What cyber security lessons can Australian businesses learn from the multiple recent data breaches?

Every now and again, we hear the news of a major data breach that reignites the cyber security conversation and renews worries about our personal privacy. This year, Optus was the unlucky company that suffered a major breach and kicked off serious media attention – and were quickly followed by Medibank, Woolworths and Energy Australia, who all suffered similar (albeit slightly smaller) data breaches.

In case you’ve missed the news (or more likely, seen too many reports that the details have all blurred), here’s a quick overview of the situation:

• Optus experienced a cyber-attack and subsequent data breach (the cause of which has not yet been publicly identified), in which the personal data of up to 9.8 million current and former Optus customers was compromised – with approximately 2.8 million severely impacted. This data included full names, dates of birth, Medicare numbers, passport numbers, email addresses, bank details and more.
• Medicare experienced a “digital break-in” that saw a large amount of customer data stolen, including names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data. The hackers claim to also have credit card information, but this has not been verified. It is not yet clear how many of Medibank’s 4 million customers have been affected.
• Woolworths website My Deal was targeted by cyber hackers, with the data of 2.2 million customers being exposed. The information accessed includes customer names, email addresses, phone numbers, delivery addresses, and in some instances, and dates of birth.
• Energy Australia announced that over 300 of their residential and small business customers have had their accounts hacked, though there is no proof as yet that any data has been transferred to an external platform.

A formal external investigation has been announced to determine the cause of the Optus breach and how other incidents can be prevented in the future, while internal investigations are being carried out at the other companies mentioned. The Australian government has also announced that they plan to increase fines for companies who fail to protect customer data, from $2 million to $50 million.

Not only has it got individuals worried about their personal data, but it’s also ignited concern in businesses – if a company like these can’t prevent cyber-attacks, then could I be next?

Some tips for those who have been impacted

First things first, some advice if you’re an Optus, Medibank, or Woolworths My Deal customer and think (or know) you have been impacted by this breach. Make sure you:

• Monitor all your accounts and devices for any unusual activity
• Ensure you’ve installed the latest security updates
• Change your passwords and enable 2 Factor Authentication (2FA)

If you’re a business that’s an Optus or Energy Australia customer, you’ll want to talk to your IT team or provider to ensure your details have been secured. If your business details have been compromised, that could put your customers in jeopardy. Business details can be used to scam customers out of their personal information – starting a long trail of destruction.

Did you know? Cyber-attacks happen all the time

While these events can seem few and far between, they are actually very common – we just don’t always hear about them.

Cyber-attacks and data breaches happen every single day to businesses of all types and sizes. There were 464 reported data breaches in Australia in the second half of 2021 alone. From these, 55% were caused by malicious attacks and 41% by human error. This goes to show that simple or one-dimensional cyber security approaches aren’t enough to protect businesses.

It’s also getting more expensive to deal with a breach, with the average cost of a data break in Australia climbing 9.8% year on year and currently sitting at $3.35 million per breach.

And while major businesses like Optus might yield a hacker higher volume, more valuable data, smaller businesses are just as likely to be targeted. Fewer security measures and less attention can make them much easier to take advantage of.

Four ways to boost your cyber resilience

Obviously, the aim is to stop these incidents from happening. No one wants or deserves to go through this. Unfortunately, cyber-attacks are never 100% preventable – no matter how good your security is. The good news is there are several ways that you can strengthen your cyber defences and incident response so you’re less likely to fall victim. And, if you do, it will be easier, faster, and cheaper to recover.

1. The Essential 8 is just the baseline

Essential 8 cyber security are the core strategies that the Australian Cyber Security Centre (ACSC) believe help mitigate against 80-85% of all threats and recommend that all businesses and individuals adopt to ensure an adequate level of cyber protection. However, it does not offer a wide and varied protection – it is the base level of cyber security that businesses should use as a platform to layer on top of.

2. Security should match businesses maturity

Security should be customised to you. The best doesn’t look the same for everyone and a bigger investment isn’t always the best way to keep your business and customers safe. The level and sort of security measures you require will depend on the industry you’re in, the data you store, how you operate, and many more factors.

3. Recovery and backup are part of cyber security

A plan to recover from a cyber-attack might sound like you’re giving in before the fight has started. But having a clear disaster recovery plan in place and setting up appropriate data back up and retrieval is adding another level of protection. In the case something does happen, the entire business will know what to do and how to handle it – and be able to get back to operating as usual much quicker.

4. Don’t overlook training

As you saw before, 41% of recently reported attacks were due to human error. This can mean sending details to the wrong person, clicking on malicious links or files in emails, or poor password management. It’s rarely on purpose, but it can lead to data being stolen and used before you even realise you’ve been compromised. Thorough and regular security training can ensure understanding and best practices amongst staff and significantly reduce the chance of a breach occurring from human error.

What have we learnt and what can we do next?

We all hope there’s not another breach like the one that these companies experienced. But as cyber attackers and attacks become smarter and more complex, it’s more than likely we will continue to see breaches like this happen.

• Cyber-attacks are common and can happen to anyone

Optus, Medibank Woolworths and Energy Australia are some of the biggest companies in the country. This made them a valuable target, but also should have made them much harder to breach. When dealing with data – especially customer data – fit-for-purpose cyber security is essential.

• It’s not about how much you spend, but what you spend it on

There’s no one-size-fits-all (or one-price-protects-all) when it comes to cyber security. It’s something that you should spend time and attention on and ensure it’s right for your business data and operations.

• You can never be 100% protected

The response after a breach is just as important as the security put in to prevent it. Customers (and employees, for that matter) need to know what to expect and that you’re in control.

Of course, this is easier said than done – especially for small and mid-sized businesses who don’t have the budget or people power to dedicate themselves to ‘perfect’ cyber security. As needs and complexity rise, a single IT resource (or a small team) can struggle to keep on top of all the needs.

Having an IT partner focused on cyber security and protecting your business, can negate these challenges and ensure that you always have the people power and expertise you need, no matter how or when your security needs change. Virtual IT Group is one of Australia’s premier Managed Services Providers, and we provide an extensive range of cyber security services (including Managed Security as a Service, Security Awareness Training, Business Continuity as a Service, Data Protection and more), proactive security management, and 24/7 support.

If you would like help reviewing and improving your current cyber security measures, you can contact our friendly team to find out how we can assist.