Australian organisations are facing increasingly frequent and “more destructive” data breaches and need to adopt integrated risk management, experts warn.
With governments, organisations and companies increasingly connected and dependent on technology such as cloud and the Internet of Things, the vulnerability of organisations to an expanding “threat landscape” has dramatically increased, according to Alexander Serrano, an Australian consulting practice leader with IBM.
“In 2009 there were around three million security cyber-attacks globally, by 2016 it had risen to 42 million,” he told the Gartner Security & Risk Management Summit on Monday.
Mr Serrano said research by the Ponemon Institute showed the average total cost of a data breach is now $1.9 million for Australian organisations “and has been increasing year on year.”
A bad actor could be in an Australian organisation’s system for up to 139 days before it is detected, he warned.
Globally, more than half of 2,000 organisations surveyed (56 per cent) had suffered a significant disruption in the past two years, and 65 per cent of those said the severity of attacks had increased in the past year, he said.
“53 per cent of those organisations are confident they can prevent, detect and recover from major cyber events, which to me is dramatically low to think of the number of organisations that aren’t confident,” he said.
He said cyber security had arguably reached a tipping point given organisations were identifying it as a “clear and present danger,” with the World Economic Forum now ranking cyber-attacks in the top three of major risks facing organisations globally.
“Cyber security has gone from off-Broadway to absolutely being the main show when it comes to business risk,” Mr Serrano said.
One in four organisations can now expect a data breach over a period of two years, he said. “If you haven’t had a major cyber-attack, it’s not a matter of if, but when.”
Mr Serrano said it became clear last year that organisations are starting to suffer “more destructive cyber-attacks”.
“Previously threat actors were happy to get into an organisation, extract valuable data, usually for financial fraud, use it and get out. We’ve found over the past 12 months a move towards destructive cyber-attacks, probably because of some nation state type attacks getting into the wild. Some of those exploits look like ransomware but when the organisation tried to pay the ransom it still destroyed the system.”
Integrated responses needed
John Wheeler, research director with Gartner, told the Sydney audience that cyber risk management is evolving and whole-of-organisation responses are needed.
“Integrated risk management” required the engagement of all facets of an organisation – from legal and CEO to human resources, finance, operations and marketing – to cross silos and provide an organisational view of risks, Mr Wheeler said.
Mr Serrano said that many organisations did not have a cyber incident response plan, which articulates how they would contain damage during and after a cyber-attack and communicate with stakeholders in order to lessen reputational impacts.