The Australian Securities and Investments Commission (ASIC) has had a reasonably long interest in corporates maintaining proper cyber security. Last year it successfully prosecuted a claim in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) for RI Advice Group's failure to maintain proper cyber security. The chair of ASIC today released Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. The warnings about weaknesses in cyber defences are not surprising to those who work in the privacy and cyber security space. Some organisations take the problem seriously; many don't. It is yet another clarion call for proper regulation and then proper enforcement.
The statement provides:
The Australian Securities and Investments Commission (ASIC) has called for organisations to prioritise their cybersecurity after a recent survey shows 58 percent of Australian businesses have limited or no capability to protect confidential information adequately.
The inaugural Cyber Pulse Survey commissioned by ASIC, also highlighted that 44 percent of participants do not manage third-party or supply chain risk and 33 percent of participants do not have a cyber incident response plan.
ASIC noted the results of the voluntary self-assessment survey have exposed deficiencies in cybersecurity risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cybersecurity.
Joe Longo, chair at ASIC, said for all organisations, cybersecurity and cyber resilience must be a top priority.
“ASIC expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain – it was alarming that 44 percent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.
Participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.
Due to competing demands for limited human and financial resources, the survey showed that small organisations lagged behind larger entities in third-party risk management, data security, consequence management, and adoption of industry standards.
“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks,” Longo said.
“An effective cybersecurity strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
Air Marshal Darren Goldie, national cybersecurity coordinator, said cybersecurity must be a priority for everyone, including individuals and businesses large and small.
“Support is available – the national office of cybersecurity works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he ended.
The Executive Summary of the Report