A new study by the Australian Institute of Company Directors (AICD), in partnership with the Australian Information Security Association (AISA), reveals that while most Australian directors see cybersecurity as a high priority issue, there is still a lack of formal oversight at a board level.
More than 850 directors were surveyed for the Boards and Cyber Resilience study, investigating board preparedness for cybersecurity incidents and benchmarking current practice to guide further education initiatives for directors.
The survey found that 72 per cent of respondents say cybersecurity is a ‘high priority’ issue for their board. Recent Director Sentiment Index surveys mirrored this finding with cybersecurity having moved up to the top-ranking issue keeping directors ‘awake at night’.
However, at an organisational level, there are gaps in implementing cyber governance frameworks, with only around half (53 per cent) of directors saying their organisation has a formal cybersecurity framework or strategy in place.
Other results that indicate there is still room for improvement in board oversight include:
- Only 44 per cent of directors indicate receiving training in cyber risk, and even fewer (23 per cent) have appointed directors with cyber skills;
- Around 39 per cent of directors say they have made cybersecurity a specific focus of a board committee;
- 36 per cent of directors say they receive regular reporting on internal training and testing; and
- Just 21 per cent of directors receive reporting on the cyber performance of key third-party suppliers.
AICD Managing Director and CEO, Angus Armour, said, “Directors are awake to the risk of cyberattacks but that awareness needs to translate into action at a board level to ensure proper oversight of cyber issues.
“These results suggest that many Australian boards need to set higher expectations around the information they receive from management to have effective oversight of cyber practices.
“As well as receiving regular reporting on cyber strategy and cyber security policies, boards that are advanced in cyber governance practices are making cybersecurity a specific focus of a board committee and undergoing dedicated director training.”
AISA Chair, Damien Manuel, said, “The pandemic has pushed many organisations to digitally transform without the appropriate level of information and data governance and oversight. Boards need to rapidly increase their ability to adequately respond to cyber incidents that adversely impact the organisation’s reputation, staff, trust with customers and suppliers.
“Cyber security needs to be aligned to the organisation’s business objectives and strategy. It should be seen as a business enabler and not as a standalone function. It should be integrated at a people, business process and technology level. At the end of the day, it’s a risk we need to manage in our personal and work lives.”
In a positive sign, in the last year alone, three in four directors report increased investment in cybersecurity, with 33 per cent saying that it has increased ‘significantly’.
Other key findings from the Boards and Cyber Resilience study:
- 89 per cent of directors say their businesses have one or more characteristics that make them especially susceptible to a cyber attack, such as holding sensitive customer, client, or member data, or providing a service to government.
- Compared to their private sector counterparts, government and NFP sector organisations are more likely to have characteristics that make them vulnerable due to the sensitive nature of the data they hold (94 per cent and 92 per cent respectively).
- Only 36 per cent of SME directors have a formal cyber framework in place, with 45 per cent instead opting for an informal strategy. This is compared to about three in four listed companies which have formal frameworks.
- 42 per cent of NFP directors report having a formal cyber framework in place, with 20 per cent reporting the absence of any cyber framework or strategy (whether formal or informal).
- Small (63 per cent) and medium (52 per cent) sized organisations are more likely than larger organisations (45 per cent) to have limited resources to dedicate to cyber resilience.
- Directors of small organisations are five times more likely than directors of large organisations to believe their business will be unable to recover following an attack.
- More than half of directors (56 per cent) state that a lack of resources is impeding the improvement of organisational cyber practices. This number increases to 64 per cent for NFPs.
- More than half (56 per cent) of directors report having a cyber insurance policy in place with another 15 per cent currently in the market for cover. It is becoming increasingly difficult to obtain appropriate cover.
Helping members to develop their cybersecurity knowledge to fulfil their obligations is a focus for the AICD and we are working on a range of resources to help directors improve their cyber governance, including a new AICD course “The board’s role in cyber”.
Media contact: Maegen Sykes 0439 167 567