Tackling Cyber Risks from the Boardroom

Since before the pandemic, Australia has seen a sustained rise in cybercrime, and there is no end in sight. In the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, an increase of nearly 13 per cent on the previous year. With high-profile breaches over the past year, it is evident that no company is immune. The rise is fuelled by global supply-chain vulnerabilities, increasing phishing and ransomware activity, and disruption of critical infrastructure attributed to sophisticated adversaries. As a result, Australian company directors must understand the cyber risks their companies face, because those risks can also have personal consequences for the directors themselves.

The Challenge

Australian boards face immense challenges in owning and managing cyber threats while also working through the changes and requirements introduced by regulatory reform. Australian regulators such as the OAIC, ACCC, ASIC and APRA scrutinise cyber security practices and are using expanded supervisory and enforcement powers to hold companies accountable.

A long list of considerations is now under review in boardrooms across Australia. As the government signals a clampdown on underperforming cyber programs, especially in large businesses, government departments and organisations whose breach would have widespread impact, the era of tolerance is coming to an end. Here are just a few of those considerations; there are many more depending on sector-specific requirements and industry compliance standards:

  • Complexity of cyber threats: Threats keep changing, making it difficult for directors to keep up with the latest criminal tactics and techniques. Staying current requires continuous learning and awareness, which takes considerable time and effort.
  • Limited technical expertise: Not all directors have the technical knowledge needed to understand the nature of cyber threats and the impact of vulnerabilities within their organisations. This gap can prevent informed decisions, and technical explanations often do not map onto the criteria the business uses to make them.
  • Regulatory compliance: Directors must ensure their organisations comply with cyber security regulations and standards, both locally and internationally. Working out the implications of these regulatory regimes can be as challenging as keeping up with the changes themselves.
  • Balancing cyber security investment: Directors must weigh the need for robust cyber security against other priorities and constraints. Allocating sufficient resources to cyber security without compromising other business imperatives is difficult.
  • Supply-chain vulnerabilities: Cyber threats can originate from third-party vendors and partners, so directors must assess and manage the cyber security practices of their supply chain. This is complex and time-consuming.
  • Incident response and recovery: Directors must ensure their organisations have effective incident response plans to minimise the impact of a cyberattack. This involves coordinating efforts across departments and stakeholders so the organisation can respond quickly and effectively.

Key Lessons

Directors and executives must ensure that their company’s cyber security and cyber resilience risk management systems are adequate. Here are a few of the critical lessons Sekuro has learned that can help you meet your obligations and duties:

  • Regularly update cyber-risk assessments to reflect the organisation’s context and business model
  • Adapt cyber-risk assurance processes to address risks posed by the digital supply chain, and make sure your organisation meets the requirements of its cyber insurance policy
  • Maintain compliance with the appropriate standards, and engage in-house and external advisors for assistance
  • Seek board-level advisory support, which can translate the technical and process-oriented aspects of a cyber security program into recommendations that allow fast and efficient decision-making

Taking Action

As criminals continue to target Australian businesses, directors must adapt their strategies and ensure robust cyber security practices are in place. To navigate this complex landscape and foster executive-level discussion of cyber security, engage with security consulting firms such as Sekuro. By working with experts, you can better understand and manage changing cyber risks and ensure your company is prepared and resilient in the face of growing threats.

Tony Campbell

Director of Research & Innovation, Sekuro

Tony has worked in information and cyber security for many years, delivering projects and services across a wide range of industries in a variety of roles. Throughout his career he has sought to bridge the growing skills gap by mentoring, teaching and working with other disciplines to help them understand the complexities of the field.