Australian companies ramping up cyber security measures

29 April 2020

A study by BDO and AusCERT has examined the state of cyber security in Australia, finding that Australian companies continue to ramp up their cyber security efforts amid an increasingly risky environment. The threat from insiders and the use of personal devices for professional activity is accelerating on the back of the Covid-19 crisis.

The professional services firm teamed up with the cybersecurity body to survey around 500 IT business leaders, finding, not surprisingly, that cyber security is already a top priority for many. Australia is undergoing a phase of rapid digitalisation, which brings with it a number of vulnerabilities as organisations come to terms with the expanding risk profile.

Notably, the authors found a shift in attitudes towards cyber security. Where organisations previously saw cyber security as a short-term challenge that could be solved with isolated investments in technological safeguards, they now perceive it as an underlying principle to be incorporated in most business developments.

Cyber security incidents: 2016-2019

“Decision makers are focussing less on ‘silver-bullet’ technology solutions and more on establishing enterprise-wide processes to better prepare their companies for cyber incidents. Our latest research shows companies with more senior stakeholders involved in cyber security adopt a more holistic approach to effectively managing cyber risk – and it’s paying off,” explained Leon Fouche, the leader of BDO’s Cyber Security practice in Australia.

So attitudes are moving in the right direction. The challenge then emerges of identifying the most likely sources of potential cyber threats. This is where the researchers find most businesses are missing the mark. This is best exemplified by the issue of phishing – fraudulent email communications that draw out sensitive information. The survey found that most organisations underestimate phishing as a threat.

A similar scenario emerges in the sphere of insider faults as a cause of cyber breaches. Businesses are well aware of the fact that staff can cause breaches without malicious intent, simply by accessing their data from a variety of personal and professional devices.

This was already a threat prior to the Covid-19 crisis, but as the whole business environment transitions to ‘work from home’ conditions where digital platforms become central, this threat is now more pronounced than ever. BDO finds that businesses view insider faults as a bigger threat than malicious attacks from cyber criminals.

While insider faults are doubtless a significant threat, data from the Office of the Australian Information Commissioner reveals that 60% of the data breaches recorded between April 2018 and March 2019 were actually the result of criminal attacks with malicious intent.

Five recommendations

According to Fouche, the challenge for businesses is that the source of cyber threats is never constant, and their ever-changing nature makes it hard for organisations to develop a cyber security framework. Nevertheless, the researchers identify five measures that businesses can take, on the premise that adopting these best practices can make operations over 30% more resilient to cyber incidents.

Rates of Control adoption - 2016-2019

The first of these is to appoint a Chief Information Security Officer (CISO), which signals an organisation’s commitment to leadership and ensures cyber resilience throughout every aspect of its operations. BDO found a dramatic increase in the number of CISOs between 2018 and 2019: a 46% jump, and the number has now doubled since 2016.

The establishment of Security Operations Centres (SOCs) is another key measure. SOCs are dedicated hubs that are designed to detect, contain and recover from cyber threats. The third and fourth key controls are aimed at minimising insider faults through cyber security awareness programmes for staff and third party/vendor risk assessments for other stakeholders. The last key measure is to devise cyber security incident response plans, which entails deploying SOC capacity for damage control.

Organisations appear to be increasingly engaged in the last phase as well, with a more than 30% increase in cyber insurance reported. As the business environment grapples with the additional and unpredictable digital threats brought about by Covid-19, the market for cyber insurance is forecast to grow further.