The Australian Securities and Investments Commission (ASIC) has urged Australian organisations to address “significant gaps” in their cyber security and resilience.
The regulator’s call to action follows a spate of high-profile cyber attacks in Australia, including most recently on port operator DP World.
A recent survey involving 697 ASIC-regulated organisations found that 44 per cent do not manage third-party or supply chain risk and 58 per cent have limited or no capability to adequately protect confidential information.
“For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain,” commented ASIC chair Joe Longo.
“It was alarming that 44 per cent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.”
ASIC originally unveiled its cyber resilience survey in June to gauge organisations’ current cyber security and controls, governance arrangements, and incident preparedness. The regulator said that recent high-profile cyber incidents had highlighted the need for all organisations to have “robust cyber capabilities”.
In a report detailing the results of its survey on Monday, ASIC said that organisations were being reactive rather than proactive when it comes to managing cyber security. On a scale of 0 to 4, Australian organisations were given a weighted average cyber maturity score of 1.66.
Thirty-three per cent of survey participants were found to not have a cyber incident response plan and 20 per cent have not adopted a cyber security standard.
The report positively highlighted organisations’ identity and access management, governance and risk management, and information asset management.
Meanwhile, the top areas for improvement were supply chain risk management, data security, consequence management, and adoption of cyber security standards.
Smaller organisations were found to be lagging behind their larger counterparts, particularly when it comes to third-party risk management, data security, consequence management, and the adoption of industry standards.
“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,” Mr Longo said.
“An effective cyber security strategy and governance and risk framework should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
Phishing was identified by 26 per cent of participants as the top cyber security threat to the continued operation of their organisation, followed by ransomware (17 per cent) and business email compromise (13 per cent).
Mr Longo previously warned that failing to prioritise cyber security and resilience could open up directors to potential enforcement action.
“For all boards, cyber security and cyber resilience have got to be top priorities,” he said in September.
“If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”
Citing research by Cybersecurity Ventures, Mr Longo noted that cyber crime damage costs are set to rise by 15 per cent each year in the next three years, hitting US$10.5 trillion by 2025.
Additionally, the ASIC chair highlighted a report by Cisco which found that 62 per cent of businesses had suffered some kind of incident that affected their security resilience.
