Share this article on:
The cyber landscape continues to face new battles, from the proliferation of ransomware to the need for chief information security officers (CISOs) to have a budget that matches the size of the security challenge, according to Garrett O’Hara, field chief technologist at Mimecast.
Mimecast’s State of Email Security 2022 report suggests 77 per cent of Australian companies were hurt by a ransomware attack in 2021, up from 64 per cent in 2020. Of that 77 per cent, 62 per cent paid the ransom, but 30 per cent still did not recover their data.
It’s not just Australia with the problem. The SOES report also found globally, 75 per cent of respondents had been impacted by ransomware in 2022.
Australians’ biggest cyber concerns
Ransomware might be the biggest – and potentially the most damaging – cyber threat facing Australian businesses, but it is far from the only one.
Additional Australian findings from Mimecast’s State of Email Security 2022 report include:
Good cyber security is about more than technology
Every company is trying to protect itself from the growing deluge of cyber threats, but technology is only one part of the protection picture. Organisations need a comprehensive and well-rehearsed cyber resilience strategy to enable them to minimise damage and recover as rapidly as possible from the inevitable impact of a successful cyber attack.
The bad news is, rather than resilience increasing in the face of more sophisticated attacks, it seems to be declining. Only 34 per cent of Australian organisations say they have a cyber resilience strategy in place, compared to 51 per cent in 2021.
This suggests the level of cyber preparedness deemed adequate prior to the COVID pandemic is seen as inadequate today, given hybrid work models, the increased reliance by businesses on email and other collaboration tools, and the more treacherous threat landscape.
Supporting this theory are findings that more than a third of the Australian respondents surveyed for Mimecast’s latest report blame a lack of cyber resilience for: interfering with overall employee productivity (41 per cent), financial losses (37 per cent), business disruptions (35 per cent), loss of data (34 per cent), and damage to their company’s reputation (30 per cent).
CISOs asking for a bigger cyber security chequebook
CISOs need to be supported in achieving a realistic cyber strategy. Cyber security leaders do not believe cyber resilience is being allocated the resources needed. Australians surveyed said 18 per cent of the IT budget should be allocated to cyber resilience, but the current average allocation is only 14 per cent.
Ninety-three per cent of respondents said their cyber resilience had been impaired by insufficient funding. Half said there was a lack of investment in cyber security training for staff and half said their organisation was missing out on improvements to existing cyber security solutions. There’s an important conversation to be had in the boardrooms of organisations about cyber security and how it impacts business risk.
One development that could spur organisations to devote more resources to cyber security is government regulation. Many countries are implementing data privacy and security requirements modelled after the European Union’s General Data Protection Regulation (GDPR), and in Australia, amendments to legislation for the security of critical infrastructure will greatly widen the range of organisations covered.
Seventy-one per cent of respondents surveyed by Mimecast thought government mandates on cyber security would induce senior management to take cyber resilience more seriously. Sixty-nine per cent also thought it would lead to high or moderate levels of improvement in their organisation’s level of cyber preparedness, but with the side effect of increased costs. Fifty-six per cent believed such mandates would limit their freedom to take the best course of action on behalf of their business, showing that businesses do not see legislation alone as a silver bullet.
Cyber criminals target vulnerable employees
Even the best, most carefully calibrated cyber resilience strategy will fall short if the company’s employees are unprepared to respond to an attack. A dearth of impactful security awareness training is the biggest chink in the armour of many organisations.
More than 80 per cent of respondents believed their company to be at risk because of inadvertent data leaks by careless or negligent employees. Eighty-five per cent of employers offered staff training in cyber security awareness at least once every quarter, but only 23 per cent did so continuously.
And there is a growing trend of cyber attacks spreading from employee to employee. More than eight out of 10 of those surveyed by Mimecast reported that their organisation was the victim of such an attack. This figure is 10 percentage points higher than in 2021 and well above the levels seen over the six years of Mimecast’s annual report.
Looking ahead, Australians are most concerned about increasingly sophisticated attacks (57 per cent), followed by security naive employees (47 per cent) and insufficient staff (46 per cent).
Awareness training is not set-and-forget
For employees to be most effective in spotting and stopping attacks, they need more than threat-specific training. Separate research suggests more than 90 per cent of security breaches involve some degree of human error, and numerous studies suggest better cyber security awareness training could greatly reduce this figure. Mimecast researchers found employees who receive consistent, engaging cyber awareness training to be five times more likely to spot and avoid clicking on malicious links.
For CISOs, these findings are a reminder of the implications of ineffective training. Key takeaways for those managing “security naive” employees would be to ensure training is focused on engaging team members – rather than rolling it out just to tick a box – and in a way that’s easily memorable. Positive reinforcement and humour are encouraged over fearmongering or mundane messaging to improve focus and retention of security advice.
CISOs can be heartened by the fact that cyber security is increasing in profile and will continue to do so as legislation and regulation changes. Forward-thinking security leaders will harness this changing landscape to get their cyber security efforts the focus and budget they need at the executive level.
Garrett O’Hara is the field chief technologist at Mimecast.