91% of Australian organisations see escalating level of external security threats
- Gap widening between security measures in place to protect organisations and the level of threats
- 90% of organisations conduct penetration testing to assess security risks
- Cloud computing uptake doubles since 2010
While the vast majority of Australian organisations believe the risk environment has changed significantly as a result of rising security threats, 63% of organisations say that the number of actual security incidents has remained the same in the past 12 months.
32% say the number of security incidents affecting their organisation has increased, while only 6% have seen a drop. The findings are part of Ernst & Young’s Global Information Security Survey 2012 report released today.
The global report, now in its fifteenth year, is based on responses from more than 1,850 CIOs, CISOs and other information security executives across 64 countries.
Ernst & Young Asia-Pacific Information Security Leader Mike Trovato said a much higher proportion of Australian companies (91%) reported an increasing risk from external attacks compared to the global average (74%). However, this was not the only source of concern for Australian organisations, with 45% reporting that internal vulnerabilities were also on the rise.
Mr Trovato said ‘outdated information security controls or architecture’ topped the list of vulnerabilities that had most increased organisations’ risk exposure over the past 12 months. This was followed by careless or unaware employees, cyber attacks to disrupt or deface the organisation and cyber attacks to steal financial information. Social media ranked close to the bottom of the list of threats.
Key Australian findings of the Global Information Security Survey 2012 include:
- Only 2% of organisations disallow the use of all tablets/smartphones for business use, while 36% allow only company-owned devices and disallow the use of personal devices.
- Most organisations have made policy adjustments (62%), implemented new mobile device management software (57%) and encryption techniques (41%) to mitigate potential risks of using smart phones or tablets.
- 80% of organisations are using some form of cloud computing or have it under evaluation, while 20% have not made the jump as yet.
- Cloud computing continues to be a main driver of business model innovation, with the numbers of organisations using the cloud almost doubling in the past two years.
- However, 38% of organisations have not taken any measures to mitigate the risks of cloud computing, such as stronger oversight on the contract management process for cloud providers, the use of encryption techniques, or third party security assessment.
“There’s no doubt that the gap between organisations’ current level of information security measures and what they actually need is widening. However, there’s no single issue creating the gap.
“Rather, it’s a combination of complex, intersecting issues that are driving the need for organisations to get their house in order. We’re at a point in time where the need to develop a robust security architecture framework as well as an all-encompassing ongoing monitoring system has never been greater,” Mr Trovato said.
Mr Trovato said that in Australia, companies would be well advised to implement the “Top Four Strategies to Mitigate Targeted Cyber Intrusions” as set out by the Defence Signals Directorate (DSD)1, which include ‘application whitelisting’, ‘patch applications’, ‘patch operating systems’ and ‘minimising the number of users with domain or local administrative privileges’.
“Additionally, given the role employees play and the fact they ranked close to the top of the list of vulnerabilities organisations face, to help counter fraud and financial errors organisations must work to remediate gaps in user access for key programs and applications.
“These kinds of critical initiatives need to be actioned before anything else. Business process controls security and penetration testing are a critical step to improving security,” Mr Trovato said.
Mr Trovato said the majority of organisations conducted only between 1 and 10 attack and penetration simulation tests annually, with a worrying 10% of organisations not conducting any tests at all to assess current security levels.
“While it’s promising to see the majority of organisations conducting these critical tests, they shouldn’t be seen as once-in-a-while or a tick-a-box initiative. To truly minimise threats, testing needs to be part of a program aligned to the risk appetite of the organisation and include strategic and tactical action,” Mr Trovato said.
With 45% of organisations now allowing the use of company- or privately-owned tablets, substantial volumes of information are flowing in and out of the office, making control increasingly difficult.
Mr Trovato said organisations need to fundamentally shift their approach around information security in order to meet the threats presented by existing and emerging technologies.
“Australian organisations absolutely recognise they need to do more on mobile technology. However, in the fast-moving mobile computing market the adoption of security techniques and software is still relatively low, with just 41% of organisations using some form of encryption technique on mobile devices,” Mr Trovato said.
The survey found organisations were implementing incremental improvements to their information security capabilities to provide short-term solutions — without tackling the issues associated with the overall information security threat.
“The new normal for the CIO is that fast is not fast enough.
“The velocity and complexity of change is happening at a staggering pace, with the growth in emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements adding to an already complicated information security environment.
Mr Trovato said that in Australia, as well as around the world, there will be a new interest in creating resilient organisations in industries considered to be critical infrastructure (CI). By doing so, we will have CI that can adapt and thrive despite unexpected challenges.
“This will require a learning and adaptive security culture as well as a new mindset,” Mr Trovato added.
To read the complete survey findings visit www.ey.com/GISS.
1 Strategies to Mitigate Targeted Cyber Intrusions, Cyber Security Operations Centre, Department of Defence Intelligence and Security, Defence Signals Directorate, originally published 18 February 2010, last updated 10 October 2012.
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. For more information, please visit www.ey.com
Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
This news release has been issued by Ernst & Young Australia, a member firm of Ernst & Young Global Limited.
Liability limited by a scheme approved under Professional Standards Legislation.
Ernst & Young Australia
Tel: +61 3 9288 8322 or 0411 245 099