Australian employees are the weakest link in the nation’s efforts to fend off cyber attacks, with nearly half of all security incidents in 2019 occurring through inappropriate IT use, a new study has found.
According to the Kaspersky corporate IT security risks survey, 42.9% of Australian employees are sharing inappropriate data across mobile devices, while lost employee devices accounted for 42% of security incidents in small and medium-sized businesses and 47% of incidents in enterprises.
Despite these risks, just 8.5% of the Australian respondents ranked mobile security as their most important security issue, even though there is evidence that it is a significant issue across the rest of the world.
The global research, which surveyed about 5,000 businesses including almost 250 Australian firms, found that nearly half of all breaches in China between 2018 and 2019 stemmed from mobile devices, an important issue given that so many Australian businesses rely on commercial relationships in the region.
“This highlights a significant blind spot in Australian security strategies and budgets that is not being addressed,” said Noushin Shabab, senior security researcher at Kaspersky Australia and New Zealand. “If Australian businesses don’t start to take the risk of attacks over mobile devices more seriously, the velocity and value will quickly begin to escalate.”
Also, the growing use of mobile devices amid the Covid-19 coronavirus pandemic could exacerbate security risks, with cloud applications and data being used from more locations. Already, 36.5% of Australian businesses have been involved in an incident through a third-party cloud service used by their employees in the past year, according to the study.
When it comes to budgets, about two-thirds of Australian businesses expected to increase their IT budgets over the next three years, with much of that expected to happen over the next year.
About 28% of Australian enterprises and small businesses currently allocate less than 10% of their IT budget to security, with around 40% allocating between 10% and 25% to security. Only 7.5% of businesses expect to increase that spend by over 50% in 2020.
“Our findings show that Australian businesses vastly underfund their security measures compared to their global counterparts, with 11.7% of businesses globally allocating more than half their IT budget to security,” said Shabab.
The cost of data breaches can be crippling to some businesses. The NotPetya attack in 2017 cost food giant Mondelez as much as $100m in remediation and recovery costs. But even smaller losses can be crippling. Some 26.4% of Australian small businesses reported losing between $3,000 and $15,000 through attacks in 2018-2019.
“Cyber attacks on small businesses can be devastating,” said Shabab. “We know that as many as two-thirds of small businesses that suffer a cyber attack collapse within six months. An attack like this happening as a precursor to the impacts of Covid-19 may be too much for many Australian small businesses to recover from.”
In a separate study by TechTarget/Computer Weekly, 54% of organisations in Australia and New Zealand plan to invest more in cyber security, specifically in key areas such as data loss prevention (DLP) and endpoint security to mitigate the impact of growing cyber threats.
In Australia, the investment in DLP technologies is timely. According to the Office of the Australian Information Commissioner (OAIC), 537 data breaches were reported between July and December 2019, a 19% increase on the first half of the year.
Almost one in three breaches were linked to compromised login credentials, possibly through phishing attacks, which accounted for at least 15% of data breaches during the reporting period, the OAIC noted in its latest Notifiable data breaches report.
Human error was also a key risk, causing 32% of all data breaches. This could be unintended disclosure of personal information to wrong recipients via email, which accounted for 9% of all breaches.
But the good news is that nearly 80% of respondents in Australia and New Zealand plan to invest more in end-user security training this year – the highest among all Asia-Pacific respondents who took part in the study.