ASIC calls on organisations to prioritise their cyber security after its report into the cyber capability of corporate Australia identified significant gaps.
The report summarises the results of ASIC’s recent cyber pulse survey. The results of the voluntary self-assessment survey have exposed deficiencies in cyber security risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cyber security.
ASIC Chair Joe Longo said, ‘For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.’
Encouragingly, participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.
Understandably, due to competing demands for limited human and financial resources, small organisations lagged behind larger entities in third-party risk management, data security, consequence management, and adoption of industry standards.
‘There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks.
‘An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards,’ concluded Mr Longo.
Ninety-five per cent of survey participants opted to receive an individual report which provided important insights on how their cyber resilience compared to their peers. This demonstrates a commitment to improving their organisation’s cyber resilience.
The National Cyber Security Coordinator, Air Marshal Darren Goldie AM CSC, welcomed the results of the report and acknowledged ASIC’s work to map out key gaps in corporate Australia’s cyber resilience.
‘Cyber security must be a priority for us all, including individuals and businesses large and small. Support is available – the National Office of Cyber Security works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents. The 2023-2030 Australian Cyber Security Strategy will enable Australia to build and strengthen its cyber shields and develop our resilience to bounce back quickly,’ said Air Marshal Goldie.
Survey result highlights
- 44% of participants do not manage third-party or supply chain risk
- 58% of participants have limited or no capability to protect confidential information adequately
- 33% of participants do not have a cyber incident response plan
- 20% of participants have not adopted a cyber security standard
Report 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023
The Australian Cyber Security Centre estimated cybercrime cost Australia $42 billion in 2021.
The inaugural ASIC cyber pulse survey was one of the largest conducted into Australia’s cyber resilience. The survey measured participants’ ability to:
- govern and manage organisation-wide cyber risks
- identify and protect information assets that support critical services
- detect, respond to, and recover from, cyber security incidents.
ASIC encourages organisations to foster a culture of cyber awareness. ASIC’s cyber resilience webpage contains useful resources to help entities improve their cyber security and resilience.