This article was originally published 11 May 2020.
The world we live in
In our digitally driven society, cyber security is an essential element in ensuring both data integrity and privacy. Nearly every organisation is going through some form of digital transformation to enhance data access, increase speed to market, and reduce operational expenses. Unfortunately, we also live in a time of extensive fake technology, rampant cyber fraud, increasingly sophisticated cyber attacks, and costly cyber data breaches. Many organisations are struggling to separate fact from fiction (misinformation, hype, and fake news) when assessing the value of the growing number of cyber security software, hardware, insurance policies, and related professional services intended to mitigate cyber fraud, cyber lawsuits, and data breach damages. To dispel some of the common myths surrounding cyber security, we look to research, extensive field experience, and common sense.
Myth #1
Most companies have significantly increased their investments in cyber security software, hardware, insurance policies, and related professional services in the past three years to appropriately manage cyber risks.
Reality
By 2021, global cyber fraud and cyber data breach damages are expected to reach USD 6 trillion, up from the current USD 4 trillion in global damages, according to Cybersecurity Ventures. Global damages from cyber fraud and cyber data breaches have been rising for the past ten years, largely due to gross under-investment in cyber security worldwide. Many companies have modestly increased their spending on cyber security tools and services. However, the average organisation currently spends only 2% to 5% of its annual Information Technology budget on information security, according to studies by Forrester Research, the Gartner Group, and the Carnegie Mellon University (CMU) Software Engineering Institute (SEI).
Myth #2
Cyber criminals are the most common threat to organisations.
Reality
The 2019 BDO and AusCERT Cyber Security Survey found that respondents expect cyber criminals to be the most common threat actor they are likely to come up against. Because of this perception, organisations consistently underestimate the prevalence of data breaches caused by insider threats. In fact, 40.2% of the incidents reported through the survey could be attributed to insider threat groups (e.g. current and former employees, or suppliers).
Myth #3
Most organisations have hired a full-time, dedicated, and highly skilled Chief Information Security Officer (CISO) to manage their organisation’s information security strategy, people, policies, plans, systems, tools, and procedures to effectively mitigate cyber fraud and cyber data breach risks.
Reality
Fewer than 38% of all organisations surveyed through the 2019 BDO and AusCERT Cyber Security Survey have hired a CISO. Of those who have been assigned the title of CISO, many lack appropriate cyber security education, training, and professional certification.
Myth #4
Cyber security specialists are capable of effectively managing the growing number of cyber threats as a direct result of technological advancements in big data analytics, data visualisation, data encryption, biometrics, identity and access management, zero trust data architecture, cyber attack simulations, computer-based training, and artificial intelligence.
Reality
The majority of small to medium-sized organisations have made relatively limited technological investments to enhance cyber security, for financial reasons. Untangle’s 2019 SMB IT Security Report found that 29% of small businesses spend less than $1,000 annually on IT security. With a limited budget, small to medium businesses do not consider advanced technology solutions. The 2019 BDO and AusCERT Cyber Security Survey determined that small organisations were 22% less likely to have identity and access management solutions, 40% less likely to have intrusion detection capabilities, and 39% less likely to have a security information and event management (SIEM) solution compared with large organisations. Additionally, with respect to cyber attack simulations, large organisations are 10% more likely to test security incident response plans, while small businesses are 14% more likely to never conduct any testing.
Myth #5
The use of cyber security education, training, simulations, and email phishing campaigns has enabled organisations to thwart all email phishing attacks.
Reality
The human factor remains the weakest link in cyber security. Even after conducting periodic cyber security awareness education, training, and spear-phishing campaigns, most organisations typically find that about 5% or more of their employees remain susceptible to socially engineered email phishing attacks. In addition, insider-threat cyber attacks represent a clear and present danger to nearly every organisation.
Myth #6
Only large multi-billion dollar companies and government agencies are subject to significant cyber data breaches.
Reality
According to a recent Forrester Research study, nearly every industry worldwide has suffered significant cyber data breaches, and about 30% of all reported cyber data breaches occurred in companies with fewer than 200 employees. This aligns with the survey statistics reported by BDO, where 35% of respondent organisations that reported an incident had fewer than 100 employees. Furthermore, it is important to note that many cyber attacks and data breaches go unreported.
Myth #7
Cyber liability insurance coverage can ensure organisations are financially protected from costly cyber fraud and data breaches.
Reality
There are more than 100 insurance carriers globally offering a wide range of cyber liability insurance policies, with very diverse limitations, exclusions, and related terms and conditions. Most companies find it difficult to substantiate some of the damages when preparing a cyber data breach claim, and they do not always receive full reimbursement from the insurance carriers for the post-breach cyber security remediation actions required.
Myth #8
The majority of prime contractors are effectively managing their supply chain partners’ cyber security risk via vendor relationship management programs and independently conducted cyber audits.
Reality
Most prime contractors rely on vendor cyber risk self-assessments; they neither conduct vendor cyber security risk audits themselves nor require independently conducted, industry-specific cyber security audits and cyber security compliance certifications such as ISO 27001. This is despite the BDO and AusCERT Cyber Security Survey finding that organisations continually overestimate the prevalence of third-party data breaches.
Myth #9
To rapidly detect cyber intrusions and reduce the impact of a cyber data breach, most organisations have implemented an effective 24 x 7 x 365 email and network monitoring, detection, and incident response capability.
Reality
Many small to medium-sized organisations remain exposed to the damages of a cyber data breach, and many do not maintain a 24 x 7 x 365 active monitoring, detection, and incident response capability, either internally or via outsourced Managed Security Services Providers (MSSPs).
Myth #10
Most companies and government organisations have developed, documented, and implemented an effective cyber defence program.
Reality
Unfortunately, most organisations are not implementing an effective threat-based cyber security program. Some companies have no structured or documented cyber security policies, plans, and procedures at all. Many companies and government organisations choose instead to implement a compliance-based checklist approach to cyber security, which is well intended but often fails to achieve real cyber defence, because regulations cannot keep pace with rapidly evolving cyber attack tactics, methods, and procedures.
Summary
Too often, senior executives make poor information security investment decisions based on misinformation, a short-term financial focus, and a lack of cyber security awareness, leaving their organisations vulnerable to the ramifications of cyber attacks. To achieve real information security, an organisation must understand the key elements of, and misconceptions surrounding, the issue: cyber attackers’ data targets and sophisticated methods, as well as an honest assessment of the organisation’s real information system attack vulnerabilities.
How can BDO help?
At BDO in Australia, our cyber and risk teams collaborate closely to ensure we provide integrated cyber risk services across all levels within a client’s organisation and appropriate advice on how to best prepare for cyber threats.
Our risk practice can help you understand the impact of certain business risks and ensure you make smart decisions about your organisation’s risk appetite.
By working with our risk team and your board, the BDO cyber team can help facilitate better understanding and communication between your cyber security team and the organisation’s leadership. We can perform in-depth risk assessments that cover the whole cyber spectrum, including Information Technology, information security, and physical-systems security. From there, we can help you develop appropriate cyber resilience strategies to mitigate the risks to your enterprise.
To learn more about our risk and cyber security services, contact us today.