Author: Vaughan Stemmett

As cyber attacks continue, cyber risk has become one of the top enterprise-wide risks facing entities. Entities need to remain vigilant and governance committees need to ensure they understand the impact of cyber risk on business strategy.

Entities and governance committees should consider cyber threats as part of their risk management and governance framework, with risk registers reflecting the potential risk of cyber attacks on key assets and business processes.

Entities that operate critical infrastructure—such as rail, ports, water, and electricity networks—should check and re-check their security arrangements. QAO’s performance audit Traffic management systems (Report 5: 2013–14) identified that the systems managing traffic-critical infrastructure in Brisbane’s metropolitan area were demonstrably not as secure as they should have been, and were susceptible to targeted attacks. Our ability to successfully penetrate some components of the systems meant that the risk of unauthorised access was unacceptably high at that time.

A recent Australian National Audit Office report, Cyber Security Strategies of Non-Corporate Commonwealth Entities (Report No. 32 2020–21), noted that government departments and agencies reported 436 cyber security incidents to the Australian Signals Directorate in 2019–20. The most common type reported was ‘malicious email’/phishing as a means of obtaining initial access into a network. This was followed by ‘compromised systems’, where unauthorised access had been gained to a network, account and database.

Furthermore, recent articles from the Australian Financial Review (April 2021) identified that:

  • cyber attacks on computer systems disrupted more than half of Australian businesses in the past 12 months, and they lost, on average, four days of productivity in attempts to get back online
  • more than half of businesses hit by ransomware cyber attacks paid their attackers, but a quarter of those did not get their data returned
  • 95 per cent of chief executive officers cited cyber risks as the top threat to business growth this year.

Governance committees have an important role in ensuring that their entities have appropriate cyber security defences. They should lead governance and policy to strengthen cyber resilience.

Cyber awareness should become an agenda item for governance committees, not just the chief information officer, with the ultimate goal of integrating cyber risk discussion into the discussion of overall operational risk.

The following table provides entities and governance committees with questions to consider in managing cyber security risks.

Questions to consider

  • Do we know what our mission critical assets are and where they are located?
  • Do we know who has access to these critical assets, who is responsible for protecting them and how well they are protected?
  • Do we know what our compliance obligations are and the implications if we are in breach of our obligations?
  • What level of cyber security risk is considered acceptable and do we understand the real impact of cyber risk in business terms, such as business interruption or impact on product/service quality or reputation?
  • How does our cyber risk program align to industry standards and peer organisations?
  • How do we ensure we gain sufficient information and knowledge about cyber risk?
  • Has our data been properly classified?
  • Do we know how to respond to a cyber security incident?
  • What level of cyber liability insurance is necessary and what should it cover?
  • How secure are our supply chains and what controls are in place to monitor cloud and supplier networks, as well as software running on company devices such as mobile devices?
  • Do we have a patch management policy and how often are patch management processes reviewed?
  • How is the information technology function changing its strategic priorities in the short, mid, and long term and are resources sufficient to achieve these priorities?

We encourage entities and governance committees to undertake a self-assessment of their risk assessment processes and governance arrangements to ensure they have the right control environment and culture regarding cyber security risks.
