Cyber resilience does not just mean prevention: Survey

May 3, 2019

Each year, BDO in Australia and BDO in New Zealand, in partnership with AusCERT, measure organisations’ response to the growing cyber threat.

The BDO and AusCERT Cyber Security Survey 2018/2019 found a clear increase in cyber security awareness, a shift driven primarily from the top, due to broader regulatory requirements such as the General Data Protection Regulation (GDPR) in the European Union and the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) scheme in Australia in early 2018.

However, organisations aren't treating cyber resilience purely as a compliance exercise: the survey found a genuine commitment to rolling out awareness training and cyber security risk assessments, and the increase in risk reporting to the board points the same way.

Yet while substantial resources have gone into preventing cyber threats, not enough attention or budget has been directed at resilience, that is, at how the organisation continues to operate and recover when a breach does occur.

A global threat

Even with the most sophisticated prevention measures in place, a data breach will occur at some point. According to the World Economic Forum Global Risks Perception Survey 2019, cyber security is now one of the top global risks, standing alongside natural disasters and weapons of mass destruction. It is therefore important that every organisation has a pre-defined, concerted way to respond to cyber security incidents, and that its capacity to execute that plan is tested regularly rather than assumed.

According to the Ponemon Institute's recent Cost of a Data Breach study, the average cost to an Australian organisation of a single data breach is almost US$2 million. The non-compliance fines available under the GDPR and the NDB scheme have made the financial cost of a breach even greater, and this figure does not include the damage to brand reputation, which our survey found to be significant.

This means that when a breach does happen, organisations need to know how to respond. The survey found that proper planning and preparation for cyber incidents greatly reduced the impact on an organisation following an incident. Areas of focus should include developing and rehearsing data breach response plans and adopting cyber insurance, as these controls give businesses the opportunity to minimise the impact of a breach while ensuring it is investigated rapidly.

Although the increase in cyber security awareness is encouraging, cyber threats are also becoming more sophisticated. An effective, tested response plan is therefore essential for an organisation to be truly cyber resilient. To find out more about how businesses can build and maintain their cyber resilience over the long term, read the report in full.