Phishing attacks were by far the biggest security threats faced by Australian businesses during 2018, according to a new survey that confirmed companies continue to be under siege from ransomware, business email compromise (BEC) and password compromise attacks.

“Phishing by far remains one of the biggest threats that we typically observe,” reported one respondent to a recent survey conducted by CSO LogRhythm - The CSO Security Capabilities Survey 2019, which polled 100 Australian information-security leaders between February and April.

Ransomware, which is usually installed as a result of a phishing compromise, was called out as being particularly worrisome. “I get the cold sweats just thinking about this plague on the world,” one respondent admitted. “It is still, in my opinion, the worst threat to our systems and by far the most damaging.”

Despite such fears, the survey revealed that Australian security leaders are struggling to keep up with a rising climate of cybersecurity compromise, often taking weeks to detect – much less deal with – security breaches. Some 54.7 percent of respondents said they were able to detect their last security incident within hours and 23.2 percent said it took just minutes to detect. Yet a further 15.8 percent said it had taken them up to a week to detect their last security incident – and 6.3 percent had taken longer than that.

These delays raise serious issues for Australian businesses, which since the introduction of the Notifiable Data Breaches (NDB) scheme in early 2018 have been under legal obligation to detect and report on breaches as quickly as possible. After all, if entities cannot detect and evaluate a data breach quickly, the protections put in place by the Privacy Act and NDB scheme offer little chance of remediating the damage those breaches cause.
Skills and people – real or virtual

Yet with obligations around reporting and compliance continuing to increase, many organisations are struggling to get any more performance out of staff that are already stretched to breaking point. Despite strategies for managing and leveraging security staff, qualified security people are increasingly difficult to attract and hire, and are being increasingly overworked as the cybersecurity threat steadily escalates.

“People can only respond to so many threats,” one respondent noted, “however this is unscalable.”

This dynamic had pushed security practitioners to review their processes and implement drastic measures to keep abreast of threats. Fully 52.1 percent of respondents said they are streamlining their security technologies to reduce the complexity of their environments for their people, and most of those – 48.9 percent – were turning to automation to help their staff move away from security monitoring to focus on other tasks.

Fewer than 1 in 3 respondents said they were focused on hiring the best talent to manage their security staff – reflecting the complexity of getting good security staff in today’s market. Others said they were variously focusing on managed services, careful application of software updates, application of security awareness programs, implementation of “proper” incident response plans, and extensive training and upskilling of their people.

The promise of AI and automation

Automation has been increasingly flagged as being crucial for rapid detection and response of cybersecurity incidents, and the survey revealed that Australian companies are still at a broad range of maturity levels when it comes to adopting the capability.
Around half of respondents said they had applied automated incident detection and response (IDR) to less than half of their infrastructure, while 15.8 percent said they had successfully rolled out automated incident detection and response capabilities across their entire infrastructure.

Automation has long been identified as a crucial capability for helping businesses scale up their cybersecurity efforts, with IDC adjunct research analyst Mike Chapple noting that the increasingly important capability “serves as a force multiplier by taking routine tasks off the plate of the cybersecurity team and allowing specialists to focus their effort on adding higher-level value to the organisation.”

Some respondents were well aware of this, citing the importance of using AI to reduce workloads on existing staff. “These tools can provide automated rule sets to determine what course of action can be taken in emergency situations, and identify any toxic combinations of access,” one respondent said. “It is an uphill battle to ensure that these tools are correctly configured and up-to-date.”

Yet adoption of automation is still in its early days: 17.9 percent of the survey respondents said they had only deployed automation to less than half of their infrastructure, and 13.7 percent had not yet rolled out automated IDR at all. This suggests there is still a long way for Australian businesses to go when it comes to deploying the cybersecurity scalability to match the growing demands of digital transformation.

“Data security is an important element of all types of business,” one respondent said.
“Entities must also implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected information.” “In addition, the digital transformation is essential for all organisations if they wish to survive in a highly competitive market.”

Budget – and getting enough of it

With many competing priorities and challenges, CISOs must continually walk the line between security and insecurity. In the past, this has often been a lonely path – but with increasing recognition of cybersecurity as a business priority, many security practitioners report greater involvement from executives and budget increases that come with it.

A key goal for 2019, one respondent said, was “board awareness to spend money instead of being ignorant around company threats.” Some companies were already responding with stronger support – fully 44.2 percent of respondents said their security budgets would increase by 5% or more in 2019 – although an almost equal percentage (46.3 percent) said their budget would stay the same. A few reported budgets that were increasing by 15 percent, 30 percent, or even doubling – suggesting a sudden heightened awareness of the increased risk that businesses now face.

Asked what risks they face this year, respondents offered a bevy of concerns. Commonly identified issues such as malware and zero-day threats, identity theft, business email compromise, data loss, poor patching, credential theft, and data exfiltration were frequently named. However, respondents also cited concerns with a growing risk of nation state-sponsored attacks; web site hacks leading to theft of customer information; man-in-the-middle WiFi attacks; cryptojacking; cloud security breaches; malicious mobile apps; insecure third parties; and Internet of Things devices.
“Attackers will live off the land using inbuilt tools to avoid whitelisting and malware detection,” one respondent said, noting that they expected “more attacks against web applications and users to obtain a foothold or credentials.”

The broad spectrum of responses confirms that security executives are facing a steady onslaught of attacks that target access credentials, weaknesses in devices, and potential weaknesses in the extended connectivity chains that cloud computing and managed service provision have created.

“Cyber attacks are increasing and data theft has been a trend in the IT industry,” one respondent said. “Data breaches are being done from inside the organisation as well, thereby compromising the company’s stake in the market. Disaster is a key potential threat for the company.”

Automation was flagged as a particular threat, since it allows compromises without even requiring human effort on the attacker’s side: one respondent said they were worried about “automated malware workflows that pursue phishing and credential abuse to implement BEC, lateral movement, ransomware and data exfiltration.”

Controlling this would expose businesses to inadequate processes for “managing identity and cloud security,” yet another respondent noted, “as there is a continued push to move services to the cloud, and support not only internal colleagues but data sharing overseas, between third party vendors, and clients. All the while, ensuring that the right people are getting access to the right content, and privileges/access rights are not being exploited.”

Eyes on the prize

That’s a tall order for any security executive – but it has become the everyday challenge as a growing climate of complexity rewrites the rules of security.
Asked how they would meet the threats they face in 2019, respondents were reaching into every corner to find the technologies and skills they would need to most effectively fight the battles ahead of them. Better email and Web security gateways, AI-based endpoint security systems, stricter control over user access rights, SIEM systems, application whitelisting, tools for secure coding, and offline backups were just a few of the tools being eyed off as critical for improving the organisations’ cyber protections.

Yet for all the importance of security technology, one of the most consistently cited goals for this year was to improve user education, training, and engagement – for all staff. Many respondents cited the need for better awareness or more awareness, while one respondent said it was important to have “more focus on making it real” for users.

“We need a security awareness training package that actually engages people,” one respondent said, “and doesn’t make them focus on what to click to finish.”

The CSO Security Capabilities Survey 2019 was conducted by CSO LogRhythm to help us get a better understanding of our level of Capabilities in the ever-evolving threat-landscape that is Cyber Security.