Latest research from business advisory firm BDO identified that more Australian companies are taking a top-down approach to cyber security after the COVID-19 pandemic resulted in a ‘cyber reality check’.

BDO’s National Cyber Security Leader Leon Fouche said the pandemic forced industries and governments to make years of digital progress within months, and has made many organisations realise they were overconfident and underprepared when it came to cyber risk.

“Never before has the modern world seen such a rapid, global rush to digitise business practices. Boards are now more cyber engaged than ever before, and more Chief Information Security Officers (CISOs) are being appointed,” Leon said.

The 2020 BDO and AusCERT Cyber Security Survey highlighted the growing concern and focus at the board level, and showed an 11% increase in the appointment of CISOs in 2020, and an 18% increase in cyber risk reporting to the board.

In terms of what the threat landscape looked like in 2020, data breaches has more than doubled compared to the previous year, and accidental disclosures by staff rose by almost 60%.

During 2020, one in four respondents invested in cyber security education awareness training compared to prior years.

Data breaches caused by malicious hacking increased by 91% in 2020, likely caused by IT support challenges during remote working, and the lack of preparedness for increased cyber attacks during the pandemic. The professional and scientific industry experienced the highest increase in cyber incidents, with almost 30% of all notable incidents being some form of a data breach, whether accidental or deliberate.

The new report also identified that attacks targeted at supply chains are now over 50% more likely than they were in 2016, and that supply chain breaches more than tripled for organisations that were not prepared for the cyber threats that came with COVID-19.

“Our findings highlight the importance of third party risk assessments to build resilience through supply chains. The rise in third-party breaches is not surprising and has been on the radar of cyber decision-makers for a long time. Supply chain risk has also been a driving factor in the Australian Government’s push to secure our critical infrastructure sectors,” Leon said.

Cyber activity from foreign governments remained active through 2020, with attacks rising by 40% since 2019 and doubling since 2016. The survey identified that 30% of public sector respondents reported that foreign governments were the most likely source of cyber security incidents in the past year.

On the positive side, the 2020 report showed Australian and New Zealand organisations are adopting five key controls at a rapid pace:

  • Chief Information Security Officers
  • Security Operations Centres
  • Cyber security awareness training
  • Third-party / Vendor risk assessments
  • Cyber security incident response plans.

The report highlighted that respondents without these top five controls were:

  • Almost four times more likely to have to pay a cyber ransom
  • More than twice as likely to lose access to systems and data following a cyber incident
  • Almost twice as likely to have employee records compromised in a data breach.

“While we have seen significant improvements in cyber security and awareness across Australian and New Zealand organisations as a result of the pandemic, the majority still fail to interpret their threat landscape accurately. Many organisations don’t understand which adversaries are targeting them, what assets they seek to compromise, and how they will do so” Leon said.

For example, respondents felt cyber criminals were responsible for 56% of all incidents in 2020, yet they expect cyber criminals to cause only 19% in 2021.

The report also showed that many respondents were less concerned with accidental disclosure in prior years, yet this accounts for a significant portion of all incidents.

“These predictions suggest many organisations don’t understand their cyber threats and risks, which could mean they are focusing their cyber investment in areas they potentially won’t need, and under-investing in the areas they will,” Leon said.

“2020 has provided a real life example of why cyber security cannot be a set-and-forget issue. It requires constant oversight, investment and improvement to manage risks – many of which can emerge and worsen overnight,” he said.

“Now, more than ever, Australian and New Zealand organisations understand the importance of clear, ongoing visibility into their cyber threats and risks, and that cyber security cannot be just an IT issue. It is a whole-of-business issue.”

The 2020 BDO and AusCERT Cyber Security Survey Report surveyed almost 500 respondents across a variety of industry sectors. Of these respondents, 87% were based in Australia, 8% were based in New Zealand, and 5% were based internationally.