90 percent of organisations in Australia claim to have faced some form of attempted or successful cybersecurity compromise during the 2015-16 financial year, a report from the Australian Cyber Security Centre (ACSC) has found.
The ACSC's inaugural Cyber Security Survey [PDF] found that the 113 surveyed organisations faced numerous malicious cyber threats on a daily basis, with spear phishing emails alone affecting organisations up to "hundreds of times a day".
In compiling its report, the ACSC surveyed representatives from 113 businesses comprised of 68 private sector and 45 government organisations, with 43 percent of respondents hailing from organisations with over 200 employees.
18 percent of total private sector respondents represented the finance and insurance industry, with 35 percent of overall respondents in the private sector identifying as the organisation's CISO and 20 percent as the chief information officer.
The report was compiled to provide an overview of how prepared Australian organisations are to meet the growing cyber threat, the ACSC said, noting that experiencing a cyber incident is not a matter of if, but when and what type.
The report states that 86 percent of organisations surveyed experienced attempts to compromise the confidentiality, integrity, or availability of their network data or system, with 58 percent reporting their organisation experienced at least one incident that successfully compromised data and/or systems.
Of those, malware was blamed for 42 percent of the compromises experienced, phishing for a further 42 percent, and distributed denial-of-service (DDoS) attacks for 19 percent, the kind of attack experienced by the Australian Bureau of Statistics on Census night last year and most recently by Australian domain name registrar Melbourne IT last Thursday.
60 percent of organisations surveyed experienced tangible impacts on their business from attempted or successful compromises, and 51 percent said alerts about possible breaches were raised by external parties before the organisation itself was aware of them.
"Given that only 2 percent of organisations reported having completely outsourced IT functions, these figures suggest organisations are not adequately focusing on monitoring networks and detecting potentially malicious activity," the report says.
Only 48 percent of organisations experiencing any incident in 2015-16 said they reported it to an external agency; in particular, reporting by private sector organisations fell from 51 percent in 2014-15 to 40 percent in 2015-16.
The ACSC said the main reasons given for not reporting incidents include incidents not being successful, substantial, or serious enough, followed by the perception that there are no benefits to reporting.
71 percent of organisations report having a cybersecurity incident response plan in place.
Of the organisations that have incident response plans, fewer than half said they regularly review and exercise those plans; 15 percent either never test the plan or test it only on an ad hoc basis, and 24 percent test it less than once a year.
"As the threat environment continually evolves -- with new software, tools, technologies and techniques constantly released -- these plans must be regularly reviewed and updated in order to remain effective," the report warns.
Organisations surveyed most commonly had no more than five people specifically responsible for IT security within their IT function, the report said, with 5 percent of organisations -- and 31 percent of those with externally managed IT -- admitting to not having a single staff member specifically responsible for security.
"This difference is of particular concern considering the information security risks associated with outsourcing IT management," the report says.
Overall, 31 percent of organisations indicated senior management is only updated on cybersecurity after incidents or breaches have occurred; and cybersecurity is rarely, if ever, discussed at the most senior level, according to 27 percent of respondents.
The ACSC also highlights in its report that gaps are evident where organisational attitudes or exposure to risk may be out of step with the technical controls in place, giving the example of organisations allowing the use of personal devices at work or working remotely from home.
"Significantly fewer of these organisations have mobile device management systems or identity and access management systems in place to manage these risks," the report explains.
91 percent of respondents claim to have a documented cybersecurity policy of some description; 64 percent undertake regular cyber risk assessments; and 19 percent have received external certification to cybersecurity standards.
"Organisations may believe the range of controls they have in place adequately protects against threats from malware, and are no longer motivated by this problem. However, types of malware, including worms and viruses, are commonly used as initial vectors to compromise a network, and 42 percent of organisations surveyed were successfully compromised by malware infection, suggesting it is still an issue," the report says.
"Organisations must maintain protection against threats from malware on an ongoing basis. Not doing so places networks and data at risk."
While 80 percent of government organisations were likely to seek assistance and guidance from government sources, only 56 percent of private sector organisations surveyed also accessed government sources for cybersecurity information, advice, or guidance.
The ACSC made note that it and its agencies were the primary source of such information.
The Joint Committee of Public Accounts and Audit (JCPAA) launched an inquiry into the cybersecurity compliance of Australian government departments earlier this month, off the back of findings made by the Australian National Audit Office (ANAO) in its 2016-17 Auditor-General Report No. 42 Cybersecurity Follow-up Audit. That audit, released last month, declared the Department of Human Services (DHS) as having reached its highest designated "cyber resilient" level, but found the Australian Taxation Office (ATO) and Department of Immigration and Border Protection (DIBP) lacking on the information security front.
"Cybersecurity is integral to protect government systems and secure the continued delivery of government business," Committee Chair, Senator Dean Smith said previously.
"Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions. The committee is continuing its oversight of entities' compliance with the mandated strategies with the launch of this inquiry."
The ANAO audit found that all three entities had improved their cyber resilience -- to various degrees -- since the 2014 audit, but the ANAO said both the ATO and DIBP were under the belief that they were doing better than they were.