Encryption is the last line of defence against cyber-threats and a failure to encrypt can have a devastating impact. Despite this, Australia lags as Quantum computing approaches.

In an article published in AISA 2023, Senetas CMO Simon Galbally discusses the impact of successful cyberattacks and spotlights Australia’s need to play catch-up when it comes to securing network data and infrastructure against the impending threat posed by the arrival of quantum computers.

Failure to encrypt risks brand reputation and economic damage

Original Text:

The biggest concern about Australia’s data protection practices – minimising threats to privacy, intellectual property and government secrets – arising from the historically shocking data breaches in the past year isn’t the obvious cybersecurity failures. It is that these data breaches are indicators that Australian businesses may not be adequately preparing for the looming biggest cyber-threat in history – Quantum computing.

As Australian companies report stronger profits and global supply chains begin to recover, the post-Covid return-to-normal for customers proved different in a way that shocked the nation. The September 2022 Optus data breach disclosed (unencrypted) identity details of nearly half of Australia’s population. What followed was a series of similarly shocking data breaches (among the largest in the world) – Medibank, Latitude Financial and most recently, HWL Ebsworth. Many asked, do Australian organisations have a ‘laissez-faire’ attitude to cybersecurity?

As the Covid pandemic highlighted supply chains’ importance to national interests, from food and energy to medicines, cybersecurity saw increased emphasis in the United States, Singapore, Japan and South Korea (each of whose governments legislated), while the EU focused on enforcing its strong General Data Protection Regulation (GDPR) laws. Not so, it seems, in Australia.

In the wake of Australia’s worst ever data breaches, outrage from customers, regulators, the media, and government ministers followed. But, will things change? Will organisations improve their cybersecurity practices by investing in state-of-the-art ‘prevention’ (anti-hacking and anti-malware) and ‘data protection’ (encryption) technologies?

These breaches raised critical questions: was the data encrypted? If not, why not? In a world of well-known weaponised cyber-attacks; highly organised and resourced cyber-criminals; and geo-political conflict, the criticality of encrypting sensitive data throughout its life-cycle (stored, in use and network data in motion) is self-evident protection against unauthorised access.

Whatever cyber criminals’ motives – stealing government/business secrets and citizen identities, business disruption, or financial gain – cyber-attacks are advanced and persistent. Despite the cyber-defences used to prevent successful attacks, the issue is that data must also be protected by encryption in the event of successful attacks.


Reputational loss – trust

These data breaches didn’t just harm customers, employees and supply chains, they also harmed brand reputations and, in turn, shareholder value. Eventually, they hurt Australia’s national reputation. For example, Optus and Medibank suffered customer outrage, defection and reputational loss. Reports stated share value declines and provisions for ‘repair’ costs of about 2% and $20M, and 4.5% and $30M respectively. Litigation, penalties and reputational loss follow. Latitude Financial’s announcement of provisions for its breach costs saw its share value decline by about 10%.

One thing is certain, lawyers are queuing to begin class action litigation. The legal and compensation costs will be huge. That will lead to a further serious hidden cost – ‘reputational loss’ – loss of trust leading to customer defection. Time will tell, although these costs (revenue and recovery) are likely to be measured in millions of dollars.

Moreover, because each of the Optus, Medibank, Latitude Financial and HWL Ebsworth data breaches received global attention, there will also be national reputational loss as the effects attach to ‘brand Australia’ – as a trading partner and safe place to do business.

Roy Morgan’s brand trust report highlighted the impact of these data breaches on Optus, Medicare and Latitude Financial. Optus has for the first time ranked as the least trustworthy brand in Australia (June 2023), with Medibank elevated to the top 10 least trusted.


The Looming ‘Main Event’ – Quantum Computing

In the past, data breaches adversely affecting thousands of businesses and millions of citizens took place in other much bigger countries. It seems during those years Australian cybersecurity practices lagged. As other countries legislated and their businesses and governments moved towards ‘security first’ principles, Australia didn’t.

In the meantime, the US, EU and Asia moved further forward, focusing on the looming Quantum computing threat. In recognising this biggest cybersecurity threat in history, the US government took the high ground by legislating its Quantum Computing Cybersecurity Preparedness Act. Whilst other countries are planning similar initiatives, no formal plans have been announced for Australia.

The US Quantum Computing Cybersecurity Preparedness Act mandates the migration by federal agencies to Quantum resistant IT and cybersecurity systems. Like US data, Australian data also requires Quantum resistant IT and security, which will be critical as the AUKUS trilateral security partnership progresses through technology sharing.


Lest history be repeated

Cyber-crime growth – business crippling cyber-attacks and theft of unencrypted data – highlights weaknesses in ‘legacy’ cyber-defences and failures to encrypt sensitive data as the last line of defence. Just look at ‘signature-dependent’ anti-malware solutions’ failures to prevent signatureless ransomware and zero-day attacks. Obviously, one can’t fight a 21st century war with 20th century technologies!

A recent policy audit by the Australian Prudential Regulation Authority (APRA) revealed serious gaps in cybersecurity measures of banks, insurance companies, and other institutions.

Despite being regulated (CPS 234) – requiring an information security capability commensurate with vulnerabilities and threats – glaring deficiencies persist. These include incomplete inventories of sensitive data, poor control over third-party security, and inadequate breach response plans.

The now infamous Optus/Medibank/Latitude Financial/HWL Ebsworth data breaches alerted governments and businesses to the need for ‘security first’ and ‘zero trust’ principles in IT and security. These principles ensure cybersecurity technologies are fit for purpose (state-of-the-art) and sensitive data is encrypted throughout its lifecycle avoiding the stuff of nightmares.

Similarly, as Quantum computing looms, Australian government and business organisations must develop and implement plans for Quantum resistance. If not, they risk even greater catastrophic reputational and economic losses.


Useful links:

BLOG: Australia’s cybersecurity gap

BLOG: Australia experiences a spike in cyber attacks
