ra2 studio - stock.adobe.com

Australian organisations underinvesting in cyber security

Over half of Australian organisations failed to invest enough in cyber security over past three years, though awareness is improving in aftermath of high-profile data breaches

Over half of Australian organisations have not invested enough in cyber security in the past three years, with nearly one in five believing it was not a priority, a study has found.

The underinvestment was more stark among small companies, of which 69% had not invested enough in cyber security, according to the study conducted by Netskope, a supplier of secure access service edge (SASE) services.

Major data breaches over the past year, however, have cast the spotlight on cyber security, with over three-quarters (77%) of 300 respondents who participated in the study noting that their leadership’s awareness of cyber threats had increased.

Some 70% also noted an increase in their leadership’s willingness to bolster investments – the proportion of organisations that are planning bigger cyber security budgets between 2022 and 2023 jumped to 63%, compared with 45% that saw increases between 2020 and 2022.

This increase is most pronounced among larger organisations with over 200 employees, where over 80% are increasing cyber security budgets. Among small firms with fewer than 20 employees, 41% planned to spend more on cyber security between 2022 and 2023, up from just 23% between 2020 and 2022.

“The data breaches that occurred last year deeply impacted the Australian community, but it seems there are some positives to draw from those events,” said David Fairman, chief information officer and chief security officer for Asia-Pacific at Netskope.

“In the last decade, attitudinal gaps between technology and business leaders regarding cyber security have been a key factor slowing down cyber security improvements, and it seems that both teams are now – at last – on the same page, ready to bolster cyber defences for their organisation and customers.

“Even though no organisation is ever fully protected from cyber threats, we need this united front to show cyber criminals that we won’t make it easy for them and Australia won’t be an easy target any more”
David Fairman, Netskope

“Even though no organisation is ever fully protected from cyber threats, we need this united front to show cyber criminals that we won’t make it easy for them and Australia won’t be an easy target any more,” he added.

Divided on incident response

How well an organisation responds to cyber security incidents is an indicator of its cyber resilience. According to Netskope’s research, just 27% of Australian tech leaders today have well-defined and stringent incident response plans to face a variety of scenarios, and regularly exercise them.

Furthermore, there is no consensus on how to handle an incident. The survey respondents were divided, with just half (51%) stating they would be unlikely to pay if they became a victim of ransomware.

They also pointed out other impediments, with 17% of tech leaders noting that the lack of prioritisation of cyber security among business and technology leadership was the biggest obstacle to cyber security improvements.

Fairman also noted the lack of “financial or human resources to bring their plans to fruition, especially in a challenging economic environment with ongoing geopolitical instability”.

“As a country, we need to do what we can to accelerate the production of industry professionals and graduates, making use of both public and private initiatives,” he said.

The Australia government plans to develop a new cyber security strategy that aims to strengthen the country’s critical infrastructure, among other goals, following a spate of high-profile cyber attacks against Australian companies, including Optus and Medibank in 2022.

The strategy will be led by Cyber Security Cooperative Research Centre CEO Rachael Falk, former Telstra CEO Andy Penn, and former chief of air force Mel Hupfeld. There will also be an expert panel drawn from around the world, led by former UK National Cyber Security Centre CEO and Oxford University professor Ciaran Martin.

Read more about cyber security in Australia

Read more on IT risk management

Data Center
Data Management