Lack of resources and security skills means Australian organisations are taking a day longer, on average, to detect, investigate and contain cyber attacks than their overseas peers, according to new research that found nearly all cybersecurity practitioners believe their organisation could be doing much better at security.
The difference in response – an average of 186 hours for Australian businesses, compared with the global average of 162 hours – puts Australian companies well behind the response curve. Yet both numbers are well outside of the tolerance of the 1-10-60 rule developed by CrowdStrike, whose 2019 Global Security Attitude Survey found that 92 percent of the 1900 polled senior IT decision-makers and IT security professionals believe their organisation needed to do more to understand cyberattacks and their perpetrators.
A range of reasons for the shortfall were cited, with 46 percent saying they could do better if their organisation increased its cybersecurity budget. Legacy infrastructure was another factor cited as slowing down the cybersecurity response, with 35 percent of Australian respondents finding ageing equipment to be a hindrance.
Of the respondents who were unable to prevent an attacker from reaching their objective, 33 percent said the shortcoming was due to a lack of resources while 32 percent blamed a deficiency of cybersecurity skills.
Senior IT decision makers were more confident overall about their organisation’s cyber security capabilities, with 13 percent estimating they could detect a cybersecurity incident within one minute – but just 9 percent of IT security professionals feeling the same.
The one-minute benchmark – the 1 in CrowdStrike’s 1-10-60 rule – would be a “game-changer” for cybersecurity response, 86 percent of those surveyed held, but the current state of most responding organisations suggests that they still have a long way to go before they can even contemplate that level of efficiency.
Lingering problems aren’t for lack of awareness: fully 51 percent wanted more funds for cybersecurity training, while 42 percent wanted more for staffing and 41 percent believed their organisations should be spending more on cybersecurity overall.
Recent GlobalData figures suggested that many APAC region businesses have gotten the message, with APAC spending on security offerings expected to grow at 9.5 percent annually through 2023 to reach $US54.1 billion ($A79.3b).
High-profile targets of cybercriminals learned the importance of spending big long ago. National Australia Bank group chief executive officer Philip Chronican, for one, told a recent Standing Committee on Economics hearing that the bank is spending around $100m to $150m annually on cybersecurity – “at least triple” its spend of five years ago.
“We are active daily in identifying potential threats and shutting them down,” he said, flagging investments in a range of cybersecurity activities including intrusion protection, fraud detection, blocking malware and distributed denial of service attacks and building cyber resilience into the organisation’s environment.
“We work closely with all of the authorities across the landscape to assist in that,” he explained, noting that many of the bank’s medium-sized businesses had “incurred loss” from cyberattacks and that it was working to pass on its own cybersecurity expertise to its customers. “Every day there are attempts to attack our environment and every day we are beating them back.”
In contrast to the NAB’s prudence, many Australian companies are far less aware of the importance of extending cybersecurity learnings and monitoring outside of the organisation.
Although 36 percent of Australian companies said they had experienced a supply chain attack in the past 12 months – the third highest figure of all surveyed countries – just 16 percent of Australian respondents were concerned about supply-chain attacks.
This was well below the global average of 28 percent – suggesting that local businesses either don’t understand, or aren’t concerned about the real risk from their operational supply chains.
Whether in the supply chain or across the business in general, poor understanding of potential cybersecurity threats was a recurring theme amongst the surveyed CrowdStrike cohort, with 67 percent saying that they see a direct link between better understanding and more complete data protection.
“Organisations are challenged to achieve the kind of speed required to match sophisticated nation-state and eCrime adversaries known to be targeting organisations, from governments to enterprises,” said Thomas Etheridge, vice president of CrowdStrike Services, in a statement coinciding with his blog about the study results.
“There is still a significant reliance on legacy infrastructure that does not address security for today’s organisations from a holistic standpoint to stop breaches. Forward-leaning companies must embrace the cloud for endpoint security to give their teams comprehensive visibility and crowdsourced protection to address effectively a full range of security and operational needs.”