Australian orgs expect risk and security issues to worsen


By Dylan Bushell-Embling
Monday, 26 August, 2024

Ahead of the introduction of new reporting requirements for Australian critical infrastructure operators, McGrathNicol Advisory has released research finding that 89% of executives expect risk and security issues to worsen in the next 12 months.

New obligations introduced this month under the Security of Critical Infrastructure Act 2018 will require Australian organisations operating in certain sectors to submit a Critical Infrastructure Risk Management Program by 28 September. Covered industries include communications, defence, higher education and research, financial services, health care, energy and transport.

The report indicates that many organisations may be underprepared for the new obligations. A survey conducted for the report in collaboration with YouGov found that while 68% of Australian organisations name cyber risk as one of their top five concerns, 71% of respondents admitted to not conducting diligence on their key suppliers’ cybersecurity practices. In addition, 77% do not require mandatory reporting of any cyber or data breaches affecting their suppliers.

The report also found that although 87% of surveyed organisations were confident that their business has a comprehensive insider risk management program in place, fewer than a third have implemented fundamental insider risk controls.

Only 28% use a risk-based vetting and due diligence framework for employees, suppliers or contractors, and only 18% have appointed an authority that is accountable for insider risk. Meanwhile, more than half (55%) of surveyed business leaders named legal and regulatory risk as a top concern for their organisation, and 27% expect these risks to continue to increase in severity, the survey found.

McGrathNicol Head of Advisory Matt Fehon said the findings demonstrate the need for Australian organisations to get a better handle on risk.

“As the SOCI reporting deadline approaches, many Australian organisations will be required to submit risk management programs addressing areas like cyber, geopolitical, regulatory and supply chain risks for the first time,” he said. “Following a data breach, a cyber incident can rapidly escalate throughout the supply chain to customers and employees, becoming a regulatory issue with severe financial and reputational consequences.

“Too often, we see organisations react only once a risk event has occurred. But this can be costly due to the interconnected nature of risk areas. We would prefer to arm businesses with the tools to face the changing landscape of business risk head on.”


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd