Friday, 17 November 2023

It’s been an interesting time for cyber.

Two large incidents with national impact and two revealing reports in as many days – each telling different stories but sending the same message. 

The Australian Securities and Investments Commission (ASIC) Cyber Pulse survey tells of businesses ill-prepared for cyber incidents. The report attributes a weighted average cyber maturity score of 1.66 out of 4.00 to its 697 voluntary participants, concluding that “organisations are reactive rather than proactive when it comes to managing their cyber security.” In particular, the survey revealed that:
  • 44% do not manage third-party or supply chain risk, 
  • 58% have limited or no capability to protect confidential information adequately, 
  • 33% do not have a cyber incident response plan, and 
  • 20% have not adopted a cyber security standard. 
The Australian Signals Directorate’s (ASD) Annual Cyber Threat Report for 2022-23 covers a wider remit of both business and individuals, highlighting the heightened cyber threat to both. It details increases in the past year of:
  • calls to its Australian Cyber Security Hotline, up by 32 per cent (33,000 in total),
  • cybercrime reports to ASD’s Australian Cyber Security Centre, up by 23 per cent (94,000 in total, or one report every six minutes), and
  • the average cost of cybercrime per report, up by 14 per cent to $71,600 for large businesses, $97,200 for mid-size businesses and $46,000 for small businesses.
So, what should Australian businesses be taking away from the combined weight of these reports? As cyber professionals, three things stand out for us at KordaMentha.

Firstly, the ASD report tells us that one in five vulnerabilities is exploited within 48 hours of being published, and half are exploited within two weeks. The window for acting on a newly published vulnerability is therefore days, not months. Acting that fast is not always easy: it may be necessary to take systems offline to fix, upgrade or patch them, and IT updates can have inadvertent flow-on impacts that disrupt a business’s operations. This highlights the importance of knowing which of your systems are exposed, testing updates before they are rolled out, and deciding in advance how the business would keep operating if a system has to be taken offline or a patch causes disruption.
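The two ASD figures translate directly into a patching policy: treat 48 hours as the window for critical vulnerabilities and two weeks as the outer limit for everything else, and track how long each item has been exposed against that window. The script below is an added example, not code from the reports or from KordaMentha; the two-tier policy, the tracking labels (VULN-A and so on) and the sample records are constructed for illustration, and the windows are the only figures taken from the text.

```python
"""Patch-window tracker: flags vulnerabilities whose exposure exceeds the
48-hour / two-week windows implied by the ASD figures quoted above.
Added example; the records at the bottom are constructed, not from any report."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CRITICAL_WINDOW = timedelta(hours=48)   # one in five exploited within 48 hours
STANDARD_WINDOW = timedelta(days=14)    # half exploited within two weeks


@dataclass
class Vuln:
    ident: str                   # internal tracking label (hypothetical, not a CVE id)
    severity: str                # "critical" or "standard" (assumed two-tier policy)
    published: datetime          # when the vulnerability and its fix were published
    patched: Optional[datetime]  # when the fix was applied, None if still open


def window_for(severity: str) -> timedelta:
    """Policy window for a severity tier."""
    return CRITICAL_WINDOW if severity == "critical" else STANDARD_WINDOW


def assess(v: Vuln, now: datetime) -> dict:
    """Exposure for one record: time from publication to patch (or to now if still open)."""
    window = window_for(v.severity)
    end = v.patched or now
    exposed = end - v.published
    return {
        "id": v.ident,
        "severity": v.severity,
        "open": v.patched is None,
        "exposed_hours": round(exposed.total_seconds() / 3600, 1),
        "breached": exposed > window,
        # For open items: hours left before the window closes (negative once it has passed).
        "hours_remaining": None if v.patched else round((window - exposed).total_seconds() / 3600, 1),
    }


def triage(vulns, now: datetime) -> list:
    """Assess every record and order the worklist: breached first, open before closed,
    longest exposure first within each group."""
    rows = [assess(v, now) for v in vulns]
    rows.sort(key=lambda r: (not r["breached"], not r["open"], -r["exposed_hours"]))
    return rows


def breach_count(rows) -> int:
    """Number of records that exceeded their policy window (patched late or still open)."""
    return sum(1 for r in rows if r["breached"])


# Constructed sample records (hypothetical labels and dates, not from the ASD or ASIC reports).
NOW = datetime(2023, 11, 17, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    # critical, published 24 hours ago, still open: inside its window but due soon
    Vuln("VULN-A", "critical", datetime(2023, 11, 16, 9, 0, tzinfo=timezone.utc), None),
    # critical, patched 96 hours after publication: window was 48 hours, so breached
    Vuln("VULN-B", "critical", datetime(2023, 11, 10, 9, 0, tzinfo=timezone.utc),
         datetime(2023, 11, 14, 9, 0, tzinfo=timezone.utc)),
    # standard, open for 28 days: twice the two-week window, breached
    Vuln("VULN-C", "standard", datetime(2023, 10, 20, 9, 0, tzinfo=timezone.utc), None),
    # standard, patched within 4 days: inside the window
    Vuln("VULN-D", "standard", datetime(2023, 11, 1, 9, 0, tzinfo=timezone.utc),
         datetime(2023, 11, 5, 9, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        print(row)
    print("breached:", breach_count(triage(SAMPLE, NOW)))
```

The worklist ordering is the point: an open item that has already blown its window (VULN-C) is the first thing to look at, a late patch (VULN-B) is a process failure worth recording even though it is closed, and an open critical with hours left (VULN-A) is where the advance planning about taking systems offline pays off.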

Secondly, the ASIC report makes it clear that businesses are not defending themselves well enough against cyber attack. While businesses need a maintenance strategy for their IT systems that includes patching and updates, equally essential is a defence in depth strategy that seeks to prevent breaches and to contain and mitigate the incidents that do occur. Of course, one size does not fit all, and businesses should seek expert advice to make sure they develop and execute a cyber risk strategy that is relevant and appropriate for them.

Thirdly, when it comes to a cyber breach, it is a matter of when, not if. Businesses need to know what data is important to them and make sure it is protected. Manage the risk around your most important data through access and other controls: for example, encrypt sensitive data, limit who can access it and how, and keep a record of that access so that a breach can be scoped.

Your cybersecurity strategy will be determined by your size and type of business, the sensitivity of the data you store and the complexity of what you do. Not every incident triggers a notifiable data breach or prompts a class action, but every incident costs that business in terms of lost time, lost business, and potentially lost reputation. 

These two reports reinforce the increasing frequency, sophistication, and severity of cyber threats to individuals and businesses. They send the same message: being prepared is critical.