In March 2016 the Australian Cyber Security Centre (ACSC) released its 2015 cyber security survey of major Australian businesses.  This follows a similar report in 2013 and shows the state of cyber security across 149 Australian businesses and government departments from 12 industry sectors.  A copy of the report can be accessed here: 2015 Cyber Security Survey: Major Australian Businesses.  

The report covered a range of industries, many of which contract services to government, and asked a range of questions about organisations' preparedness for cyber attacks and the strategies they have in place to deal with such business risks.

The results are illuminating in the context of the government's draft legislation for mandatory reporting of data breaches. One of the key findings was that industry is yet to be convinced of the benefit of reporting incidents, and many businesses fail to report cyber security incidents because they perceive no benefit in doing so. 43% of respondents failed to report incidents on that basis.

In terms of prevention and structural steps to reduce risk, it is clear that organisations have a range of structures in place, as set out in the report. The most common is an information security policy, which over 90% of respondents had in place, followed by a business continuity/disaster plan, a change management policy and procedures, a backup or archiving policy, and a user access and identity policy. External IT security standards are also broadly used (approximately 82%). This shows that businesses are preparing for cyber incidents. Respondents identified awareness training for staff as a key issue.

The most prevalent type of attack identified, at 72%, was ransomware. A ransomware incident involves extortion through the use of malware which locks a computer's content and requires the user of the locked computer to pay a ransom to regain access. The threat report identifies that ransomware campaigns will continue to be prominent. Organisations identified the trusted insider as one of their biggest risks. This represented the highest concern for 60% of respondents, followed closely at 55% by motivated groups or hacktivists.

It is clear that these issues are not likely to abate in the near future and that organisations need to continue to allocate resources to prevention and management of incidents.  Privacy and data protection policies and training can assist in this area and we are well placed to assist businesses including in responses to data breaches and reputation management.
