The Optus data breach has left the personal information of millions of customers exposed – and new information is still coming to light about exactly what information is out there.Not to mention, who will use it and for what purposes.Optus CEO Kelly Bayer Rosmarin issued a heartfelt apology – but she also said the company is not “the villain” and urged customers to be on high alert .As Optus customers vigilantly avoid clicking links and figure out whether they need to replace their drivers licences , the data breach also revealed corporate governance issues around cyber security.”Responsibility for the security breach rests with Optus, and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Home Affairs Minister Clare O’Neil told question time on Monday.But Optus isn’t the only company that should be on notice.
“The truth is that what has occurred over the last week has been a wakeup call for corporate Australia,” Deputy Prime Minister Richard Marles said on Tuesday.”Cyber security is right there in the top echelon of issues which face corporate Australia … and we need to be doing everything we can to make sure that protection is in place.” There have been warning signs that company boards are not well equipped to deal with the risks that come with constantly evolving technology and cyber security risks.
In May, the Australian Securities & Investments Commission successfully prosecuted a company for a data breach as a result of failure to manage its cybersecurity risks – it was the first time this happened in Australia.”Boards need to realise that the new digital landscape is something they have to be prepared for,” CEO of the Governance Institute of Australia Megan Motto told The Drum.Megan Motto agrees that the Optus data breach is a massive wakeup call for Australian companies big and small and it “should strike fear in the hearts of all directors and senior managers.” “They need to have digital literacy in the same way that the Enron scandal forced company directors to wake up to financial literacy.” The Governance Institute of Australia recently released the results of a survey that showed an overwhelming majority of respondents believe a company board should be involved in technology and cyber issues — 94 per cent.However a third of respondents believed their organisation’s board lacked the ability to deal competently with these issues — 34 per cent.
Almost half of respondents believed their organisation’s management and protection of data was average — 41 per cent — or poor — five per cent.”We expect [the Optus data breach] will galvanise organisations that are dragging the chain on this very serious – and real – risk,” Ms Motto said.The Governance Institute of Australia is not the only one pointing the finger at Australian companies.
From the University of New South Wales, an analysis of cyber security skills of ASX 100 company directors found that less than on per cent have cyber experience, only 16 per cent have technology experience.An alarming 80 per cent of boards have neither cyber or technology backgrounds.”Company directors need to assess cyber security just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders,” said Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber.In 2021, the Department of Home Affairs released a d iscussion paper that highlighted weaknesses in Australian cyber security regulations and incentives.A submission by a major Australian telco, Telstra , outlined a couple of key factors preventing companies from adopting cyber security best practice: “A confirmation bias (it won’t happen to me) leading to apathy in seeking to understand and mitigate the risk of an attack, or … not knowing where to start.” “Many organisations are emerging from more than two crisis years,” Ms Motto said.”But the pandemic accelerated the use of technology, and in many respects increased the risk of data and privacy breaches.” “Issues such as data governance need to be brought back into the spotlight as a matter of urgency.” Also, data security is expensive, and boards need to see the value in investing in cyber security.
“With the Optus case, we have highly sensitive data and effecting a third of Australians,” Ms Motto told The Drum.”We have a reputational risk involved and a big financial risk involved – it should be seen through that lens.”.