Canon Australia today announced the results of its inaugural Business Readiness Index, a comprehensive study which monitors and measures Australian businesses’ digital readiness. The first of four research modules, the Information Security study conducted by GfK Australia gathered insights from over 400 key business decision makers on how prepared they are when it comes to their information security practices. Results point to a relative lack of awareness and understanding of how to protect valuable information and manage risk – especially in smaller rather than larger enterprises – as Australian businesses struggle to keep up with the rapidly evolving security landscape.
A disturbing lack of awareness
February 22nd will see the new mandatory data breach notification laws come into effect. Despite the introduction looming, a whopping 3 in 5 businesses (59%) are unaware of the incoming legislation and what it means for them. Small businesses in particular are seen to be least concerned about data security, stemming from a lack of awareness where only 1 in 5 (19%) are conscious of and prepared for the new regulations. This is concerning given failure to comply puts private organisations with a turnover of more than $3 million risk crippling fines of up to $2.1 million.
“Third-party suppliers present a cyber security blind spot for many businesses. A business’ security posture doesn’t solely depend on its own efforts. Internally, a business could be a fortress, but the walls could come crashing down if a supplier’s security measures aren’t as robust – this should be number one on every boardroom’s agenda at the moment,” commented Gavin Gomes, Director of Canon Business Services.
“Small businesses, for example, are seen as the engines of Australia’s economy. The fact that 1 in 2 are only ‘slightly’ or ‘not at all’ concerned about potential upcoming breaches is in itself a red flag. In the short run, this makes them the ideal back door entry for cyber criminals angling for prized data and revenue from larger enterprises. Longer term, the implications can include missed opportunities worth millions – be it lost contracts or irreversible reputational damage,” Gomes continued.
The Catch-22 with technology
It’s an industry adage that people represent the weakest link in the security chain. Contrary to this belief is a key finding from the study that the majority of Australian businesses see technology or IT infrastructure as their biggest security risk. 44% of the risk was attributed to hardware & software meant to prevent data breaches, while 30% of the risk was believed to be from people and 26% from policies and processes.
It is interesting to note that concerns around IT infrastructure are highest with small businesses with less than 20 employees, where more than half (53%) feel the risk is attributed to technology, while only 25% pin this to people, and 22% to policies and processes. Larger organisations had a much more balanced view of the risk landscape, signalling an understanding that the responsibility lies across the company and not just with the IT department.
Small businesses are also seen to be less prepared for the risks caused by people, policies and processes. Only 34% reported having security training in place and 36% having an IT/cyber security policy. The lack of awareness around non-technological threats is a concern and creates a considerable vulnerability both to their business and the businesses they partner with.
“When it comes to overall security, ignorance is no longer bliss. According to the Index, it reportedly takes nearly a month (24.7 days) on average for a security breach to even be detected – whether it’s seemingly innocuous spam, or insidious ransomware. Our experience tells us that in fact it is much longer than this, giving cyber criminals enough time to know your business better than your IT department,” said Sop Chen, General Manager of Managed IT and Security Services, Harbour IT, a Canon Group company.
“Australian businesses are citing technology as their biggest downfall, but the question is if they’re setting themselves up for success. Only 2 in 5 businesses have implemented six or more of the Australian Signals Directorate’s Essential Eight (ASD8) – developed by the Australian government as the best practical strategies designed to help mitigate cyber security incidents. Also, just 3 in 5 have been assessed for security risk management. There needs to be much more urgency accorded to being safe rather than sorry, and businesses need to better appreciate how their actions may affect the wider industry,” continued Chen.
Underestimated vulnerabilities from phishing to printing
An evolving threat landscape has seen cyber-attacks become front-page fodder. Businesses today have much more to worry about than fraud and theft. The increasing adoption of emerging technologies, such as cloud services and the Internet of Things (IoT) has widened the attack surface.
As a result, there is a wide range of risks keeping IT managers awake at night. That said, just over half are very or extremely concerned about protecting company data (52%) and customer data (51%), figures that are far too low. 45% rank ransomware as a high concern and despite many recent data breaches resulting from phishing activity, only 39% of businesses classify it as a pressing concern.
It’s not only emerging technologies that pose a security risk. Employee behaviour and inadequate workplace print policies can create security holes for businesses and put them at risk of breaches. The study uncovered that while 84% of businesses are aware of printing-related security threats, only 4 in 10 businesses have their printers secured. Among small businesses, awareness for print related security risks is the lowest.
“Technology, globalisation and evolving demographics are changing the world we work in at a rapid pace. Innovation and disruption are becoming increasingly important for businesses of all sizes and across all industries. To survive and thrive in today’s challenging environment, we believe that Australian businesses need to be innovative, agile, and trusted. The first, simple step for businesses is to take a good look at their current practices and be mindful of how leaders and employees are managing valuable information. It’s no longer just up to IT Managers to take this responsibility,” said Gomes.
For more information and results of the Canon Business Readiness Index, download the report.