Board members of Australian companies are the least likely to understand cyber security as a key business priority, a new report has found, even as new revelations in the Optus breach highlight the risks of ignoring cyber security for too long.
The report, from Cyber security at MIT Sloan (CAMS) and Proofpoint, canvassed 600 board members at medium and large companies in 12 countries and found that just 54 per cent of Australian respondents are confident that their boards understand the systemic risks posed by cyber threats.
This was the second-lowest ranking of the surveyed countries – the average was 75 per cent – and the 58 per cent of boards that see cyber security as a top priority was the lowest, falling well behind the global average of 77 per cent.
Although they don’t feel cyber security is as important as their overseas peers do, 72 per cent of Australian board members believe they have made adequate investments in cyber security.
Despite this confidence, however, 34 per cent of respondents still believe their organisation would be unprepared to cope with a cyberattack over the next 12 months.
Not that the public would necessarily know if it happened: Australian board members were also the world’s least likely to agree that they should be required to report material cyberattacks to regulators within a reasonable timeframe, with half of Australian board members agreeing – well behind the global average of 80 per cent.
Timeliness is crucial during a data breach response, since cyber criminals often move quickly to demand ransoms, threaten to disable systems, or publish sensitive data online.
Earlier this year, the need for quick action led the federal government to introduce new requirements for critical infrastructure operators – a definition that now includes telecommunications operators – to report breaches within 12 hours.
An Optus spokesperson confirmed the company had met that deadline when reporting the latest Optus breach – which has been followed in real time by the media, Australian banks, security specialists, and other affected organisations.
Yet amidst new revelations that the personal data of 129,000 customers of Optus parent Singtel was stolen in a separate 2020 breach, it’s clear that transparency is still an evolving concept for many boards – even as the nearly 10 million individuals compromised during the breach pick up the pieces.
Indeed, the CAMS research found that just 30 per cent of Australian board members said they are concerned about internal company data becoming public – lower than the 37 per cent global figure.
Australian boards’ lackadaisical attitude towards cyber security is also evident in revelations that just two thirds of Australian boards expect to increase their cyber security budget over the next 12 months – lower than the global average of 87 per cent.
That made Australia’s boards the least likely to increase budgets out of the 12 countries surveyed.
“It is encouraging to see that cyber security is finally a focus of conversations across boardrooms,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyberattacks.”
What will it take?
That boards could still be ignorant of cyber security threats explains why cybercriminals continue to be so successful in stealing data and money from wilfully ignorant corporate victims.
Yet Australian companies aren’t the only ones fat-fingering their cyber response: despite noting that 32 per cent of SME respondents feel that cyber risk has increased during 2022, GlobalData’s newly released 2021-22 UK SME Insurance Surveys found that just 56.2 per cent of medium-sized businesses, 40 per cent of small businesses, and 16.8 per cent of micro businesses had taken out cyber insurance policies to protect against losses.
Changing these persisting attitudes will require board members to become more proactive advocates for cyber security investment, warned CAMS executive Dr Keri Pearlson, noting that board members “play a key role in their organisations’ cyber security culture and cyber security posture.”
“Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cyber security threats their organisations face and the strategy their organisations take to be cyber resilient.”
With just 56 per cent of Australian boards discussing cyber security at least monthly – compared to 76 per cent of boards globally – the issue has a long way to go before it achieves the prominence required to effectively protect corporate Australia.
To ensure their understanding of cyber security is keeping up with the ever-changing threat climate, Pearlson encouraged board members to reach out to CISOs and engage with them as “strategic partners”.
Yet with just 63 per cent of board members reporting that they see “eye to eye” with their CISO – and 58 per cent of CISOs feeling the same – the figures confirm that engagement with CISOs still has a way to go.
“One of the ways boards can boost preparedness is by getting on the same page with their CISOs,” said Proofpoint’s Milică. “The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”