Privacy under attack

Millions of Australians have lost control of their personal data as a result of notifiable data breaches.

Three of Australia’s biggest data breaches occurred in the last 12 months.
Whether the breaches were the result of malicious actions or negligence, these people's details are potentially in the hands of cybercriminals, leaving them exposed to fraud and identity theft.

Cyber threats are evolving faster than any other risk management area, and business leaders must demonstrate they are taking these threats seriously.
The threat to our data 
The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history.
The Optus data breach 

Case study

For many organizations, understanding the full scope of the relationship between cyber risk and their third-party suppliers/vendors can be a blind spot. Yet it is critical.

Marsh/Microsoft State of Cyber Resilience Report

About two notifiable data breach reports are made each day in Australia on average, with around seven in 10 of those reports the result of malicious or criminal actions.

When information is stolen, goes missing or becomes visible to criminal elements, the reputational damage can be devastating, shattering the trust that staff, customers, investors and other stakeholders have in an organisation as a sound custodian. 

Increased sophistication by attackers and the widespread availability of ransomware and malware tools have raised expectations for company disclosure, through such means as the Notifiable Data Breach scheme.

Data breaches among bigger companies, such as Optus, Medibank or Latitude Financial, have long tails, and investors make their influence felt by withdrawing funds or taking legal action.

The risks extend beyond the organisation itself, with supply chains increasingly a weak link in data protection risk management.

A supply chain attack, also known as a value-chain or third-party attack, occurs when information is compromised through an outside partner or provider with access to your systems and data. 

Personal information is legitimately shared with third-party organisations and platforms for the purpose of doing business, such as an external agency that handles services or a software platform used for business purposes.

Although many businesses have effectively enacted internal cybersecurity protections, the Marsh State of Cyber Resilience Report 2022 found that just 43% have conducted risk assessments of their supply chain.

Despite best efforts, the reality is that almost all organisations will experience some form of privacy breach, cyberattack or other serious data breach, which can be harmful to people and damaging for an organisation’s financial position and reputation. 

As regulations on managing sensitive data and third-party vendors continually evolve, compliance is becoming increasingly complex. 

There is an increasing need for business leaders to develop cyber-resilience and a data safety culture within their organisations, as well as rapid response capabilities.

A well-rehearsed communications plan and a strategy to mitigate the impact of cyberattacks or data breaches can be the difference between saving an organisation’s reputation and destroying relationships with stakeholders.

The response in the first 72 hours can determine if the damage will become irreparable. 

Preparation is critical to managing cyberattacks and data breaches, and no effective response was ever created in a time of crisis. 

Organisations need to know what data is being protected and how it’s being protected, and where there are risks and vulnerabilities in accessing information.