Report shows Australian companies have increased their cyber security over the past 12 months

23 March 2020

Latest research from business advisory firm BDO reveals Australian companies have increased their cyber security measures and shifted their focus from off-the-shelf technology solutions to organisation-wide governance processes.

The 2019 BDO and AusCERT Cyber Security Survey Report shows the number of companies with Chief Information Security Officer (CISO) roles increased by 46% in 2019 compared to 2018. The data shows the adoption of CISO roles has more than doubled since 2016.

The latest research also shows a 31% increase in cyber insurance, as companies attempt to avoid the financial damage inflicted by cyber threats.

BDO’s National Cyber Security Leader Leon Fouche said Australia’s C-suites have recognised that technology alone often cannot manage the operational, legal or reputational impacts of a cyber incident.

“Decision makers are focussing less on ‘silver-bullet’ technology solutions and more on establishing enterprise-wide processes to better prepare their companies for cyber incidents,” Leon said.

“Our latest research shows companies with more senior stakeholders involved in cyber security adopt a more holistic approach to effectively managing cyber risk – and it’s paying off,” he said.

Interestingly, while stronger company-wide governance was a key theme of the research, the findings also showed a continued disparity between the types of incidents companies expect and the incidents they actually experience.  For example, phishing was 30% more common than businesses expected. As phishing is a common vehicle for many attacks, its underestimation can leave businesses significantly underprepared.

“Companies face a range of cyber security threats that originate both external and internal. Over time, these threats change, as do the technologies used and the motivations of the adversaries,” Leon said.

“There’s no one-size-fits-all approach to preparing for cyber threats. Companies must understand what their critical data and systems are, which adversaries seek to compromise them, and what their methods involve,” he said.

The survey highlights that companies continue to underestimate the cause of most incidents – with insider threats twice as common as expected. Respondents indicated that they expected a 10% year-on-year rise in insider incidents over the next year. However, when considering current and former employees, suppliers and customers, the expected rise is 40% - meaning companies expect insider threats to be a greater risk than cyber criminals in the coming financial year.

Leon pointed out that even before the coronavirus pandemic, people were doing more work away from the office, using their own personal devices.

“As people do more work on their personal devices and companies adopt flexible working arrangements, our reliance on people working from a traditional office setting is decreasing. People are accessing company data 24/7, on the go, from a range of devices – making it easier than ever to access. As the way we work changes, the complexities in companies identifying and addressing cyber security becomes more complex,” Leon said.

“Most insider threats are not necessarily malicious and more commonly the result of human error, however, this internal threat cannot be underestimated,” he said.

The recent survey revealed a 56% increase in the number of data breaches involving contact information compared to 2018. The Office of the Australian Information Commissioner (OAIC) received a total of 964 eligible data breach notifications under the Notifiable Date Breach (NDB) scheme between April 2018 and March 2019. Of these, 60% were caused by malicious or criminal attacks.

“Over the past few years we have seen increased public concern over the security of people’s contact information, which has led to companies being more critisied in the media when data breaches occur. Data breaches are now causing greater reputational damage and long-term disruption than ever before, bumping this risk to the top of the C-suite agenda,” Leon said.

The report highlighted that when companies adopt a set of five key controls (such as employing a CISO, using a Security Operations Centre, establishing cyber security awareness programs for staff, adopting third party and vendor risk assessments and developing incident response plans), they experienced 31% less incidents, and faced fewer cyber risk management challenges.

“As the complexity and extent of digital capabilities grow, so too does our dependence on them. As companies seek to capitalise on the opportunities of 2020 and beyond, they must also be prepared to defend against the threats that our reliance on technology has brought,” Leon said.

“The first step leaders must take in achieving organisational risk resilience is to understand and assign accountability for protecting their organisation’s digital DNA – these are the data and information systems that make an organisation unique but also a potential target.”

The 2019 BDO and AusCERT Cyber Security Survey Report surveyed 500 board, business and IT executives across Australia and New Zealand. Read the full report here.

Read AFR's write up here: https://www.afr.com/technology/remote-working-due-to-covid-19-raises-cyber-security-concerns-20200321-p54cjm