The ACSC handles key operational elements of the government’s cyber security capabilities to enable a more complete understanding of sophisticated cyber threats, facilitate faster and more effective responses to significant cyber incidents, and foster better interaction between government and industry partners. The ACSC is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), the Defence Intelligence Organisation (DIO), the Australian Security Intelligence Organisation (ASIO), the Computer Emergency Response Team (CERT) Australia, the Australian Criminal Intelligence Commission (ACIC), and the Australian Federal Police (AFP).
During the 2015-16 financial year, around 90% of organisations surveyed faced some form of attempted or successful cyber security compromise. While 86% of respondents experienced attempts to compromise the confidentiality, integrity or availability of their network data or systems, over half (58%) experienced at least one incident that successfully compromised data and/or systems. Sixty percent of those surveyed experienced tangible impacts on their business due to attempted or successful compromises.
The majority of organisations surveyed (70%) were classified as having a high level of resilience based on their responses. The report defines cyber resilience as an organisation’s ability to prepare for, withstand and recover from cyber threats and incidents, regardless of whether such occurrences are deliberate, accidental, or naturally occurring.
Cyber-resilient respondents were more likely to have discussed cyber security at board level within the last three months (87%), compared with 59% of those categorised as less resilient. Also, the majority of senior-level cyber security discussions in more resilient organisations were proactive, rather than in reaction to an incident.
In addition, 71% of organisations reported having a cyber security incident response plan in place, compared with 60% in the 2015 ACSC Cyber Security Survey of Major Australian Businesses.
Nearly 51% of the organisations surveyed said they tend to be alerted to possible breaches by external parties before they detect them themselves. Given that only 2% of organisations reported having completely outsourced IT functions (55% had outsourced elements of their IT function), this may indicate that organisations are not adequately focusing on monitoring their networks and detecting potentially malicious activity. In addition, the percentage of organisations surveyed that had a process in place to identify critical systems and data was on the lower side at 56%. Of all organisations with incident response plans, only 46% regularly review and exercise those plans.
Bring Your Own Device (BYOD) appears to be regular practice, with nearly 73% allowing employees to use personal devices for business reasons. However, not enough organisations have mobile device management systems or identity and access management systems in place.
Government as primary source of cyber security information for public as well as private sector
The majority of organisations sought government assistance for cyber security information, advice or guidance, including 56% of private sector entities (along with 80% of government organisations).
The ACSC and its agencies were the primary source of such information, indicating that the ACSC has a clear and important role to play in providing impartial information, guidance and support to both private sector and government organisations.
Having an accurate and up-to-date picture of the threat environment is vital for ACSC agencies to assist other organisations that are also at risk. The ACSC’s visibility of cyber security incidents affecting the private sector is heavily reliant on voluntary self-reporting. Although the ACSC is the most common external agency receiving reports (34%), the ACSC recognises that there is scope for improvement.
Cyber security as a whole-of-business concern
The report highlights that cyber incidents incur whole-of-business costs. It recommends that cyber security be approached with a risk-reduction rather than a compliance mindset, considering information security alongside other business risks. It should be understood that everyone shares responsibility for cyber security, not just the IT department, and that regular discussions should be held with the board and senior management.
Read the report here.