Data breaches in Australia have led to increased cybersecurity investments
- 77% of respondents said their leadership’s awareness of cyberthreats had increased, and 70% were also seeing an increase in leadership’s willingness to invest in cybersecurity.
- However, only 27% of Australian tech leaders have well-defined and stringent incident response plans to face a variety of scenarios, and regularly exercise them.
Data breaches in Australia made headlines around the world in 2022, especially with a sudden spike in the number of companies affected. While Australian companies have been keeping data secure, the data breaches that occurred in the country led to the government taking a stricter view of such incidents.
In fact, according to data from Surfshark, data breach density in Australia was the highest in the world in the fourth quarter of 2022. Some of the biggest data breaches in Australia last year included the Optus data breach, in which about 9.8 million customers had their personal information compromised. The Medibank data breach also saw a few million customers affected, with cybercriminals dumping huge data files on the dark web.
Since the breaches occurred, the Australian parliament has approved a bill to amend the country’s privacy legislation. The bill significantly increases the maximum penalties for businesses that suffer data breaches in Australia. The penalty has now been set at AU$50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of a company’s adjusted turnover in the relevant period.
With the Australian government increasing fines, businesses in Australia are now looking to increase their cybersecurity spending as well. According to findings from research by Netskope on the fallout from major data breaches experienced by Australian organizations in 2022, there has been a marked shift in Australian IT professionals’ experience of their business leadership’s commitment to cybersecurity over the past three years.
When asked about their cybersecurity spending in the last three years, the majority of technology leaders (52%) admitted that their organization has not invested enough in cybersecurity, with nearly one in five (18%) believing that it was not a priority. Among small businesses, the problems are bigger, with 69% not investing enough in cybersecurity, according to the IT professionals within those businesses, and one in three (33%) asserting that it simply wasn’t a priority.
However, headline-grabbing Australian data loss incidents have acted as a catalyst for change. When asked how the events have influenced awareness among their organization’s leadership, more than three-quarters (77%) of respondents said their leadership’s awareness of cyberthreats had increased, and 70% were also seeing an increase in leadership’s willingness to invest in cybersecurity.
The share of organizations increasing their cybersecurity budgets has also jumped to 63% from 2022 to 2023, compared to just 45% between 2020 and 2022. The increase is most pronounced among larger organizations with more than 200 employees, where more than 80% are increasing cybersecurity budgets. 41% of smaller businesses (with 1-19 employees) have also reported a planned increase in cybersecurity spending between 2022 and 2023 (up from just 23% during the period 2020-2022).
For David Fairman, Chief Information Officer and Chief Security Officer for APAC at Netskope, the data breaches that occurred last year deeply impacted the Australian community, but it seems there are some positives to draw from those events.
“In the last decade, attitudinal gaps between technology and business leaders regarding cybersecurity have been a key factor slowing down cybersecurity improvements, and it seems that both teams are now – at last – on the same page, ready to bolster cyber defenses for their organization and customers. Even though no organization is ever fully protected from cyber threats, we need this united front to show cybercriminals that we won’t make it easy for them and Australia won’t be an easy target anymore,” said Fairman.
Despite an increase in cybersecurity budgets, the research shows that currently only 27% of Australian tech leaders have well-defined and stringent incident response plans to face a variety of scenarios, and regularly exercise them – a dangerously low percentage.
While awareness of cyber risks has certainly grown as a result of high-profile Australian data breaches, there is no consensus on how to handle an incident. Research participants were divided, with just half (51%) stating they’d be unlikely to pay if they were victims of ransomware. 17% of tech leaders also stated that a lack of prioritization of cybersecurity among leadership was the biggest obstacle to cybersecurity improvements.
Fairman pointed out that despite an increased willingness to make cybersecurity a priority, many organizations simply don’t have enough financial or human resources to bring their plans to fruition, especially in a challenging economic environment with ongoing geopolitical instability.
“As a country, we need to do what we can to accelerate the production of industry professionals and graduates, making use of both public and private initiatives. In the meantime, Australian businesses can immediately look to rationalize their cybersecurity investments, to deliver more for their money. They can’t look for one solution to every threat out there, and fortunately, there are advances in solutions that offer broader defenses across the digital environment, enabling consolidation and simplification of the cybersecurity technology stack, and bringing down the cost of operations and resources necessary to run them,” he concluded.