Businesses worried but complacent about cyber attacks - Aura Infosec

14 Jan 19

Article by Aura Information Security Australia country manager Michael Warnock

Almost a third of Australian businesses report having been targeted by cyber-criminals in the past twelve months, and more than a third expect to become a target in the coming year.

What’s more, 40% of businesses say their employees receive between one and five phishing or ransomware attacks every quarter, and a further 30% say the number is higher — as many as ten per quarter.

The situation is pretty bad, and most businesses think it’s only going to get worse in the year ahead, according to research commissioned by Aura Information Security.

Little fear of financial impact

Given these numbers, and the potential for serious financial losses in the event of a cybersecurity breach, one might think that Australian businesses were fully on board with doing whatever had to be done to mitigate harm.

Unfortunately, that is not always the case.

While the majority of businesses have some sort of structure in place to keep the board and senior management apprised of security issues, one-fifth of IT professionals report that senior managers do not regard cybersecurity as a key concern.

As anyone will tell you, buy-in from senior management is essential for any company-wide process.

Complacency on cybersecurity from management puts the whole organisation at risk.

What’s worse, almost half of businesses allocate less than 10% of their IT budget to security, while a further quarter raise the bar to a mere 15%.

For something like data security — which can be an existential issue for some companies — these numbers are frighteningly low.

The slow tide of rising importance

Local research has found three-quarters of business leaders report more of the IT budget will go to security in the coming year.

But will that be enough?

Consider that the vast majority — 79% — of business leaders believe they have put in place the necessary tools and processes to train employees in security awareness to fend off phishing attacks and the like.

However, only 47% are confident that the processes they have in place will actually prevent a breach.

As organisations get larger, the likelihood that they have such processes increases, but so too does the likelihood of phishing and ransomware attacks.

More employees might bring a greater awareness of the need to mitigate risk, but they also bring more potential victims of targeted attacks.

Clearly, the money being invested in training and other processes is not buying confidence.

Distance doesn’t equal defence

Australia is geographically isolated, but of course, cybercriminals know no borders and are not hampered by oceans.

Wherever the Internet goes, so do they.

Even so, almost a quarter of Australian businesses regard local companies as not as big a target as similar companies in other countries (the remainder regard Australia as either as large a target or larger).

It is unsurprising, then, that 40% of businesses see Australia as lagging behind the rest of the world when it comes to implementing good cybersecurity practices.

The global nature of digital business means that four out of 10 Australian businesses have reporting requirements under the European Union’s General Data Protection Regulation (GDPR), which compels organisations that handle data of European citizens to have in place technical and organisational measures to protect that data and to notify people of data breaches.

Of those, 80% say they are prepared to notify clients and could do so within 48 hours of a breach being detected.

Australia’s own regulatory regime is also bringing a focus on data protection, in the form of the Notifiable Data Breaches (NDB) Scheme, introduced earlier this year and having a similar effect.

Prior to the introduction of the NDB, only 59% of businesses said they would have reported a security breach to customers.

Now that it is in place, 71% say they believe their business is supportive of it.

Given the potentially catastrophic financial implications of a cyber breach — not to mention the loss of trust that would follow if customer data were compromised — one might expect businesses to come to the security party out of pure self-interest, and some are.

As for the rest, legislation will simply have to drag them along.
