Cyber-Attacks: How exposed are Australian businesses?

In 2019, the World Economic Forum’s ‘Regional Risks of Doing Business’ report named cyber-attacks as the second biggest risk of doing business in Australia, behind “energy price shock”. In all highly developed economies like our own, the perceived risk was the second priority or higher, and coming in at number one in the US, UK and Germany. That places it above financial crises, natural disasters, asset bubbles, unemployment, conflict, fraud, climate change – in short, everything that is usually prioritised when assessing economic futures. It’s estimated that in 2018 cybercrime wiped half a trillion dollars from the global economy – more than the $300 billion caused by natural disasters.

In order to understand the risks to Australian businesses, we need to consider the changing face of these attacks, and that of cybersecurity.

What is Cybercrime?

Cybercrime is a broad-reaching umbrella term for the infiltration of IT systems in order to extort money or power. This can be on a micro level, such as stealing an individual’s information from a personal computer, up to a national level, where a country’s power grid, financial systems, and classified information might be hacked and controlled by external forces. The idea of cybercrime is so unsettling because it’s still largely unfamiliar to us. Despite the existence of a hundred Hollywood renderings of stolen missile codes and World War III, we’re yet to see just how damaging such an attack could be.

Cyberwarfare entered the news last week following the US assassination of Iranian military commander Qassem Soleimani, when experts warned cyber-retaliation may be imminent. State and federal departments at government agencies across America were put on guard, and officials warned that in this new age of online warfare, when world powers collide, businesses are at risk of becoming collateral damage.

What does it mean for everyday businesses?

Let’s step back from the geo-political implications for a moment. Falling short of a major terrorist event, what does the threat of cybercrime mean for everyday businesses?

The internet has been around for decades now, and for as long as it has existed, people have exploited it for illicit financial gain. In the early days of the internet, cybercrime looked like the style of attacks with which we are all familiar – phishing schemes that steal your passwords and credit card details, and Nigerian princes begging for a short-term loan. Cybersecurity has progressed in the intervening years and is now pretty good at preventing these kinds of viruses and hacks (though they unfortunately cannot protect against human stupidity). However, as security has progressed, so have the hackers.

In the contemporary online environment, a new type of cyber attack is becoming increasingly popular; cyber extortion.

Instead of hacking highly secure financial information, cyber criminals are now hacking into other aspects of our increasingly online lives and businesses and holding them ransom to extort money. This may look like a breach in private customer data, withholding access to essential online files, or interference with electricity, phones, internet service, or other elements that are necessary to the smooth operation of the business. Smart homes, driverless cars, and autopiloted aircraft are just some of new technologies that have emerged in recent years presenting new, terrifying targets for attackers.

One highly publicised attack on a private business was the 2015 hack of extra-marital dating website Ashley Madison, in which account information for the sites millions of users was publicly leaked. The website, which has the controversial tagline, “Life is short. Have an affair,” is built on the promise that users can operate in anonymity and secrecy, and this hack seriously dented the reputation it relies on to do business. The owners of the site have since settled two dozen lawsuits totalling over US$11 million resulting from the breach.

In Australia, we’ve seen significant data breaches that threaten businesses for some time. In 2012, a Romanian syndicate infiltrated the records of over 100 small Australian businesses, stealing credit card details from some 30,000 customers, which were used in illegal purchases totalling $30 million. In this case the money was reimbursed by Australian financial institutions, but it is the kind of data breach that can expose small businesses to significant litigation. Beyond financial costs, a security breach of this kind threatens a business’ professional reputation, to both its customers and affiliates. If a business can’t protect its own data, it’s a risk to the data of everyone they work with.

Cybercrime Insurance

Cybercrime is currently costing our economy up to $4.5 billion per year, yet it remains highly uninsured. Only an estimated 46% of worldwide businesses have any form of cyber-insurance. In Australia, as many as 30% of businesses have already faced some form of cyber-attack, yet there seems to be a pervasive attitude from businesses that it won’t happen to them.

In the US, businesses spent only the amount of $4 billion on cybersecurity insurance premiums in 2018, as compared to the amount of $180 billion paid on property coverage. Even this small amount was mostly spent by big business, suggesting small businesses are the most at risk.

Cybercrime coverage can cost around $3000 a year for medium sized businesses, though if a business has already suffered an attack it can lead to increase in premiums. Improved cybersecurity should be embraced along with insurance coverage, an expenditure that should quickly pay for itself.

There are multiple steps you can take to improve your own business’ cybersecurity, as follows:

1. Staff education on best practices for safe internet and email usage.
2. Maintain password hygiene – regularly update passwords, never use the same password twice, embrace multi-factor verification. The vast majority of data breaches occur due to weak passwords.
3. Outsource professional security software.

Moving forward

Australia is currently at the beginning of a fintech (financial technology) boom. Many of the best performers on the ASX currently in that field, and a new wave of digital banks like Volt and Xinja have started entering the tightly regulating deposit-taking industry. Cyber threats have the capacity to make or break the industry.