​Trustwave: One in seven Australian businesses do not test for security vulnerabilities

According to the security firm, many Australian businesses fail to conduct frequent security testing despite considering threat protection to be a critical practice within an organisation.
Written by Asha Barbaschow, Contributor

A report by US-based security firm Trustwave has found that one in seven Australian businesses are failing to conduct frequent security testing despite believing that it is critical in securing their systems and data.

In compiling its report, A Trustwave Survey Report: Australian Security Testing Practices and Priorities, the security company surveyed 200 individuals responsible for, or knowledgeable about, security testing in their respective organisations. It found that those not undertaking regular testing still had not adopted the practice, despite having encountered vulnerabilities within their environment.

The Trustwave survey was conducted in October 2016, with respondents representing the technology, government, healthcare, financial services, automotive, and manufacturing industries, among others.

It focused explicitly on security testing, which Trustwave said included the process of testing database, network, and application systems for vulnerabilities that could result in unwanted intrusion and allow threat actors to steal sensitive or confidential information, encrypt data, disable the intended functionality, or otherwise cause harm to an organisation.

The report says that among those that do conduct security testing, 39 percent do so only monthly or less frequently, and many do not perform regular security testing after performing infrastructure changes.

Of those that do frequently test, nearly half do so using a combination of in-house resources and third-party testing services, while just over one-third use managed security testing only in-house.

The survey also found that two in five organisations consider themselves to be "very proactive" when it comes to security testing. Another two in five admitted to being "somewhat proactive", while the remaining one-fifth was comprised of those considering their organisation's security testing procedures to be either "somewhat" or "very" reactive, or in fact non-existent.

"Security testing and reviews are infrequent and, in some cases, organisations are leaving it up to fate," the report explains. "Both security testing and reviews of these tests are not commonplace: Only 14 percent perform detailed reviews of security testing to assess vulnerabilities on a daily basis, and only 41 percent do so weekly or multiple times during the week."

Meanwhile, 11 percent of the organisations surveyed perform these reviews only quarterly or annually, and 8 percent do so only when they perceive the need, which Trustwave said is creating a situation where businesses are simply guessing when to test their systems.

According to Trustwave, all respondents belonged to organisations that had been the victims of a significant number of different types of attacks, including phishing and social engineering, which 34 percent of respondents had previous fallen victim to. Network breaches were the second most common type of vulnerability experienced by respondents with 30 percent falling victim to such incidents, while malware infiltration was suffered by 29 percent.

Incidents like distributed denial-of-service (DDoS) attacks, breaches of customer data, and attacks against applications were also flagged in the report as fairly common in Australian organisations, with 20 percent of those surveyed admitting to being the victim of a DDoS attack.

Earlier this month, Australian discount department store Big W confirmed it experienced a "technical issue" that saw the checkout process on its website pre-populated with the personal information of other customers.

The Australian Red Cross apologised last month for the leak of a database back-up containing 1.3 million rows and 647 different tables of data stemming from an online donor application form. This contained details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments they made.

Online classifieds site Gumtree Australia also confirmed it had been hacked, sending an email to a number of account holders in April that admitted attackers had infiltrated its system and accessed email addresses, contact names, and phone numbers.

The e-marketplace maintained that account passwords were not obtained and that it does not store payment information on its site, which it said means no payment information had been compromised.

Australian department store David Jones revealed last year that customer details were stolen as a result of its website being hacked on September 25, 2015. The breach came a day after Australian discount homewares chain Kmart revealed it had also experienced a breach.

Editorial standards