
‘An unfair arms race’: Cyber crime and the vulnerability of Aussie businesses

By Nick Wilson | 5 minute read

While Aussie finance professionals are aware of the growing threats posed by cyber crime, new research suggests vulnerabilities persist.

“Finance leaders are in an unfair arms race,” said Mark Chazan, chief executive at Eftsure. “They’re under constant siege from cyber criminals who – with unlimited time and vast resources – only need to be successful once, whereas organisations’ internal controls and defences need to stop every attempt despite limited resources and time.”

Produced in partnership with BrandHook, Eftsure’s report, the State of Cyber Fraud Defence AU 2023, has exposed a gulf between business leaders’ increasing awareness of the threats posed by cyber crime and their concerning underutilisation of protective measures.


Mapping the threat

The Australian Cyber Security Centre (ACSC) receives approximately 144 reports of cyber crime every day, while the severity of cyber security incidents is increasing, according to the ACSC. In 2021–2022, the top five cyber threats facing Australian businesses were:

  1. Phishing (39 per cent)
  2. Ransomware (17 per cent)
  3. Malware (16 per cent)
  4. Cyber espionage (8 per cent)
  5. Vulnerabilities in web applications (6 per cent)

While cyber crime is a threat for all Australian businesses, “almost all of the risks are even more pronounced in small business[es],” said Mr Chazan.

Smaller businesses are particularly vulnerable to cyber attacks since they often have limited resources to dedicate to digital security. According to Eftsure, small organisations were the least likely to strongly anticipate investments or upgrades for current anti-fraud controls.

A recent survey found that nearly half of small business respondents spend less than $500 per year on cyber security. According to Marsh, it is advisable that small- to medium-sized enterprises allocate a minimum of 5 per cent to 10 per cent of their IT budget to cyber security.

As noted in a recent HR Leader article, the Australian Competition and Consumer Commission estimated that business email compromise scams alone cost Australian businesses $132 million every year.

Business perspectives

While finance professionals see cyber crime as a growing threat, said Eftsure, they tend to believe the threat is less pronounced when it comes to their own organisations.

An “overwhelming majority” (90 per cent) of finance professionals said they believe cyber crime is on the rise globally, while nearly half reported more pronounced payment security concerns this year as compared to last year.

While respondents identified phishing and similar attacks as major threats to cyber security, there appears to be less awareness of emerging threats, including AI-generated deepfakes.

Taking action

“Despite bigger losses, bigger threats, and growing fears among finance professionals, financial process vulnerabilities and ambiguous ownership may be hampering organisations’ cyber crime defences,” said Eftsure.

The “ambiguous ownership” mentioned above refers to the lack of clarity among professionals when it comes to who is responsible for digital fraud prevention in their organisations.

“While some recognise the jurisdiction as belonging to both the chief financial officer and the chief technology officer, a quarter say they don’t know who is chiefly responsible,” said Eftsure.

The same ambiguity extends to external authorities, as professionals appear uncertain as to whom cyber crime incidents should be reported to. Most who had reported cyber crime incidents to an external authority had gone to their bank, while a large minority answered that they were unsure where to go.

Despite the operational ambiguities, the study found that most professionals expect further anti-fraud investments and upgrades in the future. Fifty-four per cent of respondents said they plan to invest in anti-fraud controls in the next three years, while 68 per cent expect to upgrade their anti-fraud controls in the next three years.

Recommendations

Building on the findings of the report, Eftsure recommends that businesses do the following to build stronger anti-fraud defences:

  1. Develop a unified cyber-crime strategy driven by the chief financial officer.
  2. Double down on security hygiene.
  3. Incorporate key anti-fraud controls like segregation of duties and call-back controls.
  4. Pressure-test existing controls.

“To make sure those investments pay off, leaders will need to bring accounting and cyber security approaches closer together under a unified cyber crime strategy,” said Mr Chazan.

“Using collaborative approaches both inside and outside our organisations, we can make our business communities safer.”

Nick Wilson


Nick Wilson is a journalist with HR Leader. With a background in environmental law and communications consultancy, Nick has a passion for language and fact-driven storytelling.