Sydney, 7 November 2018 – Almost one in three businesses believe Australia is more at risk of cyber- attacks than the rest of the world, and the majority aren't "very confident" they could stop a breach, a new survey commissioned by Aura Information Security – the independent security division of mission-critical technology solutions provider Kordia – has found.
The survey of 307 Australian IT and security executives demonstrates the considerable uncertainty faced by businesses in trying to combat cyber security threats.
While some leaders are confident they are on top of cyber security with the tools, policies and budget to be successful, others are unsure their planning and posture is strong enough to ward off an attack – or at least an attempted one.
The survey also shows those that have been attacked are not confident they can avoid being hit again. Half of CEOs, general managers and operations executives say they have been subject to a cyber-attack in the past 12 months, and they are also the respondents most expecting to be the target of an attack in the next 12 months.
According to the survey, 29 percent of executives believe that Australia is more at risk than the rest of the world when it comes to cyber-attacks, and a further 48 percent say Australia is at "the same risk" as other countries.
Perhaps surprisingly given the interconnected nature of the world, 23 percent of executives think Australia is at less risk of attack than other countries. This appears to be a perspective shared by other regional executives; a similar survey commissioned by Aura Information Security in New Zealand found 33 percent of executives there shared this view.
"Organisations should avoid getting too complacent about the risks of an attack. Threat actors operate across geographic boundaries and often look for targets with easy points of entry, such as unsecured, unpatched or misconfigured hardware," says Michael Warnock, country manager for Aura Information Security in Australia.
Just over 40 percent of respondents believe Australia’s cyber security practices are lagging behind the rest of the world. The same amount, however, believe we are on par.
Other topline results include:
- Breach prevention: Australian businesses are mature when it comes to education and awareness, with 80 percent saying they have policies or training in place to prevent cyber breaches. Despite this, less than half (47 percent) are very confident these policies and training will prevent a breach.
- Slow security budgets: Over 70 percent of businesses allocate 15 percent or less of their total IT spend to security; 14 percent of respondents spend less than five percent. In recognition of the growing threat, 72 percent say they intend to raise their budgets.
- Personal targets: CEOs and general managers are disproportionately targeted by phishing and ransomware attacks, with over half of these survey respondents revealing they had been personally targeted. On average, 34 percent of all business managers and above reported being targeted in the past year.
- Data breach notification: 71 percent of businesses support the existence of the national mandatory data breach notification scheme, and 36 percent have had to report under it so far. Almost two thirds said the data breach scheme prompted them to re-assess their cyber security policies. Still, not everyone is completely committed: 17 percent of Australian organisations would try to hide a breach from their customers or clients.
- Pen testing: Six in ten Australian businesses carry out some form of penetration testing. Regular testing is most common in organisations between 100 and 200 staff in size.
- Secure by Design: In the web app design process, 41 percent of businesses take security into account at the earliest planning stages of the project. A further 37 percent admit to baking security in "midway through", while only 11 percent treat security as an afterthought.
“With attacks on the rise it’s becoming increasingly crucial that businesses get the cyber security basics right. Employee training, regular penetration testing of web-facing applications and cyber- attack simulations are just some of the things that should be on the priority list,” Warnock notes. “Cyber security is not something that a business can assess once a year, it requires constant review and consideration by all parts of the business – from the top down,” he concludes.
About the survey
Aura Information Security commissioned Perceptive to undertake a quantitative research project focused on cyber security. An online survey of 307 business IT decision makers from organisations with over 20 employees in Australia was conducted between September 7th and September 11th 2018.
To qualify, respondents had to be a decision maker regarding IT or information security within their company; hold a management position or higher; and work in an organisation with 20 or more employees.
About Aura Information Security
Founded in 2006, Aura Information Security is a leading provider of information security consulting services to corporates and government. Headquartered in Wellington, and with staff in Auckland, Sydney and Melbourne, the Aura team consists of a range of industry experts – all of which have been hand-picked for their individual talent and expertise. Aura was acquired by Kordia, a leading provider of mission critical networks and technology solutions in Australasia, in November 2015. www.aurainfosec.com