Since September 22, 2022, Australians have watched with bemused interest as one of the strangest IT sagas in our history played out. For millions of people, that puzzlement was personal as they discovered via email that their data had been compromised. Each day delivered a new twist to the tale, and at this stage, it appears that an inexperienced solo hacker was behind it all.
We are talking, of course, about the Optus data breach. And one of the main takeaways seems to be that all it takes is a kid with a computer to carry out the largest data breach in Australian history. To avoid falling victim to such attacks, businesses must do more than simply cover cybersecurity in their policies and corporate documents. A checkbox approach won’t cut it when it comes to the security of your systems and the safety of your customer data.
Thankfully, other Australian businesses are in an excellent position to learn from what went down with Optus. So, if you’re ready to improve your IT security, take the following five lessons to heart:
1. Data breach prevention is infinitely better than the cure
If you’re operating a small or midsize business (SMB), you may watch major data breaches go down with detached interest, assuming that nothing of the sort will ever happen to you. The unfortunate truth is that attacks on small businesses happen every day – they just don’t make national news.
When hackers target small businesses, they generally seek smaller amounts of money. However, this can still be crippling, especially if your systems are shut down or sensitive customer data is stolen. SMBs can also face fines in the wake of a data breach. Even if you don’t have any repercussions from the government, it can be nearly impossible to regain customer faith.
A recent Telecommunications Trust Survey conducted by Roy Morgan found that consumer trust in Optus plummeted in the weeks following the data breach. Meanwhile, Telstra benefited greatly from the event, with consumers reporting far more trust in the telco after the Optus incident. This is a notable finding, as Telstra didn’t have to do anything to gain this trust – by simply not being the telco to expose customer data, they enjoyed a major win in the popularity polls.
2. Honesty and transparency are crucial after a data breach
While it’s tempting to blame anyone but yourself if something as catastrophic as a major data breach occurs, the Optus saga has proven this isn’t the ideal course of action. Many customers first heard the news from the media, with very little information sent directly by Optus. In addition, the telco was reportedly slow to provide information to the government, and their general lack of transparency drew criticism.
When Optus Chief Executive Kelly Bayer Rosmarin suggested that the breach resulted from a “sophisticated attack,” Australian Cyber Security Minister Clare O’Neil was quick to shut this claim down, stating, “well, it wasn’t. So no.” An attack of such magnitude will always shake consumer trust, but businesses can go a long way toward mitigating the damage by acting swiftly and with transparency.
In addition to being honest with customers, it’s essential to be upfront with the government about any breach. For example, when Medibank experienced a similarly devastating data breach in October 2022, the company maintained regular contact with customers. However, there are suggestions that they could have informed the government of the severity of the breach around a week earlier. This could have made a difference in how the situation unfolded. As it stands, more than 3.9 million Medibank customers have had their sensitive data put at risk, and the company’s share prices have fallen considerably in the wake of the attack.
3. Your actions must match your cybersecurity and data retention policies
A comprehensive cybersecurity strategy is crucial for modern businesses of all sizes. However, these words will do you no good if you don’t comply with them. Optus is now under investigation by the Australian Communications and Media Authority (ACMA). If the telco’s actions don’t match its policies and the relevant legislation, fines will likely follow.
Returning to the Medibank example, journalists from the ABC and The Guardian have revealed that, ironically, the insurance company had no cyber insurance. It’s unclear whether any other policy-based issues were at play. However, this problem alone leaves Medibank in a deeply unenviable position. As you can probably imagine, it’s far better to take the actions necessary to ensure your business never gets to this position in the first place.
4. Companies can expect larger penalties for data breaches
According to Clare O’Neil, the Optus breach highlighted numerous ways in which the nation is lagging on cybersecurity measures. Specifically, she pointed to the massive fines – we’re talking hundreds of millions of dollars – that companies like Optus would face in other countries. Currently, the Australian government can penalise companies for failing to take adequate protective measures. However, these fines are capped at around $2 million.
Ms O’Neil does not support the continued application of such caps. The minister also hinted at sweeping reforms to data retention laws in Australia. Aussie businesses can expect harsher penalties in future. However, any increase in penalties should come with more precise legislation that doesn’t require businesses to retain unnecessary data.
If you’re looking to improve your enterprise cybersecurity or IT infrastructure, now is the ideal time to contact Invotec. One of our skilled IT consultants would be happy to answer your questions and help you determine the right solution for your business.
