More than half of Australian businesses fail to substantially change their cyber security strategy -- even after an attack.

Security company, CyberArk, has released its CyberArk Global Advanced Threat Landscape Report 2018, detailing the ways in which businesses are responding to evolving cyber threats.

Regional Director, Australia and New Zealand at CyberArk, Matthew Brazier, said companies are struggling to keep pace with attackers.

“Attackers have almost limitless freedom and agility, and are constantly evolving their tools and techniques,” he said.

“Organisations, being much larger and more structured are not able to evolve their security strategy and controls to match this pace of change.”

The inability of companies to create threat responses to keep up with rapidly evolving risks was a pattern worldwide; 46% said their organisation’s security standards rarely change substantially, even if an attack has recently occurred.

In Australia this figure was 52%.

The report surveyed 1,300 ICT professionals and reveals ‘security inertia’— the belief that only big businesses are targeted in cyber attacks and a general resistance against cyber standards – prevents many organisations being proactive when it comes to cyber security.

“In medium to large organisations especially, there is a need for security teams to reset expectations around where security priorities and spend should be focused,” the report said.

“These findings support the dangers of inertia, with organisations not taking the initiative to make necessary changes following an attack.”

In Australia, 58% of respondents said that their organisation was only meeting the bare legal minimum when it came to cyber security, and that customers’ personally identifiable information could be at risk.

The findings come after leading cyber security consulant, Gary Gaskell, warned of the risks of businesses choosing to ignore vulnerabilities to protect reputation.

How they get in

The report also looked at the ways in which attackers infiltrate systems, most notably, the targeting of privileged user accounts.

Almost all respondents (89%) agreed that their IT infrastructure could not be fully protected unless privileged account credentials were secured.

Despite this, it was found that 41% of Australian respondents (36% globally) stored their administrative credential logins on Word or Excel documents on company PCs.

“Privileged accounts and secrets are the assets that are targeted in almost every attack,” said Brazier.

“These are the most prized assets for attackers as these allow them to bypass other security controls undetected.”

While unsecured privileged accounts emerged as a worrying security threat in the report, targeted phishing attacks were the top threat, with 56% of global respondents citing these attacks as their primary concern.

Ransomware/malware was a critical threat for 48% of those surveyed, while 41% held concerns over unsecured data stored in the cloud.

The human aspect

The inertia working against cyber security was also reflected culturally.

33% said they did not have adequate knowledge of their company’s cyber security policy, while 34% said they did not know their specific role if an attack were to occur.

However, the report also found that recent regulatory changes are beginning to drive positive change, helping organisations in “moving from inertia to action.”

83% said that new regulatory requirements, such as the upcoming European General Data Protection Regulation (GDPR), were enhancing their organisation’s security standards.

Additionally, individuals are now being encouraged to take cyber security into their own hands.

46% of Australian respondents said they recognise or reward employees who help prevent a security breach, compared to 74% in the United States.