Cyber security and your board
The Australian Securities Exchange (ASX) has released its first ASX 100 Cyber Health Check Report: Capturing the opportunities while managing the threats, which gauges how the boards of Australia’s largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world. The information is applicable to New Zealand as well, says Board Dynamics CEO Henri Eliot.
The ASX 100 Cyber Health Check Report highlights the great progress made in the last year in raising the awareness of cyber at the most senior levels of Australian business. It also shows that we have plenty to do, with some great momentum to harness. The majority of the organisations surveyed agree that this issue is only going to become more prominent as the Australian business landscape embraces technology and innovation, and we all play a crucial role in uplifting the resilience of the Australian market.
The report notes, “while the extent of cyber risk management varies broadly across companies, this report demonstrates a high level of risk awareness at the top levels of corporate Australia and a commitment to take further action. Significant progress has already been made, but there are gaps when it comes to building organisational preparedness and resilience.”
An industry-led initiative, the ASX 100 Cyber Health Check forms part of the Australian federal government’s Cyber Security Strategy.
This policy encourages government, regulators and businesses to collaborate to tackle cyber risk. The research helps boards and executives to better understand how mature their cyber risk management is.
It identified five trends:
- Cybersecurity is a major and growing risk for boards.
- Effectively tackling cyber risk requires a culture of collaboration.
- Boards demonstrate an understanding of the seriousness of cyber risk.
- Companies are improving their cyber risk management but there is still much more to do.
- Defining and analysing exposure is fundamental.
The research drew on insights from boards of ASX 100 companies which are taking action to strengthen Australia’s resilience to cyber-attack.
As the report states, “the partnership of industry, government and regulators working together demonstrates the critical importance of strong national cybersecurity to Australian business and the millions of investors who hold shares in Australian companies.
“The sharing of best practice, and increased awareness and engagement by directors and executives of listed companies, are important steps in building the cyber resilience of Australian business.”
These statistics are an important reminder to boards and management that it is important for their organisations to reconsider their current plan or, if one does not exist, to consider implementing one.
“While many organisations might not yet have been the subject of a cyber-attack, this does not mean they are immune from the risk. Complacency in the face of action being taken by others may actually make an organisation more of a target, particularly if the inaction of the organisation is easily apparent.”
A robust plan will generally have been prepared with input from all levels and functions of the business, from the boardroom to the employees on the shop floor. No longer can it be restricted to those in the IT department. Organisations of all sizes must be confident that:
- the plan they have in place addresses the often unique risks associated with their business;
- staff are appropriately trained so that they can spot a cyber-attack and know their role in responding to such an attack;
- they have dedicated sufficient resources to supporting the plan (notably, no organisations reported having overspent on cyber security); and
- the plan evolves with changes in legislation and business practices, and to address new types of cyber-attacks.
In preparing a robust plan, organisations should also be mindful of their limitations from a technical perspective. The report highlighted that just 7% of directors clearly understood “the cyber security of the broader ecosystem in which the company operates” and 63% said that their “understanding of the biggest IT security exposures is limited or non-existent”.
These limitations, and the constantly changing regulatory landscape, highlight the need for businesses to obtain appropriate external legal, IT and public relations support when preparing their plan. Obtaining such support will assist businesses to identify any blind spots and to ensure that they are as well prepared as possible for any cyber-attack or data breach.