A picture taken on October 17, 2016 shows an employee walking behind a glass wall with machine coding symbols at the headquarters of Internet security giant Kaspersky in Moscow

‘Not the reality’: The $250k cyber risk facing businesses


Directors fearing a breach are rejecting Board appointments and they are not the only ones running scared.
Cyberattack word written in red agains a green computer text background
Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images

We probably remember to lock our windows and doors in our homes, but we are not so careful when it comes to our personal data.

Research from the Commonwealth Bank found 60% of Australians surveyed had personally been a victim of a scam, or knew someone who had.

Banks are putting in sophisticated systems and trying to raise customer awareness of the problem. But scammers are using increasingly convincing methods to defraud Australians. Heritage Bank CEO Peter Lock believes it is vital that people take proactive steps to assess their personal digital security and to reinforce it.

One of the reasons why customers need to do their part is because no business can keep your personal data 100% safe. Recent events in the past month at Optus and Medibank are just the well-publicised occurrences of data breaches and the incidence of scams and fraud continues to rise.

“Preparing for the inevitable is critically important.”

– Kris Lovejoy, Kyndryl

People need to take some responsibility for keeping personal data safe and ask better questions around what is being collected and held, says David Fairman, chief information officer and chief security officer APAC at Netskope.

“We often forgo privacy when we want something, but we expect security. It is not the reality. Any organisation could suffer a data breach,” says Fairman.

However, Luke Clifton, group executive at Macquarie Telecom, believes customers have been taken for granted as well as the protection of their data, and says, “Security is more than just a risk register; it must be central to the operating culture of an organisation.”

Even so, when companies invest in the technology, there is never a guarantee that it will prevent a data breach, but it might help with the management of the breach, says Fairman.

Change needed

Cyber security is often perceived as a cost centre, but that perception needs to change, says Jay Hira, director of Cyber Transformation, EY.

“Organisations should be viewing it as a value centre … an investment that fuels accelerated digital transformation and supports a smoother transition to trends such as remote working models and cloud adoption – offering both agility and scalability.”

What’s the price?

Independent consultancy SenateSHJ has done research into the financial and organisational impacts of crises and found an average share price drop of 22.5% at companies where there had been a cyber breach.

Business IT spend should be 5% of a company’s revenue and half of that should be spent on security to prevent cyber break, says Andrew Fluitsma, CEO of Honan Group, a risk and insurance advisory business. But in Australia, “we are nowhere near that”, he says.

“Ransomware is the big word for 2022,” says Fluitsma. “The occurrence is up 20% over the past 18 months, with the average ransom around $250,000 and the median around $75,000. If you are a medium-sized enterprise, and someone comes at you for a $250,000 ransom – and that doesn’t include the PR costs, the legal costs – the reality is it will cost a significant amount of money. If you are turning over $2 million or $3 million a year, that is going to have an impact on your business.”

What about cost to reputation?

Digital transformation has shifted the value of customer data, says Fairman, with consumers expecting a service to be delivered securely. “Customers trust the business to secure their data. If you lose that trust you can lose your customers,” Fairman says.

Martijn Verbree, National Cyber Lead, at KPMG Australia, notes that the size of your business won’t give you any special protection against an attack. “The average cybercriminal doesn’t discriminate between large and small organisations. Everyone’s a target initially.”

“Most common attacks aren’t highly sophisticated,” says Verbree. “The majority of attacks are still pretty basic, taking advantage of small errors, a lack of awareness and social engineering.

“When organisations spend more on cyber security, the chance of an attack will go down, but not to zero. The problem is the potential impact of a single successful attack, which is why executives and Board members are starting to ask the right questions.”

The broader impact

Research from the University of Queensland Business School found Board directors were not always sure about their duties and liability for cybersecurity, and often did not fully understand its importance.

“Considering that the responsibility to oversee cyber risk management in modern organisations lies with their Board of directors, an uplift of cyber-skills at the Board level is necessary,” says research lead Dr Ivano Bongiovanni.

Co-author of the study Megan Gale notes it is not just Boards of large companies that need to be better equipped in this area. “Boards of small to medium-sized organisations across all sectors in Australia, including not-for-profits and community-run organisations, need to be vigilant,” Gales says.

“We often forgo privacy when we want something, but we expect security. It is not the reality. Any organisation could suffer a data breach.”

– David Fairman, Netskope.

Fluitsma agrees and says in his discussions, cyber security and data breach are the top concerns for directors and officers, globally. “Previously, it has been reputational risk, supply chain risk. But cyber security and breach has jumped in front by an absolute mile. The costs associated with a data breach, the reputational and enterprise risk of a company are all going to suffer from a cyber attack because people are going to feel unsafe.

“Their directors and officers are going to be exposed. You will see class action and litigation. Directors on Boards sign directors’ deeds. They are responsible for running businesses. To join a Board, you have to trust the IT guys and trust that the safety framework is iron-clad.

“Businesses need to take it seriously and spend the money. These are operational overheads that are required to be sustainable. Businesses can effectively shut down because of a data breach,” Fluitsma says.

Kris Lovejoy, global security and resilience leader at Kyndryl, has served as a member of the World Economic Forum’s Cybersecurity Committee, and stresses that “Boards need to reimagine their risk management strategy”.

“Leadership must evaluate the opportunity to create a ‘cyber resilience’ function which integrates security and recovery. The focus then shifts to the ability to anticipate, protect against, withstand, and recover from adverse conditions, stresses, attacks, and compromises of cyber-enabled business. Preparing for the inevitable is critically important.”