During the past twelve months, cyber attacks in Australia and globally increased in sophistication and frequency. Australian organisations face an increasingly complex cyber regulatory environment. Yet the effectiveness of organisations to manage cyber threats is hampered by under resourcing, under preparedness, and a patchy understanding of the data that is stored and processed within their organisations.
- Cyber fatigue a danger to effective management of cyber risk
- Regulators aggressive in face of heightened risks
- Financial services most advanced in cyber preparedness
A concerning issue, identified in MinterEllison’s 2023 Cyber Risk Report, is that while 78% of organisations have a cyber security response plan, only half disclosed that they test their plan annually and assess it against an established framework.
“A plan that sits in the bottom drawer without regular testing and refinement will not provide a roadmap to an adequate response to a cyber attack,” said MinterEllison partner, Paul Kallenbach.
Cyber preparedness is a continuous journey, there is no destination,” he added.
The report found that 56% of respondents ranked cyber risk as a top five priority within their organisation, and 63% said they were not confident, or only somewhat confident, that their organisation understood what and where their data was stored, and who had access to it.
Compounding this perspective of under preparedness, just over half (51%) of respondents felt their organisations had sufficient resources to monitor and respond to cyber security needs.
The outlier is the financial services sector, where 82% of respondents ranked cyber security as a top five priority, and 62% were confident that their organisation understood where its data is stored.
Kallenbach attributes this underwhelming response to the prevalence of cyber attacks as setting a ‘new normal’, whereby attacks are considered ubiquitous or inevitable. When organisations tick the usual boxes of creating a plan, obtaining insurance and training employees, they may feel they have built it into their cost of doing business and have done all they can.
Moreover, 47% of survey respondents reported they were very confident that their organisation understood its regulatory and contractual obligations in the event of a data breach, with 43% somewhat confident and 9% not at all confident that their organisation understood its contractual and regulatory obligations,
“This is unsurprising, given the amount of new and overlapping regulation. But on the other hand, regulators are actively advertising their aggressive approach to addressing poor cyber hygiene,” said Kallenbach.
To address these issues, a cultural response that touches every person in the organisation is required. Implementing measures to embed a culture of cyber security includes promoting an understanding of the risk throughout the organisation, and incentivising commitment to mitigating cyber risk from the very top with concrete actions that flow down to all aspects of the business.
"Creating a culture of cyber security means placing cyber risk at the heart of strategic planning, resourcing, product and service design, hiring and training, and extends to an assessment of key suppliers and their cyber posture," said MinterEllison partner Shannon Sedgwick.
“With corporate data breaches costing an average of A$6.5m, it's essential for organisations to embrace a culture-focused strategy in mitigating cyber risk,” Sedgwick said.
“Connecting cyber security to the KPIs of key people can also be effective, as it will shape how they approach their role and that of their team and colleagues and improve cyber hygiene across every facet of the organisation,” Kallenbach added.
There has been progress over the past few years, but Kallenbach would like to see more action – and quickly.
“All businesses need to view this as a top five business risk. We are at an inflection point, where the likelihood of a cyber attack is far higher than the likelihood of not being attacked. And while it is pleasing that 78% of respondents have a cyber response plan, these plans need to come out of the bottom drawer into the day-to-day running of the business. We would like to see that number rise to close to 100%, for very few businesses are immune to a cyber attack.
“We have just seconds to protect years of data – we need to use that time wisely,” he added.
VIEW REPORT
