Lack of cyber-attack preparedness leaves Australian businesses vulnerable despite lift in breach notification compliance

30 April 2019

Despite enhanced cyber maturity, beefed up cyber budgets and improved security posture, many Australian businesses still lack the ability to act quickly and comprehensively in the face of a cyber security attack.

That is the key take-away from the annual Cyber Security Survey run by accounting and professional services firm BDO in Australia in conjunction with cyber emergency response team AusCERT, which examined the cyber security risks and realities experienced by more than 500 board, business and IT executives across Australia and New Zealand.

The 2018/2019 BDO and AusCERT Cyber Security Survey found that despite the introduction of stricter compliance regulations and greater executive and leadership team buy-in on cyber security, untried or poorly planned response protocols were leaving both government and private enterprises vulnerable to increasingly sophisticated cyber attacks.

BDO’s National Cyber Security Leader Leon Fouche said all industries needed to ramp up their focus on employee education and training to empower their people to take action, with the 2018/2019 survey finding that 64 per cent of all data breaches were caused by targeted, malicious attacks on people.

“While recent compliance regulations have boosted data breach notification numbers and industry leaders have endorsed the implementation of more comprehensive resilience measures, many Australian organisations do not have the capability to detect a breach or respond to it in a manner that contains cost and reputational damage,” Mr Fouche said.

“Sophisticated cyber attacks and data breaches sit alongside weapons of mass destruction and natural disasters in terms of their ability to disrupt and damage, however in many business cases, the focus on preventative measures has far outweighed response or incident management.

“Every organisation should have a pre-defined plan, which is regularly tested, to ensure that everyone in the organisation knows what to do and how to respond to cyber security incidents.”

On average, the cost to an Australian organisation of a data breach was almost US$2 million [1].

The potential for huge financial implications is one reason 86.4% of survey respondents indicated they expected to have a cyber security awareness plan in place within the next 12 months. 

The most common vehicle for cyber attack remained phishing, which accounted for 20.19% of all cyber security incidents experienced in 2018 and has been trending upwards since the inaugural BDO and AusCERT Cyber Security Survey in 2016. Phishing was followed by malware (14.08%) and ransomware attacks (9.39%).

“Phishing attacks remain popular as hackers seek the simplest, cheapest tactic to prey on human curiosity and achieve the best results,” Mr Fouche said.

“The level of sophistication of some phishing attacks makes it difficult for a recipient to determine if these types of emails are real or fake. 

“That’s why education and training are so important. Employees need to be given the knowledge to detect a potential cyber attack and the tools to respond if they suspect there has been a breach or they have inadvertently disclosed sensitive information.”

AusCERT Director Dr David Stockdale was encouraged by the survey findings.

“AusCERT has long supported the concept of mandatory breach notification, and it is heartening to see evidence that organisations expected to comply with at least one data breach regulation spend approximately 20% more on information security controls,” Dr Stockdale said.

“It is also pleasing to observe the survey finding that leadership awareness has increased.

“This has forced a change of culture within our own management as we’ve shifted from a purely technical organisation to a business focused, modern incarnation of a Cyber Emergency Response Team.

“Increasingly AusCERT is seeing greater uptake amongst members for training courses, impartial advice, post-incident reviews and the development of incident response plans.”

Respondents are anticipating data loss and theft of confidential information to be the most prevalent threat in 2019 and beyond.

[1] Ponemon Institute, 2018 Cost of a Data Breach Study: https://databreachcalculator.mybluemix.net/assets/2018_Global_Cost_of_a_Data_Breach_Report.pdf