Craig McDonald 25 June 2020 13:28:23 AEST 11 MIN READ

80% of Australian companies believe their cybersecurity investments are ‘failing’, according to Accenture survey. How can we keep our businesses protected?

Why are some business owners still not paying attention and underestimating a real business risk? A staggering 80% of Australian companies believe their cybersecurity investments are ‘failing’.

This was according to a new report from Accenture, which also found that staying ahead of attackers is a ‘constant battle’ for 70% of businesses, with respondents adding that the costs incurred while fortifying their cyber resilience are “spiralling out of control”. 

The figures are concerning, because now, more than ever, we need solid cybersecurity measures and strategies to protect our businesses. Prime Minister Scott Morrison has announced an emergency cybersecurity alert in Australia, warning local public and private sector organisations of a “sophisticated state-based cyber-attack”. This comes at a time when the massive upheavals triggered by the COVID-19 pandemic are threatening business continuity and operational resilience among many companies. With such high stakes involved, we need to review how we can get every ounce of value out of every cybersecurity investment we make – whether those investments are in our technology, processes or people. 

Microsoft CEO Satya Nadella recently said that “we have seen two years’ worth of digital transformation in two months,” referring to how many businesses worldwide have had to adapt to the new world of document sharing and video conferencing as they became distributed organisations overnight as a result of the pandemic. Unfortunately, cybercriminals are exploiting any vulnerability possible in these new systems and new ways of working with unprecedented intensity. 

According to the Microsoft Threat Intelligence Protection team, every country in the world has seen at least one COVID-19 themed cyber-attack over the past few months. Multiple cyber-attacks have been reported in the media that have disrupted corporate giants, all over the world, including Swiss low-cost airline EasyJet, Australian dairy processor and drink manufacturer Lion, American beauty brand Estée Lauder, and many others. This has prompted experts like the former head of the Australian Cyber Security Centre, Alastair MacGibbon, to caution businesses and remind them that cybercrime continues to be an existential threat, and that these attacks are just the tip of the iceberg. Similarly, at MailGuard, my team continues to intercept multiple variations of email threats exploiting the virus, ranging from those masquerading as relief bonuses to those announcing COVID-19 IT updates. And this is expected to get worse.   

While it’s heartening to note that businesses are continuing to invest in cybersecurity to mitigate the risks of this increasingly treacherous threat landscape, it looks like there’s more work to do when it comes to the efficiency of those investments. 

The report found 55% of attacks occurring in Australian organisations are breaching existing security measures and 62of breaches are impacting business operations. This is despite 91of companies spending more than 20% of their cybersecurity budget on advanced technologies, with 43% reporting cost rises within the last two years, and 11reporting cost rises over 25%. 

While the sobering financial and economic repercussions of COVID-19 are yet to be truly felt, many businesses are already struggling to keep the lights on. The United Nations’ Secretary-General, António Guterres, warned recently that as the diverse and severe impacts of the COVID-19 pandemic continue to be felt across the world“unemployment has skyrocketed. Temporary business closures are becoming permanent. Rebuilding to pre-crisis levels of employment and output may take years”. For companies who are already under considerable logistical and financial strain, increased spending on cybersecurity may strain budgets – especially if, as the report highlights, those investments are failing to work. 

In situations like these, it never hurts to remind ourselves and our cybersecurity teams that investing in the most advanced and up-to-date cybersecurity solutions doesn’t necessarily guarantee overall improved security — it’s all about whether those solutions are best fit to address the vulnerabilities present in your overarching cybersecurity strategy. I always recommend doing a risk analysis and seeing where most incidents occur.  

For many businesses, email security continues to be a big problem, especially given the current climate. Cybercriminals are continuing to exploit fears and uncertainty around the COVID-19 pandemic and are targeting businesses with multiple email-borne cyber-attacks. Google says it intercepts 18 million COVID-19 scams phishing emails every single day, while IBM’s chief technology officer for security in Australia and New Zealand, Chris Hockings, puts the increase in online attacks through COVID-19 related phishing scams at a massive 14,000%.Telstra also reported that cybercriminals are targeting professionals ordered to work from home amid the pandemic, with convincing phishing emails that even reference the victim’s workplace. At MailGuard, we continue intercepting multiple variations of email threats exploiting the virus, ranging from those masquerading as relief bonuses to those announcing COVID-19 IT updates. Email is a critical tool and arguably the most important means of communication among many businesses, making it imperative for companies to implement and invest in the right email security solutions that can protect their inboxes in this period of heightened risk.  

The importance of a multi-layered strategy 

Investing in the right technology is, however, just one part of the solution. I firmly believe adopting a multi-layered approach is fundamental to ensuring your cybersecurity strategy is up to scratch. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, in the event that if one fails, the others will stop the threat. Along with technology, processes and people are all equally as important when facing cybersecurity challenges and aligning all three will help in mitigating any incoming cyber risks, ensuring your business is protected.  

Going back to the case of email security, as a business, you may already have native security in place from Google or Microsoft, but to protect your teams’ inboxes in this period of heightened risk, it is also prudent to adopt a ‘defence in depth’ approach and invest in another layer of protection to combat email threats. For example, using a third-party cloud email solution like MailGuard to complement Office 365.  

In addition to that, you may also want to boost your cyber defence capabilities by providing phishing awareness training to your employees so that they’re better equipped to spot the difference between a phishing email and a legitimate one. We often focus on getting the technology right in cybersecurity and are tempted to ensure our systems are protected by state-of-the-art innovations. But it’s also essential that we’re spending appropriate time and resources enabling our people to become cyber defenders and empowering them with the knowledge to make the right choices. 

The global pandemic has changed the game of cybersecurity in many ways and has made it crucial for businesses to consistently & thoroughly review the performance of existing defences, systems and processes if they wish to stay protected amid a more treacherous threat landscapeTo quote Ann Johnson, Microsoft’s Corporate Vice President, Cybersecurity Solutions Group, “operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience”. 

We need to be able to ask the hard questions and not only find out what’s working and what isn’t, but whether we are doing all that we can to ensure we’re getting the full value out of our cybersecurity investmentsTalk to your stellar security teams to identify the gaps and weaknesses of your existing cybersecurity strategy and then determine the thought process and purpose behind the changes you implement. This will increase confidence that your resources are being used as efficiently as possible.   

If you need more support to protect your business from cybercrime, feel free to reach out to my team at