IT security skills lacking
Australian business managers, including those in large financial institutions, need to improve their IT security awareness and skills, according to the latest CERT Australia cyber crime survey.

CERT, which is part of the Commonwealth Attorney-General's Department and is the national computer emergency response team, found that 56 per cent of organisations identified one or more cyber security incidents in the previous 12 months. The number of respondents reporting cyber security incidents increased from 56 in 2012 to 76 in 2013. CERT received responses from 135 businesses. The majority had 200 or more employees, and 13 per cent of respondents were in banking and finance.

Respondents reported that the part of their business most vulnerable to a cyber threat was its internal network, followed by externally facing systems and mobile devices.

System vulnerabilities included weaknesses in authentication, unused and unpatched services and unsecure devices.

If cyber criminals do gain access to a network, one of the main ways of exploiting this access is through targeted emails - so-called "spear phishing". These emails typically carry a virus, worm infection, Trojan malware or rootkit malware. Other common problems were theft of mobile devices, distributed denial of service and unauthorised access to information from an outside source.

Organisations view most incidents as targeted, rather than random or indiscriminate. The main motivation for a cyber attack was thought to be a competitor seeking commercial advantage. Personal grievance was also rated highly as a motivating factor.

Eighty-four per cent of the organisations have IT security areas but only 39 per cent identified cyber security incidents on their risk registers. A risk register is used to record all identified risks and to report incidents and mitigation.

"This finding is of concern and indicates an area for improvement, as all organisations should factor the risk of a cyber security incident in their business continuity planning," the report said.

There is also a problem of under-reporting. The number of organisations not reporting cyber security incidents to an outside agency rose from 44 per cent in 2012 to 57 per cent last year.

Only 27 per cent of organisations increased expenditure on IT security in the previous 12 months - down from 52 per cent in 2012. Sixteen per cent of organisations had no staff dedicated to IT security.