The survey of Australia’s largest listed companies, boasting a market capitalisation of $1.5 trillion, found 81% of respondents expect more cyber attacks in the next 12 months.
Yet only 12% think their company is doing enough to protect itself, the ASX 100 Cyber Health Check Report found.
Recommended in Australia’s inaugural Cyber Security Strategy, the study probed non-executive directors about cyber resilience. Of the ASX 100, 76% took part in the survey – the first attempt to gauge how the boards of Australia’s largest companies view and manage their cyber risk.
Of the respondents, just 1% said they were “very confident” their company was properly secured against cyber attacks.
It’s a sobering statistic; the survey cites a 2016 global study which found the average cost of cybercrime against Australian corporations is more than $5.6 million per incident – and rising.
But it’s not all doom and gloom. At almost every surveyed company (99%), the ultimate owner of cyber risk is either the CEO or another member of the C-suite, suggesting cybersecurity is now on the radar of the right people.
Australia’s cyber readiness: How we stack up
- More than 80% of respondents expect cyber risk to increase in the short term, yet only 29% are confident that management can detect, respond to and manage a cyber incident with minimal impact on the business.
- One third of companies haven’t evaluated the cyber resilience of suppliers, customers and other key external parties they work with, and only 37% have a clear understanding of their own key information assets.
- 30% have never assessed cybersecurity culture at their organisation.
- Just one third (34%) have a clearly-defined cyber risk appetite – a hallmark of companies that take information security seriously, according to the report.
- 38% have a specific cyber insurance policy. A similar percentage (36%) considered it and decided not to implement it.
- 62% have notified the board about “more or significantly more” malicious cyber activity against their company in the past year. 13% of the companies don’t notify the board of attacks, while 4% say there have been no cyber attack attempts.
- More than half (54%) of businesses are “somewhat” or “not very” confident of their organisation’s ability to detect, respond to and manage a cyber intrusion so as to minimise the impact on their business.
- Only 11% have a clear understanding of which of the company’s key information or data assets are shared with third parties such as suppliers, customers, advisors and outsourcing partners.
- More than half of directors say the description in the corporate risk radar of cyber implications is “basic”.
- Only 59% have a documented, approved and tested response, recovery and resumption plan.
- Just 33% of boards received company cyber training in the past year.
- Less than two thirds (60%) have tested what staff would do when faced with a security threat.
On a positive note:
- At almost every company (99%) the ultimate owner of cyber risk is either the CEO or another member of the C-suite.
- Cyber-related risk has been added to the corporate risk registers of 92% of respondent companies.
- More than half of companies (54%) made inroads in the past year by implementing cyber training.
- 80% have a clear understanding of the company’s disclosure requirements in the event of a cyber breach.
- Firms are increasingly sharing threat intelligence. This includes encouraging cybersecurity teams to engage in data-sharing arrangements with other organisations including peers (30%), government agencies (25%), customers, vendors and suppliers (20%) and competitor organisations (20%).
- 75% have considered how they’d notify customers or clients in the event of a breach of their confidential data.
- The majority of boards (88%) receive management reports on cybersecurity incidents – 21% of companies established this procedure in the past year.
Surveying the ASX 100 for their cyber attack readiness is a great start. After all, education and awareness are two primary hurdles to improving protection for Australian businesses of all sizes.
Interested to know more about cybersecurity and its impacts on your business?
Our CEO, Craig McDonald, has written a plain-English, jargon-free guide to understanding cybercrime in today’s business world. Download a free version of Surviving the Rise of Cybercrime at http://survivingcybercrime.com.au/
The ASX 100 Cyber Health Check survey was a result of a collaboration between the ASX, ASIC, the Department of Prime Minister and Cabinet, CERT Australia and professional services companies Deloitte, EY, KPMG and PwC.