Researchers from the University of Queensland have urged Australian organisations to prioritise cyber security training for board directors in the wake of the Optus data breach.
A timely study conducted by the researchers has found that directors are not always aware of their duties and liability in relation to cyber security and often do not understand its importance.
“As the data breach at Optus this month demonstrates, no organisation is immune to cyber crime,” warned study co-author Dr Ivano Bongiovanni from the UQ Business School.
Dr Bongiovanni said that the research, which included interviews with non-executive directors from 43 organisations, identified a lot of uncertainty about current best practices and industry guidelines for cyber security strategies.
“There is a misleading perception of cyber security being a purely technical topic and directors weren’t engaged or confident talking about it,” he said.
“Considering the responsibility to oversee cyber risk management in modern organisations lies with their board of directors, an uplift of cyber skills at the board level is necessary.”
Study co-author and UQ honours graduate, Megan Gale, stated that data breaches can potentially have a massive impact on Australian organisations.
“A disruption to IT infrastructure could force a company to shut down, leading to financial loss or even more severe consequences,” she said.
“In the Optus breach, sensitive, personal customer information along with identity documents have been accessed, putting people at risk of being victims of fraud.”
Optus announced last week that the details of up to 9.8 million of its customers may have been compromised in the data breach including drivers licence and passport numbers.
Ms Gale said that the boards of large companies, as well as those of small- to medium-sized organisations, all needed to be better equipped in the area of cyber security.
According to the researchers, clearer regulations and reporting practices are now needed and cyber security training must be made a priority for all board directors.
“As we’ve seen with Optus, cyber threats are a matter of ‘not if, but when’, and organisations must be prepared,” said UQ director of cyber security and director of the not-for-profit cyber emergency response team AusCERT, Dr David Stockdale.
“More cyber risk training and regular communication between executives and their security teams will ensure the best course of action and prevention.”
Government called to exert regulatory pressure
In a separate statement, RMIT University called on the government to intervene and use its regulatory powers to force Australian organisations to improve their cyber security.
“Instead of seeing the Optus hack as just another cyber breach, it should be a key turning point,” said the Director of the RMIT University Centre for Cyber Security Research and Innovation, and Professor of cyber security at RMIT, Matt Warren.
He would also like to see the government ensure that organisations meet mandatory cyber security requirements; issue penalties for organisations that fail in their cyber security duties; and undertake national cyber security exercises to determine Australia’s overall readiness to cyber security incidents.
“Cyber crime isn’t going away and will continue to become more prevalent and sophisticated. In our new cyber normal, if steps are not undertaken then the situation will be repeated time after time.”
The Australian Banking Association said that its members were working collaboratively with the government and across industries “to contribute to measures to strengthen Australia’s cyber security resilience”.
“Banks have built strong cyber protection systems to keep their customers safe. They stand ready to assist government and the broader business sector. Banks’ focus is on protecting customers and cooperative measures are an important part of a continued focus on resilience,” the association said.
