
Lower average cost of Australian data breaches is not a sign of comfort

The average cost of a data breach to Australian organisations dropped in 2015, according to research

The cost of an Australian enterprise data breach has dropped over the past year – but it is not a signal that the nation is off the cyber security hook.

According to the latest Ponemon Institute survey, commissioned by IBM, there has been a 6.6% drop in the cost of the average data breach in Australia (down to $US2.44m). The average cost per lost or stolen record also fell.

This is in stark contrast with the situation globally, where the costs of a data breach continue to rise, reaching $US4m – up from $US3.79m a year ago. Australia is the only country where the total cost of a data breach fell.

The global report also found that Australia and Germany were the two countries among the 12 surveyed that were least likely to face a “material data breach” involving 10,000 or more records.

However, Glen Gooding, IBM security business unit executive ANZ, acknowledged that there was a relatively small sample of Australian businesses included in the global survey, and that it should not be taken as a signal of a “steady state decline” in terms of cyber breach impact in Australia.

Gooding said he had spoken to the Ponemon Institute about the local phenomenon and believed there were three factors at play.

First, Australian companies have gotten better at detecting and responding to incidents; second, local companies are spending less on consultants and legal experts; and, finally, Australian companies are doing a better job at keeping customers after a breach. 

This backs up the findings of the recent Deloitte Australian Privacy Index, which revealed that 71% of individuals did not trust an organisation any less after they were notified of a data breach.

Rather than the actual number of breaches going down in Australia, there has been a slight improvement in how they are handled.

The 2015 Australian Cyber Security Survey of major Australian businesses, released by the Australian Cyber Security Centre in association with Cert Australia, noted that 50% of respondents had experienced one cyber security event in the previous year. Cert responded to 11,733 incidents affecting businesses.

Australia’s proposed mandated data breach legislation is in limbo pending the outcome of the July election, but if passed the legislation will help shed further light on the extent of the problem.

According to Corrs Chambers Westgarth partner Helen Clarke and special counsel Sophie Bradshaw, if the legislation is passed companies will have to disclose breaches involving personal information, credit reporting or credit eligibility information.

Notification will also be required where the breach involves tax file information, or if it gives rise to “a real risk of serious harm” to an individual.

Gooding at IBM warned that the increasing use of cloud computing services – especially those brought into the organisation through shadow IT spending, outside of the CIO’s oversight – could render a business more vulnerable in the future.

“Complexity is the enemy of good security,” he said, and the challenge for the CIO or CISO with cloud computing is “how well they can control third-party suppliers.”

Security in the cloud

The 2015 Australian Cyber Security Survey found 82% of respondents used or planned to use cloud-based services. Among those not planning to use cloud-based services, security concerns were nominated as a barrier to adoption.

Gooding said it was important, as part of a security audit, that enterprises gain a clear view of what is running in the cloud, especially when there is a lot of shadow IT in use. “They confidently come back with their spreadsheets, but when we run a discovery audit there can be three or four times what they thought.”

“There’s been no due diligence. They’ve grabbed a service, but not considered the security implications of using a cloud payments gateway service that has not been validated by the security team,” he said, adding that this leaves an enterprise more exposed than it realised.
