BDO Australia and BDO New Zealand, in partnership with AusCERT, conducted the second annual Cyber Security Survey with more than 500 board, business and IT executives across Australia and New Zealand. The BDO and AusCERT 2017/2018 Cyber Security Survey delivers insights into the cyber resilience and maturity of Australian and New Zealand businesses for the second year in a row. This annual survey gives organisations the opportunity to benchmark themselves against their peers and equips them to ask the right questions about how to improve their cybersecurity environment. The resulting report contains valuable benchmarking data, identifying the current state of play in the local cyber landscape and capturing views on what may lie ahead. The report also reveals the cybersecurity risks and realities faced by Australian and New Zealand businesses across a range of organisation sizes and industry verticals.
The main trend observed in this year’s report is that attitudes and adoption have both shifted in favour of cybersecurity best practice. However, still only 56 percent of organisations have a cyber incident response plan in place, a slight increase from 48 percent last year. The survey also found that the top three cybersecurity incidents experienced by Australian and New Zealand organisations were ransomware (17.8 percent), phishing (19.3 percent) and malware (17.9 percent). Thirty percent of respondents were affected by a cyber incident of some kind, and it is important to note that these incidents were not confined to large corporations: the survey found that almost 18 percent of small- to medium-sized businesses were impacted by a cyber incident. A cyber incident can come at a great financial and reputational cost to the business, yet only 37 percent of survey respondents had cyber insurance cover.
New Legislation Creates Real and Significant Penalties for Businesses
Since the 2016/2017 Cyber Security Survey Report, it has been revealed that Equifax, Uber, Facebook and Cambridge Analytica compromised the personal information of more than 150 million users. It is understandable, then, that the general public’s expectations of organisations protecting their privacy have never been higher. This level of government and public scrutiny brings cybersecurity to the attention of boards and executives. It can no longer be regarded as simply an IT activity – cybersecurity now needs to firmly reside as an embedded part of organisational risk strategy, and this change is occurring.
Governments are starting to make businesses accountable for protecting their data. In May 2018, the European Union (EU) General Data Privacy Regulation (GDPR) came into effect. Companies in the EU will be required to demonstrate compliance, while companies doing business with, or in the EU, or marketing goods and services to EU residents, must comply with the new regulations or risk facing heavy fines and criminal penalties. Even companies that are not located in the EU may be impacted, as their EU client companies and suppliers may require compliance as a condition of continued business.
In Australia, the Privacy Amendment (Notifiable Data Breaches [NDB]) Act 2017 became effective in February this year. Despite financial penalties for non-compliance – up to $420,000 for individuals and $2.1M for organisations – this year’s Cyber Security Survey found that more than a third of respondents did not know whether their organisation must comply with the notifiable data breaches scheme. Australian businesses need to be acting now to have cybersecurity practices and processes in place, should they be required to report any actual or perceived breach to the regulator once the legislation comes into effect.
Leadership and Strategy are Important Roles
Most of these regulatory changes will require business owners and leaders to take accountability for their cybersecurity arrangements and to provide leadership and direction for ensuring compliance with regulatory changes. Increasingly, boards and executives play an important role in ensuring cyber resilience within their organisations. The results from this year’s survey show that business owners and executives recognise the importance of cybersecurity, which is evident in improvements noted on a number of leadership-related activities from prior years: a 17 percent increase in the adoption of cyber risk reporting to boards, an 18 percent increase in the adoption of cybersecurity awareness programs and a 29 percent increase in the adoption of CISO roles.
Phishing and Email Attacks are on the Rise
Phishing and email attacks are still the most prevalent form of cybersecurity incidents affecting respondents, followed by ransomware and malware coming in a close second and third. Email is the primary online method used for communications and information sharing for private and business users. Symantec reported that in 2017, 55 percent of all emails sent were spam and that phishing emails are the most widely used infection vector employed by 71 percent of all threat actor groups. The BDO survey found similar trends for Australia.
Over the past year, Business Email Compromise (BEC) scams have grown more prevalent and sophisticated. In these scams, the cybercriminals use social engineering tactics to trick employees authorised to request or conduct wire/bank transfers. Fraudsters usually spoof or hack the emails of senior executives at the organisation and use email to instruct lower level employees to conduct a bank transfer to a fraudulent account (aka CEO fraud). In other forms of BEC, the criminals compromise the email of a finance officer and request invoice payments from vendors to their own bank accounts. Scammers can also pose as a supplier to the organisation and request a wire transfer to a fraudulent account (aka bogus invoice scheme).
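The three BEC variants described above share a handful of observable signals on the receiving side: an executive's display name paired with an external or free-mail address, a sender domain that is one character away from the organisation's own, a Reply-To that points somewhere other than the From address, and payment or urgency language in the subject or body. The following script is an added example, not part of the BDO/AusCERT report, that scores inbound messages on those signals. The executive list, internal domain, free-mail list and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's own domain,
# the executives most likely to be impersonated, and common free-mail domains.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Phrases that typically accompany CEO fraud and bogus invoice requests.
PAYMENT_TERMS = ("wire transfer", "bank transfer", "invoice", "urgent", "account details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. CEO fraud: a known executive's name on a non-internal address.
    if " ".join(name.lower().split()) in EXECUTIVES and domain not in INTERNAL_DOMAINS:
        findings.append("display-name impersonation")
    # 2. Executives rarely write from free-mail accounts.
    if domain in FREEMAIL_DOMAINS:
        findings.append("freemail sender")
    # 3. Bogus invoice / supplier impersonation from a lookalike domain.
    for internal in INTERNAL_DOMAINS:
        if domain != internal and edit_distance(domain, internal) <= 2:
            findings.append("lookalike domain")
    # 4. Replies silently redirected to an attacker-controlled mailbox.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to mismatch")
    # 5. Payment or urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg.get("Subject") or "") + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment language")

    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real traffic).
CEO_FRAUD = (
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "I am in a meeting, please process this transfer today and confirm.\n"
)
BOGUS_INVOICE = (
    'From: "Accounts Payable" <ap@examp1e.com>\n'
    "To: finance@example.com\n"
    "Subject: Updated invoice bank details\n\n"
    "Our bank account has changed; please pay the attached invoice to the new account.\n"
)
LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "To: team@example.com\n"
    "Subject: Team lunch\n\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for sample in (CEO_FRAUD, BOGUS_INVOICE, LEGITIMATE):
        print(analyse(sample))
```

The two-indicator threshold is deliberate: a single signal (a supplier that genuinely uses Gmail, an internal mail mentioning an invoice) is common in legitimate traffic, whereas combinations such as an impersonated executive plus urgent payment language are what the finance team should be trained to escalate rather than act on.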
The Visibility of Risk is Improving
One of the most important components of a successful cyber resilience program is a clear, end-to-end understanding of cybersecurity risk. Compared to last year’s survey, this year’s survey showed a year-on-year increase in the adoption of practices that give visibility of cybersecurity risk:
- Adoption of cloud security standards increased by 7 percent from the previous year.
- Adoption of third party/vendor risk assessments increased 20 percent from the previous year.
- Adoption of IT/cybersecurity standards/baselines for third parties increased 18 percent from the previous year.
- Adoption of regular cybersecurity risk assessments increased 18 percent from the previous year.
- Adoption of a process to identify critical systems and data increased 14 percent from the previous year.
- Adoption of an IT/cybersecurity policy increased 12 percent from the previous year.
Our Predictions for the Coming Year
Despite the view from survey respondents, phishing, ransomware and malware remain a concern. We believe that ransomware will continue to be successful due to its effectiveness in extorting money out of corporations. We also anticipate an increase in wiper-based malware masquerading as ransomware, aiming to disrupt businesses.
Survey respondents indicated that they expect to see an increase in data breach-related incidents. With the implementation of the Australian NDB scheme and the EU’s GDPR, we expect to see more organisations report data breaches. Whilst there might be initial difficulties in adopting these changes, compliance with these regulations is raising awareness of data leaks and privacy concerns for corporates and individuals, and we look forward to seeing improved maturity over the coming year.
Finally, we expect more organisations will invest in staff education and training, as staff are often the weakest link within the organisation.
We are seeing more boards and management teams requiring specialist training on cyber risk management, which we predict is likely to increase further this year. We are also expecting to see larger and more mature corporates and multinational organisations provide basic cybersecurity risk assessment training to their suppliers and service providers in an effort to improve the security maturity of their supply chain.