Published on the 28/09/2022 | Written by Heather Wright
As Optus experiences shattering of digital trust…
Companies are spending a lot of time on digital transformation, but they may be missing a key aspect without which the benefits of DX can’t be fully realised.
And that oh-so-important key aspect? Digital trust.
That’s one of the key takeouts from the inaugural State of Digital A/NZ research from IT professionals industry association ISACA, which says digital trust needs to be a top priority in digital transformation work.
“Digital trust is the bedrock of business relationships, and is critical for strategic digital transformation,” says David Samuelson, ISACA chief executive officer. “Innovation, market leadership and financial performance rely heavily on trust that must be earned every day.”
The research found that Australian and New Zealand businesses are in agreement on the importance of digital trust, with 95 percent agreeing that digital trust, defined by ISACA as the confidence in the integrity of relationships, interactions and transactions within a digital ecosystem, is important. Walking the talk is proving more problematic, however: just 12 percent of organisations had a dedicated staff role for digital trust.
That lack of focus is leaving businesses vulnerable to some serious risks, ISACA says, including reputational, regulatory and financial repercussions.
Survey respondents are aware of those risks, outlining consequences including reputation decline (68 percent across A/NZ vs 62 percent globally), more privacy breaches (73 percent vs 60 percent globally), more cybersecurity incidents (71 percent vs 59 percent), lost customers (51 percent vs 56 percent), less reliable data for decision-making (56 percent vs 53 percent globally), a negative impact on revenue (40 percent vs 43 percent globally) and a slower ability to innovate (33 percent vs 36 percent globally).
Loss of trust and reputational damage – and a few others on that list – are things Optus is likely to be feeling only too acutely, following a massive hack of its systems last week which saw the personal information of 9.8 million people compromised.
The telco, whose CISO Siva Sivasubramanian left in August, is already facing a potential class action, with one of Australia’s largest consumer law firms, Slater and Gordon, investigating launching action on behalf of Optus customers. The federal government, too, has waded into the fray, flagging regulatory changes on the back of the breach.
In an email to customers on Friday, Optus said no financial information or passwords had been accessed, but names, dates of birth, emails, phone numbers, addresses and the numbers of ID documents, such as driver’s licenses or passports, were exposed.
Details for 10,000 Optus customers have reportedly been released by an online poster claiming to be the hacker, with a threat that more batches of information will be released each day unless demands – believed to include a AU$1.5 million ransom – are met.
Australian Federal Police are investigating, while Home Affairs minister Clare O’Neil has laid blame completely at Optus’ feet, saying the breach is of a nature that we shouldn’t expect to see in a large telco provider in Australia, and saying ‘substantial’ cyber reforms – likely with substantial fines attached – are going to emerge from the breach.
“One significant question is whether the cybersecurity requirements that we place on large telecommunications providers in this country are fit for purpose,” O’Neil says.
“I also note that in other jurisdictions a data breach of this size would result in fines of hundreds of millions of dollars.”
While Optus has called the breach the result of a ‘sophisticated’ cyber attack, O’Neil has claimed the telco ‘left the window open’ to a ‘basic’ hack. Others have suggested the breach occurred when the company left open an API, revealing customer data to anyone visiting the API – no hacking required.
The cause and means of the breach are likely of little interest to the millions of people caught up in the debacle, and whose trust in Optus is likely shattered. Alongside the breach itself have come complaints about Optus’ management, particularly on the communications side, with some complaining they hadn’t been notified, and others unhappy over ‘condescending’ damage control efforts.
Security, data integrity and privacy were the top three most important components of digital trust according to the ISACA report, but half of respondents said there was insufficient collaboration among professionals in these and other digital trust fields within their organisation.
And as Optus, along with many other companies, is discovering only too clearly, just one breach of digital trust can have devastating repercussions including reputational, regulatory and financial. Yet only 71 percent of those surveyed said their organisation prioritises digital trust at a significant level.
For those companies keen to improve their digital trust maturity, ISACA recommends understanding what you want to accomplish and learning how digital trust can contribute; outlining the desired state and developing a road map to achieve it; and focusing on a mindset of continuous improvement as it relates to security, quality, reliability, compliance and customer experience.