ARN

Aussie critical infrastructure organisations in the cyber firing line

The 2016 Australian Cyber Security Centre Survey report highlights high rate of compromise
Dan Tehan - Minister Assisting the Prime Minister for Cyber Security


A new cyber security report by the Federal Government has revealed that more than half of Australian organisations surveyed have experienced an incident in which their data or systems were compromised.

The Government released the report, published by the Australian Cyber Security Centre (ACSC), on 19 April, following a survey of Australian government and major businesses of “national significance”.

The 2016 Australian Cyber Security Centre Survey report reinforces the “unrelenting and increasingly sophisticated” cyber threat that Australian organisations face, according to the government.

According to the government, the report reveals that Australian critical infrastructure organisations are being "targeted by cyber criminals up to hundreds of times each day".

“It confirms that many Australian organisations – 90 per cent of those surveyed – are experiencing some form of attempted or successful cyber security compromise, and that some are being targeted up to hundreds of times per day,” a joint statement by Attorney-General, George Brandis, and Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, said.

“Importantly, the survey demonstrates a high level of ability of organisations to prepare for and recover from cyber threats. However the continually changing threat environment means more needs to be done to prepare, adapt and detect potentially malicious activity,” it said.

According to the report, 86 per cent of organisations surveyed experienced attempts to compromise the confidentiality, integrity or availability of their network data or system, while 58 per cent experienced at least one incident that successfully compromised their data or systems.

At the same time, 90 per cent of organisations faced some form of attempted or successful cyber security compromise during the 2015-16 financial year.

“Organisations faced numerous malicious cyber threats on a daily basis — through spear phishing emails alone, organisations are affected up to hundreds of times a day,” the report stated.

Meanwhile, 60 per cent of organisations surveyed experienced tangible impacts on their business due to attempted or successful compromises, while 51 per cent said they tend to be alerted to possible breaches by external parties before they detect them themselves.

According to the report, the findings suggest that the current level of cyber threat activity is disruptive for organisations, regardless of whether an attempt to compromise a network is successful or not.

However, there is some good news, according to the ACSC, with the majority of organisations surveyed displaying a high level of resilience.


Despite the overall resilience, there are still a number of significant challenges that suggest organisations could do more to prepare for and adapt to continually changing cyber threats.

For example, 71 per cent of organisations report having a cyber security incident response plan in place compared with 60 per cent in the 2015 ACSC Cyber Security Survey of Major Australian Businesses.

But more can be done, according to the ACSC, which is tasked with bringing cyber security capabilities from across the Australian Government together into a single location.

The focus now, according to the ACSC, needs to be on ensuring that incident response plans remain relevant.

Of all organisations that have incident response plans, 45 per cent regularly review and exercise these plans, according to the survey, while 15 per cent either never test the plan, or test it on an ad hoc basis, with 24 per cent testing less than once a year.

“As the threat environment continually evolves — with new software, tools, technologies and techniques constantly released — these plans must be regularly reviewed and updated in order to remain effective,” the report stated.

“When weighing investment in cyber security against other business needs, senior management need to consider the overall level of cyber risk, their organisation’s exposure to such risks, and the potential whole-of-business cost that could be incurred if a serious cyber incident were to occur on their network.

“The costs of compromise are almost certainly more expensive than preventative measures,” it said.

The release of the ACSC survey report comes as the government marks the first anniversary of the launch of its Cyber Security Strategy, aimed at increasing the awareness of, and helping to mitigate, cyber security threats among organisations in Australia.

The report comes just weeks after the ACSC warned that Australian managed service providers (MSPs) are among those that have been targeted by a cyber threat actor thought to be based in China, known as APT10.

The ACSC issued a warning to local enterprises on 4 April, encouraging Australian companies that engage MSPs to speak to their respective providers about the potential risks arising from the global threat.

The ACSC has also called on local MSPs to make sure their clients have not been affected by the global cyber espionage campaign.

“We have strongly encouraged affected Managed Service Providers to identify whether any of their clients have been compromised and work closely with them,” the ACSC said at the time.