2023 saw several shifts around the world in data privacy laws. But by far the biggest is the news that the Australian authorities have increased penalties for data breaches following a spate of major cyberattacks.
Australian firms are facing a hacking ‘pile on’ as threat actors find relatively few sophisticated defenses and an undersized and overstretched cybersecurity workforce to stop them. The Australian cybersecurity minister, Clare O’Neil, has warned of a new world “under relentless cyber-attack” as Australia’s security agencies scramble to stop the latest ransomware attacks.
This is exacerbated by a country-wide lack of skilled security professionals across all disciplines which, according to the latest research, is nearing crisis levels. Finally, Australia isn’t immune to global pressures like the post-pandemic shift to remote working which has only increased the attack surface.
Previous attempts to address the issue
It’s not as if the Australian Government has been sitting on its hands over the issue. In 2016, the government released its first Cyber Security Strategy, which included investments in cybersecurity research and development, increased collaboration between government and industry, and the establishment of the Australian Cyber Security Centre (ACSC).
The ACSC is a key element of Australia’s cybersecurity infrastructure and provides a range of services to government agencies and businesses, including threat intelligence, incident response, and advice on cybersecurity best practices. The ACSC also works with international partners to share information and collaborate on cybersecurity initiatives.
The Australian government has also introduced legislation aimed at improving cybersecurity. The Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to report cyber incidents to the government, while the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 provides law enforcement agencies with greater powers to access encrypted communications.
Australian privacy breach fines just got a whole lot bigger
The new bill aims to increase fines from the current maximum of AU$2.22 million (USD$1.4m) to whichever of the following is greater: AU$50 million (USD$34m), three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.
That’s a significant increase on the old fine and dwarfs IBM’s average total cost of a data breach, which stood at USD$4.35 million in 2022. It is even bigger than the estimated $25m to $35m fallout cost of the attack on Australian healthcare provider Medibank. Further damage was done as Medibank’s value fell by AU$1.6 billion in just a single week after the breach.
Australia’s cyber future
Another key trend that will shape the future of cybersecurity in Australia is the increasing use of cloud computing. Many businesses are moving their data and applications to the cloud, which can provide cost savings and greater flexibility. However, cloud computing also introduces new cybersecurity challenges, such as the need to secure data stored in multiple locations and the risk of third-party data breaches.
As mentioned above, the shortage of skilled cybersecurity professionals is also likely to remain a challenge in the future. The Australian Cyber Security Centre’s 2020 Cyber Security Survey found that 88% of surveyed businesses had difficulty recruiting cybersecurity professionals. To address this shortage, the Government and industry need to work together to provide training and education opportunities for cybersecurity professionals.
Looking further ahead, the Government recently launched the 2023-2030 Australian Cyber Security Strategy Discussion Paper, seeking the views and opinions of interested parties and experts (the option to contribute closes April 15 2023). The aim is to assemble an offensive cyber team to become the world’s “most cyber-secure country” by the end of the decade.
That’s going to take a while. In the meantime, Australian firms, or global enterprises that hold data there, are left with the threat of large, potentially ‘business ending’ fines. Interestingly, the ‘breach turnover period’ stands at 12 months or the duration of the contravention, whichever is longer. For longer-term systemic breaches by larger organizations, this framework could lead to maximum penalties significantly higher than the AU$50 million figure. Indeed, some commentators are asking if 2023 will see the first AU$1 billion data privacy fine.
All this raises the question of the effectiveness of state sanctions on companies that fall foul of cyber regulations. Will bigger fines, as the Australian authorities hope, lead to companies upgrading their security stance and ultimately to fewer breaches? We’ll have to wait and see. But with email the biggest attack vector, Australia-based organizations should give serious thought to adopting an Integrated Cloud Email Security solution, and quickly.