Australia’s top 100 companies are increasing their levels of cyber security awareness and capability – but there is still much to improve. And, not surprisingly, the one-third of companies that have a clearly defined risk appetite for cyber are significantly better placed than those that do not.
Those are the headline findings of the ASX 100 Cyber Health Check, launched by the Hon Dan Tehan MP, Minister assisting the Prime Minister for Cyber Security, at the ASX in Sydney yesterday. The ASX100 Cyber Health Check is the first attempt to gauge how the boards of the ASX100 view their exposure to the cyber world – and give them a benchmark against which to assess their performance.
With the online economy growing at twice the speed of the rest of the global economy, companies need to access its benefits; the flip side is that they have to manage their exposure to its risks.
KPMG, which led the preparation of the report, and the other Big Four firms, surveyed clients in the top 100 to establish their cyber preparedness as part of Australia’s cyber-security strategy launched a year ago by the Federal Government.
Participation in the survey was voluntary, with a 76 percent response rate. That is impressive when compared with a response rate of less than 50 percent in a similar exercise for the UK FTSE 350, and an encouraging sign of corporate Australia’s awareness of the importance of the issue.
The findings, as with all surveys, can be viewed as positive or negative depending on whether you have a glass half full or half empty perspective.
The headlines are:
- 34 percent of boards have a clearly defined risk appetite for cyber – this is crucial
- 80 percent of respondents expected an increase in cyber risk over the next 12 months – probably explaining the high participation rate
- 32 percent assess their cyber culture annually – this could be improved
- 43 percent were confident they are properly secured against cyber-attacks with another 50 percent ‘somewhat’ confident
- 66 percent believed they had an appropriate level of investment but planned to increase it
- 75 percent had considered how they would notify customers/clients of a data breach
- Just 11 percent had a clear understanding of where the company’s key information or data assets are shared with third parties
- Also 11 percent are taking pro-active approaches to reassure investors and customers about the company’s cyber security.
The last three findings are the ones I would argue need most urgent attention. A much higher proportion need to be clearer on who has the keys to the company’s crown jewels – its data.
And one-quarter have not really planned a ‘what-if?’ scenario for a breach of customer data. In an era of social media, that is too high a proportion exposed to serious brand and reputational damage. More needs to be done to reassure customers and shareholders.
Data is the new currency – everyone is after it, including sophisticated hackers and criminals, as KPMG’s Fraud Barometer showed earlier this year.
While you would not expect board directors to be cyber-experts, the commitment to improve is shown by the fact that 67 percent have undergone information security training in the past year.
The key, to me, is formulating a clear risk appetite or strategy for cyber. Those that do are shown by our research to elevate the cyber issue from an IT department issue to a board level one. The appropriate priority and investment more easily follows, where the CFO is directly involved.
Effective governance is key to addressing cyber risk and building the company’s resilience. Taken collectively across corporate Australia, that is a genuine enabler for the national economy.