A recent survey report by Sophos has revealed many significant security challenges that Australian businesses are facing and will continue to face going forward.
Security frustrations, skill shortage consequences and education issues were some of the key topics highlighted in the research, with many companies also reporting a lack of boardroom awareness around cybersecurity.
In light of a rising number of ransomware attacks and incidents, the report found that cybersecurity vendors are frustrated with the relegation of cybersecurity as a priority as well as the lack of funding for it.
Only 52% of Australian respondents believed their board truly understood cybersecurity, while 80% of Australian respondents believed cybersecurity vendors generally don't provide them with the information they need to help educate executives.
The general consensus, however, is that one issue overrides the rest: 95% of Australian companies agreed their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
There is also significant concern regarding skilled security staff, with 69% of Australian businesses saying they expect to have problems with recruiting cybersecurity employees over the coming 24 months.
The report goes on to say that the top two attack vectors of concern for APJ organisations (phishing or whaling attacks and weak or compromised employee credentials) are directly addressable by ongoing education and awareness campaigns.
"With ransomware attacks continuing to become more complex, organisations need a genuine, actionable cybersecurity education program," says Sophos global solutions engineer for APJ Aaron Bugal.
"The current reactionary tendencies we are seeing have created an attack, change, attack, change cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the backfoot. Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations," he says.
The report also highlighted a number of key areas where skills need to improve, such as:
- Awareness of cloud security policies and architecture.
- Programmes like train-the-trainer employee and executive cybersecurity training skills.
- Software vulnerability testing skills.
- Staying up to date with the latest threats.
- Policy compliance and reporting.
Bugal says the pressure on security teams and a lack of understanding and cohesion in a business can cause major problems, and he believes education and understanding are the key to a better future.
"The challenge for cybersecurity professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations," he says.
"The issue isn't technology, it's education. Increasing spend on cybersecurity wont help unless organisations understand from the top down the true nature and critical threat that cyberattacks constitute to their organisational capabilities, their customers and their own existence."