Companies are under-estimating the cyber security risks posed by their employees’ use of technology and are facing increasing threats as more workers work remotely during the coronavirus crisis, a study has found.
While companies overwhelmingly viewed the theft of confidential information as the most important cyber threat, they suffered more breaches from email phishing scams or the accidental disclosure of confidential information, according to the annual Cyber Security Survey Report.
The report, by consulting firm BDO and national not-for-profit cyber emergency response team AusCERT, found organisations added complexity to their cyber risk profile by having workers use a combination of company and personal devices to work remotely – something that will obviously increase during the COVID-19 pandemic.
The study, which received responses from 400 executives across industry sectors, came as a slew of cyber security companies released figures showing a surge in cyber scam emails purporting to be about the virus.
BDO’s national cyber security leader Leon Fouche said there was a continued disparity between the types of incidents companies expect and the incidents actually experienced. For example, phishing is 30 per cent more common than businesses expect.
Executives believe that the theft of confidential information or data loss is the biggest threat facing them in 2020, followed by phishing attacks, data breaches caused by third-party suppliers and unauthorised access to information by external users.
“A lot of companies rely on technical controls, such as email filtering, to save the day. Companies have been focusing their spend here for so long that they’re not as accustomed to looking at the people and process side of security,” Mr Fouche said.
“Companies can’t be prepared 100 per cent of the time – even with the best security controls and mechanisms in place, there’s always going to be a remote chance of a breach.”
Prior to the outbreak of coronavirus in Australia, the ransomware attack at logistics giant Toll Group had put cyber security high on the business agenda. The financial cost of the attack has not been calculated but will be extremely high. So is the potential for further revenue loss from customers who sought alternative options during its shutdown.
The BDO research showed a 31 per cent increase in the number of companies looking to take out insurance to avoid some of the financial damage from cybercrime.
Remote work risk
While the survey was conducted prior to the escalation in COVID-19 cases, Mr Fouche said it found that staff were already doing more work away from the office using their personal devices.
This involved them accessing company data around the clock from a range of devices, which increases the risk of external attack or user carelessness.
“As the way we work changes, the complexities in companies identifying and addressing cyber security become more complex,” Mr Fouche said. “Companies must be aware of how their organisational data is handled outside of their walls, and they must understand the ways in which their data is leaving and entering the business – especially via the cloud.”
Mr Fouche said BDO had noted five controls that organisations most commonly adopted to have a more resilient governance framework. These were led by the need to have a dedicated senior executive responsible for cyber security.
In addition, it recommended having decentralised security operations centres, which focus on detecting, containing, eradicating and recovering from cyber security incidents; introducing employee cyber awareness programs; conducting third-party and vendor risk assessments and having pre-defined cyber security incident response plans.
The BDO report said the number of companies with chief information security officer (CISO) roles increased by 46 per cent in 2019. The data shows the adoption of CISO roles has more than doubled since 2016.
Large organisations with revenue between $500 million and $1 billion were more than twice as likely to have adopted CISOs than all other businesses.
Over 30 per cent of the larger companies in its survey still have no CISO and most of those companies don’t perform regular risk assessments, or regularly report cyber risk to the board.
“CISOs must be empowered to take custody and ownership of setting the cyber security strategy to defend the company’s information assets and systems,” Mr Fouche said.
“CISOs also need to have ‘a seat at the table’ … If they’re too low in the structure, even the best-intentioned CISO can’t force change to happen.
“The success of security programs relies heavily on the support from the executive leadership team so it’s important that the CISO is a peer to the other C-suites.”
Paul Smith leads The Australian Financial Review’s technology coverage and has been a leading writer on all areas of the sector for almost 20 years. He covers big tech, how businesses are using technology, fast growing start-ups, telecommunications and national innovation policy.