2023-11-12

A cybersecurity self-assessment of 697 Australian organisations revealed that 58% have limited or no capability to adequately protect confidential information. This is despite respondents feeling confident about managing user and administrative privileges, multifactor authentication, protecting their networks, and providing cyber security awareness training.

According to Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 from the Australian Securities and Investments Commission (ASIC), 31% of participants do not have controls to prevent unauthorised transmission of confidential information, 29% of participants do not encrypt confidential information and 40% of participants do not manage their data destruction. This is particularly concerning as 42% of respondents hold an Australian financial services licence.

The survey assessed respondents’ cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents, and recovering from cyber security incidents.

ASIC warns of third-party and supply chain management risk

Another concerning finding is that 69% of participants indicated they had minimal or no capabilities in supply chain and third-party risk management. “Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” ASIC chair Joe Longo said in a statement.

Indeed, this was the case in two of the largest data breaches in Australia’s history. Medibank’s data was accessed after the attacker stole the username and password used by a third-party IT service provider. Similarly, in the case of Latitude Financial, an attacker obtained login credentials from an employee and used them to “steal personal information that was held by two other service providers”.

The survey found that medium and large organisations consistently self-reported more mature cyber capabilities than small organisations. Unsurprisingly, small organisations lagged in supply chain risk management, data security, and consequence management. A recent smaller-scale data breach—affecting 1.2 million customers—suffered by national book reseller Dymocks, in which personally identifiable information was published on the dark web, also happened through a third-party relationship. It occurred while Dymocks was changing loyalty providers: the new provider temporarily stored the customers’ data on a separate web server in order to import it, and the access keys to that server were stolen, resulting in the breach.

Additionally, 58% of participants indicated they do not test cyber security incident responses with critical suppliers. “There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,” Longo said.

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”