Half of Australian organizations are underprepared for cyber attacks

A global cyber survey highlights Australia’s most at-risk sectors, pointing to areas that need strengthening.

In brief

• Sectors like hospitality, retail, tourism, travel at higher risk than highly regulated industries like finance and telco.
• As a starting point to achieve cyber uplift, the government agencies serving vulnerable industries should strengthen their own cyber practices.
• Key areas to focus improvements include increased automation, enterprise-wide simplification and enhanced cyber risk quantification.

The Australian Government’s aspiration is for the nation to become the world’s most cyber-secure nation by 2030. This national priority is evident in recent budget allocations – at all levels. In the last Federal Budget, cybersecurity was one of only two areas being afforded funding increases, receiving an additional $330m on successive spends in previous Budgets. This focus was reflected around the country, with the Victorian and Queensland governments committing $54m and $73.5m respectively to cybersecurity.

Such investment is essential given the constant and ongoing attacks that have become business as usual across the public and private sectors, with agencies themselves prime targets. According to the Australian Government’s Australian Cyber Security Centre, over the last 12 months, more than two in five (43%) of reported cyber incidents were in federal or state agencies, or health organisations.

New global research points to next cyber investment priorities

In early 2023, the global EY organisation surveyed 500 C-suite and cybersecurity leaders across 25 countries, including Australia. We asked these leaders to evaluate their organisations against mean time to detect, mean time to respond, number of cybersecurity incidents, integration of cybersecurity within the organisation and cybersecurity’s impact on innovation and value creation.

The resulting data was segmented into geographies and industry sectors to provide granular information from a C-suite perspective. Its most compelling insight was the emergence of a segment of higher-performing organisations – a group we call “Secure Creators”. Compared to their lower-performing counterparts, “Prone Enterprises”, Secure Creators have fewer cyber incidents and are quicker at detecting and responding to incidents.

Critically, our survey found that organisations with these better outcomes are:

• Already using ML/AI cloud and automation, DevSecOps and in the late stages of implementing passwordless authentication and SOAR.
• Significantly more likely to allocate more than 40% of their cybersecurity budgets to detection and prevention.
• Typically from industries that are already heavily regulated.

Secure Creators concentrated in highly regulated sectors

Not surprisingly, the survey found that organisations in the most compliance-driven sectors – financial services, telcos, utilities – are less likely to be satisfied with the effectiveness of their approach to cybersecurity even though they are investing significantly more than those in Government and more lightly regulated industries, including hospitality, retail, tourism and travel.

The strong cyber security procedures required by Australia’s Security of Critical Infrastructure Act and its subsequent amendments have driven critical infrastructure stakeholders to implement emerging technologies. Artificial intelligence, machine learning, and security orchestration, automation and response are helping to create seamless, organisation-wide defence.

According to our survey, such approaches are major predictors of strong cybersecurity performance. Secure Creators are quick to adopt emerging technology and use automation to orchestrate their cybersecurity technology and streamline processes. Whereas, in Australia’s more lightly regulated sectors, businesses and the agencies serving them, are less likely to use these practices, making them markedly more prone to attack.

Where should Prone Enterprises prioritise?

As well as increasing their use of automation, the data suggests priority areas for attack-prone organisations to address, including:

• Simplification – Clutter in the technology environment makes it harder to pick up signals and get on top of issues quickly. Agencies need to simplify the technology stack to reduce risk and improve visibility, giving cybersecurity teams gain greater coverage using fewer tools. When all systems “talk” to each other, telemetry flows to the surface more easily, helping security teams to detect incidents more efficiently. Simplification could also help to address skills shortages, taking cyber organisations from a group of specialists – each one with expertise in a single tool – to an integrated team of generalists who can back-stop each other. A joined-up cyber organisation can also make greater use of automation, taking some of the pressure off human resources.
  
  
• Risk quantification – Cyber risk quantification is an emerging area where automation and data analytics can add insight and aid risk prioritisation. In our survey, “too many attack surfaces” was the most cited internal challenge to an organisations’ cybersecurity approach, driven by cloud adoption at scale and ecosystem business models. Most dangerous of all are supply chains, which were responsible for 62% of system intrusion incidents in 2021. Our survey found that, while Prone Enterprises tend to focus more on financial risk, Secure Creators are almost twice as likely to be highly concerned about the risks posed by supply chain. Investing in tools to better quantify cyber risks is essential to help security professionals make informed decisions about where and how to streamline cyber approaches and tangibly measure progress on resilience.

Should the CISO role be elevated?

Our survey also found that, to reduce cyber vulnerabilities, government agency CISOs will need increasing levels of influence. For example, they will have to partner with Chief Operating Officers and other senior leaders, including becoming more involved in vendor selection decisions and ensuring cyber security is embedded at all operational levels.

Cybersecurity is already a top three issue for most agency executives, but they need a cybersecurity peer to work with to achieve true resilience. To this point, Secure Creators are more likely than Prone Enterprises to integrate cybersecurity at all levels of the entity – including the C-suite.

With agency CISOs typically at Branch Head level or below, this suggests agencies should consider their elevation. When CISOs have a seat at the executive table, cybersecurity operations are more embedded with core business priorities and strategies, leading to higher odds of experiencing fewer incidents.

The role of CISO is relatively new, meaning cyber leaders lack strong communities and champions. Agencies would be well advised to rethink where this often-under-valued position fits in their hierarchy. By having the CISO on the executive team, cybersecurity strategies are more likely to be aligned with agency goals and objectives. This could enable a more comprehensive and integrated approach to managing cybersecurity risks in an increasingly complex digital landscape. Such appointments would also send a timely message that security is a priority and a shared responsibility across all government agencies.

Cybersecurity transformation essential

Finally, our study offers context around why it is still important for cyber organisations to focus on transformation – not just technology. Simplification begins with technology. But its success also requires ongoing change management so cyber teams are ready to use new tools and engage in more strategic ways of working.

In an increasingly digitised world, safeguarding Australia’s vulnerable sectors requires a proactive approach, starting with government agencies setting the cybersecurity standard and embracing innovation for a resilient future.