The dark web threat: Are you vulnerable to a cyberattack?

Cyber threats, ransomware attacks and data breaches are on the rise, but there are several ways to mitigate risks, manage costs and implement cybersecurity strategies

Australia has seen a dramatic rise in cyberattacks in recent years, with both large corporations and small businesses falling victim to increasingly sophisticated threats. The 2023 Annual Cyber Threat Report from the Australian Cyber Security Centre (ACSC) revealed that cybercrime reports in Australia surged by 13% over the previous year, with over 76,000 incidents reported. The financial toll is staggering, with the ACSC estimating the cost of cybercrime to the Australian economy at $33 billion annually.

The average cost of a cyber incident for a small-to-medium-sized business in Australia is approximately $39,000, while larger enterprises often face costs exceeding $5 million per breach. These numbers highlight the urgent need for Australian businesses to enhance their cybersecurity measures, especially as attacks become more frequent and costly.

Statistics from the Australian Signals Directorate reveal that a cyber incident is reported in Australia every six to seven minutes, every day. These incidents are not limited to large corporations. Businesses of all sizes are at risk, from small-scale invoice fraud to full-system hacks, according to Laura Newton, a Senior Associate at law firm Herbert Smith Freehills. “What traditionally was an IT problem is now a board problem,” said Ms Newton, who was recently interviewed by Dr Juliet Bourke, Professor of Practice in the School of Management and Governance at UNSW Business School, for The Business Of, a podcast from UNSW Business School.

Some ransomware groups operate like legitimate businesses, with an accounts team, managers and HR, according to Herbert Smith Freehills' Laura Newton. Photo: supplied

The evolving cyber threat landscape

The cyber threat landscape is constantly evolving, with new tactics emerging regularly. One concerning trend is the rise of ‘ransomware as a service’ (RaaS). “Much like software as a service, there is RaaS where a lot of these groups splinter off, or they provide, essentially ransomware in a box, and then anyone can pick it up and purchase that and act as though they are that ransomware group,” said Ms Newton, a UNSW Law & Justice alumna, regulatory lawyer and cyber security advisory lead with more than 10 years’ experience in law enforcement, regulatory investigations and cyber incident response.

This democratisation of cybercrime tools makes it increasingly difficult for businesses to identify and respond to threats. “You never really know if you’re dealing with the real deal, or if you’re dealing with a teenager sitting behind their computer who’s just a little bit bored,” Ms Newton explained.

Surprisingly, many of these ransomware groups operate like legitimate businesses. “Some of the really well-known groups, they do have an accounts team, they have managers, they’ve got HR,” said Ms Newton, who explained that if an organisation chooses to engage with a group, this can result in a variety of outcomes. “They might say, ‘Oh, you know, I can’t answer that, because I need to talk to my boss,’ and they actually do have a boss. So that’s when you know you’re dealing with a credible group,” she said.

The dilemma of ransom payments

When faced with a ransomware attack, businesses often grapple with the decision of whether to pay the ransom. This decision is often influenced by the company’s pre-existing stance on such situations. “Sometimes that stance does shift during the course of an incident, when they realise that perhaps they do have to pay or they’re a little bit stuck, and then that comes down to not being able to essentially operate,” said Ms Newton.


The decision to pay often hinges on the potential consequences of not being able to operate. For some businesses, particularly those in critical sectors, the inability to function could be catastrophic. Healthcare providers, for instance, may find themselves unable to access patient records, potentially putting lives at risk. Financial institutions might lose access to transaction systems, paralysing their operations and eroding customer trust.

Ms Newton emphasised that the decision to pay is rarely straightforward. “It’s a complex calculation of risk, ethics, and practicality,” she said. “Companies must weigh the immediate cost of the ransom against the potential long-term costs of extended downtime, data loss, and reputational damage.”

However, paying the ransom doesn’t guarantee a resolution, even though many ransomware groups have reputations to maintain. This ‘business-like’ approach of cybercriminals adds another layer of complexity to the decision-making process. Companies may find themselves in the surreal position of evaluating the ‘trustworthiness’ of the very criminals who are extorting them.

Businesses should never make this decision in isolation, Ms Newton explained. “It’s crucial to involve legal counsel, cybersecurity experts, and in some cases, law enforcement,” she said. “These stakeholders can provide valuable insights into the potential consequences of both paying and not paying the ransom.”

Human error is often the weakest link in cybersecurity, with up to 95% of all cyber incidents originating in human error. Photo: Adobe Stock

Protecting your business from cyber threats

While the cyber threat landscape may seem daunting, there are steps businesses can take to protect themselves. Human error is often the weakest link in cybersecurity, according to Ms Newton. “The statistics are varied in this but it’s anywhere from between 75 to 95% of all cyber incidents start from a human error,” she said.

This highlights the importance of regular staff training, particularly in recognising phishing attempts. However, this is becoming increasingly challenging with the rise of AI, which Ms Newton said can create more sophisticated and believable phishing emails. Beyond human factors, technical controls and frameworks play a critical role.

One framework that businesses can follow is the Essential Eight, developed by the Australian Signals Directorate. Barney Tan, Professor and Head of the School of Information Systems and Technology Management at UNSW Business School, explained: “Some of the eight strategies include patching your applications, blocking Microsoft Office macros, restricting administrative privileges, patching your operating systems and ensuring that you have multi-factor authentication.”

However, Prof. Tan cautioned that while these technical measures are crucial, they’re not sufficient on their own. “Often, with a breach, with a cybersecurity incident, it’s not the technical aspects of the system that actually lets them down. It’s the human and social aspect,” he said.

The importance of data management

Another critical aspect of cybersecurity is data management, and Ms Newton advised businesses to regularly audit their data holdings. “There are some legal requirements for companies to continue to hold data. So notwithstanding that it becomes one of those questions of, ‘Why are we still holding customer data? Do we need it? And can we anonymise it if we do need it?’” she explained.

This practice not only reduces the potential impact of a data breach but also aligns with upcoming privacy law reforms. Ms Newton anticipated that Australia may move towards a GDPR-style regime, which would give individuals more rights over their data, including the right to request its deletion.


The shift towards more stringent data protection laws reflects growing concerns about privacy and data security worldwide. “We’re seeing a global trend towards empowering individuals with greater control over their personal information. This isn’t just about compliance – it’s about building trust with customers and stakeholders,” said Ms Newton.

For businesses, this means adopting a proactive approach to data management. It’s not enough to simply collect and store data; organisations must have a clear understanding of what data they hold, why they hold it, and how long they need to retain it. Ms Newton suggested implementing a comprehensive data governance strategy. “This should include regular data audits, clear retention policies, and processes for secure data deletion when it’s no longer needed,” she said.

Moreover, businesses should consider the principle of data minimisation. This involves collecting and retaining only the data that is absolutely necessary for business operations. “Every piece of data you hold is a potential liability,” Ms Newton warned. “By minimising your data footprint, you’re not only reducing your risk in case of a breach, but you’re also simplifying your compliance efforts.”

Ms Newton also stressed the importance of data encryption and access controls. “Even if a breach occurs, properly encrypted data is much less valuable to cybercriminals,” she explained. “And by implementing strict access controls, you can limit the potential impact of insider threats or compromised user accounts.”

"We’ve seen cases where companies have lost significant market share following a major breach" – Laura Newton, Senior Associate at Herbert Smith Freehills

The cost of cybersecurity

Implementing robust cybersecurity measures can be costly, but the potential cost of a cyber incident can be far higher. “The biggest that I have seen has gone beyond $5 million and that included investigations from the regulators,” said Ms Newton.

While the cost of prevention can seem high, especially for small businesses, Ms Newton advised weighing it against the potential cost of an incident. “You’ve really got to ask yourself is it worth it?” she said, explaining that the true cost of a cyber incident extends far beyond the immediate financial impact: there are direct costs such as forensic investigations, legal fees and potential ransom payments, as well as indirect costs that can be even more significant in the long run.

These indirect costs can include reputational damage, loss of customer trust, and decreased market value for public companies. “We’ve seen cases where companies have lost significant market share following a major breach. Rebuilding that trust can take years and may require substantial investment in marketing and public relations efforts,” said Ms Newton.

For small and medium-sized businesses, the impact can be even more severe. Smaller companies often lack the resources to weather the storm of a major cyber incident, and Ms Newton said that in some cases, the combination of financial loss, reputational damage, and regulatory penalties can force a business to close its doors permanently.


Ultimately, Ms Newton advised businesses to view cybersecurity spending as an investment rather than an expense. “In today’s digital landscape, robust cybersecurity is not just about protecting your assets – it’s about ensuring the continuity and resilience of your business,” she concluded.

Key cyber security takeaways for business professionals

  1. Prioritise cybersecurity training for all staff, focusing on recognising and responding to phishing attempts.
  2. Implement robust technical controls, such as those outlined in the Essential Eight framework.
  3. Regularly audit your data holdings, only retaining what is necessary and considering anonymisation where possible.
  4. Consider cybersecurity costs as an investment in your business’s future, weighing them against the potential cost of a cyber incident.
  5. Stay informed about evolving cyber threats and adjust your security measures accordingly.
  6. Have an incident response plan in place, and be prepared to enact it quickly if necessary.
  7. Consider engaging with cybersecurity experts to assess your current vulnerabilities and recommend improvements.
