Businesses worried but complacent about cyber attacks - Aura Infosec
Article by Aura Information Security Australia country manager Michael Warnock
Almost a third of Australian businesses report having been targeted by cyber-criminals in the past twelve months, and more than a third expect to become a target in the coming year.
What’s more, 40% of businesses say their employees receive between one and five phishing or ransomware attacks every quarter, and a further 30% say the number is higher — as many as ten per quarter.
The situation is pretty bad, and most businesses think it’s only going to get worse in the year ahead, according to research commissioned by Aura Information Security.
Little fear of financial impact
Given these numbers, and the potential for serious financial losses in the event of a cybersecurity breach, one might think that Australian businesses were fully on board with doing whatever had to be done to mitigate harm.
Unfortunately, that is not always the case.
While the majority of businesses have some sort of structure in place to keep the board and senior management apprised of security issues, one-fifth of IT professionals report that senior managers do not regard cybersecurity as a key concern.
As anyone will tell you, buy-in from senior management is essential for any company-wide process.
Complacency on cybersecurity from management puts the whole organisation at risk.
What’s worse, almost half of businesses allocate less than 10% of their IT budget to security, while a further quarter raise the bar to a mere 15%.
For something like data security — which can be an existential issue for some companies — these numbers are frighteningly low.
The slow tide of rising importance
Local research has found three-quarters of business leaders report more of the IT budget will go to security in the coming year.
But will that be enough?
Consider that the vast majority — 79% — of businesses leaders believe they have put in place the necessary tools and processes to train employees in security awareness to fend off phishing attacks and the like.
However, only 47% are confident that the processes they have in place will actually prevent a breach.
As organisations get larger, the likelihood that they have such processes increases, but so too does the likelihood of phishing and ransomware attacks.
More employees might bring a greater awareness of the need to mitigate risk, but they also bring more potential victims of targeted attacks.
Clearly, the money being invested in training and other processes is not buying confidence.
Distance doesn’t equal defence
Australia is geographically isolated, but of course, cybercriminals know no borders and are not hampered by oceans.
Wherever the Internet goes, so do they.
Even so, almost a quarter of Australian businesses regard local companies as not as big a target as similar companies in other countries (the remainder regard Australia as either as large a target or larger).
It is unsurprising, then, that 40% of businesses see Australia as lagging behind the rest of the world when it comes to implementing good cybersecurity practices.
The global nature of digital business means that four out of 10 Australian businesses have reporting requirements under the European Union’s General Data Protection Regulation (GDPR), which compels organisations that handle data of European citizens to have in place technical and organisational measures to protect that data and to notify people of data breaches.
Of those, 80% say they are prepared to notify clients and could do so within 48 hours of a breach being detected.
Australia’s own regulatory regime is also bringing a focus on data protection, in the form of the Notifiable Data Breaches (NDB) Scheme, introduced earlier this year and having a similar effect.
Prior to the introduction of the NDB, only 59% of businesses said they would have reported a security breach to customers.
Now that it is in place, 71% say they believe their business is supportive of it.
Given the potentially catastrophic financial implications of a cyber breach — not to mention the loss of trust that would follow if customer data were compromised — one might expect businesses to come to the security party out of pure self-interest, and some are.
As for the rest, legislation will simply have to drag them along.