Cyberattacks on essential service companies on rise

The majority of Australian businesses providing essential service delivery do not have cybersecurity incidents identified in their risk register, according to an annual survey from CERT Australia.

The survey of 135 businesses in critical industries - including the banking, communications, energy, resources, transport and water sectors - also shows that the number of security incidents is on the rise.

In 2013, 76 of the respondents encountered a cybersecurity incident - up from 56 in 2012.

CERT said in its report into the survey that Australian businesses in critical industries are overall continuing to take cybersecurity seriously. Notably, 79% of respondents are implementing the top four threat mitigation strategies recommended by the Australian Signals Directorate.

But 61% do not identify cybersecurity incidents in their risk register. Announcing the report, Attorney-General George Brandis said this statistic is “consistent with the identified need for management and CEOs to improve their understanding and awareness of IT security threats, risks and best practice”.

Just 27% of respondents had increased their expenditure on IT security in 2013 - a decrease of 25% from 2012.

Also of concern is the fact that the percentage of respondents choosing not to report cybersecurity incidents to third parties increased to 57% in 2013, from 44% in 2012.

“Responses indicate that Australian businesses are yet to be convinced about the benefit of reporting, but also that many incidents are considered too minor to report,” CERT’s report states.

“This finding reinforces the need for CERT Australia and other agencies to actively promote the benefits of reporting cybersecurity incidents.”

Another potential vulnerability uncovered in the report is the fact that 13% of organisations still using Windows XP did not have plans to migrate to a newer OS by Microsoft’s April cut-off date for XP support.

Image courtesy of Jes under CC