Key Takeaways From The ASX 100 Cyber Health Check Report

Dane Meah
April 21, 2017


On Easter Tuesday the Commonwealth Government released the ASX 100 Cyber Health Check Report as recommended by the year-old Australian Cyber Security Strategy.  Comfortingly, the Report concludes that Australia’s top companies are making good progress, but there’s more to be done.  But is there any independent analysis to confirm that rosy picture and how much more needs to be done in practice?

The Health Check paints an encouraging picture but it glosses over at least one huge global competitive weakness – email fraud protection.

Common sense says that the Health Check results – like almost all self-reporting capability and competence surveys – will be positively skewed.  Testing that assumption, an independent analysis of Australian companies’ email fraud readiness reveals only one ASX 50 company has its DMARC record properly configured.  We can therefore reasonably conclude the nation’s top 100 companies are not as cyber-ready as they report.


Asking a company board to complete a survey about whether it has its act together on cyber security is akin to asking a citizenship aspirant to fill out a form about Australian values.  Who is going to say they think it’s OK to beat their wife?  But it’s still worth looking at what the ASX 100 boards and executives said about their own performance.  First the good news:

  • 80% of companies feel they are doing enough to protect themselves against cyber threats, but note there is more they need to do
  • 75% have implemented staff training with the rest saying they are planning to do so next year.
  • 80% of companies expect an increase in cyber risk over the next year or so
  • 66% of companies report appropriate level of investment, however plan to do more
  • 43% of Boards are confident their company is properly secured.
  • 45% of companies are very confident/confident in their organisation’s ability to detect, respond and manage a cyber intrusion
  • 75% of companies have considered how they would notify customers of a data breach.

On the down side:

  • Only 11% of Boards have a clear understanding of where the company’s key information or data assets are shared with third parties
  • The same proportion are taking proactive approaches to reassure investors/customers about the organisation’s cyber security
  • 30% haven’t yet evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them.
  • 32% of companies assess their cyber culture annually.
  • 34% of boards have a clearly defined cyber risk appetite.

Some companies, then, are prepared to take a good look at themselves in the mirror. But when you contrast these reasonable-sounding results with the results of InfoTrust recent analysis on email fraud readiness, a very different picture emerges.


Email fraud is one of the most dangerous and growing cyber security threats facing the world today.  It’s how cyber criminals get around traditional gateway controls to either steal data from you and your customers, or implant malware in your network.  Companies prevent email fraud by properly configuring their Email Authentication protocols (SPF/DKIM) along with DMARC  to effectively block fraudulent use of  your sending domains.

Recently InfoTrust analysed the DMARC records of 7,393 Australian companies with more than 250 staff. Only half of one percent (approximately 40) of these companies have their DMARC records properly configured at p=reject. That is, 95.5% are not protected adequately protecting themselves and their customers from email fraud.

If the health check’s self-assessment was accurate, you’d expect many of those 40 companies to be among the ASX100.  In fact, of the ASX 50 only Qantas has it’s DMARC record set at p=reject.

Based on that analysis, of the 80 companies who feel they are doing enough to protect themselves, only one of them apart from Qantas is right!

Given Email (and often spear phishing mimicking a trusted brand or person) is the leading attack vector of a cyber attack, the widespread lack of email fraud protection paints an entirely different picture.

Worse still, this near-zero compliance flies in the face of last year’s Australian Signals Directorate (ASD) recommendation that organisations set their DMARC records at P=Reject”.

Australia is the number one phished country in the region on a per capita basis, and ranks second globally, behind the US.

In our experience, businesses are relying on traditional email security gateways to block inbound threats, but any business with a recognisable brand should also be proactive to prevent misuse of their brand or domains.

Unlike traditional inbound attacks which can be effectively prevented with good traditional inbound security controls, email fraud attacks leverage a businesses brand to trick your unsuspecting customers, be it consumers and businesses. We all remember the AusPost fake delivery notifications – now anyone would think twice before opening an AusPost email – that’s if the mailbox provider doesn’t block it as spam first!

Cyber criminals impersonate a recognisable brand or person with brand or domain spoofing and then trick users into either handing over Personally Identifiable Information, or clicking on a link and allowing malware into their systems and corporate networks.

Email Authentication protocols SPF and DKIM, and the DMARC governance framework have been available for many years to prevent email fraud by allowing legitimate brands to tell ISPs and email applications whether or not a sender URL is legitimate.


Compared with the international experience, Australia is not looking very secure from email fraud.  Six out of the top ten global banks have fully deployed DMARC.  None of our banks have achieved this just yet.

It’s only a matter of time before another email fraud borne cyber security incident (e.g. another AusPost, AFP or State Revenue ransomware campaign!) has dramatic impact on thousands of Australian businesses, as it has done in recent times.

We know the Australian Government takes email fraud very seriously. All Australian organisations should strong consider heeding their recommendation or risk exposing themselves – and their customers and partners – to unacceptable risk.  Their boards should be asking the right questions.