The real consequences of a data breach for Australian businesses in 2023
15/3/23, 9:00 am
National Portfolio Manager Security at NEC Australia, Connell Perera, says worn out scare tactics must make way for a nuanced approach to cyber security for Australian companies.
When it comes to the real consequences of a cyber security breach, financial, data and reputation loss are the cyber-crime trifecta. However, IT systems can be re-invested in, fines and penalties can be paid or negotiated, and even customers can be won back over time; reputation, on the other hand, is harder to repair.
How your organisation responds to a breach plays a key role in determining short-term and long-term impacts and whether your reputation is salvageable. A breach is not necessarily unforgivable; consumers and companies can accept it as part of modern business if your response meets their expectations and is communicated effectively.
Are customers voting with their feet? Initially yes, reacting to the fear of the unknown and the avalanche of media coverage when a data breach is detected and reported.
In the case of Medibank, policy numbers decreased by 14,000 in the first three months; however, Medibank has since recovered to a net loss of 200 policyholders, stating that “switching intent among consumers is back to the levels seen before the hack, as is sales conversion”.
Although customers are returning to consume these services, the subsequent class action against Medibank highlights that the real consequences of a data breach can extend to direct financial losses, additional re-investment in systems and compliance and even changes to the Privacy Act.
Higher penalties will alarm, but not necessarily drive down risk
After Australia’s high-profile cyber security incidents in late 2022, the Australian Government has started to introduce new legislation to strengthen data privacy, specifically increasing penalties for breaches.
Previously, penalties for serious or repeat offences were capped at $2.2 million, and companies struggled to justify investing in a cyber security program to avoid a penalty of that size.
New legislation will raise the maximum penalty to the highest of: $50 million; 30% of adjusted turnover; or three times the value of any benefit obtained through the misuse of data. It also gives the Australian Information Commissioner greater powers to resolve breaches and share information to help protect customers.
Increasing penalties will certainly serve as a warning bell to boards; however, it remains to be seen whether Australian businesses will respond by changing their security investment patterns, or whether it will still take a breach for them to re-evaluate their acceptable level of risk. The real focus needs to be on compliance.
The immediate costs of a breach from remediation to revenue
A data breach can quickly lead to significant costs and complexity that are far less predictable than paying a fine or penalty. In the immediate aftermath of a breach, your costs can include:
- remediation to limit the damage and downtime
- new security spend to reduce risk of repeat attack
- increased cyber insurance premiums
- loss of revenue through boycotts and customer churn
- share price declines
- losses from IP going public
Companies that are breached often experience ongoing financial repercussions. Highly regulated sectors like health incur half of their breach costs in years two and three after a data breach. Beyond the immediate costs, you may also take a hit on brand awareness, reputation, and trust.
These are much tougher impacts to quantify than fines or new spending. Despite some obligations to disclose data breach costs, businesses are unlikely to share their spending on crisis communications to limit and restore reputational damage.
The impacts can snowball if your brand and/or reputation is deemed by others to be an unacceptable risk, and can include:
- dissolution of existing partnerships
- class actions requiring legal and PR support
- cancellation of potential mergers and acquisitions
- lack of supply chain confidence
- difficulty recruiting and retaining staff
How will you respond to the real consequences?
Being equipped to respond to a breach promptly and appropriately demands buy-in beyond the IT department. There needs to be an ongoing commitment at the Board level to understand the risks and quantify the consequences of a breach from a whole-of-business perspective.
The cyber security attack surface for Australian companies has increased and become more complex. Securing your entire business should be your company’s focus; the security imperative shifts from 'secure assets and data at any cost' to 'identify and prioritise fixing our security gaps to protect our business'.
For example, consider a house as the equivalent of a business, where we need to make mortgage repayments and pay insurance premiums. If we have to choose, the mortgage gets paid first. Likewise, securing your business should trump securing an individual asset.
Why alarmist security conversations are cancelled
Customers are becoming acutely aware of and attuned to their cyber security risks, and are somewhat insensitive to the narrative around fear. MSSPs should look to frame cyber security discussions around organisational change management, from the Boardroom to the desktop.
Despite the ongoing risk, there is a broader acceptance that we can't cover all the bases all the time; the landscape is too advanced. So, claims that the sky is falling must be tempered with more nuance and custom solutions aligned with budget, risk and ROI profiles.
One step at a time to fit-for-purpose security
Companies that see the value of business protection over asset protection take iterative steps. Start by understanding your risk profile, then build up security credentials that are fit for purpose and aligned with your compliance needs.
Throwing money at security without focus won't protect you from the real impacts of a breach. Make a case for targeted, iterative cyber security investment that protects your business, not just your assets.