CIO

Nearly half of business, security execs don’t know what to do after a data breach

Findings have implications on companies’ ability to meet reporting obligations under Notifiable Data Breaches scheme

Nearly half of Australian business leaders – and a third of IT security professionals – don’t know what to do if their business suffers a cybersecurity incident, according to a new survey that also highlighted industry’s chronic failure to notify customers when personal data was compromised in a cybersecurity attack.

The figures – drawn from Vanson Bourne-CyberArk’s Global Advanced Threat Landscape Report 2018 survey of more than 1300 IT security decision-makers and line-of-business owners in seven countries – suggest that businesses are still a long way from implementing the security practices they will need to comply with the new Notifiable Data Breaches (NDB) scheme when it comes into effect in February.

NDB requirements mean that businesses need to be ready to notify “individuals at likely risk of serious harm” after an organisation becomes aware of “reasonable grounds to believe an eligible data breach has occurred”. Yet if the NDB law was in effect today, the report found, just 47 percent of Australian businesses believe their organisation would be completely prepared to investigate a breach and notify affected customers in line with the guidelines.

Preparedness varied dramatically between sectors, with 67 percent of business and professional services respondents saying they would be completely prepared but just 29 percent of retail, distribution and transport companies believing the same.

The findings were in line with similar studies around preparedness for the European Union’s general data protection regulation (GDPR), which will come into effect in May and impose further onerous provisions on the protection of private data. The need for GDPR compliance is driving some employers to consider drastic measures to bring employees into line, and the CyberArk figures suggest that similar thinking may be necessary to ensure NDB compliance by February.

“Organisations are moving towards a cultural shift of managing their data more strategically,” Veritas ANZ managing director Louis Tague recently told CSO Australia. “The risk is well understood, and organisations are making inroads into understanding what their data looks like.”

Staff are unsure what to do

Even though some organisations may understand what their data looks like, many IT and business staff still have no idea how to protect it. Fully 42 percent of Australian respondents to the CyberArk survey said they do not understand their specific role if their organisation is hit by a cyber attack. This was ahead of the world average of 52 percent, but nonetheless portends a level of chaos from systemic failures once organisations try to launch an organised response to meet their obligations under the NDB scheme.

The importance of user education and buy-in was also accentuated by the finding that 41 percent said they do not have sufficient knowledge about security policies.

That finding is concerning not only on its own merits, but because 45 percent of Australian respondents said their organisation can’t stop every attempt to break into their internal network. This suggests that it is only a matter of time until staff are called upon to execute data-breach protocols – and shortcomings in user preparedness are laid bare for the world to see.

“Despite widespread concern about cyber security among line of business owners, adoption of security best practices remains glaringly absent,” the report’s authors noted.

“While there are areas of alignment with security IT leaders, gaps with line of business owners associated with cyber security awareness are unnecessarily exposing organisations to serious risks and could impact their organisation’s ability to effectively identify and respond to a breach.”

In many cases, poor preparedness has left customers in the dark even when their data was breached: fully half of respondents said their organisations did not fully inform customers when their personal data was compromised in a cyber attack. This echoes recent revelations about breaches at the likes of Yahoo! – which took years to disclose the full extent of its 3 billion-strong data breach – and Uber, which paid hackers to delete stolen data and didn’t reveal its late-2016 breach for nearly a year.

“As we’ve seen in incidents at Yahoo!, Uber and more, companies have a tendency to downplay breaches either through complete non-disclosure of events, or by only partially disclosing the extent to which systems and data have been breached,” CyberArk regional director ANZ Matthew Brazier said in a statement.

“If it continues, this approach will have tangible consequences in 2018…. What’s concerning about CyberArk’s findings is that poor security practices continue to be upheld, despite the increased awareness of cybersecurity risks and the prevalence of high profile cyber attacks in the headlines.”

Australian organisations were also more likely than their global peers to be exposed through concessions made to third-party providers. Fully 61 percent of local companies – compared with 51 percent globally – said they provide third-party vendors with remote access to their networks but 29 percent don’t monitor the activity of those third parties; this, despite findings that hackers often go after third parties to laterally gain access to a target company’s network.