
GCs don’t see their boards as ‘cyber mature’, report finds

New research has shown that cyber investment priorities over the past 12 months neglected third-party vulnerabilities, despite these being the “number one cyber risk for Australian organisations”.

September 23, 2025 By Carlos Tse

Herbert Smith Freehills Kramer (HSF Kramer) has released its latest Cyber Risk Survey Report, which compiles the responses of general counsel from various sectors, including consumer services, financial services, resources, health, and energy, and focuses on the imperative that every individual in an organisation must defend against cyber risks.

The report found that more than two in three (68 per cent) respondents believe cyber risk is growing year on year – down from 80 per cent in 2024.

It further revealed that data risk was a top cyber concern (63 per cent), second only to third-party risk.

Corporate victims

Three in four (75 per cent) respondents believed that the increase in cyber risk was due to “newer and more sophisticated technologies, including social engineering and AI”, the report said.

HSF Kramer partner and Asia-Pacific cyber security head Cameron Whittfield said: “We are seeing highly sophisticated social engineering techniques exacerbated by the use of AI and attacks perpetuated by criminals whose first language is English.”

These sophisticated techniques, he said, are used to “monetise stolen data and credentials”. He warned that board directors, senior executives, system administrators, customer-facing representatives, procurement and IT help desk staff are among those being targeted.

The report also found that third-party vulnerabilities ranked low among cyber investment priorities in the past 12 months, despite 75 per cent of respondents suffering a third-party cyber incident in the past two years.

Whittfield argued that “the management of cyber risk needs to be democratised across the business. It is as much a risk for the chief information security officer as it is for leaders dealing with data governance, human resources, procurement, legal and finance.”

HSF Kramer research showed that “38 per cent are not confident their organisation is well placed to manage and mitigate cyber risk”.

“We need our people to no longer feel vulnerable and instead be empowered to act as a front line of defence,” Whittfield said.

What next?

Even with the increased regulatory and media spotlight on boards’ responsibility for their organisation’s cyber preparedness, less than half (45 per cent) of respondents regarded their boards as “cyber mature”, HSF Kramer found.

“In addition, 32 per cent don’t believe their boards have a clear understanding of the delineation between board and management roles and responsibilities during incident response,” it added.

HSF Kramer partner and cyber and financial services expert Peter Jones said: “There’s an expectation, whether it’s explicit or implicit, that organisations should be testing incident response plans and undertaking simulation activities, particularly in and around cyber risk and resilience.”

Jones said that simulations allow boards to engage with cyber security in “optimal conditions”, and that regulators also recognise the importance of simulations.

The survey found no change in boards’ cyber simulation participation over the past year: “approximately half of boards have never participated in a cyber simulation exercise”, it said.

“Sixty-three per cent believe it would take a cyber attack to meaningfully improve focus on data risk management,” the firm noted, up from 58 per cent in the past 12 months.

It urged that “cyber risk management must be fully embedded in daily operations across all business functions, with a continuous commitment to scrutiny and improvement. Regrettably, we must adopt a position of zero-trust.”

“In an uncertain world, one thing we can be sure of is that cyber security will remain central to managing and mitigating organisational risk,” Whittfield said.