ASIC report identifies cyber security gaps

Yasmine Masi, 14 November 2023

An Australian Securities and Investments Commission (ASIC) report has revealed the holes in Australian organisations’ cyber security capabilities and risk management.

The report was drawn from the results of the corporate watchdog’s recent cyber pulse survey, released amid a fresh wave of cyber attacks crippling several organisations’ systems in the past few months.

The results showed 44 per cent of survey respondents do not manage third-party or supply chain risk, more than half (58 per cent) have limited or no capability to adequately protect confidential information, 33 per cent do not have a cyber incident response plan, and one-fifth of participants have not implemented a cyber security standard.

ASIC said the results indicate that organisations take a reactive rather than a proactive approach to managing cyber security and cyber threats.

The report highlighted positive results in organisational capabilities for identity and access management, governance and risk management, and information asset management. However, smaller organisations lacked adequate third-party risk management, data security, consequence management and adoption of industry standards, which ASIC said was “understandable due to competing demands for limited human and financial resources”.

“For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks,” ASIC Chair, Joe Longo, said.

“Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks.

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

Air Marshal Darren Goldie, National Cyber Security Coordinator, said he was pleased to see the regulator’s work in highlighting key deficiencies in corporate Australia’s cyber resilience.

“Cyber security must be a priority for us all, including individuals and businesses large and small. Support is available – the National Office of Cyber Security works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he said.

“The 2023-2030 Australian Cyber Security Strategy will enable Australia to build and strengthen its cyber shields and develop our resilience to bounce back quickly.”
