Accountability Gap Creates Cyber Risk
22 Oct 2024
New research has revealed a concerning gap in accountability for cyber security in many Australian organisations.
Security firm Trend Micro polled 100 Australian IT leaders to better understand their attitudes toward Attack Surface Risk Management. They found that most organisations lacked clear leadership buy-in and sufficient resources to measure and mitigate cyber risks.
The top three gaps in cyber resilience were:
Insufficient staffing for round-the-clock cybersecurity coverage.
Inadequate techniques to measure and manage attack surface risks.
Not using proven regulatory and other frameworks, such as the NIST Cybersecurity Framework.
Only 37% of those surveyed said their organisation had satisfactorily closed each of these exposures.
The buck stops… nowhere?
Seeking root causes for unclosed gaps in organisational cyber resilience, Trend found that the failures could be traced back to a lack of leadership and accountability at the top of the organisation.
More than a third of respondents claimed their leadership didn’t consider cybersecurity to be their responsibility. When asked who does or should hold responsibility for mitigating business risk, respondents gave a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (32%) said the buck stopped with organisational IT teams.
Trend spokesperson Srujan Talakokkula said the “lack of clear leadership on cybersecurity can have a paralysing effect on an organisation, leading to reactive, piecemeal and erratic decision making”.
“A lot of that comes down to collaboration and communication across the business,” he said. “Companies need CISOs to clearly communicate in terms of business risk to engage their boards.
“Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk, and automatically remediate issues for enhanced cyber-resilience,” he added.
ASIC Cracking Down
Trend’s warning comes on the heels of reports that Australia’s corporate regulator is preparing legal actions against some company directors for their lack of governance relating to cyberattacks.
ASIC has previously cautioned directors that they need to prepare for hacks, and that sanctions would be applied to those who didn’t. They told The Australian Financial Review that companies wouldn’t get away with paying lip service to cyber defence and must provide evidence they had performed their duties if their organisation was breached by cybercriminals.
“With one cyberattack reported every six minutes in Australia, ASIC’s message for directors is to make sure your organisations have appropriate cybersecurity measures in place – this is your responsibility,” a spokesperson said.
Not just “an IT Issue”
ASIC’s heightened investigations show that cyber security is no longer a fringe issue that can be relegated to technical staff. However, a survey of in-house lawyers by Herbert Smith Freehills recently found that many boards are not yet engaged on the topic of cyber resilience: 58% said it would take an actual cyberattack to motivate their organisation to meaningfully improve its data risk management.
Owning and managing the risk
Rather than letting cyber resilience slip between the cracks in org charts, directors need to put cyber resilience at the top of their companies’ board agendas. Executive management should be requested to report on the measures and investments they’re making to keep cyber thieves at bay.
A Managed File Transfer (MFT) solution such as the class-leading GoAnywhere MFT manages inbound and outbound file transfers across an organisation, using industry-standard file transfer protocols and encryption to protect data both in transit and at rest, in line with the highest data security standards.
Advanced Threat Protection and Adaptive Loss Prevention add a further layer of defence. SFT Threat Protection enables safe collaboration with external parties, preventing malware from entering an organisation, and reducing the risk of employees losing or mishandling sensitive data.
Local Experts On Hand
Generic Systems Australia are local experts in Managed File Transfer and Advanced Threat Protection. We’ve assisted hundreds of organisations across the Asia-Pacific region to secure their data and keep cybercriminals at bay.
If you’d like to discuss how we can help improve your company’s cybersecurity, please feel welcome to contact me, Bradley Copson. I’m always happy to have an obligation-free discussion, explain how simply we can transition you from outdated software and approaches, and offer you a zero-cost Proof of Concept.