If you're an Australian business reading this, there's a 30% chance you will suffer a data breach.
Such cutthroat statistics, as uncomfortable as they are to read, are important to be aware of if you want to avoid becoming one of them.
To help you achieve a data-driven approach to cybersecurity, we've aggregated some of the most critical data breach stats for Australian businesses. This list also includes global data breach statistics that could be a window into how Australia's threat landscape will evolve.
What is the Average Cost of a Data Breach in Australia?
The average cost of a data breach in Australia is $3.35 million per breach, an increase of 9.8% year on year. This amount is about $2 million less than the global average of $5.39 million (about US$ 3.86 million) in 2020.
This average amount will increase next year with Australia introducing tougher data breach penalties in response to the devastation of the Optus breach. This legislation plans to increase the penalty for serious or repeated data privacy breaches to $50 million, or 30% of a company’s adjusted turnover in the relevant period, whichever is greater - a significant increase from the former penalty amount of $2.22 million.
The graph below demonstrates the fluctuations of the global average between 2015 and 2020.
The financial repercussions of a data breach have been found to last several years. For highly regulated industries, such as healthcare and financial services, 53% of data breach costs were incurred during the second and third years following a data breach event.
Between 2014 and 2020, the average total data breach cost increased by 10%. This steep trend is likely caused by an increase in both the sophistication and volume of cyberattacks. There are other factors contributing to data breach cost; these are discussed further along in this article.
According to the Cost of a Data Breach Report 2020 by IBM and the Ponemon Institute, Australia was ranked 13th out of 18 countries sorted by total data breach cost.
Though the security posture of the average Australian business is far from perfect, the country's data breach cost is significantly lower than the global average. This demonstrates promising cyber threat resilience potential that should be leveraged with a cybersecurity strategy.
Globally, the average data breach cost has risen across the energy, healthcare, and retail sectors.
Data breaches involving the compromise of over 50 million records cost an average of US $392 million. Such mega-breaches happen a lot more often than you might think.
Why Do Data Breaches Cost So Much?
Regulatory fines contribute the most to data breach costs. As an example, the University of Texas cancer center suffered a data breach compromising the personal information of 33,500 patients.
The medical center did not encrypt its patient data, and therefore, did not comply with the Health Insurance Portability and Accountability Act, which resulted in a $4.3 million fine.
Other factors include legal costs and the cost of hiring security experts to remediate data breach damage.
There are also indirect costs such as customer churn when customers dissociate themselves from compromised vendors to prevent reputational damage.
Costs linked to customer turnover after a breach rose from $1.42 million in 2019 to $1.52 million in 2020.
Stock prices could also plummet, especially if credit card data is compromised in a breach.
Slow response time will further add to data breach costs. So a strategy for reducing data breach costs is to simply respond to data breaches faster.
Victims that respond to data breaches in under 200 days spend an average of $1.1 million less on data breach damages.
Complying with cybercriminal demands could also hike up data breach costs. According to the State of Ransomware 2020 report by Sophos, ransomware attack remediation efforts on average cost US$732,500 when a ransom is not paid, and US$1,448,458 when a ransom is paid. That's double the cost of not paying a ransom.
This startling statistic supports the FBI's strong recommendation of not paying cybercrime ransoms.
Average Data Breach Response Time for Australian Businesses
According to the 2021 Verizon Data Breach Investigations Report, a hacker can exfiltrate an entire customer database in a matter of hours. On average, it takes 200 days for Australian organisations to identify a data breach - that's over 6 months.
This means, on average, cybercriminals exfiltrate a victim's entire database and then keep monitoring internal activity for half a year before their presence is finally discovered.
This demonstrates a concerning lack of attack surface transparency amongst Australian businesses. Such organizations definitely don't stand a chance against complex breaches involving access log obfuscation tactics to avoid detection.
Many poorly secured organizations have already suffered a data breach by such highly sophisticated threat actors and never detected it.
"The more time an attacker has within an environment the more access they can get to different devices, different pieces of data, different accounts."
- Wendi Whitmore, director of X-Force Threat Intelligence at IBM
The data breaches that are detected are usually discovered through the following channels:
- Breach statements from compromised third-parties
- Notifications from monitoring services
- Dark web victory posts by threat actors responsible for the attack
Most Common Types of Data Breaches
Customer Personally Identifiable Information (PII) is the most commonly compromised type of data, and the average cost per record of customer PII is $175.
Customer data is such a popular target because it usually includes financial information, or at least a portion of it that could be enough for a skilled hacker to uncover the rest.
Customer PII can also offer compounding financial returns for cybercriminals who target each customer with phishing attacks, and then the new victims discovered in each attack campaign.
Are Cyberattacks On The Rise?
2020 was a particularly disastrous year for cybersecurity as cybercriminals capitalized on a world distracted by the shock of a pandemic.
The trends below demonstrate the surge in cyberattacks between 2019 and 2020.
Cyberattack data for 2021 is still being harvested, but so far, here's a summary of the findings:
- Publicly reported U.S. data compromises increased by 12% between Q4 2020 and Q1 2021.
- The number of individuals impacted by data breaches increased by 564% between Q4 2020 (8 million) and Q1 2021 (51 million).
- Compared to 2019, malware attacks increased by 358%, and ransomware attacks increased by 435%.
- Google recognized over 2 million phishing sites as of January 2021.
Because cyberattacks are on the rise, the probability of businesses suffering a data breach is increasing.
Are Cyberattacks in Australia On the Rise?
Since the Australian parliament introduced the Notifiable Data Breach (NDB) scheme in 2018, data breach reports have risen by a shocking 712%.
According to the Australian Cyber Security Centre (ACSC), on average, 164 cybercrime reports are made in Australia every day - that's about 1 report every 10 minutes.
Between 1 April 2018 and 31 March 2019 the Office of the Australian Information Commissioner (OAIC) received almost 1000 data breach notifications.
In comparison, between July 1, 2019, and June 30, 2020, the ACSC received almost 60,000 cyberattack reports and responded to almost 2,300 cyberattack incidents.
Michele Bullock, Assistant Governor for the Royal Bank of Australia, says that cyberattacks targeting Australian financial systems are on the rise, and they're getting increasingly sophisticated.
"Cyber-attacks are becoming more organised and sophisticated."
- Michele Bullock, Assistant Governor for the Royal Bank of Australia
Fraud attacks, such as phishing campaigns, are one of the most common types of cyberattacks in Australia, but ransomware attacks are following close behind.
"This year we've seen ransomware attacks on reasonably large businesses, as well as small businesses, which can cripple a business while they try and work out how to keep their businesses going,"
- Abigail Bradshaw, Head of the ACSC
Between 1 April 2018 and 31 March 2019, the healthcare sector reported the highest number of data breaches to the OAIC, followed by finance, legal, education, and personal services.
Do Australian Businesses Need to Report Data Breaches?
In 2018, the Australian government mandated the Notifiable Data Breach (NDB) scheme which requires all business entities with an annual turnover of more than $3 million to report data breach events to both impacted individuals and the OAIC.
NDB scheme compliance is also mandatory for the following entities:
- Health service providers
- Credit reporting bodies
- Credit providers that process credit eligibility information
- Tax File Number (TFN) recipients
- All entities regulated under the Privacy Act 1988
Failure to comply with the NDB scheme breaches the Privacy Act, which could result in enforcement action.
How to Protect Your Business Against Data Breaches
Data breach prevention controls spare your business the devastating financial impacts of data breaches, and the financial benefits compound if the right data protection strategies are implemented.
The Australian Signals Directorate (ASD) recommends all Australian businesses implement the Essential Eight framework to raise their baseline of cybersecurity. But this is only a minimum security best practice. In addition to it, security solutions should be implemented to further reduce the chances of a data breach.
Your choice of solutions should depend upon the findings of reputable studies. Let's summarise some of the key findings of such studies:
- According to a study by the Ponemon Institute, some of the most profitable cybersecurity investments include an incident response plan and security posture strengthening solutions.
- IBM found that cybersecurity automation solutions, powered by Machine Learning and Artificial Intelligence, help organizations respond over 27% faster to data breach events.
- The OAIC discovered that 38% of all data breach notifications received via the NDB scheme were caused by human error.
- The most common type of compromised data is customer Personally Identifiable Information (PII).
- The most common type of cyber threat is phishing.
- In Australia, the healthcare and finance sectors suffer the highest number of cyber attacks.
The problem of human error acting as a prominent attack vector can be readily solved with education. Staff need to be taught how to identify common cyber threats and how to correctly respond to them.
Each of the following items links to an article that can be used for cyber threat awareness training in the workplace:
- What is a cyber threat?
- What is a data breach?
- What is social engineering?
- What are v attacks?
- What is clickjacking?
- What is typosquatting?
- What is a DDoS attack?
- What is Ransomware-as-a-Service (RaaS)?
The most critical attack vector that needs to be addressed is phishing, since almost all data breaches begin with a phishing attack. With the support of ChatGPT, you can implement your own in-house phishing resilience program.
Data Breach Protection with UpGuard
UpGuard helps Australian businesses protect their sensitive data by addressing the critical attack vectors that facilitate data breaches. This effort includes third-party attack vectors like data leaks, security vulnerabilities, software misconfigurations, zero-day exploits and more.
In addition to continuous attack surface monitoring for discovering emerging threats, UpGuard also offers a library of customizable security questionnaires mapping to popular regulations and frameworks, including the Essential Eight.
Watch the video below to learn how UpGuard streamlines Attack Surface Management to reduce data breach risks.