(Reuters) — A spate of hacks at some of Australia’s biggest companies has made the country a target for copycat attacks just as a skills shortage leaves an understaffed, overworked cyber security workforce ill-equipped to stop them, technology experts said.
As Monday saw the disclosure of yet another potential breach of sensitive data — a ransomware attack on a communications platform for military personnel — cybersecurity experts put a wave of high-profile breaches down to a common factor: human error.
Between Australia’s No. 2 telecom company Optus, owned by Singapore Telecommunications Ltd., and the country’s largest health insurer, Medibank Private Ltd., about 14 million customer accounts have had their data hacked — equivalent to 56% of the population — since Sept. 22 alone.
The claim of workforce weakness points to a problem with no quick fix.
After COVID-19 border closures that ended at the end of 2021, Australian immigration officials say they are still dealing with a million visa applications from people who want to work in the country, many in technology and cyber security jobs for employers looking to fill vacancies overseas.
“They don’t have enough trained people to take it seriously and do what’s needed,” said Sanjay Jha, chief scientist at the University of New South Wales’ cyber security institute.
“Sometimes you check a box in an Excel spreadsheet and you don’t understand what you’re doing, and then the result is not good. You need people who are really skilled and properly trained.”
With hacking software easier to obtain online and the shift to working from home leaving more weak points in corporate networks, the number of data breaches has tripled globally in two years, according to cybersecurity industry research. This week, 37 countries, including Australia, will meet at the White House with the goal of tackling ransomware and other cybercrime.
The rise has sent shockwaves through corporate Australia, particularly because of the high visibility of the targets and the sensitivity of their data, including millions of medical records.
Experts said a steady stream of smaller breach notifications could be the result of hackers trying to match the success of others.
The Australian Cyber Security Center, a government agency, said breach notifications rose 13% to be worth a total of A$33 billion ($21 billion) in the year to June 2021, the latest figures available. The agency is expected to show a further increase when it publishes 2022 figures in the coming weeks.
Australian cyber security insurance premiums rose an average of 56% year-on-year in the second quarter, broker Marsh & McLennan Cos. Inc. said.
“It’s a rich country, a first-world country that does a lot of business, that has a lot of data, so that’s why it’s being targeted,” said Win-Li Toh, principal at actuarial firm Taylor Fry, which specializes in cyber security risk.
“Trying to hire people to defend your assets becomes more difficult because there just aren’t enough people coming out, and training will take one to two years.”
Companies are offering premiums of up to 50% on starting salary offers for cybersecurity workers because of a “deep talent shortage,” said Nicole Gorton, director of specialist recruiter Robert Half. The average Australian starting cyber security salary is A$105,000, according to jobs website Glassdoor.
Neil Curtis, an Australian cybersecurity manager for U.S. technology company DXC Technology Co., which runs a program to retrain military veterans in cybersecurity, said he had requests for about 300 trained personnel over the next six months.