How Australian, NZ firms have pivoted to address cyber security threats

Firms have made cyber security more strategic, but struggle to identify the key actual threats in a changing landscape

Australian and New Zealander enterprises have shifted how they address cyber security threats, moving away from “silver bullet” approaches such as installing off-the-shelf technologies and instead revamping their organisation-wide governance processes to achieve “cyber resilience”.

That's the finding of a 2019 survey released today by business advisory firm BDO and AusCERT, the nonprofit cyber emergency response task force in Australia.

How Australia and NZ firms have adapted their security strategies

The survey’s key findings on how Australian and New Zealander firms have adapted include:

  • Cyber insurance has increased 31 per cent, as companies realise that they will be compromised and the costs can be steep to recover from those successful attacks.
  • There are 46 per cent more CSOs/CISOs than in 2018, and double what there were in 2016, as companies prioritise cyber security at a higher level of management.
  • Governance practices have taken an increased focus. These are the top five controls being implemented as part of that shift to governance: establishing a CSO/CISO position, establishing a security operations centre (SOC), establishing a security awareness program, and assessing the risks from vendors and other third parties.

Where Australian and NZ firms fall short on cyber security

But the report also showed significant improvement is needed by security organisations in both countries:

  • The number of data breaches involving contact information increased 56 per cent from the prior year. Of the 964 eligible breach notifications received by the Office of the Australian Information Commissioner (OAIC), 60 per cent were from malicious or criminal attacks.
  • Security organisations in Australia and New Zealand don’t have a strong understanding of where the threats are. In 2018, respondents predicted that data loss and theft of confidential information would be the top threats in 2019, whereas the actual top threats were phishing and targeted malicious emails.
  • Also, security organisations significantly underestimated the threat of accidental disclosures of confidential information, as well as of intentional insider threats. Both forms of insider threats occurred about twice as often as security organisations had predicted. BDO suspects the reason for overestimating external threats came from a focus on the Notifiable Data Breach (NDB) scheme that came into effect in Australia in 2018.

How cyber security threats are evolving

In terms of the evolving cyber threat landscape, the survey found:

  • Phishing attacks are increasingly focused on business email compromise (BEC) attacks and the dissemination of malware into organisations.
  • BEC attacks are increasingly aimed at getting staff to send payments to thieves masquerading as company executives or business partners.
  • Ransomware incidents are decreasing, despite some recent high-profile incidents. Australia and New Zealand were especially hard hit during the global ransomware peak in 2017.

Copyright © 2020 IDG Communications, Inc.