More than two-thirds of Australian organisations suffered at least one security breach or incident in the past 12 months, according to CompTIA. And these types of data breaches cost Australian businesses an average of $3 million.
Big and alarming numbers, yet proof of the harsh reality all businesses operate in: no matter how secure you think your company is, we are all vulnerable to cyber-attacks.
Despite increasing investments in security systems, research from the Australia Cyber Security Centre shows only 37% of businesses regularly review their cyber-security incident response plans.
If we accept cyber-crime as ever changing, Australian organisations can't afford to stand still. Combating security threats is not a transformation businesses can ever complete, but one they must remain ahead of. A key factor in achieving this is an attitudinal change, accepting cyber-breaches are a matter of ‘when’, not ‘if’.
The next step is in shifting sentiment. Businesses must move away from the concept that cyber-security is an issue unique to IT, and view it as a shared responsibility across all employees. For instance, employees need to understand the risks of opening confidential documents on their tablets, or accessing the corporate network through public Wi-Fi networks.
To achieve this change in approach, the Australian Federal Government's Cyber-Security Strategy is a great starting point for business, covering a range of areas including inter-business collaboration and employee education and training.
However, as cyber-criminals and hackers exploit vulnerabilities with new types of malware or targeted attacks, organisations cannot ignore the role of technology, particularly when faced with the difficult challenge of balancing employee needs with the integrity of IT security.
In today's digital world where an employee expects to work remotely from one of three connected devices, IT departments must be able to mandate and enforce corporate security standards and control across all locations and devices. This highlights the need for organisations to rethink technological approaches to security and remote access when implementing initiatives such as BYOD and flexible work.
To achieve this, businesses must define what information is of value to cyber-criminals. Most organisations are likely to have some sense of what this is, but must never be complacent and always scrutinise their IT infrastructure to understand where sensitive data is stored, and what security controls to place around it at the source, rather than at the end point, which is out of their control.
By implementing this level of awareness, IT administrators shift away from the band-aid routine of patching security layers to fix isolated problems after they occur, to resolving the issue at its core ahead of any problems developing.
While industry agrees the issue of cyber-security requires a holistic approach, technology must remain front and centre. What businesses need to do better is understand where their vulnerabilities lie before deploying technology to ensure it doesn't hinder business objectives such as collaboration, productivity and connectivity.
Only by acknowledging weaknesses will businesses truly be able to see the bigger picture and successfully protect their IT infrastructure.