The risk of cybersecurity compromise has become ubiquitous across business and government sectors, with new figures suggesting that nine out of every 10 Australian organisations dealt with an attempted or successful cybersecurity breach during fiscal 2015-16 – and that 58 percent had been successfully compromised.
The results, from the Australian Cyber Security Centre (ACSC) Cyber Security Survey 2016 of 45 government departments and 68 major Australian businesses, highlight the very real risk facing Australian organisations from snowballing cybersecurity attacks that caused tangible impacts on the business of 60 percent of survey respondents.
Most organisations rated these impacts as relatively low in severity, but the fact that they happened at all is a wakeup call for a business community that is often unaware of its own cybersecurity exposure: fully 51 percent of organisations surveyed said external parties tended to let them know about possible breaches before they had even detected those breaches themselves.
“Given that only 2% of organisations reported having completely outsourced IT functions,” the report notes, “these figures suggest organisations are not adequately focusing on monitoring networks and detecting potentially malicious activity.”
There were hints of progress, with 71 percent of organisations reporting that they have a cybersecurity incident response plan in place – up from 60 percent in the previous year’s survey.
Despite some positive findings, Forcepoint country manager Guy Eilon said that the results “should provide a much needed jolt to organisations across Australia to review their cyber-security measures and ensure they are set up to protect their organisation from a raft of cyber-security threats – both inside and outside their perimeter.”
“With almost all Australian organisations the target of multiple cyber incidents in the past year,” he said, “the question today is no longer if, but when, an organisation will come under fire. However, despite a large proportion of these incidents proving damaging to organisations in some way – cost or reputation – it is concerning that few are truly set up to combat these relentless threats.”
Yet awareness is not the only issue at hand: with 74 percent of organisations having five or fewer staff responsible for IT security, the results reinforced perceptions that cybersecurity defences are already stretched to their limits. This has increased the pressure on cybersecurity staff in recent years, with the recent Trustwave 2017 Security Pressures Report finding that less than a quarter of IT professionals believe their security staffing size is ideal.
There were signs, however, that security organisations are getting more effective at doing more with less – and that they are getting better support from executives that are finally becoming more realistic about their cybersecurity expectations.
Some 53 percent of respondents felt more pressure to secure their organisations in 2016 than 2015, the Trustwave figures showed – but this was actually down from 63 percent a year ago (the Australian figure was 55 percent this year). Some 58 percent expected this to increase during 2017, with boards, owners and C-level executives cited as applying the most pressure by 46 percent of respondents.
Interestingly, Australian respondents were far less likely to blame boards and C-level executives for pressuring them – just 35 percent said pressure came from above – and more likely to say that they are pressuring themselves when it comes to cybersecurity. Fully 31 percent of Australians reported pressuring themselves; this compared with 24 percent overall and was the highest figure out of the six countries surveyed.
Respondents were most likely to cite public exposure as the biggest source of pressure, with 40 percent saying they felt the most pressure about their security program after a major security breach hit the headlines. This is likely to become an even more significant factor as Australia’s long-awaited mandatory breach notification regime kicks into effect next year – and that threat will, most likely, push executives to get more on board with their cybersecurity specialists.
The new ACSC figures also showed consistently higher levels of proactive policy development amongst organisations deemed to have high levels of cyber-resiliency – a trait identified as involving habits such as maintaining good situational awareness; approaching cybersecurity from a risk-reduction rather than a compliance mindset; building a strong security culture across the whole organisation; discussing cybersecurity at a board level; proactively identifying and stopping threats; and sharing information within trusted networks and alerting other organisations about possible security breaches.
“When weighing investment in cyber security against other business needs,” the report recommends, “senior management need to consider the overall level of cyber risk, their organisation’s exposure to such risks, and the potential whole-of-business cost that could be incurred if a serious cyber incident were to occur on their network. The costs of compromise are almost certainly more expensive than preventative measures.”