One in two Australian businesses estimated that they received fines for being in breach of new legislation in the past two years, and nearly two-thirds of Australian businesses fell victim to a security breach last year, according to new Telstra research.
The 2019 Telstra Security Report, released today, found that awareness and understanding of the strategic importance of security has increased, with 84 per cent of Australian companies saying they will increase security budgets, currently averaging over $900,000 per annum, in the next 12 to 24 months to combat security threats.
The research found Australian businesses are better prepared than ever for cyber-attacks, with incident response plans in place at 77 per cent of local businesses. Of the respondents with a plan, more are reviewing and testing them on a monthly basis compared to last year as businesses shift to an ‘expectation of breach’ mentality.
The introduction of new regulations, such as the Notifiable Data Breach Scheme in Australia and the European Union’s Global Data Protection Regulation, as well as several high-profile privacy breaches, has driven C-level and senior management interest in security, with one-third of Australian respondents saying the frequency of meetings with senior stakeholders has increased.
“Against a backdrop of more frequent and sophisticated attacks and the introduction of new regulations that force the public disclosure of breaches, companies are now more aware of the threat of reputational damage and the erosion of customer trust caused by cyber breaches,” said Michael Ebeid, Group Executive, Telstra Enterprise.
“Our research found that customer concern around data privacy has increased within the past year according to 38 per cent of respondents, which compares to 46 per cent globally.”
Human error major risk factor
According to the report, a major source of risk to IT security is human error, which is often caused by inadequate business processes and by employees not understanding their organisation’s security policies. Human error or a targeted attack on an employee were cited as the highest risks to IT security by 36 per cent of respondents.
Detecting data breaches
The ability to detect incidents in a timely manner and respond to them effectively is still the number one challenge for Australian companies when managing electronic security.
Alarmingly, 19 per cent of Australian respondents surveyed estimated that more than half of the data breaches impacting their company went undetected altogether in the past year. This is despite 74 per cent of Australian businesses believing they have strong systems in place to verify when an incident has occurred.
While Australian businesses are faster at detecting breaches than international counterparts – 62 per cent of the local respondents that experienced a breach indicated they were able to detect a breach in minutes or hours compared to 50 per cent globally – businesses are still taking too long to detect and contain an incident or breach.
While ransomware is still pervasive and profitable for cyber criminals, it is encouraging to note that most potential victims have adopted policies and safeguards against such attacks. These incidents, however, are just as prevalent this year as last year.
Among Australian respondents that reported being interrupted due to a security incident in the past 12 months, 32 per cent indicated interruptions on a weekly or monthly basis due to ransomware attacks.
The research shows that, increasingly, paying the ransom does not guarantee a retrieval of data. More than half of Australian businesses that experienced ransomware in the past year reported paying the ransom, compared to 47 per cent the previous year. Of those that paid, 77 per cent were able to retrieve the data, compared with 86 per cent the year before.
If attacked again, 79 per cent of those who paid the ransom would consider paying again if there was no back-up for the impacted data.
The 2019 Telstra Security Report’s outlook for the future is that security will continue to be a top strategic focus for Australian businesses and increased investment in security will reflect this prioritisation. New compliance measures will also drive increased investment, particularly in automating processes and in demonstrating that all necessary precautions are taken to prepare for events.
There is also the much broader security landscape to consider when managing cyber and electronic security. The more devices that become connected, the broader the security footprint becomes. This also brings the opportunity for new technologies to improve end-to-end visibility and better management of security risks.
“As security threats become more sophisticated, companies must stay vigilant in order to protect themselves and customers, and to take full advantage of an increasingly connected world,” said Mr Ebeid.
“Businesses must look for ways to help prepare for sophisticated emerging threats as part of their security strategy.”
Telstra’s Security Report outlines general best practices for businesses to consider as part of their security strategy. They include having multi-layered defences, conducting constant architecture reviews, ensuring employees are aware and trained to improve security resiliency, and following Telstra’s guidance on the five things businesses should know to effectively manage the business risk of cyber security.