ASIC issues cyber security warning after ports hack

A week after the Australian Prudential Regulation Authority (APRA) warned that it was running out of patience with cyber security non-compliance in the financial sector, the Australian Securities and Investments Commission (ASIC) has released the results of a survey that exposes gaps in cyber security risk management across all industries. It comes in the wake of the attack on DP World that has caused havoc at Australian ports.

The ASIC survey of nearly 700 companies was designed to allow participating organisations to benchmark their cyber maturity against their peers.

The survey was designed to assess participants’ cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents, and recovering from cyber security incidents.

While previous ASIC surveys were restricted to the financial markets sector, the 2023 survey invited participation from public companies, large proprietary companies and entities that hold licences or authorisations from ASIC.

One major concern that emerged was the finding that 70% of participants showed “minimal to no capabilities in mapping information flows between their information assets”.

“Mapping information flows helps an organisation identify risks from potential weaknesses, redundancies or single points of failure,” the report notes.

“Visualising potential risks associated with critical business services allows an organisation to determine the security controls needed to mitigate those risks and protect the system overall.

“Failure to map information flows between critical business services may lead to distributed and unprotected confidential information. Critical business systems rely on the distribution, storage and processing of information. Without a clear view of the flow of information an organisation would not be able to determine the appropriate level of protection.

“Mapping information flows is not a one-time task – it should be an ongoing process. Regularly updating and refining information flow maps can help organisations adapt to changes in technology and the threat environment.”
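The report's point about information-flow maps exposing single points of failure and unprotected confidential data can be made concrete by treating the map as a directed graph. The following is an added illustration, not code from the ASIC report or the survey; the assets, flows, classifications and the "protected" control set are constructed sample data, and the asset names are hypothetical.

```python
"""Information-flow map as a directed graph.

Two checks the report's guidance implies:
  1. which single asset, if lost, cuts every flow from the data sources a
     critical service depends on to the service's final consumer (a SPOF);
  2. which assets receive confidential flows but sit outside the set of
     assets covered by the organisation's protective controls.

Added example with constructed sample data; asset names are hypothetical.
"""
from collections import deque

# Constructed sample map: (source asset, destination asset, data classification).
FLOWS = [
    ("customer-db", "payments-api", "confidential"),
    ("identity-provider", "payments-api", "internal"),
    ("payments-api", "settlement-gateway", "confidential"),
    ("settlement-gateway", "bank-connector", "confidential"),
    ("payments-api", "analytics-warehouse", "confidential"),
    ("backup-site", "customer-db", "confidential"),
]

# Constructed: assets the organisation's security controls currently cover.
PROTECTED_ASSETS = {"customer-db", "payments-api", "settlement-gateway", "bank-connector"}


def build_graph(flows):
    """Adjacency map asset -> set of assets it sends data to."""
    succ = {}
    for src, dst, _ in flows:
        succ.setdefault(src, set()).add(dst)
        succ.setdefault(dst, set())
    return succ


def reachable(succ, start, removed=frozenset()):
    """Assets reachable from `start` when the assets in `removed` are out of service."""
    if start in removed:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in succ.get(node, ()):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(flows, sources, sink):
    """Assets (other than the sources and sink) whose loss alone severs every
    source-to-sink path. Returns [] if the sink is already unreachable."""
    succ = build_graph(flows)

    def connected(removed):
        return any(sink in reachable(succ, s, removed) for s in sources)

    if not connected(frozenset()):
        return []
    return sorted(
        asset for asset in succ
        if asset not in sources and asset != sink
        and not connected(frozenset({asset}))
    )


def unprotected_confidential_destinations(flows, protected_assets):
    """Assets that receive confidential data but are outside the protected set."""
    return sorted({
        dst for _, dst, classification in flows
        if classification == "confidential" and dst not in protected_assets
    })


if __name__ == "__main__":
    spofs = single_points_of_failure(FLOWS, {"customer-db", "identity-provider"}, "bank-connector")
    print("single points of failure for payments:", spofs)
    print("unprotected confidential destinations:",
          unprotected_confidential_destinations(FLOWS, PROTECTED_ASSETS))
```

On the sample map, both `payments-api` and `settlement-gateway` are single points of failure for the payments flow, and `analytics-warehouse` receives confidential data while sitting outside the protected set. Adding a second settlement path removes `settlement-gateway` from the SPOF list, which is the kind of change an ongoing flow map is meant to surface.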

The survey found medium and large organisations consistently self-reported more mature cyber capabilities than small organisations. Small organisations lagged behind in supply chain risk management, data security, and consequence management.

“A concerning 69% of participants indicated they had minimal or no capabilities in supply chain and third-party risk management. In particular, 58% of participants indicated they do not test cyber security incident responses with critical suppliers.

“Organisations should consider the risks introduced by external third parties. These parties could be vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information.

“Third-party relationships provide threat actors with easy access to an organisation’s systems and networks. An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, it will be exposed to supply chain vulnerabilities.”

ASIC Chair Joe Longo said, “For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.”

Other findings include:

  • 58% have limited or no capability to protect confidential information adequately.
  • 33% do not have a cyber incident response plan.
  • 20% have not adopted a cyber security standard.
