If you haven’t been living under a rock for the last week, it’s likely you’ve heard of the extraordinary data breach suffered by telecommunications giant Optus at the hands of an as-yet unknown hacker, with fears as many as 9.8 million current and former customers had their data compromised as a result of the hack.
Such was the extent of the data breach that Australia’s government, Federal Police and even America’s Federal Bureau of Investigation have now been tasked with joining the response. Even as the story continues to develop, it stands out as one that should send shivers down the spine of businesses all around Australia, if it hasn’t already, as they consider their own preparedness for cyber threats.
“We know that for 9.8 million Australians, some basic personal information has been stolen from Optus,” Federal Minister for Cyber Security Clare O’Neil said on ABC’s 7:30 on Monday, “But for 2.8 million Australians, quite extensive personal data – which includes things like licence numbers and passport numbers – have been taken.”
“What is of concern for us is how what is quite a basic hack was undertaken on Optus. We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
Left red-faced by the breach and scrambling to respond, the telecommunications company’s beleaguered CEO Kelly Bayer Rosmarin fronted cameras to offer a statement, saying, “I’m angry that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it, and disappointed [that] it undermines all the great work we’ve been doing to be a pioneer in this industry.”
Yet for all Optus’ insistence that the breach could not have been prevented, this isn’t necessarily true. As O’Neil even conceded in her interview with the ABC, “We are probably a decade behind in privacy protections where we ought to be. I would say we’re about five years behind in cyber protections than where we should be given how fast things are moving.”
The pace of cyber threats in recent months and years has corresponded with a dramatic rise in cyber attacks, including ransomware attacks, with some suggesting many Australian businesses might already have fallen victim to such attacks – and not even know it.
“Attacks on our critical infrastructure and essential services are not always financially motivated. Malicious actors often want to significantly damage things or cause physical harm to people. The reality, therefore, is that many companies may have already been attacked without knowing it,” says ANZ Director for Thales Cloud Security Brian Grant, “Once malicious actors have compromised their target, they often stay hidden under the radar ready for an economic, geopolitical, or financial event before they attack.”
In a recent global report, Thales Cloud Security surveyed 2,767 organisations in critical infrastructure to determine the prevalence of the cyber threat and the status of responses. Examples of critical infrastructure include healthcare, financial services, telecommunications and, increasingly, retail.
“The pandemic has reshaped and extended what Australians view as ‘critical’,” says Grant, “Retailers and logistics providers have proved to be just as vital as utility companies and telcos.”
Thales reported that as many as 44 percent of respondents to its survey disclosed increases in the volume, severity and/or scope of cyberattacks within the last 12 months, with more than a third having experienced a security breach within the same period. Nor is the problem relevant only to bigger organisations, with SMEs and sole traders also warned to take it seriously.
“This is not something that just impacts major organisations, cybercrime costs are expected to increase by 15% per year up until 2025, reaching an eye-watering $10.5 trillion annually, according to Cybersecurity Ventures,” Skye Theodorou, co-founder of insurtech company Upcover, tells Power Retail, “This is big business for criminals – and is expected to outstrip the global trade of all major illegal drugs combined.”
Among the insurance options it makes available to customers, Upcover offers businesses ‘cyber insurance’ specifically, with interest in this coverage predictably rising sharply since the news of Optus’ data breach.
“The Optus data breach has resulted in a lot of interest in cyber insurance,” says Theodorou, “As a result, our customer success team is fielding lots of inbound queries and assisting with quotes – unsurprisingly, it’s increasing every day since the breach.”
The availability of cyber insurance for smaller businesses is a relatively recent development, as legislation regarding businesses’ responsibilities has also developed. But the option to insure against cyber attacks has really only developed alongside the growth of the cyber threat, and at a slower pace.
“Insurance really only developed in the last decade or so as cyber risk emerged and became more common,” Theodorou continues, “Cyber insurance was previously only offered to big businesses with more than 50 employees.”
“Today, cyber insurance has been tailored to make it specific to small and medium sized businesses, which is great. As cyber events and concerns increase, the interest and demand for this product increases too.”
Still, options to insure against cyber attacks are only one part of building preparedness for potential cyber threats, with retailers particularly warned to turn their focus to protecting their businesses against the threat. In its 2022 OverWatch Report, cybersecurity pioneers CrowdStrike found that the retail industry is globally the fourth most targeted industry by financial cybercrime – amid a 60 percent year-on-year increase in instances of hands-on interactive intrusions for the APJ region, including Australia.
Clearly, the problem of cybersecurity and cyber vulnerabilities is far greater than Optus alone, with the cyber threat continuing to grow and threaten us all – reinforcing the need to develop our cyber protections more so than ever before.
With October marking Cyber Security Awareness Month, Power Retail will be continuing the story of cybersecurity, threats to the Retail industry and how businesses can prepare and safeguard themselves in the week ahead.