In a newly published study, Tenable, Inc., the Exposure Management company, has found that Australian organisations are unable to ward off 42% of cyberattacks. These businesses successfully thwarted only 58% of attempted cyberattacks within the past two years, highlighting a reliance on reactive measures rather than attack prevention.
The study also found that 75% of the Australian cybersecurity professionals surveyed believe their organisations would be better fortified against cyberattacks if more resources were allocated to preventative cybersecurity. Nevertheless, a distressing majority of 56% admitted that their teams are largely occupied with addressing critical incidents, which obstructs their ability to adopt a proactive approach.
The study's insights are drawn from the responses of 825 IT and cybersecurity professionals, 100 of whom are from Australia. The research was conducted by Forrester Consulting on behalf of Tenable and forms the Australian edition of their study, "Old Habits Die Hard: How People, Process and Technology Challenges Are Hurting Cybersecurity Teams in Australia".
The results spotlight the need for a proactive versus reactive approach to cybersecurity. They further underline the challenges posed by a plethora of disjointed cybersecurity tools that prevent organisations from reliably and accurately gauging their cyber risks. Interestingly, the study found that the issue extends beyond external threats, with considerable challenges arising from inherent structural and operational issues within the organisations themselves.
Scott McKinnel, Country Manager at Tenable ANZ, explained, "Siloed cybersecurity tools, and by extension, the teams behind them, are inadvertently preventing organisations from having a clear, continuous and comprehensive view of their cyber risk." He added that internal mindsets compound the issue, with 48% of respondents admitting that they find coordination between IT and security teams challenging, while 62% reveal that IT prioritises system uptime over patching and remediation.
The report supports the Australian government's stance urging companies to lessen their reliance on third-party tech providers due to the cyber risks involved. The survey indicates that while 65% of the organisations use third-party programs for software and services, a mere 46% have high or very high visibility into third-party environments.
McKinnel further noted, "While there are no quick fixes to these challenges, when we look at key differences between low-maturity and high-maturity organisations across the overall sample, some themes begin to emerge that can serve as a guide for organisations looking to reduce their risk."
To this end, the study found that low-maturity organisations are typically stuck in reactive mode, with only 56% of attacks being preventatively defended against. In contrast, high-maturity organisations preventatively defended against 61% of the attacks they encountered. High-maturity organisations leverage data aggregation tools more effectively, with 57% using these tools to collate and analyse data to evaluate risk exposure, compared with only 46% of low-maturity organisations. Such high-maturity organisations also spend significantly less time on reporting to business leaders than low-maturity organisations, with 57% stating it takes 11 hours or more to produce such reports, compared to 72% for low-maturity organisations.