Businesses in the dark: Disconnect in cybersecurity culture and cyber resilience
Australian organisations have the least familiarity with the concept of cyber resilience when compared with their Asia-Pacific counterparts, despite the evolving and highly sophisticated threat landscape.
The revelation comes following the release of McAfee's Asia-Pacific cyber risk and resilience research.
The McAfee Cyber Resilience Report (MCRR), which surveyed 480 cybersecurity decision-makers across eight Asia-Pacific countries including Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, Singapore and Thailand, showed just 73% of Australian respondents are familiar with the concept of cyber resilience, compared to 97% of Indians and 95% of Indonesians.
The results show 27% of Australian respondents describe their organisation’s cybersecurity culture as ‘strategic’ (meaning decisions are made from the top), while 60% believe cybersecurity is ‘embedded’ (meaning security is always included in the decision-making process) within their organisation.
Notably, despite the fact Australian respondents demonstrated a strong culture of cybersecurity, over a third (35%) of Australian respondents still don’t feel their organisation is cyber resilient.
“An impressive 87% of organisations are taking the right steps towards building a solid culture of cybersecurity. However, this isn’t translating as it should into an adequate level of cyber resilience with our Australian respondents,” says Joel Camissar, regional director, MVISION Cloud, Asia-Pacific, McAfee.
"This indicates a disconnect between the priorities and investment required to build cyber resilience, and the decisions made at the board level," he says.
“Organisations that don’t put cyber resilience at the forefront of their approach to security expose networks and infrastructures to an expanding range of cyber risks, gifting cybercriminals the opportunity to exploit clear gaps in their security posture,” explains Camissar.
“The survey found 55% of Australian respondents named data breaches as one of the top three cyber risks. To truly combat this, cyber resilience has to become a higher priority for Australian organisations,” he states.
“While having effective technology and security tools in place is an important piece of the puzzle, cyber resilience is not a technological capability alone – it’s an organisational one. A core ingredient to being cyber ready involves empowering business leaders to minimise business down-time, while responding to a cyberattack at the same time.”
Investing in cybersecurity
According to the research, 15% of Australian respondents said they’re not planning to invest more in security, despite 75% saying cybersecurity regulations impact their organisation. Australia has one of the lowest levels of investment in the region; by comparison, two percent of Indian respondents are not planning to invest more in security due to regulation.
“The heightened regulatory environment in Australia, highlighted by the introduction of the Notifiable Data Breaches scheme in the last two years, means businesses cannot afford to deprioritise their investment in cybersecurity,” says Camissar.
Australian organisations cited ‘culture, education, and awareness’ as the lowest investment priority to improve cybersecurity maturity.
“In the latest Notifiable Data Breaches Statistics Report from the Office of the Australian Information Commissioner, human error accounted for one third (34%) of data breaches, from April to June, that allowed hackers access to information. Clearly, there is much work to be done to change the emphasis that Australian organisations place on cybersecurity education and awareness in the workplace,” he says.
Risky perceptions of cyber incidents
One in six (16%) Australian respondents believe cybersecurity incidents have a ‘high’ impact on the business, and a concerning 18 percent believe cybersecurity incidents have a ‘low’ impact on the business.
“While some Australian respondents feel in better control of their cybersecurity response, it’s risky to lose sight of the dire financial, reputational and operational impacts a cyber incident can have both in the short and long term,” Camissar says.
When asked whether they could put a cost on their recent cyber incidents, Australian organisations were well behind their counterparts, with just 46% able to quantify the financial impact. By contrast, companies in India (91%), Malaysia (85%), and Thailand (83%) were more confident they could measure the cost of a data breach.
The 46% of Australian survey respondents who could place a cost on cybersecurity incidents in the past 12 months estimated the average cost at approximately $332,044.
McAfee commissioned StollzNow Research to conduct a survey of 480 cybersecurity decision-makers across eight Asia-Pacific countries, including Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, Singapore and Thailand.