According to new research, companies remain underprepared for the myriad threats they face, including but not limited to attacks on supply chains.
The 2020 BDO and AusCERT Cyber Security Survey Report, which surveyed nearly 500 professionals across Australia and New Zealand, was recently published and identified industry trends across private and public SME organisations.
It found, the authors wrote, that the age of coronavirus changed the way that organisations operate, and the reality check that came along with the pandemic saw many realise that they were “overconfident and underprepared” when it comes to cyber risk.
Attacks targeted at supply chains, for example, are now over 50 per cent more likely than they were in 2016, and supply chain breaches have more than tripled for organisations that have not been prepared for cyber threats that arose out of the pandemic.
The findings, BDO said in a statement, highlighted the importance of third-party risk assessments to build resilience through supply chains.
“The rise in third-party breaches is not surprising, and has been on the radar of cyber decision-makers for a long time. Supply chain risk has also been a driving factor in the Australian Government’s push to secure our critical infrastructure sectors,” said BDO national cyber-security leader Leon Fouche.
The threat landscape extends further than just supply chains, however.
The report noted that data breaches have more than doubled compared to 2019, and accidental disclosures rose by nearly 60 per cent. Breaches caused by malicious hacking in 2020 increased by 91 per cent, likely caused, BDO mused, by IT support challenges during remote working periods and a lack of preparedness.
Moreover, cyber activity from foreign governments remained active throughout last year, the report continued, with attacks rising by 40 per cent from 2019 rates and doubling from 2016 levels. Thirty per cent of public sector respondents, it noted, reported that foreign governments were the most likely source of cyber-security incidents in the past year.
This all said, there were some positives to emerge from the report.
Organisations in Australia and New Zealand are adopting, BDO said, five key controls at a rapid pace: chief information security officers (CISOs), security operations centres, cyber-security awareness training programs, third-party/vendor risk assessments, and cyber-security incident response plans.
Respondents that didn’t have these five controls in place, BDO noted, were almost four times as likely to have to pay a cyber ransom, more than twice as likely to lose access to systems and data following a cyber incident, and were almost twice as likely to have employee records compromised in a data breach.
“While we have seen significant improvements in cyber security and awareness across Australian and New Zealand organisations as a result of the pandemic, the majority still fail to interpret their threat landscape accurately,” Mr Fouche said.
“Many organisations don’t understand which adversaries are targeting them, what assets they seek to compromise, and how they will do so.”
The past year has provided, Mr Fouche continued, a “real-life example” of why cyber security cannot be a set-and-forget issue.
“It requires constant oversight, investment and improvement to manage risks – many of which can emerge and worsen overnight,” he said.
“Now, more than ever, Australian and New Zealand organisations understand the importance of clear, ongoing visibility into their cyber threats and risks, and that cyber security cannot be just an IT issue. It is a whole-of-business issue.”