If you have an Optus phone, you might have gotten a not-so-pleasant note recently. Australia’s second-largest telco revealed it was the victim of a cyberattack that may have compromised 1.2 million customer records filled with personal information. Think names, dates of birth, addresses, phone numbers and driver’s license numbers. The company said customers’ payment details and passwords weren’t affected.
The Optus data breach was a sticky situation and ironically happened a week before Cybersecurity Awareness Month. So, we called on the experts at ESET to explain how expensive data breaches are — and what we can do to avoid following in Optus’ unlucky footsteps.
How costly are company data breaches?
Answer: very. Data breaches can affect a business’ bottom line in a devastating way.
On a global scale, a data breach cost companies an average of USD$4.35 million, according to IBM’s 2022 Cost of a Data Breach report. Stolen or compromised credentials were the most common way in, and breaches that start that way are also the slowest to spot: 327 days on average to identify and contain. They’re more expensive, too, at roughly USD$150,000 above the average breach.
The report also confirmed that ransomware is on the rise: ransomware’s share of breaches grew 41% in a year, and these attacks cost around USD$430,000 more than other breaches to deal with. Forty-five percent of breaches involved data held in the cloud, and organisations running a hybrid cloud model fared better (lower average cost) than those on a purely public or purely private cloud.
The faster you detect and contain a breach, the less it costs. Organisations that had fully deployed security AI and automation paid about USD$3 million less per breach and contained it 74 days sooner than those with none. Preparation pays off as well: companies with an incident response team that regularly tests its plan saved USD$2.66 million on average.
What can we learn from Optus’ data breach?
As a business owner, you’re probably looking at the telco’s breach, one of the largest in Australia’s history, and thinking “I hope that doesn’t happen to me.” There are some clear lessons to take from it. Here’s how companies can reduce the chance of a data breach, and the damage if one happens:
1. Password security is essential
Use a complex, unique password for every single account. A password manager (vault) can generate and store them for you; if you don’t use one, aim for at least 12 characters with a mix of lowercase and uppercase letters, numbers and symbols. It should be hard to guess and contain no identifying information, such as your child’s or pet’s name or a date of birth. Remember that the details exposed at Optus, names, dates of birth and addresses, are exactly what attackers feed into password guessing and security-question resets.
Along with strengthening passwords, switch on multi-factor authentication (MFA) wherever it’s offered. With MFA on, a login needs your username and password plus one more proof of identity, such as a one-time code from an authenticator app or sent to your phone, before you get in. Some services instead fall back to security questions; treat those as the weakest option, since the answers are often discoverable, and prefer an app-generated code or a hardware security key where the choice exists.
2. Back up your data, regularly
That way, if you do fall victim to a breach, or to ransomware that locks your files, you can recover your data quickly and limit the losses. Rebuilding data without a backup is expensive and slow, so you want to be able to bounce back and keep the business operating.
Maintain at least two backups: one on a physical external drive that you disconnect once the backup finishes, so malware on the computer can’t encrypt it too, and one in a cloud service with access controls and MFA enabled on the account. If your company has a remote or hybrid working model, write regular backups into your IT policy. It’s also important for team members to keep the laptops, phones and other devices they use for work physically secure and up to date.
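A backup that has never been restored is a hope, not a backup. The block below is an added example written for this article, not ESET’s or any vendor’s code. It makes a timestamped, checksummed archive of a folder, then proves the archive can be restored and that every restored file matches the original, and shows what the check reports when the archive has been corrupted or the live data has changed since the backup ran. The folder and files it creates are constructed sample data; the names `customer-records`, `invoices` and `notes.txt` are assumptions for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example for this article (not ESET's code). Stdlib only, runs offline.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield only archive members that land inside dest (blocks '../' entries)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target == dest or dest in target.parents:
            yield member


def make_backup(src: Path, dest_dir: Path) -> tuple:
    """Write a timestamped tar.gz of src into dest_dir plus a .sha256 sidecar;
    return (archive path, digest). The digest is what you keep to detect tampering."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    digest = sha256_file(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_restore(archive: Path, expected_digest: str, original: Path) -> bool:
    """Check the archive digest, restore into a scratch directory, and compare
    every restored file's hash with the live copy. False means either the
    archive is damaged or the live data has drifted since the backup."""
    if sha256_file(archive) != expected_digest:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch_path, members=_safe_members(tar, scratch_path))
        return snapshot(scratch_path / original.name) == snapshot(original)


def demo() -> dict:
    """Build a constructed sample folder, back it up, and exercise the checks."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "customer-records"          # assumed folder name, constructed data
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2022-09.csv").write_text("id,amount\n1,42.00\n2,17.50\n")
        (src / "notes.txt").write_text("constructed sample data, not real records\n")
        dest = work / "backups"
        dest.mkdir()

        archive, digest = make_backup(src, dest)
        results = {"verified": verify_restore(archive, digest, src)}

        # Live data changed after the backup: the restore no longer matches it.
        (src / "notes.txt").write_text("edited after the backup ran\n")
        results["drift_detected"] = not verify_restore(archive, digest, src)

        # Corrupt the archive: the digest check fails before any restore is attempted.
        with archive.open("r+b") as f:
            f.write(b"\x00\x00")
        results["corruption_detected"] = not verify_restore(archive, digest, src)
        return results


if __name__ == "__main__":
    print(demo())
```

Schedule something like this to run, and to report the result of `verify_restore`, rather than only checking that the backup job exited cleanly; a job that silently produces an unreadable archive every night is the failure mode that only shows up on the day you need it.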
Restrict access to the data as well. Employees should only be able to reach the files, platforms and software they need to do their jobs; the fewer accounts that can see a record, the fewer ways it can leak.
3. Accept all software updates
Software vendors watch for vulnerabilities in their products and release patches to fix them. It’s a constant cycle, which is why update prompts appear so often. Attackers read the same advisories and start probing for unpatched systems quickly, so say yes to those notifications as soon as they appear. Take the opportunity to stretch or grab a coffee while your computer reboots; the patch isn’t in effect until the restart completes.
You can enable auto-updates so you never miss one, or set up your applications to update overnight or outside of business hours.
4. Set up cybersecurity training
Here’s an unfortunate truth: most data breaches can be traced back to human error. The problem has grown with remote work, where employees are largely left to fend for themselves at home, however “computer savvy” they are. A staff member might open a phishing email and, by following its link or attachment, install malware on their company computer.
It’s a good idea to run a training session that walks employees through best practices and lets them ask questions. Cover password security, setting up MFA, choosing the strictest privacy settings on platforms like Slack and Zoom, and how to spot suspicious sites or emails: a sender address that doesn’t match the name shown, a reply address on a different domain, a link whose visible text doesn’t match where it actually points, and pressure to act immediately. Make it clear how to report a suspected phishing email, and that reporting a mistake quickly will never be punished; as the IBM figures show, time to detection is what drives the cost. Staff should also use work devices for work only, and turn off microphones and cameras when they’re not in use.
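The phishing tell-tales that training teaches people to spot can also be checked mechanically, which is useful for a mail-filter rule or for showing staff what “look at where the link really goes” means. The block below is an added example written for this article, not ESET’s or Optus’s code. It parses a raw email, compares the From and Reply-To domains, looks for pressure language in the subject, and flags links whose visible text is a URL on a different host than the real destination. Both messages are constructed samples using reserved example domains; the brand name “Acme Telco” and all addresses are made up for the demonstration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example for this article (not ESET's or Optus's code). The two messages
# are constructed samples; every domain is a reserved example.* name.

SUSPICIOUS_EMAIL = """\
From: "Acme Telco Billing" <billing@acme-telco-secure.example.net>
Reply-To: collections@mailrelay.example.org
To: accounts@smallbiz.example.com
Subject: URGENT: your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your last payment failed. Verify your details now to avoid suspension.</p>
<p><a href="http://acme-telco-secure.example.net/verify">https://www.acme-telco.example.com/account</a></p>
</body></html>
"""

LEGITIMATE_EMAIL = """\
From: "Acme Telco Billing" <billing@acme-telco.example.com>
To: accounts@smallbiz.example.com
Subject: Your September invoice is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice for September is available in your account.</p>
<p><a href="https://www.acme-telco.example.com/invoices">View invoice</a></p>
</body></html>
"""

# Pressure language is an indicator, not a verdict: legitimate mail uses it too.
URGENCY = re.compile(r"\b(urgent|immediately|suspend\w*|within 24 hours|act now)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def header_domain(msg, name: str) -> str:
    """Domain of the first address in an address header, or '' if absent."""
    header = msg[name]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = header_domain(msg, "From")

    # 1. Replies quietly redirected to a domain other than the sender's.
    reply_to = header_domain(msg, "Reply-To")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    # 2. Urgency or threat in the subject line.
    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append("subject uses pressure language")

    # 3. Link text that displays one address while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            shown, actual = host_of(text), host_of(href)
            if text.lower().startswith(("http://", "https://")) and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label + ":", phishing_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is malicious, and a well-crafted phish can pass all three; the point for training is that each indicator is something a person can see for themselves by hovering over a link or reading the real sender address, and that two or three together should trigger a report rather than a click.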
5. Come up with an incident response plan
The next step is a “what if” plan, known in cybersecurity as an incident response (IR) plan. If you have the resources, engage an IT or security professional to write one covering how to respond to a range of incidents, including data breaches: who is called first, who can decide to take systems offline, where the backups are and how affected customers are notified. Test the plan regularly (a tabletop walk-through of a realistic scenario is enough to start) and fix the weaknesses the exercise exposes.
6. Invest in multi-layered protection
Antivirus software alone won’t protect a business against data breaches. To defend your company and its data properly, look for layered protection that covers internet and email security, firewalls, content filtering and defences against malware, ransomware and phishing. Ideally, include smartphones and IoT devices, with a product such as ESET NETPROTECT, so every device and operating system your staff use is covered.
Designed for enterprises, ESET PROTECT Platform prevents, detects and responds to threats in real time. It leverages ESET’s award-winning technologies to offer full-spectrum prevention, including cloud app security, authentication and encryption. It also provides endpoint protection, which is key if you have employees working remotely from devices that “talk” to each other.