“For all organizations, cybersecurity and cyber resilience must be a top priority. ASIC expects this to include oversight of cybersecurity risk throughout the organization’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organization’s systems and networks.”

The Australian Securities and Investments Commission (ASIC) has issued a stark warning to organizations nationwide, urging them to prioritize their cybersecurity measures. This call to action follows a revealing report based on ASIC’s recent cyber pulse survey, highlighting critical gaps in the cyber capabilities of corporate Australia.

According to the survey, a substantial number of organizations demonstrate a reactive, rather than proactive, stance towards managing cyber risks.

44% of participants are not managing third-party or supply chain risks

ASIC Chair Joe Longo expressed concern, stating, “For all organizations, cybersecurity and cyber resilience must be a top priority. ASIC expects this to include oversight of cybersecurity risk throughout the organization’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organization’s systems and networks.”

While the survey unearthed deficiencies, it also revealed areas where participating organizations have developed robust capabilities, notably in identity and access management, governance and risk management, and information asset management. Larger organizations consistently reported more mature cyber capabilities compared to their smaller counterparts. This discrepancy is largely attributed to the smaller organizations’ limited human and financial resources, impacting their ability to manage third-party risks, data security, and adopt industry standards effectively.

Joe Longo emphasized the need for comprehensive preparedness, stating, “There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks.”

The National Cyber Security Coordinator, Air Marshal Darren Goldie AM CSC, welcomed the report’s findings and acknowledged ASIC’s efforts in identifying key gaps in corporate Australia’s cyber resilience. He remarked, “Cybersecurity must be a priority for us all, including individuals and businesses large and small. Support is available – the National Office of Cyber Security works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents. The 2023-2030 Australian Cyber Security Strategy will enable Australia to build and strengthen its cyber shields and develop our resilience to bounce back quickly.”

Ninety-five percent of survey participants requested individual reports, indicating a strong commitment to enhancing their organization’s cyber resilience and learning how they compare to peers.

Against the backdrop of the Australian Cyber Security Centre’s estimation of cybercrime costing Australia $42 billion in 2021, the inaugural ASIC cyber pulse survey stands as one of the largest undertakings to gauge Australia’s cyber resilience. The survey assessed participants’ abilities in governing and managing cyber risks, protecting information assets, and responding to cybersecurity incidents.

ASIC encourages organizations to cultivate a culture of cyber awareness and provides resources on its cyber resilience webpage to aid entities in bolstering their cybersecurity and resilience.