As organisations across Australia implement digital transformation projects and increase their adoption of cutting-edge technologies such as artificial intelligence (AI), the level of associated cyber risk rises. Further, these risks become more complex and harder to manage.
It is imperative that business leaders understand the nature of the cyber risks and threats facing their organisations and how to address them.
We recently found that fewer than half (45%) of Australian businesses surveyed for an international study rated their IT security posture as effective or very effective when it came to identifying and responding to threats.
The other countries surveyed showed the same pattern. We decided to dig deeper to understand why this might be the case, and what organisations can do to boost their cyber resilience and mitigate risk.
Gaps in security governance
Some of the biggest challenges facing organisations trying to manage cyber risk are related not to technology, but to how security is governed and implemented across the organisation. For Australian organisations with between 100 and 2,500 employees, these challenges include:
Inadequate incident response strategies
Only half the Australian businesses surveyed have an incident response plan that is applied consistently across their organisation, while 1 in 10 don’t have a plan at all. An organisation without a plan for what to do when a security incident occurs risks finding itself in the precarious position of not knowing how to react, and consequently doing nothing or doing the wrong thing.
Lack of consistent company-wide security policies and programs
The most cited governance challenge was a lack of consistent enterprise-wide security policies and programs. This was listed as a top two challenge by 49% of Australian organisations.
Enforcing consistent policies can be difficult for security teams. Leaders may hesitate to approve security measures that seem burdensome or restrictive.
Meanwhile, employees may push back against controls, especially if they’re accustomed to unrestricted access. Others may simply be unaware of the security policies that apply to them, leading to confusion and resistance, both of which heighten organisational risk.
Lack of leadership support and understanding
Around a quarter (26%) of the Australian businesses surveyed worry that their management teams do not perceive cyberattacks as a significant threat. This is not a question of management failure.
It is hard for business leaders to engage with or care about something they don’t fully understand. The onus is on security professionals to speak in a language that means something to business leaders, translating technical risk into business terms and articulating how proactive defence safeguards brand reputation.
A lack of third-party visibility and control
Supply chain risks pose significant challenges for all organisations, irrespective of their size. Almost half of the Australian respondents (46%) said that not having a ‘complete inventory of third parties with access to sensitive and confidential data’ was a top two governance challenge.
The unfortunate reality is that much of the supply chain operates outside a company’s security boundaries. This means companies inherently have much less control over the risks that third-party organisations take.
Shadow IT, the unsanctioned use of software applications by employees, also poses significant security risks, because such applications circumvent company policies and controls. Even sanctioned software tools can introduce risk, as many have expanded into platforms featuring marketplaces for third-party apps and plug-ins, each of which is another party with access to company data.
Moreover, the unregulated use of generative AI tools, whether publicly hosted services or open-source models run outside corporate controls, can expose company data beyond the confines of corporate security measures.
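Visibility is the first step towards regaining control over shadow IT. The following is an added example, not code from the original article or from any product it mentions: a small detector that runs over web-proxy log lines and flags users pushing data to generative-AI services or upload sites that are not on the organisation’s sanctioned list. The log format, every host name and the alert threshold are constructed for illustration only.

```python
"""Flag possible shadow IT / unsanctioned generative-AI use in web proxy logs.

Added example, not from the original article. The log format, the host
names and the alert threshold below are constructed/hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample proxy log (not real traffic). One request per line:
# <epoch> <user> <method> <host> <bytes_out> <http_status>
SAMPLE_LOG = """\
1717400000 alice POST approved-crm.example 2048 200
1717400005 bob POST chat.ai-tool.example 184320 200
1717400010 bob POST chat.ai-tool.example 921600 200
1717400011 carol GET news.example 0 200
1717400020 dave POST paste.filedrop.example 5242880 201
1717400030 alice POST sanctioned-ai.example 65536 200
1717400040 erin POST chat.ai-tool.example 1024 200
"""

# Tools the organisation has approved (hypothetical names).
SANCTIONED_HOSTS = {"approved-crm.example", "sanctioned-ai.example"}
# Known generative-AI endpoints, sanctioned or not (hypothetical names).
GENAI_HOSTS = {"chat.ai-tool.example", "sanctioned-ai.example"}
# Other unsanctioned upload destinations, matched on the host suffix.
UPLOAD_HOST_PATTERNS = [re.compile(r"(^|\.)filedrop\.example$")]

# Cumulative bytes a user may send to one unsanctioned host before we alert.
UPLOAD_ALERT_BYTES = 100 * 1024


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    category: str  # "unsanctioned_genai" or "unsanctioned_upload"
    bytes_out: int
    requests: int


def parse_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, host, bytes_out, status = parts
    try:
        return {"ts": int(ts), "user": user, "method": method.upper(),
                "host": host.lower(), "bytes_out": int(bytes_out),
                "status": int(status)}
    except ValueError:
        return None


def classify_host(host):
    """Return a finding category for an unsanctioned host, else None."""
    if host in SANCTIONED_HOSTS:
        return None  # approved tool: out of scope for shadow-IT alerts
    if host in GENAI_HOSTS:
        return "unsanctioned_genai"
    if any(p.search(host) for p in UPLOAD_HOST_PATTERNS):
        return "unsanctioned_upload"
    return None


def find_shadow_it(log_text, threshold=UPLOAD_ALERT_BYTES):
    """Aggregate outbound bytes per (user, host) and return findings
    whose total meets the threshold, largest first."""
    totals = defaultdict(lambda: [0, 0])  # (user, host, cat) -> [bytes, reqs]
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only data-bearing methods indicate data leaving the organisation.
        if rec is None or rec["method"] not in {"POST", "PUT"}:
            continue
        category = classify_host(rec["host"])
        if category is None:
            continue
        entry = totals[(rec["user"], rec["host"], category)]
        entry[0] += rec["bytes_out"]
        entry[1] += 1
    findings = [Finding(u, h, c, b, n)
                for (u, h, c), (b, n) in totals.items() if b >= threshold]
    return sorted(findings, key=lambda f: f.bytes_out, reverse=True)


if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOG):
        print(f"{f.user:<6} {f.host:<26} {f.category:<20} "
              f"{f.bytes_out:>9} bytes over {f.requests} request(s)")
```

Run against the constructed sample, the detector reports dave’s large upload to the unsanctioned file-drop host and bob’s repeated posts to the unsanctioned AI chat tool, while alice’s use of the approved AI service and erin’s sub-threshold request are ignored. The point is the structure, not the lists: the sanctioned set should come from the organisation’s software inventory, and the threshold should be tuned to what normal use looks like in your own logs.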
Lack of security personnel
Australian respondents also reported that a shortage of skilled security professionals (26%) was one of their top governance challenges.
AustCyber estimates that Australia may need around 16,600 additional cybersecurity workers, in technical as well as non-technical roles, by 2026, and even today a substantial number of cyber security positions remain unfilled because companies can’t find the right talent.
From risk to resilience
In today’s increasingly digital landscape, where attackers actively use the latest technologies to target every corner of an organisation’s IT infrastructure, for many organisations a security incident is a question of when, not if.
Cyber resilience is about having the tools and security measures in place to withstand, respond to and recover from a security incident: being able to bend rather than break.
Effective prevention and detection measures remain a critical first line of defence. However, cyber resilience means shifting from focusing solely on blocking attacks to also being able to contain and neutralise an incident once prevention has failed.
This may seem like a daunting process, but there are tools available to help – including a practical cyber resilience checklist based on the NIST cybersecurity framework, and Australia’s Cyber Security Governance Principles.
Not every company has all the security resources, tools, and processes it needs on day one, and risk levels change over time. A roadmap approach will help you to keep track of where you are on your journey towards cyber resilience and where to go next.