CIO

Corporate Australia “foolish, naive or arrogant” in face of cyber threats, says expert

Security In Depth survey provides “damning condemnation” of companies’ approach

A review of the year’s cyber incidents and data breaches so far presents a “damning condemnation of corporate Australia”, says Michael Connory, CEO of Security In Depth.

In the first six months of 2019, 3,396 organisations have reported an attack, the true figure potentially being far higher considering many will be unaware they have been compromised, Connory’s report notes.

There have been 903 data breaches in 2019 to date, 450 of which were major enough to report to the Office of the Australian Information Commissioner, a huge increase on the previous six-month period.

Despite new legislation being introduced and adopted, such as the Notifiable Data Breaches act 2017 and the APRA Prudential Standard CPS 234, within major companies “sadly, very little has changed” in terms of their approach and response to cyber threats, Connory says.

“Taking into consideration the variables of these figures, they paint a disturbing picture for Australia and the failures of corporates and government to heed the warnings that have now become a tidal wave of despair,” the CEO said.

More than half (55 per cent) of Australian organisations have no cyber security governance in place, the Security In Depth survey of 1,894 businesses found. Some 38 per cent did not provide any cyber awareness training to staff, despite 71 per cent of breaches being the result of human error (90 per cent beginning with an email).

The survey – claimed to be the largest, most comprehensive cyber research project undertaken in Australia – found 63 per cent of local companies “have no idea” how to respond to a cyber incident. The majority (84 per cent) were found to “blindly trust third parties” with data holdings and didn’t review their maturity or security policies.

“The report is a sad and disturbing indictment of Australia as a country that either refuses to address the fastest growing problem globally or we are just simply foolish, naïve or arrogant to believe we don’t need to address this problem,” Connory said.

Some simple steps could help reduce the threat and impact of cyber incidents, Connory added, namely: improved training, better co-ordination and communication between the IT department and the rest of the organisation, and greater input from the board to improve cyber governance.