Australian small and medium financial firms are investing in cyber security in order to develop their cyber resilience, but there is still a long way to go.
This assessment is according to Report 555 Cyber resilience of firms in Australia’s financial markets, published by the Australian Securities and Investments Commission (ASIC).
Surveying 101 Australian firms, including 29 large and 72 SMEs, the Australian corporate regulator's report revealed that larger firms demonstrated a relatively high degree of cyber resilience.
The report analysed the results of self-assessments of investment banks, market operators, post-trade infrastructure providers and credit rating agencies.
SMEs have found information risk management challenging with almost half reporting that they are currently at 'partial' or 'risk-informed' maturity – indicating significant room for improvement, according to the report.
The report explains ‘partial’ as when policies are non-existent or not formalised, and ‘risk-informed’ when policies are rarely updated and are not followed consistently.
User access management is the strongest area for SMEs with 83 per cent reporting current maturity as 'repeatable' or 'adaptive'.
‘Repeatable’ is when policies are regularly updated and measures are in place to ensure they are followed, and ‘adaptive’ when policies are always evolving with the market.
Almost 40 per cent of SMEs reported shortcomings in monitoring and detection practices. However, they are targeting a 32 per cent improvement in the next 12–18 months.
User education and awareness is another area that requires work by SMEs with only 61 per cent at 'repeatable' or 'adaptive' maturity in this area.
This is also a priority for larger firms, of which 21 per cent are in 'partial' or 'risk-informed' positions, but all firms indicated that they plan to prioritise user training and awareness going forward.
Protective IT security policies and processes are a relatively strong area for SMEs, although there is still room for improvement, especially around mobile security and removable media – where 40 per cent of SMEs reported a 'partial' or 'risk-informed' maturity level for both areas.
Significant improvements are required around incident response management, with more than 40 per cent of firms currently at 'partial' or 'risk-informed' maturity.
The common theme is a lack of formalised processes. The same applies to larger firms according to the report.
“Cyber resilience is now widely regarded as one of the most significant concerns for the financial markets sector and the economy at large,” ASIC commissioner, Cathie Armour, said.
“While our report shows greater engagement by firms on the issue, there is disparity between firms and insufficient investment in cyber resilience measures.
“Cyber resilience is not just an IT issue but one that requires a whole-of-organisation response. The dynamic nature of cyber threats requires a comprehensive and long-term commitment to cyber resilience by all organisations operating in the Australian economy."