The cybersecurity landscape
Australia faces an unprecedented volume of cybersecurity attacks. We’ve grown accustomed to news and headlines about passwords being compromised, personal information being stolen, and personal and health information leaked and misused. The goal pursued by all attackers is very simple: sensitive data. The more, the better.
Optus and Medibank were high-profile breaches of 2022 that reminded companies of their responsibility to keep customer data and personally identifiable information (PII) safe.
Regulations and mandatory disclosure requirements
Regulators such as the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC) have taken steps to require companies to notify their customers if their data has been compromised. This helps customers protect themselves against the potential ramifications of a cybersecurity incident and take reasonable steps to prevent further harm. Companies that fail to comply with mandatory disclosure requirements, or that fail to exercise proper due diligence when handling and protecting PII, face the threat of hefty fines.
Impact of cybersecurity incidents
When analyzing cybersecurity incidents, we typically observe direct and indirect impacts such as:
- Direct
  - Repair cost – Remediating the incident and restoring systems and services to operational status, for example after a ransomware attack or a production failure. Restoration costs may include professional third parties engaged to assist with restoration procedures or conduct forensic investigations.
  - Decrease in productivity – The business impact of unplanned outages and downtime, which results in lost sales or reduced bottom-line profit.
  - Regulations and fines – Punitive fines issued by regulators for failure to safeguard critical information such as PII and systems of record.
- Indirect
  - Reputation – Loss of customer trust and confidence that the service provider is taking appropriate measures to protect data and information. This is often reflected in part in the company’s stock price (if publicly traded), which can in turn negatively affect customer sentiment. We are beginning to see that cybersecurity breaches, especially those publicised through mainstream media channels, ultimately reduce customer retention and revenue growth.
Customer churn and retention
Customers expect their information and data to be managed in a secure manner and protected from unauthorised access. But how willing are customers to terminate their contracts and move to other service providers when their personal data is exposed and misused? Based on our analysis of the ANZ market, in highly regulated, mature industries with intense competition, trust (or the lack of it) can make a big difference to customer retention.
Case Study
Latitude Financial Services
On March 27, Latitude Financial Services, a leading digital payments, installments and lending company, admitted that criminals stole 14 million customer records, most of them dating back to 2005.
The exfiltrated data included names, driver’s licence numbers, addresses and dates of birth, along with thousands of passport numbers.
In filings with the Australian Securities Exchange (ASX), Latitude estimated after-tax losses from the breach at approximately A$105 million. This amount excludes regulatory fines, class action lawsuits and insurance-related costs.
For reference, Latitude states that the total cost of containing and remediating the breach is approximately A$7 million to date, with an additional $46 million to cover future costs.
Consider this breach in light of recent cybersecurity incidents. Based on notable examples such as the Optus breach, we expect Latitude to lose customers going forward. For Optus, the breach resulted in a significant drop in net subscriber numbers, and it took until the end of the calendar year to return to positive net customer growth. For Latitude Financial Services, additional indirect costs are expected from the loss of customers.
The growing cybersecurity challenge within the enterprise
How can businesses protect their information assets in order to sustainably secure the trust of their customers? The focus ranges from data stores to backup and recovery mechanisms to local copies of customer records that may have been inadvertently stored unencrypted.
Cybersecurity practices can be fairly prescriptive with granular controls structured within the context of functions. There are various frameworks that detail both preventive and detective controls. A common example is finding and remediating vulnerabilities in public resources. Nonetheless, the pace of technological advancement is posing a challenge to keeping up with normal cybersecurity practices while adding the necessary layers of protection to maintain confidentiality, integrity and availability.
Cybersecurity experts commonly refer to “defense in depth” as an approach to protecting a multifaceted environment. This refers to aggregating additional layers of protection to minimize both the impact and likelihood of cybersecurity breaches.
To illustrate the challenges cybersecurity professionals frequently face, we have outlined some recent examples based on our experience with industry clients.
Artificial intelligence (AI)
Engineering teams are leveraging AI, but models need to be continuously trained to detect changing patterns when profiling customer behaviour. As a result, production data (such as customer transactions) proliferates into non-production environments for training purposes. It is generally considered better practice to ensure that the controls in the non-production environment match those of the production system. This becomes even more of a challenge when considering complexities such as superuser access and separation of duties across different environments.
To protect personal information, organisations may enhance security detection and response solutions, introduce additional security controls at the perimeter, or tighten access controls (for users as well as for other applications and services) around confidential information.
Data stores
Consider the following hypothetical scenario. As part of a large-scale digital transformation program, a new enterprise resource planning (ERP) solution is being implemented to integrate multiple data stores (both on-premises and cloud) such as customer relationship management (CRM) platforms, warehouse management solutions and third-party inventory systems. These data stores contain sensitive customer data. The data is fragmented, but its real value is revealed when it is aggregated into a complete PII and customer record. To add an extra level of security around sensitive information, the organisation can either harden its infrastructure security (network, perimeter, etc.) or run programmatic data discovery exercises to identify sensitive information in environments that were not previously considered.
Identifying sensitive information across both structured and unstructured data sources impacts cybersecurity considerations. In other words, you cannot protect information that you are not aware of.
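The programmatic data discovery exercise described above, as an added example that is not part of the original article: it scans both a structured export and unstructured text for the kinds of fields named in the Latitude case (dates of birth, passport numbers, licence numbers, addresses) and reports only counts per source, never the matched values. The detector patterns and the sample sources are constructed assumptions for illustration, not authoritative formats for Australian identity documents.

```python
import re

# Constructed sample sources standing in for "unconsidered" environments,
# e.g. a CRM export copied into a non-production store and a free-text ticket.
SAMPLE_SOURCES = {
    "crm_export.csv": "id,name,dob,licence\n1,Jane Citizen,14/02/1985,123456789\n",
    "support_ticket.txt": ("Customer called re: passport N1234567 and DOB 03/11/1979 "
                           "for address 5 Example St, Sydney NSW 2000."),
    "warehouse_sync.log": "2023-06-01 sync ok: 240 rows, no customer fields",
}

# Heuristic detectors (assumed formats for illustration; tune per jurisdiction).
DETECTORS = {
    "date_of_birth": re.compile(r"\b(0[1-9]|[12][0-9]|3[01])/(0[1-9]|1[0-2])/(19|20)\d{2}\b"),
    "passport_number": re.compile(r"\b[A-Z]{1,2}\d{7}\b"),
    "drivers_licence": re.compile(r"\b\d{8,10}\b"),
    "postal_address": re.compile(
        r"\b\d+ [A-Z][a-z]+ (St|Rd|Ave)\b.*?\b(NSW|VIC|QLD|SA|WA|TAS|NT|ACT) \d{4}\b"),
}


def scan_text(text):
    """Return {detector_label: match_count} for one blob of text (no values kept)."""
    findings = {}
    for label, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            findings[label] = count
    return findings


def discover(sources):
    """Run every detector over every source; works the same for CSV rows or prose."""
    return {name: scan_text(body) for name, body in sources.items()}


def sources_needing_controls(report):
    """Sources holding any sensitive field: these need the same controls as production."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    report = discover(SAMPLE_SOURCES)
    for name, findings in report.items():
        print(f"{name}: {findings or 'no sensitive fields found'}")
    print("needs controls:", sources_needing_controls(report))
```

The log file correctly yields nothing, while the support ticket, which no schema would have flagged, turns out to hold a near-complete identity record.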
Application programming interface (API)
Another hypothetical scenario: as part of a digital transformation program, the technology team implemented APIs for high-risk, high-volume transactions to enable efficient integration between services and improve the overall customer experience. A major challenge in API security is vulnerability identification, because exploiting an API requires application-specific context and in-scope data, unlike the traditional approach of scanning open ports to identify and remediate vulnerable software. APIs are the foundation of automation, and their use requires new approaches to securing the communication between applications and services.
To protect your API calls, you can enforce security controls at your perimeter to prevent unauthorized access from outside your organization, or leverage concepts like tokenization and just-in-time credentials. This helps protect the exchange of information between applications and ensures that API calls are authenticated.
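The just-in-time credential idea from the paragraph above, as an added example that is not part of the original article: a calling service is issued a short-lived, HMAC-signed credential bound to one API scope, and the receiving service rejects anything expired, re-scoped or tampered with. The signing key, service names and scope strings are constructed assumptions; tokenization of the payload itself is not covered here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the demo; in practice this lives in a secrets manager
# and is rotated, and the verifier never sees anything but the key id.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(subject, scope, ttl_seconds, now=None):
    """Mint a credential that is only valid for one scope and a short window."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_credential(token, required_scope, now=None):
    """Return (ok, reason). Signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != required_scope:
        return False, "scope mismatch"
    return True, "ok"


if __name__ == "__main__":
    cred = issue_credential("orders-service", "payments:write", ttl_seconds=60)
    print(verify_credential(cred, "payments:write"))   # (True, 'ok')
    print(verify_credential(cred, "payments:read"))    # (False, 'scope mismatch')
```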
The examples above illustrate the challenges of information and data security when leveraging digital and emerging technologies. In such cases, leveraging traditional frameworks and approaches to managing cybersecurity may not be sufficient to protect sensitive information from unauthorized individuals.
Trust as a key unique selling point in a competitive market
Service providers and companies that manage large amounts of PII are subject to targeted campaigns by malicious actors leveraging carefully crafted social engineering and other techniques such as supply chain compromise.
Cybersecurity is policy- and framework-driven by design, adding preventive and detective controls on top of better-practice frameworks and approaches. But recent breaches show that we need to break our policies and frameworks down to a more granular level and look beyond the usual Essential 8. These frameworks are comprehensive in nature, but the technology landscape is evolving at a rate that requires additional controls and approaches to protect customer information.
Quantifying the real cost of cybersecurity tells us that if a service provider is compromised and customer data is stolen, customers will choose to leave for the competition. This is especially true in a market where competition is fierce and switching providers is easy. On the flip side, we hypothesise that customers will be more than happy to stick with a service provider that protects their sensitive data and continues to earn their trust. This is especially true when service providers make data security a visible and fundamental part of their service offerings.
Building the business case for cybersecurity investments is always a challenge. However, it is becoming increasingly clear that failing to invest in cybersecurity will impact revenue growth.
Disclaimer – This assessment is non-representative and considers a synthesis of insights across telecom, media and technology companies. This article aggregates data points for clarity.
Author: Shashi Samar – Infosys Consulting Partner
