Three out of four Australian security managers believe their CEO has deliberately or unwittingly breached cyber safety guidelines, placing entire enterprises at risk.
In addition, almost a third of all applications now used in Australian enterprises are thought to be shadow IT, or unsanctioned software and cloud services that extend the attack surface of organisations.
These were some of the findings from Symantec’s Cracks in the cloud survey, underscoring the lax cyber security around cloud services that delivers potentially rich pickings for attackers.
Samir Kapuria, senior vice-president and general manager of cyber security services for Symantec, said while organisations had raced to adopt cloud, they were also becoming more vulnerable to cyber attacks.
Indeed, ensuring cloud services complied with security requirements was the most stressful task for 86% of Australia’s chief information security officers (CISOs) who participated in the survey.
“The cloud is a potential goldmine because it takes so many forms and is growing so rapidly with our information,” Kapuria said, adding that it has also become a target for attackers, with credential hijacking still the easiest route into cloud applications.
“You have malware that traverses the corporate network, and is hopping into different networks not necessarily under the same control as internal networks,” he warned.
Despite the high profile and impact of cyber attacks such as WannaCry and Petya, 74% of Australian CISOs believed their CEOs had probably broken internal security protocols, either intentionally or unintentionally.
Kapuria said Australian CISOs remained concerned over the lack of understanding about the risk of cyber attacks among CEOs and board members.
KPMG partner Gordon Archibald, however, noted that a KPMG survey of recent security spending had indicated that “Australian CEOs are awake to the threat represented by cyber attacks, and are investing in defences accordingly. They’re more likely to admit they’re not where they need to be, and recognise that work needs to be done”.
The KPMG survey found that 80% of Australian companies had made a “high investment” in cyber security over the past year – considerably higher than the 66% figure reported globally.
However, 57% of senior executives acknowledged that they were not fully prepared for a cyber attack and 48% were concerned about combatting “security fatigue” in their organisations.
Business leaders should be concerned, given the high cost of data breaches. The latest IBM/Ponemon report indicated that on average, a data breach in Australia costs an organisation A$2.5m.
Additionally, it took an average of 175 days for an Australian business to identify a breach. But from February 2018, companies will have just 30 days to alert the authorities if they have a significant data breach under Australia’s new mandatory data breach notification laws.
On-premise mindset in Singapore
Besides Australia, Symantec’s survey also involved CISOs in Canada, China, France, Germany, India, Japan, Korea, Singapore, the UK and the US.
In Singapore, CISOs estimated that, on average, 32% of cloud-based applications used at their company were unsanctioned applications – slightly higher than the figure cited by their counterparts in Australia.
The actual figure, however, might be higher, going by a separate global study by Symantec which found that organisations were using an average of 928 cloud apps in the second half of 2016, far more than the 30 to 40 cloud apps that CIOs had thought their organisations were using.
Nick Savvides, manager for cyber security strategy at Symantec Asia-Pacific and Japan, told Computer Weekly that Singapore organisations are still coming to terms with cloud security, largely because of the on-premise mindset prevalent in the country.
“Singapore has a security-aware culture, but there’s also an ingrained on-premise IT mentality where things are under control,” he said. “Organisations may not realise how many cloud workloads they have, and they’re also unable to translate traditional security processes such as incident management to the cloud.”
Asked if standards such as Singapore’s Multi-Tier Cloud Security (MTCS) standard would help to alleviate cloud security concerns, Savvides said while security standards were a step in the right direction, they could create a false sense of security.
“Standards haven’t saved us,” he said, noting that credit card fraud remains a problem despite well-adopted standards such as PCI-DSS in the payment card industry.
Instead, he said organisations should understand what their cloud usage is and develop policies and guidelines to mitigate any security concerns based on their risk appetite.