CIO

Cybersecurity incidents could cost Australia $29 billion a year

And that’s just the direct cost, says Microsoft

The potential direct economic loss from cybersecurity incidents for Australian businesses is AU$29 billion per year, according to a Microsoft-commissioned report by Frost & Sullivan.

Direct costs were defined as tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.

The figure – equivalent to almost two per cent of Australia’s gross domestic product – was estimated based on survey data, market research, historical data, and accumulated observations of the industry over the last few years.

The finding comes from a report, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, the key figures of which were released today.

Despite the huge direct cost, the actual ‘economic loss’ is even higher, Microsoft said. A large-sized organisation with more than 500 employees in Australia can incur an economic loss of AU$35.9 million if a breach occurs, it claimed.

The ‘economic loss’ was calculated in the report from direct costs, indirect costs (which include customer churn and reputational damage) and induced costs (the impact of a cyber breach on the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

“Although the direct losses from cybersecurity breaches are most visible, they are just the tip of the iceberg,” said Edison Yu, Asia Pacific head of enterprise for Frost & Sullivan.

“There are many other hidden losses that we have to consider from both the indirect and induced perspectives, and the economic loss for organisations suffering from cybersecurity attacks can be often underestimated,” he added.

The report includes a survey of 100 Australian senior IT executives and business decision makers working in a range of sectors.

It found more than half (55 per cent) of the 100 organisations surveyed locally have experienced a cybersecurity incident in the last five months, while one in five companies were not sure whether they had had one, as they had not performed forensics or a data breach assessment.

The lack of awareness was “surprising”, said Microsoft director of corporate, legal and external affairs Tom Daemen, “given the frequency of attacks and suggests a need for greater awareness and a cultural shift in how we manage and think about data”.

The report also found that the perceived risk of cyber incidents was slowing companies’ digital transformation efforts, with two thirds saying they had put off initiatives due to “the fear of cyber-risks”.