A new global comparison of cyber security defences may have placed Australia as the world’s 15th most-secure country, but experts warn against complacence as data breaches hit record highs and attacks continue to ravage companies whose leaders still don’t understand security.

Australia rose 12 positions in the latest Comparitech ranking, which evaluated 76 countries’ susceptibility to security compromises against a number of factors.

The overall score of 13.95 was an appreciable improvement over the previous year’s 16.34 (lower scores are better) but still well behind top-ranked Denmark (6.72), runners-up Sweden (8.40) and Germany (9.39), and even eighth-ranked UK (10.64)

Comparitech tracks indicators of compromise such as the per cent of mobiles infected with malware, prevalence of financial malware attacks, per cent of computers infected with malware, and country rankings from the ITU’s Global Cybersecurity Index.

Fully 4.86 per cent of Australian mobiles were infected with malware – twice the rate of higher-ranked Denmark, Turkey, Norway, and Croatia but half the rate of the 17th-ranked United States (8.18 per cent of mobiles).

Worst-case scenario Iran, by contrast, saw malware compromising 52.68 per cent of mobiles – helping it weigh in as the world’s fifth most-insecure country.

Belarus, ranked sixth most-insecure, recorded the highest rate of financial malware attacks (2.9 per cent of users) – ten times Australia’s level and nearly 30 times higher than that in Denmark.

Cryptominers were also relatively rare in Australia, attacking just 0.28 per cent of users – well behind worst-case Tajikistan, where 7.9 per cent of users were hit by the computer-hogging code.

Interestingly, while most countries’ scores improved since 2018, prominent geopolitical states including the United States, Brazil, Japan, France, Iran, and Singapore all recorded slightly worse scores than in the previous year.

“Most countries’ scores improved since last year,” technology writer Paul Bischoff noted in presenting the findings, “and this means some of the best performers from last year have dropped down the rankings.

The United States, for example, dropped from fifth place in the previous year, to 17th place in 2019 – lagging other countries that had improved their postures through a combination of better cyber security awareness, broader technology adoption, and improving cyber security legislation.

Australian cyber security legislation addressed five out of seven key areas (identified as national strategy, military, content, privacy, critical infrastructure, commerce, and crime) – a solid score given that only France, China, Russia, and Germany had addressed all seven categories.

We can do better

Despite Australia’s good overall standing, the figures highlighted persistent systematic deficiencies that are consistently being reinforced by a concerning lack of security awareness amongst Australian businesses.

Malware infection rates on Australian computers (11.08 per cent) were consistent with those in all comparable countries, but were still several times those in top performers like Denmark (3.15 per cent), Sweden (4.03 per cent), the Netherlands (3.78 per cent), and the Czech Republic (4.88).

And while malware infection rates aren’t the only indicator of insecurity, they are a lead indicator of overall security attitudes that, in Australia, continue to lag best practice.

Indeed, despite years of being told how to fix their security, Australian companies are still being breached at a frenetic pace that belies the country’s promising overall ranking.

Newly released Office of the Australian Information Commissioner (OAIC) figures found the number of notifiable data breaches (NDBs) had increased 19 per cent in the second half of 2019, compared with the first half.

Even more concerning are the findings of security giant Chubb’s latest SME Cyber Preparedness Report, in which 49 per cent of Australian SMEs said they had been the victim of a cyber incident.

Many respondents were overconfident in their capabilities, with 32 per cent of senior business leaders believe their companies will never experience a cyber incident – and 79 per cent confident they could overcome a breach by sophisticated hackers within 24 hours.

Sophisticated hackers would beg to differ, with recent compromises of the Australian Defence Force, Toll Group, and other firms highlighting their continuing success in scamming humans and breaching sensitive systems.

Indeed, 64 per cent reported NDBs were due to malicious or criminal attacks – leading Ecosystm principal advisor for cyber security Alex Woerndle to warn companies that they need to reinforce staff training around safe email practices and detection of phishing attacks.

Businesses also need to stop thinking of antivirus software as being enough security defence – layering firewalls and antivirus software with tools for detecting network intrusions and advanced persistent threats; incident response planning; cloud security solutions; and “comprehensive” staff awareness training.

“By taking a comprehensive and multi-layered approach to security,” Woerndle said, “organisations can reduce the likelihood they will fall victim to malware attacks, data breaches, and avoid the disruptive and potentially costly problems they can cause.”