In fact, a Microsoft-commissioned report by Frost & Sullivan found that direct costs resulting from cybercrime caused losses of AUD $29 billion per year to Australian businesses. The study further revealed that at least 55% of surveyed firms in Australia experienced a cybersecurity incident in the last five months, while 20% were not sure whether they had experienced one because of the absence of proper forensics or data breach assessments.
According to ACORN statistics, losses from business email compromise (BEC) scams exceeded AUD $60 million, a 170% increase over the combined losses of AUD $22.1 million reported in 2017. Tracking these losses to businesses became possible after the government introduced the Notifiable Data Breaches (NDB) scheme in February 2018. Before reporting became mandatory, the OAIC received only 114 voluntary data breach reports, compared with the 812 reports it received after the NDB scheme was introduced.
Data security is an important consideration for digital businesses today. Your data can be breached in various ways, for example by theft, system failure, unauthorised access, inappropriate usage, or computer viruses. Malicious actors can steal your data and sell it on the dark web, gain access to confidential company information, obtain biometric data and personal details of employees, and acquire sensitive customer information like ethnic origins, credit card particulars, passport information, bank statements, and financial data to misuse it. That’s why securing data is of paramount importance for organisations today if they do not want it to fall prey to cyber attacks.
The potential losses to the Australian economy in direct costs resulting from cyber attacks, as shown in an ACIC study, are just the tip of the iceberg. Companies also stand to face a loss of reputation, increased customer churn, and damage to valuable assets after a single cyberattack.
Repeated cybersecurity incidents can also interrupt the digital transformation strategies of a company. The Frost & Sullivan study mentioned earlier revealed that as many as 66% of Australian organisations halted their digital transformation plans due to a fear of cyberattacks. In addition, many firms in Australia see cybersecurity as an afterthought, with most considering building a cybersecurity strategy after their digital transformation projects have started, severely limiting their ability to create a holistic and secure infrastructure.
According to Cisco, cyber threats are of various types, and the most common ones are malware, phishing, man-in-the-middle attacks, distributed denial-of-service (DDoS) attacks, SQL injection, zero-day exploits, and DNS tunnelling.
A Norton LifeLock Cyber Safety Insights Report issued in 2018 showed that the most serious attack vectors in Australia were malicious software at 26%, unauthorised bank access at 14%, and unauthorised email access at 12%. A report by Sophos states that 37% of organisations have deployed cybersecurity approaches that were untested, while 55% of them believe that they are not cyber mature. Further, 59% of organisations mentioned inadequate budgets and 65% of organisations listed a lack of skilled security specialists as common reasons for inept cybersecurity measures. These can also be cited as key cybersecurity challenges for enterprises, in addition to educating leaders, as well as staff, about cybercrime and how to prevent it.
How Australian IT and security decision-makers prepare for cybersecurity will affect their organisation’s security in the next two years. The top technologies or issues that Australian IT leaders think will impact their organisational security in the next two years are digital transformation programs, agile development, and AI and machine learning.
These leaders and key decision-makers should therefore educate the entire organisation and secure maximum cooperation from all departments so that everyone has a baseline for cyber hygiene. Apart from setting up a strategy for cyber-resilience, they also need to evolve a cybersecurity-driven business model that is dynamic and scalable.
The primary step in the construction of an effective cybersecurity policy is assessing risks, that is, identifying what the current security landscape of your company looks like, what its potential threats are, and which security regulations it must adhere to.
55% of Australian firms reported that they were not cyber mature, and this impacted how quickly they could detect security vulnerabilities, while another 47% of Australian firms felt that their organisations lacked a proper cybersecurity team that could detect, investigate, and respond to threats in time.
Apart from setting down firm policies and regulations, Australian IT leaders should look at hiring a full-time professional as their security officer or identifying someone in their existing IT team for implementation and monitoring. However, the former may turn out to be too expensive, and ineffective without an expert team to work under the chief security officer. The latter may not be feasible, for many companies have heavily burdened IT departments and an internal team member may take time to learn the ropes. The third option is partnering with a trusted managed security services provider (MSSP) that works alongside you to keep your IT infrastructure and data secure.
To build a secure organisation, you have to address the key concerns: the security of your critical infrastructure and network from external threats, cloud security and data protection, and risk assessment and compliance management.
According to Gartner, the benefits of working with an MSSP include “outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.”
Most Australian firms have not adopted a proactive cybersecurity strategy. In fact, 65% of Australian businesses that were interrupted by a security breach only thought about improving cybersecurity after experiencing an incident. The WannaCry ransomware attack, which affected 3,388 systems in Australia, was a case in point. Described as ‘a wakeup call’ by national cyber security advisor Alastair MacGibbon, it turned the attention of Australian businesses to cybersecurity, forcing them to grow smarter about it while looking to employ the services of MSSPs to help them keep cyber attacks at bay and improve business opportunities as a result.
The International Data Corporation (IDC) issued a market assessment guide in 2019 that highlights how companies can choose the right cybersecurity services provider, indicating measures like comparing the breadth of the portfolio of multiple MSSPs, the availability of 24/7 support, threat detection capabilities, etc.
Independent research by CenturyLink reports improved business outcomes for companies using third-party MSSPs, and suggests three points to consider while comparing managed services for securing your IT infrastructure. First, ask yourself whether a particular service improves your security or not. If it is an area where your company is already doing well, you can strengthen your expertise further. If not, it is best to rely on a third-party expert.
The next question to consider is whether working with an MSSP would improve the efficiency of your employees. As mentioned before, internal IT teams are usually too burdened to take on the additional task of security management.
Third is the question of costs: does working with an MSSP reduce them? As most companies operate with limited funds, it is essential to weigh the benefits of hiring a third party against the costs before making the final choice.
Besides comparing services, you may seek answers to the following questions to choose the perfect fit:
You may also ask your potential cybersecurity partner about the cybersecurity strategy they employ. For example, at CenturyLink, our comprehensive methodology of People, Process and Technology simplifies security through automated threat detection, mitigation and response, allowing our clients to focus on strategic initiatives while we guard their IT infrastructure.