2017/2018 CYBER SECURITY SURVEY
FOREWORD
The BDO and AusCERT 2017/2018 Cyber Security Survey delivers insights into the cyber resilience and maturity of Australian and New Zealand businesses for the second year in a row.
This annual survey gives organisations the opportunity to benchmark themselves against their peers and equip them to ask the right questions on how to improve their cyber security environment.
The resulting report contains valuable benchmarking data, identifying the current state of play in our local cyber landscape and capturing views on what may lay ahead.
The report also reveals the cyber security risks and realities faced by Australian and New Zealand businesses across a range of organisation sizes and industry verticals.
With the introduction of Australia’s Notifiable Data Breaches scheme and the EU’s GDPR, both carrying financial penalties for non-compliance, an organisation’s ability to detect and respond to a cyber incident is more important than ever before.
Since the 2016/2017 Cyber Security Survey Report, it has been revealed that Equifax, Uber, Facebook and Cambridge Analytica compromised the personal information of more than 150 million users. It is understandable then, that the general public’s expectations of organisations protecting their privacy has never been higher.
This level of government and public scrutiny brings cyber security to the attention of organisation boards and executives. It can no longer be regarded as simply an IT activity – cyber security now needs to firmly reside as an embedded part of organisational risk strategy.
And this change is occurring.
The main trend observed in this year’s report is that attitudes and adoption have both shifted in favour of cyber security best practice. Interestingly, though, the survey results suggest that businesses may now in fact be over-confident of their level of preparedness for a cyber incident.
This year’s report includes a review of the current cyber security landscape, and highlights the continued threat of phishing and email-based cyber attacks, using examples of incidents experienced by businesses.
The report also looks at how organisations are building their cyber resilience, and how the visibility of risk within an organisation reduces the number and impact of cyber incidents.
Understanding businesses’ adoption of a cyber security posture, methods of protection, and levels of preparedness is crucial to building a picture of our overall cyber capabilities and what still needs to be done to improve maturity.
Thank you to all the participants and supporters of our 2017/2018 survey. We appreciate your input, and look forward to your continuing involvement to measure trends and track how our cyber security landscape evolves into the future.
LEON FOUCHE, NATIONAL CYBER SECURITY LEADER, BDO
JAMES CULVERHOUSE, GENERAL MANAGER, AUSCERT
CONTENTS
ii FOREWORD
02 INTRODUCTION
04 OUR SURVEY - WHO PARTICIPATED
08 REVIEWING THE CURRENT CYBER RISK LANDSCAPE
17 BUILDING CYBER RESILIENCE
30 CHANGING REGULATORY & COMPLIANCE REQUIREMENTS
32 CYBER INSURANCE AS A RISK MANAGEMENT STRATEGY
37 LOOKING AHEAD
40 ABOUT US - BDO & AUSCERT
INTRODUCTION
Most countries around the world have seen a surge in cyber attacks over the past 12 months. The changing security risk landscape and increased legislative environment have sparked a lot of discussion about cyber security and industry’s cyber preparedness. How prepared are Australian businesses? Are business leaders providing appropriate strategic direction and investment to ensure cyber resilience?
CYBER SECURITY IS A GLOBAL CONCERN
Cyber attacks and data fraud or theft are the third- and fourth-highest risks (respectively) in terms of likelihood in the World Economic Forum’s 2018 Global Risks Report; only extreme weather events and natural disasters are viewed as more likely. In the same report, cyber attacks sit at number six in the ‘Top ten risks in terms of impact’. The report states:
“Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack - which affected 230,000 computers across 150 countries - and NotPetya, with estimated damages of around $1.2 billion.”
THE GLOBAL RISKS REPORT 2018, WORLD ECONOMIC FORUM, PAGE 6.
AUSTRALIAN BUSINESSES ARE TARGETS – AND ARE GENERALLY UNDER-PREPARED
The 2017/2018 BDO and AusCERT Cyber Security Survey found that the top three cyber security incidents experienced by Australian and New Zealand organisations were phishing (19.3%), malware (17.9%) and ransomware (17.8%). Thirty per cent of respondents were affected by a cyber incident of some kind, and it is important to note that these incidents were not confined to large corporations: the survey found that almost 18% of small- to medium-sized businesses were impacted by a cyber incident. A cyber incident can come at a great financial and reputational cost to the business, yet only 37% of survey respondents had cyber insurance cover.
NEW LEGISLATION CREATES REAL AND SIGNIFICANT PENALTIES FOR BUSINESSES
Governments are starting to make businesses accountable for protecting their data. In May 2018 the EU General Data Protection Regulation (GDPR) comes into effect. Companies in the EU will be required to demonstrate compliance, while companies doing business with or in the EU, or marketing goods and services to EU residents, must comply with the new regulation or risk heavy fines. Even companies that are not located in the EU may be impacted, as their EU client companies and suppliers may require compliance as a condition of continued business.
In Australia, the Privacy Amendment (Notifiable Data Breaches) Act 2017 became effective in February this year. Despite financial penalties for non-compliance (up to $420,000 for individuals and $2.1M for organisations), this year’s Cyber Security Survey found that more than a third of respondents did not know if their organisation must comply with the notifiable data breaches scheme.
Australian businesses need to be acting now to have cyber security practices and processes in place, so that they can assess a suspected breach and, where it is an eligible data breach, report it to the regulator now that the legislation is in effect.
This year’s survey report provides benchmark information and insights to business leaders and cyber security practitioners to assist them with improving their cyber security maturity.
OUR SURVEY - WHO PARTICIPATED
BDO and AusCERT have regular conversations with organisations who want to understand industry trends and how their cyber security strategies compare to industry peers. Although there is a lot of industry research and benchmark data available, it is mainly global data focussing on large multinational enterprises.
The value of the benchmark data we have obtained with industry’s support in this survey is significant. It not only provides a snapshot of the current state of the cyber landscape in Australia and New Zealand, but it also allows businesses to conduct local benchmarking, which we believe is essential for thorough cyber resilience planning.
In 2017, we conducted the second BDO and AusCERT Cyber Security Survey to source local, representative benchmark data of the cyber security strategies of Australian and New Zealand organisations. We received strong support from industry, with more than 500 respondents across a variety of industry sectors – 85% of respondents from Australia and 15% from New Zealand.
Our survey covered a wide variety of organisation types across a range of industry categories. The data set contained all industry sizes, but particularly focussed on small- and medium-sized businesses. The individuals completing the survey were closely connected to cyber security and their organisation’s risk management responsibilities:
- 59% were C-level executives
- 20% were IT/Security Managers
- 3% were Security Analysts/Engineers
- 1% were Internal Auditors
- 17% were in other roles.
[Map: Australian respondents by state]
- Queensland 40.7%
- New South Wales 22.0%
- Victoria 14.8%
- Western Australia 11.0%
- South Australia 5.5%
- Tasmania 2.1%
- Australian Capital Territory 1.7%
- Northern Territory 1.3%
- 0.9% of respondents did not disclose their location by state.
[Map: New Zealand respondents by region]
- Wellington 34.0%
- Auckland 21.0%
- Canterbury 21.0%
- Waikato 5.0%
- Taranaki 5.0%
- Bay of Plenty 5.0%
- Otago 3.0%
[Chart: Respondents by organisations’ annual revenue, broken down by respondent role (C-suites; IT/security manager; information security analyst/engineer; internal auditor). Revenue bands: less than $500,000; $500,000 to $2.5 million; $2.5 million to $10 million; $10 million to $50 million; $50 million to $250 million; $250 million to $500 million; $500 million to $1 billion; more than $1 billion; do not know.]
[Chart: Respondents by organisation type and sector. Organisation types: sole trader/partnership; private limited company; public listed company; not-for-profit; local/regional government; state government; federal government. Sectors: accommodation and food services; administrative and support services; agriculture, forestry and fishing; arts and recreation services; construction; education and training; electricity, gas, water and waste services; financial and insurance services; health care and social assistance; information media and telecommunications; manufacturing; marketing; mining; professional, scientific and technical services; public administration and safety; rental, hiring and real estate services; retail trade; transport, postal and warehousing; travel; wholesale trade; other.]
REVIEWING THE CURRENT CYBER RISK LANDSCAPE
Organisations seeking to enhance their cyber security capabilities will need to get a better understanding of the cyber threats relevant to them and their industry. They will need to understand which threat actors or groups are likely to target them, and anticipate their motives and strategies.
UNDERSTANDING THE THREATS
The different threat actors in a general threat landscape are:
HACKTIVISTS
Motives: Hacktivists target computer networks to advance their political or social causes.
Targets:
- Corporate secrets
- Sensitive business information
- Information related to key executives, employees, customers and business partners
Impacts:
- Disruption of business activities
- Brand and reputational damage
- Loss of consumer confidence
CRIMINALS
Motives: Individuals and sophisticated criminal groups steal personal information and extort victims for financial gain.
Targets:
- Financial / payment systems and processes
- Personally identifiable information
- Payment card information
- Protected health information
Impacts:
- Financial loss
- Regulatory inquiries and penalties
- Consumer and shareholder litigation
- Loss of consumer confidence
INSIDERS
Motives: Insider threat actors typically steal proprietary information for personal, financial or ideological reasons. This group also includes unintentional incidents caused by staff and supply chain providers.
Targets:
- Sales, deals, market strategies
- Corporate secrets, IP, R&D
- Business operations
- Personnel information
Impacts:
- Trade secret disclosure
- Operational disruption
- Brand and reputational damage
NATION STATES
Motives: Nation-state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies for economic and political advantage.
Targets:
- Trade secrets
- Sensitive business information
- Emerging technologies
- Administration of public policy
Impacts:
- Loss of competitive advantage
- Political and reputational impacts
- Damage to public confidence
LIKELY SOURCE OF CYBER SECURITY INCIDENTS
This graph summarises the likely sources of cyber incidents reported over the last two years. Incidents attributed to cyber criminals and organised crime decreased, while incidents attributed to insiders increased slightly.
[Chart: Likely source of cyber security incidents, 2016 vs 2017. Categories: activists; cyber criminals / organised crime; suppliers / business partners; third party hosting provider; former employees; insiders / current employees; foreign governments / nation states.]
PHISHING AND EMAIL-BASED ATTACKS ARE ON THE RISE
Phishing and email attacks are still the most prevalent form of cyber security incident affecting respondents, followed closely by malware and ransomware, which are almost level with each other.
Email is the primary online method used for communications and information sharing for private and business users. Symantec reported that in 2017, 55% of all emails sent were spam and that phishing emails are the most widely used infection vector employed by 71% of all threat actor groups. Our survey found similar trends for Australia.
[Chart: Incidents experienced in 2017 and 2016 (% of respondents). Categories: phishing / targeted malicious e-mails; malware / trojan infections; ransomware; denial of service attack; email addresses or website(s) blacklisted; theft of laptops or mobile devices; data loss / theft of confidential information; data breach and third party provider / supplier; brute force attack; unauthorised access to information by internal user; unauthorised access to information by external user; unauthorised modification of information; website defacement.]
[Chart: Phishing experienced by industry, 2016 vs 2017. Industries: financial and insurance services; public administration and safety; information media and telecommunications; health care and social assistance; education and training; professional, scientific and technical services; other.]
Over the past year, Business Email Compromise (BEC) scams have grown more prevalent and sophisticated. In these scams, the cyber criminals use social engineering tactics to trick employees who are authorised to request or conduct wire/bank transfers. Fraudsters usually spoof or hack the email accounts of senior executives at the organisation and use them to instruct lower-level employees to make a bank transfer to a fraudulent account (a.k.a. CEO fraud).
In other forms of BEC, the criminals compromise the email of a finance officer and request invoice payments from vendors to their own bank accounts. Scammers can also pose as a supplier to the organisation and request a wire transfer to a fraudulent account (a.k.a. bogus invoice scheme).
According to data from the FBI’s Internet Crime Complaint Center (IC3), fraudulent transfers have been sent to 103 countries, most commonly to banks located in China, Hong Kong and the UK. We expect to see continued growth in BEC this year, with Trend Micro projecting the financial impact to be more than $9B in 2018.
HOW TO PROTECT AGAINST BEC ATTACKS
The following are some tips and actions organisations should consider implementing to protect against BEC attacks:
- Educate users constantly about fraud techniques like BEC threats, particularly staff who are authorised to request or perform bank funds transfers. Remind staff to report suspicious emails to their security team.
- Review existing policies and processes to be robust against internal and external attacks, and ensure separation of duties to complete financial transactions.
- Implement reliable email security solutions to scan and filter emails, and to flag potential fraud emails that use keywords common in BEC emails (e.g. urgent, payment). Keyword matching on its own is noisy, so treat it as one signal alongside sender-domain and email authentication checks rather than as a verdict.
- Use two-factor authentication to access email from the internet and to conduct funds transfers.
- Require a second level of authorisation for funds transfers over a certain amount, and verify any change of payment details by calling the vendor, client or staff member on a number already on file, not one supplied in the email requesting the change.
- Register domains that are slightly different from your company’s domain (to defend against ‘typo squatting’).
- Use email authentication mechanisms (SPF, DKIM and DMARC) to prevent domain spoofing.
CASE STUDY: QUEENSLAND LAW FIRMS
Queensland law firms lost millions of dollars in December 2017 after being targeted by email scammers. The attackers used the same approach against each firm: compromising an email account and using it to misdirect money or request incorrect payments.
The criminals emailed or called the law firms pretending to be potential clients seeking legal services. The phone calls or emails seemed legitimate, with a backstory explaining their problems. The attackers then asked the lawyers to proceed and shared confidential documents with them.
This was phase 1 of the attack: the shared documents prompted the law firm employee for their login details in order to open them. Once the credentials were provided, the attackers were able to monitor the firm’s email traffic, and specifically emails related to outstanding payments. Phase 2 began when they sent payment reminders to the law firms’ clients, reminding them of their payment due date and providing the attackers’ own bank account details.
The attacks were not detected until the law firms followed up clients about unpaid invoices, and the clients explained that they had already paid.
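The following Python script is an added example, not tooling from the survey or from BDO/AusCERT. It puts three of the BEC tips above into working code: it generates the lookalike (‘typo squat’) variants of a protected domain that are worth registering or watching, and it triages one inbound message for BEC indicators (a lookalike sender domain, a Reply-To pointing at another domain, a message claiming the protected domain without a DMARC pass in the Authentication-Results header stamped by the receiving mail server, and the urgency/payment keywords the report mentions). The protected domain example.com.au, the two sample messages, the homoglyph table and the keyword list are all constructed for the example and do not come from the report.

```python
"""BEC triage: lookalike-domain generation and inbound-message checks.

Added example; not from the survey. Assumptions (not in the report):
OUR_DOMAIN is the protected domain, Authentication-Results is stamped by
our own inbound MTA, and the keyword/homoglyph tables are illustrative.
"""
import email
import re
from email import policy

OUR_DOMAIN = "example.com.au"                                          # assumed
BEC_KEYWORDS = ("urgent", "payment", "wire transfer", "bank details")  # illustrative
HOMOGLYPHS = {"l": "1", "o": "0", "i": "1", "m": "rn", "w": "vv", "e": "3"}


def lookalike_domains(domain: str) -> set[str]:
    """Return typo-squat candidates for `domain`: single-character omission,
    adjacent transposition, homoglyph substitution, hyphen insertion and
    TLD swaps. Use the result for defensive registration and as a blocklist."""
    name, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                           # omission
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])    # transposition
        if ch in HOMOGLYPHS:
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])      # homoglyph
        if i > 0:
            names.add(name[:i] + "-" + name[i:])                     # hyphen insertion
    names.discard(name)
    out = {f"{n}.{tld}" for n in names if n}
    for alt in ("com", "net", "co", "com.au", "co.nz"):              # TLD swap
        if alt != tld:
            out.add(f"{name}.{alt}")
    return out


def header_domain(value: str) -> str:
    """Lower-cased domain from a header like 'Name <user@dom>' ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = header_domain(str(msg["From"] or ""))
    reply_dom = header_domain(str(msg["Reply-To"] or ""))
    # 1. Sender domain is a lookalike of ours.
    if from_dom in lookalike_domains(OUR_DOMAIN):
        findings.append(f"lookalike sender domain {from_dom}")
    # 2. Replies are silently redirected to another domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Message claims our own domain but our MTA did not record a DMARC pass.
    auth = str(msg["Authentication-Results"] or "").lower()
    if from_dom == OUR_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims our domain without a DMARC pass")
    # 4. Urgency/payment language typical of CEO fraud and bogus invoices.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in BEC_KEYWORDS if k in text]
    if hits:
        findings.append("pressure/payment keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic). 'exarnple' is 'example' with rn for m.
SUSPECT_MESSAGE = """\
From: CEO <ceo@exarnple.com.au>
Reply-To: ceo@mail-ceo-private.com
To: accounts@example.com.au
Subject: Urgent payment required today
Authentication-Results: mx.example.com.au; dmarc=none header.from=exarnple.com.au
Content-Type: text/plain; charset=utf-8

Please process the attached invoice before 3pm. New bank details below.
"""

CLEAN_MESSAGE = """\
From: Payroll <payroll@example.com.au>
To: accounts@example.com.au
Subject: Timesheet reminder
Authentication-Results: mx.example.com.au; dmarc=pass header.from=example.com.au
Content-Type: text/plain; charset=utf-8

Timesheets are due Friday.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

bec_indicators() returns a list of findings rather than a verdict so it can feed a mail-flow rule or a SIEM; an empty list means none of the checks fired. The DMARC check trusts the Authentication-Results header only because the assumption is that the receiving MTA strips any such header arriving from outside, which is something to verify on your own mail gateway before relying on it.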
RANSOMWARE AND MALWARE ATTACKS ARE BECOMING MORE SOPHISTICATED
MALWARE AND RANSOMWARE EXPERIENCED BY INDUSTRY
[Chart: Malware and ransomware experienced by industry, 2016 vs 2017. Industries: education and training; professional, scientific and technical services; information media and telecommunications; health care and social assistance; financial and insurance services; public administration and safety; other.]
Ransomware attacks are becoming increasingly sophisticated and more widespread. In several recent cases, attackers distributed wiper malware masquerading as ransomware: the malware displayed a ransom note, but victims could not recover their data even if they paid.
One of the largest and most destructive cyber attacks in 2017 was Petya/NotPetya, which took place in June 2017. This was a malware-based attack that wiped thousands of computers and disrupted the operation of numerous companies in Ukraine and in countries that conduct business with it. It was the costliest cyber attack of the year, with estimated damages of around $1.2B.
During 2017 we also witnessed a significant increase in ransomware attacks. In May 2017, the WannaCry ransomware outbreak, which hit healthcare organisations particularly hard, became an unprecedented global event, infecting and damaging more than 230,000 computers across 150 countries within a single day. Because hospitals and healthcare providers are critical, and the damage from having their systems shut down can be extensive and even immediate, these organisations were under intense pressure to pay the ransom. Australia was fortunate, with only a few healthcare providers falling victim to this attack.
The graph provides an overview of the malware and ransomware attacks by industry, which shows an overall decline in reported ransomware attacks in Australia. Symantec observed a similar trend globally, noting that ransomware profitability in 2016 led to a crowded market with overpriced ransom demands. In 2017, the ransomware ‘market’ made a correction, with fewer ransomware families and lower ransom demands, signalling that ransomware has become a commodity.
Australia has not experienced the wiper malware attacks seen elsewhere around the world.
HOW TO PROTECT AGAINST RANSOMWARE ATTACKS
Ransomware can severely damage your services and operations, especially for healthcare providers where it can be life threatening, or professional services organisations who require access to systems and data in order to provide a service. Most ransomware attacks, however, could be prevented by proper security practices.
The following are some tips and actions organisations should consider implementing to protect against ransomware attacks:
- Conduct, at least annually, information security awareness training and educate users about ransomware and phishing attacks. Ensure staff are equipped with the knowledge and skills to detect suspicious emails, avoid clicking on malicious links, and avoid downloading unsolicited attachments.
- Ensure data is backed up and stored onsite and offsite, and regularly test restoring the back-ups so that paying a ransom is never the only way to get the data back. Keep at least one copy offline or otherwise unreachable from the network: a backup on a writable network share will be encrypted along with the rest of the share.
- Update all systems and software with relevant patches to prevent the compromise of vulnerable systems.
- Whitelist software applications to prevent users from running software that has not been approved.
- Deploy redundant servers to ensure availability of the data in case a server is hit by a ransomware attack. Note that replication is not a backup: files encrypted on one node are replicated to the other, so redundancy must sit alongside backups rather than replace them.
- Deploy email scanning and filtering solutions to detect known threats and block attachment types that can be malicious.
- Review and test incident management playbooks and disaster recovery plans, and document the steps to isolate and contain a ransomware attack and to restore operations.
- Review and test the business continuity plan to minimise the disruption of services if a ransomware attack occurs. Ensure that staff are trained to follow manual procedures while the IT team restores infected systems.
- Review the organisation’s insurance policy and make sure there is cover for cyber attacks such as ransomware, and that there is also cover for business disruption.
CASE STUDY: AUSTRALIAN MEDICAL PRACTICE
A medical practice fell victim to a ransomware attack in 2017, which caused serious disruption to their practice for several weeks. The ransomware was installed on one of the computers via a malicious email attachment disguised as an invoice. When the recipient opened the attached document, the ransomware encrypted all accessible files, including files on the machine and shared network drives. The IT team had to follow their incident management procedures and shut down the network to prevent the spread of the ransomware.
This extended disruption of computers and systems caused the staff to rely on manual procedures, logging patient administration, appointment scheduling, medical notes, and prescriptions on paper. Staff struggled to deal with the loss of email and access to patient data, and had to transfer patients to other hospitals. Other services that relied upon equipment, medical procedures, and tests were also affected.
The entire process of restoring the backup data took several days: the back-ups were stored offsite at multiple locations (including a doctor’s private residence) and had to be retrieved, scanned for viruses and only then restored.
The practice had cyber insurance cover and filed a report with their insurance company, but were unable to recover any lost revenue, since the policy did not cover malware or ransomware cyber attacks.
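The following Python script is an added example, not the survey’s or BDO/AusCERT’s tooling. It demonstrates the “regularly test restoring the back-ups” advice above in a form that also catches what happened in the medical practice case study: a manifest of SHA-256 hashes is written when the backup is taken, and the restore test compares the restored tree against it, reporting missing, modified and unexpected files and flagging those whose content looks encrypted (high byte entropy or a ransomware-style extension). The directory layout, file contents, extension list and entropy threshold are all constructed for the example and are not from the report.

```python
"""Backup manifest + restore verification with ransomware heuristics.

Added example; not from the survey. Assumptions (not in the report): the
backup is a directory tree, the manifest is a JSON map of relative path ->
SHA-256 written at backup time, and the threshold/extension list are
illustrative heuristics, not a vendor's detection logic.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; compressed or encrypted data sits near 8.0
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry"}  # illustrative


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _files(root: Path) -> dict:
    """Map POSIX-style relative path -> Path for every regular file under root."""
    return {p.relative_to(root).as_posix(): p for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, manifest: Path) -> dict:
    """Hash every file under root and record the result; call this at backup time."""
    entries = {rel: sha256_of(p) for rel, p in _files(root).items()}
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_restore(root: Path, manifest: Path) -> dict:
    """Compare a restored tree against its manifest.

    Returns lists of ok / missing / modified / unexpected paths plus
    suspect_encrypted: modified or unexpected files that look encrypted.
    A restore test that only checks that files exist would pass a tree
    full of ciphertext; this one compares content.
    """
    expected = json.loads(manifest.read_text())
    present = _files(root)
    report = {"ok": [], "missing": [], "modified": [], "unexpected": [], "suspect_encrypted": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(present[rel]) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    for rel in report["modified"] + report["unexpected"]:
        path = present[rel]
        sample = path.read_bytes()[: 1 << 16]
        if path.suffix.lower() in SUSPECT_EXTENSIONS or shannon_entropy(sample) > ENTROPY_THRESHOLD:
            report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed clinic share, back it up, simulate ransomware, then verify."""
    tmp = Path(tempfile.mkdtemp())
    share = tmp / "share"
    (share / "patients").mkdir(parents=True)
    (share / "patients" / "notes.txt").write_text("Patient notes, appointments, prescriptions.\n" * 20)
    (share / "invoice.txt").write_text("Invoice 1042: consultation fee, due in 30 days.\n" * 10)
    (share / "readme.txt").write_text("Backup of the clinic file share.\n")
    manifest = tmp / "manifest.json"
    write_manifest(share, manifest)
    # Simulated ransomware: one file encrypted in place, one renamed with a ransom extension.
    (share / "patients" / "notes.txt").write_bytes(os.urandom(4096))
    (share / "invoice.txt").rename(share / "invoice.txt.locked")
    return verify_restore(share, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest with the offline copy of the backup, not on the share it describes, otherwise ransomware that reaches the share can alter or delete it. The entropy heuristic will also flag legitimately compressed or encrypted files (archives, office documents, images), so in practice it is a triage signal for the restore test rather than a standalone verdict.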
THE IMPACT OF CYBER INCIDENTS
[Chart: Impact of incidents, 2016 vs 2017 (% of respondents). Categories: a data recovery exercise was required; access to information / systems lost for less than a day; access to information / systems lost for several days; websites taken offline; customer records compromised; brand / business reputation damaged; intellectual property / trade secrets stolen; employee records compromised; a ransom had to be paid; legal exposure / lawsuit; notification of breaches to the Privacy Commissioner made; fined for non-compliance.]
The Telstra Security Report 2018 showed that 41% of Australian organisations who suffered a cyber attack had experienced loss of productivity and incurred costs to recover. Our survey showed that 27% of organisations incurred data recovery costs from cyber incidents (improved from 31% in 2016), and that 8% of organisations who experienced a cyber attack lost access to their systems for several days (consistent across both years).
Our survey also showed an increase in the compromise of customer records, where 6% of organisations reported a compromise in customer records and 3% in employee records (both up 50% from last year’s results).
CASE STUDY: EQUIFAX
The credit reporting company Equifax experienced a cyber breach affecting the records of around 143 million individuals (a figure Equifax later revised upwards), most of them in the US, with others in the UK and Canada. The attackers exploited a publicly disclosed vulnerability in the Apache Struts web framework on one of Equifax’s internet-facing systems, for which a patch had been available for around two months but had not been applied. This vulnerability was exploited to compromise databases that contained personal records such as full names, dates of birth, addresses, driver’s licence numbers, and other personally identifiable information of Equifax customers.
Equifax appointed a security firm to assist with forensic investigations and took six weeks to notify impacted customers. This was a significant data breach, expected to result in significant costs for forensic investigations, credit monitoring for impacted individuals, customer support, identity protection, and civil lawsuits.
Equifax is expecting the costs for the data breach to surge by $275M this year, suggesting this data breach could turn out to be the costliest breach in corporate history. There are also a number of class action law suits in the US against Equifax, seeking as much as $70B in damages.
Although Equifax has cyber insurance cover for data breaches, the insured amount is for $100M to $150M, which will be inadequate to cover their costs. This will result in a significant reduction in profits and reputational damage to the organisation.
BUILDING CYBER RESILIENCE
Cyber resilience is the ability to prepare for, respond to and recover from a cyber attack. Resilience is more than just preventing or responding to an attack – it also takes into account the ability to operate during, and to adapt and recover from such an event.
Businesses face a range of cyber risks – both external threats and internal vulnerabilities that continue to evolve over time. It is not possible to protect against all cyber security risks, so it is important that organisations seek to improve their overall cyber resilience in order to respond to and recover from attacks as quickly as possible.
The Australian Securities and Investments Commission (ASIC) has endorsed the NIST Cybersecurity Framework, which organises cyber resilience into five functions:
- Identifying your critical business assets
- Protecting systems, assets, data and capabilities from cyber security risks
- Detecting the occurrence of cyber security events
- Responding to detected cyber security events
- Recovering and restoring any capabilities or services that were impaired by cyber security events.
[Diagram: NIST Cybersecurity Framework. Identify your assets; Protect your assets; Detect incidents; Respond with a plan; Recover normal operations.]
LEADERSHIP AND STRATEGY ARE IMPORTANT ROLES
This year will see a number of cyber security related regulatory and compliance changes, such as the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, the Australian Security of Critical Infrastructure Bill 2017, and the EU’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), to name a few.
Most of these regulatory changes will require business owners and leaders to take accountability for their cyber security arrangements, and provide leadership and direction for ensuring compliance against regulatory changes. Increasingly, boards and executives play an important role in ensuring cyber resilience within their organisations.
The results from this year’s survey show that business owners and executives recognise the importance of cyber security, which is evident in improvements noted on a number of leadership related activities from prior years:
- 17% increase in the adoption of cyber risk reporting to boards
- 18% increase in the adoption of cyber security awareness programs
- 29% increase in the adoption of CISO roles.
[Chart: Controls adopted or being adopted - leadership and strategy, 2016 vs 2017. Categories: cyber security risk reporting to the board / executives; cyber security awareness program; Chief Information Security Officer (CISO).]
The survey showed an increase in security budgets, with 58% of organisations increasing their security spend in 2017 (a 35% increase from the previous year).
The Telstra Security Report 2018 suggests that the top security initiatives for 2018 will be compliance, incident response services and cloud-based security services.
In fact, 87% of respondents are more confident this year in their ability to respond to cyber security incidents, which can be attributed to improved business strategy and clearer management responsibility for cyber security. Confidence is not the same as tested capability, however: as the foreword notes, the results suggest some businesses may be over-confident about their preparedness.
[Chart: Changes in IT security spending, 2016 vs 2017 (% of respondents). Categories: stay the same; increase between 1% and 9%; increase between 10% and 29%; increase by 30% or more; decrease between 1% and 9%; decrease between 10% and 29%; decrease by 30% or more; do not know.]
THE VISIBILITY OF RISK IS IMPROVING
One of the most important components of a successful cyber resilience program is to have a clear and end–to-end understanding of cyber security risks.
COMMENTS FROM OUR SURVEY RESPONDENTS:
“As a small business we find it challenging to identify threats and have measures in place to mitigate them with very limited time/resource.”
“I find the board’s posture is too relaxed, suggesting lack of acute awareness of the real risks.”
“Lack of concern and awareness around the risk and consequence. Directors and management are more concerned about accessibility than protection (until an event occurs, that is…).”
“[Cyber security] is seen as an IT problem when it is a whole-of-business issue.”
“Even though we are in the IT industry, our staff don’t necessarily see cyber security as ‘something that happens to companies like us’.”
Despite these concerns, this year’s survey showed a year-on-year increase in the adoption of controls that give visibility of cyber security risk:
- Adoption of cloud security standards increased by 7% from the previous year
- Adoption of third party/vendor risk assessments increased 20% from the previous year
- Adoption of IT/cyber security standards/baselines for third parties increased 18% from the previous year
- Adoption of regular cyber security risk assessments increased 18% from the previous year
- Adoption of a process to identify critical systems and data increased 14% from the previous year
- Adoption of an IT/cyber security policy increased 12% from the previous year.
[Chart: Cyber security controls - visibility of risk, 2016 vs 2017. Categories: IT / cyber security policy; process to identify critical systems and data; regular cyber security risk assessments; IT / cyber security standards / baselines for third parties; third party / vendor risk assessment; cloud security standards.]
[Chart: Year-on-year increasing adoption of visibility of cyber security risk. Categories: IT / cyber security policy; process to identify critical systems and data; regular cyber security risk assessments; IT / cyber security standards / baselines for third parties; third party / vendor risk assessment; cloud security standards.]
THE VISIBILITY OF RISK REDUCES CYBER INCIDENTS
Organisations performing regular risk assessments experienced:
• 25% less ransomware
• 3% fewer phishing/targeted malicious emails
• 25% fewer data breaches of third party providers/suppliers.
[Chart: Incidents experienced with and without visibility of cyber security risk (0–25%). Incident types: ransomware; phishing / targeted malicious e-mails; data breach and third party provider / supplier. Series: without visibility of risk; with visibility of risk.]
EFFECTIVE CYBER PROTECTION IS BEING ADOPTED
Strong security controls are important safeguards against cyber attacks.
• Application whitelisting saw a 14% increase in adoption
• Patch management processes saw an 11% increase in adoption
• Privileged account management saw a 6% increase in adoption
• Website and internet filtering saw a 6% increase in adoption
• Intrusion Detection Systems (IDS) saw a 12% increase in adoption
• Intrusion Prevention Systems (IPS) saw a 10% increase in adoption.
There was no significant increase in the adoption of email filtering, despite the fact that phishing/targeted malicious emails increased 7% from last year.
COMMENTS FROM OUR SURVEY RESPONDENTS:
“Link cyber security to overall risk management processes, and ensure you manage proactively.”
“Build a layered approach to security: systems, education, responses.”
“Specific cyber risk policies do not take the place of properly audited resources and hardened IT assets.”
“Get independent advice, set up your policies and procedures and then be disciplined in adhering to them.”
“Establish ownership and role clarity around the cyber security functions…”
“Implement email filtering and don’t open suspicious attachments.”
EFFECTIVE SECURITY CONTROLS REDUCE CYBER SECURITY INCIDENTS
We have seen an improvement in the maturity of security controls since last year. Organisations that reported improvements in security controls also experienced fewer cyber security incidents, for example:
• 29% less data loss/theft of confidential information
• 37% less ransomware
• 52% fewer malware/trojan infections.
The Australian Signals Directorate (ASD), an intelligence agency in the Australian Government Department of Defence, recommends that organisations implement eight essential cyber security controls as a baseline for improving their cyber defences. These baseline controls make it more difficult for hackers and cyber criminals to compromise the confidentiality, integrity and availability of systems. Listed below are the outcomes sought and controls recommended by the ASD Essential 8.
[Chart: Incidents experienced with and without effective cyber protections (0–30%). Incident types: data loss / theft of confidential information; ransomware; malware / trojan infections. Series: without effective cyber protections; with effective cyber protections.]
ASD ESSENTIAL 8
MITIGATION: TO PREVENT MALWARE OR VIRUSES FROM RUNNING ON YOUR COMPUTER SYSTEMS
1. Application whitelisting
Allow only approved programs to be installed and run on computers.
2. Patch applications
Apply patch fixes to address security vulnerabilities in software applications.
3. Disable Microsoft macros
Only allow vetted macros to be executed in ‘trusted locations’ with limited write-access.
4. Application hardening
Configure web browsers to block Adobe Flash Player, web ads and untrusted Java code.
MITIGATION: MITIGATE THE EXTENT OF CYBER INCIDENTS AND EFFECTIVE RECOVERY
5. Restrict administrator privileges
Only allow administrator privileges to users responsible for maintaining systems, installing systems and security patches. Regularly revalidate the need for privileges.
6. Patch operating systems
Apply patch fixes to address security vulnerabilities in operating systems.
7. Multi-factor authentication
Implement two-factor authentication on remote access systems.
8. Daily back-ups
Regularly back-up all data and store securely off-site.
DETECTION AND RESPONSE CAPABILITIES REDUCE CYBER ATTACKS
Organisations with improved detection and response capabilities experienced:
• 37% fewer phishing/targeted malicious emails
• 12% fewer malware/trojan infections
• 7% reduction in ransomware.
[Chart: Incidents experienced with and without detection and response controls (0–25%). Incident types: ransomware; malware / trojan infections; phishing / targeted malicious emails. Series: without detection and response; with detection and response.]
Lessons learned from both a general industry perspective and numerous survey findings and reviews have shown that mature Security Operation Centre (SOC) capabilities greatly reduce the impact of cyber security incidents. The survey found that SOCs can reduce incidents by up to 73%. As well as reducing the impact of cyber security incidents, SOC capabilities change the security model to be proactive (rather than reactive), shrink the security alert problem overwhelming most security teams and drive better, more informed responses to security incidents.
COMMENTS FROM OUR SURVEY RESPONDENTS:
“Implement ASD Top 4 and focus on your incident response and threat hunting capability.”
“Use a framework such as the ASD cyber security controls (particularly Essential 8) or the CIS Controls as a starting point for assessing and prioritising the maturity of controls.”
“Educate staff and document a procedure to deal with any scenario.”
“Make sure you have a disaster recovery plan!”
“Get a cyber incident response plan in place as soon as possible.”
“Have a contingency plan in place.”
“Back up all data. Test recovery often.”
General industry sentiment and survey trends have shown that more organisations are beginning to understand the cost effectiveness of being prepared for cyber security incidents. The media is getting more involved in reporting data breaches, data privacy regulations are coming into play, and cyber security incident response has become a more pressing and important concern among executives and boards.
This survey found a general increase in the adoption of cyber security incident response controls:
• Security information and event management (SIEM) systems saw a 14% increase in adoption
• Security Operation Centres saw a 21% increase in adoption
• Cyber security incident response plans saw a 17% increase in adoption
• Cyber security incident response teams/capability saw a 22% increase in adoption.
[Chart: Cyber security controls – detection and response capability, 2016 vs 2017 adoption (0–60%). Controls shown: security information and event management system (SIEM); cyber security incident response plan; cyber security incident response team / capability; security operation centre.]
CHANGING REGULATORY & COMPLIANCE REQUIREMENTS
Public disclosure of data breaches will increase in 2018.
Australia has recently introduced legislation to make data breach notifications mandatory for organisations subject to the Privacy Act 1988 or with a turnover of more than $3M per year.
Taking effect on 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 requires eligible organisations to notify individuals ‘at risk of serious harm by a data breach’ within 30 days of discovering the breach. The penalty for those who fail to comply with this legislation is a large fine - $420,000 for individuals and $2.1M for organisations.
Whilst New Zealand has not yet introduced legislation making data breach notifications compulsory, there are guidelines for organisations to follow in notifying both the individuals affected and the New Zealand Privacy Commissioner, and the potential of a $10,000 fine for non-compliance.
From May 2018 onwards, the EU’s General Data Protection Regulation (GDPR) will come into effect, requiring businesses around the world holding data related to EU organisations and citizens to provide a high level of protection and explicitly know where their data is stored. Those in breach of the GDPR will face significant fines – up to €20M or 4% of annual global turnover – whichever is higher.
NOTIFIABLE DATA BREACH PREPAREDNESS
Our survey results showed that 1 in 3 organisations surveyed did not know if their organisation will be required to report a data breach under the Australian Notifiable Data Breaches (NDB) scheme. For those who indicated that they are required to comply with NDB, only 11.3% were completely confident they are appropriately prepared.
[Pie chart: Confidence in meeting NDB obligations. Responses: completely (11.3%), mostly, almost, mostly not, absolutely not; the remaining segment values as extracted are 51.0%, 17.3%, 16.3% and 4.1%.]
The survey also assessed the preparedness of the organisations that expressed confidence in their ability to meet the NDB requirements. Less than half have taken significant steps to respond appropriately. The majority of organisations who said they were ‘completely confident’ reported they have increased their spending on IT security this year (compared to last year). These organisations were mostly within the Information Media and Telecommunications and the Professional, Scientific and Technical Services industries.
Organisations that were less confident in meeting NDB requirements generally experienced more incidents in the past year and spent less on IT and IT security. Not-for-profit organisations are generally less prepared for the NDB and generally experienced more incidents.
When reviewing the levels of preparedness, the main areas of concern were:
Privacy Impact Assessments (PIA) – less than half of respondents complete PIAs, which suggests that organisations are not fully aware of the Personally Identifiable Information (PII) they store.
Data breach response plans – general lack of processes and procedures to determine if a data breach notification is required, who needs to be notified and the different steps for notification. There is also a general lack of regular testing of data breach and incident response plans.
The NDB scheme commenced in Australia on 22 February 2018. 63 data breach notifications were made to the Office of the Australian Information Commissioner (OAIC) within the first six weeks.
The top five sectors making notifications were health service providers (24%), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%).
78% of the reported data breaches involved individuals’ contact information, 33% involved health information and 30% involved financial details.
51% of data breach notifications were caused by human error, while 44% were malicious or criminal activity, and 3% were the result of system faults.
[Chart: NDB preparation activities taken by all respondents, with the adoption status of organisations completely confident in meeting NDB requirements (0–100%). Series: already been adopted; plan to adopt; do not know. Activities shown: data privacy impact assessment(s); data breach response plan; a process for external parties to notify the organisation of a suspected data breach; identify the harm or potential harm caused by a breach of data held by the organisation; tested the organisation's data breach response plan; a process to determine when a data breach notification needs to be made; a process to determine who needs to be notified; a process to determine how to manage the different steps of a data breach notification; identified how to access the capabilities of the organisation; a process to regularly and proactively review and update the data breach response plan; proactively assess risks related to personally identifiable information held by the organisation; proactively escalate, accept and manage privacy-related risks.]
CYBER INSURANCE AS A RISK MANAGEMENT STRATEGY
Cyber incidents are on the rise. This year’s survey found that 30.2% of organisations had experienced cyber security incidents in the past year.
[Pie chart: Was an incident experienced in 2017? Yes 30.2%; no 64.2%; do not know 5.6%.]
The challenge for industry is that, as cyber incidents increase, they will become more difficult – and therefore more expensive – to defend. The Ponemon Institute recently found that data breaches cost an average of $2.51M in 2017, or approximately $139 per individual record.
In many jurisdictions, businesses now also need to factor in the cost of compliance – or be faced with massive fines for non-compliance. With the changing compliance landscape, we are starting to see boards and business owners become much more interested in using cyber insurance as part of their cyber security risk mitigation strategy.
Cyber insurance is a relatively new form of ‘liability’ insurance, providing cover to organisations for costs related to computer systems being hacked and data compromised. Cyber insurance typically provides first-party cover (the insured business) and third-party cover (customers of other affected parties).
The OAIC received 63 data breach notifications within the first six weeks from when the NDB scheme commenced on 22 February 2018.
58% of notifications involved the personal information of between 1 and 9 individuals.
73% of notifications involved the personal information of under 100 individuals.
27% of notifications involved more than 100 individuals.
10% of notifications involved 1,000 individuals.
Using the Ponemon Institute average cost of $139 per record, 10% of organisations’ data breach costs were $139,000 or more, which is far higher than the most common insurance premium of less than $2,499 noted in our survey.
LIMITED VISIBILITY OF RISK ACROSS THE ORGANISATION INCREASES CYBER RISK
This year’s survey found that 61% of organisations had processes in place to conduct regular cyber security risk assessments, but only 48% of organisations had a process in place to conduct third party/vendor risk assessments. This means that many organisations do not have repeatable processes in place to consider and assess their cyber risk exposure and how these may impact their business, especially considering that only 58% of organisations’ boards and executives get regular briefings on their cyber security risks.
[Chart: Cyber security controls – risk management, 2016 vs 2017 adoption (0–70%). Controls shown: regular cyber security risk assessments; cyber security risk reporting to the board / executives; third party / vendor risk assessment.]
With these sorts of figures in mind, it’s easy to see why more organisations are now looking at cyber insurance as part of their risk mitigation plans, with 37% of organisations having some form of cyber insurance (up from 28% in the last survey):
[Pie chart: Does your organisation have cyber insurance? Responses: no – we were not aware of this type of insurance; no – we don’t feel we need it; no – we believe this risk is covered under other insurance policies we have; no – we self-insure; not yet – we are considering it; yes – but do not know how the policy was arranged; yes – we have this cover as an extension to another insurance policy; yes – we have a standalone cyber policy; do not know. Segment values as extracted, in no recoverable order: 8.5%, 6.6%, 15.4%, 16.4%, 16.7%, 13.8%, 4.4%, 12.3%, 6.0%.]
This year’s survey found that most organisations use a broker for cyber insurance but only 28% of organisations have undertaken a formal assessment process (internal or external) before buying insurance cover. This lack of expertise and formal assessment approach could potentially leave organisations exposed in purchasing the wrong cyber insurance, which may not respond as expected in the event of a cyber-related incident.
[Chart: How did you choose the level of cover in your cyber insurance policy? 2016 vs 2017 (0–40%). Responses: we undertook a formal internal assessment process; we engaged an external risk assessor to advise us; our insurance broker suggested them; we made an educated guess; we bought the highest limit(s) offered by the insurer; we bought the highest limit(s) we could afford; do not know.]
UNDERSTAND INSURABLE CYBER RISKS
Before buying cyber insurance, businesses need to understand their insurable cyber risks. Cyber insurance policies provide cover for your losses, including:
• Costs of restoring systems and data
• Forensic investigation costs
• Loss of revenue/profit due to a cyber event
• Public relations costs
• Financial losses from cyber theft or extortion.
With cyber insurance being a relatively new line of cover in the Australian and New Zealand markets, many general insurance brokers don’t have the necessary expertise to be able to determine whether a particular cyber insurance policy will cater for an organisation’s specific cyber risk requirements.
When it comes to cyber exposure, every organisation is unique and cover must be appropriate to their exposure and risk transfer strategy. Before getting cyber insurance, it is important for the organisation to:
• Understand its data and financial risk position
• Identify real unique threats
• Secure appropriate limits and sub-limits based on its unique risk exposure
• Understand the small print and know what is covered (beware of exclusions)
• Consider coverage for actions and omissions of third parties
• Dove-tail cyber insurance with other indemnity agreements
• Understand policy wordings and subjectivities and how to address them
• Use scenarios to test if the cyber insurance policy will respond.
CYBER INSURANCE READINESS CHECKLIST
• Is your organisation backing up data regularly?
• Are your staff regularly informed about cyber security risks, threats and trends?
• Does your organisation exercise effective governance and oversight of cyber risk?
• Have you prepared a data breach response plan?
• Do you understand where third parties store your information (cloud hosting)?
• How do you comply with the Privacy Act and the Privacy Principles?
• Do you have sufficient technical controls safeguarding your sensitive information?
• Do you apply sufficient access controls across all devices (including mobiles)?
• Have you encrypted all sensitive data, whether online, stored digitally or on removable media?
LOOKING AHEAD
In 2017, we witnessed a number of major cyber attacks disrupting business operations, compromising individuals’ privacy, and costing organisations a significant percentage of their profits to recover. Given the trend of cyber security events in the past few years, we expect to see an increase in disruptive cyber attacks which will become more damaging, and attack tools will become more widely available.
Our survey respondents’ view of expected cyber incidents in the coming year, compared to what was experienced in 2017, shows a greatly increased expectation of unauthorised access and data loss/theft of confidential information, alongside an optimistic view that ransomware, phishing and malware will reduce.
[Chart: Incidents experienced in 2017 and expected in 2018. Series: experienced in 2017; expected in 2018. Incident types: data breach and third party provider; data loss/theft of confidential information; denial of service attack; brute force attack; email addresses or website(s) blacklisted; phishing/targeted malicious emails; ransomware; theft of laptops or mobile devices; unauthorised access to information by external user; unauthorised access to information by internal user; unauthorised modification of information; website defacement; malware/trojan infections.]
OUR PREDICTIONS FOR THE COMING YEAR
Despite this view from survey respondents, phishing, ransomware and malware remain a concern. We believe that ransomware will continue to be successful due to its effectiveness in extorting money out of corporations. We also anticipate an increase in wiper-based malware masquerading as ransomware, aiming to disrupt businesses.
Survey respondents indicated that they expect to see an increase in data breach-related incidents. With the implementation of the Australian NDB and the EU’s GDPR, we expect to see more organisations report data breaches. Whilst there might be initial difficulties in adopting these changes, compliance with these regulations is raising awareness of data leaks and privacy concerns for corporates and individuals, and we look forward to seeing improved maturity over the coming year.
The largest – and most effective – cyber attacks in previous years were carried out by breaching third-party service providers in order to then execute an attack on the company using their services. Given the adoption of cloud services and increased reliance on third parties and external service providers, we believe this attack vector will be widely adopted and used by hackers.
Most businesses today rely on information, systems and the internet to provide their services, which guarantees exposure to cyber security risks. While we are starting to see more organisations adopt improved security measures such as incident management, business continuity, and disaster recovery plans, there still remains a residual risk of an extended attack.
We anticipate an increase in costs for unexpected financial losses due to the interruption of commercial services, investigations, legal costs and fines related to cyber incidents. This can be devastating for any business, particularly those in the small-to-medium sized categories.
We also see indications of an uptake in cyber insurance in the coming year, with an increased demand for insurance brokers and underwriters to provide specialist cyber risk assessment services and tailored insurance policies.
And finally, we expect more organisations will invest in staff education and training, as staff are often the weakest link within the organisation. We are seeing more boards and management teams requiring specialist training on cyber risk management, which we predict is likely to increase further this year. We are also expecting to see larger and more mature corporates and multinational organisations provide basic cyber security risk assessment training to their suppliers and service providers in an effort to improve the security maturity of their supply chain.
ABOUT US - BDO & AUSCERT
ABOUT BDO IN AUSTRALIA AND BDO IN NEW ZEALAND
BDO is one of the world’s leading accountancy and advisory organisations. We have clients of all types and sizes, in every sector. Our global reach allows us to keep abreast of industry developments and the emergence of new and evolving cyber security threats.
BDO’s Cyber Resilience Framework allows our clients to take a strategic view of their entire cyber security risk management lifecycle. This ensures they can better understand the evolving cyber risk landscape and build their cyber resilience over the long term.
The delivery of our cyber security services is based on a client partnership approach. Using this method gives us a strong insight into our clients’ business, enabling us to find innovative ways to help clients maximise their growth opportunities, improve processes and avoid pitfalls. The result is that we meet – and exceed – expectations.
BDO has 1,500+ partners and staff across Australia, making us one of the country’s largest associations of independently owned accounting practices. We have offices in New South Wales, Northern Territory, Queensland, South Australia, Tasmania, Victoria and Western Australia.
In New Zealand, BDO has almost 890 partners and staff in 16 offices across the North and South Islands, and BDO is the fastest-growing business services firm in the country.
For more information about BDO services, visit www.bdo.com.au or www.bdo.co.nz.
STAFF NUMBERS ARE AS AT 1 JULY 2017
ABOUT AUSCERT
AusCERT (the Australian Cyber Emergency Response Team) is a membership-based, independent, not-for-profit security team, which is part of The University of Queensland. AusCERT has a national focus across industry and government and has a national and global reach.
Established in 1993, AusCERT is one of the oldest cyber emergency response teams in the world. AusCERT services help organisations prevent, detect, respond and improve their resilience to cyber attacks.
For more information about AusCERT services, visit www.auscert.org.au.
CONTACT US
Leon Fouche, National Cyber Security Leader, BDO. Tel: +61 7 3237 [email protected]
James Culverhouse, General Manager, AusCERT. Tel: +61 7 3365 [email protected]
BOOK YOUR COMPLIMENTARY CYBER CONSULTATION
This publication has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact the BDO member firms in Australia to discuss these matters in the context of your particular circumstances. BDO Australia Ltd and each BDO member firm in Australia, their partners and/or directors, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.
BDO refers to one or more of the independent member firms of BDO International Ltd, a UK company limited by guarantee. Each BDO member firm in Australia is a separate legal entity and has no liability for another entity’s acts and omissions. Liability limited by a scheme approved under Professional Standards Legislation other than for the acts or omissions of financial services licensees.
BDO is the brand name for the BDO network and for each of the BDO member firms.
© 2018 BDO Australia Ltd. All rights reserved.