By the numbers, 2020 has been one of the worst years on record for cyber-attacks in Australia and across the globe, particularly for ransomware.
IT security company CrowdStrike revealed in its 2020 Global Security Attitude Survey that Australia is one of the world’s hottest targets of ransomware attacks, with 67% of respondents admitting that their organisation had suffered an attack in 2020. This puts Australia in second place amongst countries surveyed,1 with only India faring worse.
Similarly, the Australian Cyber Security Centre’s (ACSC) inaugural Cyber Threat Report 2019-20 shows that it responded to 2,226 cyber security incidents in the past year, including targeted reconnaissance, phishing emails and malicious software affecting larger organisations, supply chains and government entities.
In terms of monetary costs arising from cyber-attacks, the most recent data from the Australian Competition and Consumer Commission (ACCC) identified that Australians lost over $634 million to scams last year,2 whilst other industry experts estimate the costs to be as much as $29 billion per annum.3 Globally, the CrowdStrike Survey shows that 56% of respondents reported that their organisation suffered a ransomware attack in 2020, with 27% of those who experienced a successful attack ending up paying ransom at an average cost of US$1.1 million. 61% report that their organisation has spent US$1 million or more on digital transformation in the last three years.
The Real World Effects
Cyber-attacks are real and sometimes have catastrophic impacts on businesses in Australia and further afield.
In November 2020, Levitas Capital, a highly profitable Sydney-based hedge fund, collapsed after a spam Zoom invitation was used to compromise the fund’s email system and led to them paying invoices worth $8.7 million, before eventually recovering the money.4 The fund was ultimately forced to close due to its largest institutional client withdrawing its money as a result of the attack. Perhaps the most concerning issue arising from the matter was that the crippling technology involved was seen as relatively “low-tech” and unsophisticated.
Cyber-crime can also do significant damage to a company’s bottom line, reputation and share price by extension. iSentia, an Australian media monitoring company, was hit by a significant ransomware attack, which caused the company to issue a media release indicating that the disruption to their SaaS platform would have an estimated $7 – 8.5 million impact on the company’s net profit before tax. To add insult to injury, the company was then ravaged by investors, sending its share price down by over 30% following the media release.5
There is also a growing regulatory burden associated with fighting cyber-crime, with regulators looking at legal avenues to ensure that organisations have sufficient protections and processes in place to fight cyber-attacks. In August 2020, the Australian Securities and Investments Commission (ASIC) filed first-of-its-kind legal proceedings against RI Advice, an Australian Financial Services Licensee, for failing to have in place adequate cyber-security systems and breaching its licence.6
The examples that we have mentioned are set against the backdrop of a series of significant cyber-attacks in the Australian market in 2020, including ransomware attacks on Regis Healthcare (August 2020),7 Service NSW (April/September 2020),8 Nielson (July 2020),9 Lion Australia (June 2020),10 MyBudget (May 2020),11 BlueScope (May 2020),12 and two attacks on Toll Group (January and May 2020).13
The COVID-19 Factor
Much of the uptick in cyber-crime in 2020 has been chalked up to COVID-19 related issues, including the increase of people working from home with “weaker” cyber-security in place and the propensity for scammers to use COVID-19 as a tool to leverage fear. Evidently, between 10 and 26 March 2020, ACSC reports that it received over 45 pandemic themed cybercrime and cyber security incident reports, whilst the ACCC Scamwatch received over 100 reports of COVID-19 themed scams.
On a global scale, the sentiment is consistent. The CrowdStrike Survey shows that in 2020, 71% of surveyed cyber security experts were worried about ransomware attacks as a result of the COVID-19 pandemic. 84% of respondents’ organisations accelerated their digital transformation efforts as a result of COVID-19, with the focus being on modernising security tools (45%) and increasing cloud rollout to support employees working remotely (44%).
Companies are in a war but unfortunately only one side knows it. It is critical that cyber security be the number one risk issue for all organisations for 2021 as the cyber carnage is just going to continue. Organisations need to be focussed on training their staff. Good training programs will significantly mitigate the risk of cyber breach.
We would like to acknowledge Benjamin Kende for his contributions to this article.