By Byron Kaye and Lewis Jackson
SYDNEY (Reuters) – A swathe of hacks on some of Australia's biggest companies has made the country a target for copycat attacks just as a skills shortage leaves an understaffed, overworked cybersecurity workforce ill-equipped to stop it, technology experts said.
As Monday saw the disclosure of another potential breach of sensitive data – a ransomware attack on a communication platform for military personnel – cybersecurity experts put a wave of high-profile breaches down to a common factor: human error.
Between Australia's No. 2 telecoms company Optus, which is owned by Singapore Telecommunications Ltd, and the country's biggest health insurer, Medibank Private Ltd, some 14 million customer accounts have had data hacked – equivalent to 56% of the population – since Sept. 22 alone.
The workforce weakness assertion points to a problem with no quick fix.
After COVID-19 border closures which ended in late 2021, Australian immigration officials say they are still working through one million visa applications from people seeking to work in the country, many in technology and cybersecurity jobs for employers looking to fill vacancies abroad.
"They don't have enough trained people to take it seriously and do what is needed," said Sanjay Jha, chief scientist at the University of New South Wales institute for cybersecurity.
"Sometimes you're ticking a box in an Excel spreadsheet and you don't understand what you're doing, and then the outcome is not going to be great. You need people who are really skilled and trained properly."
With hacking software easier to acquire online and the shift to working from home leaving more weak spots in company networks, the number of data breaches has tripled globally in two years, according to cybersecurity industry research. This week 37 countries, including Australia, will meet at the White House with the goal of tackling ransomware and other cyber crime.
The uptick has sent shockwaves through corporate Australia in particular due to the high visibility of targets and the sensitivity of their data, including millions of medical records.
Experts said a steady stream of smaller breach notifications may be the result of hackers seeking to match others' success.
Government agency the Australian Cyber Security Centre (ACSC) said the number of breach notifications rose 13% to be worth a total A$33 billion ($21 billion) in the year to June 2021, the most recent available figures. The agency is expected to show another increase when it publishes 2022 figures in the coming weeks.
Australian cybersecurity insurance premiums rose by an average of 56% year-on-year in the second quarter, said insurer Marsh & McLennan Companies Inc.
"It's a rich country, a first-world country that does a lot of business, that has a lot of data, so therefore it is targeted," said Win-Li Toh, principal at actuary firm Taylor Fry, who specialises in cybersecurity risk.
"Trying to employ people to defend your assets is getting harder because there just aren't enough people coming out, and education will take one to two years."
Companies are offering premiums of up to 50% on starting salary offers for cybersecurity workers due to a "deep talent deficit", said Nicole Gorton, a director at specialist recruiter Robert Half. The average Australian cybersecurity base salary is A$105,000, according to jobs website Glassdoor.
Neil Curtis, an Australian cybersecurity executive of U.S. technology contractor DXC Technology Co, who runs a programme retraining military veterans in cybersecurity, said he had requests for about 300 trained personnel in the next six months.
Curtis said an official at DXC Technology had recently relayed to him a private request for cybersecurity staff for one of Australia's biggest companies.
"I said, 'How many do you want?'," he told Reuters by phone.
"They said, 'We'll take everybody you've got'."
($1 = 1.5584 Australian dollars)