It’s been a long, hard, and sometimes lonely road for CISOs to get the rest of the company on board and recognise the value of cybersecurity. Historically cybersecurity has not been a priority due to a lack of awareness or willingness to act from the C-suite and boardroom.
But the recent devastating data breaches suffered by Optus and Medicare and a general increase in prevalence of attacks, has led to significantly better awareness and recognition of the cyber risk that all firms face, big and small. The first hurdle has been overcome, but the next challenge is transforming this awareness into tangible actions and increased budgets.
Cybersecurity budget – will there ever be enough?
Sadly, the increase in cyberattacks and resulting C-suite awareness has not yet translated into better budgets for CISOs and cybersecurity strategies. Just under 65% of Australian respondents in Mimecast’s State of Email Security Report 2023 say their firm’s cybersecurity budget is less than it should be, a worrying result which needs to be rectified rapidly.
Although the dial is shifting in the right direction, with improved awareness among business leaders and decision makers, the majority of respondents still don’t think their cyber budget is adequate. Last September a cyberattack on telecommunications provider Optus, saw the private information of millions of Australians breached. Just months later, health insurance provider Medibank was breached, with highly personal data leaked onto the dark web.
These attacks showed just how devastating cybercrime is and helped to focus the nation’s attention on this issue. But recognition alone is no longer enough. These high-profile attacks also piqued the attention of the federal government, with a number of announced reforms and a pledge to make Australia the “most cyber secure country in the world by 2030”.
But this won’t be realised unless local businesses translate this awareness into tangible actions. There’s also the risk that the private sector will develop a false sense of security that government will solve cyber threats for them. Everyone needs to play their part and take responsibility for their own security posture. We’ve all got real work to do right now to be secure.
On the upside, the report found that the gap in cybersecurity funding may not be too wide. According to those respondents who said their company is not spending enough on cybersecurity, the underfunding was estimated to be just under 8% on average.
A matter of ‘when’, not ‘if’ – all firms need to be prepared
For Aussie firms, a cyberattack is now a question of when, not if. According to the Mimecast report, nearly a third of respondents believe a cyberattack to be “extremely likely” in the next twelve months, while 7% say it is “inevitable”. There has already been a sharp uptick in the attacks firms are facing. According to the report, 96% of Australian firms have been targeted by common email-based phishing attacks, while three-quarters experienced an increase.
The federal government’s Notifiable Data Breaches Report also revealed there was a 26% increase in reported data breaches in the second half of last year, with a spike in December.
Australian companies are aware of the risk they now face in their day-to-day work. It’s time to translate this into real actions and proper budgeting to ensure the digital surface where work is carried out is fully protected. Awareness and employee training are a vital element of working protected, and something that is lacking currently. According to the Mimecast report, there has been a decrease in regular security awareness training offered at companies.
The report found that 77% of respondents offered awareness training at least quarterly at their company – down from 85% in the previous year. That means nearly 1 in 4 only offer training once a year or less often than that – hardly regular enough to have any significant impact on cyber awareness or culture. Most worryingly, 5% of Australian companies are offering no cybersecurity training at all, the worst result for all companies surveyed.
This needs to change quickly. A firm is only as secure as its least cyber-aware employee, with a quarter of all reported data breaches the result of human error. Eight in 10 respondents said they believed that their company is at risk because of inadvertent data leaks by “careless or negligent employees”. There needs to be proper funding for cyber training.
It cannot be a tick-box exercise and must be engaging, conducted regularly and be updated to match the adapting cyber threats that all Australian businesses face. Cybercriminals are growing in sophistication by the day, and the cybersecurity efforts of all Australian companies need to at least match this – with sufficient training and cyber mitigation strategies.
More than ever, the tide is turning on cybersecurity, and it’s now not enough to merely be aware of the risk. The upper echelons of local Australian companies need to put their money where their awareness is and start to take real measures to address cyber risk.
Nick Lennon is VP for APAC for cybersecurity and resilience company, Mimecast, which takes on cyber disruption for its tens of thousands of customers around the globe. Mimecast helps protect large and small organisations from malicious activity, human error and technology failure; and to lead the movement toward building a more resilient world.