“As a small business, we find it challenging to identify threats and have measures in place to mitigate them with very limited time/resource.”
“I find the board’s posture is too relaxed, suggesting lack of acute awareness of the real risks.”
“Lack of concern and awareness around the risk and consequence. Directors and management are more concerned about accessibility than protection (until an event occurs, that is...)”
“Cybersecurity is seen as an IT problem when it is a whole-of-business issue.”
“Even though we are in the IT industry, our staff don’t necessarily see cybersecurity as ‘something that happens to companies like us’.”
These comments from survey respondents quoted in the 2018 AusCERT report indicate the concern about cybersecurity shared by Australian businesspeople, and that concern seems to be borne out by the figures.
Among the survey’s key findings were:
- “30% of respondents were affected by a cyber incident of some kind – and it is important to note that these incidents were not confined to large corporations.”
- “The top three cybersecurity incidents experienced by Australian and New Zealand organisations were ransomware (17.8%), malware (17.9%) and phishing (19.3%).”
The AusCERT 2018 report
“A cyber incident can come at a great financial and reputational cost to the business… Australian Businesses are targets and are generally underprepared” states the 2018 AusCERT Cyber Security Survey report.
AusCERT, based at the University of Queensland, is a not-for-profit organisation that provides information and security advice to its members, including their regular Security Bulletin. Their 2018 survey report is published in conjunction with BDO Australia.
(Above: the AusCERT survey found that malicious email attacks increased in number across 2016/2017. Graph excerpted from 2018 AusCERT Cyber Security Survey report.)
“Phishing and email attacks are still the most prevalent form of cybersecurity incidents affecting respondents, followed by ransomware and malware coming in a close second and third,” the AusCERT report concludes.
“Email is the primary online method used for communications and information sharing for private and business users... Phishing emails are the most widely used infection vector employed by 71% of all threat actor groups.”
(Graph above: excerpt from the 2018 AusCERT Cyber Security Survey report.)
Criminal-intent attacks were overwhelmingly the most common threat vector reported by AusCERT survey respondents. That conclusion is certainly in line with the anecdotal evidence seen by MailGuard in our threat protection work, where criminal-intent email is consistently the biggest cyber-threat category.
“Organisations seeking to enhance their cybersecurity capabilities will need to get a better understanding of the cyber threats related to them and their industry. They will need to understand which threat actors or groups will be targeting them, and anticipate their motives and strategies,” the AusCERT report advises.
Regulation and compliance
The AusCERT report emphasises the increasingly important role that data-security regulation is playing in business risk management.
“Governments are starting to make businesses accountable for protecting their data,” the report notes. “In May 2018 the EU GDPR came into effect. Companies doing business with EU residents must comply with the new regulations or risk facing heavy fines and criminal penalties.
“In Australia, the NDB became effective in February. Despite financial penalties for non-compliance – up to $420,000 for individuals and $2.1M for organisations – this year’s Cyber Security Survey found that more than a third of respondents did not know if their organisation must comply with the notifiable data breaches scheme.
“Australian businesses need to be acting now to have cybersecurity practices and processes in place.”
Top-down approach required
The damage cybercrime causes to companies goes far beyond the immediate financial losses. A company’s failure to protect their systems from hacking is also a perceived liability for their customers, trading partners and shareholders.
“Regulatory changes will require business owners and leaders to take accountability for their cybersecurity arrangements, and provide leadership and direction for ensuring compliance against regulatory changes,” the AusCERT report advises.
Cybercriminals target companies through vectors like email because humans are soft targets. Criminal-intent email can impact anyone in a company, so the responsibility for cybersecurity can’t be left to IT departments to handle alone. For security policies to be successful they need to be implemented across whole organisations, starting with senior management.