In Perspectives on Cyber Risk 2020, our fifth annual report, we review the cyber risk challenges that have arisen over the past 12 months, analyse the cyber survey responses received, and consider what the next 12 months may hold. We also take stock of the economic, health and logistical challenges facing all organisations as a consequence of COVID-19.
Five key findings from Perspectives on Cyber Risk
The survey – completed by more than 120 legal counsel, Chief Information Officers, Chief Operating Officers, Data Protection / Privacy Officers, Board members, IT specialists and risk managers of ASX 200 and private companies, government agencies and not-for-profit organisations – revealed five key findings.
Finding #1: The more you know, the more you realise you don’t know
For the first time in five years, respondents' understanding of their organisation's exposure to the risk of cyber attacks has decreased, falling from 35% of respondents last year to just 20% this year. This may reflect respondents' awareness of the increasingly complex and ever-evolving nature of cyber risk, and of the need to continually augment their understanding of a dynamic cyber risk landscape.
Finding #2: Testing cybersecurity and data incident response plans is critical
A majority of our survey respondents have experienced some form of compromising cyber attack in the past year. We also saw a significant increase in the number of organisations which have been subject to more than five cyber attacks that have compromised their systems or data in the past 12 months – from 5% in 2018 to 14% in 2019. There has also been a corresponding decrease in the number of organisations which have not suffered such an attack, from 63% in 2018 to 38% in 2019.
Finding #3: Cyberattacks which rely on social engineering are still the most prevalent
Among our survey respondents, the most prevalent form of cybersecurity incident resulted from social engineering, with 50% of incidents involving a phishing incident (whether via email or telephone) and a further 21% involving an email compromise (such as invoice fraud).
Finding #4: Uptake in the usage of AI and big data is at its early stages, but there is an increasing awareness of potential privacy implications
Our survey results disclosed only a modest increase – from 15% last year to 21% this year – in organisations currently using an AI or big data solution. Around 10% said that they planned to implement such a solution in the next 12 months (about the same as last year). There was a significant increase in the number of organisations that have undertaken a privacy or security impact assessment in relation to the implementation of such technology, from 32% last year, to 53% this year.
Finding #5: Less than 60% of organisations have assessed whether the GDPR applies
Only 58% of respondents said that they had considered whether the European Unions' General Data Protection Regulation (GDPR) applies to their organisation, while 12% of organisations had not considered its applicability, and 24% of respondents were unsure. Many Australian organisations (particularly those with a physical presence in the EU, or who offer goods and services in the EU) may find that they are required to comply with the GDPR.
Heightened cybersecurity challenges due to COVID-19
This year has brought with it significant new risks and challenges for all organisations due to the COVID-19 pandemic.
COVID-19 has laid bare the critical dependency of nearly all organisations on technology, and has led to heightened risk levels associated with the use of technology, including from:
- The changed IT landscape for business, with a majority of staff now working remotely;
- The increase in workers who are using devices, apps and platforms that may not be approved by their organisations;
- Stretched business systems and IT departments; and
- General cuts to operating budgets and projects due to the current economic environment.
In addition, cyber criminals are seeking to take advantage of a fraught global situation through use of malicious emails and electronic messages, websites, social engineering and exploits, designed to take advantage of the population's present state of vulnerability and need for connection and information.
Now is the time for action and leadership on cybersecurity
For organisations, this is a time for action and leadership. Poor understanding of cyber security and an inability to mitigate cyber risk will leave directors and organisations exposed to heightened legal and reputational risk and regulatory scrutiny. Organisations must review their business continuity plans and carry out revised risk assessments. They should also implement and regularly test robust cyber security governance arrangements, update technical controls, and ensure staff are informed and educated in cybersecurity risk and practices.