Organisations too complacent on cyber risk – report

Despite increasing awareness and concern, not much is being done

Australian companies, government bodies and not-for-profit organisations are not doing enough to meet the threat of cyber attacks, despite increasing awareness of and concern about the issue, MinterEllison says in a study.

In 2016, 18% of respondents, up from 8% the previous year, said their organisations had been subject to more than five cyber incidents in the previous 12 months, the law firm said in its Perspectives on Cyber Risk 2017 report. By 2021, the world will see annual losses of more than $6tn from cyber risk, the report said.

In the firm’s CIO survey, 40% of respondents said they were dissatisfied with their organisation’s capability to prevent cyber incidents, up from 18% in 2015. Furthermore, only 10% said that they had a good understanding of their organisations’ exposure to cyber threats, down from more than 40% in the previous year.

When board members were asked, 65% of respondents said that they considered cyber risk to be more of a risk than 12 months ago, up from 35%. However, 44% said boards were briefed on cyber issues only on an annual or ad hoc basis, and 13% said boards were not briefed at all. In an indication that perhaps not enough is being done, just over half said cyber security spending had increased, a figure unchanged from the last Cyber Risk report, MinterEllison said.

The report also said that 42% of respondents do not have a data breach response plan, up from 27% in 2015. The firm also found that fewer than 20% regularly assess customer cyber risk profiles and fewer than half regularly audit the IT security practices of suppliers, both largely unchanged from the previous year. The report also said that cyber security is still wrongly seen as primarily an IT issue.

“Cyber attacks can entirely shut down businesses, causing significant (and sometimes irreparable) damage to corporate and government reputations, relationships and systems. They can adversely impact other businesses in the supply chain, compromise the privacy of millions of individuals, and threaten economic wellbeing and national security,” said Paul Kallenbach, MinterEllison technology partner. “Yet business is not responding quickly enough.”

There was, however, an increased uptake of cyber insurance, indicating a willingness to act on managing cyber risk, the report said. In 2016, 39% of respondents had bought cyber insurance, up from 24% in 2015. Kallenbach said, however, that organisations need to go beyond insurance.

“Cyber resilience should be a key focus area for all organisations in the next 12 months,” he said. “This requires deep board-level engagement with cyber risk; identifying the extent of the organisation's exposure to cyber risk (including due to supply chain risk); developing, implementing and testing procedures to protect the organisation from cyber incidents; and being able to deploy the resources (both technical and human) to identify a cyber incident in a timely manner, and to respond to and recover from an incident.”

The report gathered data from more than 100 legal counsel, CIOs, COOs, board members, IT specialists and risk managers of ASX200 and private companies and government and not-for-profit organisations.
