Trend Micro has revealed that cyber-risk levels have improved from “elevated” to “moderate” for the first time, but that insiders represent a persistent threat for global organisations.
“We saw the Australian cyber-risk index (CRI) improve from -0.54 in 1H 2022 to -0.12 in 2H 2022. It means that organisations may be taking steps to improve their cyber-preparedness. There is still much to be done, as employees remain a source of risk. The first step to managing this is to gain complete and continuous attack surface visibility and control,” said Mick McCluney, Technical Director at Trend Micro ANZ.
The global cyber-risk index (CRI) saw an even more significant improvement, moving into positive territory at +0.01. The CRI also found that cyber-preparedness improved in Europe and APAC but declined slightly in North and Latin America over the past six months. At the same time, threats declined in every region bar Europe.
Most Australian organisations are still pessimistic about their prospects over the coming year. The CRI found that most respondents said it was “somewhat to very likely” they’d suffer a breach of customer data (79%) or IP (80%) or a successful cyber-attack (84%).
The top four threats listed by respondents in the CRI 2H 2022 include:
- Login attacks (credential theft)
Australian respondents also named employees as representing two of their top five infrastructure risks:
- Negligent insiders
- Cloud computing infrastructure and providers
- Organisational misalignment and complexity
- Data centres
- Mobile/remote employees
Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said: “As the shift to hybrid working gathers momentum, organisations are rightly concerned about the risk posed by negligent employees and the infrastructure used to support remote workers. They will need to focus not only on technology solutions but people and processes to help mitigate these risks.”
Based on the global survey results, the greatest areas of concern for businesses related to cyber-preparedness are:
People: “My organisation’s IT security leader reports to senior leadership (such as the CEO, COO or CIO).”
Process: “My organisation’s IT security function doesn’t have the ability to unleash countermeasures (such as honeypots) to gain intelligence about the attacker.”
Technology: “My organisation’s IT security function does not have the ability to know the physical location of business-critical data assets and applications.”