Cybercrime is the second most-reported economic crime in Australia and costs the economy an estimated $17 billion annually, but despite this there are widespread “frailties” in the governance of cyber security among executives in both the public sector and private enterprise, according to a newly published report.
The survey of Australia's security preparedness by the Macquarie Telecom Group and the National Security College found that there is considerable variation in cyber-risk governance arrangements and an absence of cyber-risk knowledge at the executive/board level.
In government agencies, the report says knowledge of cyber risks is still inadequate, and among respondents to the survey, 41% regard their executive team/board as having poor or limited knowledge of cyber risks. Only 50% of executive teams are provided cyber threat reports monthly or more frequently.
In medium-sized businesses in the private sector, the study found that there was insufficient executive knowledge of cyber risks, with 58% of respondents stating their board had a sufficient understanding of cyber risks, and 30% saying their board or executive team never received reports of cyber threats, while 46% reported their board discusses cyber security “rarely or never”.
Among private enterprises, awareness of government services was found to be limited, with just 46% of respondents aware of the Australian Cybercrime Online Reporting Network (ACORN), while 47% tended not to report attacks stemming from malware or distributed denial of service (DDoS).
In government agencies, the survey found that cyber risk management is still not prioritised across all agencies, with 84% having an individual chiefly responsible for cyber security, yet only 64% of those executives sitting on the executive team or board, “indicating that cyber risk management is not embedded at the highest decision-making levels”.
According to the survey, knowledge of cyber risks is still inadequate in government agencies.
Among government agency respondents, 41% regarded their executive team/board as having poor or limited knowledge of cyber risks, and only 50% of executive teams are provided cyber threat reports monthly or more frequently.
The report also says there is infrequent consideration of cyber risks in the government sector, with no agency reporting that cyber risk management was reviewed monthly or weekly.
“This contrasts with private business, where 31% review cyber risk management at least monthly. This reinforces the possibility that the culture of cyber security is not yet mature,” the report says.
On the risks and implications of their report, Macquarie Telecom and the National Security College say the “patchwork of governance arrangements” — shown in the variation of titles, responsibilities and executive team membership — “reflects latent problems with executive knowledge over the risks of cyber threats, their responsibilities, and how to improve cyber threat management”.
The two organisations also observe:
• It is likely that medium-sized companies and agencies remain unable to acquire the requisite experience and expertise in cyber security management. There is significant variance in cyber security roles, processes and internal/external reporting. The relative absence of systematic cyber risk discussion at board level indicates a cyber compliance culture rather than an active cyber risk management culture.
• The data indicates that executive/board knowledge of cyber risks is inadequate. The indication that executive knowledge of cyber risks is poor underlines the reduced capacity to adequately understand, and take seriously, the full range of threats to companies or agencies.
• It is likely that the full range of risks is not being adequately reported. The relatively high levels of tolerance for persistent — and perceived "low-level" — threats, such as malware and DDoS, suggest that the relevant Australian cyber security initiatives do not receive information on the range of cyber threats faced by Australia. This means authorities may lack the accurate and comprehensive information needed to appropriately prioritise national cyber defence initiatives.
• Government cyber security initiatives are not achieving purchase with medium-sized businesses. With just 38% of companies familiar with CERT Australia (the Computer Emergency Response Team), and 46% with ACORN, medium-sized enterprises are not taking full advantage of the services available to them.
In their recommendations, the two organisations say cyber-risk management should be “normalised” as core board business, and “asserted as a priority on a par with financial risk management as part of all government and business decision-making”.
According to the report, the benefit of implementing this recommendation is that the increasing array of digital risks is integrated into core organisational decision-making, risk assessments, investments and strategy planning. “Consequently, executive teams develop better situational awareness of their organisation’s key threats and opportunities,” the report notes.
The report also says that collaboration with government cyber security agencies should become the default policy setting for businesses and agencies, and “non-reporting of cyber threats should become the exception, not the rule”.
According to the two organisations, the collective security of all Australian companies is enhanced with the timely sharing of threats to public and private organisations.
“Sharing by default enhances the government’s awareness of the threat landscape and improves its capacity to act in the national and sectoral interest.
“The Commonwealth should offer incentives to companies and organisations to provide early and full disclosures of cyber breaches. In addition, executive teams should mandate the disclosure of all information security breaches to the relevant government agencies,” the report concludes.