CIO

Aussie businesses hit with ransomware and regulatory fines

Half of the 1,300 IT decision makers responding to a study received fines for being in breach of new legislation in the past two years

Businesses are having a hard time ensuring compliance with regulatory obligations and securing themselves against ransomware, a Telstra report shows.

Half of the 1,300 IT security decision makers and c-suite execs across various industries who responded to the Telstra Security Report 2019 said they received fines for being in breach of new legislation in the past two years. The same number also said they paid a ransom to cybercriminals for ransomware.

The report found that awareness and understanding of the strategic importance of security has increased, with 84 per cent of Australian companies saying they will increase security budgets, currently averaging over $900,000 per year, in the next one to two years to combat security threats.

It also found that Australian businesses are better prepared than ever for cyber-attacks, with incident response plans in place at 77 per cent of local businesses. Respondents with a plan are reviewing and testing it on a monthly basis, compared to last year, as businesses shift to an ‘expectation of breach’ mentality.

The introduction of new regulations, such as the Notifiable Data Breach Scheme in Australia and the European Union’s Global Data Protection Regulation, as well as several high-profile privacy breaches, has driven c-level and senior management interest in security. One-third of Australian respondents said the frequency of meetings with senior stakeholders has increased.

Top findings:

  • 89 per cent of Australian businesses estimate that breaches went undetected - up 12 per cent since 2018
  • This contrasts with 74 per cent of Australian businesses believing they have strong systems in place to verify when an incident has occurred
  • 65 per cent of Australian businesses interrupted by a breach - up 5 per cent since 2018
  • 55 per cent of Australian businesses said they received fines for being in breach of legislation enacted in the past two years
  • 48 per cent of Australian businesses experienced a security attack in the past 12 months
  • We are more prepared than ever for cyber-attacks with incident response plans in place at 77 per cent of local businesses
  • 34 per cent of Australian respondents review and test their incident response plan monthly as businesses move to an ‘expectation of breach’ mentality
  • 27 per cent of organisations take weeks, months or years on average to detect a security incident or breach
  • 84 per cent of Australian organisations spend up to 20 per cent of their overall IT budget on security
  • Among the subset of organisations interrupted due to a security breach, 81 per cent of Australian businesses experienced a ransomware incident within the past year; 51 per cent of Australian organisations who experienced ransomware paid the ransom
  • 44 per cent of Australian respondents identified C-level executives were ultimately held responsible in the event of a cyber security incident
  • Human error or a targeted attack on an employee are cited as the highest risks to IT security by 36 per cent of respondents.