Australia lags in cybersecurity maturity

New research from Proofpoint suggests that Australian board-level buy-in to prioritising cybersecurity lags well behind global counterparts. The Cybersecurity: The 2022 Board Perspective report was published in conjunction with Cybersecurity at RMIT Sloan and explores company directors’ perceptions of key challenges and risks and surveyed 600 board members from 12 countries.

Key Australian findings include:

• Only 58% of Australian board members see cybersecurity as a top priority — the lowest score out of all 12 countries surveyed (global average 77%).
• Just 54% of Australian board members are confident in their board’s understanding of systemic risks from cyber threats — the second lowest at 11th place of all countries surveyed (global average 75%) — and 72% feel that they’ve made adequate investments in cybersecurity.
• Half of Australian boards agree that organisations should be required to report a material cyber attack to regulators within a reasonable time frame — the lowest of all 12 countries surveyed (global average 80%), whilst 34% disagree (highest of all countries).
• Just over half (56%) of Australian boards discuss cybersecurity at least monthly — compared with 76% of boards globally.
• Two-thirds (66%) of Australian boards expect an increase in their cybersecurity budget in the next 12 months, the lowest of any market surveyed (global average 87%). In addition, 22% expected budgets to go down, compared to the global average of 5%.
   

The report explores three key areas: the cyber threats and risks boards face, their level of preparedness to combat those threats and alignment with CISOs based on sentiments uncovered in a previous Proofpoint report (2022 Voice of the CISO). The study found a disconnect between the two sides in cyber risks, consequences and threats.

“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyber attacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint.

“One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board–CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”

The new report highlights global trends, along with industry and regional differences among organisational leaders. Additional Australian findings include:

• There is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 52% of Australian board members believe that their organisation is at risk of material cyber attack in the next 12 months, compared to 68% of CISOs.
• Board members and CISOs have similar concerns about the threats they face: board members in Australia ranked email fraud/business email compromise (BEC) as their top concern (44%), followed by supply chain attacks (32%) and cloud account compromise (28%). CISOs ranked insider threat, email fraud/BEC and supply chain attacks as their top concerns.
• Awareness and funding do not translate into preparedness: 72% of Australian respondents think they have invested adequately in cybersecurity and 66% believe their data is adequately protected. However, one-third (34%) still view their organisation as unprepared to cope with a cyber attack in the next 12 months.
• Board members agree with CISOs about the most important consequences of a cyber incident: significant downtime is at the top of the list of concerns for Australian boards (42%), followed by internal data becoming public (30%) and disruption to operations (30%). These concerns are similar to those of Australian CISOs, who are also worried about significant downtime and disruption of operations, along with impact on business valuations. This differs globally, where boards are most concerned about internal data becoming public (37%) followed by reputational damage (34%) and revenue loss (33%).
• High employee awareness doesn’t protect against human error: although 62% of those surveyed believe their employees understand their role in protecting the organisation against threats, 60% of Australian board members believe human error is their biggest cyber vulnerability — despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.
• The relationship between boards and CISOs has room for improvement: in Australia, 63% of board members report seeing eye to eye with their CISO and 58% of CISOs feel the same.

“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber resilient,” said Dr Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS).

“Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”

The full report is available for download here.

Image credit: iStock.com/baona