While many Australian organisations understand the inevitability of a data breach, a large majority are unprepared to respond to security incidents.
The 2019 annual State of Cyber Security report, released earlier this year by Melbourne-based firm Security in Depth, found that only around 37 per cent of organisations have developed an incident response plan.
Worse, the survey of close to 1900 organisations with a headcount of 50+ found that just 17 per cent had a tested incident response plan, says Michael Connory.
In many cases, organisations are “focusing on implementing things such as anti-malware, they’re trying, in certain circumstances, to train their staff, they’re trying to manage the technology, they’re trying to do the right thing,” says Connory, the chief executive of Security in Depth and lead author of the report, “but an incident response plan seems to be almost one of the last things on the checklist.”
Organisations “simply just don’t get to it,” he tells Computerworld. “Those that do, more often than not, they’ve just downloaded a basic incident response plan from the Internet and have never tested it,” the CEO adds.
One of the exercises run by Security in Depth involves responding to contact from a malicious actor demanding payment under threat of posting an organisation’s emails online.
“‘We’ve just downloaded all of your emails over the last month, you need to pay us,’” Connory says. “What do you do? When we have a look at CEOs or CIOs, they just have no idea how to respond to [that kind of] data breach.”
He says there are two reasons organisations are falling short. The first is a lack of in-house security skills. Secondly, “a lot of people think that a backup and disaster recovery plan actually is enough”.
“‘Oh we've got a plan, you know, we’ve got a backup and disaster recovery plan,’” he says. “What they're thinking is that if they get hacked, they can shut everything down, boot everything up and off they go again, their business can start again.”
“It doesn't actually cover a dozen of the different potential cyber security attacks that can occur,” he adds. The approach neglects damages such as the reputational hit that an organisation can take.
“One of the things that is concerning to a lot of businesses is reputational damage, but the incident response component is still very low on the list,” Connory adds.
The much higher level of recovery preparedness is reflected in Security in Depth’s report, he says.
“It has been of no surprise the scores across the recover section for Australian business are higher than everything else,” the document states. “There has been almost two decades of communication on the importance of backing up data and disaster recovery capabilities.”
It adds: “This is now easier than ever for organisations, as many move to cloud based solutions with the investment moving from managing on premises data to cloud based – with a significant investment made by software vendors to keep and protect and restore critical business functions in case of disaster.”
“Over the last decade storage has become really cheap,” says Connory. “The technology has also become much, much more effective. It no longer takes 15 hours, or 20 hours or 30 hours to back everything up on tape; you can do incremental backups in 15-minute grabs these days.
“An organisation will basically, if they're really smart, get back up very quickly and not lose much data at all if a major incident was to happen.”
The CEO said that the State of Cyber Security report is a precursor to a quarterly index that will compile a range of metrics related to cyber security in Australia.