The inaugural Canon Business Readiness Index on Information Security is a comprehensive study that examines the digital readiness of Australian businesses with specific reference to the new data breach notification laws coming into effect on 22 February 2018.
The study, conducted by GfK Australia in January 2018, reveals some worrying trends.
The current level of concern of many businesses is too low, particularly for small businesses with 15% saying they are not at all concerned about a security breach occurring. With cyber crime growing in sophistication and volume day by day, this is a perception that is out of sync with the reality of the risk landscape.
Many business just aren’t prepared enough when it comes to their information security, particularly small businesses. Only 40% of all businesses have 6 or more of the Australian Signals Directorate Essential 8 (ASD8) strategies in place and this decreases to 27% for small businesses. Of particular concern, 12% of small businesses have absolutely no ASD8 strategies in place, which not only leaves their business open to attack, but also has serious implications for their customers, suppliers and partners.
Many Australian businesses need to increase their understanding of information security and put better protection measures in place. Failure to do so could risk compromising their confidential data, expose them to hefty fines and lead to significant reputational damage. So, how will your business measure up?
38% of Australian businesses are ‘extremely’ to ‘very concerned’ that they could suffer from a security breach within the next 12 months. Small business appear less concerned with only 21% extremely/very concerned and alarmingly 15% not concerned at all.
Less than half of the businesses (41%) affected are aware of the upcoming changes to the Privacy Act that will make it mandatory to report certain data security breaches. Only 1 in 5 small businesses said they were aware of the changes.
Only 40% of Australian businesses have implemented six or more of the Australian Signals Directorate Essential 8 (ASD8) strategies to mitigate cyber security incidents and just 18% reported implementing all 8. Worryingly, 12% of small businesses implemented none.
A risk and management assessment should be the starting point for any security journey, but only 56% of Australian businesses have done so. Businesses recently assessed are more likely to be concerned about their security because they have a better understanding of their risks.
Small businesses see technology as the biggest vulnerability in their information security, but larger organisations have a more balanced understanding of the risks across their people, processes and technology.
While 84% of businesses are aware of printing related security threats, only 4 in 10 businesses have their printers secured. Small businesses are less aware of printer security issues with 31% not aware of risks vs. 5% of larger businesses.
Only 56% of Australian businesses have a documented internal IT security/cyber security policy for employees, with only 55% investing in security training. Small businesses are even less likely to have these protection strategies in place.
The most common security incidences in last 12 months were viruses, spam, malware/spyware, phishing and ransomware. On average it took 24.7 days to detect a data breach.