Cybercrime attacks that cost the economy an estimated $3.5billion a year are just the tip of the iceberg, making board disclosure responsibilities more likely.
One expert suggested the 13% increase in the number of cybercrime disclosures to the Australian Cyber Security Centre – taking the total in the past financial year to 67,500 attacks – could be just a fifth of the true figure.
Even the reported total is the equivalent of one cyber attack every eight minutes.
But the scale underreporting makes it seem likely that federal government mooted plans to make company directors personally liable for cyber breaches could become a reality.
Assistant Minister for Defence, the Hon Andrew Hastie MP launched October’s Cyber Security Awareness Month, saying: “It’s critical that Australian families and business report any instances of cybercrime via ReportCyber.
“Reporting not only helps the victim, it also helps to develop the Australian Cyber Security Centre’s knowledge of the threat picture, which helps keep everyone more secure.”
Full release here.
Professor Nigel Phair, of University of New South Wales Institute for Cyber Security, told The Standard that Hastie’s comments were welcome as the majority of crimes went undisclosed.
“Only ten to 20% of all cyber crime matters are actually reported,” he said.
“If you look at the 62,000 figure from last year, you need to multiple that substantially.
“One of the issues is that most organisations wouldn’t know where to report to. If they go to the police, they might get past around. There’s friction at every step.
“A lot of businesses don’t even know that it has happened to them. If you can’t open a file, you might not know that is the result of a breach.”
Professor Phair said that making board directors personally responsible for cyber attacks would go some way to helping tackle the crime that is costing the economy an estimated $3.5billion a year.
Extra responsibilities for board directors at large firms, similar to workplace health and safety, are being considered as part of cyber-security reforms.
Brendan Read, lead partner of KordaMentha’s cyber team – former detective from the Queensland Police High Tech Crime Investigation Unit – who spoke to the FINSIA Podcast earlier this year, also highlighted how difficult was to get a true picture of the scale of the problem.
“It’s really hard to give an exact figure,” he said of the number of cyber crimes
“The reason for that is a lot of these incidents go unreported.
“Organisations are concerned about brand damage, and also not even aware that something has happened or to the extent of how their information has been exposed.
“The problem that we’re now facing is that it’s an uphill battle to keep up with it and we’re not going to see those numbers drop at all.”
Expanding on this in his own blog, he said: “In our experience, the cybercrimes that do come to light are considered the tip of the iceberg.
“Concerningly, numerous breaches go unreported to authorities and never end up in the public domain due to companies fearing reputational damage.
“Many organisations also lack the expertise to identify whether a data breach warrants reporting to the Office of the Australian Information Commissioner (OAIC).
“However, businesses that have appropriate response plans to cyber risks have an increased ability to reduce reputational and financial damage.
“It is also important for management to ensure that these plans are developed and tested against real world scenarios rather than waiting for the inevitable.”
Professor Phair suggested that some larger organisations would rather not disclose the fact there had been a breach because of the reputational damage it could cause.
“There are those at the bigger end of town who are going to pay someone to remedy the problem and pay a few hundred grand rather than risk customer damage.”
Hear more from Brendan Read on the topic of cyber crime on the FINSIA Podcast.
