The report by IT security provider Sophos shows the majority, 60 per cent, of business decision makers believe lack of security expertise is a challenge for their organisation, with 65 per cent observing recruitment of skills to be a struggle.
However, as reported by the study, The Future of Cybersecurity in Asia Pacific and Japan – Culture Efficiency and Awareness, only 18 per cent of Australian companies are regularly making changes to their cyber security approach.
Sophos commissioned Tech Research Asia to undertake the research across the Asia-Pacific region, with 900 responses in total and around 200 companies participating in Australia, as well as insights.
A third of Australian companies said they had been breached in the last 12 months, the second highest out of all the countries surveyed by Sophos.
The serious attack vectors in Australia were found to be malware, phishing and ransomware.
Chester Wisniewski, principal research scientist at Sophos, said the survey results showed a lack of visibility into security risk and an overestimation of respondents’ abilities to defend their organisations.
“On average, one-third of respondents believed their organisations had been the victim of a breach in the last year, whereas anecdotal evidence suggests this number should be close to 100 per cent,” he said.
Security sidetracked in company budgeting and structures
The top three frustrations among companies, the research indicated, are executives assuming cyber security is easy, cyber security frequently being relegated in priority and not enough budget.
Only a third (33 per cent) of companies have a dedicated cyber security budget – in most cases, it is included as part of broader IT or departmental spend.
Organisational IT security structures are diverse – one-third of those surveyed have a dedicated chief information security officer, another third sees its cyber security led by an IT leader and the remainder give responsibility to another executive, such as the chief technology officer.
The majority of organisations keep most capabilities in-house and only in a few areas, like penetration testing and training, does outsourcing become more common, the research found.
Mr Wisniewski said cyber security is hard and the research shows companies are facing struggles in staying up to date and recruiting experts.
“Ultimately, security is about managing risk. To do that effectively, IT managers must be able to identify key areas where their team’s actions will have an outsized impact on protecting their organisation, employees and the data their company has been entrusted with,” he said.
Almost half of organisations intend to change security in place
Some 45 per cent intend to make changes to their security approach in the next six to 24 months, while more than half (54 per cent) of companies anticipate their use of external security partners to rise over the next year.
The main triggers for security updates, the report found – beyond changes to overall security posture – are technology and product developments, compliance and regulation requirements and growing awareness of new attacks.
The top three technologies or issues Australian security decision makers think will impact their company’s security in the next two years are digital transformation programs, agile development, and AI and machine learning.