Ready on paper, not in practice: The incident response gap in Australian organisations
Most Australian organisations believe they are ready to face a cyber crisis, with 97% reporting they have incident response plans in place. This is an encouraging statistic at first, but when the same organisations are asked about the practical details and real-life effects of those plans, a different (and more chaotic) story emerges.
76% of Australian organisations experienced at least one high-impact cyber incident that stopped their critical business functions in the past year. This type of disruption could severely impact business continuity, leading to extended downtime and financial consequences that may escalate into the millions.
To make matters worse, nearly 40% of organisations suffered multiple major incidents in the past year.
It raises the question: why aren't organisations' cyber response plans driving stronger business resilience?
The truth is, security teams often build their plans around assumptions rather than real-world threats and trends. That gap becomes painfully obvious during an actual incident, when organisations realise they aren't adequately prepared to respond.
Recent findings of a Semperis study titled The State of Enterprise Cyber Crisis Readiness revealed a strong disconnect between organisations' perceived readiness to respond to a cyber crisis and their actual performance. The study also showed that cyber incident response plans are being implemented and regularly tested, but not broadly. In a real-world crisis, too many teams are still operating in silos.
With the global cost of cybercrime estimated to reach as much as 10.5 trillion dollars in 2025, Australian organisations must invest in their cyber resilience now. Simply hiring more people isn't the answer. To drive resilience, organisations need to fix gaps in cross-team communication and coordination, but this is not always a simple task.
The key challenges in launching an effective cyber response
In the survey, Australian organisations were asked if any key factors were blocking their ability to launch an effective cyber response. Only 10% said they didn't face any roadblocks, revealing a common sense of frustration among respondents.
- Communication gaps
Communication gaps topped the list of roadblocks, and for good reason. Consider a scenario where an organisation has suffered a ransomware or other severe attack, which has disrupted its email and messaging systems, rendering them unusable. Without a dedicated communication tool that sits outside the affected email and messaging server, teams often struggle to communicate effectively.
- Out-of-date response plans
Organisations were also stymied by outdated or one-size-fits-all response plans. Often, companies in crisis find that their playbooks don't reflect the way their business actually operates. Unless incident response plans are tailored to the organisation's specific industry and business needs, the results can be chaotic. For example, a generic plan might drive people through an unrealistic escalation path that they can't actually implement because it doesn't match their technology, staffing, or budget capabilities.
- Unclear roles and responsibilities
Having unclear roles and responsibilities can further add to the chaos. To stop breaches from threatening crucial systems and services - and even causing denial of cyber insurance claims - incident response actions must be followed in a specific order by specific people, sometimes including those outside of IT and cybersecurity. However, many companies struggle with this during a crisis.
Three ways to improve your cyber response plan
A cyber crisis response plan must be executable at a moment's notice, whatever the threat. That is where practice comes in.
1. Tailor the plan to your organisation's specific needs
To ensure that your playbooks are tailored to the specific cyber challenges of your industry and organisation, you need to determine:
- Your risk tolerance: What is an acceptable level of cyber risk your organisation can withstand, quantified in terms of potential impacts, such as downtime or financial loss? The risk tolerance of a retail store will be very different from that of a hospital.
- Your most critical assets and Tier 0 resources: What are your crown jewels that, if compromised, could lead to a complete takeover or severe disruption of your operations?
- Your dedicated roles: Who carries out specific actions in a specific order? This covers not just IT operations and cybersecurity leadership, but also other critical business unit leaders, and even Board stakeholders.
2. Practise, practise, practise!
A robust, integrated, and well-practised cyber crisis response plan is paramount for cyber and business resilience. After all, the faster you can respond and recover, the less severe the financial impact of a cyberattack will be.
Organisations can increase their agility by conducting tabletop exercises that simulate attacks. By practising incident response regularly and introducing a range of new scenarios of varying complexity, organisations can train for the real thing, which can often be unpredictable. Security teams can continually adapt their response plans based on the lessons learned during these exercises and on any newly emerging cyber threats.
3. Implement dedicated out-of-band communication tools
In the event of a cyber-attack, an organisation's primary communication systems, including email servers and collaboration tools, may be compromised or unreliable. That's why having a secure, out-of-band communication channel that can be activated during a crisis is not optional, but essential.
The takeaway:
Cyber criminals don't wait for organisations to be ready - they strike when organisations least expect it. Having a thorough, well-tested incident response plan is the best way to improve operational resilience during times of need.