
ASIC slams ‘alarming’ neglect of cyber security

Technology

Supply chain risks singled out as a key weakness in the regulator’s survey.

By Philip King

An “alarming” number of organisations neglect cyber security and fall short when it comes to protecting confidential data or managing supply chain risks, a survey by ASIC found.

It said the Cyber Pulse Survey “exposed deficiencies” in critical cyber capabilities and revealed that organisations were reactive rather than proactive, with the smallest companies faring worst.

“Understandably, due to competing demands for limited human and financial resources, small organisations lagged behind in third-party risk management, data security, consequence management, and adoption of industry standards than larger entities,” the report said.

The top three threats were rated as business email compromise (13 per cent), ransomware (17 per cent) and phishing (26 per cent) and the report identified four areas for improvement: supply chain risk management, data security, consequence management and adoption of cyber security standards.

ASIC chair Joe Longo said some aspects of the report were of special concern.

“For all organisations, cyber security and cyber resilience must be a top priority,” he said.

“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44 per cent of participants are not managing third-party or supply chain risks.”

The survey showed 44 per cent failed to manage the risk from vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information.

It also found 58 per cent of organisations had limited or no capability for the adequate protection of confidential information.

“Ransomware threat actors target confidential information,” the report said. “To limit the impact of cyber breaches, organisations should identify, classify and secure confidential information – and limit what is stored.”

One-third lacked a cyber incident response plan that would allow an organisation to respond quickly if its protection measures failed, while 20 per cent had yet to adopt a cyber security framework to help identify and manage risks.

“An organisation should adopt and implement a cyber security standard that is proportionate to the nature, size and complexity of the organisation,” it said.

“Implementing a cyber security standard begins with a cyber risk assessment and identification of gaps in cyber risk management.”

Mr Longo said the capacity to rebuild after a cyber attack had to be part of any strategy.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident,” he said. “It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks.”

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

The report singled out smaller organisations with four recommendations:

  • Engage a cyber security expert to evaluate the key cyber risks and implement an appropriate security standard.
  • Strengthen cyber defences and implement risk controls while efficiently managing cyber security investments.
  • Adopt risk management practices that prioritise critical assets, key cyber risks and potential threats.
  • Ensure limited resources are used efficiently to protect against cyber threats that have the potential to impact their operations (for example, by outsourcing cyber security functions to specialised experts).

The voluntary survey was completed by 697 participants with representation across different organisation sizes, types, sectors and sub-sectors, with 42 per cent holding an AFS licence.

The survey asked participants to assess their cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents and recovering from cyber security incidents.

The survey came just days after a cyber attack forced stevedore DP World to shut port terminals across the country, stranding thousands of shipping containers.

Philip King, author

Philip King is editor of Accountants Daily and SMSF Adviser, the leading sources of news, insight, and educational content for professionals in the accounting and SMSF sectors.

Philip joined the titles in March 2022 and brings extensive experience from a variety of roles at The Australian national broadsheet daily, most recently as motoring editor. His background also takes in spells on diverse consumer and trade magazines.
