BreachExchange mailing list archives

Businesses underestimating growing cyber security threats


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Feb 2016 18:23:13 -0700

http://www.afr.com/technology/businesses-underestimating-growing-cyber-security-threats-20160129-gmgp4c

Complacency and secrecy in Australian businesses are masking the true
extent of increasing cyber security threats, a new study by one of the
country's largest corporate law firms has found.

Minter Ellison conducted two surveys: one of chairmen, directors and chief
executives; and another of more technically focused executives such as
chief information officers, chief information security officers and other
risk-related managers. The studies found boards often had an unfounded
sense that their organisations were prepared, and while cyber breaches
appeared to be on the rise, an alarming number of organisations had no
plans in place to respond to them.

The study comes as the government prepares to introduce legislation that
will bring Australia into line with other similar economies and require
businesses to disclose to customers when they have had a breach of their
systems and potentially exposed sensitive data.

Minter Ellison's report shows that 40 per cent of CIO respondents said
their organisation experienced at least one cyber attack in 2015 that
compromised their systems or data, whereas 60 per cent of board members
perceived cyber risk as worse than a year ago. Most boards were satisfied
they could prevent and respond to cyber attacks effectively.

OVER-CONFIDENCE

Minter Ellison partner Paul Kallenbach, a specialist in cyber security and
data protection, said this level of confidence belied an apparent lack of
genuine planning.

More than a quarter of companies (27 per cent) admitted to not having a
data breach response plan in place, only 28 per cent reported that they
regularly audited their suppliers' IT security practices to check there
were no weaknesses in their supply chain and only 20 per cent of
respondents indicated that they regularly audited their customers' IT
security practices.

"There is a level of dissonance when you drill down to what practical
measures these organisations had actually taken to address cyber risk, with
their view of how prepared they are. The two things didn't quite marry up,
so there is maybe a false sense of confidence," Mr Kallenbach said.

"Supply chain is a good example, where people build a fortress around their
own organisation and don't consider organisations that are suppliers to
them, and the sub-suppliers to them, and what their risks may be. There is
a chain of supply that can be disrupted at any point and be a source of
risk."

Mr Kallenbach said the likely introduction of new laws requiring companies
to disclose their data breaches to customers later this year would reveal
that more companies had breaches than was currently shown.

He said the new laws were timely and were needed to bring standards in
Australia up to the same level of other countries such as the United States.

"We don't know for sure obviously, but anecdotally it would seem the
current disclosed breaches would be the tip of the iceberg," he said.

"There would be a number of organisations out there that would be sitting
on data breaches who will have to notify."

INSURANCE BOOM

One of the biggest beneficiaries of the rise in cyber security uncertainty
is the insurance sector, which has been busily signing up clients for newly
created policies to mitigate against hacking attacks.

Cyber insurance typically covers network interruption costs, crisis
management, remediation and forensic investigation, restoration of data and
third-party claims for the unauthorised publication of data. Last September
global broking giant Aon told The Australian Financial Review that cyber
risk insurance had become its fastest-growing protection category, with
about $US2 billion ($2.8 billion) of premiums sold in the United States.

Mr Kallenbach said his company's study found cyber insurance has not yet
been widely embraced in Australia but the local market is likely to grow
considerably in the next year. Only 25 per cent of survey respondents said
their organisation held specialist cyber risk insurance, while a further 32
per cent were unsure of whether cyber risk was addressed in their insurance
arrangements.

He said companies often discovered their business interruption insurance
didn't cover the types of losses that may be caused by a cyber attack.

"The offerings in the market are really only now starting to mature, and in
some cases the overlap between cyber insurance and other types of insurance
have only just been addressed, so it is likely that this area will grow
quickly."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
