It’s no exaggeration to say that Australia is experiencing an epidemic of data breaches.
Every day, we wake up to a new hack: a real estate agency in Melbourne, a third-party provider that services the Department of Defence and the Queensland Government.
These are just the recent ones after the more high-profile breaches at telco Optus and health insurer Medibank. By some estimates, 17 million Australians out of a population of 25 million have had some part of their private data exposed — and potentially sold.
The sudden spate of breaches tells us not only that the bad guys are winning but that the responses from corporations and the Government are woefully inadequate.
Australian organizations have been asleep at the wheel on security. It might not be a very sexy topic, but the issue is so critical that it is endangering the next wave of technology innovation and putting the future of the digital economy at risk.
It doesn’t help, as Australia’s Home Affairs Minister Clare O’Neil said last week, that the hackers are increasingly aided or shielded by sovereign governments. She also called out China and Russia.
It also tells us that organizations are becoming too used to looking to monetize other people’s data. Yet, at the same time, they are forgetting that their safe custodianship of customer data is key to their brand promise and any trust they hope to create with consumers and the public.
While they are manifestly failing in their duty to protect data, organizations – particularly the Government – still want more.
Biometric data is the next frontier. The public push is beginning in the gambling industry, where advocates say biometrics can help identify problem gamblers and save them from themselves. Meanwhile, a much broader project is underway at the Home Affairs Department to expand the collection and use of biometric data.
At the same time, the actions of the previous Australian Government, led by former Prime Minister Scott Morrison, in misusing tax data to identify people who had been overpaid social security benefits are being dragged out in front of a Royal Commission.
The Government has already paid nearly AUD1 billion in compensation for the “Robodebt” scandal, which applied poorly conceived algorithms to tax office data to identify — and often misidentify — welfare recipients as having been overpaid. The scheme made life so miserable for many of Australia’s poorest citizens that some took their own lives.
Increasing penalties
Against this backdrop, the Government is updating penalties under the Privacy Act, conceived in 1988 before the internet took off. It asks companies to take “such steps as are reasonable” to safeguard data and threatens maximum penalties of only AUD2.2 million.
Australia has had mandatory notification of data breaches since 2018, but it does not appear to have been much of an incentive for companies to get serious about their security postures.
Attorney General Mark Dreyfus has announced that the maximum penalty for serious or repeated privacy breaches will be increased to the greater of AUD50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s turnover in the relevant period.
“For too long, we have had companies solely looking at data as an asset they can use commercially,” Dreyfus said last week.
“When Australians are asked to hand over their personal data, they have a right to expect it will be protected.”
This is all very true, but whether stiff penalties will have much impact remains to be seen.
Hike in incidents
The previous week, the Australian Cyber Security Centre (ACSC) released a report revealing 76,000 reported cybercrime incidents in Australia last year, an increase of 13% and an average of one every seven minutes. Of these, 95 were incidents that impacted critical infrastructure.
Business losses attributable to cybercrime rose by 15% over the same period, with the average crime costing a small business AUD39,000.
Ransomware incidents are up 75% in the last two years as the “ransomware as a service” industry gains momentum among the hacking community. The insurance industry is responding and has raised premiums by 56% year on year.
Part of the problem the report identifies is old infrastructure, particularly outdated and unpatched routers in homes and small businesses.
“Malicious actors can use these routers to conduct person-in-the-middle compromises as a vector to target other networks,” the report said.
“The ACSC estimates that at least 150,000 to 200,000 devices in Australian homes and small businesses are vulnerable.”
Cyberattacks are part of the business landscape in 2022, but Australian organizations are doing themselves — and their stakeholders — no favors through a lack of preparedness and lax internal practices.
“In the last 12 months, we witnessed this sustained integration of cyber with conventional warfare in Ukraine, and the coalescence of powerful and disruptive cybercrime gangs and nation states combining efforts in that conflict,” Abigail Bradshaw, the head of the ACSC, said.
“That has been profound and new.”
That may be true, but Australian businesses and the public are now paying the price for how many corporations have rushed into data projects thinking only of the business benefits and not the risks. This has led to poor data governance, which is now almost a national trait.
So if an acceleration of cybercrime was profound and new in 2022, what could be new in 2023 is for Australian businesses to wake up and get serious about the threats they face.
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models. You can reach him at [email protected].
Image credit: iStockphoto/Tero Vesalainen