Large Australian Companies Expect Rising Cyber RisksASX 100 Survey Finds Improved Awareness But Room for Improvement
Cybersecurity is becoming a board-level concern among Australia's largest companies, but many are worried a breach or intrusion would nonetheless disrupt their businesses.
The finding comes from a first-ever survey, the ASX 100 Cyber Health Check Report, released this week by the Australian government. Seventy-six of Australia's 100 largest companies by market capitalization on the Australian Stock Exchange (ASX) participated.
Only 29 percent say they're "very confident" that they can detect and respond to an intrusion with minimal operational impact. The surveyed companies are not named, and their responses are aggregated.
"This may be partly because cyber risk is increasing and becoming more complex, as well as a greater recognition of the potential costs," according to the survey. "It may also be due to a traditional focus on protection rather than detection and response capabilities."
Still, the broad trends illustrated by the survey are positive, says Shane Bell, forensic and cyber director of the technology advisory firm McGrathNicol. Many companies have cybersecurity training and considered how they would notify customers about a data breach.
"It shows you that this [cybersecurity] is on the agenda in boards," Bell says. "You want people to be talking about this. Most of our top listed companies are concerned this isn't something that is going away."
The report comes a year after the Australian government launched a refreshed cybersecurity strategy that's designed to put the country on a stronger footing in the face of increasing threats (see Is Australia Spending Enough on Cybersecurity?).
Cyber Risk Increasing
Australia pledged in April 2016 to spend AU$230 million (US$173 million) over the next four years on a range of initiatives to bolster the country's cybersecurity stance. That includes fostering a homegrown cybersecurity industry, better threat information sharing and helping businesses defend against hackers.
It's estimated cybercrime costs the Australian economy a minimum of $1 billion a year, although the figure the figure could be as high as $17 billion.
The survey is a mix of findings, some good and others more worrying. More than 80 percent of companies expected the likelihood "of cyber risk to increase within the short term."
The report is significant in that it has taken the cybersecurity pulse of large Australian companies, says Jeff Paine, CEO and managing director of ResponSight, a data breach prevention firm based in Melbourne.
"There seems to be a feeling of reasonable capability in terms of what we are spending and what we're able to do in terms of detection and prevention," Paine says. "But at the same time a feeling we're only sort of a bit confident" about stopping breaches.
Some 88 percent of boards now receive reports on cyber incidents, with 21 percent of those respondents establishing reporting procedures within the last year. But more than half of directors, 54 percent, contend that those reports contain only basic information.
Also of increasing concern is how attackers look for weaknesses in the networks of a company's partners. Those partners may have weaker security controls, making it possible to breach the intended victim.
This is how Target saw 40 million payment card details stolen in 2013. Attackers hacked a company specializing in supermarket refrigeration systems that maintained a data connection with Target. Eventually, attackers managed to install malware within Target's payment systems.
A third of survey respondents say they've not evaluated the cyber defenses of their suppliers or customers who have connections to their systems. Plus, only 37 percent have a "clear understanding of their own key information assets," the report says.
Paine says that's concerning. "The board doesn't have a good understanding of where the data is," he says. "I think that goes to the core of what you're trying to protect."
Australia's mandatory data breach notification law, which is due to come in force no later than early next year, makes understanding where data is even more important (see Australia Enacts Mandatory Breach Notification Law).
If a partner is responsible for a data breach, regulators will look to the company with the customer relationship. Not knowing where data resides is problematic, says Peter Malan, a partner with PwC's cybersecurity practice.
"If you have a breach, it's going to make it difficult to properly respond to that legislation," Malan says.