Cybersecurity: The topic boards still don’t want to think about

Published on the 04/09/2019 | Written by Heather Wright


Perception vs reality in the world of cybersecurity…

Cybersecurity might be a hot topic, but a new survey of Australian businesses presents a slightly different take on how much of a priority the topic is for businesses – and the frustration level caused by inconsistent prioritisation of cybersecurity by boards.

The TRA report The Future of Cybersecurity in Asia Pacific and Japan – Culture, Efficiency, Awareness, sponsored by security vendor Sophos, suggests that for all the talk about cybersecurity being a key topic for business – and company boards – follow-through isn’t happening unless companies are actually under attack.

While the Notifiable Data Breach legislation should have provided boards with plenty of incentive to increase their focus on security, the message apparently isn’t filtering through.

The report shows that despite 34 percent of Australian organisations admitting to having been breached in the last 12 months – only Japan at 34.5 percent was higher – 47 percent of Aussie companies surveyed don’t have a cybersecurity team in place that could properly detect, investigate and respond to threats.

Across the region two out of three respondents are struggling to convince the business that security must be a priority.

“There is a perception at the C-level that security isn’t that hard, and you can just buy another magic box and make the threat go away,” Sophos says.

“Unfortunately, many respondents indicated security was only a priority to management and the board during active incidents.”

In Australia, the inconsistent focus given to security by boards and executive management committees, whose attention to the topic fluctuates depending on how intensively or frequently an organisation is attacked or experiences incidents, is a key frustration for those surveyed.

They ranked the top three frustrations as being executives assuming cybersecurity is easy, cybersecurity frequently being relegated in priority with not enough budget.

“The data and executive roundtables jointly confirmed there is a lack of appreciation about the complexity of issues faced – at a board and executive level through to general employees,” the report says.

Australian respondents also noted a feeling that company executives felt they were over-exaggerating threats and issues.

Around 200 Australian business decision makers were surveyed for the report, which also shows only a third of the companies have a dedicated cybersecurity budget, leaving those responsible for security to negotiate for budget, and just 18 percent are making regular changes to their cybersecurity approach.

Change is, however, coming, with 45 percent saying they intend to make changes to their security approach in the next six to 24 months, driven by technology and product developments, compliance and regulation requirements and growing awareness of new attacks. That is, however, well below the APAC average of 82 percent planning to make changes in the next 12 months.

One of the biggest issues being considered across the region remains the human element and education of employees and leadership, along with recruitment of new staff and the struggle to stay up to date with new developments, research and news. On the technical front, better network visibility and control is a key capability companies are looking for. Across the region 12 percent of organisations are intending to adopt AI within 24 months, while more than 40 percent say they see IT and OT convergence as an area which could help their security posture.
