The results of the Australian Securities and Investments Commission’s (ASIC) cyber pulse survey show that most companies are not investing in preparing for an attack: in reducing the likelihood and impact of an incident, and in streamlining recovery after the event.
The survey covered businesses in general, not just the financial sector, as in previous surveys, providing some interesting insights into how companies address the increasing cyber-attack threat.
Taking a holistic view of the cyber threat, the survey asked about incident response and recovery, along with governance, risk management, and the identification and protection of information assets. You can download the full report from the ASIC website.
The results show that companies are improving at detecting and responding to cyber-attacks. However, these results also demonstrate that organizations must think holistically and not just focus on detection and response.
The implication is that senior management and Boards are still not treating cybersecurity as a critical risk to the business that requires a comprehensive plan.
At a strategic level, the results show businesses are:
- ‘More reactive than proactive’ in managing their cybersecurity, particularly in understanding the risks within their environment before an incident occurs, and
- failing to test their cyber response plans.
Tactically, the main areas of concern are:
- Failure to manage supply chain/third-party risk
- Security of critical and sensitive data
- Managing the consequences of a breach
- Lack of adoption of cybersecurity standards
Let’s explore some key findings and recommendations, and I will also provide some opinion and insight along the way.
Managing supply chain risk
69% of those surveyed had no or only minimal ability to manage third-party or supply-chain risk. ASIC cites the recent MOVEit vulnerability, which is still claiming victims globally, as an example of third-party risk.
In many cases, respondents did not have visibility into the risk position or the controls that third-party suppliers had in place.
These results are in line with those of Australian Prudential Regulation Authority's (APRA) cybersecurity stocktake.
We agree that this is a considerable risk for all organizations, which are increasingly dependent on cloud services for information management and processing. Customers of cloud services need to hold their suppliers more accountable for the security of the information stored with them.
Map out the lifecycle of critical or sensitive information and identify each point at which a third party handles it. Don’t allow a third party to manage your data unless it can demonstrate the controls it has in place to secure it, for example through an independent assurance report (such as a SOC 2 Type 2 report) or a contractual right to audit.
Lack of independent audit of security controls, especially for smaller organizations
33% of smaller organizations do not benchmark or audit themselves against industry standards (e.g., SOC 2 Type 2, IRAP, or ISO 27001).
For smaller organizations, ASIC recommends applying the Australian Cyber Security Centre (ACSC) ‘Essential Eight’ as a good starting point to begin that journey.
While the Essential Eight is a good start, there is a real lack of affordable independent security control audit options for SMEs in the Australian market.
For SMEs that cannot afford the more expensive certifications, we would like to see something like the UK Government’s Cyber Essentials scheme, where a business submits an online self-assessment that a third-party auditor then validates. While not as comprehensive as a full third-party audit, it is a better solution than guidelines alone.
Understanding the flow of information assets between systems
Although most organizations surveyed are effective in identifying key business critical and sensitive information assets, there is a lack of visibility of how these assets are stored and how information flows between systems. This creates a risk of ‘distributed and unprotected confidential information.’
Mapping and understanding where critical information is stored and if it has been moved somewhere insecure is vital to reasonable information security management. Many RecordPoint customers use our platform to audit and understand the location of their information assets, particularly sensitive information that may contain confidential or Personally Identifiable Information (PII).
Increasingly, information rapidly moves from system to system. Keeping track and identifying content stored in ‘the wrong place’ is crucial to modern information management.
Limited protection of confidential information
The survey found that most organizations are confident in their identity and access management controls (user management, privileged/admin users, deploying MFA, etc.), but this is only part of the picture when it comes to protecting information.
Beyond inconsistent adoption of encryption (29% do not encrypt sensitive data) and of controls against information leaving the organization (31% have no data loss prevention (DLP) controls), the most disturbing finding was that 40% of organizations have no data retention or destruction policies or processes.
It was encouraging to see ASIC call out data retention as a concern. Proper information lifecycle management, including data disposal, is central to effective cybersecurity. Several recent breaches have demonstrated the dangers of failing to manage information assets from creation to destruction. In the Optus example, many ex-customers complained that their personal information was exposed even though they had ceased being customers many years before.
Following good information and records practice reduces your exposure. Bad actors can’t expose data that you don’t have!
Detecting cyber security events
There is positive news in this area, with most organizations showing increasing maturity in monitoring for suspicious activity, vulnerability scanning, and patch management.
The primary advice is for organizations to invest in automation to improve these areas and reduce the period when suspicious activity goes undetected or unpatched assets are vulnerable.
While encouraging that organizations are taking these technical controls seriously, it is notable that IT organizations still take a narrow ‘technical’ view of cyber security controls rather than the more holistic information asset-centric approach that is required, particularly with the dominance of cloud services in most organizations’ IT strategy.
Incident response and recovery need executive buy-in
While most respondents have a well-defined incident response plan, the survey found that 35% had not tested it, which suggests a lack of senior executive ownership and support. It is also surprising that, with increasing reliance on third parties, there was inconsistent consideration of suppliers and other third parties when managing security events.
When it comes to recovering after an attack, around a third of organizations did not have a recovery plan to follow after an incident.
The implication is that many organizations still don’t have senior management buy-in for their cybersecurity plans, leading to programs that are designed just to ‘tick the compliance box’ rather than being a tested and verified process.
The ‘perception gap’ regarding whether third parties and suppliers are considered part of the Incident Response Plan is consistent with the broader theme of a failure to think holistically.
Post-incident recovery was focused on ‘technical recovery,’ missing crucial non-IT aspects: reaching out to support those affected by an incident, being transparent, and communicating with regulators and other stakeholders.
There is still work to be done
Organizations that are the most effective at managing cyber risk are those that treat cybersecurity as more than just a technical IT problem.
Good cybersecurity practice also considers information lifecycle management, people management, external communications, and demanding leadership from senior executives and the Board.
The survey results show there is still work to be done to effectively manage the existential threat of cyber attacks and build resilience into how organizations prepare and react.