
Australian financial market falls short in cyber security

ASIC has called for firms to persevere as data suggests cyber resilience improved by roughly one-tenth of the intended target in two years.

New figures released by the Australian Securities & Investments Commission (ASIC) have suggested that Australian firms are struggling to become more cyber resilient, with the regulator stating that firms have improved by 1.4 per cent in two years.

This development, which was included in ASIC’s biannual cyber-resilience report, “Cyber resilience of firms in Australia’s financial markets: 2020–21”, is less than one-tenth of the intended growth target set in the previous report, published in 2019.

The figure also stands in stark contrast to the 15 per cent growth in cyber resilience recorded between 2017 and 2019.


However, ASIC has stated that this latest figure can be attributed to an overly ambitious target, an escalation in cyber-threat activity, and a change in priorities related to the COVID-19 pandemic – including the diversion of resources to enable secure remote working and maintaining operations as “supply chains become increasingly burdened and threatened by cyber activists”.

As per the report, this two-year period saw improvements in the management of digital assets (7.2 per cent), business environment (6 per cent), staff awareness and training (4.7 per cent) as well as protective security controls (4.5 per cent). 

It also saw the divide between small and medium-sized enterprises (SMEs) and larger firms shrink, with the former seeing an overall 6.4 per cent improvement under the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a system allowing firms to assess their preparedness against cyber attacks via five functions – identify, protect, detect, respond and recover.

SMEs reported overall increases of 12.4 per cent in “identify”, a 4.7 per cent growth in “protect”, a 1.5 per cent improvement in “detection” and a 3.7 per cent increase for “respond” compared to the previous report.  

However, 20 per cent of SMEs stated that their “recover” was either partial or risk-informed – the lowest and second-lowest ratings on the four-tier scale.


By comparison, large firms over this period reported an overall drop in their cyber-resilience confidence of 2.2 per cent, with a 3.4 per cent dip in “identify” and a decline of 6 per cent in “respond”.

This two-year period also saw increases in partial and risk-informed scores in “protect” (now at 20.6 per cent), “detect” (now at 15.9 per cent of large firms) and “recover” (now at 10 per cent). 

However, while this increase is positive for SMEs, the assessment noted that 40 per cent of SMEs rated their supply chain risk management as either partial or risk-informed. 

Speaking of the results, ASIC commissioner Cathie Armour said that firms, both large and small, are continuing to “be resilient against a rapidly changing cyber threat environment”. 

“The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services,” she concluded.

“However, the response from firms has been robust.”

