- 60% of Australian organisations will increase their cyber budget in 2023
- 90% reported public information sharing and transparency was a risk that could lead to a loss of competitive advantage
- 81% felt new requirements for mandatory disclosures of cyber incidents to investors or national cyber authorities would discourage sharing information with law enforcement
- Cyber criminals and insider threats identified as the top two threat actors most likely to significantly impact Australian organisations
- Australian organisations are more reactive in their approach to cyber disruption, with 63% invoking plans post-incident and focusing on recovery and remediation
- Just 37% (53% globally) reported taking an anticipatory and preventative approach by assuming incidents will occur and embedding mitigations accordingly
AUSTRALIA – In an age of growing transparency, with consumers increasingly concerned about how their data is stored and used, domestic results indicate that Australia is lagging behind its global counterparts, according to local data released today from PwC’s 2023 Global Digital Trust Insights Survey.
The survey examined the views of more than 3,500 CEOs and other C-suite executives globally, including Australia.
Of particular concern were attitudes towards public information sharing and transparency, with 90% of Australian respondents reporting it was a risk that could lead to a loss of competitive advantage, compared to 70% globally. Furthermore, 81% felt new requirements for mandatory disclosures of cyber incidents to investors or national cyber authorities discourage them from sharing information with law enforcement authorities, compared to 64% globally.
PwC Australia Cybersecurity and Digital Trust Leader Rob Di Pietro said stakeholders are clamouring for more information about how companies manage their cyber risk exposure.
“Regulators want visibility into cyber practices because they want to protect citizens from fraud and loss of privacy, help investors make better decisions and prevent industry or system-wide disruptions. Investors are looking for consistent and comparable disclosures so they can put their money in companies that fit their needs. Cyber incidents can affect shareholder value, temporarily or permanently.
“As cyber threats continue to increase in frequency and sophistication, cybersecurity should be seen as a team sport – it should not be siloed within departments or organisations. To build a truly inclusive and holistic cybersecurity culture, entire organisations must be taken on the transformation journey, which the C-suite should lead. Cybersecurity uplift must be expressed as an opportunity, not a burden, and ultimately a vehicle to help organisations achieve their goals.”
Eighty-nine per cent of Australian respondents agreed mandatory disclosures of cyber incidents requiring comparable and consistent formats were necessary to gain stakeholder trust and confidence (79% globally). In addition, organisations want the government to help set standards, with 90% of respondents stating they expected the government to develop cyber techniques for the private sector, based on the knowledge base built from mandatory disclosures of cyber incidents (75% globally).
Dealing with data
The top three policies or practices related to management and governance of customer data identified by Australian organisations included following an opt-in, privacy-first strategy in our marketing efforts (83%); vetting all the third parties and partners with whom we share customer data (82%); and using the newest techniques to pseudonymise our customers’ data (81%).
Mr Di Pietro said, “Data is valuable to organisations and cyber criminals alike – some have called it the ‘new oil’ – and it is increasingly being commoditised. Australian businesses are becoming adept at using data to better understand what customers want and give it to them and it is now part and parcel of customer-centric digital transformation.
“However, to capture lasting value from this transformation, companies need to process and manage data and algorithms intelligently and efficiently. At the same time, security, ethical and privacy concerns need to be front and centre, in lock-step with regulatory compliance.
“Recent high-profile data breaches have shown that more than ever before, customers expect that their data is effectively protected and, when it is no longer required, is not retained. Business must be alive to this trend, which will only become more important in Australia as changes to the Privacy Act are implemented. Customer consent and privacy must be taken seriously.”
Cyber threat actors have also leveraged digitisation
Australia’s C-suite put cyber criminals at the top of the list of threat actors most likely to significantly affect their organisation in 2023 (67%), in line with global trends (65%). However, unlike their global counterparts, Australian respondents also expect insider threats and competitors to present a significant challenge (58% and 57% respectively, compared with 44% and 42% globally), according to local data released today from PwC’s 2023 Global Digital Trust Insights Survey.
Third-party providers (46%), web applications (44%) and mobile devices (43%) were reported as the top three pathways adversaries would use to gain access to business systems in 2023, with the key threat vectors predicted to be attacks against cloud management interfaces (39%), software supply chain compromise (37%), intellectual property theft for commercialisation (33%), and attacks on industrial internet of things (IIoT) or operational technology (OT) (33%).
Communicating with key stakeholders
In communicating cyber to priority stakeholders, Australia’s top three targets over the next year were CEOs, regulators for consumer protection and value chain participants. One discrepancy stood out: boards ranked first globally but fifth in Australia.
“This result is surprising given the key role boards must play in setting the cyber agenda, as well as the increasing responsibility Australian directors bear under regulation in relation to cyber posture. Therefore, it is advisable Australia’s C-suite engage better with their boards, and make this engagement a priority,” said Mr Di Pietro.
While cybersecurity presents significant challenges for Australian organisations, it also offers opportunities. Building trust – with customers, the community and shareholders – is central to harnessing the opportunities presented by digital transformation, and creating a cybersecurity culture lies at its heart. This culture must be driven from the top, by the C-suite.
“Our report shows Australia’s C-suite is on the right track, but there is still a lot of work to do. And this work will inevitably be occurring against the backdrop of an evolving regulatory landscape, new and sophisticated threat vectors and budgetary constraints. Therefore, the key takeaway for our nation’s C-suite when it comes to cyber must be to work smarter and hit the message home harder,” concluded Mr Di Pietro.
Notes to editors
To request an interview with Rob Di Pietro, Cybersecurity and Digital Trust Leader at PwC Australia, please contact Christine Kardashian on 0416 005 703 or email@example.com.
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 152 countries with over 327,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.au.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
© 2022 PwC. All rights reserved.