being prepared for it as and when it occurs, will contribute to the organization avoiding the headlines. It’s not possible to eliminate cyberattacks, but it is possible to be prepared and continuously act in the best interests of customers and the organization. This isn’t just the security function’s responsibility; every part of the organization plays a role.

Appendix

Further reading

“Data Security Strategy: Not all data is equal” (March 2023)

“Cybersecurity: Maximum attention, minimum budget – the carrot and the stick” (April 2023)

Author

Maxine Holt, Senior Director, Cybersecurity

askananalyst@omdia.com