Australian financial-services companies fall short of cybersecurity goals

Companies continue targeting supply-chain risk after two years of little improvement in achieving resilience to attacks.


Cybersecurity practices in Australia’s financial sector have improved marginally but are still falling far short of expectations, according to the latest in a series of ASIC audits that is tracking the maturity of cybersecurity controls in the critical industry sector.

Many companies had “overly ambitious targets” for improving their cybersecurity posture when ASIC conducted its last audit, the organisation concluded in its “Cyber Resilience of Firms in Australia’s Financial Markets: 2020-21” review, noting that the overall 1.4% improvement in reported cybersecurity resilience was well short of the 14.9% target those organisations had set for themselves in the previous review.

The national financial regulator also flagged the impact of an overall escalation in the threat environment during 2021, as well as the “reprioritisation” caused by the ongoing COVID-19 pandemic that had “caused firms to reassess priorities and divert resources to firm up the resilience of critical business activity” around secure remote working and supply-chain risks.

Interestingly, small and medium-sized businesses reported an overall 3.5% improvement in their cybersecurity resilience, leading ASIC to conclude that they are “continuing to close the gap on larger firms”, which actually saw confidence drop by 2.2%.

Participants reported overall improvements in areas including the management of digital assets, business environment, staff awareness and training, and protective security controls—with 90% reporting stronger user and privileged access management, and 86% saying they have a mature cybersecurity incident response plan in place.
