Organisations must adopt a 'cyber security culture' to combat threats

03.05.2023

In the past year, cyber attacks have become more sophisticated, and Australian organisations face a complex regulatory environment. MinterEllison's 2023 Cyber Risk Report shows that 78% of organisations have a cyber security plan, but only half test it annually. Continuous improvement and a culture of cyber security are crucial. The financial services sector leads in preparedness, but all businesses must prioritise cyber risk. A culture-focused strategy and regular plan reviews are vital to mitigate cyber risk.

During the past twelve months, cyber attacks in Australia and globally increased in sophistication and frequency. Australian organisations face an increasingly complex cyber regulatory environment. Yet organisations' ability to manage cyber threats is hampered by under-resourcing, under-preparedness, and a patchy understanding of the data that is stored and processed within their organisations.

  • Cyber fatigue a danger to effective management of cyber risk
  • Regulators aggressive in face of heightened risks
  • Financial services most advanced in cyber preparedness

A concerning issue, identified in MinterEllison’s 2023 Cyber Risk Report, is that while 78% of organisations have a cyber security response plan, only half disclosed that they test their plan annually and assess it against an established framework.

“A plan that sits in the bottom drawer without regular testing and refinement will not provide a roadmap to an adequate response to a cyber attack,” said MinterEllison partner, Paul Kallenbach.

“Cyber preparedness is a continuous journey, there is no destination,” he added.

The report found that 56% of respondents ranked cyber risk as a top five priority within their organisation, and 63% said they were not confident, or only somewhat confident, that their organisation understood what and where their data was stored, and who had access to it.

Compounding this perspective of under preparedness, just over half (51%) of respondents felt their organisations had sufficient resources to monitor and respond to cyber security needs.

The outlier is the financial services sector, where 82% of respondents ranked cyber security as a top five priority, and 62% were confident that their organisation understood where its data is stored.

Kallenbach attributes this underwhelming response to the prevalence of cyber attacks setting a ‘new normal’, in which attacks are considered ubiquitous or inevitable. When organisations tick the usual boxes of creating a plan, obtaining insurance and training employees, they may feel they have built it into their cost of doing business and have done all they can.

Moreover, 47% of survey respondents reported they were very confident that their organisation understood its regulatory and contractual obligations in the event of a data breach, with 43% somewhat confident and 9% not at all confident.

“This is unsurprising, given the amount of new and overlapping regulation. But on the other hand, regulators are actively advertising their aggressive approach to addressing poor cyber hygiene,” said Kallenbach.

To address these issues, a cultural response that touches every person in the organisation is required. Implementing measures to embed a culture of cyber security includes promoting an understanding of the risk throughout the organisation, and incentivising commitment to mitigating cyber risk from the very top with concrete actions that flow down to all aspects of the business.

"Creating a culture of cyber security means placing cyber risk at the heart of strategic planning, resourcing, product and service design, hiring and training, and extends to an assessment of key suppliers and their cyber posture," said MinterEllison partner Shannon Sedgwick.

“With corporate data breaches costing an average of A$6.5m, it's essential for organisations to embrace a culture-focused strategy in mitigating cyber risk,” Sedgwick said.

“Connecting cyber security to the KPIs of key people can also be effective, as it will shape how they approach their role and that of their team and colleagues and improve cyber hygiene across every facet of the organisation,” Kallenbach added.

There has been progress over the past few years, but Kallenbach would like to see more action – and quickly.

“All businesses need to view this as a top five business risk. We are at an inflection point, where the likelihood of a cyber attack is far higher than the likelihood of not being attacked. And while it is pleasing that 78% of respondents have a cyber response plan, these plans need to come out of the bottom drawer into the day-to-day running of the business. We would like to see that number rise to close to 100%, for very few businesses are immune to a cyber attack.

“We have just seconds to protect years of data – we need to use that time wisely,” he added.



For media enquiries, please contact:

Charlotte Juhasz
Director, Corporate Communications & Media
M +61 408 837 975

Editors' note:

Along with comprehensive survey results, the report has further information on how to respond to a data breach, and on regulatory compliance. It also contains several graphs that illustrate the findings.


Data was collected through our annual online survey between February and April 2023. Of more than 200 respondents, approximately 50% were legal counsel, and 20% were C-suite executives. Other respondents included IT, risk and security specialists and Board members. This year's key sectors represented in the survey included finance, energy, health, infrastructure and government.