
Beyond cyber: The changing landscape of security risk

(Sponsored Article)

By Matt Grant, Partner at McGrathNicol Advisory 

A well-run enterprise security risk management function underpins Australian businesses’ ability to securely transact with the world. In 2024, for the second year running, McGrathNicol Advisory has published a survey on the changing landscape of business risk based on responses from over 300 Australian business leaders.

Over the last eight years, the Australian government has increased the obligations on organisations to mature their security risk management frameworks and practices through legislative and regulatory changes. Even for organisations not directly captured, these regimes set out what we consider best practice: frameworks that, if adopted and maintained, would leave organisations well prepared for the constantly evolving security threat landscape.

McGrathNicol Advisory’s 2024 report, ‘The changing landscape of business risk’, identified increasing awareness among business leaders of enterprise security risks, including cyber, geopolitical, insider and supply chain risks. However, while awareness is growing, organisations are still struggling to understand the intrinsic connections between these risks, bring them together in a coherent manner, and implement robust security risk management procedures and practices. With regulators signalling an increasing willingness to operate in enforcement mode, Australian organisations must urgently identify and address enterprise security risks.

Australia’s enterprise risk regulatory framework

Over the past eight years, the Federal Government has driven a program of legislative and regulatory change focused on encouraging Australian businesses to uplift their security maturity. This has placed security at the forefront of executives’ and board members’ minds, driving better security practices across the broader business community.

In 2018, the Federal Government’s Telecommunications Sector Security Reforms recognised the significant role that telecommunications networks play in the Australian digital landscape. The reforms placed broad obligations on telecom carriers and carriage service providers to “do their best to protect telecommunications networks and facilities from unauthorised interference, or unauthorised access, for purposes of security.”

Also in 2018, the Australian Government passed a broad-ranging National Security Legislation Amendment Act which enhanced Australia’s ability to prosecute espionage and foreign interference offences. The amendment was driven by foreign interference concerns and aimed, in part, at reducing exposure to foreign state-backed insider risk within Australian organisations. Paired with this amendment was the Foreign Influence Transparency Scheme Act 2018, which requires the disclosure of certain actions undertaken on behalf of foreign principals.

The same year, the Government passed the Security of Critical Infrastructure Act (SOCI). This created a framework for regulating the security risk management approach of a subsection of Australian industries deemed critical to the nation’s security. Subsequent amendments in 2021 and 2022 expanded on this framework. A further amendment is currently under review in Parliament.

More recently, enhanced cyber security protocols have been introduced in response to high-profile ransomware attacks and data breaches against Australian businesses. The Government has published a series of successive cyber security strategies in 2016, 2020, and most recently, a strategy spanning 2023 to 2030. In 2023, Australia’s inaugural National Cyber Security Coordinator was also appointed. The Cyber Security Bill 2024, which includes further amendments to the SOCI Act, is currently under consideration by Parliament, suggesting an appetite for the continued uplift of security obligations.

Continued legislative and regulatory reforms demonstrate the Australian government’s focus on developing frameworks and incentives for a growing range of industry sectors to mature their security risk management frameworks and practices. These frameworks address the various pillars of a foundational security program. The SOCI Act, for example, requires organisations to have a Critical Infrastructure Risk Management Program which is specifically required to manage material security risks across a range of hazard vectors. Organisations need to consider physical security and natural hazards, information and cyber security, personnel security, insider risk, and supply chain security, as well as associated corporate governance.

Results of our 2024 Risk and Security survey

Cyber security incidents continue to capture the headlines, with cyber risk now ranking as the number one concern for business. This is up from second place in 2023, behind financial risk. But the conversations that boards and executives are now exploring canvass a broader range of security issues than simply cyber risk.

According to the McGrathNicol report, 89 percent of surveyed executives believe that risk and security issues will worsen in severity over the next 12 months – a 31 percent increase from 58 percent in 2023. These concerns are likely driven by recent high-profile attacks and breaches, as well as consistently high rates of (often undisclosed) ransomware attacks on Australian businesses.

Despite the high concern regarding cyber risk, almost three quarters of surveyed business leaders have no intention to revisit their crisis and business continuity plans. Where we see organisations successfully manage cyber crises is when they have connected their operational cyber risk management and incident response processes to an executive and board-level cyber crisis management plan. Cyber incident tabletop exercises can be a powerful tool aimed at the operational, executive and board levels. We find that these exercises typically drive increased senior level engagement and support for operational cyber team objectives and outcomes.

We are also seeing business leaders have more sophisticated and nuanced conversations around supply chain risks. Encouragingly, 80 percent of enterprise risk management programs now include supply chain risk as a core pillar. However, a troublingly low proportion of respondents acknowledged the role of counterparties and insiders as drivers of risk within their supply chains – a mere 7 percent of respondents were focused on insider risk in the supply chain, and only 6 percent on counterparty risk. Understanding the interconnected nature of these risks is a critical first step to incorporating better security risk management practices. Again, regular tabletop exercises that test incident scenarios in the upstream and downstream supply chains are a great method to test supply chain resilience and ensure crisis preparedness.

Awareness of insider risk as a driver of enterprise security risk remains low. While 87 percent of surveyed organisations were confident that their business has a comprehensive insider risk management program in place, less than a third of businesses have implemented some of the most fundamental insider risk controls – with only 18 percent appointing an authority accountable for insider risk. Crucially, 82 percent of surveyed organisations identified that they were covered under the SOCI Act. This means that they are legally required to take an “all-hazards approach” to risk management which considers insider risk or personnel security as a key hazard vector.

Not unexpectedly, given the volume of cyber-enabled security incidents in the last few years, we consistently see organisations focusing resources on cyber security risk management. However, they often neglect the risks posed by negligent, malicious and sometimes state-backed insiders within their own organisations. Threat actors are well aware of these blind spots, and a sophisticated threat actor will pivot rapidly from targeting an organisation via cyber vectors to exploiting its people or supply chains.

Business leaders understand that the threat environment is driving these emerging risks but they struggle to comprehend and connect the dots between these complex risks. In our view, Australian businesses undervalue geopolitical risk as a leading indicator of other enterprise risks. By investing in understanding their geopolitical risk exposure and considering the possible ‘flow-on’ effects of geopolitical events, organisations can pre-empt the next supply chain disruption or uptick in targeting by advanced persistent threat actors. For example, at the time of writing, a second Trump administration has proposed the introduction of significant new tariffs targeting Chinese-made goods if re-elected. This could reinvigorate trade disputes and directly impact Australian businesses – including the 63 percent of agriculture sector organisations who listed this prospect as a concern in our survey. Despite this, only 9 percent of organisations were preparing for changes following the upcoming US election when we conducted our survey in April 2024. Similarly, rising tensions in the South China Sea between Chinese and Philippine coast guard fleets could lead to shipping disruptions if an incident occurred – and Philippine President Marcos Jr. has stated that his government would regard the killing of a Philippine citizen as a “red line”. Australian businesses should consider how geopolitical events may impact their enterprise risk profile – and then monitor for signs that these events are occurring.

Despite awareness of these emerging risks, executives say that they find it difficult to choose appropriate risk frameworks and to ensure that these are fully integrated across their business. This is where the SOCI Act provides a great approach for security risk management best practice. The SOCI principles acknowledge that all threat vectors are critical to a business’ security. The SOCI legislation asks organisations to consider risks as a unified whole instead of splitting them into silos. In our experience, this approach helps boards to understand the importance of a more comprehensive approach. When faced with increasing volatility and rising risks, risk management can sometimes feel like a game of ‘whack-a-mole’. The SOCI approach helps to ameliorate this.

Changing regulatory approach

The McGrathNicol Risk and Security Report findings should serve as a wake-up call for CFOs and executives. Failure to address and prevent these risks could potentially lead to operational disruptions, financial losses, as well as new legal and regulatory penalties.

The risks of not addressing security issues have been well publicised after recent cyber incidents. Following the 2022 Optus data breach, the Australian Communications & Media Authority (ACMA) brought a legal action against the company, and the Office of the Australian Information Commissioner launched an investigation into the company’s personal information handling practices. ASIC chairman Joe Longo has also warned that the regulator will be looking to hold directors responsible for cyber attacks where they have breached their duties, noting that “if things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps”. The Australian Government’s newly tabled Cyber Security Bill 2024 further introduces cyber obligations for companies, including ransomware reporting obligations for critical infrastructure and penalties for non-compliance.

To counter this, CFOs must be brought into risk conversations early on and work with their risk colleagues to assess the effectiveness and return on investments to date. Organisations often react only once an incident has occurred. This approach can be costly, and we prefer that businesses be prepared with the tools to confidently face the changing landscape of enterprise risk head on.

Matt is a well-regarded operational and strategic enterprise security risk expert and forensic investigator, with more than 27 years’ experience.  