Key Takeaways from the ASX 100 Cyber Health Check Report
On Easter Tuesday the Commonwealth Government released the ASX 100 Cyber Health Check Report as recommended by the year-old Australian Cyber Security Strategy. Comfortingly, the Report concludes that Australia’s top companies are making good progress, but there’s more to be done. But is there any independent analysis to confirm that rosy picture and how much more needs to be done in practice?
The Health Check paints an encouraging picture but it glosses over at least one huge global competitive weakness – email fraud protection.
Common sense says that the Health Check results – like almost all self-reporting capability and competence surveys – will be positively skewed. Testing that assumption, an independent analysis of Australian companies’ email fraud readiness reveals only one ASX 50 company has its DMARC record properly configured. We can therefore reasonably conclude the nation’s top 100 companies are not as cyber-ready as they report.
Positively Skewed
Asking a company board to complete a survey about whether it has its act together on cyber security is akin to asking a citizenship aspirant to fill out a form about Australian values. Who is going to say they think it’s OK to beat their wife? But it’s still worth looking at what the ASX 100 boards and executives said about their own performance. First the good news:
- 80% of companies feel they are doing enough to protect themselves against cyber threats, but note there is more they need to do
- 75% have implemented staff training with the rest saying they are planning to do so next year.
- 80% of companies expect an increase in cyber risk over the next year or so
- 66% of companies report appropriate level of investment, however plan to do more
- 43% of Boards are confident their company is properly secured.
- 45% of companies are very confident/confident in their organisation’s ability to detect, respond and manage a cyber intrusion
- 75% of companies have considered how they would notify customers of a data breach.
On the down side:
- Only 11% of Boards have a clear understanding of where the company’s key information or data assets are shared with third parties
- The same proportion are taking proactive approaches to reassure investors/customers about the organisation’s cyber security
- 30% haven’t yet evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them.
- 32% of companies assess their cyber culture annually.
- 34% of boards have a clearly defined cyber risk appetite.
Some companies, then, are prepared to take a good look at themselves in the mirror. But when you contrast these reasonable-sounding results with the results of InfoTrust's recent analysis of email fraud readiness, a very different picture emerges.
Testing Analysis
Email fraud is one of the most dangerous and growing cyber security threats facing the world today. It’s how cyber criminals get around traditional gateway controls to either steal data from you and your customers, or implant malware in your network. Companies prevent email fraud by properly configuring their Email Authentication protocols (SPF/DKIM) along with DMARC to effectively block fraudulent use of your sending domains.
Recently InfoTrust analysed the DMARC records of 7,393 Australian companies with more than 250 staff. Only half of one percent (approximately 40) of these companies have their DMARC records properly configured at p=reject. That is, 95.5% are not adequately protecting themselves and their customers from email fraud.
If the health check's self-assessment was accurate, you'd expect many of those 40 companies to be among the ASX 100. In fact, of the ASX 50 only Qantas has its DMARC record set at p=reject.
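The readiness check behind the figures above boils down to reading each company's _dmarc TXT record and asking whether it enforces p=reject. The following is an added example, not InfoTrust's tooling: it parses the DMARC tag=value syntax, flags records that are syntactically invalid or only partially enforced (pct below 100, weaker subdomain policy), and computes the share of a domain list at full reject. The DNS table is constructed sample data; lookup_txt is a stand-in for a real resolver.

```python
import re
from typing import Callable, Dict, Iterable, Optional

# Constructed sample DNS table (not real companies' records), keyed by the
# _dmarc.<domain> name a receiving mail server would query.
SAMPLE_DNS = {
    "_dmarc.reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "_dmarc.partial.example": "v=DMARC1; p=reject; pct=50; sp=none",
    "_dmarc.broken.example": "v=DMARC1 p=reject",  # missing ';' so not valid DMARC
}

def lookup_txt(name: str) -> Optional[str]:
    """Stand-in resolver over the table above; replace with a real DNS TXT query."""
    return SAMPLE_DNS.get(name)

def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Return the tag map if 'record' is a valid DMARC record, else None."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"([A-Za-z]+)\s*=\s*(.+)", part)
        if m is None:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    # RFC 7489: "v=DMARC1" must be the first tag and "p" is required.
    first = record.strip().split(";")[0].split("=")[0].strip().lower()
    if first != "v" or tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(domain: str, resolver: Callable[[str], Optional[str]] = lookup_txt) -> str:
    """Classify a domain as missing / invalid / none / quarantine / partial / reject."""
    record = resolver(f"_dmarc.{domain}")
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy != "reject":
        return policy if policy in ("none", "quarantine") else "invalid"
    # p=reject only fully protects when applied to 100% of mail and to subdomains.
    pct_ok = tags.get("pct", "100") == "100"
    sub_ok = tags.get("sp", "reject").lower() == "reject"
    return "reject" if pct_ok and sub_ok else "partial"

def share_at_reject(domains: Iterable[str]) -> float:
    """Fraction of the given domains fully enforcing p=reject (the readiness measure above)."""
    names = list(domains)
    return sum(classify(d) == "reject" for d in names) / len(names)
```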
Based on that analysis, of the 80 companies who feel they are doing enough to protect themselves, only one of them apart from Qantas is right!
Given that email (often spear phishing mimicking a trusted brand or person) is the leading attack vector for cyber attacks, the widespread lack of email fraud protection paints an entirely different picture.
Worse still, this near-zero compliance flies in the face of last year's Australian Signals Directorate (ASD) recommendation that organisations set their DMARC records at p=reject.
Australia is the number one phished country in the region on a per capita basis, and ranks second globally, behind the US.
In our experience, businesses are relying on traditional email security gateways to block inbound threats, but any business with a recognisable brand should also be proactive to prevent misuse of their brand or domains.
Unlike traditional inbound attacks, which can be effectively prevented with good traditional inbound security controls, email fraud attacks leverage a business's brand to trick its unsuspecting customers, be they consumers or businesses. We all remember the AusPost fake delivery notifications. Now anyone would think twice before opening an AusPost email, that's if the mailbox provider doesn't block it as spam first!
Cyber criminals impersonate a recognisable brand or person with brand or domain spoofing and then trick users into either handing over Personally Identifiable Information, or clicking on a link and allowing malware into their systems and corporate networks.
The email authentication protocols SPF and DKIM, and the DMARC governance framework built on them, have been available for many years to prevent email fraud by allowing legitimate brands to tell ISPs and email applications whether or not a message claiming to come from their sending domain is legitimate.
Global Competitive Weakness
Compared with the international experience, Australia is not looking very secure from email fraud. Six out of the top ten global banks have fully deployed DMARC. None of our banks have achieved this just yet.
It's only a matter of time before another email-fraud-borne cyber security incident (e.g. another AusPost, AFP or State Revenue ransomware campaign!) has a dramatic impact on thousands of Australian businesses, as it has done in recent times.
We know the Australian Government takes email fraud very seriously. All Australian organisations should strongly consider heeding its recommendation or risk exposing themselves, and their customers and partners, to unacceptable risk. Their boards should be asking the right questions.