Australian IT decision-makers are more confident than overseas peers that their midsized businesses are “completely ready” to deal with IT security threats – but they may be underinvesting in security as a result, according to new research that pegged the cost of the average successful attack at $1.89m.
Fully 40 percent of respondents to the Wakefield Research-Webroot Cyber Threats to Small and Medium-sized Businesses in 2017 survey – which polled 600 IT decision-makers in the US, UK and Australia – said their businesses were completely ready to protect against threats, compared with just 21 percent in the US and 30 percent overall.
This higher level of confidence was linked with a relative underspend on IT security: fully 82 percent of Australian IT security budgets were set to increase by just 1 percent to 19 percent this year, compared with 63 percent of US companies that were increasing spending by a similar percentage.
US (27 percent) and UK (22 percent) respondents were more likely than Australian companies (10 percent) to be increasing their IT-security spend by anywhere from 20 percent to 49 percent in 2017. No Australian companies were increasing budgets by 50 to 100 percent, compared with 2 percent overall and 4 percent in the US.
The budget changes suggest either that overseas companies are compensating for chronic underinvestment in IT security, or that Australian companies are still not perceiving security as enough of a priority to justify larger increases.
That could hit hard in the event of a breach, with Australian companies suggesting that the average total cost of a successful breach would be $1,893,363. Fully half of respondents expected a breach would cost $1.3m or more, while just 2 percent believed their business would get away with paying less than $135,000 to recover.
Those are significant impacts that compound the potential threats in a security climate where many SMBs are already being forced to shut their doors after a successful ransomware breach. With significant new regulations coming into effect next year, the figures confirm that decision-makers are aware that the consequences of a breach could have a material impact on the business – in addition to the direct penalties for noncompliance under looming National Data Breach, GDPR and PCI DSS controls. This is despite recent Gemalto survey findings that 65 percent of Australian businesses admit they will fail to meet those compliance deadlines.
Strategically, Australian companies’ higher confidence in their response capabilities does reflect the growing body of advice that accepts breaches as inevitable and recommends that companies invest in building effective response strategies that include methods for business continuity.
“Building wholly protective mechanisms to prevent bad things happening at the edge isn’t always feasible, either from a financial perspective or a performance perspective,” Gartner research director Rob McMillan said in a recent CIO Agenda webinar.
“Sometimes and increasingly so, we need to move away from a focus on prevention to a focus on detection and response. It’s going to happen, and you need to get onboard with that. The mindset has to be around how you are going to support the business strategy of the organisation.”
McMillan recommends CIOs consider the capabilities of their cloud providers to improve overall security practices – advice that Australian respondents to the Webroot survey seemed more than happy to follow. They were more likely than overseas peers to rely on a mix of in-house and outsourced IT security support: 45 percent said they took that approach, compared with 33 percent in the US and UK.
This suggests a tendency to favour outsourced expertise over developing security skills internally, with far fewer Australian companies (14 percent, compared with 24 percent in the US and 22 percent in the UK) giving in-house staff IT-security duties in addition to their normal responsibilities.
Despite the potential threats, Australian companies were also significantly more confident in the education of their employees about the potential impact of a cybersecurity breach, with 54 percent saying they were very confident – compared to 45 percent globally and just 37 percent in the UK.