Australian cyber resilience at odds with security culture
Australian businesses need to become more cyber resilient if they’re going to prevent data breaches and other cybersecurity risks, according to a new study.
The research — commissioned by cybersecurity company McAfee — surveyed 480 cybersecurity decision-makers across eight Asia–Pacific countries, including Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, Singapore and Thailand, on their perceptions of their organisations’ cyber resilience and maturity.
Of Australian respondents, 73% were familiar with the concept of cyber resilience — “the [organisation’s] ability to minimise business disruption while responding to a cyber attack” — compared to 97% of Indians and 95% of Indonesians, the report said.
Yet only 65% of Australians felt their organisations were ‘extremely’ or ‘very’ cyber resilient, the report said.
This is despite Australia’s seemingly strong cybersecurity culture, where 27% of respondents said cybersecurity decisions are made at the board or executive level and 60% said security is always included in decision-making processes.
“An impressive 87% of organisations are taking the right steps towards building a solid culture of cybersecurity. However, this isn’t translating as it should into an adequate level of cyber resilience with our Australian respondents. This indicates a disconnect between the priorities and investment required to build cyber resilience, and the decisions made at the board level,” said McAfee MVISION Cloud Asia Pacific Regional Director Joel Camissar.
“Organisations that don’t put cyber resilience at the forefront of their approach to security expose networks and infrastructures to an expanding range of cyber risks, gifting cybercriminals the opportunity to exploit clear gaps in their security posture.
“The survey found 55% of Australian respondents named data breaches as one of the top three cyber risks. To truly combat this, cyber resilience has to become a higher priority for Australian organisations,” Camissar said.
Despite this, and with 75% of Australians saying cybersecurity regulations impact their organisation, 12% said they aren’t planning to invest in more security, McAfee said. Australia has one of the lowest levels of investment in the region, compared to India and Indonesia, where only 2% of businesses aren’t planning to invest more in security, the company added.
“The heightened regulatory environment in Australia, highlighted by the introduction of the Notifiable Data Breaches scheme in the last two years, means businesses cannot afford to deprioritise their investment in cybersecurity,” Camissar said.
Australian organisations cited ‘culture, education, and awareness’ as the lowest investment priority to improve cybersecurity maturity.
“In the latest Notifiable Data Breaches Statistics Report from the Office of the Australian Information Commissioner, human error accounted for one-third (34%) of data breaches, from April to June, that allowed hackers access to information. Clearly, there is much work to be done to change the emphasis that Australian organisations place on cybersecurity education and awareness in the workplace,” Camissar continued.
One in six Australian respondents believe cybersecurity incidents have a ‘high’ impact on the business and a concerning 18% believe cybersecurity incidents have a ‘low’ impact on the business.
“While some Australian respondents feel in better control of their cybersecurity response, it’s risky to lose sight of the dire financial, reputational and operational impacts a cyber incident can have both in the short and long term,” Camissar said.
When asked whether they could put a cost on their recent cyber incidents, Australian organisations were well behind their counterparts, with just 46% able to quantify the financial impact. By contrast, companies in India (91%), Malaysia (85%) and Thailand (83%) were more confident they could measure the cost of a data breach.
Australian survey respondents who could place a cost on cybersecurity incidents in the past 12 months believe the estimated average cost is approximately $332,044.