IBM recently released its annual Cost of a Data Breach report, revealing that the average cost of a data breach in Australia reached a record-high of AUD $4.26 million (USD $2.77 million) in 2024. This represents a 27% increase since 2020.
The report also highlighted that Australian organizations continue to be most threatened by the same threats that dominated in previous years. Furthermore, with a deep cyber security skills crisis in the country, organizations are finding it difficult to mitigate the risks, despite being well aware of them.
Phishing: Most Common Cyber Attack
IBM’s research this year shows:
- Initial attack vectors: Phishing was the most common initial attack vector, accounting for 22% of breaches and costing businesses AUD $4.35 million per breach on average. Stolen or compromised credentials followed at 17%, with an average cost of AUD $4.32 million per breach. The costliest breaches were caused by malicious insiders, averaging AUD $4.91 million per breach and representing 8% of incidents studied.
- Data breach lifecycle: Australian companies needed an average of 266 days to identify and contain cyber incidents — eight days longer than the global average.
- Data visibility gaps: 32% of breaches involved data stored across multiple environments, including public cloud, private cloud, and on-premises systems. These breaches cost AUD $4.88 million on average and took the longest to identify and contain at 301 days.
- Detection and escalation costs: Detection and escalation costs remain the most expensive part of a breach, averaging AUD $1.65 million, followed by post-breach response and lost business costs.
- Skills shortages cost: Organizations facing severe security staffing shortages saw breach costs that were, on average, AUD $2.7 million higher than those at organizations with minor or no security staffing issues.
AI and automation: A strategic advantage and risk
The growing reliance on security AI and automation to combat cybersecurity threats was also a key finding.
According to the report, 65% of Australian organisations surveyed use these technologies within their Security Operations Centres. Companies that don’t use security AI and automation face significantly higher breach costs, averaging AUD $5.21 million (USD $3.39 million), and take an additional 99 days to identify and contain breaches compared to those extensively using these technologies.
Katherine Robins, lead partner for Cybersecurity Services at IBM Consulting, said that while companies’ knowledge of common cyber threats is improving, attackers are also leveraging AI in such a way that those common threats remain the biggest risks.
“New technologies have enabled deepfakes that make it easier to socially engineer attacks,” Robins told TechRepublic. “People are falling prey to scams and phishing campaigns, leading to these data breaches. The skill shortage of qualified cybersecurity professionals further exacerbates this issue.”
Skill shortages and gaps in understanding
Robins suggests that organizations can address critical skill shortages by supporting early professionals in cyber security through mentorship programs and facilitating career pivots with appropriate training and certifications.
Meanwhile, there needs to be a clearer understanding of where responsibility for cyber security should lie. Increasingly, CISOs or CIOs are being held directly and personally responsible for the cyber security of an organization.
But as Robins said, that’s missing some key nuances.
“CISOs and CIOs are custodians of the budget they receive,” she said. “Holding them personally accountable becomes complex if organizations cut budgets that fund cybersecurity programs. Cyber security is an organizational-wide responsibility from the board down, and accountability should reflect that.”
Robins added that more needs to be done to help drive full cybersecurity awareness across the board.
“We are seeing cyber security appear on most board agendas as a priority,” she said. “The understanding of cyber security at the board-level varies greatly, but many programs and initiatives target board executives to train them on the risks, such as those offered by AICD. Including your board in cybersecurity awareness training is also important.”
Government initiatives and their impact
At a national level, the Australian government is committed to furthering cyber security, with the 2023-2030 cybersecurity strategy as its overarching vision. Robins hopes that the risks will be better managed and that the cost of breaches will ease.
The 2024 Cost of a Data Breach Report noted that involving law enforcement saved ransomware victims as much as US $1 million in breach costs.
“Cyber security is ever-evolving to meet the threat landscape,” Robins said. “We look forward to seeing strategy updates cascade down into research, policies and regulatory compliance. Cyber security is everyone’s problem, and having the government drive this from the top has been great for all Australians.”
Overall, while cyber security represents a deepening problem for Australian organizations, and the skills shortage is exacerbating this challenge, the highly strategic and national priority that Australia is placing on improving conditions should help ease costs in the future.