In Australia, a new cyber crime is reported every seven minutes. During the last financial year, almost 700,000 businesses experienced a cyber crime, and 60 percent of targeted attacks struck small and medium-sized businesses.[1]
Today, Australia’s mid market, private and family businesses operate in a cyber ecosystem they’re not set up for. These businesses are less likely to have sufficient in-house or third-party support across prevention, detection and response, usually due to a lack of resources and the current talent shortage.
Four cyber trends for 2023
In this article, we look at four cyber trends playing out in 2023 and how mid market, private and family organisations can respond to them.
Trend 1: Increased digitisation and connection
Accelerated by the pandemic, digitisation shows no sign of slowing down. Our hyperconnected world has redrawn the traditional perimeters. Data can move fluidly beyond organisational boundaries as business data and systems are accessed globally through collaborations, partnerships and BYO devices. Additionally, 5G technology, edge computing, and hundreds of millions of emerging IoT devices quickly make conventional security approaches outdated and inadequate.
Response
First, adopt a zero trust approach. Zero trust is not a technology solution but a model that requires a mindset shift based on three key principles: assume nothing, check everything and limit access. This approach sees companies build an end-to-end cyber security model that is ‘perimeter-less’ – protecting every aspect of the ecosystem, including assets, workloads and other resources.
Secondly, businesses must become aware of their attack surface and increase their ability to manage it. An attack surface is the sum of all points in an organisation or system where an unauthorised party could attempt to gain entry or extract data, across every system the organisation operates or depends on. Once organisations know what they are dealing with, they can direct the necessary resources, or procure services, to help them mitigate their risk.
Trend 2: Threat landscape
During the 2021–22 financial year, cyber crime reports increased by nearly 13 percent.[1] The creative and rapidly evolving ways these crimes have been carried out include hacking, credential theft, insider threats, business email compromise, malware, phishing, and third-party compromise. While ransomware forms a very small percentage of total cyber crime reports, the ACSC assesses that ransomware remains the most destructive cyber crime threat. This is because victim organisations suffer the direct and indirect costs of stolen data, and the public is also often impacted.
Response
Because a cyber attack will inevitably happen to your organisation at some point, resilience is one of the most important things a business can strive for. Its ability to detect, identify, respond and recover can make all the difference to its survival. Organisations can change their thinking about the role of security and adopt a stance that cyber security is a major part of what the company does. This will help embed it into the culture and make it everyone’s responsibility.
Trend 3: Regulatory environment
Keeping on top of the regulatory environment is challenging for most organisations, even those with well-established, high levels of compliance, such as the financial services sector. As changes come into effect around the OAIC data breach reporting requirements, the expansion of the Critical Infrastructure Act, privacy law enhancements and Positive Security Obligations, knowing what is applicable to your business and finding appropriate, cost-effective ways to demonstrate your compliance should be a priority.
Response
To supplement, complement and manage the rules and regulatory expectations around cyber security and privacy, organisations can adopt security-by-design and privacy-by-design thinking on top of adopting standards or frameworks such as the Essential Eight, the NIST frameworks, or the ISO 27001 series. Understanding these usually goes beyond the in-house capabilities of most mid market businesses. Leveraging an external service such as KPMG’s cyber security governance, risk and compliance management can do the heavy lifting for you.
Trend 4: There is more at risk than data
The mid market had the highest average loss per cyber crime report where a financial loss occurred.[1] Overall, the average cost of a cyber attack is over $270,000. A cyber attack doesn’t only cause financial loss; other impacts include:
- reputational damage
- operational disruption
- interruption of essential services
- information loss
- costs to customers
- emotional stress
- harm to the physical health and safety of society.
It can also result in permanent damage to an organisation. A substantial loss of capital, a severely damaged reputation, or even the exposure of key operational information such as client lists can each cause a company to fold, with examples coming from the UK, South Korea and the US.
In addition, businesses can face scrutiny from regulators in the aftermath of an attack. A KPMG survey[2] showed that after a cyber incident, 32 percent of respondents reported that their companies had to deal with a compliance investigation.
Response
The executive suite can start by reframing how it thinks about cyber – focusing on practical enterprise risk rather than on expense and speed. Secondly, cyber security requires proper oversight. However, most senior leaders are not cyber security experts. They rely on specialists within the business to provide timely, accurate and easy-to-understand reporting and insights that enable them to make the right decisions and help keep the organisation resilient to threats and risks.
Increased digitisation, regulation and a broader threat landscape are raising cyber risk for the mid market. In response, organisations can adopt a zero trust approach, collaborate with relevant industry specialists to fill capability gaps and commit to measuring progress – focusing on improvement, not perfection.
1. ACSC Annual Cyber Threat Report, July 2021 to June 2022
2. A triple threat across the Americas: KPMG 2022 Fraud Outlook