Lax Australian security attitudes leaving databases exposed to web compromise

Cybersecurity research group Group-IB has identified 1,550 unsecured public-facing databases in Australia, highlighting the lingering weaknesses in corporate data protection and providing a stark warning to the surprisingly large number of companies that continue to prioritise business performance over data security.

Ongoing internet server scans by the Group-IB Attack Surface Management team identified 308,000 exposed databases worldwide last year—93,685 of which were located in the US; 54,764 in China; and 11,177 in Germany. Singapore (with 5882 exposed databases) ranked sixth and Hong Kong (5563) seventh—suggesting that Australia was faring relatively well on a comparative basis.

Yet that will be small consolation for the likely hundreds of Australian organisations whose failure to secure their data may have led to problematic breaches of their critical data, and potentially damaging penalties under Australia’s notifiable data breaches (NDB) scheme.

Globally, the number of exposed databases increased from 69,000 in Q1 last year to 91,200 in Q1 this year—and Redis databases were most frequently exposed during the first quarter of this year, doubling year-on-year while the number of exposed MongoDB, Elastic and MySQL databases stayed relatively stable.

Many of those breaches may have lingered for many months, Group-IB found, noting that the average time to patch an exposed database had increased from 116.9 days in the last quarter of 2021 to 170 days in the first quarter of this year.

Worse still is that most of this exposure is completely preventable—with more than half of the company’s incident response engagements last year stemming from a preventable, perimeter-based security error, said Group-IB attack surface management product lead Tim Bobak

ANZ businesses favour performance over cybersecurity

The findings are an indictment of utilitarian approaches to security that are seemingly leaving many businesses in breach of their obligations to protect their sensitive data.

That’s hardly a surprise, given that a recent F5 Networks study found that 52% of Australian and New Zealand respondents would turn off cybersecurity controls to improve the performance of their systems.

Similarly, CyberArk recently noted that Australian organisations are well behind global averages when it comes to compromising security for business reasons. A total of 87% of Australian security professionals admitted that they had prioritised maintaining business operations over ensuring robust cybersecurity during the previous 12 months—compared with 79% globally.

A similar percentage—86% of Australian respondents, compared with 68% globally—said they had struggled with security issues due to the accelerated rate of employee churn, which had often left privileged accounts accessible even after the employees had left.

The prevalence of such business-first attitudes is compromising security and, if Group-IB’s work is any indication, leaving business data more exposed to compromise than ever.

This persisting threat, said Cyberark ANZ regional director Thomas Fikentscher, is a reminder that getting business support for cybersecurity requires more than just convincing the board that security is important.

“While cyber risk awareness has generally risen amongst executives and board members, it has not necessarily triggered the required programmatic focus and funding to mature core cybersecurity controls among Australian businesses across all sizes and industries,” he said.

“The volume of machine and human identities has steadily grown and will play into the hands of malicious actors unless the current cybersecurity debt is rapidly addressed. Compromising fundamental cybersecurity controls in favour of rapid introduction of new digital initiatives is a risky endeavour and should be brought into balance in 2022 and beyond,” Fikentscher said.