When it comes to business cyber risk, laid-back Aussies aren't equipped with the most defensive mindset, says Fergus Brooks, national practice leader of cyber risk at Aon Risk Solutions.
“Australians think ‘We’ll be alright, we haven’t been hacked and it won’t happen any time soon’,” says Brooks, who spent 20 years in the IT sector before moving to the global insurance-broking firm.
The irony is, however, that many who believe she'll be right could already be compromised, as the average time it takes to detect a data breach is 210 days.
Another trap Aussie professional services fall into is thinking they’re too small a target for cyber criminals to bother.
Yet research shows businesses with 10,000 records have approximately a 26 per cent chance of experiencing a data breach over two years, while companies with over 100,000 records have a probability of less than one per cent.
“Large companies tend to have intrusion detection systems. Criminals don’t tend to go after someone who's actually watching. That makes SMEs an easier target,” Brooks says.
“Plus, criminals don't discriminate – they don't care if you’re a psychiatrist with just 50 people's health records. If they can sell them on the dark market for $200 a pop, it's worth it.”
Australia's increasing reliance on networks, cloud technology and computing systems is only further exposing organisations to cyber-crime.
“We've really seen organised crime take the bull by the horns in terms of monetising their crime,” Brooks explains.
The big scores are credit card details and health records, he notes, but any business connected to the internet is a target. For example, hackers can seize control of your system and records, only releasing them if you cough up a $10,000 ransom within 72 hours. Or they may never release them at all: it's new-age Russian roulette.
Another trend shaking up the IT security world is the Internet of Things (IoT), an interconnected system incorporating everything from a smart watch, to an industrial control system for a power plant, to a driverless car.
“Devices have become so ubiquitous. We each have three or four internet-connected devices, and the only unhackable device is one that isn't connected to the internet,” Brooks notes.
Then there's the cloud. One misguided line Brooks often hears from SMEs is “our stuff is in the cloud, so we'll be ok”.
“I always tell them ‘no, you can't be completely secure. Because if you were, you’d be better than the FBI, Google and IBM – all of which have been hacked’,” he explains.
Social media, combined with heightened media attention to breaches, means your business reputation has never been more exposed. In fact, businesses that lose confidential information to hackers suffer about an .
“If you’re a trusted adviser, as professional service firms are to their customers, there’s going to be an element of breach of trust,” says Brooks.
Then there are also potential costs for business interruption, customer notification, lawyers, public relations experts, credit card monitoring services, fines and penalties from the privacy commissioner, and soon a mandatory breach notification.
While Aon’s shows that 59 per cent of large corporates that suffer a cyber attack lose between $1 million and $100m in business interruption expenses alone, the consequences for your average Australian SME aren’t particularly palatable either.
For example, Brooks says the notorious ransomware trojan CryptoLocker, which is propagated via infected email attachments, usually costs an Australian SME about $20,000 - not an amount to be sneezed at when it could be covered with an insurance premium of about $1000.
Whether you’re in the ASX 500, or a plain old mum and dad operation selling knitwear patterns online, it's important to have a cyber incident response plan ready to go - even if you don’t take out cyber insurance coverage.
“It only has to be a one-page document that you and your staff can refer to if you find out you've lost valuable customer information, or have an extortion attempt,” Brooks says.
The beauty of a good cyber crime insurance policy, adds Brooks, is it includes an incident response team that moves in quickly to contain the damage.
“There's a number to call and all of a sudden you've got people there to help you - lawyers, credit monitoring services, etc - so you're not running around making mistakes,” he says.
The other crucial element of a cyber insurance policy is third party coverage.
“That includes fines, penalties, notification costs, as well as the cost of business interruption,” says Brooks.
“Those are the two key components of a good cyber policy. Traditionally we would have said get a decent firewall and put in anti-virus. But everyone knows that now.”
Regardless of whether it's feasible for your business to take out cyber insurance, Brooks says it's important to at least consider the financial implications a breach would have on your business, as well as ways to deter attacks and minimise damage.
“I'm completely biased, but I've seen some pretty crippling incidents. I've also seen some pretty bad IT infrastructure that's just dying to be compromised,” he says.
“Something will happen at some stage, it's just a matter of how severe and how well you handle it.”
The articles represent the views of the authors and not necessarily that of the Bank. You should seek independent professional advice before acting on any matters set out in the articles.
This article was originally published on Westpac's Business Focus on February 9.
By Peter King
Acting Chief Executive Officer, Westpac