The Australian government has released this comprehensive cyber security survey, published by the Australian Cyber Security Centre (ACSC), of Australian government and major businesses of national significance.
This report should be viewed as a companion to the ACSC 2016 Threat Report. Both reports reflect the experience, focus, and mandates of the ACSC’s member organisations. While the 2016 Threat Report provides an insight into what the Centre has been seeing, learning, and responding to, the aim of this survey is to gain an understanding of how ready Australian organisations are to prevent and respond to cyber threats.
The release of the survey comes as the Turnbull Government this week marks the first anniversary of the launch of its Cyber Security Strategy. The strategy has increased awareness of cyber security threats and the Government continues to collaborate with industry to mitigate the online risks facing all Australians.
The report confirms that many Australian organisations – 90% of those surveyed – are experiencing some form of attempted or successful cyber security compromise, and that some are being targeted hundreds of times per day.
Importantly, the survey demonstrates a high level of ability of organisations to prepare for and recover from cyber threats. However the continually changing threat environment means more needs to be done to prepare, adapt and detect potentially malicious activity.
Key findings from the survey include:
- The need for senior executives and boards to be considering cyber security risks more regularly – and not just when there is an incident to manage;
- The need to improve our understanding of the factors that can increase cyber security risk;
- The need to better understand the value of the data and systems we are trying to protect;
- The need to better explain and demonstrate the benefits of building relationships and sharing information;
- The need for cyber security plans to consider whole of business operations and impacts as well as be regularly reviewed and exercised to ensure they remain relevant and effective; and
- The quantum of cyber incidents is likely underreported as they are still hard to detect and organisations can be reluctant to tell others about their experiences.
The survey provides us with a benchmark for future reporting and will be an important document to help the Australian Cyber Security Centre ensure its advice continues to meet requirements, as well as deepening our understanding of the pressures industry and government face in cyberspace.