There is a concerning gap in preparedness and capacity of Australian businesses to effectively anticipate and respond to cyberattacks, compared to their US and UK counterparts, research by RSM Australia has found.

The RSM report, Cyber storm rising: navigating the path to resilience for Australian businesses, includes a survey of 150 C-suite executives that shows only 50% of Australian business leaders are confident in their staff’s capacity to manage cybersecurity risk, compared to 84% of US and UK leaders.

Only one in three large organisations have very high confidence in their staff’s ability to handle breaches.

RSM Australia’s Security and Privacy Partner, Ashwin Pal, said the firm joined its US and UK counterparts in undertaking research on how business leaders are approaching cybersecurity, to understand the threat environment and develop best practice mitigation strategies.

Mr Pal said while it was positive that a majority of Australian leaders (64%) say their business is prepared to respond to an attack, this is considerably less than in the US and UK (94%). 

“While almost two-thirds of Australian businesses feel they are prepared and are gearing up to respond to cyber threats, this is mostly driven by large businesses and there is an opportunity to improve cyber readiness for businesses of all sizes,” Mr Pal said.

“Only 14% of large businesses and 25% of mid-sized businesses say they are not prepared to face a serious cyber incident, with the bulk of under-preparedness coming from the small business sector.

“There’s an urgent need for Australian organisations of all sizes to invest in risk management, tailored security measures and regular testing to get prepared for the next major glitch, outage or attack.

“You only have to look at the Optus and Medibank breaches (both in 2022) to see that even large organisations haven’t been getting the basics right, let alone smaller organisations with fewer resources.

Australian Signals Directorate data show Australian businesses are hit by a cyberattack every six minutes, with 94,000 cybercrime reports recorded in the 2022-23 financial year. 

RSM’s Australian cybersecurity survey findings

  • 29% of large businesses and 16% of medium businesses experienced one or more cyberattacks in the past 12 months
  • 32% of Australian businesses (compared to 26% in UK and US markets) had a third-party data breach in the past 12 months, with 23% reporting financial, reputational or operational impact
  • Phishing is the most common form of attack (20%), followed by data leaks (13%) and ransomware (10%)
  • 46% of large organisations have experienced a phishing attempt, and in 42% of firms the existing security plan was unsuccessful in limiting the damage related to direct data extraction
  • Of those who experienced phishing, 40% took between a week and a month to recover from the resulting ransomware and extortion, and 27% took more than a month to recover
  • A third (34%) of large organisations have either never vulnerability tested, or have not tested in the past 12 months. This rises to 45% for mid-sized firms, leaving them highly exposed to cyberattack
  • A quarter of large Australian firms and 58% of mid-sized firms don’t have cyber insurance

“Our research shows almost half of large organisations have done no internal testing and more than half have not tested their wifi or web applications or done external testing, which means they are extremely vulnerable to attack,” Mr Pal said.

“The need for robust cyber security preparation must be a top priority for any organisation, or they will face serious negative financial and reputational consequences.

“It’s concerning that Australian entities are lagging their US and UK counterparts. 

“Regular testing is essential for identifying and fixing gaps in incident response and business continuity plans.

“Without rigorous testing, organisations may overestimate their level of preparedness, leading to disastrous outcomes during actual cyber incidents.”

AI the focus of future attacks

The RSM Australia research found that just over half (51%) of businesses are making protection against AI-enabled cyber-attacks their top priority, followed by protection against ransomware and extortion attacks.

Businesses say their current top three cyber risks are:

  • Constantly evolving threat landscape
  • Complexity of their IT infrastructure
  • Lack of staff compliance and insufficient staffing and training

Pal’s colleague, Security and Privacy Risk partner Darren Booth, warns too many Australian businesses are still operating with a mindset of apathy or complacency.

“Clear communication of risks, and incentivising proactive risk management through KPIs, are part of the shift in mindset required for Australian organisations,” Mr Booth said.

He said one positive finding was that 89% of large organisations have increased their investment in cybersecurity in the past 12 months (only 65% of mid-sized organisations, and 52% of organisations of all sizes, have increased investment).

“The increased investment is promising but more needs to be done to decrease the risk and consequences of the attack,” Mr Booth said.

October is national Cyber Security Awareness Month and the 2024 theme is “Cyber security is everyone’s business”.