Organisations will face a greater volume of cyber attacks moving forward, a new report has warned.
MinterEllison has released the seventh edition of the Perspectives on Cyber Risk report, which includes extensive research on the state of cyber risk in 2022.
According to the report, the cyber landscape is “dangerously evolving”, as organisations face a greater volume of cyber attacks and suffer “increasingly severe financial and reputational consequences”.
The research also showed that 90 per cent of respondents personally received an obvious phishing email or ransomware security threat in the last 12 months, with 56 per cent confirming that cyber security risk ranks as high risk (top five) on their organisation’s corporate risk register. In addition, 25 per cent of respondent organisations were subject to at least one cyber security incident in the past 12 months that compromised their systems or data.
Despite these numbers, less than 50 per cent of organisations said they had taken steps to assess their cyber security maturity against an established framework.
Organisations must now comply with new laws, including the Security of Critical Infrastructure (SOCI) legislation and ransomware-specific regulation, while amendments to the Privacy Act have also been proposed.
The report notes that privacy and corporate regulators, such as the Office of the Australian Information Commissioner (OAIC), the Australian Securities and Investments Commission (ASIC), the Australian Competition and Consumer Commission (ACCC), and the Australian Prudential Regulation Authority (APRA), have put organisations on notice that they will take enforcement action against those who fail to comply with regulatory obligations and standards.
This was seen in the Federal Court earlier this month, when the court handed down a landmark judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd FCA 496 and found that the financial services provider had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems in place to manage its cyber security risks.
According to the report, “2020-21 saw a 15 per cent increase in ransomware-related cybercrime compared to the previous financial year, as reported in the Australian Cyber Security Centre’s annual report. In 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.”
“Many organisations we interviewed told us they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware playbook to implement should one occur. Governments around the world are responding. The Australian government released its Ransomware Action Plan in October 2021, which sets out its intention to introduce ransomware-specific laws,” it said.
As such, board awareness and education must be a priority for organisations moving forward, as cyber risks continue to escalate. Within that context, board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.
However, many Australian organisations are struggling to find cyber security specialists, according to the report.
“Many organisations said that finding qualified and experienced IT security personnel continues to be a significant challenge. This is exacerbated by the ‘great resignation’ and global resourcing issues, but the cyber resourcing problem predates them. Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea,” it stated.
“In our one-on-one interviews, technology and information security leaders told us that cyber insurance is becoming increasingly more expensive and its coverage more limited – both in terms of the extent of policy exclusions, and the lower available limits. Leaders recognise that cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to uplift their cyber resilience.”
In terms of mitigating cyber risk, the report recommends that organisations align cyber security measures with an external framework, such as the ASD Essential Eight Maturity Model or the NIST Cybersecurity Framework.
Furthermore, organisations should conduct cyber incident response plan drills and regularly test cyber incident response plans – as well as update them to reflect an ever-changing environment.