Biggest cyber security threat is non-reporting culture

Bernard Kellerman
The threat to Australia's cyber security is growing in severity, according to professional services firm Deloitte.

"Given there is no legislation for breach notification in Australia and that most organisations are focused on prevention as opposed to detection, there is significant under-reporting of cyber breaches in Australia," said Tommy Viljoen, Deloitte Cyber Risk Services Partner.

The reason that the US apparently has a greater proportion of reported cyber attacks against businesses is in part the much stricter breach notification rules in place in that jurisdiction, noted Deloitte partner Kelly Bissell, who leads the firm's global cyber practice.

Bissell also noted that the insider threat to large companies doubled from seven per cent in 2013 to 14 per cent in 2014. He warned against companies using a "box ticking" approach to sign off on compliance rather than thinking through a more realistic and cohesive approach based on the risk tolerance of each company.

The format of breach notification is a long way from being introduced; however, Bissell said Deloitte's clients were concerned about it, "but no one wants to be first".

He said that "at some point Australia will have breach notification. When the time is right they will apply it. The question is: to what extent will that breach notification apply?"

Kelly said the law in the US was set to be standardised, pushing towards complete transparency so that, where there is a breach, the customer would have to be notified within 30 days.

His colleague James Nunn-Price, who joined Deloitte in Australia recently to lead the firm's cyber practice and establish the Australasian arm of Deloitte's chain of Cyber Intelligence Centres, added: "This is different from the situation in the UK where a breach is reported to the regulator but is kept confidential. However if breaches occur a number of times then it's made public. The concern from business is, of course, that if people have to notify then they won't look."

Nunn-Price said the UK's biggest companies also wanted any rules on breach notification standardised across national borders, to avoid having to manage local rules in 100 different countries, as most large companies are multinationals.

Another area of opacity presented by the banking sector was the non-reporting of the cost of cyber breaches versus the cost of security spend to prevent those events, meaning that investors had no way of assessing the effectiveness of any firm's approach to this threat.

At the other end of the spectrum are the smaller mutual banks and wealth management firms that might have just a couple of partners, a few staff and around 300 clients. The Deloitte team suggested that a firm like that would struggle to effectively counter cyber security risk and, even if cyber insurance could be bought, it would be unlikely to do more than cover part of the damage caused by a breach.