Skip to Main Content

Avoiding the opportunity cost of cyber risk

When something leaves us in fear that something could go horribly wrong at any minute it can change our behaviour in ways that are disproportionate to the threat. With this behaviour change comes an opportunity cost.

So it is with cyber threat in Australia today. It’s true that cyberattacks are becoming a daily reality for many Australian organisations. Frost & Sullivan research commissioned by Microsoft found that that more than half (55 per cent) of organisations in Australia have experienced a cybersecurity incident in the past five months.

Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World’ forecasts that cyber threats could cost the Australian economy a staggering $29 billion per year in direct costs alone – almost 2 per cent of Australia’s gross domestic product. Direct costs include revenue losses, decreased profitability and fines, lawsuits and remediation.

The study revealed that a large organisation with more than 500 employees would incur an average loss of $35.9 million if a breach occurs, more than 530 times higher than the average loss for a mid-sized organisation.

The opportunity cost of fear

But these costs are just one side of the coin. The opportunity cost of fear is just as significant. Two thirds (66 per cent) of Australian businesses are postponing digital transformation efforts due to fear of cyber threats. This is particularly troubling given the potential of digital transformation to boost the economy.

As our study ‘Unlocking the Economic Impact of Digital Transformation in Asia Pacific’ revealed, digitalisation could contribute $45 billion to Australia’s economy by 2021. When we include these indirect costs, taking into account customer churn effects, reputational damage, decreased consumer and enterprise spending, the total cost of cyberattacks to Australia could be much larger than $29 billion.

I’m concerned that cyber threats are causing too many organisations to enter into a state of paralysis – afraid of what might happen but not taking steps to confront the situation. In addition to the postponement of digital transformation initiatives out of fear of increased exposure to cyberattacks, one in five Australian businesses do not know if they’ve suffered an attack as they are not performing regular forensics or data breach assessments.

Ignoring the problem – or seeking to avoid it by limiting your exposure to new digital initiatives – is a strategy with diminishing returns. So how should you best engage with the potential of digital transformation while equipping your organisation to sidestep, tackle or recover from the cyber challenges that will inevitable come with it?

Cyber threat reduction strategies

Australia needs a cultural shift in how we manage data. It needs to be prioritised in the boardroom as a strategic focus. This will this ensure organisations comply with Australia’s Notifiable Data Breaches Act and Europe’s General Data Protection Regulation. But it will also empower employees to see data as the strategic asset it is, encouraging them to push forward with digital transformation initiatives. It will help us avoid becoming victims of fear.

Artificial intelligence (AI) is a potent weapon. Already being considered or adopted by four out of five (84 per cent) Australian organisations as a tool for addressing cyber threats, AI has the potential to detect and act on threat vectors based on data insights. This is key because cyberthreats are constantly evolving and the attack surface is rapidly expanding.

With its ability to see what’s on the horizon faster than any human can, AI will introduce a powerful predictive and proactive element to cyber defenses, while freeing up time to focus on other activities. Other best practices include:

Positioning cybersecurity as a digital transformation enabler rather than a hindrance. Digital transformation presents an opportunity to abandon ageing practices and embrace new methods of addressing today’s risks.

Continuing to invest in strengthening your security fundamentals. More than 90 per cent of cyber incidents can be averted by maintaining the most basic best practices. Training and policies are key, as are strong passwords, conditional use of multifactor authentication, keeping operating systems, software and anti-malware protection up-to-date.

Maximise skills with integrated tools. The best tools are useless in the hands of the amateur and too many tools can distract from the task at hand. Reduce the complexity of your security operations to allow your operators to hone their proficiency. Ensuring effective integration is a great way to maximise your risk coverage without overloading people.

Staying ahead of cyber threat means looking beyond compliance to how the organisation is progressing against security best practices. Assessments and reviews should be conducted regularly to test for potential gaps that may occur during transformation.

Minimising exposure to cyber threat by avoiding digital transformation is not a sensible strategy. Half the fight is ensuring we don’t limit our capacity to take advantage of new opportunities. With a bit of proactivity and the right tools, training and policies, Australian organisations will be well on the way to a secure digital future.

This article originally appeared in The Australian.