Australian CISOs least prepared for cyber attacks

Nearly eight in 10 Australian chief information security officers (CISOs) said their organisations are unprepared to detect, deter and recover from a cyber attack – the highest among 14 countries and up 21% from 2021, according to a survey by Proofpoint.

In addition, 68% felt their organisation is at risk of suffering a material cyber attack in the next 12 months, compared with 48% of CISOs globally.

Some 76% of Australian CISOs also consider human error to be their biggest cyber vulnerability, with established work-from-anywhere setups and employee turnover presenting new challenges.

Yvette Lejins, resident CISO at Proofpoint Asia-Pacific and Japan, noted that the Australian government’s landmark A$9.9bn investment in cyber security preparedness demonstrates how critical it has become for governments and organisations to step up their defences.

“Yet our research shows Australian CISOs feel the least prepared globally to deal with the consequences of a cyber attack,” she said. “Not only that, Australian CISOs are feeling the pressure of their role much more than other countries.”

Proofpoint’s survey polled more than 1,400 CISOs from organisations across industries and countries, including US, Australia, Canada, UK, France, Germany, Italy, Spain, Sweden, Netherlands, United Arab Emirates, Saudi Arabia, Japan and Singapore.

The survey explored three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organisational preparedness facing them and the impact of supporting a hybrid workforce. It also uncovered the challenges CISOs experienced in their roles, their position among the C-suite and business expectations of their teams. In Australia, for example, 63% of CISOs felt that expectations on their role were excessive, up from 44% last year.

At the same time, the perceived lack of alignment with the boardroom has increased, with only 25% of Australian CISOs strongly agreeing that their board sees eye-to-eye with them on issues of cyber security.

When considering cyber risk, Australian CISOs listed significant downtime, disruption to operations and impact on business valuation as top board concerns – even as there was a lack of consensus among them on the most significant threats targeting their organisation.

This year, insider threats, whether negligent, accidental or criminal, topped the list for Australian CISOs at 36%, but were closely followed by business email compromise and supply chain attacks, both at 31%.

As the hybrid workforce becomes more prevalent, two in three Australian CISOs saw an increase in targeted attacks in the past 12 months, compared with 51% of CISOs globally, and 68% noted that increases in employee transitions means protecting data has become a greater challenge.

When it comes to guarding against growing ransomware attacks, 72% of Australian CISOs revealed that they had purchased cyber insurance and 75% are focusing on prevention over detection and response strategies to mitigate such attacks. A concerning 30% of Australian CISOs admitted they have no ransom payment policy in place.

“We must start seeing greater internal alignment across boardrooms on critical threats like ransomware to create effective cyber security practices that put people front and centre,” said Lejins.

“With rising geopolitical tensions, ongoing conflict in Ukraine and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged to weather an increasingly volatile threat landscape,” she concluded.