It has become a dull and repetitive tune that our cybersecurity incident response team endures on a daily basis: Australian businesses asking how they got breached when their IT company had assured them they were ‘secure’.
The reality is quite simple: Managed Service Providers (MSPs), IT companies and IT consultants are not security experts. Whilst there is some overlap in setting up infrastructure in a ‘secure’ way, it is simply not enough for companies in 2019 to rely on soundbites from those who are neither qualified in nor familiar with the world of cyber-crime. Cybersecurity has never centred solely on technology; in fact, the OAIC Notifiable Data Breaches Quarterly Statistics Report for October to December 2018 attributes one-third of reported breaches to human error. [1]
In today’s age, criminals don’t want the combination to your vault of gold bars; they want your customer data, and they want to manipulate your customers into sending money their way. If they can’t do that, they will simply sell your customer data to the highest bidder. That is the reality of the dark web, and it is this threat that has prompted many business managers to raise security as a concern with their technology providers, who pounce on the opportunity.
Being a mechanic does not automatically qualify you for the Grand Prix, so why do companies continue to rely on assurances and security assessments from IT providers who are not qualified to issue them? Because IT providers keep issuing them. Cybersecurity is an emerging industry, and many IT providers are riding the wave of inbound ‘security’ inquiries by offering ad hoc security assessments that are not aligned with any recognised industry standard.
IT providers have a duty of care to represent their capabilities accurately, honestly and transparently. It is also in their own interest to do so, because when a client does suffer a data breach, the first phone call is usually to the IT company, asking ‘how could this have occurred?’.
It is sad to see Australian businesses become the casualties of greedy corporations jumping on the ‘cybersecurity’ movement, because at the end of the day it is cyber criminals who continue to benefit. In 2018, Australians lost over $107 million to scams and cyber-crime,[2] and global damage from cyber-crime is predicted to exceed $6 trillion USD annually by 2021.[3] If Australian businesses continue to struggle to make cybersecurity a priority, these statistics will soon stop being just numbers and become a nail in the coffin of boards, employees and the economy.
[1] https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-october-31-december-2018
[2] https://www.scamwatch.gov.au/about-scamwatch/scam-statistics?scamid=all&date=2018
[3] https://www.herjavecgroup.com/the-2019-official-annual-cybercrime-report/