EXECUTIVES AND BOARDS NEED TO STEP UP DEFENCES AGAINST CYBERCRIMINALS, REPORT SAYS

UP to 90 per cent of Australian businesses are experiencing cyber security attacks, sometimes up to hundreds of times a day, and senior executives and boards need to act pre-emptively for their own safety, according to a government report.

The Australian Cyber Security Centre (ASCS) published the comprehensive survey which reveals the "unrelenting and increasingly sophisticated cyber threat that organisations face every day".

The survey is the first of its kind to assess the scale of cyber-attacks in Australia and covers both government and the private sector and concludes that experiencing a cyber incident "is not a matter of if but when, and what type".

While nearly all organisations surveyed revealed they had been the subject of attempted cyber espionage or hacking, over half (58 percent) of organisations revealed these attacks had been successful and compromised their data and/or systems.

"The compromise of these systems threatened to result in significant impacts on Australia's economic prosperity, social wellbeing, national defence and security," the report says.

The ASCS is a collaboration of security and intelligence agencies including ASIO, the Federal Police, the Defence Intelligence Organisation and the Australian Signals Directorate.

As part of its key findings, the survey found that while most companies were well equipped to deal with cyber-attacks, there was a need for senior executives and boards to consider these risks more regularly and proactively rather than just react to such incidents.

"When weighing investment in cyber security against other business needs, senior management need to consider the overall level of cyber risk, their organisation's exposure to such risks, and the potential whole-of-business cost that could be incurred if a serious cyber incident were to occur on their network," the report says.

"The costs of compromise are almost certainly more expensive than preventative measures.

"One of the key factors that distinguish more cyber-resilient organisations from less resilient ones is that cyber security is regularly discussed at the most senior board or management level.

"Regardless of resilience more needs to be done to embed cyber security into the core strategic business of senior management."

The findings suggest that even unsuccessful cyber incidents can be disruptive and that 60 per cent of organisations experienced "tangible impacts" on their businesses because of attempted or successful compromises.

Although most businesses displayed a high level of resilience to attacks, the report found just over half (51 per cent) of them had to be alerted to possible breaches by external parties before they detected it themselves.

"Given that only two per cent of organisations reported having completely outsourced IT functions, these figures suggest organisations are not adequately focusing on monitoring networks and detecting potentially malicious activity," the report says.

The survey included 113 organisations, including 68 private sector and 45 government bodies, and involved key decision makers in IT management.

Business News Australia