Cybersecurity lessons from down under

Are Australians really the victims of cybersecurity breaches more often than the rest of us? We think not.
31 October 2022

“Kangaroo Boxing” by Scott_Calleja is licensed under CC BY 2.0.

The last couple of months have seen a rise in the number of reports of cybercrime affecting Australian companies and organizations. The latest is the hacking of ForceNet, a social media platform used by Australia’s armed forces, their families, and some contractors.

The ForceNet hack apparently exposed up to 40,000 accounts contained in a data set from 2018. The breach was via a third-party IT service provider that is currently being grilled so the Australian government can “make sure we’ve got a full picture of what sort of data was there and available,” according to Matt Keogh, the minister for veterans’ affairs and defense personnel.

At the end of September, one of Australia’s big telcos, Optus, informed its customers that up to 10 million people had had their details revealed after it suffered the biggest cyberbreach in the country’s history. That incident has exposed one in three Australians to the possibility of identity theft or financial fraud and has led to an exodus of customers.

Since then, other Australian household names have also announced that they too have been victims of cybercrime. EnergyAustralia, Woolworths’ MyDeal, and Medibank are just three. According to the latest reports, the Medibank breach exposed over 200GB of data to the attackers.

Cybersecurity courses for Australian horses

Australia isn’t a particularly insecure country in respect of its cybersecurity (or its national character, it has to be said). What’s different is that companies and organizations have to declare cyberbreaches that affect them and their customers above a nominal level. That mandatory disclosure mechanism makes reporting cybersecurity breaches easier – thus a greater number of press reports – and removes the option for companies simply never to release details of how, when, and to what extent their defenses have been breached.

The Australian government’s mandatory data breach notification scheme received just over 850 filings last year. In a country with a population of 26 million, that’s one successful cyberbreach of note per 30,000 population. In the US, with a population of 332 million, that would equate to 11,000 serious breaches per year.

The Australian government is categorizing larger sections of industry as “critical infrastructure” (such as food production and transport). Organizations thus classified have to operate under stricter controls on what has to be reported via the government’s mandatory cyberbreach disclosure scheme. That, too, increases the statistical evidence available for mainstream reporting.

Taken together, these circumstances provide a more accurate explanation of the seeming abundance of successful cybersecurity breaches in Australia.

Network security when “network” means internet

The difference between Australia and the rest of the world is not that its organizations have no cybersecurity playbook but that they are legislatively bound to release details when they suffer a successful attack. Most companies would prefer not to announce when they have had their data stolen and take measures to keep news of any attacks secret. In Australia, that’s often not an option.

The decision by organizations outside Australia to hush up any attacks reduces public awareness of the preponderance of successful attacks and removes cybersecurity from the front-of-mind position when company boards allocate IT spending. Consequently, investment in protection is lower than it should be, and attackers will find more low-hanging fruit: targets that could have been protected with relatively trivial expenditure.

Australia’s insistence on at least a degree of openness in cybersecurity matters may do the country’s “brand” some harm. But to a hacker, the internet is just a network of potential victims. Whether an organization’s physical facilities are in San Francisco or Sydney is irrelevant.