Despite Widespread Data Breaches, Cyber Risk Still Not Prioritised

In 2023, MinterEllison conducted its eighth annual survey to assess contemporary perspectives on cyber risk. In both 2022 and 2023, only around half of survey respondents ranked cyber risk as a ‘top 5’ priority.

“Despite the current landscape, our findings reveal no apparent shift in the importance that organisations attribute to cyber security.

“However, as organisations face increasing exposure and risk as technology evolves, community expectations around data management grow, and regulators increase their scrutiny, organisations that regard cyber risk as a low or medium priority are vulnerable,” the law firm found.

Some of the survey results include:

  • 78% of respondents told us that they have a cyber security incident response plan in place.
  • However, only 53% had assessed their cyber security arrangements against an established framework (such as the NIST Cybersecurity Framework or the ASD Essential Eight).
  • Only 52% told us that they test or rehearse this plan regularly (at least annually).

“The threat of a cyber incident can no longer be classified as remote or novel. Cyber security and privacy by design must be embedded within the culture and planning of every organisation. Proactive and agile management and response to cyber risk are the new normal,” said Shannon Sedgwick, MinterEllison Partner.

  • 62% of respondents said that they were not confident, or only somewhat confident, that their organisation understood what data it stores, where it is stored, and who has access to it.
  • 52% of respondents said they were not confident, or only somewhat confident, about their organisation’s understanding of its contractual and regulatory obligations in the event of a data breach.
  • 51% of respondents considered that their organisation had sufficient resources to monitor and respond to its cyber security needs.

“In the last 12 months, data breaches increased in frequency and scale, driven predominantly by malicious or criminal activity. Between July and December 2022, malicious or criminal attacks comprised 70% of all notifications to the Office of the Australian Information Commissioner (OAIC).

“Australian organisations across every sector have grappled with the repercussions of compromised sensitive information, disrupted operations and reputational damage, with the health and financial services sectors particularly affected.”

The online survey was conducted between February and April 2023. Approximately 50% of respondents were legal counsel, and 20% were C-suite executives. Other respondents included IT, risk and security specialists and Board members.
