Caroline Spencer has been WA's auditor general since May 2018. Photo: David Henry

Digital security not keeping pace with technology

Thursday, 12 October, 2023 - 13:00

Australia has ranked 30th out of 121 countries in an international digital wellbeing study, but senior business leaders’ dedication to improve cyber security has faded in the past 12 months.

The 2023 Digital Quality of Life Index was released in September by Lithuania-founded cyber security company Surfshark.

The study examined each country according to five aspects of technology that affected the population to determine overall digital wellbeing.

Australia ranked 30th in 2023, improving from 35th in 2022.

Among the five areas used by Surfshark to measure digital wellbeing was ‘electronic security’, comprising two sub-categories: cyber security and data protection laws.

This was used to review how well-prepared a country was to tackle cyber crime and how advanced its data protection laws were.

Australia improved in this area, up two places to 41st.

However, the country’s ranking for the individual cyber security indicator had fallen four places to 39th.

The drop could be attributable to the series of high-profile cyber incidents in Australia between last year’s and this year’s Surfshark ratings.

The Optus data breach happened a week after the 2022 index was published and affected almost 10 million Australians.

This was followed closely by an incident at Medibank Private estimated to have affected a similar number of people.

Other breaches included Latitude Financial Services in March with 14 million people affected, national law firm HWL Ebsworth in May, Fortescue Metals Group in July and Dymocks in September.

In June, the Insurance Commission of Western Australia confirmed it was one of the victims in the HWL Ebsworth data hack.

Despite these high-profile breaches, an annual report conducted by BDO and AusCERT found companies’ emphasis on cyber governance and risk management had dropped.

The 2022 Cyber Security Survey received more than 550 responses from across a range of industries and revealed a 7 per cent decrease in regular cyber risk assessments and reporting.

The survey found companies were still integrating risk management strategies at a steady rate but there was a clear drop-off in reviewing and updating these processes later, despite a 70 per cent surge in criminals targeting customer records.

BDO national cyber security leader Leon Fouche said the 2021 report had highlighted an increased focus on a top-down approach to cyber security, with a record number of chief information security officers appointed.

“Despite multiple cyber attacks on high-profile companies in 2022, which resulted in widespread data breaches affecting millions of Australians and New Zealanders, we see a decline in senior leadership’s emphasis on cyber governance,” Mr Fouche said.

“Proactive C-suite involvement through governance and oversight of cyber systems and processes is essential to ensure companies are prepared.”

The main barriers cited by BDO and AusCERT were competing priorities, a lack of resources and budget.

The survey also found reported attacks targeting customer records were up 70 per cent year on year, while those targeting employee records increased 54 per cent.

Confidence in responding to threats dropped 18 per cent, which Mr Fouche said was particularly worrying.

“A lack of confidence will only hinder an organisation’s ability to effectively mitigate cyber risk and recover from the incident,” he said.

“It is crucial that companies address the underlying challenges that are getting in the way of their ability to respond and mitigate.”

CyberCX chief strategy officer Alastair MacGibbon said companies needed to understand where risk resided within the business in order to improve cyber security.

“If you know and document the risks, you can develop contingency plans and redundancy in the event the risks are realised, and key systems are brought offline,” he said.

“If you have identified your key risks, when an incident does occur you will know who within your organisation will play what role, who needs to be contacted, what systems need to be contained or taken offline and what systems can continue to operate.

“A company that identifies and defines its risk can put mitigations and responses in place to act and recover far quicker than a company that doesn’t.”

Alastair MacGibbon says CyberCX responds to between 300 and 500 cyber incidents per year. Photo: CyberCX

The Office of the Auditor General for Western Australia identified cyber security as a weak point for public tertiary institutions in the state.

The Financial Audit Results Universities and TAFEs 2022 report, released in June, found information systems control issues at tertiary institutions increased from 124 last year to 134 this year.

Of these issues, 59 per cent remained unresolved, another increase compared with the 49 per cent not mitigated in the previous year.

In conversation with Business News, auditor general Caroline Spencer said this meant entities aware of the issues were not taking action to address these quickly enough.

“The continuing increase in these control issues is particularly concerning considering recent high-profile data leaks from other Australian entities,” she said.

“Like all organisations, as cyber security threats evolve, universities and TAFEs need to continue to review and enhance their information and cyber security posture.

“A number of security frameworks, including the Australian Cyber Security Centre’s Essential Eight, should be considered by the tertiary sector.”

The Essential Eight is a list of mitigation strategies developed by the Australian Signals Directorate and compiled by ACSC to help companies to protect themselves against cyber security incidents.

The Office of the Auditor General noted there were no requirements for state government entities, such as public universities and TAFEs, to comply with ESG standards because mandatory ESG reporting had not yet been established in Australia.

Ms Spencer said reporting on ESG was an evolution, not a revolution.

“Over time, reporting scope has responded to emerging stakeholder needs and interests,” she said.

“For the public sector, where profit is not the focus, reporting and assurance on public service delivery and administration have long been demanded by the parliament and community.

“The public sector is already doing certain ESG reporting, [mainly for] sustainability, in different forms, for example through public reporting on a range of matters, as well as entity key performance indicators on which the OAG provides assurance over reported results.”

Ms Spencer said non-financial audits carried out by the Office of the Auditor General were monitored to determine the extent of assurance organisational bodies provided for categories such as governance, service delivery, social and environmental matters, and economic development.

“Specifically on cyber risk, our information systems audits look at information security, business continuity, business systems, governance and risk management across the state, local government and tertiary sectors,” she said.

The findings of BDO and AusCERT’s report and the Office of the Auditor General’s audit point to a weakening sense of urgency among businesses and tertiary institutions about strengthening their cyber security.

Mr MacGibbon said criminals would always find some vulnerability if they were determined enough and it was important for companies to regularly review their cyber security systems.

“The vast majority [of cyber hacks] are basic cyber hygiene failures easily exploited by cyber criminals, not sophisticated attacks by nation states,” he said.

“While the risk may be impossible to eliminate, there are steps that every organisation can and should take to minimise this risk.”