Hey Australian businesses, if you fear it, do something about it

The latest report from the Australian Cyber Security Centre shows a disconnect between what businesses fear and what actions they're taking to improve security.

The Australian Cyber Security Centre (ACSC) and CERT Australia released a new cyber report of cyber statistics on Monday, the 2015 Cyber Security Survey: Major Australian Businesses [PDF]. What interests me most is not the cyber news of some improvement in our cyber defences, cyber heartening though that is, but what seem to be some gaps in the cyber defenders' thinking.

The survey builds upon the 2013 Cyber Crime and Security Survey released in May 2014, and the 2012 report released in February 2014. As with those that came before it, the exact figures in this latest report should be taken with a grain of salt.

Only 149 organisations participated, all of whom are described as: "Major Australian businesses that partner with CERT Australia, and that underpin the social and economic welfare of Australia and deliver essential services including banking and finance, defence industry providers, communications, energy, resources, transport and water".

With two-thirds of them having 200+ employees, and 18 percent of them being from the defence sector, this is far from being a representative sample of Australian businesses. Nevertheless, some trends can be detected.

The good news is that there are fewer organisations failing to implement infosec essentials.

Only 3 percent have no dedicated IT security team, down from 16 percent in 2013. Some 79 percent of those with international connections are figuring those extended networks into their cybersecurity thinking, up from 55 percent in 2013. The number of those who had IT security staff with more than five years' experience, or tertiary qualifications, is up. And so on.

But there are some curious gaps.

Take ransomware, for example.

We know that Australian organisations have been hit hard by such attacks in 2015, and it's bound to get worse. The report reveals that 72 percent of respondents had been victims of a ransomware attack in the previous 12 months, and ransomware topped the list of cyberthreats that most concerned these businesses.

The threat of ransomware can largely be disregarded if you have known-good backups. Wipe the infected devices, restore from the latest backup, report the attack to CERT Australia, and move on.

Yet only 78 percent of businesses had a backup or archiving policy, less than 60 percent had emergency procedures, and only 50 percent had an audit policy -- all of which would surely be needed to build an effective defence against ransomware.

Or consider the insider threat.

The theft or breach of confidential information held second spot on the list of businesses' concerns, with 70 percent having this worry. The "cyber actor" of most concern was "trusted insiders", listed by 60 percent of businesses, ahead of issue-motivated groups or hacktivists at 55 percent, and organised criminal syndicates and state-based actors, both at 54 percent.

Yet only 76 percent of businesses had user access and identity processes, and only 51 percent had a policy for removable storage media -- again, core components of the relevant defences.

Given that humans will always be the weakest link, it was also curious to see that the organisations which had increased their cybersecurity spending had mostly been lashing out on new technical security controls (86 percent) and vulnerability assessments (82 percent).

More user awareness training and more IT security training were way down the list, at 50 percent and 41 percent respectively. When we know there's an enormous cybersecurity skills shortage, this seems backwards to me.

All of these statistics relate to the aforementioned "major Australian businesses". So how are government organisations doing? Alas, I can't tell you.

In previous reports, 12 percent of the surveyed organisations were government. This year, that data has been split into a separate document, the 2015 ACSC Cyber Security Survey of Commonwealth Government Entities, and that hasn't been made public.