Palo Alto Networks has released a new cybersecurity report that reveals Australian organisations are generally resilient when it comes to their cybersecurity posture and habits, despite the general belief that local IT security professionals are finding it difficult to combat growing threats and savvier cybercriminals.
The report, entitled ‘The State of Cybersecurity in Asia-Pacific’, also confirmed that the battle against cybercriminals is far from won as Australian organisations appear to have a misplaced sense of confidence when it comes to cybersecurity.
While Australian organisations are experiencing some success in mitigating cyberthreats, it remains an ongoing problem. Data breaches are still costly, with 36 per cent of respondents losing at least AU$130,000 (US$100,000) due to incidents in the 2015-16 financial year. Worryingly, that number rose to 40 per cent in the 2016-17 financial year.
Other key findings in Australia revealed:
- Australian organisations are complacent: According to the report, 34 per cent of Australian businesses have a low average adoption rate for advanced security measures, yet almost three-quarters (74 per cent) of respondents said they were confident in their security measures. In addition, 59 per cent of respondents said they believe their organisation is not a target for cyberthreats, despite growing anecdotal evidence that no company is safe regardless of size or industry.
- There is a lack of awareness of the seriousness of cyberthreats: Just 70 per cent of Australian respondents agreed that cybercrime has become increasingly sophisticated in the last three years, compared with 86 per cent of respondents in China.
- Australian organisations aren’t spending enough on cybersecurity: Only 50 per cent of Australian organisations reported an increase in cyber spend, which was lower than all other markets surveyed. And, while 60 per cent of Australian respondents allocate between 5 and 15 per cent of their IT budget to cybersecurity, just over half (55 per cent) of respondents agreed it is easy to convince management to invest in cybersecurity solutions and technology. Furthermore, 36 per cent of Australian companies cite a lack of budget as the main barrier to keeping up with evolving cybersecurity solutions.
- Focus should shift to prevention: Clinging to outdated security approaches can put businesses at an even greater disadvantage. Instead, organisations should shift their focus away from mitigation and towards breach prevention. Better threat intelligence sharing can help achieve this. By sharing information about threats in time for organisations to protect themselves, businesses can collectively save time and money, and avoid complacency. There may be some work to do to achieve this: Almost half (46 per cent) of Australian respondents said that, in their organisation, detecting and responding to cyberthreats is more important than prevention. Australia is heading in the right direction when it comes to a breach prevention mindset, but organisations need to implement the right systems and measures to stay ahead.
- A framework is required: Most IT decision-makers agreed that reporting breaches to regulators should be mandatory. There needs to be a framework around the types of information shared so that businesses feel comfortable sharing cyberthreat information with each other. This is the only way Australian organisations will be able to implement a cybersecurity posture oriented around prevention rather than the far more expensive cure.
- Cybersecurity awareness and policies are crucial: Just 56 per cent of Australian respondents agreed that all employees/departments in their organisation understood safe cybersecurity practices. Interestingly, not one of the government respondents in Australia said they review their policy and/or standard operating procedure for cybersecurity more than once per year. This is in stark contrast to the financial industry, in which 56 per cent of respondents review policies and standard operating procedures more often than once a year. At the same time, 44 per cent of respondents in Australia said employees in their organisation don’t check with the IT department before introducing new devices or installing software on company devices. Companies must develop, communicate and, importantly, enforce clear security policies to prevent vulnerabilities as much as possible. Educating employees about safe cyber practices is just as important as putting the right security measures in place.
‘These survey results highlight that every organisation is a potential target for cybercriminals. If businesses don’t put the right measures in place, they may be exposed to financial losses and reputational damage after just one successful breach. Failure to take a strong preventative mindset, which includes implementing advanced, next-generation security measures and policies, puts these organisations at risk.’ – Sean Duca, vice president and regional chief security officer for Asia-Pacific, Palo Alto Networks
Management Buy-In Is Key
Good cybersecurity practices, like any cultural behaviour, must be modelled from the top down in an organisation. It’s vital for senior leaders to understand the cyber risk the business faces, as well as their own roles in combatting that risk. IT and security teams can make this visceral and relevant for senior leaders by defining clear business metrics for cybersecurity.
This could include involving them in readiness exercises to test cybersecurity processes so they can understand and become engaged in the issues and risks. It’s also important to emphasise how new regulations, such as the Privacy Act in Australia and the General Data Protection Regulation in Europe, will affect the business. Cybersecurity is not a set-and-forget exercise: It is an ongoing battle that requires constant vigilance and regular technology updates.
‘The State of Cybersecurity in Asia-Pacific’ report features analysis, practical strategies and tips that can be implemented to help companies in Asia-Pacific keep up with rapidly evolving cybersecurity technologies.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com.