Managing cyber security risks for Australian businesses
- Proposed changes to Australia’s Privacy Act will require businesses to make adjustments to the way they collect, retain and dispose of sensitive personal information.
- Businesses require robust risk management strategies to mitigate cyber security risks, with particular focus on IT security, education, and continuity planning.
- Technological advancements, particularly AI, bring with them a range of new and emerging cyber threats for businesses to be aware of.
The financial, organisational, and reputational impacts of a cyberattack can be significant. While awareness is growing, many organisations still underestimate the broad impact of these effects.
Australian Government figures show that in 2022 to 2023 the average cost of a cybercrime event to a large business was $71,600, a 14% increase on the previous 12 months. The most common types of cybercrime reported by businesses were email compromise, business email compromise (BEC) fraud, and online banking fraud [1].
As cyber risks continue to evolve, it’s essential for businesses and their employees to stay up to date with emerging threats and legislation requirements.
Understanding Australia’s changing privacy requirements
Proposed changes to the Privacy Act 1988, introduced to Parliament in September by the Federal Government, indicate that businesses will need to meet more robust data security, retention and disposal obligations, among other requirements [2].
“The proposed changes to the Privacy Act set the foundations for future amendments to come. The Bill as currently introduced aims to strengthen privacy protections for Australian citizens (with criminal sanctions for doxing, automated decision-making transparency, and a Children’s Privacy Code), create a tort for the serious invasion of privacy (which could impact any business), as well as reshape the penalty provisions available to the OAIC,” said Ben Richardson, Cyber Product Lead, QBE Australia Pacific.
“These proposed changes, and the upcoming future amendments that were agreed in principle in 2023, come with an increased regulatory risk for businesses and will require forward planning and strong attention to detail around culture and governance.”
These changes aren’t surprising, with a 2023 survey by the Office of the Australian Information Commissioner (OAIC) revealing:
- 84% of Australians want more controls and choice over the collection and use of their information
- 74% said data breaches were one of the biggest privacy risks they face today
- 89% wanted the government to provide more legislation in this area [3].
Managing cyber security risks
Beyond governance and compliance, businesses must proactively manage known and emerging cyber threats. Here are a few key areas businesses can focus on:
General IT security
Businesses should ensure they have the fundamentals of IT security in place. One of the most crucial steps is enabling multi-factor authentication (MFA) across all remote access to networks and email. MFA adds an extra layer of security by requiring a second form of verification beyond a password, so a stolen or guessed password on its own is not enough for an unauthorised user to gain access to your network.
Strong patching policies that keep all critical systems and software up to date also reduce the risk of cyber-attack, as software updates often fix publicly disclosed security vulnerabilities that attackers actively exploit. Similarly, maintaining robust anti-virus and anti-malware programs can help protect against a variety of cyber threats by detecting and neutralising malicious software before it can cause harm.
Another important consideration is user access management. As a general rule, businesses should implement the principle of least privilege: granting employees only the access necessary for their roles, and ensuring domain administrator accounts are restricted in number and safeguarded with extra controls as far as possible.
“Businesses should limit and segregate access as much as possible, so if a specific credential does get breached, the impact is contained with less risk of sideways movement or data exfiltration from within the network,” said Richardson.
Employees and culture
Cyber security is an ongoing effort, not a one-time task. Cultivating a culture of cyber security is crucial for risk mitigation - extending beyond the IT department to every employee.
Regular training programs are essential to help employees understand, recognise and report suspicious activity. Phishing simulations give employees a chance to practise identifying and reporting cyber risks, while also providing valuable insight into areas where further training may be required.
Tabletop exercises are another great way to simulate cyber events in a contained environment, and further stress test the established continuity plans and crisis communication channels within the organisation.
Collection and management of personal data
Many cyber attacks target personal data, making it essential to manage sensitive information compliantly and sensibly. Under the Australian Privacy Principles (APPs), businesses are obliged to take reasonable steps to implement practices, procedures and systems that ensure compliance when handling personal information.
A key obligation under one of these principles (APP 11) is for businesses to take reasonable steps to destroy or de-identify personal information they hold, unless:
- the information is still needed for a purpose for which it may be used or disclosed by the entity under the APPs
- the information is contained in a Commonwealth record
- the entity is required by Australian law, or a court/tribunal order, to retain the information [4].
In addition to these obligations, businesses should only collect personal information that is reasonably necessary, as well as regularly review and update data retention policies to ensure they are current and in line with legal requirements.
Business continuity
Having clearly defined processes and response plans can protect your data, reputation, and revenue, and ensure a swift recovery when needed.
Ransomware, phishing, and IT system outages are among the very real, daily threats for businesses. It’s important to have strategies in place in advance to manage these threats and ensure the business can continue trading during a crisis.
“Businesses should back up their data regularly so if they suffer a ransomware attack, they can restore most of their data promptly and minimise the lasting impact of the attack. It’s important to regularly review that these backups are uploading correctly, are stored offline at a secondary site, are encrypted with restricted access, and the recoverability of the back-up is tested regularly,” said Richardson.
“Most importantly from a resilience perspective, businesses should make sure they have detailed disaster recovery, business continuity, and incident response plans for a wide variety of threat scenarios.
“These plans outline clear actions and communication channels in the event of a cyber breach, as well as establishing back-up contingencies which can be switched on to ensure continued operations with minimal downtime (limiting the reputational impact of any outage).”
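The backup checks Richardson lists above (the job is completing, the copy is held at a secondary site, and a restore actually works) lend themselves to automation. The script below is an added example, not QBE's or the article's own tooling: it builds a small backup set in memory from constructed sample data, records a manifest, and then runs freshness, off-site location, checksum and restore-test checks against a good copy and three deliberately bad ones. The 24-hour window and the `offsite:` location prefix are assumptions; encryption of the archive is not modelled here.

```python
"""Backup verification checks (added example; not QBE's or the article's tooling).

Automates four of the checks in the quote above: the backup job completed
recently (freshness), the copy sits at the secondary site (location), the
archive is intact (checksum against a manifest), and every file can be
restored (restore test). Standard library only; the backup set is constructed
inline so the script runs offline. Encryption is not modelled.
"""
import hashlib
import io
import tarfile

MAX_AGE_SECONDS = 24 * 3600   # assumption: daily backups; anything older is stale
OFFSITE_PREFIX = "offsite:"   # assumption: how the manifest names the secondary site


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, taken_at: float, location: str):
    """Build a tar archive in memory plus a manifest recording when and where it
    was taken and the hash of the archive and of each file inside it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(taken_at)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    manifest = {
        "taken_at": taken_at,
        "location": location,
        "archive_sha256": sha256(archive),
        "files": {name: sha256(data) for name, data in files.items()},
    }
    return archive, manifest


def verify_backup(archive: bytes, manifest: dict, now: float) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if now - manifest["taken_at"] > MAX_AGE_SECONDS:
        findings.append("stale: last backup is older than the allowed window")
    if not manifest["location"].startswith(OFFSITE_PREFIX):
        findings.append("location: copy is not stored at the secondary site")
    if sha256(archive) != manifest["archive_sha256"]:
        findings.append("integrity: archive checksum does not match manifest")
        return findings  # contents of a corrupted archive cannot be trusted
    # Restore test: extract every file and compare it with the recorded hash.
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for name, expected in manifest["files"].items():
            try:
                member = tar.extractfile(name)
            except KeyError:
                member = None
            if member is None or sha256(member.read()) != expected:
                findings.append(f"restore: {name} missing or altered")
    return findings


# Constructed sample backup set (not real business data).
SAMPLE_FILES = {
    "ledger.csv": b"date,amount\n2024-09-01,1200.00\n",
    "customers.json": b'[{"id": 1, "name": "Example Pty Ltd"}]',
}
TAKEN_AT = 1_725_148_800.0   # 2024-09-01T00:00:00Z, constructed


def demo() -> dict:
    """Run the checks against a good copy and three deliberately bad ones."""
    archive, manifest = make_backup(SAMPLE_FILES, TAKEN_AT, "offsite:vault-b")
    corrupted = bytearray(archive)
    corrupted[600] ^= 0xFF   # flip one byte in the archive body
    an_hour_later = TAKEN_AT + 3600
    return {
        "good": verify_backup(archive, manifest, an_hour_later),
        "stale": verify_backup(archive, manifest, TAKEN_AT + 3 * 86400),
        "onsite": verify_backup(archive, dict(manifest, location="local:/backups"), an_hour_later),
        "corrupted": verify_backup(bytes(corrupted), manifest, an_hour_later),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the manifest would be written by the backup job and the verification run on a schedule from a host other than the one being backed up, so that a compromised source cannot report its own backups as healthy; a non-empty findings list is what should page the on-call team.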
New and emerging cyber threats
Advancements in technology, including AI, are giving rise to new cyber threats. Deepfake video and audio are one example, and are becoming increasingly common. Earlier this year, a finance officer was tricked into paying US$25 million to cybercriminals who posed as the company’s Chief Financial Officer using a deepfake in a video conference call [5].
“Robust verification procedures for all financial transactions are a must – this can include in-house dual authentication procedures being in place for large transfers, alongside direct vendor authentication and validation policies (via pre-established contact channels) if a request to change bank account details or to add a new payee account is provided to the business,” said Richardson.
Make cyber protection a priority for your business
According to the 2023 OAIC survey, almost half of Australian customers say they would close their account or stop using a product or service provided by an organisation that experienced a data breach [6], highlighting just how important it is for businesses to get cyber security right.
QBE’s cyber insurance policy QCyberProtect can help protect against the financial and reputational impacts arising from digital threats, and can provide critical support during a cyber event. Talk to your broker today for more information about our offering.
[1] ASD Cyber Threat Report 2022-2023 | Cyber.gov.au
[2] Privacy and Other Legislation Amendment Bill 2024, Attorney-General’s Department, Australia
[3] Australian Community Attitudes to Privacy Survey 2023 (oaic.gov.au)
[4] Notifiable Data Breaches Report: July to December 2023 | OAIC
[5] CNN, Finance worker pays out $25 million after video call with deepfake Chief Financial Officer
[6] Australian Community Attitudes to Privacy Survey 2023 (oaic.gov.au)