Cyber crime and security survey report
29 May 2014
I am pleased to announce that CERT Australia, the national computer emergency response team, has released the 2013 Cyber Crime and Security Survey Report.
The annual survey provides a picture of the cyber threat environment, helping the CERT to provide major Australian businesses the best cyber security advice and support possible.
The survey of businesses underpinning essential service delivery across the nation, including banking and finance, communications, energy, resources, transport and water confirmed that businesses are taking cyber security seriously. However, the findings indicate potential vulnerabilities and areas where organisations can make improvements to strengthen their cyber resilience—and I encourage them to do so.
Constant review and improvement is important as there has been an overall increase in the number of cyber security incidents experienced by businesses, most of which have been targeted rather than random or indiscriminate attacks.
Cyber criminals continue to gain access to networks primarily through targeted emails, or 'spear phishing', which was reported as the main cyber security incident experienced.
The main motivation for cyber-attacks is considered to be competitors seeking commercial advantage. This aligns with the cyber threat of most concern to businesses, which is theft or breach of confidential information or intellectual property. This of course has recently come to prominence through the US indicting Chinese officials for the theft of IP from US companies by cyber means.
Of concern, 61% of organisations do not have cyber security incidents identified in their risk register. This is consistent with the identified need for management and CEOs to improve their understanding and awareness of IT security threats, risks and best practice.
Cyber security should be considered a CEO or Board issue and not just an information security issue. Importantly, the survey indicates the cyber security conversation is shifting from being only about technology to also recognising social, behavioural and cultural factors.
Another potential vulnerability is that businesses reported no compromises of mobile devices despite the fact recent reports from leading IT security companies have noted a large increase in mobile malware attacks.
Overall, the key messages for businesses are to:
- understand the value of your information and how it is protected on your network;
- create a culture of cyber security awareness and practices;
- ensure cyber security incidents are identified in your business risk register; and
- partner with CERT Australia before an incident occurs.
The report is available on the CERT Australia website—www.cert.gov.au.