One of the most frequent questions I get asked by organisations is “How good is my security and how do we compare to other Australian organisations?” BDO and AusCERT joined forces to look at this and get insights into the cyber security strategies in Australian and New Zealand organisations.
We have released the results of our inaugural 2016 BDO and AusCERT Cyber Security Survey, and they highlight that although general awareness of cyber risks has improved among Australian and New Zealand organisations, many are still relying too much on technical solutions to defend against the increased risk of cyber attacks and data breaches.
Key survey findings
- Less than 19% of respondents have or plan to have a senior management role responsible for cyber security (i.e. a chief information security officer)
- 47% of respondents have implemented security awareness training for staff
- Many respondents have already taken up endpoint and gateway controls like anti-virus (93%), website and internet filtering (75%), and email filtering to block suspicious emails (91%)
- 52% of respondents are performing regular security risk assessments, but only 49% regularly report cyber risks to the board
- 40% of respondents can detect security incidents, but only 21% have a security operations centre in place to investigate and respond to security incidents
- 48% of respondents have a cyber incident response plan in place and only 41% have a cyber incident response team or capability in place to respond to incidents
- 44% of respondents have defined security standards for cloud and third parties or supply chain
Protecting the supply chain
The fact that less than half of the respondents have security standards in place for their supply chain is a concern, especially considering that most organisations today are increasingly connected to the internet and rely heavily on third party providers and applications to run their businesses.
Without proper security standards and oversight of the cyber security risks in their supply chain, businesses risk losing control over the security of their operations. Combine this with the rising use of cloud solutions and it's clear organisations need to prepare themselves by having the right tools and processes in place to manage the security risks directly under their control.
The best way to address this issue is to enhance transparency around an organisation's data sources. Start by identifying the key data sources and applications the organisation has outsourced to third parties, and ensure these have effective security controls in place. This will shed light on the cyber risks in the supply chain and on what strategies need to be implemented to improve cyber resilience.
Awareness of cyber risks has improved, but the consequences are yet to be truly appreciated
Although respondents have adopted good security technologies, their reported cyber security processes and practices are relatively weak.
For example, 40% of respondents are able to detect security incidents, and 52% are performing regular security risk assessments, which is great to see. Yet only 21% of respondents have a security operations centre in place to investigate and respond to security incidents that may occur, and only 49% of organisations regularly report cyber risks to the board.
As I’ve mentioned in previous articles, it’s important the board and CEO continue to play an increasingly active role in the cyber security of their own business. After all, they are ultimately accountable for it.
Data breaches will impact the reputation and financial stability of an organisation, so it's essential for boards and executives to be educated about the impact and likelihood of a security incident, and about the organisation's capabilities to defend against it.
If you have any questions about the results of our cyber survey, or about how you can use the data to benchmark the maturity of your organisation, please connect with me.