While third-party vulnerabilities remain the number one cyber risk for Australian organisations, this risk ranks low in terms of cyber investment priorities in the past 12 months, according to a survey from leading global law firm Herbert Smith Freehills Kramer (HSF Kramer).
This is despite the fact that 75% of those surveyed reported their organisation had been impacted by a third-party cyber incident in the past two years.
Now in its third year, HSF Kramer's Cyber Risk Survey captures the views and experiences of legal leaders (general counsel or equivalent) regarding cyber readiness and resilience in organisations across corporate Australia. The respondents work across all sectors of the economy, including consumer services, financial services, resources, health and energy.
AI and social engineering attacks a growing threat
Cameron Whittfield, HSF Kramer Partner and APAC Cyber Security Head, said the survey results must be read against a backdrop of geopolitical tensions, economic headwinds and a new cyber threat landscape.
"The human side of cyber risk management is being stress-tested like never before. We are seeing highly sophisticated social engineering techniques, exacerbated by the use of AI and attacks perpetuated by criminals whose first language is English," Whittfield explained.
Attackers use these techniques to infiltrate systems and then monetise the stolen data and credentials. As digital crime evolves, no one is immune – board directors, senior executives, system administrators, customer-facing representatives, procurement and IT help desk staff are all key targets, according to Whittfield.
This threat was reflected in the survey results, with three quarters of respondents attributing a perceived increase in cyber risk to new and more sophisticated technologies, including social engineering and AI.
"In the face of these adversaries, corporate Australia is confronted with two material challenges. How do we maximise our cyber risk investments? How do we avoid 'cyber fatigue'? We find these challenges are exacerbated when cyber-attacks fall out of the headlines and return on cyber investment is hard to quantify," Whittfield said.
Data governance investment often follows a successful attack
The challenge of demonstrating a clear return on investment is particularly acute when it comes to data risk management. While data risk was identified as a top cyber concern, second only to third-party risk, 63% of respondents believe their organisation would need to be impacted by a cyber-attack to meaningfully focus on their data risk management.
In a context of economic uncertainty and little regulatory guidance on what 'good' looks like, it's unsurprising that cyber-related investment proposals for challenging risks are losing out to other, more established investment priorities, including IT security infrastructure upgrades, particularly when uplift projects can be hard to scope and success difficult to measure.
But with cyber risk management now subject to complex and overlapping regulatory regimes, and vulnerabilities appearing across multiple business units, information security leaders can (and should) no longer bear sole responsibility for managing cyber risk.
Among respondents regulated by the Security of Critical Infrastructure Act 2018, nearly 90% reported the regime had influenced their approach to cyber security, suggesting regulation is a significant driver of cyber risk management uplift.
"The management of cyber risk needs to be democratised across the business. It is as much a risk for the Chief Information Security Officer, as it is for leaders dealing with data governance, human resources, procurement, legal and finances," according to Whittfield.
"We need our people to no longer feel vulnerable and instead be empowered to act as a front line of defence."
Boards and management must embed cyber in corporate DNA
Risk ownership directly influences how cyber risk is reported up to the board and, in turn, how boards engage with cyber preparedness. However, while there is increased regulatory and media spotlight on the role of boards in overseeing an organisation's cyber preparedness, 45% of respondents admitted they would not describe their boards as 'cyber mature'.
In addition, 32% don't believe their boards have a clear understanding of the delineation between board and management roles and responsibilities during incident response.
One key decision usually reserved for the board is whether or not to pay an extortion demand. However, a third of boards are still yet to form a view as to whether they are open to paying. While no one wants to perpetuate this criminal model, it is important that boards lean into this question during peacetime, before an incident occurs.
Simulations provide optimal conditions to engage with boards on these types of decisions. According to Peter Jones, HSF Kramer Partner and cyber and financial services expert, the importance of simulations is also being recognised by regulators.
"There's an expectation, whether it's explicit or implicit, that organisations should be testing incident response plans and undertaking simulation activities, particularly in and around cyber risk and resilience," he added.
Despite this, the survey results suggest there has been no meaningful shift in board participation in cyber simulations over the past 12 months. Even more troubling is that approximately half of boards have never participated in a cyber simulation exercise, according to those surveyed.
This is despite encouragement from industry bodies such as the AICD and increasing emphasis from regulators, including ASIC, on the importance of incident response testing.
The 2025 HSF Kramer Cyber Risk Survey is available here.