Cyber attack: ASIC exposed ‘deficiencies’ in how companies defend themselves against hackers and protect customer data

As hackers force the shut down of a key port operator, the corporate watchdog says companies have failed to learn the lessons of other high profile cyber attacks.

Australia’s corporate regulator has revealed “deficiencies in cyber security risk management” among businesses as hackers shut down one of the country’s biggest port operators, potentially crippling Christmas deliveries and igniting chaos across national supply chains.

The Australian Securities and Investments Commission said most companies are being “reactive rather than proactive when it comes to managing their cyber security”, exposing Australians to malicious threats from criminals and state-sponsored hackers.

Crucially, almost two-thirds of Australian companies have limited or no capability to protect confidential information, according to an ASIC ‘pulse’ survey based on almost 700 voluntary participants. This “significant gap” is costing Australians $42bn a year, based on the latest data from the Australian Cyber Security Centre.

The report underscores how Australian businesses have so far failed to learn the lessons of a series of high-profile cyber assaults on companies including Optus, Medibank, Toll, Nine Entertainment, Latitude Financial – and now DP World, which operates 40 per cent of the nation’s maritime freight.

The DP World attack has left about 30,000 shipping containers stranded, potentially sparking a supply shock that could push up inflation and force the Reserve Bank to raise interest rates for a fourteenth time, highlighting the risk cyber crime poses to the broader economy.

The cyber attack on DP World threatens to spark chaos across Christmas deliveries and national supply chains.

The spate of attacks has prompted new government policy to force companies to report cyber ransom demands under Australia’s first mandatory no-fault reporting system.

But the centrepiece of the Albanese government’s cyber security strategy will not ban companies from paying criminal gangs and state-sponsored offenders, despite a 45 per cent surge in global ransomware attacks this year.

Other key elements of the government’s seven-year cyber strategy include an early-warning system for ransomware attacks, a ransomware playbook and a fightback strategy targeting “thugs and criminals”.

ASIC chair Joe Longo said: “For all organisations, cyber security and cyber resilience must be a top priority.”

“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44 per cent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.

Russian cyber criminals hacked into Medibank’s customer database, leaving it with a $150m clean-up bill. Picture: Christian Gilles/NCA NewsWire

Cyber criminals hacked into Medibank’s customer database of more than nine million policyholders after buying a logon from a Russian-language website. When Medibank didn’t pay a $15m ransom, the group published a trove of personal information, including health claim data relating to pregnancy terminations, drug and alcohol abuse and various mental health conditions – leaving the insurer with a $150m clean-up bill.

At Optus, customers were exposed to financial crime after cyber criminals hacked into its customer database in September last year and published a cache of personal and identity information, including driver’s licence, passport and Medicare numbers and personal addresses.

Meanwhile, Australian Information Commissioner Angelene Falk is suing pathology group ACL, alleging it “seriously interfered with the privacy of millions of Australians” – conduct that led to hackers stealing scores of sensitive health records in February last year.

The data breach of ACL’s Medlab business wasn’t disclosed to Ms Falk for another six months, while the broader public and market were not informed until last October.

“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach,” Ms Falk said.

“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web. As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”

Optus suffered a crippling nationwide outage last week, its second reputational disaster in 13 months.

Mr Longo said competing demands for limited human and financial resources often meant small organisations lagged behind larger entities in third-party risk management, data security and adoption of industry standards.

But Mr Longo said there was a need to go beyond security alone and build up resilience.

“It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks.

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

More promisingly, 95 per cent of survey participants opted to receive an individual report offering insights on how their cyber resilience compared with that of their peers, “demonstrating a commitment to improving their organisation’s cyber resilience”.

The National Cyber Security Coordinator, Air Marshal Darren Goldie, welcomed the results of the report and acknowledged ASIC’s work to map out key gaps in corporate Australia’s cyber resilience.

“Cyber security must be a priority for us all, including individuals and businesses large and small,” he said.

“Support is available – the National Office of Cyber Security works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents. The 2023-2030 Australian Cyber Security Strategy will enable Australia to build and strengthen its cyber shields and develop our resilience to bounce back quickly.”

Original URL: https://www.theaustralian.com.au/business/technology/cyber-attack-asic-exposed-deficiencies-in-how-companies-defend-themselves-against-hackers-and-protect-customer-data/news-story/083c0a626fcff3615a7df412aae9cd81