Cyber security can no longer legitimately be considered the domain of IT alone, according to the new MinterEllison 'Perspectives on Cyber Risk Report 2017'. The report's findings also show that Australian companies are being too slow to take the necessary action to mitigate and manage cyber risk.
“Cyber attacks can entirely shut down businesses, causing significant (and sometimes irreparable) damage to corporate and government reputations, relationships and systems,” said Paul Kallenbach MinterEllison Technology Partner and cyber expert. “They can adversely impact other businesses in the supply chain, compromise the privacy of millions of individuals, and threaten economic wellbeing and national security. Yet business is not responding quickly enough. All organizations need to develop a culture of cyber risk management and look beyond the expectation of IT department taking the responsibility for risk mitigation.”
The report highlights the need to embed cyber resilience in every organization, yet key findings suggest this isn’t happening:
"In our board survey, 44 percent of organizations responded that the board is only briefed on cyber security issues annually or on an ad hoc basis, while 13 percent of organizations said that the board received no briefings at all,” said Kallenbach. "In our CIO survey, only 52 percent of respondents indicated their organizations had increased their expenditure on IT security over the previous 12 months and that shows little change to the 2016 report findings.”
"Cyber resilience should be a key focus area for all organizations in the next 12 months,” stated Kallenbach. “This requires deep board level engagement with cyber risk; identifying the extent of the organization's exposure to cyber risk (including due to supply chain risk); developing, implementing and testing procedures to protect the organization from cyber incidents; and being able to deploy the resources (both technical and human) to identify a cyber incident in a timely manner, and to respond to and recover from an incident."
Key findings from the report surveys are:
- Awareness of cyber risk has increased as the problem grows – but concrete actions have not changed;
- Despite concerns about the increasing cyber threat, organizations remain complacent about reviewing and testing their own cyber resilience (and the cyber resilience of their suppliers);
- Cyber security is still (wrongly) seen as being primarily an IT issue;
- The privacy landscape is changing – both in Australia and overseas;
- The increasing uptake of cyber insurance indicates some willingness to act on managing cyber risk.