Culture key to combating cybersecurity risk

Over the last two years, Australians have experienced the full impact of cyber risk with some of Australia’s biggest companies – and millions of their customers – affected.


And while cyber risk has certainly gained a higher profile over the past few years, our new report reveals there is still much to do to protect our data. The report found organisations’ effectiveness in managing cyber threats is being hampered by under-resourcing, under-preparedness and a limited understanding of the data they store and process within their operations.


MinterEllison’s 2023 Cyber Risk Report found only 56 per cent of respondents ranked cyber risk as a top five priority within their organisation, while 63 per cent said they were not confident, or only somewhat confident, their organisation understood what data they had, where that data was stored and who had access to it.

Key Points

  • Organisations must adopt a culture of cyber security to combat threats.
  • Cyber fatigue is a danger to effective management of cyber risk.
  • The financial services sector is the most advanced in terms of cyber preparedness.

In addition, only around one half (51 per cent) of respondents considered their organisations had sufficient resources to monitor and respond to cyber security threats.

It may be these survey results can be attributed to a view of heightened cyber risk as representing a ‘new normal’, whereby cyber-attacks are considered ubiquitous or inevitable and that by ticking the minimum set of boxes – creating an incident response plan, obtaining cyber insurance and running basic cyber training – organisations conclude they have built and done all they can.

However, the severity of the incidents that have occurred during the last six months – as well as the increasingly aggressive posture being adopted by regulators – should provide reason enough to appropriately prioritise and resource cyber risk mitigation.

The outlier in the survey was the financial services sector where 82 per cent of respondents ranked cyber security as a top five priority and 62 per cent were confident their organisation understood where their data was stored.

For many organisations, cultural change is required. This means implementing measures to embed a culture of cyber security, including promoting an understanding of this risk throughout the organisation and incentivising commitments to mitigating cyber risk from the very top, with concrete actions that flow down to all aspects of the business.

Creating a culture of cyber security means placing cyber risk at the heart of strategic planning, resourcing, product and service design, hiring and training. It also extends to an assessment of key suppliers and their cyber posture.

With corporate data breaches costing an average of A$6.5 million, it's essential for organisations to embrace a culture-focused strategy in mitigating cyber risk.

Connecting cyber security to the key performance indicators (KPIs) of key people should also be considered, as it will shape how they approach their role and those of their teams and colleagues.

Organisations around the world are at an inflection point where the likelihood of suffering a cyber-attack is far higher than the likelihood of not being attacked. Although the report found 78 per cent of respondents have a cyber response plan in place, these plans need to come out of the bottom drawer and be regularly refreshed as new threats emerge and the nature of an organisation’s business and operations change. In this way, cyber preparedness is a continuous journey – one with no destination.

Paul Kallenbach is a Partner at MinterEllison


Data was collected through our annual online survey between February and April 2023. Of more than 200 respondents, approximately 50 per cent were legal counsel and 20 per cent were C-suite executives. Other respondents included IT, risk and security specialists and Board members. The year's key sectors represented in the survey included finance, energy, health, infrastructure and government.

For the full report go to

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
