A University of Queensland (UQ) study found that board directors should prioritise cybersecurity training to better defend Australian businesses from cyberattacks.
According to Dr Ivano Bongiovanni of the UQ Business School, his research revealed board members were frequently unaware of the significance of cybersecurity and were not always certain of their responsibilities or liabilities in the area.
“As the data breach at Optus this month demonstrates, no organisation is immune to cybercrime. We interviewed non-executive directors of 43 organisations about cybersecurity; a lot of uncertainty emerged in terms of current best practices or industry guidelines for cybersecurity strategies,” Bongiovanni said.
He stated that directors weren’t interested in or at ease discussing cybersecurity due to the false impression that it is an entirely technical subject.
“Considering the responsibility to oversee cyber risk management in modern organisations lies with their board of directors, an uplift of cyber-skills at the board level is necessary,” he added.
Customer information was accessed in an Optus attack, making cybersecurity failure one of Australian firms’ most significant concerns. The Australian Cyber Security Centre is cautioning enterprises to be on the lookout.
The potential impact of data breaches on Australian organisations, according to study co-author and UQ honours graduate Megan Gale, is enormous.
“A disruption to IT infrastructure could force a company to shut down, leading to financial loss or even more severe consequences. In the Optus breach, sensitive, personal customer information along with identity documents have been accessed, putting people at risk of being victims of fraud,” Gale said.
The researchers have urged all board directors to make cybersecurity training a top priority and have called for clearer regulations and reporting procedures.
“It’s not just boards of large companies that need to be better equipped in this area. Boards of small to medium-sized organisations across all sectors in Australia, including not-for-profits and community-run organisations, need to be vigilant,” Gale stated.
Dr David Stockdale, director of cybersecurity at UQ and head of AusCERT, Australia’s cyber emergency response team, said the study demonstrated that there is still work to be done before boards in Australia incorporate cybersecurity into their enterprise risk management procedures.
“As we’ve seen with Optus, cyber threats are a matter of ‘not if, but when’, and organisations must be prepared,” Stockdale stated.
He added that increased cyber risk training and regular communication between executives and their security teams would ensure the optimum course of action and prevention.