And while cyber risk has certainly gained a higher profile over the past few years, our new report reveals there is still much to do to protect our data. The report found organisations’ effectiveness in managing cyber threats is being hampered by under-resourcing, under-preparedness and a limited understanding of the data they store and process within their operations.
MinterEllison’s 2023 Cyber Risk Report found only 56 per cent of respondents ranked cyber risk as a top five priority within their organisation while 63 per cent said they were not confident, or only somewhat confident, their organisation understood what they had, where that data was stored and who had access to it.
- Organisations must adopt a culture of cyber security to combat threats
- Cyber fatigue a danger to effective management of cyber risk
- The financial services sector is the most advanced in terms of cyber preparedness
In addition, only around one half (51 per cent) of respondents considered their organisations had sufficient resources to monitor and respond to cyber security threats.
These survey results may be attributable to a view of heightened cyber risk as a ‘new normal’, in which cyber-attacks are considered ubiquitous or inevitable, and in which organisations conclude that by ticking the minimum set of boxes – creating an incident response plan, obtaining cyber insurance and running basic cyber training – they have done all they can.
However, the severity of the incidents that have occurred during the last six months – as well as the increasingly aggressive posture being adopted by regulators – should provide reason enough to appropriately prioritise and resource cyber risk mitigation.
The outlier in the survey was the financial services sector where 82 per cent of respondents ranked cyber security as a top five priority and 62 per cent were confident their organisation understood where their data was stored.
For many organisations, cultural change is required. This means implementing measures to embed a culture of cyber security, including promoting an understanding of this risk throughout the organisation and incentivising commitments to mitigating cyber risk from the very top, with concrete actions that flow down to all aspects of the business.
Creating a culture of cyber security means placing cyber risk at the heart of strategic planning, resourcing, product and service design, hiring and training. It also extends to an assessment of key suppliers and their cyber posture.
With corporate data breaches costing an average of A$6.5 million, it's essential for organisations to embrace a culture-focused strategy in mitigating cyber risk.
Connecting cyber security to the key performance indicators (KPIs) of key people should also be considered, as it will shape how they approach their own roles and those of their teams and colleagues.
Organisations around the world are at an inflection point where the likelihood of suffering a cyber-attack is far higher than the likelihood of not being attacked. Although the report found 78 per cent of respondents have a cyber response plan in place, these plans need to come out of the bottom drawer and be regularly refreshed as new threats emerge and as the nature of an organisation’s business and operations changes. In this way, cyber preparedness is a continuous journey – one with no destination.
Paul Kallenbach is a Partner at MinterEllison