Guidewire Cyence: Ready to Take on Australian Cyber Risks, Part 2
This has been a bumper year for cyber attacks. Given the Optus and Medibank hacks, I’m sure everyone I know has been affected in some way. Even if it's only anxiety provoked by unknown and potentially long-term consequences, it’s something we can all do without. Since the attacks, the Australian government has proposed and enacted stronger laws to help detect fraud and to provide incentives and penalties as a mechanism to improve organisations' cyber security measures.
Before discussing the 2022 Australian Cyber Security Centre (ACSC) report, it’s worth discussing a couple of aspects of what the government is trying to achieve with the updated laws. First, the new penalties are designed to make it more cost effective to implement good security than to pay the penalty for a breach. With Guidewire Cloud, you get this aspect of security included, as discussed in James Dolph and Mark Sayewich’s excellent blog articles “How We Approach Security in Guidewire Cloud”, parts 1 and 2. Our co-founding membership of the Critical SaaS Special Interest Group (CSaaS SIG) is another example of our commitment to ongoing improvements in SaaS security, not just for Guidewire, but across the industry.
Second, you can’t compromise what isn’t there, and the new legislation encourages organisations to retain only the Personally Identifiable Information (PII) they need, and to destroy PII as soon as it’s no longer required. To this end, Guidewire provides extensible personal data destruction capabilities in our core solutions. Driven initially by the need to help our insurers in Europe comply with the European General Data Protection Regulation (GDPR), it became a flexible solution to address the needs of any insurer wanting to get the jump on new privacy regulations. The approach includes pre-identified personal information in the data model and processes to purge or obfuscate it, and it is flexible enough for customers to configure to support their own extensions.
The report provides an overview of cyber threats impacting Australia, how the ACSC is responding, and advice for Australian organisations to protect themselves online. Some of the highlights of the updated cyber security report are:
Cyber being increasingly used as an act of warfare
Ransomware continuing as the most destructive cybercrime
Increasing number of attacks on critical infrastructure which were fortunately defended against in Australia
Most successful attacks scan for unpatched vulnerabilities as an entry to higher value targets
Looking at the specific metrics I discussed in part 1, you can see there has been another 13% increase in cybercrime reports, the same percentage increase as seen from 2020 to 2021.
Interestingly, it seems Queensland has the highest rate of cybercrime per capita. Maybe we’re too trusting here.
The biggest increases in cybercrime were seen in fraud (up almost 4%) and investment scams (doubling from 6% to 12%). While ransomware remains a small proportion of all cybercrimes, the report highlights that it continues to be the most destructive, as it has a wide impact on disruption and reputation across organisations and the general public.
If you compare the figures below with those in the previous report, it looks like the loss per incident has increased massively. However, this year's report changed the method of calculating loss so that it reflects only those incidents that resulted in a financial loss. Even so, this represents a 14% increase over 2021, making cybercrime losses in the 2022 financial year almost $38 billion.
So in concluding this post and the year, remember that:
Guidewire Cloud is built with security in mind
InsuranceSuite is designed to support protection of PII
Cyence helps insurers quantify cyber risk and help their customers understand and protect themselves against cyber threats
Have a safe and happy Christmas and avoid the inevitable Christmas-related scams.