High-profile ransomware attacks have driven so many businesses to adopt protective technologies and policies that many attackers have shifted their focus to cryptocurrency-based attacks and novel attacks like formjacking and air-gap compromise, according to new figures from Telstra that also highlighted the ongoing role of human error in data breaches.
The Telstra Security Report 2019, which was conducted by GlobalData and is based on interviews with 1298 professionals in 13 Asia-Pacific and European countries, found that businesses had redoubled their commitment to cybersecurity – and, in so doing, helped push cybercriminals to explore new methods of attack.
Ransomware, for example, was shifting towards operational technology – where the impact of disruption could be far greater, leading to financial losses or damage to property, physical assets, and health and safety.
Cybercriminals may be betting that attacks on operational technology will be treated as even more business-critical: with the survey finding that half of Australian businesses are paying cybercriminals to unlock ransomware, criminals know that the risk of losing core operational systems would motivate many executives to keep paying up.
Responsibility for cybersecurity fell on a broad range of stakeholders, with 48 percent of the 320 Australian respondents saying the IT department was likely to be blamed for a cybersecurity breach. Yet executives were also in the firing line, with 30 percent saying the CIO would wear the blame and 21 percent saying that cybersecurity was ultimately the CIO’s responsibility.
The report noted an increase in formal security awareness and training investments since last year, with formal education around information management and incident response. This had led to improving response and remediation times, the report argued, noting that C-level participation had increased and executives were meeting more frequently to discuss cybersecurity initiatives.
The potentially grave repercussions of a cybersecurity breach have expanded executives’ role in cybersecurity: they are more engaged with security outcomes and, according to 36 percent of respondents, are being briefed more frequently in response to GDPR, the Notifiable Data Breaches (NDB) scheme and other new regulatory and compliance requirements.
Australian companies were in line with global results when asked how frequently they brief board and senior management on cyber and electronic security risk and mitigation. Some 36 percent of Australian respondents said such briefings were occurring quarterly, while a third brief board and senior management monthly and 15 percent of respondents are doing so weekly.
This level of involvement was accompanied by increasing cybersecurity budgets, with 84 percent of Australian respondents reporting that their security budgets will increase in the next 12 to 24 months – ahead of 79 percent overall.
The analysis recommends several core actions for cybersecurity practitioners, including co-ordinating security policy and processes – which may involve integrating business departments or merging business units – and considering the new opportunities created by the convergence of information and operational technologies.
“Organisations with a holistic approach to security will be in a better position to strengthen security defences in areas like incident response,” the report notes.
“They should consider the impact of new technologies or security posture, and enable the business to take advantage of new opportunities in a more secure way…. Security is foundational to the integration of IT and OT, and can also be an enabler of many new use cases.”
Dealing with the accidental insider
The report also explored respondents’ perception of risks, with Australians less worried about malicious insiders than the overall cohort (8 percent vs 11 percent) and a quarter of respondents believing that accidental insiders – human error – are the biggest threat to IT security.
Those perceptions are consistent with recent major breaches; human error has been recognised as a major contributor to breaches for years.
A recent Ponemon Institute survey found that 64 percent of reported incidents were due to human accidents, and the Telstra figures confirmed that mistakes by accidental insiders are a regular occurrence.
Amongst Australian companies that reported experiencing a data breach, 36 percent said they were having weekly or monthly incidents due to accidental insiders – ahead of the global average of 30 percent.
Australian firms were ahead of the pack in detecting such breaches – with 62 percent saying they can detect such events in “minutes or hours” compared with just 50 percent of global respondents.
Recovery is also typically quick: 68 percent of Australian respondents said they can recover from accidental insider incidents within 2 hours – compared with 64 percent of global respondents.
Interestingly, only 21 percent of respondents said that the employees involved would be held responsible for a breach – highlighting a pervasive gap in perception that suggests most companies still expect technology and business leaders to enact proactive security policies to protect their employees.