A University of Queensland study has identified a need to prioritise cybersecurity training for board directors, to better protect Australian organisations from cyberattacks like the recent data breach at Optus.
Dr Ivano Bongiovanni from the UQ Business School said his research found board directors were not always sure about their duties and liability for cybersecurity, and often did not fully understand its importance.
“As the data breach at Optus this month demonstrates, no organisation is immune to cybercrime,” Dr Bongiovanni said.
“We interviewed non-executive directors of 43 organisations about cybersecurity; a lot of uncertainty emerged in terms of current best practices or industry guidelines for cybersecurity strategies.
“There is a misleading perception of cybersecurity being a purely technical topic and directors weren’t engaged or confident talking about it.
“Considering the responsibility to oversee cyber risk management in modern organisations lies with their board of directors, an uplift of cyber-skills at the board level is necessary.”
Cybersecurity failure is considered one of the top threats facing Australian businesses, and with customer information accessed in an attack on Optus, the Australian Cyber Security Centre is warning companies to remain alert.
Study co-author and UQ honours graduate Megan Gale said the potential impact of data breaches on Australian organisations was massive.
“A disruption to IT infrastructure could force a company to shut down, leading to financial loss or even more severe consequences,” Gale said.
“In the Optus breach, sensitive, personal customer information along with identity documents have been accessed, putting people at risk of being victims of fraud.”
The researchers have called for clearer regulations and reporting practices and for cybersecurity training to be made a priority for all board directors.
“It’s not just boards of large companies that need to be better equipped in this area,” Gale said.
“Boards of small to medium-sized organisations across all sectors in Australia, including not-for-profits and community-run organisations, need to be vigilant.”
Director of Cybersecurity at UQ and the Australian cyber emergency response team AusCERT, Dr David Stockdale, said the study showed Australia has some work to do for boards to include cybersecurity in their enterprise risk management activities.
“As we’ve seen with Optus, cyber threats are a matter of ‘not if, but when’, and organisations must be prepared,” Dr Stockdale said.
“More cyber risk training and regular communication between executives and their security teams will ensure the best course of action and prevention.”
The study also involved Associate Professor Sergeja Slapnicar from the UQ Business School.