ExtraHop, the leader in cloud-native network detection and response, today released findings from a new survey that shows 85% of organisations in Asia Pacific were breached by ransomware at least once in the past five years, but only 28% publicly disclosed that an incident occurred.
The ExtraHop Cyber Confidence Index - Asia Pacific Report 2022, conducted by StollzNow Research, sheds light on discrepancies in how Australian IT decision makers (ITDMs) see their current security practices, and the reality of the ransomware attack landscape.
It shows that both outward and inward perceptions of security can be deceiving.
Externally, 72% of organisations will try to keep a ransomware incident quiet, telling few people if anyone, and certainly doing their utmost not to make it public knowledge.
Meanwhile, growing cybersecurity budgets don’t necessarily buy improved degrees of protection and confidence, with only 43% of ITDMs in Australia expressing a high degree of confidence in their organisation’s ability to prevent or mitigate cybersecurity threats, and an equal percentage having low confidence. Of those that are confident, many shouldn’t be. Lax security practices, continued reliance on legacy technology, and actual attack numbers all suggest that confidence levels may be overstated or unrealistic.
This may explain why executives in the region don’t back transparency or disclosure of incidents, since they can’t be confident history won’t repeat itself. It often does: on average, every Australian business that identifies as a ransomware victim was infected—or reinfected—yearly in four of the past five years.
As executive committees and directors become more educated in cybersecurity risks, and accountable for those risks to shareholders and regulators, ITDMs and security teams are likely to face more detailed questions and future audits of their security posture, decision-making and protections, particularly as it relates to budget and resource allocation. Boards and executive committees may be driven to undertake their own separate due diligence on ‘low confidence’ environments and indicators.
“Security leaders in Asia Pacific are facing a challenge. They’re in disagreement with executives around disclosure, they’re getting increased budgets but it doesn’t feel like enough, and there is worry around legal obligations,” said Jeff Costlow, CISO, ExtraHop. “These leaders need to focus on their risk tolerance for their IP, data, and customer data and arm their teams with the tools and network intelligence that can help them defend their most critical assets. This survey reinforces the challenge organisations face in preventing attacks. Let’s arm defenders with the tools and forensics needed to prevent an intrusion from becoming a full-blown breach.”
Key Australian research findings include:
- The cost of ransomware is high: 35% of organisations in Australia have paid a ransom, despite a majority believing that paying increases the number of attacks. Organisations are more likely to have specific insurance for ransomware (42%) than to rely on a general business insurance policy (34%).
- Ransomware attacks come in numbers: Only 15% of Australian respondents to this study said they experienced no ransomware incidents in the past five years; 53% had experienced 1-5 attacks, while 32% had experienced 6 or more. But 22% of organisations wouldn’t tell anyone if they were breached anyway, suggesting the proportion of organisations hit by ransomware is probably a lot higher.
- Corporate leaders and security teams disagree on disclosure: Only 28% of Australian organisations are public and transparent about ransomware attacks; 50% let some people know but keep it as private as possible and 22% tell no one. This is largely against the wishes of IT security personnel, of whom 66% feel it would be better to be transparent and public about ransomware attacks.
- Australian firms are less worried about official repercussions: While the ‘stick’ of legal action and fines can promote action on cybersecurity by senior management in certain jurisdictions, only 64% of Australian respondents agree with this statement, fewer than their Asia Pacific-wide counterparts.
- An attentive focus on supply chain risks: A minority (44%) of Australian organisations allow third-party access to their networks, and most (87%) have considered the security aspects.
- Budgets on the rise: Two-thirds (66%) of Australian organisations expect cybersecurity budgets to increase in 2022, while 31% expect to see stable budgets year-on-year. Very few expect cybersecurity budgets to decrease.
- Under-resourcing is still too high: 5% of Australian organisations do not have a dedicated internal team or external team. This may seem a low figure, but if applied to all organisations it is a very large number that lack basic cybersecurity protection. Being a part of this cohort is a cause for concern.
- Slow response times to critical vulnerabilities: Only 31% of teams are able to enact mitigations or apply a patch (where available) in under a day, with 42% taking one-to-three-days, 17% needing a week, and 6% requiring a month or more.
- Legacy technology hit confidence: 44% of Australian respondents last updated their cybersecurity infrastructure in 2020 or before; 14% of organisations have technology that has gone at least three years without being updated. Additionally, 69% state they are concerned about legacy systems being attacked.
Even as companies continue to innovate with cloud technologies and remote workforces, IT infrastructures remain vulnerable to past architectural decisions, with obsolete protocols providing ongoing opportunities for attackers to infiltrate networks and unleash ransomware attacks. A lack of visibility and effective use of data has also contributed to organisations' obstacles in identifying vulnerabilities and preventing ongoing ransomware attacks.
“High levels of fear around the security implications of legacy environments, and the very real threat of multiple breaches a year, is a reminder of just how quickly cybersecurity postures can become outdated and vulnerable,” said ExtraHop ANZ country manager Rohan Langdon.
“Defenders need tools that can track attacker activity across cloud, on-premises, and remote environments so they can identify and stop an attack before it can compromise the business.”
Organisations should look for ransomware mitigation tools that can capture network communications across all devices, and use technologies like behavioural analytics and artificial intelligence to detect behaviours that signal a ransomware attack in progress. By leveraging a network detection and response platform, defenders can detect and stop the lateral movement and other post-compromise activity of ransomware attackers before they achieve real damage.
The report identifies several courses of action that Australian organisations intend to take in 2022:
- Network detection and response: 40% intend to invest in network detection and response systems this year, adding to the 36% of organisations that already have such systems in place.
- Social engineering strategy: 36% of respondents plan to implement a social engineering strategy in 2022, building on the 30% that already have one in place today and the 46% that train staff to recognise social engineering cues. This correlates with a finding that over half (55%) of ITDMs are already confident in staff ability to identify cyber- and social engineering attacks.
- Improved threat training and identification: 43% plan to implement staff threat training, while 50% plan to improve the speed of threat identification.
- Onboarding more resources: 40% of organisations plan to increase or recruit dedicated internal security staff. The same proportion (41%) intend to engage external managed security services in 2022.
Australia struggles for staff
The research shows that 43% of Australian ITDMs are very or completely confident in their ability to handle cyber threats. Within that, confidence varies: 77% are confident of preventing attackers from breaking into internal networks, for example, while only 19% say they can always identify and block ransomware. Australian teams will mostly emerge from 2022 with more budget than the previous year, but may still find it difficult to attract resourcing; 63% say it is difficult to find staff for the cybersecurity team, although work-from-home options have broadened the possible skills pool.