Key Takeaways from the ASX 100 Cyber Health Check Report
On Easter Tuesday the Commonwealth Government released the ASX 100 Cyber Health Check Report as recommended by the year-old Australian Cyber Security Strategy. Comfortingly, the Report concludes that Australia’s top companies are making good progress, but there’s more to be done. But is there any independent analysis to confirm that rosy picture and how much more needs to be done in practice?
The Health Check paints an encouraging picture but it glosses over at least one huge global competitive weakness – email fraud protection.
Common sense says that the Health Check results – like almost all self-reporting capability and competence surveys – will be positively skewed. Testing that assumption, an independent analysis of Australian companies’ email fraud readiness reveals only one ASX 50 company has its DMARC record properly configured. We can therefore reasonably conclude the nation’s top 100 companies are not as cyber-ready as they report.
Positively Skewed
Asking a company board to complete a survey about whether it has its act together on cyber security is akin to asking a citizenship aspirant to fill out a form about Australian values. Who is going to say they think it’s OK to beat their wife? But it’s still worth looking at what the ASX 100 boards and executives said about their own performance. First the good news:
- 80% of companies feel they are doing enough to protect themselves against cyber threats, but note there is more they need to do
- 75% have implemented staff training with the rest saying they are planning to do so next year.
- 80% of companies expect an increase in cyber risk over the next year or so
- 66% of companies report an appropriate level of investment, but plan to do more
- 43% of Boards are confident their company is properly secured.
- 45% of companies are very confident or confident in their organisation’s ability to detect, respond to and manage a cyber intrusion
- 75% of companies have considered how they would notify customers of a data breach.
On the down side:
- Only 11% of Boards have a clear understanding of where the company’s key information or data assets are shared with third parties
- The same proportion are taking proactive approaches to reassure investors/customers about the organisation’s cyber security
- 30% haven’t yet evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them.
- 32% of companies assess their cyber culture annually.
- 34% of boards have a clearly defined cyber risk appetite.
Some companies, then, are prepared to take a good look at themselves in the mirror. But when you contrast these reasonable-sounding results with the results of InfoTrust’s recent analysis of email fraud readiness, a very different picture emerges.
Testing Analysis
Email fraud is one of the most dangerous and growing cyber security threats facing the world today. It is how cyber criminals get around traditional gateway controls to steal data from you and your customers, or to implant malware in your network. Companies prevent email fraud by properly configuring their email authentication protocols (SPF and DKIM) together with DMARC, so that receiving mail systems block fraudulent use of their sending domains.
Recently InfoTrust analysed the DMARC records of 7,393 Australian companies with more than 250 staff. Only half of one percent (approximately 40) of these companies have their DMARC records properly configured at p=reject. That is, 95.5% are not adequately protecting themselves and their customers from email fraud.
If the Health Check’s self-assessment were accurate, you’d expect many of those 40 companies to be among the ASX 100. In fact, of the ASX 50 only Qantas has its DMARC record set at p=reject.
Based on that analysis, of the 80 companies who feel they are doing enough to protect themselves, only one of them apart from Qantas is right!
Given that email (often spear phishing that mimics a trusted brand or person) is the leading attack vector for a cyber attack, the widespread lack of email fraud protection paints an entirely different picture.
Worse still, this near-zero compliance flies in the face of last year’s Australian Signals Directorate (ASD) recommendation that organisations set their DMARC records to p=reject.
Australia is the number one phished country in the region on a per capita basis, and ranks second globally, behind the US.
In our experience, businesses are relying on traditional email security gateways to block inbound threats, but any business with a recognisable brand should also be proactive to prevent misuse of their brand or domains.
Unlike traditional inbound attacks, which can be effectively prevented with good inbound security controls, email fraud attacks leverage a business’s brand to trick its unsuspecting customers, be they consumers or businesses. We all remember the AusPost fake delivery notifications – now anyone would think twice before opening an AusPost email – that’s if the mailbox provider doesn’t block it as spam first!
Cyber criminals impersonate a recognisable brand or person with brand or domain spoofing and then trick users into either handing over Personally Identifiable Information, or clicking on a link and allowing malware into their systems and corporate networks.
The email authentication protocols SPF and DKIM, and the DMARC policy framework built on top of them, have been available for many years to prevent email fraud by allowing legitimate brands to tell ISPs and email applications whether or not mail claiming to come from their sending domain is legitimate.
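To make concrete what “properly configured at p=reject” means in the analysis above and in the SPF/DKIM/DMARC explanation just given, here is an added example (not InfoTrust’s tooling, and not the page’s own code) that classifies a domain’s published DMARC record the way a receiving mail server reads it. It takes the TXT strings a defender would copy from `dig +short TXT _dmarc.<domain>`, so it runs offline; the domain names and records are constructed samples, and the verdict labels (`reject`, `reject_partial`, `quarantine`, `monitor_only`, `invalid`, `no_dmarc`) are this example’s own assumption about how to bucket results, not the criteria InfoTrust used. It goes slightly beyond the page by flagging the ways a nominal `p=reject` record is weakened in practice: a `pct` below 100, an `sp` tag that leaves subdomains unenforced, duplicate or malformed records.

```python
"""Classify DMARC TXT records as a receiving MTA would (added example, not InfoTrust code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")   # one "tag=value" pair
_POLICIES = {"none", "quarantine", "reject"}
VERDICTS = ("reject", "reject_partial", "quarantine", "monitor_only", "invalid", "no_dmarc")


@dataclass
class DmarcAssessment:
    domain: str
    verdict: str                                 # one of VERDICTS
    policy: Optional[str] = None                 # effective p= value
    subdomain_policy: Optional[str] = None       # effective sp= value (defaults to p=)
    pct: int = 100                               # share of failing mail the policy covers
    notes: List[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into a tag->value dict; ValueError if a receiver would reject it."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if not part.strip():
            continue                             # tolerate a trailing ';'
        m = _TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag {part!r}")
        name, value = m.group(1).lower(), m.group(2)
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = value
    # v=DMARC1 must be the first tag, otherwise this is not a DMARC record at all
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record does not begin with v=DMARC1")
    return tags


def assess(domain: str, txt_records: List[str]) -> DmarcAssessment:
    """Classify the TXT strings found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcAssessment(domain, "no_dmarc", notes=["no DMARC record published"])
    if len(dmarc) > 1:                           # RFC 7489 6.6.3: multiple records => no policy
        return DmarcAssessment(domain, "invalid", notes=["multiple DMARC records; receivers apply none"])
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return DmarcAssessment(domain, "invalid", notes=[str(exc)])

    notes: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in _POLICIES:
        # Missing/invalid p= is treated as p=none only when aggregate reports are requested
        if "rua" in tags:
            policy = "none"
            notes.append("p= missing or invalid; treated as p=none because rua= is present")
        else:
            return DmarcAssessment(domain, "invalid", notes=["p= missing or invalid and no rua="])
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in _POLICIES:
        sub_policy, _ = policy, notes.append("sp= invalid; falling back to p=")
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
        notes.append("pct= not numeric; assuming 100")

    if policy == "reject":
        if pct < 100:
            notes.append(f"pct={pct}: reject applied to only {pct}% of failing mail")
        if sub_policy != "reject":
            notes.append(f"sp={sub_policy}: subdomains are not enforced at reject")
        verdict = "reject" if pct == 100 and sub_policy == "reject" else "reject_partial"
    elif policy == "quarantine":
        verdict = "quarantine"
    else:
        verdict = "monitor_only"
    return DmarcAssessment(domain, verdict, policy, sub_policy, pct, notes)


def summarise(records_by_domain: Dict[str, List[str]]) -> Dict[str, int]:
    """Count domains per verdict: the shape of an 'x% at p=reject' statistic."""
    counts = Counter(assess(d, recs).verdict for d, recs in records_by_domain.items())
    return {v: counts.get(v, 0) for v in VERDICTS}


# Constructed sample data standing in for `dig +short TXT _dmarc.<domain>` output.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "airline.example":       ["v=DMARC1; p=reject; rua=mailto:dmarc@airline.example; fo=1"],
    "bank-a.example":        ["v=DMARC1; p=none; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example":        ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank-b.example"],
    "retailer.example":      [],                                        # nothing published
    "two-records.example":   ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # conflicting pair
    "subdomain-gap.example": ["v=DMARC1; p=reject; sp=none"],
    "half-reject.example":   ["v=DMARC1; p=reject; pct=50"],
    "garbled.example":       ["v=DMARC1 p=reject"],                     # missing ';'
    "report-only.example":   ["v=DMARC1; rua=mailto:dmarc@report-only.example"],  # no p=
}

if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        a = assess(name, recs)
        print(f"{name:24} {a.verdict:15} {'; '.join(a.notes)}")
    print(summarise(SAMPLE_RECORDS))
```

Only the first sample domain earns the plain `reject` verdict; the two `reject_partial` cases show why a readiness check should look past the `p=` tag before counting a domain as protected, and the `invalid` cases show records that look enforced to a human but are ignored by receivers.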
Global Competitive Weakness
Compared with the international experience, Australia is not looking very secure from email fraud. Six out of the top ten global banks have fully deployed DMARC. None of our banks have achieved this just yet.
It’s only a matter of time before another email-fraud-borne cyber security incident (e.g. another AusPost, AFP or State Revenue ransomware campaign!) has a dramatic impact on thousands of Australian businesses, as has happened in recent times.
We know the Australian Government takes email fraud very seriously. All Australian organisations should strongly consider heeding its recommendation or risk exposing themselves – and their customers and partners – to unacceptable risk. Their boards should be asking the right questions.