NewsBite

AICD study reveals critical gaps in cyber risk training and awareness at board level

Cybersecurity looms as the top-ranking issue keeping company directors awake at night but there are critical gaps in risk training and awareness at the board level.

Forecasts show Australia will need nearly 17,000 more cybersecurity professionals by 2026. Picture: iStock
The Australian Business Network

Cybersecurity looms as the top-ranking issue keeping company directors awake at night but there are critical gaps in risk training and awareness at the board level, according to a new study by the Australian Institute of Company Directors.

The study, produced with the Australian Information Security Association (AISA), found gaps in implementing cybersecurity frameworks and strategies, with board members lacking cyber risk training despite cyber attacks increasing in both prevalence and sophistication.

Damien Manuel, chair of the AISA, said the results suggest many Australian boards need to set higher expectations around the information they receive from management, specifically around cyber practices.

“The pandemic has pushed many organisations to digitally transform without the appropriate level of information and data governance and oversight. Boards need to rapidly increase their ability to respond to cyber incidents that adversely impact the organisation’s reputation, staff, trust with customers and suppliers,” he said.

AISA chair Damien Manuel.

“Cybersecurity should be seen as a business enabler and not as a stand-alone function. It should be integrated at a people, business process and technology level. At the end of the day, it’s a risk we need to manage in our personal and work lives.”

Recent cyber attacks on local firms include a major offensive against JBS Foods, which shut down Australian abattoirs, and Toll Group, which was hacked and shut down twice in 2022.

The AICD’s survey found that only 44 per cent of directors indicate receiving training in cyber risk and even fewer (23 per cent) have appointed directors with cyber skills.

Only 39 per cent of directors say they have made cybersecurity a specific focus of a board committee and 36 per cent of directors say they receive regular reporting on internal training and testing.

Forecasts show Australia will need nearly 17,000 more cybersecurity professionals by 2026.

More than 850 directors were surveyed for the Boards and Cyber Resilience study, which found that 72 per cent of respondents say cybersecurity is a “high priority” issue for their board.

“Directors are awake to the risk of cyber attacks but that awareness needs to translate into action at a board level to ensure proper oversight of cyber issues,” AICD managing director and CEO Angus Armour said.

AICD managing director and CEO Angus Armour. Picture: Britta Campion

“These results suggest that many boards need to set higher expectations around the information they receive from management to have effective oversight of cyber practices.

“As well as receiving regular reporting on cyber strategy and cybersecurity policies, boards that are advanced in cyber governance practices are making cybersecurity a specific focus of a board committee and undergoing dedicated director training.”

It comes amid data from PwC’s global risk survey showing business leaders are increasingly stressed about cybersecurity as they scramble to adjust to “Covid-normal” amid interest rate hikes and supply chain disruptions.

The data shows Australia’s business leaders are more concerned about cybersecurity risks than their global counterparts (32 per cent versus 20 per cent).

Local leaders rated cybersecurity risks more highly on their “risk radars” than pandemic impacts, economic volatility, or climate change. Cyber risk ranked as the number one risk to revenue growth, followed by business operating model, geopolitical risks, talent and people.

The report also found that while attracting and recruiting talent is a big issue for Australia’s business leaders, it’s a much lower priority for global leaders and does not even make it on to the global top five concerns.


Original URL: https://www.theaustralian.com.au/business/technology/aicd-study-reveals-critical-gaps-in-cyber-risk-training-and-awareness-at-board-level/news-story/3fff7469abbf6a37cbfe8ff6013ec97f