July 2021 ASX 200 Security Report This report begins to assess the scale and sources of cyber risk in Australia by examining the ASX 200, the index of the top 200 companies in Australia by market capitalization. ASX 200 Security Report Executive Overview This report begins to assess the scale and sources of cyber risk in Australia by examining the ASX 200, the index of the top 200 companies 36.3% in Australia by market capitalization. For this report, the UpGuard platform collected public 36.3% of companies surveyed had a live data leak in the past year. data to assess risk factors known to contribute to data breaches. These risk factors can be divided into data leaks and system configurations– that is, are companies unintentionally putting sensitive information onto the public internet, and are they configuring their internet-facing systems to reduce the likelihood of being compromised. This information is then aggregated and interpreted by an overall security rating. Key findings: • 36.3% of companies surveyed had a live data leak in the past year. Data leaks have increased by 25% in the ASX 200 since 2019. • Overall, bigger companies are still more likely to have leaks: a company in the most valuable quartile of the ASX 200 is three times as likely to have a leak as one in the least valuable quartile. However, the quartile of the least capitalized companies experienced the greatest growth rate in leaks, more than doubling from 6% of companies in 2020 to 17% in 2021. www.upguard.com 1 • More than 50% of companies in the Communication, Telecom, Energy, and Information Technology sectors had data leaks, with Financials close behind at 48%. Fewer than 20% of companies in the Health Care, Consumer Staples, and Real Estate sectors had data leaks detected by the methods used for this study. • All companies have improved their overall security rating, no company has a score below 400 anymore. • Although all industries generally improved their overall security rating, the best performing industries were finance, energy, and healthcare. Notably, utilities fared the worst, only increasing by 0.6% whereas nearly every other sector saw at least a 5% improvement in overall scores in the surveyed time period. • The average UpGuard user score improved from 714 to 758, a 6% increase, whereas the rest of the ASX 200 improved from 668 to 700, a 4.5% increase. • While both UpGuard customers and non-customers experienced overall increases in scores in the previous year, UpGuard customers began at a higher starting point. On average, non-customers had scores that were consistent with UpGuard customer scores from about a year ago, indicating that UpGuard customers are roughly a year ahead in their overall security programs. www.upguard.com 2 ASX 200 Security Report Introduction Last year, UpGuard published a research report on the ASX 200. To say that the world has changed between 2020 and 2021 is an understatement. At the same time, many of the ways in which societies have responded to COVID-19 have only accelerated or accentuated existing trends. The mass adoption of remote work, for example, suddenly left city highways empty, but it was possible because of an existing marketplace of tools for telecommunication. COVID-19 60% didn’t lead to the invention of video chat, it just made it Ransomware attacks have the norm. increased 60% year over year COVID-19 didn’t invent cyber threats, either, but the increase in digital adoption has multiplied the potential targets. Ransomware attacks have increased by 60% year over year1, a trend that can be given a dollar amount by looking at its impact on cyber insurance. In Canada, the net claims ratio – the ratio between losses paid out by insurers versus premiums collected by them – for cyber insurance in 2019 was 39%. In 2020, it was 105%2. Despite premiums increasing significantly throughout 2020, losses increase more quickly than insurers’ ability to raise prices, ultimately resulting in the operating at a loss. Insurance exists because disasters happen all the time. Those disasters aren’t supposed to happen to the insurers. 1. SonicWall, "2021 SonicWall Cyber Threat Report", https://www.sonicwall.com/2021- cyber-threat-report/ 2. FitchRatings, "Sharply Rising Cyber Insurance Claims Signal Further Risk Challenges", https://www.fitchratings.com/research/insurance/sharply-rising-cyber-insurance-claims- signal-further-risk-challenges-15-04-2021/ www.upguard.com 3 Even as shifting digital footprints created fertile ground for misconfigurations, human error, and vulnerabilities, companies were not helpless. Especially for companies like those in the ASX 200, digital transformation projects have been underway for years. Having, and testing, a disaster recovery plan is always a good idea. Why it is worth doing all that preparation only becomes more tangible after a ransomware attack. Methodology The UpGuard platform collects public data to assess risk factors known to contribute to data breaches. At a high level, these risk factors can be divided into data leaks and system configurations - that is, are companies unintentionally putting sensitive information onto the public internet, and are they configuring their internet- facing systems to reduce the likelihood of being compromised. UpGuard analysts manually reviewed all data leaks to ensure they meet the criteria of internal data of some level of sensitivity. The companies included in this study were the 200 most valuable Australian companies in April of 2021. The group of companies in the 2020 study was slightly different due to changes in market capitalization between 2020 and 2021. When year over year changes are discussed, we have tried to make it clear whether we are comparing the two cohorts or are discussing the state of the 2021 cohort as it existed a year ago versus today. www.upguard.com 4 Part 1 Data leaks Data leaks or data exposures occur when people mishandle information and make it publicly accessible. There are other usages of these terms – for example, when an insider “leaks” information to the press to expose some perceived wrongdoing at their organization, or when threat actor groups “leak” data they have exfiltrated – but for our purposes, we are looking at the unintentional exposure of data of some level of sensitivity. Some data leaks are serious in themselves, containing protected data classes like personal health information. Othertimes, they sit in a gray zone of potential impact. When credentials are leaked, for example, there is no impact until someone abuses them. The SolarWinds attack, which Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen,” may have been precipitated by an intern exposing a password on Github3, according to former SolarWinds CEO Kevin Thompson. Incidents like that are very common, and if no one abuses the credentials - or more precisely, no one is known to have abused the credentials - they are treated as minor events. Data leaks thus have a high degree of potential – under one set of circumstances disastrous, and under another insignificant. An intern exposing a password may have no impact at all, depending on their level of access and other mitigating factors; it also has the potential to be the first step on the road to catastrophe. Conversely, we have worked cases where large sets of sensitive data have been exposed, but with speedy detection and thorough investigation, they have been secured before any malicious actors could exploit them. This quality of leaks helps explain why they are so often ignored, and perhaps why so many breaches happen with credentials gathered from an unknown source. 3. ZDNet, "SolarWinds security fiasco may have started with simple password blunders", https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with- simple-password-blunders/ www.upguard.com 5 More than 36% of ASX200 01 companies have open data leaks UpGuard continuously monitors for customer data using search queries tuned by analysts in collaboration with the security teams of those companies. These searches use many keywords and are more likely to detect leaks than companies without threat intelligence programs. Because those leaks are reported and remediated immediately, they pose far less risk than those left in the open. For the purposes of maintaining the integrity of this research, UpGuard customers have been excluded from this report’s dataset. Among the companies surveyed, we detected leaks for 36.3% of ASX200 companies in 2021. As we will discuss in the next finding, the percentage of companies in this study with data leaks shows an increasing and troubling trend. We detected leaks for 36.3% of the remaining companies in the ASX 200. www.upguard.com 6 Number of companies with leaks 02 continues to increase In 2020 we reported leaks for around one third of the ASX 200, and would have rounded the overall exposure in 2019 to “around one third” as well. The precise percentage of companies with data exposures, however, shows a troubling trend. Amongst non-customers, we detected leaks for 36.3% of companies in 2021. In 2020, 32.5% of companies had leaks; in 2019, it was 29%. Given that data leaks are a byproduct of digitization, this trend appears likely to continue. Businesses will continue to expand the number of IT systems they use, the number of technical employees, the digitization of information, and their digital supply chain. We were able to observe some of the effects of this overall trend when comparing the correlation between data leaks and company size. www.upguard.com 7 Leaks growing in smaller companies 03 One of the trends that shows how data leaks are becoming more commonplace is the changing degree of correlation between market capitalization and data leaks.