Login
iscover
Supply chain risks singled out as a key weakness in the regulator’s survey.
Newsletter
ASIC slams ‘alarming’ neglect of cyber security
14 November 2023
•
10 minute read
An “alarming” number of organisations neglect cyber security and fall short when it comes to protecting confidential data or managing supply chain risks, a survey by ASIC found.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
It said the Cyber Pulse Survey “exposed deficiencies” in critical cyber capabilities and revealed organisations were reactive rather than proactive, with smallest companies faring worst.
“Understandably, due to competing demands for limited human and financial resources, small organisations lagged behind in third-party risk management, data security, consequence management, and adoption of industry standards than larger entities,” the report said.
The top three threats were rated as business email compromise (13 per cent), ransomware (17 per cent) and phishing (26 per cent) and the report identified four areas for improvement: supply chain risk management, data security, consequence management and adoption of cyber security standards.
ASIC chair Joe Longo said some aspects of the report were of special concern.
“For all organisations, cyber security and cyber resilience must be a top priority,” he said.
“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44 per cent of participants are not managing third-party or supply chain risks.”
The survey showed 44 per cent failed to manage the risk from vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information.
It also found 58 per cent of organisations had limited or no capability for the adequate protection of confidential information.
“Ransomware threat actors target confidential information,” the report said. “To limit the impact of cyber breaches, organisations should identify, classify and secure confidential information – and limit what is stored.”
One-third lacked a cyber incident response plan that would allow an organisation to quickly respond if its protection measures failed while 20 per cent had yet to adopt a cyber security framework to help identify and manage risks.
“An organisation should adopt and implement a cyber security standard that is proportionate to the nature, size and complexity of the organisation,” it said.
“Implementing a cyber security standard begins with a cyber risk assessment and identification of gaps in cyber risk management.”
Mr Longo said the capacity to rebuild after a cyber attack had to be part of any strategy.
“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident,” he said. “It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,” Mr Longo said.
“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
The report singled out smaller organisations with four recommendations:
- Engage a cyber security expert to evaluate the key cyber risks and implement an appropriate security standard.
- Strengthen cyber defences and implement risk controls while efficiently managing cyber security investments.
- Adopt risk management practices that prioritise critical assets, key cyber risks and potential threats.
- Ensure limited resources are used efficiently to protect against cyber threats that have the potential to impact their operations (for example, by outsourcing cyber security functions to specialised experts).
The voluntary survey was completed by 697 participants with representation across different organisation sizes, types, sectors and sub-sectors, with 42 per cent holding an AFS licence.
The survey asked participants to assess their cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents and recovering from cyber security incidents.
The survey came just days after a cyber attack forced stevedore DP World to shut port terminals across the country, stranding thousands of shipping containers.
You need to be a member to post comments. Become a member for free today!
