CIO

Security role models: The pressure is on for the ASX 200

By Tod Beardsley, Director of Research at Rapid7

Security is hard. There’s a lot of noise and pressure for businesses to get it right. But it requires a fine balance between getting the security basics right on limited budgets and doing so without creating friction or hindering innovation for the rest of the business.

We only need to look at the struggles of very large, mature, and well-resourced ASX 200 organisations to understand just how difficult it is.

Recent technical research unveiled how, even among the largest public companies in the country, cybersecurity basics are being overlooked or deployed insufficiently. On average, ASX 200 organisations expose a public attack surface of 29 servers and devices that should not be internet-facing, with many exposing more than 200.

Those organisations that expose a large number of vulnerable internet services or make suspicious outbound connections will have a commensurate increase in their overall attack surface.

It’s no secret that phishing is a leading cause of cyber incidents. Yet, the same research showed that 67 percent of Australia’s leading public companies have weak or non-existent anti-phishing defences in the public configuration of their email domains.

This is supported by the Notifiable Data Breaches Scheme 12‑month Insights Report released by the Office of the Australian Information Commissioner. According to the report, “phishing and spear phishing continue to be the most common and highly effective methods by which entities are being compromised—whether large or small...” In total, 153 data breaches in Australia were attributed to phishing between 1 April 2018 and 31 March 2019.

It’s clear that even with the most comprehensive security resources, organisations are not entirely infallible or bulletproof.

In fact, ASX 200 organisations have the hardest job to stay secure. They are significantly larger, have more employees and legacy infrastructure, and tend to have challenges with shadow IT (where individuals or teams set up rogue systems like email infrastructure and messaging platforms).

While all organisations are exposed to a basic level of cyber risk, the ASX 200 are faced with more unique, targeted and enhanced threats because their high-value assets, such as intellectual property and computing power, are worth stealing.

This is in comparison to small-to-medium businesses (SMBs) where security resources are far more limited. In this category, many choose the simpler path of hosting all their infrastructure in the cloud with a reliable, secure, top-tier cloud service provider such as Google Cloud, Microsoft Azure, or Amazon Web Services.

So, should we be looking to ASX 200 organisations to set a security standard?

The reality is that, in the wake of data privacy regulations and increasing cybersecurity awareness, addressing cyber risk has become essential for any successful business. For the sake of their reputation and longevity, ASX 200 organisations would be wise to take their position as role models seriously. 

Here are some simple security strategies:

  1. Borrow established policies: Leveraging security materials like the Protective Security Policy Framework developed by the Australian government can be useful to help set security guidelines within the company. It helps avoid the need to reinvent the wheel, as these policies have already been designed and tested by government.
  2. Update and maintain web servers: Consistent version control and maintenance of web servers such as Microsoft’s Internet Information Services (IIS), Apache HTTPD, and nginx is critical to maintain a strong security posture. It’s possible to run older versions securely, but more important to ensure consistency across the environment so that future upgrades are simple.
  3. Install anti-phishing defences: One of the easiest – and free – strategies is introducing an anti-phishing defence such as DMARC configuration into the environment. The shortfall, however, is that this can be time-consuming, and the opportunity cost of not carrying out other activities can be significant.
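What "weak or non-existent" DMARC configuration actually looks like in the published DNS record can be shown with a small parser. The example below is added here and is not code from the article or from Rapid7: the domain names and records are constructed samples, no DNS lookup is performed (the record would normally be read from the TXT record at `_dmarc.<domain>`), and the rule that treats `p=none` or a partial `pct` as "weak" is this example's own threshold, not a definition taken from the research.

```python
"""Classify a DMARC TXT record as non-existent, weak or enforcing.

Added example, not from the article or Rapid7. Sample records and domains are
constructed; the weak/enforcing thresholds are this example's assumption.
"""

# Constructed sample records keyed by a hypothetical domain name. A real
# checker would fetch the TXT record at _dmarc.<domain>; the lookup is left out
# so the example runs offline.
SAMPLE_RECORDS = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforcing.example",
    "malformed.example": "p=reject; v=DMARC1",  # v tag must come first
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Returns None when the record is not a valid DMARC record: RFC 7489
    requires the first tag to be v=DMARC1 and a p tag with a known policy.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first = record.split(";", 1)[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify(record):
    """Map a record to 'non-existent', 'weak' or 'enforcing'.

    Assumed thresholds for this example:
      * missing or unparsable record                      -> non-existent
      * p=none, or quarantine/reject applied to <100% of
        mail via pct (monitoring only / partial rollout)  -> weak
      * p=quarantine or p=reject at 100%                  -> enforcing
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "non-existent"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unreadable pct is treated as not enforcing
    if policy == "none" or pct < 100:
        return "weak"
    return "enforcing"


def summarise(records):
    """Return counts per classification, the shape a fleet-wide report would take."""
    counts = {"non-existent": 0, "weak": 0, "enforcing": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify(record)}")
    print(summarise(SAMPLE_RECORDS))
```

Run over a list of an organisation's own sending domains, the `summarise` output is the same kind of figure the research reports: how many domains are merely monitoring (`p=none`) versus actually instructing receivers to quarantine or reject spoofed mail. Moving from `p=none` to `p=reject` is where the time cost the article mentions sits, because every legitimate sender has to be aligned first.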

Big or small, organisations with an online presence have an ethical obligation to be safe and secure role models, and good actors to internet neighbours. Failing to do so not only puts the organisation at risk of becoming a victim of a cyberattack, but their victimisation can have knock-on effects in their wider supply chain.