A CEO of a major Australian company put it to security consultant Michael Connory like this:

“Implementing these [cyber awareness and governance] programs is like home insurance – high cost with no guarantee anything will ever happen – so why pay the price? How many houses burn down every year, compared to how many people buy house insurance?”

This attitude is wrong but not rare, says Connory, whose firm Security In Depth has just published research finding that 83 per cent of Australian companies have no policy or plan in place for a data breach, and 41 per cent said they “did not understand” what an ICT security framework was.

“We look at what has been said and done and companies and executives are more often than not complacent with cyber,” Connory says. “It is our view, based on the number of organisations that have failed to implement what we believe are cyber basics, Australian organisations today are more vulnerable than ever to a cyber incident.”

Security In Depth surveyed 722 organisations across Australia, each with 50 or more staff. While most had a business continuity plan (71 per cent), a cyber security strategy (57 per cent) and a roadmap (56 per cent), fewer than half (44 per cent) had any kind of cyber security governance structure.
Fewer still (30 per cent) had a response plan in case of a cyber incident. A quarter reported having ‘none of the above’.

The unnamed CEO was clearly wrong when he told Connory that a cyber attack or data breach was like a house fire, that is: “highly unlikely an event will actually occur”.

The number of data breaches is rising, with 305 reported to the Office of the Australian Information Commissioner (OAIC) since February. Earlier this year Jetstar, the Tasmanian Government, Telstra, Australia Post, Commonwealth Bank and scores more suspended their use of software-as-a-service provider PageUp following a possible data breach that took place in May.

Worldwide, attacks against businesses have almost doubled in five years, according to the World Economic Forum. So why aren’t executives and boards responding to the rising threats?

Priorities

It comes down to competing priorities and security teams that lack a strategy, says Connory.

“Executives are focused on so many other parts of the business that cyber still falls way behind in priorities,” says Connory.

“Asked what would limit their ability to reach goals, regulatory requirements came up a strong first, followed by reputational issues; even supply chain requirements had higher visibility on executives’ agendas than cyber,” he adds. “You take into account other issues such as retaining talent, regulatory requirements, competition, innovation, customer demands … it becomes quite clear why executives perform poorly when cyber is raised.”

Another issue is that ICT teams typically lack security knowledge and struggle to influence the way employees work within an organisation.

“Executives expect and pay their ICT teams to manage these, they trust these teams and expect it to be done,” Connory says. “Those teams tend to focus on the technology more than governance and almost always are tactical rather than strategic.
Let’s patch better, let’s get a more up to date firewall, improved malware protection. They also do not generally have access to structuring how employees should conduct business on a day to day level.”

Some 85 per cent of companies surveyed by Security In Depth said they did not have dedicated security staff. While all of them had implemented antivirus software, 92 per cent firewalls and 28 per cent anti-spam and anti-phishing solutions, a third had not completed any penetration testing on their systems, and few gave staff training on cyber hygiene.

There is also a lack of influence and effective communication from ICT teams to the wider business. And even when a team does succeed in implementing a company-wide control, executive buy-in can evaporate the first time the control gets in someone’s way.

Connory recalls a CISO at a health organisation who introduced a rule disabling USB ports across a site.

“It was agreed at an executive level and was communicated to all staff and external consultants. Two days later a surgeon was preparing for surgery and had brought in a USB device with X-rays on it. Of course it wouldn’t load and the surgeon made two phone calls and within an hour USB devices were allowed again – never to be turned off,” he says.

Human error

According to the OAIC, human error was the second most common cause of the data breaches reported to it during the second quarter of this year. Human error – be it clicking a link in a dodgy email or falling for a phishing scam – is cited as one of the leading security weaknesses in numerous reports.

Despite this, nearly half of the Australian businesses surveyed (48 per cent) provide no cyber security training whatsoever to staff.
Six per cent do, “but only where mandated by law or regulation”.

The finding that 36 per cent of companies do provide information about cyber security “through general training” isn’t reassuring, says Connory.

“If we take out the large organisations – multinationals etc – then the number does increase dramatically. You take out organisations who spend ten or twenty minutes training staff on web usage and company policy on email usage, then the number jumps up again,” he says.

Most of the training can be described as the “bare minimum”, Connory says.

“Our concern is that these programs do not show or teach individuals how to spot a phishing email, what to do if they receive a phishing email – and that’s just one aspect of the training,” he says.

Effective training can cost as little as $20 per person and take place over a lunchtime, with measurable results, Connory adds.