Critical infrastructure protection low on citizen agenda

Australians are increasingly concerned as cybersecurity incidents and data breaches continue to rise. However, when it comes to essential services such as water, gas or electricity, telecommunications, transport or hospital and health care, Australian consumers still value privacy just as equally as access to essential services.

A new survey by PwC Australia of over 2000 Australian consumers gained their insights on cybersecurity in relation to the country’s critical infrastructure assets and understand how it impacts their everyday lives.

According to the survey, Australians are just as concerned about a cyber attack involving their sensitive personal data being stolen (42%) as they are about a cyber attack that disables an essential service (41%). This is particularly pronounced among Australian youth with 42% of those aged 18–24 more worried about their personal data being stolen compared to 37% aged 65 and over.

In contrast, nearly half (47%) of Australians aged 65 and over were more concerned about an essential service being impacted by a cyber incident. Australians living in regional and rural areas rated continued access to essential services over data privacy compared to those in capital cities.

“The findings have shown that the protection of our essential services is low on consumers’ agenda — possibly due to a lack of understanding or losing sight of priorities," said Garry Bentlin, Cybersecurity Lead for Critical Infrastructure at PwC Australia.

“We all know how critical it is to protect our banks since they manage the flow of money between people and businesses, and we expect them to make cybersecurity their top priority. But imagine the uproar if our transport network that delivers essential goods was immobilised, or our power grids were attacked by cybercriminals, or if our hospital systems were hacked — and what if you had a family member in hospital at the time? It’s important for Aussies to understand the real-world impacts of these kinds of critical infrastructure attacks.

“We live in a rapidly evolving technology environment and every essential service relies on digitisation, making them vulnerable. While protecting personal data should be a major priority for organisations, it is also vital that they have safeguards in place for improved security and greater resilience against cyber attacks. The catastrophic possibility of a successful cyber attack on Australia’s critical infrastructure and the consequences of a breach go far further than financial loss. They include the potential for prolonged outages of essential services and, subsequently, impacts on health, safety and even national security,” Bentlin said.

Over 60% of survey participants said they would consider changing providers if they were impacted by a cyber attack that affected their essential service. For Gen Z and Millennials, this number soared to 77%, suggesting a lack of brand trust.

On the other end of the scale, this number dropped to 50% for respondents aged 65 and over, which may indicate that trust has been built over time. Sentiments between genders were similar; however, the numbers did vary between males and females aged 18–24. Nearly 80% of males aged 18–24 said they would consider changing providers if they were impacted by a cyber attack that affected their essential service, compared to 64% of females in the same age group.

When asked about essential service providers stopping supply because of a security incident, a total of 85% of respondents said providers should disclose cyber breaches so that they can choose to use another supplier in the future — 54% agreed providers should disclose this in all circumstances while 31% said if it was more than a temporary disruption. Cumulatively, 90% of Australians aged 65 and over indicated that providers should communicate security incidents to customers so that they have the option to change providers.

Bentlin said this expectation also goes to trust and transparency and supports the government’s position on disclosure of cybersecurity incidents.

Data modelling by PwC Australia estimated direct costs of cyber incidents to business to be approximately $10.1 billion with a loss of GDP through to 2031 to be $114.9 billion. According to the Australian Cyber Security Centre (ACSC), there was an increase of nearly 13% in cyber incidents in the last financial year.

“Cybersecurity threats are increasing and with Australians more connected than ever before, criminals are looking to exploit any vulnerabilities by accessing sensitive information and for financial gain. As cyber attack tools become more commoditised, operators of critical infrastructure are increasingly being targeted by a broader range of threat actors. The ACSC revealed that around a quarter of reported cybersecurity incidents affected critical infrastructure organisations. Australia’s essential services such as health care, energy and food distribution are a potential target for cybercriminals and any major disruption of these services would mean reputational damage and loss of trust, lost revenue and potentially harm or loss of life.

“Considering the increasing hostility of the threat environment, Australian consumers should take an interest in how organisations and the government are tackling cybersecurity and the need for greater protection of Australia’s ‘critical infrastructure assets’ and ‘systems of national significance’,” Bentlin said.

Image credit: ©stock.adobe.com/au/Blue Planet Studio