People, processes, practices key to improved cyber security
Media release
Date: 8th December 2016
For immediate release
People, processes and practices the key to improved cyber security
Leading advisory firm BDO is urging businesses to get back to basics to ensure they stay ahead of potential cyber security breaches, after releasing the results of its inaugural cyber security survey.
The survey, which was completed in conjunction with AusCERT, aims to help the market understand the cyber security challenges Australian and New Zealand businesses face, in an environment characterised by the movement of systems and processes online.
BDO New Zealand’s National Leader for Risk Advisory, Andrew Sloman, said although general awareness of cyber risks had improved, organisations were relying too much on technical solutions for defending against the increased risk of cyber attacks and data breaches.
“The people and process component of cyber defences must be addressed if organisations want to improve their cyber resilience,” Mr Sloman said.
“Getting back to basics and understanding the risks, defining baseline security standards to address these risks, and then enforcing these standards, while monitoring how well they are implemented, is critical to improving the maturity of a business’ cyber security posture.”
The report revealed around 40% of respondents had security standards and cyber risk management guidelines in place for their supply chain — including third party providers, and the cloud.
Thomas King, General Manager, AusCERT, said the fact that less than half of the respondents had security standards for their supply chain was concerning, considering most organisations were becoming increasingly connected to the internet and were highly reliant on third party providers and applications for running their businesses.
“Without proper security standards and oversight of the cyber security risks in their supply chain, businesses risk losing control over the security of their operation,” he said.
“As the use of cloud solutions increases, organisations need to prepare themselves by having the right tools and processes in place to manage security risks directly under their control.”
Mr Sloman explained transparency around an organisation’s data sources is the best way to address this issue.
“Organisations can start with the simple step of identifying the key data sources and applications they have outsourced to third parties and ensure these have effective security controls in place,” he said.
“This will provide them with insights into the cyber risks in their supply chain and what strategies they need to implement to make them more cyber resilient.”
Mr Sloman said the survey findings reinforced the fact that awareness of cyber risks had improved in recent years among businesses; however, there was still not a true appreciation of the consequences and impacts of cyber incidents.
“Although businesses have adopted good security technologies, their cyber security processes and practices are relatively weak,” he said.
“For example, 40% of organisations are able to detect security incidents, and 52% of organisations are performing regular security risk assessments, which is great to see.
“But only 21% of organisations have a security operations centre in place to investigate and respond to security incidents that may occur, and only 49% of organisations regularly report cyber risks to the board.
“It’s important the board and CEO continue to play an increasingly active role in the cyber security of their own business. After all, they are ultimately accountable for it.
“This is important because data breaches will impact the reputation and financial stability of an organisation and it’s essential for boards and executives to be educated about the impact and likelihood of a security incident, and what the organisation’s capabilities are to defend against it.”
Report snapshot:
• Less than 19% of respondents have or plan to have a senior management role responsible for cyber security (i.e. a chief information security officer)
• 47% of respondents have implemented security awareness training for staff
• Many respondents have already taken up endpoint and gateway controls like anti-virus (93%), website and internet filtering (75%), and email filtering to block suspicious emails (91%)
• 52% of respondents are performing regular security risk assessments, but only 49% regularly report cyber risks to the board
• 40% of respondents can detect security incidents, but only 21% have a security operations centre in place to investigate and respond to security incidents
• 48% of respondents have a cyber incident response plan in place and only 41% have a cyber incident response team or capability in place to respond to incidents
• 44% of respondents have defined security standards for cloud and third parties or supply chain.
Supporting graphs are available for download from the BDO website - https://www.bdo.com.au/en-au/2016-cybersecurity-survey-results
Note to editors
BDO offers a wide range of business and corporate advisory services to large corporate organisations, Government & Public Sector entities, private businesses, entrepreneurs, and individual clients across a wide range of industry sectors.
In New Zealand, BDO can offer the expertise of 91 partners, supported by over 850 staff. We are one of New Zealand’s largest networks of independently-owned accounting practices, with offices in Kerikeri, Whangarei, Auckland, Hamilton, Tauranga, Rotorua, Gisborne, New Plymouth, Napier, Palmerston North, Wellington, Christchurch and Invercargill.
Our service lines include: Audit & Assurance, Corporate Finance, Tax, Advisory, Forensic Services, Risk Advisory, Business Recovery & Insolvency, HR Services and Information Systems. We also focus on a range of industries and specialisations, including: Automotive, Agribusiness; Government & Public Sector, Healthcare, Not-for-Profit, Professional Services, Real Estate & Construction, Retail, Technology, Entertainment & Telecommunications; and Tourism, Sports & Leisure.
International BDO network
The global network has 1,328 offices in 157 countries and more than 59,428 people provide advisory services throughout the world.
Service provision within the international BDO network of independent member firms (‘the BDO network’) is coordinated by Brussels Worldwide Services BVBA, a limited liability company incorporated in Belgium with its statutory seat in Brussels. Each of BDO International Limited (the governing entity of the BDO network), Brussels Worldwide Services BVBA and the member firms is a separate legal entity and has no liability for another such entity’s acts or omissions. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDO International Limited, Brussels Worldwide Services BVBA and/or the member firms of the BDO network.
BDO is the brand name for the BDO network and for each of the BDO member firms.