Australian companies leaving themselves exposed on security and compliance: survey

Half of firms won’t be ready for data breach legislation
and most are struggling to train staff to improve
security practices.


Security managers already know first hand about the wide gulf
between data-security best practices and employees’ everyday
behaviour. Yet a new survey confirms that most are doing very little
to fix the situation: although IT managers report that 95 percent
of security breaches happen because a manager has done the
wrong thing, just 40 percent of companies report actively
training staff to improve their cybersecurity practices.


Tony Duckmanton knows how hard effective staff cybersecurity
training can be. As information services manager at industrialsupplies
giant Coventry Group, he has been on the front line in
the fight to improve the company’s cybersecurity profile – which
took a hit this year after a “pretty substantial” ransomware
attack drove a period of review and security upgrades.


Staff training across the company’s 70 branches was “fairly
inconsistent and recognised as a big problem” in the past,
Duckmanton says, and the mix of training videos, compliance
tips and similar training only went so far in encouraging staff
to be careful.


“These days it’s difficult to see what is legitimate and what is not,”
he explains. “You can never push out enough training to staff, to
be honest. Analysis of our incoming emails has subsequently
shown that we are a highly-targeted organisation – so we need
to be on our toes even more than usual.”


Duckmanton’s experience is typical of that conveyed by the 193
Australian IT decision-makers that participated in the Mimecast
survey of iTnews readers. The survey revealed some surprising
weaknesses in security practice, and found that nearly half of
Australian companies aren’t sure they will be ready to comply
with new Notifiable Data Breach (NDB) legislation when it
comes into effect in February 2018.


Reflecting the surge of recent serious ransomware outbreaks
(WannaCry and NotPetya were headliners but far from the only
major strains to cause damage) ransomware was the top security
concern – cited by 60.6 percent of respondents. Talk to any group
of security or IT managers and most will have a ransomware
infection story to share.


Yet email threats such as phishing weren’t far behind, named
as a key concern by 55.4 percent of respondents. Malware was
also named by 43 percent – although these three responses
reflect several ways of saying the same thing, since malware and
ransomware are usually distributed through scattershot or
targeted phishing campaigns.


Interestingly, distributed denial of service (DDoS) attacks were a
relatively low concern – named by just 22.8 percent of respondents
– even though recently surging DDoS attacks have had significant
impact. The sabotage of Australia’s 2016 online Census was the
highest-profile local example of this, but security-industry studies
regularly show that DDoS attacks have become the new normal
for organisations working to maintain business continuity

 Security

Share content on email

Share