Kaspersky’s annual IT Security Economics Report has found that a fifth of its respondents have fired employees following a cyber security incident. Those let go were mostly IT team members, and one in 10 respondents noted that a C-suite executive was dismissed.
Kaspersky researchers found that 38 per cent of Aussie companies have implemented additional security policies and 63 per cent have changed authentication procedures for customers or employees within the past year as a result of cyber security incidents.
The businesses surveyed indicated that they detected data breaches on their organisations within a few hours (21 per cent) or one day (17 per cent). However, some organisations reported that it took several days (24 per cent), weeks (17 per cent), or even months (7 per cent) following a breach.
The types of data most commonly disclosed were customer personally identifiable information (60 per cent) and customer payment or credit card data (64 per cent).
Businesses are becoming more proactive in eliminating the consequences of a data breach, which could mean there is less need to disclose it, according to Margrith Appleby, general manager for Australia and New Zealand at Kaspersky.
“Of course, sometimes an attack cannot be hidden from the public, for example if the victim is a public authority or if the attack is exposed to the press, in which case the financial impact can rise significantly,” Appleby said.
The average financial impact for enterprises that fall victim to a data breach through their suppliers has reached US$1.4 million, the Kaspersky report further reveals. This is now the costliest type of cyber incident for an enterprise globally. For SMBs, this form of data breach cost an average of US$212,000 this year.
Kaspersky surveyed over 4,300 enterprises and SMBs globally (50 employees and over), and found that over a third (35 per cent) of Australian organisations had suffered attacks involving data shared with suppliers.
Appleby noted that business data is typically distributed across multiple third parties, including service providers, partners, suppliers and subsidiaries, and that this has become a cyber security blind spot for many organisations.
“Companies need to consider not only the cyber security risks affecting their IT infrastructure but those that can come from outside it.”
“Grading suppliers based on the type of work they do and complexity of access they receive, such as whether they deal with sensitive data and infrastructure or not, is recommended so companies can apply security requirements accordingly.”
“If there is sensitive data or information being transferred, ask suppliers to share documentation and certifications to confirm they are able to work at such a level,” Appleby said.
The research also found that, globally, crypto mining attacks, physical loss of company-owned devices or inappropriate IT use by employees can each have an average financial impact of $1.3 million on a business.
Across all forms of cyber attack, the average financial impact for Australian businesses was around $388,000 this year, down from around $483,000 in 2020. The trend was similar worldwide, decreasing to an average financial impact of $927,000 in 2021 versus $1.09 million last year. This figure takes into account the cost of hiring external consultants, improving infrastructure, training employees, insurance premiums, compensation, penalties or fines, and hiring new staff.
“The possible reason behind this decrease is previous investments into prevention and mitigation measures played well for businesses. Improving how they detect attacks has likely minimised the impact of a breach,” Appleby said.
Alternatively, the lower average cost may reflect the fact that businesses were less likely to report data breaches this year. Only a third (37 per cent) of all Australian businesses surveyed chose to disclose a data breach (compared to 49 per cent last year and 46 per cent globally). A further 42 per cent noted that a data loss was exposed by the media, 14 per cent more than in 2020.
For those businesses that reported a data breach, most said it was corporate policy and ethics to do so (63 per cent), while mitigating reputation damage was the rationale for a third. Others said it was due to regulatory requirements (39 per cent), likely those that fall under the OAIC.
Nastasha is a journalist at Momentum Media, where she reports extensively across veterans’ affairs, cyber security and geopolitics in the Indo-Pacific. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. She started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.