The ASIC Cyber Pulse Survey “exposed deficiencies” in critical cyber capabilities and revealed organisations were reactive rather than proactive, with smallest companies faring worst.

According to the report, due to competing demands for limited human and financial resources, small organisations lagged behind in third-party risk management, data security, consequence management, and adoption of industry standards than larger entities.

The foremost challenges confronting organisations on the cybersecurity front have been meticulously assessed, with the primary threats being delineated as follows:

• Business email compromise, constituting 13 percent of the identified risks
• Ransomware, registering at 17 percent
• Phishing, standing out as the most prominent concern at 26 percent.

In a comprehensive analysis, the report has pinpointed four critical domains that warrant strategic enhancement: supply chain risk management, fortification of data security protocols, the development of robust consequence management strategies, and the imperative adoption of recognised cybersecurity standards.

These identified areas serve as focal points for organisational augmentation, fortifying defenses against the evolving landscape of cyber threats.

The survey results also unveiled a concerning trend, indicating that a substantial 44 percent of entities struggled to effectively mitigate the risks associated with vendors, suppliers, partners, contractors, or service providers who had access to internal or confidential information within an organisation.

Furthermore, a noteworthy 58 percent of surveyed organisations demonstrated either limited or entirely lacking capabilities in ensuring the adequate protection of confidential information highlighting a critical need for organisations to bolster their risk management strategies and enhance protective measures.

ASIC chair Joe Longo says some aspects of the report were of special concern. “For all organisations, cyber security and cyber resilience must be a top priority,” he said.

One-third lacked a cyber incident response plan that would allow an organisation to quickly respond if its protection measures failed while 20 per cent had yet to adopt a cyber security framework to help identify and manage risks.

“Ransomware threat actors target confidential information,” the report said. “To limit the impact of cyber breaches, organisations should identify, classify and secure confidential information – and limit what is stored.”

“Implementing a cyber security standard begins with a cyber risk assessment and identification of gaps in cyber risk management.”

According to Mr Longo the capacity to rebuild after a cyber attack had to be part of any strategy.“ There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident

“It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.” he said.

Four Recommendations Singled Out

1. Engage a cyber security expert to evaluate the key cyber risks and implement an appropriate security standard.
2. Strengthen cyber defences and implement risk controls while efficiently managing cyber security investments.
3. Adopt risk management practices that prioritise critical assets, key cyber risks and potential threats.
4. Ensure limited resources are used efficiently to protect against cyber threats that have the potential to impact their operations (for example, by outsourcing cyber security functions to specialised experts).

A total of 697 participants voluntarily participated in the survey, providing a diverse representation of various organization sizes, types, sectors, and sub-sectors. Notably, 42 percent of the participants held an AFS license.

The survey tasked participants with evaluating their cyber resilience across six functions: governance and risk management, identification of information assets, protection of information assets, detection of cybersecurity events, response to cybersecurity incidents, and recovery from cybersecurity incidents.

Interestingly, the survey coincided with a recent cyber-attack that compelled stevedore DP World to close port terminals nationwide, resulting in the immobilisation of thousands of shipping containers.

Meanwhile Longo warned businesses must close “alarming” gaps in their cybersecurity defences, while experts said it would be “very costly” for telcos to comply with new cyber laws foisted on them after Optus’ network outage last week.

Mr Longo was speaking as the regulator released an annual snapshot of corporate Australia’s cyber preparedness on Monday, which found almost half were not managing third-party or supply chain risks, commonly used by hackers to breach companies.

Next week, the anticipated unveiling of the long-awaited national cybersecurity strategy by the government is anticipated. Emerging details highlight new obligations for companies to promptly notify the government of ongoing cyber incidents and ransom demands.

Additionally, telecommunications providers are slated to be included in more stringent Security of Critical Infrastructure (SOCI) laws.

As the survey delved into the cyber security practices of organisations, it was evident that a substantial portion lacks the robust measures necessary to combat the evolving threat landscape.

With cyber threats becoming increasingly sophisticated, the need for a proactive and comprehensive approach to security has become more critical than ever for Australian business.