MinterEllison’s third annual cyber security survey assesses changes in Australian organisations' cyber resilience, from the perspectives of both buyers and users of technology. It was completed by more than 70 legal counsel, Chief Information Officers (CIOs), Chief Operating Officers (COOs), Board members, IT specialists and risk managers of ASX 200 and private companies, government agencies and not-for-profit organisations.
Growth of the digital economy, together with increased use of the internet, mobile technologies and the Internet of Things (IoT), poses ever-growing challenges for information protection.
Many of the cyber attacks described in our introduction to the report (in particular, the WannaCry ransomware campaign) affected Australian organisations and individuals. This has heightened awareness of the risks that accompany these technological advances. Our most recent survey results reflect this fraught landscape.
More than a third of surveyed organisations indicated they were subject to at least one cyber incident in the last 12 months that compromised their systems or data. CIO survey respondents who categorised themselves as having a ‘good understanding’ of cyber exposure increased from 33% in 2016 to 44% in 2017, while those who categorised themselves as having a ‘very good understanding’ increased from 10% in 2016 to 18% in 2017.
At the Board level, there was an increase in both ‘fair’ understanding of cyber risk (45%, up from 35% in 2016) and ‘very good’ understanding (24%, up from 15% in 2016). Further, the Board survey revealed that 82% of Boards (up from 65% in 2016) perceived cyber risk as a greater risk than it was 12 months earlier.
These results suggest organisations are becoming more educated and informed about cyber security, particularly in the lead up to the commencement of Australia’s mandatory data breach notification scheme on 22 February 2018.
Our survey also indicated that 54% of respondent organisations had a cyber incident response plan in place (up from 42% in 2016).
While this represents an increase in readiness (perhaps explained in part by the commencement of the mandatory data breach notification scheme), it is still concerning that nearly half of surveyed organisations do not have appropriate cyber incident response protocols in place. Further, our survey results indicated that only approximately one third of surveyed organisations test their cyber incident response regularly (at least once per year). An untested plan offers little assurance: the first time a plan is exercised should not be during a live incident.
Also concerning was a decrease in the percentage of organisations that say they audit their suppliers’ IT security practices at least annually (from 34% in 2016 to 21% in 2017). These results indicate that while awareness continues to increase, many surveyed organisations have still not translated that awareness into effective, tested cyber risk management strategies, protocols, plans and procedures.
Responses to the CIO survey indicated that a wide variety of services are being delivered to organisations via the cloud.
These include email, data storage, access management, IT security, HR performance management, accounting and payroll, productivity applications, mobile device management, and customer relationship management services. The proportion of organisations receiving cloud services has increased from last year’s survey in almost every category.
Further, our CIO survey respondents indicated that 70% of organisations are considering adopting further cloud delivery services in the next 12 months.
Against this backdrop, only 29% of CIO respondents said they permit personal information of personnel, customers or suppliers to be transferred and stored outside of Australia.
Our results suggest an increasing number of organisations are taking (or planning to take) advantage of the flexibility offered by cloud-based services, while being aware of the risks (be they technical, commercial or regulatory) of transferring and storing personal information overseas.
On the other hand, as noted above, most surveyed organisations are not engaging in regular testing of their own cyber resilience, with an even lower percentage conducting regular audits of the cyber resilience of their key suppliers.
Accordingly, while they may be aware of the risks of outsourcing critical IT and business functions to the cloud, many organisations may not be taking appropriate steps to mitigate those risks. Outsourcing a function does not outsource the legal responsibility for the data it processes, so the supplier’s security arrangements need to be assessed and re-assessed, not assumed.
In our last report we found that cyber insurance uptake had increased among surveyed organisations. Our latest survey responses indicate a significant increase in cyber insurance uptake, with 62% of respondents indicating their organisation has a cyber insurance policy in place (compared with 39% in 2016).
This is consistent with the Insurance Council of Australia’s comments that cyber insurance is the fastest growing commercial segment of the Australian insurance market. With the introduction of the Notifiable Data Breaches (NDB) scheme, the Australian cyber insurance market is tipped to grow as global insurance houses continue to move into this space. For the moment, however, Australia’s uptake of cyber insurance still lags significantly behind that of the established markets in the United States and Europe.
Organisations considering purchasing or renewing cyber insurance products should seek specialist advice to avoid potential gaps in cover.
One increasingly common example is a cyber crime in which an individual is manipulated into transferring a payment to a fraudster’s account (commonly known as social engineering). Because the payment is made ‘voluntarily’ by an authorised employee rather than through unauthorised access to the organisation’s systems, such a loss may fall into a gap between an organisation’s cyber risk policy and its crime policy, with each insurer taking the position that the other policy responds. Organisations should therefore confirm that their cover expressly extends to social engineering losses rather than assuming it does.
While cyber insurance is a key risk management measure for many organisations, it is important to remember that insurance should form part of a wider toolkit of risk management measures and should not be seen as a panacea for cyber risk. This is especially critical as more organisations move to the cloud and become dependent on the security arrangements of their third party service providers.
The introduction of Australia’s Notifiable Data Breaches (NDB) scheme, due to commence on 22 February 2018, is widely considered to be long overdue.
The amendments that the NDB scheme will make to the Privacy Act 1988 (Cth) (Privacy Act) mean that data breach response planning is no longer a ‘nice to have’. Being prepared to act quickly to mitigate, contain and respond to a data breach is a critical legal risk and reputation management strategy.
Many (though by no means all) of our surveyed organisations appear to recognise this need, with around 40% of organisations stating they were preparing for the incoming laws by reviewing policies, data breach response plans and security controls.
Australia is imminently joining a number of its global counterparts in implementing mandatory data breach notification. The European Union will follow when the General Data Protection Regulation (GDPR) begins to apply in May 2018. The GDPR will directly affect many Australian businesses.
Our survey results indicate that many organisations still have work to do in preparing for these laws, as well as implementing the protocols, policies and procedures necessary to mitigate their exposure to cyber risk.