Australian small and medium businesses (SMBs) have had a year since they were set a deadline for Notifiable Data Breaches (NDB) scheme compliance but 49 percent admit they are still unprepared for the new laws, according to a new study that found SMBs confident in their network security even though nearly half didn’t bother to perform an IT-security risk assessment over the last year.
The new figures – compiled by ACA Research for HP Australia based on interviews with 528 SMB IT decision-makers – paint a grim picture for compliance with the NDB legislation, which threatens substantial fines for failure to detect breaches and notify those potentially affected.
Surveyed companies were generally confident about their IT-security capabilities, with the most confidence in capabilities in network security (cited by 75 percent), detecting and recovering against malware (66 percent), and end-user management (64 percent)
Despite this high degree of operational security confidence, just 18 percent of respondents said they had an NDB compliance policy in place, with an additional 33 percent developing one.
Confidence in security measures varied by industry: some 40 percent of services companies said they had a ‘very secure’ security posture overall, for example, compared with just 15 percent of health and education firms and 10 percent of retail and hospitality providers.
Those numbers are far from a resounding vote of confidence in SMBs’ security capabilities – particularly as the new NDB scheme is introduced in the wake of the surges that traditionally accompany holidays like Valentine’s Day, and events like the Pyeongchang Winter Olympics – which has, McAfee has warned, already generated malware attacks in a flurry of traffic that is set to increase in intensity over time.
The surge in phishing traffic around such events will be a litmus test about the accuracy of SMBs’ contentions about their security preparedness. Although they were generally confident about technological measures, employee-related security – crucial in mounting an effective defence against phishing attacks that can have severe repercussions from a single wrong click – was a different story.
Fully 39 percent of the ACA Research-HP respondents said they were ‘not secure’ in ensuring employees use strong passwords and 44 percent said the same about protecting company data from visual hacking – being read off of a device screen while employees are working. And just 16 percent considered themselves to be ‘very secure’ in terms of protecting company data when employees are working remotely.
Similarly, only 32 percent of respondents said they were ‘extremely secure’ against malware and viruses; 25 percent against ransomware; and 22 percent against data theft or misuse. Fully 13 percent said they were not at all secure when it came to managing lost or stolen devices.
Those figures suggest that massive security gaps continue to plague the data-protection capabilities of SMBs – and their repercussions will become clearer as the NDB deadline nears.
As if the problem wasn’t pronounced enough, recent research by Zscaler ThreatlabZ suggested that growing use of SSL encryption was helping malware evade detection even where strong security protections are in place.
Fully 70 percent of traffic running through that vendor’s cloud-based security network in the second half of 2017 were encrypted with SSL – up 10 percent over the first half of the year. Encrypted phishing site activity jumped by a third during that time, with 800,000 SSL transactions blocked in that cloud every day.
Zscaler’s analysis also found many new malicious payloads utilising SSL/TLS for command-and-control server activity; half were banking Trojans, a quarter were ransomware, and 12 percent were Infostealer Trojan families including Fareit, Papras, and the like. Many of these payloads were delivered from cloud file-storage sites like Box, Dropbox, AWS, and Google.
The “alarming” increase in such activity suggests that cybercriminals are becoming more effective at using encryption to skirt protections that have often not handled encrypted traffic as well as conventional traffic. The result has, the report warns, “turned what was once a reliable privacy protection protocol into one of the most active threat vectors in the enterprise.”