Criminals - Whitepaper

CANNINGS PURPLE WHITE PAPER

Data breach

Chris Leitch is Cannings Purple's data breach communications lead, driving risk management projects and shaping strategies for clients that allow leaders to be prepared and agile in crisis and issues management.

He is available to lead or support projects around data breach preparedness, including development of communications plans, scenario planning, auditing and testing existing plans, helping to build a secure data culture and developing data breach simulations to test resilience.

We can help!

Cannings Purple is your partner to build and test data breach resilience. Start a conversation with our data breach lead Chris Leitch today

Jeff Green, Senior Director for Cybersecurity Programs at Aspen Digital.

"Cyber insecurity will always be a significant problem, but it is one that we must work to manage, not eliminate."

The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history. Up to 9.8 million current and former customers had personal data such as phone numbers, addresses, Medicare and driver’s licences stolen.

Optus CEO Kelly Bayer Rosmarin, reflecting on the data breach at a business lunch in March 2023, said the company did everything it could to protect customers but it was clear they were unprepared in terms of communications.

“We sent out 16 million customer communications [with] 110 different bespoke messages for the different cohorts...

“There were a couple of messages that, when you read them, you thought: ‘Oh, this looks like it’s been written by someone who hasn’t slept in four days’.

“I wish every single one of those 110 communications had been to our usual level of quality.”
- AFR, March 2023

Communications with clients and customers are the public facing interactions but the clarity of messages to staff, suppliers, and other stakeholders are equally important.

The Optus data breach

Close

Case study

Continue reading below

The fight against cyber crime is often thought of as a war, but against an unseen enemy, attack methods constantly changing and no real endgame, it is useful to rethink the problem.

A better analogy for combatting this problem might be developing good cyber health habits that mean if you face an attack or breach, the recovery won’t take as long or be as painful.

What do cyber-criminals actually want?

Data is the language of business. Personal information about staff for payroll and other essential operations, contact information for clients and customers, sensitive information used in decision making and many other data points are collected and stored by organisations of all sizes.

Gartner has found that businesses increasingly prefer data-driven decision-making to intuition-based decision-making, which means organisations are gathering more information than ever before.

But criminals have also noticed all that data, and they place a high value on that information for sale or identity theft. Threats come from both individual hackers and well-funded organised crime groups.

Most cybercrime comes down to the value of that information on the black market, or dark web. It’s a money making exercise.

Cybercrime is now not only a business, but a lucrative growth industry with healthy returns and low risks.

Information has varying values on the black market, ranging from a few dollars for data from popular apps such as Spotify and Netflix, to stolen medical records, credit cards and identifiable information that can fetch thousands of dollars.

For that reason alone, malicious data breaches are not going anywhere.

The industry is so big, global consultancy McKinsey believes cyber incursions are on track to cause nearly $16 trillion a year in damage to the global economy by 2025.

IBM’s 2023 Cost of a Data Breach report revealed the average cost of a data breach globally was $7 million – a price tag that could potentially sink a small or medium business, or a not-for-profit organisation.

The most valuable information is personally identifiable, which is used to perpetrate identity fraud, fuel future phishing attacks or simply financial gain.

Small and medium businesses are also a target for cybercriminals, who may be seeking a way into bigger organisations through its weakest links – its supply chain.

As more information is collected and stored, the more attractive it is to organised crime seeking to exploit vulnerabilities for extorting organisations, or threat actors attempting to disrupt critical infrastructure and steal sensitive information.

Understanding how an organisation stores data and who can access it is a key risk management step that means the highest risk areas can be identified and addressed.

Safe handling and secure storage of data is the first line of defence against cybercrime. It is a risk management investment that reassures staff, customers, investors and other stakeholders that private information is safe from those who might exploit it.

But if a crack appears in the storage and personal or sensitive data is exposed, business leaders must be proactive to win back that broken trust. And that will not happen quickly.

In the event of a breach, organisations and boards will need to demonstrate that they took seriously the job of protecting personal and private information by showing actions taken to assess risk and defend data.

Cyber crime and data protection are complex problems but organisations should encourage greater understanding of the issues, to empower and educate their people.
Cybercrime isn’t going away but it will flourish if employees and executives don’t understand the motivations and start to think like their adversary.