If you don’t change security policies after a data breach, when will you do it?

More than a third of CIOs plan to start monitoring employees to improve security

As if it wasn’t already bad enough that many companies are plodding along with inadequate cybersecurity policies, new research suggests that more than half of Australian businesses don’t even change their policies after their networks have been breached.

Fully 45 percent of Australian respondents to the recent Vanson Bourne-CyberArk Global Advanced Threat Landscape Report 2018 said their organisations can’t prevent attackers from breaking into internal networks whenever they try. Yet despite this high level of vulnerability, 52 percent said that their organisations rarely change their security strategy, even after a cyber attack.

This organisational inertia was creating a widening gap between security best practice and actual practice, with increasingly capable privileged user accounts serving to concentrate even more exposure within ever more capable endpoint devices.

Half of respondents said their customers’ data could be at risk because they hadn’t applied more than the “legally-required basics”, according to the survey, with just 8 percent of companies running continuous ‘red team’ exercises to test their security defences.

Yet there were few incentives to do more: only 44 percent of companies said they recognise or reward employees who help prevent an IT security breach, well behind the 74 percent rate amongst US respondents.

“Attackers have almost limitless freedom and agility, and are constantly evolving their tools and techniques,” CyberArk ANZ regional director Matthew Brazier said in a statement. “Organisations, being much larger and more structured, are not able to evolve their security strategy and controls to match this pace of change.”

“The most cyber mature organisations in Australia have a deep awareness of their privileged asset landscape and have put in place strong controls around the way these are issued, used and audited. Aligning both defensive and alerting capabilities to protect these assets is fundamental to an effective security strategy.”

Better protection of privileged accounts is a core tenet of the latest updates to the ISO 27001 family of information security management systems standards, which were revised in February.

The expanding family of standards include guidelines such as ISO 27018, which offers a code of practice for protecting sensitive personal data in public clouds, and last year’s ISO 27019, which prescribes information security controls for the energy utility industry.

Another recent standard, ISO 27021, sets competence requirements for information security management systems professionals.

These last guidelines may prove particularly important for Australian organisations that have, according to a recent survey by specialist recruitment firm Robert Half, failed to keep employees’ security knowledge up to scratch.

Fully 87 percent of the 160 surveyed CIOs and CTOs said they had experienced an internal IT security breach within the organisation during the past three years, with CIOs rating their employee knowledge about potential iT security risks as an average 7 out of 10.

“While there is already a nation-wide understanding that companies need to act proactively when it comes to internal IT security,” Robert Half Australia director Andrew Brushfield said in a statement, “taking the steps necessary to protect themselves against internal IT breaches is an ongoing process for businesses.”

Read more: Getting the security / risk balance right in the public sector

CIOs’ favoured internal IT security measures were to implement secure backup and recovery (named by 39 percent of respondents), monitoring and logging employees’ online actions (37 percent), conducting security awareness training for employees (35 percent), conducting an internal IT security audit (33 percent), and hiring permanent and temporary IT staff to strengthen their IT security processes (30 percent).

Each of these measures contributes to the overall security profile of the company – and their implementation speaks to a proactivity about security that was, according to the CyberArk figures, absent in many organisations.

“Companies should take on a continuous enterprise-wide approach that combines both the technological means and the talent to manage it,” Brushfield said. “This means onboarding skilled IT security professionals, such as IT security analysts, information security officers and IT security engineers, to address sophisticated cyber-security threats – both internal and external.”

Show Comments