CIO

Plan of attack: Distance no defence in Australia’s cyber battleground

by Michael Warnock, Australia Country Manager for Aura Information Security

Australia’s geographical remoteness is no guarantee of cyber security in a tightly connected digital world. In fact, almost a third of IT decision-makers in research commissioned by Aura Information Security see Australia as a bigger target than other countries. Add that to the roughly half who say that Australia is as much a target as anywhere else and it’s clear that the days of complacency due to distance are over.

Or are they? Although 60 per cent of businesses expect the risk of cyber-attacks to worsen in the coming year, a fifth say that things will get better. Fully a quarter of businesses say that senior management doesn’t see cyber-security as a key concern — indeed, almost a quarter of Australian business decision-makers think Australia is less of a target than other countries. Those numbers are mirrored in our closest regional neighbour, New Zealand.

Debunking the defence of distance

For CSOs this is a worrying posture. Cyber-threats know no geographical boundaries, and they are not discouraged by oceans — where there’s a network and money to be made, criminals will be hard at work.

The research bears this out. Three in ten Australian businesses report having been the target of a cyber-attack in the past twelve months, and more than a third expect to be targeted in the year ahead. Often these attacks are directed at easy or “soft” targets: misconfigured hardware, or software that has been left unpatched and unsecured. Default passwords, anyone?
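The “soft target” indicators above (default or weak credentials, unpatched software, exposed management interfaces) are easy to audit for once an asset inventory exists. The following script is an added example, not code from the article or from Aura Information Security; the inventory, the list of factory credentials and the minimum version table are all constructed for illustration and are not vendor-authoritative. It rates each asset by combining the findings, so that an internet-exposed box with default credentials is surfaced ahead of an internal one with merely a short password.

```python
"""Audit a small asset inventory for 'soft target' indicators.

All reference data below is constructed for this example: the credential
pairs are commonly cited factory defaults, not an authoritative vendor list,
and the product names and version thresholds are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed list of well-known factory credentials (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}

# Constructed minimum patched versions; anything lower is treated as unpatched.
MINIMUM_VERSIONS = {
    "router-os": (7, 12, 0),
    "webapp": (2, 4, 1),
}

EXPOSED = "management interface internet-exposed"


@dataclass
class Asset:
    host: str
    product: str
    version: str
    username: str
    password: str
    mgmt_exposed: bool  # management interface reachable from the internet


def parse_version(version: str) -> tuple:
    """Turn '7.10.2' or '2.4' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def credential_findings(asset: Asset) -> list:
    """Flag factory defaults first, then the cheapest guesses an attacker tries."""
    if (asset.username.lower(), asset.password) in DEFAULT_CREDENTIALS:
        return ["default credentials"]
    if asset.password.lower() in {asset.username.lower(), asset.host.lower()}:
        return ["password equals username or hostname"]
    if len(asset.password) < 12:
        return ["short password"]
    return []


def patch_findings(asset: Asset) -> list:
    """Compare the installed version against the constructed minimum table."""
    minimum = MINIMUM_VERSIONS.get(asset.product)
    if minimum and parse_version(asset.version) < minimum:
        required = ".".join(map(str, minimum))
        return [f"unpatched {asset.product} {asset.version} < required {required}"]
    return []


def severity(issues: list) -> str:
    """Exposure multiplies the damage a credential or patch gap can do."""
    serious = any(i.startswith(("default", "unpatched")) for i in issues)
    if serious and EXPOSED in issues:
        return "critical"
    if serious:
        return "high"
    return "medium"


def audit(assets: list) -> dict:
    """Return {host: {'severity': ..., 'issues': [...]}} for assets with findings."""
    report = {}
    for asset in assets:
        issues = credential_findings(asset) + patch_findings(asset)
        if asset.mgmt_exposed:
            issues.append(EXPOSED)
        if issues:
            report[asset.host] = {"severity": severity(issues), "issues": issues}
    return report


# Constructed inventory: one clean asset and three soft targets of varying severity.
INVENTORY = [
    Asset("edge-router", "router-os", "7.10.2", "admin", "admin", True),
    Asset("branch-ap", "router-os", "7.12.0", "admin", "branch-ap", False),
    Asset("intranet-app", "webapp", "2.4.3", "deploy", "Correct-Horse-Battery-9", False),
    Asset("legacy-portal", "webapp", "2.3.9", "deploy", "Long-enough-passphrase-42", True),
]

if __name__ == "__main__":
    for host, result in sorted(audit(INVENTORY).items(), key=lambda kv: kv[1]["severity"]):
        print(f"{result['severity']:>8}  {host}: {'; '.join(result['issues'])}")
```

The version comparison is deliberately naive (numeric dotted versions only); real products need per-vendor parsing, and the credential check should be run against an actual login attempt or configuration export rather than a spreadsheet column, since inventories are rarely up to date.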

But there are multiple attack vectors in play, and not all of them target machines. More than a third of businesses report experiencing between one and five ransomware or phishing attacks per quarter, and for some businesses that number is higher. Often it is key executives who are targeted in this way. The defence against that kind of attack is staff training, backed by solid security practices throughout the organisation: training lowers the odds that someone clicks, but it cannot remove them, so the controls around that person have to limit what one bad click can do.

Let’s up our awareness game

Given the numbers, you might think that Australia’s security professionals would be preparing themselves for the onslaught. Budgets would be in place and high, and skilled staff placed at the battlements.

Well, that’s where it gets a little complicated. While seven out of ten businesses rate their organisation as either “mature” or “very mature” in its ability to defend against cyber-threats, and eight out of ten say they have policies and training in place to combat such threats, fewer than half are actually confident their defences would work.

In short, while they are aware of the issue and they think they’re doing something about it, they don’t think they’re doing enough. It’s time to up our awareness of this significant problem.

Worse, almost thirty per cent of businesses have not even assessed the effect that a major cyber breach would have on their organisation. Given the scale of the threat, that’s a staggering figure.

Build a case for more resources (and planning)

So what’s the problem? As always, it’s about resources — and the placement of those resources. More than 60 per cent of business decision-makers believe that Australia has a skills shortage when it comes to cyber-security, and 40 per cent believe that Australian businesses in general are less prepared than their international counterparts to defend against attacks.

The larger a business is, the more likely it is to regard cyber-security as a high priority. Take, for example, penetration testing — a necessity for any web-facing business. While 60 per cent of such businesses say they carry out regular penetration testing, a quarter say they don’t. Larger businesses — with 100 or more employees — report they carry out this kind of testing most regularly.

Even more worrying is the priority given to security in the development of web-facing applications. While 40 per cent of businesses wisely consider security at the design stage, before any coding commences, almost as many say it’s added in part-way through the process of building. A further 11 per cent say security is tacked on right at the end — just before go-live — and a mercifully small 4 per cent say they don’t consider security in the design of web-facing applications at all.

That kind of complacency is dangerous. It illustrates that, even with widespread understanding of the nature of the threat landscape, too many Australian businesses are not thinking about security as a business fundamental.

It’s time for CSOs to build strong business cases for an adequate level of resources and a culture of security planning.

Security is not something businesses can think about once a year and then adopt a “she’ll be right” stance on planning. It requires constant review at all levels of the business from the top down.