Medium sized businesses weak link in National Cyber Defence

The risks this creates are compounded by a dangerous tendency to sweep data breaches under the carpet.

“Perhaps the most worrying responses are those showing how reluctant businesses are to report a breach,” Aidan Tudehope, managing director of Macquarie Government, said.

“Just 21 percent said they would report a cyber breach to a government agency even if they were required to contractually or by law,” Mr Tudehope said.

“This is probably compounded by the fact that there is a low level of awareness of the Government agencies who are available to assist them, despite the hard work by the Government in the past 18 months to raise cyber security literacy.”

The report was released by then Minister Assisting the Prime Minister on Cyber Security, the Hon Dan Tehan, as part of a cyber security panel discussion featuring the National Security College lead researcher, Dr Tim Legrand, and Law Council of Australia president Stuart Clark hosted by Macquarie Telecom Group.

Macquarie Telecom Group commissioned the research after participating in the business dialogue ahead of the Federal Government’s National Cyber Security strategy, released earlier this year, and in subsequent activities to promote the initiatives included in the strategy.

“Through Macquarie Government, we provide secure Internet and Cloud services to many medium sized Federal and state government agencies, and our Macquarie Telecom and Macquarie Cloud Services businesses specialise in providing services to medium sized businesses,” Mr Tudehope said.

“It been apparent to us that the message cyber security is not reaching the ears of those mid-sized organisations, who too often are simply so busy that they don’t realise this issue concerns them,” Mr Tudehope said.

“The reality is hacks and data breaches have gone from a few isolated news items a decade ago to an almost daily parade of household names, and from affecting technology businesses to hitting High Street brands,” he said.

Among the starkest findings, 46 per cent of boards rarely or never discuss cyber security and 30 per cent never receive reports of cyber security threats to their businesses.

Among Government agencies, the report found 41 per cent described as inadequate the awareness and understanding of cyber security of senior executive teams.

Public sector agencies also reviewed their cyber security risks infrequently, with none reporting their senior management reviewed risks monthly.

“The report makes clear that, for a crucial part of the Government and the business community, cyber security is not treated as core management business,” Mr Tudehope said.

“Further, getting to a point where they have integrated cyber security risk management into core business leadership practices is likely beyond their internal resources,” Mr Tudehope said.

“This represents a risk not only to them, but to the nation as a whole.

“These businesses and agencies have similar complex needs and webs of interconnections across the community as the largest organisations in the country, but lack the resources to build the specialist skills from within.

“All businesses and agencies are interconnected to other businesses and parts of government in the modern digital economy, and becoming more so every day.

“As such, the weak management practices in these medium sized organisations represents the weakest link in our national cyber security defence, and there is a real risk they will become an unwitting ‘honey pot’ for all manner of malicious online actors,” Mr Tudehope said.

Download the Cyber Security and Cyber Governance Survey Research Report from the National Security College, Australian National University (ANU).

This article was first published in First5000 in November 2016.