According to the Australian CERT (set out in the 2012 Cyber Crime and Security Survey Report and reported online), more than a fifth of major companies reported being hit last year, 20% of them experiencing more than 10 security incidents. One organisation reported the theft of 15 years’ worth of critical data.
Three paragraphs in the above coverage stood out for me:
- “Those companies that reported no cyber incidents were likely to not have detected them, the report says.”
- “This is despite 90 per cent of respondents saying they use anti-virus software, spam filters and firewalls, and 65 per cent having IT security staff with tertiary qualifications.”
- ‘At a time when it only takes one naive employee clicking on a malicious email attachment to breach a corporate network, the report found that “many organisations are not confident that cyber security is sufficiently understood and appreciated by staff, management and boards”.’
Let me put this another way: what this report describes as taking place in Australia is also happening everywhere else in the world. The bottom line is: if your board thinks that cybersecurity is not an issue for your organisation, your board is naively putting corporate assets, reputation and competitive position at risk.