People, processes and practices the key to improved cyber security

Leon Fouche , National Leader, Cyber Security |

01 December 2016

Leading advisory firm BDO is urging businesses to get back to basics to ensure they stay ahead of potential cyber security breaches, after releasing the results of its inaugural cyber security survey.

The survey, which was completed in conjunction with AusCERT, aims to help the market understand the cyber security challenges Australian and New Zealand businesses face, in an environment characterised by the movement of systems and processes online.

BDO National Leader for Cyber Security Leon Fouche said although general awareness of cyber risks had improved, organisations were relying too much on technical solutions for defending against the increased risk of cyber attacks and data breaches.

“The people and process component of cyber defences must be addressed if organisations want to improve their cyber resilience,” Mr Fouche said.

“Getting back to basics and understanding the risks, defining baseline security standards to address these risks, and then enforcing these standards, while monitoring how well they are implemented, is critical to improving the maturity of a business’ cyber security posture.”

The report revealed around 40% of respondents had security standards and cyber risk management guidelines in place for their supply chain — including third party providers, and the cloud. 

Thomas King, General Manger, AusCERT, said the fact that less than half of the respondents had security standards for their supply chain was concerning, considering most organisations were becoming increasingly connected to the internet and were highly reliant on third party providers and applications for running their businesses. 

“Without proper security standards and oversight of the cyber security risks in their supply chain, businesses risk losing control over the security of their operation,” he said.

“As the use of cloud solutions increases, organisations need to prepare themselves by having the right tools and processes in place to manage security risks directly under their control.”

Mr Fouche explained transparency around an organisation’s data sources is the best way to address this issue.

“Organisations can start with the simple step of identifying the key data sources and applications they have outsourced to third parties and ensure these have effective security controls in place,” he said.

“This will provide them with insights into the cyber risks in their supply chain and what strategies they need to implement to make them more cyber resilient.”

Mr Fouche said the survey findings reinforced the fact that awareness of cyber risks had improved in recent years among business, however there was still not a true appreciation of the consequences and impacts of cyber incidents. 

“Although businesses have adopted good security technologies, their cyber security processes and practices are relatively weak,” he said.  

“For example, 40% of organisations are able to detect security incidents, and 52% of organisations are performing regular security risk assessments which is great to see.

“But only 21% of organisations have a security operations centre in place to investigate and respond to security incidents that may occur and, only 49% of organisations regularly report cyber risks to the board.

“It’s important the board and CEO continue to play an increasingly active role in the cyber security of their own business. After all, they are ultimately accountable for it.

“This is important because data breaches will impact the reputation and financial stability of an organisation and it’s essential for boards and executives to be educated about the impact and likelihood of a security incident, and what the organisation’s capabilities are to defend against it.”

Report snapshot:

  • Less than 19% of respondents have or plan to have a senior management role responsible for cyber security (i.e. a chief information security officer)
  • 47% of respondents have implemented security awareness training for staff
  • Many respondents have already taken up endpoint and gateway controls like anti-virus (93%), website and internet filtering (75%), and email filtering to block suspicious emails (91%)
  • 52% of respondents are performing regular security risk assessments, but only 49% regularly report cyber risks to the board
  • 40% of respondents can detect security incidents, but only 21% have a security operations centre in place to investigate and respond to security incidents
  • 48% of respondents have a cyber incident response plan in place and only 41% have a cyber incident response team or capability in place to respond to incidents
  • 44% of respondents have defined security standards for cloud and third parties or supply chain.

Supporting graphs are available for download from the BDO website -