Most Australian board members feel ill-equipped for cyberattacks
After a tumultuous year for cybersecurity, the topic of cyber risk is prevalent in Australian boardrooms. But, despite prioritising cybersecurity more—and despite making investments in it—most board members feel unprepared for cyberattacks, new research shows.
Proofpoint surveyed 659 board members globally for the second annual “Cybersecurity: The 2023 Board Perspective.” The findings reveal that 84% of participating board members in Australia view cybersecurity as a priority, higher than the 73% global average. Furthermore, 81% believe they have invested adequately in cybersecurity, and 88% anticipate their cybersecurity budgets will increase in the next 12 months. These findings are encouraging, especially since Australia lagged behind other countries last year in terms of prioritising cyber risks.
However, investing time and money into cybersecurity has not produced the expected results. Nearly three-quarters of surveyed Australian directors feel that their organisation is at risk of a material attack in the next 12 months, compared to just over half the previous year. Additionally, 59% feel unprepared to cope with a targeted attack, higher than the 53% global average.
The events of the past year may have contributed to the disconnect between awareness and preparedness. According to news reports, the Australian Information Commissioner said that the number of cyberattacks grew by 67% between the first and second half of 2022. We also experienced several massive data breaches.
Emerging threats such as generative artificial intelligence (AI) may have also impacted the directors’ sentiments, as 71% expressed belief that tools such as ChatGPT create a security risk for their organisation. An increase in targeted email fraud is currently one of the biggest concerns, considering that the new AI tools can help create more convincing phishing emails in various Asia Pacific languages. Concerns will grow further as cybercriminals begin to take advantage of open-source generative AI to perpetrate cybercrimes.
The disconnect between awareness and preparedness suggests that organisations understand they can be compromised in many ways, yet the fear of the unknown makes them feel vulnerable. One of the biggest challenges is the board’s lack of education. Every business is unique and complex, and its risk profile has many nuances. With a large number of organisations planning to increase their cybersecurity budgets, this is an opportune time for boards to boost their cyber knowledge and lead conversations that can drive meaningful change.
Is business risk ‘lost in translation’?
The Australian Parliament’s passage of the Privacy Legislation Amendment Bill 2022 upped the ante on privacy last year. The substantial increase in penalties certainly has the boardroom’s attention. The Proofpoint report confirms that boards are demonstrating their fiduciary responsibility to improve cyber resilience. However, it also suggests that there is a big knowledge gap around cybersecurity, and this lack of knowledge will hinder the boards’ effectiveness in managing cyber risks.
Around three-quarters of surveyed Australian directors believe that their board clearly understands the cyber risks their organisation faces. This assessment is overly optimistic, given the large number of directors who are not seeing the impact of the time and money they are spending on cybersecurity.
The lack of a direct connection between directors and their Chief Information Security Officer (CISO) is one of the biggest challenges for boards seeking answers. Only 57% of Australian directors say they interact with their CISO regularly. Even when they are communicating, boards may not be receiving the right information or asking the right questions. Far too often, the risks are presented to the board in an ad hoc and IT-centric fashion. If the technical data doesn’t get translated into business risks, boards simply cannot be effective at providing cybersecurity oversight.
Looking at risk broadly rather than through the lens of an organisation’s specific situation is also a common mistake. Understanding overall cybersecurity trends is important for directors, but it is equally important to understand how factors such as their organisation’s business model and sector impact their risk profile. For example, a company may not have customer data or conduct online transactions but may own valuable research and development data. This company may be targeted for very different reasons compared to an e-commerce retailer.
Boards have a steep learning curve to come up to speed, and the first step is to stop asking boilerplate, generic questions. What makes your business unique, and how do those variables make it vulnerable to attacks? What are the implications of the different types of data your organisation holds? How are all these cyber risks driving your business risks? These are the types of questions that can help ensure that information is not lost in translation as it makes its way through the C-suite to the boardroom.
Bridging the knowledge gap
Cyber expertise on the board is one of the top three desired changes on surveyed Australian board members’ wish lists. Cyber education is an essential step in gaining this expertise, and education is not a “one-size-fits-all” endeavour. Each board must seek out an educational program that is tailored to their company, risk profile, and risk appetite.
By narrowing their knowledge gap, directors can feel more comfortable asking the right questions and ensuring they’re adequately analysing, prioritising, and monitoring risks. Strong relationships with CISOs are also key to this effort as cyber risk grows more complex.
The good news is that “Cybersecurity: The 2023 Board Perspective” shows gradual improvement in the CISO-board relationship. Board members who pursue better education and collaborate strategically with their CISO will be in a much better position to understand what they need to do to protect their organisation. Only then will they be able to confidently answer the question of whether they’re doing enough and investing in the right cybersecurity resources.