Cyberattacks a matter of ‘when’ not ‘if’ as experts say Australian business has always been a target

The last four weeks have seen a string of high-profile data breaches and hacks. Attacks on Optus, Medibank, Woolworths, Vinomofo and more have resulted in the personal details of millions of Australians being threatened, exposed and in some cases allegedly sold off.

But while it may seem that Australia is suddenly a hot target for bad actors, cyber experts disagree, saying that attacks happen all the time and businesses need to prepare for them.

Troy Hunt is the founder of Have I Been Pwned — a site that checks whether personal data has been compromised by data breaches. He says that the recent ‘spotlight’ on Australian companies is coincidental.

“There’s no evidence of anything concerted — it’s not like Australia is under attack. But that probably doesn’t fit the narrative some people are trying to build.” Hunt said in a phone call with SmartCompany.

Hunt makes the point that the majority of the recent data breaches haven’t been particularly sophisticated.

“Obviously it kicked off with Optus. I suspect the AFP has found the person who was involved in that. [The breach] was very trivial — it was almost certainly a child or a very young adult. It’s easy to explain that one,” Hunt said.

“Then Vinomofo and MyDeal are just very garden variety, everyday data breach stuff. Medibank’s a little bit more interesting because that is in a heavily regulated industry. There are usually a lot more controls. There’s always very sensitive personally identifiable information there and medical data. That one I find more fascinating but there’s nothing to tie them all together other than the period of time in which they’ve occurred.”

While we may be paying more attention to data breaches this month, large-scale attacks on Australian companies are nothing new. The Australian Red Cross had the data of 1.3 million donors leaked back in 2016. In 2018, ANU saw a breach that saw the data of 200,000 students going back 19 years accessed, including names, addresses, tax file numbers, bank account details, dates of birth and more. Service NSW staff were phished in 2020, resulting in the data of 104,000 people being accessed due to a lack of two-factor authentication on the system.

And one of the largest hacks in Australian history happened in 2019 when the personal details of 137 million Canva users were stolen. This included names, email addresses, passwords and partial payment data.

This isn’t a fresh problem for Australian businesses, but it is an ongoing one. And according to Ajay Unni, founder of cybersecurity company StickmanCyber, businesses need to be vigilant.

“It’s not an ‘if, it’s a ‘when’, right? [You] could be the next in line, you never know.

“Just because it’s not in the news, doesn’t mean it’s not an issue. You need to start preparing yourselves.”

As businesses become more connected, cyberattacks are easier

While the plethora of recent attacks may not actually be unique, cyberattacks are certainly on the rise.

During The Tax Summit 2022, ATO second commissioner Jeremy Hirschhorn said there are 3 million attempted hacks of the ATO’s system every month.

“In the time it takes me to make this speech, there will be 4,000 attempted hacks on the ATO’s system,” he said.

And according to the AICD managing director, Mark Rigotti, a cyber attack hits an Australian company every eight minutes. This has resulted in over $33 billion in losses over the past year.

And a large contributing factor is interconnectivity.

This means that businesses have to be wary not only of their own cybersecurity practices, but also of those they partner with. The more platforms you share data with, the more points of potential failure you’re creating.

The use of third-party platforms is what contributed to the recent MyDeal and Telstra data breaches. Similarly, back in 2020, Ticketmaster was compromised due to a third-party chatbot it utilised on its site.

“When you delegate some of the control and the risk to third parties you end up with this massive hybrid of on-premise stuff, custom code and stuff, your own products, external services. You just create a landscape where sooner or later something’s going go wrong,” Hunt said.

“There is a saying when you work in security that you have to get it right every single time. The attacker only has to get it right once.”

What needs to be done — IT is not the same as cybersecurity

When it comes to cybersecurity in Australia, the experts agree that the bar needs to be raised by both businesses and the government.

Oftentimes it’s not that difficult for bad actors to get access to personal data. Many of these attacks aren’t particularly sophisticated or by instigated by a hostile state. They’re often by people with enough know-how to be aware of how interconnected and lax some businesses can be and will find the quickest way to access it to make a quick buck.

At a business level, experts should be employed to ensure that practices are up to scratch and that customer data is safe.

“Cyber is not IT security. It’s one step above,” Ajay Unni said.

“That’s where the confusion is. I deal with small, medium and large businesses and they’re often thinking ‘my IT guy will do my cyber’ but they’re just doing their antivirus and the firewalls. Hackers are able to get across all that.”

“That’s where companies like us come into play to do verification, validation, and testing. You should measure the cyber knowledge and activity within the business and have stronger policies and procedures. That is why you need a separate entity or a team for cybersecurity, like how you have a marketing and sales team separate or finance and accounting.”

There is also a call within the cybersecurity community for more support and education for businesses from the government, as well as regulation and penalties being handed down to companies that mishandle data.

Ajay Unni believes that foundational cyber security should be required when a business is created, similar to codes of conduct, director duties and financials.

“It’s not about beating businesses up and making it difficult. [Governments] need to make it easy for them to access cyber services.”

Troy Hunt also brings up requirements around how long data is held by companies.

“Optus was a really good example where here I would love to see less data retention.

“I’d also like to see improvements around things like identity verification. It’s crazy that if you have a few numbers, like a driver’s licence and a passport number that it can cause really big problems.

“Other regulatory controls as well. Our notifiable data breach scheme in Australia is extraordinarily weak compared to Europe in particular. And we’d really like to see more penalties levelled at organisations. Optus and Medibank are going to pay for this dearly through bad press and incident response costs, and lawyers and PR companies. But we might not actually see much in terms of a regulatory penalty.”