SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Gap in cyber preparedness between Australia, UK, & US

Today

New research by RSM Australia reveals a significant gap in cyberattack preparedness and response capacity between Australian businesses and those in the US and UK.

The report "Cyber Storm Rising: Navigating the Path to Resilience for Australian Businesses" surveyed 150 C-suite executives, revealing that only 50% of Australian business leaders are confident in their staff's ability to manage cybersecurity risks. This contrasts starkly with 84% of leaders in the UK and US who share the same confidence in their employees.

According to the findings, just one-third of large Australian organisations express a very high level of confidence in their staff's capacity to handle breaches.

RSM Australia's Security and Privacy Partner, Ashwin Pal, commented on the survey's outcomes, noting that "while it was positive that a majority of Australian leaders (64%) say their business is prepared to respond to an attack, this is considerably less than in the US and UK (94%)."

Pal elaborated, "While almost two-thirds of Australian businesses feel they are prepared and are gearing up to respond to cyber threats, this is mostly driven by large businesses and there is an opportunity to improve cyber readiness for businesses of all sizes." He highlighted the disparities in preparedness, stating that "only 14% of large businesses and 25% of mid-sized businesses say they are not prepared to face a serious cyber incident, with the bulk of under-preparedness coming from the small business sector."

The research findings also emphasised the urgency for Australian organisations to invest in risk management, tailored security measures, and regular testing to brace for potential cyber incidents. Pal stressed, "There's an urgent need for Australian organisations of all sizes to invest in risk management, tailored security measures and regular testing to get prepared for the next major glitch, outage or attack. You only have to look at the Optus and Medibank breaches (both in 2022) to see that even large organisations haven't been getting the basics right, let alone smaller organisations with fewer resources."

Australian Signals Directorate data showed that Australian businesses experience a cyberattack every six minutes, with 94,000 cybercrime reports recorded in the 2022-23 financial year. The report also noted that 29% of large businesses and 16% of medium-sized businesses experienced one or more cyberattacks in the past year.

The survey revealed that 32% of Australian businesses reported a third-party data breach in the past year, higher than the 26% reported in the UK and US markets. Furthermore, only 66% of large firms and 55% of mid-sized firms have carried out a response test to a cyberattack in the past year.

Pal warned about the lack of rigorous internal and external testing, stating, "Our research shows almost half of large organisations have done no internal testing and more than half have not tested their Wi-Fi or web applications or done external testing, which means they are extremely vulnerable to attack." He emphasised, "The need for robust cyber security preparation must be a top priority for any organisation, or they will face serious negative financial and reputational consequences."

The research also investigated the growing threat of AI-enabled cyberattacks, noting that over half of Australian businesses are prioritising protection against these types of threats. RSM Security and Privacy Risk Partner Darren Booth remarked, "Clear communication of risks, and incentivising proactive risk management through KPIs, are part of the shift in mindset required for Australian organisations." He added, "The increased investment is promising but more needs to be done to decrease the risk and consequences of the attack."
