SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Cybersecurity reporting will need to be a seamless business process in 2020
Thu, 13th Feb 2020
FYI, this story is more than a year old

While Australia now has in place mandatory data breach laws, it appears many organisations are consistently underreporting the number and nature of cyberattacks they are suffering.

The issue was highlighted in a recent survey of IT professionals in Australia and around the globe. The State of Cybersecurity 2019 survey, conducted by ISACA and sponsored by HCL Technologies, found 75% of respondents believe that reporting of instances of cybercrime is being intentionally suppressed. More concerningly, 50% of respondents believe that most cybercrime is underreported, even where organisations are legally required to do so.

The laws, which came into effect in February last year, require many organisations handling personal information to report data breaches if they are likely to result in serious harm. While reports are being made, it seems the number doesn't accurately reflect what is really going on.

These results are a significant concern for both governments and the business sector. Any misrepresentation of the levels of cybercrime occurring could result in under preparedness, disruption and losses.

More work needs to be done to improve response capabilities and ensure core systems remain protected at all times.

Threat types remain consistent 

While reporting of incidents may be in inaccurate, there is consistency when it comes to the types of threats being faced. The top identified threat actor in this year's survey were cybercriminals, nominated by 32% of respondents. This compares with 33% who placed this threat first last year.

Second was hackers, nominated by 23% of respondents (23% last year) and non-malicious insiders, nominated by 15% (14% last year).

Among respondents in the Asia-Pacific region, more than a fifth (21%) indicate they have seen an increase in hacktivist attacks, compared with 13% globally. In this region, hackers and cybercriminals remain the biggest threats, nominated by 41% and 49% of respondents respectively.

When it comes to the types of threats being experienced, phishing attacks are most prevalent, being nominated by 44% of respondents. This was followed by malware (31%) and social engineering (27%). Of the AsiaPac respondents, almost a third (32%) say they have experienced APT attacks which is higher than the global figure of 20%. SQL attacks are also higher in AsiaPac, reported by 17% of respondents, compared with 10% globally.

These results show a degree of consistency over time. It should also provide some comfort for cybersecurity professionals as they can be relatively certain that any attacks occurring in the near future are likely to be of these types. This means that security measures in place should be able to provide required protection.

Asked whether they expect their organisation to be the target of a cyberattack this year, 60% of survey respondents say this is ‘likely' or ‘very likely'. Just 5% believe it is ‘unlikely' or ‘very unlikely' to happen.

Ability to respond

With the number of cyberthreats continuing to increase, it is interesting to gain an insight into how prepared organisations believe they are to respond. Of those surveyed, only 7% say they are ‘extremely confident'. A further 27% consider they are ‘very confident' with more than a third (37%) saying they are only ‘somewhat confident'.

These results are concerning as they illustrate a lack of confidence in the ability to deal with cyberattacks if or when they occur. Clearly more work needs to be done to improve response capabilities and ensure core systems remain protected at all times.

Strategic planning

Overall, the survey shows work remains to be done when it comes to cybersecurity preparedness. The rising number of attacks means extra vigilance is required and staffing and budgetary levels must at least be maintained if not increased.

There is also a need for improvement when it comes to reporting. If attack numbers are being intentionally underreported, it makes effective strategic planning very difficult. Staying quiet may seem like the best option now, but it could come back as a bigger problem in the future.