More than half of Australian companies believe they have very mature cybersecurity protections even though most are ignoring clear best-practice guidelines from the Australian Signals Directorate, according to a new end-user survey that also found just 46 percent of companies run staff security training more than once per year.
Just 13 percent of IT-security professionals, surveyed at Content Security’s recent CLOUDSEC 2018 conference, said their organisations were following the guidance of the ASD Essential Eight – which are said to protect against more than 85 percent of cybersecurity attacks.
The Australian Cyber Security Centre recommends that “organisations are recommended to implement eight essential mitigation strategies as a baseline”.
Australian companies’ low level of participation is not due to lack of awareness of best-practice guidelines: 41 percent have aligned their activities with the requirements of the Notifiable Data Breaches (NDB) scheme, while 30 percent have aligned their activities with the strictures of the EU’s general data protection regulation (GDPR).
This last finding is significant given recent findings that most European companies aren’t even complying with GDPR.
The results suggest that compliance and governance take higher precedence in guiding Australian security investments and driving digital transformation than technological controls – or that many companies are joining the increasing school of thought that breaches are inevitable and that it’s the response to those breaches that really matters.
“At the end of the day, most companies will be breached if an attacker really wants access to that company,” said Content Security CEO and co-founder Louis Abdilla in a statement. “You can still come out of a breach in a pretty good spot if you’ve been diligent about your IT and security controls, including the implementation of monitoring, detection, and response capabilities.”
Such preparations “can help minimise the impact of the breach and stamp down any thoughts of negligence,” he added, “if you’ve handled the post incident breach work well and in accordance with legal regulation and ethical principles.”
Yet commercial organisations aren’t the only ones that are failing to embrace government security guidance: a new Attorney-General’s Department compliance review of the government-mandated Protective Security Policy Framework (PSPF) found that just 60.2 percent of government agencies had implemented PSPF’s INFOSEC4 requirement – which mandates the adoption of the Essential Eight’s precursor, the ASD’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions.
This was almost unchanged from the 59.1 percent compliance figure a year earlier, with the report suggesting that structured cybersecurity policy efforts had stalled within government bodies “despite increased awareness of cyber security risks, and a concerted effort over the year to promote risk mitigation measures [such as the Essential Eight strategies].”
Yet the gap between perceived and actual security protections remains a challenge for security staff, with recent reviews finding, for example, that executives are overconfident about their DevSecOps capabilities and that companies are still slow to implement anti-cybercrime platforms such as DMARC.
They have been more proactive, however, in managing their cybersecurity response: fully 36 percent of surveyed companies said they review their cybersecurity strategy and incident response plan quarterly, while 21 percent conduct reviews biannually and 39 percent annually.
Organisations have also been proactive when it comes to staff cybersecurity training, with 46 percent training staff monthly or quarterly. Some 35 percent train their staff just once per year.
“It's encouraging to see that Australian organisations are preparing for the very real possibility of an attack,” Abdilla said, “but every individual needs to be responsible for aspects of personal security such as changing compromised passwords.”
“Security awareness training is now a key component of security strategy, with the survey suggesting that organisations have now recognised that security is now a business-wide issue and non-technical end-users need to be educated.”