It’s not if but when a cyber security attack will happen

Businesses need to assume a cyber security breach will happen and prepare accordingly. And, the focus needs to shift from pure prevention to detection and response planning, the goal being to become resilient organisations that can bounce back quickly from attacks.

That is the advice from Tommy Viljoen, national security and resilience lead partner at Deloitte Australia, following the recent release of the Deloitte TMT Global Security Study, a survey of 121 global technology, media and telecommunications (TMT) companies.

It found that businesses are underestimating how well prepared they are to prevent cyber attacks, with 88 per cent of survey participants not seeing their company as vulnerable and over 60 per cent rating their ability to mitigate newly developed threats as “average” or “high”.

The survey’s report states that this widespread confidence may not be realistic. It notes that even the US Government’s National Security Agency works under the assumption that it has been compromised and builds its systems on the assumption that adversaries will get in.

More than half (59 per cent) of the TMT organisations surveyed acknowledged that they experienced a security breach in the past year and of those incidents, seven per cent were considered high impact. Other organisations may have had their security breached without even realising it, the report notes.

It says: “The truth is every organisation is vulnerable; 100 per cent prevention does not exist. That’s why a combination of detection and incident response, in addition to prevention, is becoming more important. In fact, TMT organisations today are increasingly focusing on cyber resilience, not just security.”

Innovations in technology and how people use that technology were seen as the biggest security threat. More than three quarters of the respondents rated security breaches at third parties as one of their top three threats. As businesses become more reliant on third parties in their efforts to improve efficiencies (and as third parties develop their own downstream service networks and increasingly rely on the cloud), TMT organisations are concerned their data is, and will be, shared and exposed in ways they cannot control.

“In order to effectively counter cyber risks, companies need to move beyond pure contractual arrangements with their suppliers and other third parties, such as government, and be more willing to collaborate and co-operate to reduce the weaker links,” says Deloitte technology risk leader, Dean Kingsley. “Only 30 per cent of the participants believe third parties are shouldering enough responsibility for cyber security.”

He adds that the mobile and “bring your own device” (BYOD) trends continue to challenge security teams, with 74 per cent of survey participants ranking it as their second-biggest security risk. Despite this, only half indicated they have specific policies for mobile devices in place, and 10 per cent do not address BYOD risks at all.

In addition, 70 per cent of survey respondents also listed their employees’ lack of security awareness as an “average” or “high” vulnerability.

According to the surveyed organisations, network-related protective technologies (such as firewalls and network zones) are by far the most effective methods. Security compliance tools are considered the least effective.

“Hacktivism” is referenced in the survey for the first time, with 63 per cent of participants rating it as a major concern. This combines social or political activism with hacking and seeking to block access to a company’s online operations through a denial of service (DOS) attack.

“This vulnerability to hacktivism reflects that cyber attacks can now come from anywhere, and be prompted by perceived controversial business practices and decisions, often highlighted through social media,” says Viljoen.

The survey found that one of the biggest obstacles to improving information security continues to be lack of budget, a barrier cited by 49 per cent of respondents. “This is an issue that organisations will need to address if they want to stay a step ahead of the threats,” notes the report.