Small businesses are running behind on key security practices, and putting other organisations at risk, a survey [pdf] by the Australian Securities and Investments Commission (ASIC) has found.
ASIC’s research showed that 33 percent of small organisations had “no or limited” multifactor authentication capability, 41 percent don’t patch applications, and 30 percent don’t have backups in place.
The bleak picture also included that 44 percent don’t perform risk assessments of vendors and third parties; 45 percent don’t run vulnerability scans, and 34 percent “do not follow or benchmark against any cyber security standard”.
While ASIC noted that “it’s unsurprising that they consistently reported a lower level of
cyber maturity capability than medium and large organisations,” small businesses could arguably represent a risk to larger operations that they worked with.
Third party risk, the report found, is badly managed across the board: 44 percent of organisations “do not manage third-party or supply chain risk”, ASIC said, something which should change.
“These parties could be vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information,” the report found.
Announcing the survey results, ASIC chair Joe Longo described the lack of attention to third-party risk as “alarming”.
“Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.
Longo added that the study also emphasised the importance of resilience.
“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident.
“It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,” he said.
About Author
