The general attitude in Australia towards cybersecurity has raised concerns about whether the country is falling behind global standards. In our recent chat with Mark Belfanti, our Head of Cybersecurity, he highlighted some critical issues that shed light on this topic.
Reluctance Towards Transparency
Mark Belfanti discussed the reluctance of Australian organisations to be transparent about their cybersecurity practices.
He mentioned, “The problem we’ve got is people in Australia seem to be hunkering down and going, ‘She’ll be right’ or ‘we’re not going to tell anybody about our cybersecurity practices.’”
This attitude of secrecy and non-disclosure might stem from a belief that staying under the radar can prevent potential threats. However, this approach may also hinder the overall improvement of cybersecurity standards within the country.
Investment Issues in Cybersecurity
Additionally, Mark pointed out a significant issue with investment in cybersecurity. He said, “Organisations tend to say, ‘We’re not going to advertise. We’re not going to put money into cybersecurity. We’re not going to hire people for those roles.’”
In fact, he shared, new LinkedIn data reveals that Australia’s demand for cybersecurity professionals has cooled in recent months, despite industry leaders warning that the threat of data breaches remains high.
The share of cybersecurity-related jobs posted on LinkedIn in Australia grew by 1.07% in the 12 months to May, representing a slight boost. But that is a decline compared with the compound annual growth rate of 1.4% from May 2021 to May 2024. Since the end of last year, the share of cyber jobs advertised has plateaued entirely and even started to decline, from a peak of 2.6% in December last year to 2.57% in May this year.
This lack of investment suggests that many organisations do not prioritise cybersecurity, possibly viewing it as a non-essential expense rather than a critical aspect of their operations. This reflects the ongoing struggle of CISOs and security leaders to secure adequate investment in their departments.
Boardroom Disconnect
Research from 2022 suggests that board-level buy-in to prioritising cybersecurity in Australia lags well behind global counterparts. Key findings include:
- Only 58% of Australian board members prioritise cybersecurity, the lowest among 12 countries surveyed (global average 77%).
- A mere 54% of Australian board members are confident in their board’s understanding of systemic cyber risks, placing them second to last among all countries surveyed (global average 75%). Despite this, 72% believe their cybersecurity investments are adequate.
- Half of Australian boards support mandatory reporting of material cyber attacks to regulators within a reasonable timeframe, the lowest among the 12 countries surveyed (global average 80%), while 34% oppose this requirement, the highest of all countries.
- Just over half (56%) of Australian boards discuss cybersecurity at least monthly, compared to 76% globally.
- Two-thirds (66%) of Australian boards expect an increase in their cybersecurity budget over the next 12 months, the lowest of any market surveyed (global average 87%). Additionally, 22% anticipate budget cuts, significantly higher than the global average of 5%.
Public Sector Vulnerabilities
A report on the preparedness of Australia’s public sector for major cybersecurity incidents revealed significant deficiencies.
For instance, recovery plans do not cover all critical systems, and there is a lack of regular testing for backup recoverability. This gap highlights the public sector’s lag in adopting comprehensive cybersecurity practices compared to global standards.
Australian public sector agencies are particularly vulnerable to cybercriminals due to the vast amount of sensitive data they manage.
For example, in 2024, the ATO reported experiencing 4.7 million cyber attacks each month, largely because it holds 50 petabytes of data.
A significant data breach occurred when the South Australian superannuation fund operator, Super SA, was compromised, exposing personal information of numerous individuals.
These incidents underscore the challenges faced by government entities in maintaining robust cybersecurity measures amidst an increasingly threatening cyber environment.
Value Proposition
One potential reason for this “she’ll be right” attitude, according to Mark, is a marketing challenge. He explained, “Perhaps it’s because they don’t see it as a value proposition.” The perception that cybersecurity does not add tangible value to the business might discourage companies from allocating resources towards it.
This marketing issue could be a fundamental barrier to improving Australia’s cybersecurity landscape.
Many organisations fail to recognise that robust cybersecurity can be a significant selling point, offering peace of mind to customers and enhancing brand reputation. By not leveraging cybersecurity as a marketing advantage, businesses miss the opportunity to differentiate themselves in a competitive market.
Long-term Implications
The reluctance to invest in cybersecurity and the tendency to avoid transparency could have long-term negative implications:
- Increased vulnerability to cyber attacks
- Reputational damage
- Financial losses
- Regulatory and legal consequences
- Operational disruption
- Loss of competitive advantage
- Decreased customer confidence
- Intellectual property theft
- Internal impact
- Long-term strategic setbacks
As cyber threats continue to evolve, staying behind in cybersecurity measures could leave Australian organisations vulnerable to attacks, potentially causing significant damage to their reputation and operations.
The Need for a Cultural Shift
Addressing this issue requires a cultural shift towards recognising the importance of cybersecurity. Organisations need to understand that investing in cybersecurity is not a cost but a crucial aspect of protecting their business, their people, and their customers.
Moreover, promoting transparency and sharing best practices can help elevate the overall standard of cybersecurity across the country.
In conclusion, Australia’s current attitude towards cybersecurity raises concerns about the country’s ability to keep pace with global standards.
By prioritising investment in cybersecurity and fostering a culture of transparency, Australian organisations can enhance their resilience against cyber threats and ensure they are not left behind in the digital age.