Computer Emergency Response Team (CERT) Australia is urging companies that haven’t migrated off the Windows XP operating system (OS) to start doing so because they are at increased risk of network vulnerability.
The 2013 <i>Cyber Crime and Security Survey</i> received responses from 135 businesses that partner with CERT Australia.
The survey found that 13 per cent of respondents had no plans to migrate off XP, despite support and patching ending on 8 April 2014.
In addition, 8 per cent of businesses surveyed did not know if they had IT security plans in place.
“Anecdotal reports indicate that cyber criminals have been stockpiling new XP attacks, waiting for support to end,” read the survey.
Of the organisations using XP, 79 per cent had migrated to new software.
XP was launched in October 2001. According to Microsoft, it has been supported for more than 12 years – longer than any other Windows OS.
Microsoft Australia's commercial product marketing manager, Emmanuele Silanesu, told Computerworld Australia in January 2014 that a full migration off XP can take up to six months, depending on the organisation’s size.
“Businesses will need to take into account the size of their employee base, the number of existing apps currently in use as well as the data that will need to be migrated. All these aspects can be roadblocks to the migration path and add time to the process,” he said at the time
- Australia needs effective government cyber policy leadership: report
- Security incidents going unreported: CERT Australia
- Windows XP, Office 2003 deadline looms
Turning to other areas of concern, the report found that 61 per cent of businesses surveyed did not have cyber security incidents identified in their risk register.
“This may be linked with the identified need for management and CEOs to improve their IT security skills, practices and perhaps awareness,” read the report.
Commenting on this, Attorney-General George Brandis said that cyber security should be considered a “CEO or board issue” and not just an information security issue.
“Importantly, the survey indicates the cyber security conversation is shifting from being only about technology to also recognising social, behavioural and cultural factors,” he said in a statement.
For example, 60 per cent of respondents said that IT staff, the CEO and board of directors needed to improve their cyber security skills or practices.
This was because 57 per cent of respondents said the main internal factors that contributed to cyber security incidents were staff errors.
According to the report, 51 per cent of business surveyed said external targeted attacks had contributed to incidents, while the remaining 49 per cent indicated that third party risks were making their business potentially vulnerable.
“Constant review and improvement is important as there has been an overall increase in the number of cyber security incidents experienced by businesses, most of which have been targeted rather than random or indiscriminate attacks,” said Brandis.
CERT Australia’s report found that 56 per cent of the businesses surveyed had identified intrusions or incidents on their networks. This was an increase of 34 per cent on the 2012 findings where 22 per cent of respondents had found cyber security incidents.
Most of these incidents were targeted emails, followed by virus/ worm infection and Trojan or rootkit malware.
While cyber intrusion incidents were on the rise, the number of businesses that spent more on IT security had decreased by 25 per cent since the 2012 report.
According to CERT Australia, only 27 per cent of businesses surveyed spent more on IT security in 2013, compared with 52 per cent of businesses in 2012.
Brandis also had some cyber security advice for Australian businesses:
- Understand the value of your information and how it is protected on your network
- Create a culture of cyber security awareness and practices
- Ensure cyber security incidents are identified in your business risk register.
Follow Hamish Barwick on Twitter: @HamishBarwick