Data breaches are costing Australian organisations dearly, IBM report reveals


IBM recently released its annual Cost of a Data Breach report, which reveals that the average cost of a data breach in Australia reached a record AUD$4.26 million (USD$2.77 million) in 2024. This represents a 27% increase from 2020.

The report also highlighted that Australian organisations remain most at risk from the same threats that were prevalent in previous years. Furthermore, because of the country's deep cybersecurity skills shortage, organisations are finding it difficult to mitigate these risks, despite being fully aware of them.

Phishing: the most common cyber attack

This year's IBM research shows:

  • Initial attack vectors: Phishing was the most common initial attack vector, accounting for 22% of breaches and costing organisations an average of AUD$4.35 million per breach. Stolen or compromised credentials followed at 17%, costing organisations an average of AUD$4.32 million per breach. The most costly breaches were caused by malicious insiders, costing organisations an average of AUD$4.91 million per breach and accounting for 8% of incidents studied.
  • Data breach life cycle: Australian businesses took an average of 266 days to identify and contain cyber incidents, eight days longer than the global average.
  • Gaps in data visibility: 32% of breaches affected data stored in multiple environments, including public cloud, private cloud, and on-premises systems. These breaches cost AUD$4.88 million on average and took the longest to identify and contain, at 301 days.
  • Detection and escalation costs: Detection and escalation costs remain the most expensive part of a breach, averaging AUD$1.65 million, followed by post-breach response costs and lost business.
  • Skills shortage costs: Organisations facing severe security staffing shortages saw breach costs averaging AUD$2.7 million higher than organisations with little or no security staffing issues.

AI and automation: a strategic advantage and a risk

The growing reliance on artificial intelligence and security automation to combat cybersecurity threats was also a key finding.

According to the report, 65% of Australian organisations surveyed use these technologies in their security operations centres. Companies that do not use AI and security automation face significantly higher breach costs, averaging AUD$5.21 million (USD$3.39 million), and take an additional 99 days to identify and contain breaches compared to those that widely use these technologies.

Katherine Robins, principal partner for cybersecurity services at IBM Consulting, said that while companies' awareness of common cyber threats is improving, attackers are also leveraging AI in ways that make those common threats still the biggest risks.

“New technologies have made possible the emergence of deepfakes that facilitate social engineering attacks,” Robins told TechRepublic. “People are falling victim to scams and phishing campaigns, leading to these data breaches. The lack of qualified cybersecurity professionals further exacerbates this problem.”


Skills shortages and gaps in understanding

Robins suggests that organizations can address critical skills shortages by supporting early-career cybersecurity professionals through mentoring programs and facilitating career changes with appropriate training and certifications.

In the meantime, there needs to be a clearer understanding of who should be responsible for cybersecurity. Increasingly, CISOs or CIOs are seen as having direct and personal responsibility for an organization’s cybersecurity.

But, as Robins said, some key nuances are missing.

“CISOs and CIOs are custodians of the budget they receive,” Robins said. “Holding them personally accountable becomes complex if organizations cut budgets that fund cybersecurity programs. Cybersecurity is an organization-wide responsibility, from the board on down, and accountability needs to reflect that.”

Robins added that more needs to be done to help drive cybersecurity awareness across the board.

“We are seeing cybersecurity appearing on the agenda of most boards as a priority,” Robins said. “Understanding of cybersecurity at the board level varies widely, but many programs and initiatives are targeted at board executives to educate them on the risks, such as those offered by AICD. Including your board in cybersecurity awareness training is also important.”

Government initiatives and their impact

At a national level, the Australian government has committed to promoting cybersecurity, and its Cybersecurity Strategy 2023-2030 is its overarching vision. Robins hopes to see risks better managed and the cost of breaches falling.

The 2024 Cost of a Data Breach Report noted that law enforcement involvement saved ransomware victims up to $1 million in breach costs.

“Cybersecurity is constantly evolving to meet the threat landscape,” Robins said. “We look forward to seeing how strategy updates are reflected in research, policy and compliance. Cybersecurity is everyone’s issue, and having the government lead from the top has been great for all Australians.”

Overall, while cybersecurity is an increasingly serious issue for Australian organisations and skills shortages are exacerbating this challenge, the highly strategic and national priority Australia is placing on improving conditions should help alleviate costs in the future.
