While it is widely accepted that cyber crime is on the rise, the findings of the report show that “Australian companies are being too slow to take the necessary action to mitigate and manage that risk”, according to MinterEllison.
Over 100 legal counsel, CIOs, COOs, board members, IT specialists and risk managers of various companies were surveyed for the report, completing either the CIO survey or the board survey depending on their role.
The report emphasised the prediction made in Cybersecurity Ventures’ 2016 Cybercrime Report that the annual global cost of cyber crime will grow to US$6 trillion by 2021.
“Cyber attacks can entirely shut down businesses, causing significant and sometimes irreparable damage to corporate and government reputations, relationships and systems,” says Paul Kallenbach, MinterEllison technology partner and cyber expert.
“Yet business is not responding quickly enough. All organisations need to develop a culture of cyber risk management and look beyond the expectation of IT department[s] taking the responsibility for risk mitigation.”
Paul says that while awareness of cyber risk is rising, companies are not being proactive enough in addressing cyber threats. In fact, the CIO survey found the proportion of organisations that regularly review and test their key IT systems to identify threats or vulnerabilities dropped from 73 per cent in 2015 to 57 per cent in 2016.
He explained that many companies incorrectly view cyber risk as an issue to be dealt with by the IT team alone, with 56 per cent of board respondents saying their IT departments are principally responsible for cyber risk management, compliance and review activities.
“In our board survey, 44 per cent of organisations responded that the board is only briefed on cyber security issues annually or on an ad hoc basis, while 13 per cent of organisations said that the board received no briefings at all,” he says.
“Cyber security has well, and truly, transcended the realm of the technical.
“It is now a business, economic and national security priority, which requires that a culture of cyber resilience be woven into the fabric of public and private sector organisations’ overall risk management approach.”
Paul listed several high-profile cyber breaches that occurred in 2016 alone, including Tumblr, LinkedIn, financial messaging system SWIFT, and Panamanian law firm Mossack Fonseca.
“Every kind of organisation – government, state-owned enterprises, public and private companies and not-for-profits – has been affected. In every industry – from finance, retail, hospitality and healthcare, to mining and resources, utilities, professional services and education – it’s clear that no one is immune,” he says.
The report found that organisations in all sectors need to reinforce their cyber security measures in the next 12 months, with companies that remain complacent at great risk of having their security breached.
“This requires deep board-level engagement with cyber risk; identifying the extent of the organisation’s exposure to cyber risk, including due to supply chain risk; developing, implementing and testing procedures to protect the organisation from cyber incidents; and being able to deploy the resources, both technical and human, to identify a cyber incident in a timely manner, and to respond to and recover from an incident,” Paul explains.