Businesses in the dark: McAfee survey reveals disconnect in cybersecurity culture and cyber resilience


New research shows 35 percent of Australian respondents don’t feel their organisation is cyber resilient, despite most (87 percent) saying cybersecurity decisions are made at the board or executive level or security is always included during decision making processes.

Research highlights:

  • More than 4 in 5 (87 percent) of Australian respondents described their organisation’s cybersecurity culture as ‘strategic’ or ‘embedded’ within their organisation
  • Over a third (35 percent) of Australian respondents don’t feel their organisation is cyber resilient
  • Members of the C-Suite in Asia-Pacific are more likely to believe their organisation is cyber resilient (79 percent), compared to 66 percent of department heads/line of business and middle management
  • Only 16 percent of Australian organisations believe cybersecurity incidents have a ‘high’ impact on the business
  • In Asia-Pacific, businesses from Australia have the lowest appetite (78 percent) to invest in cybersecurity technology and services despite regulations impacting their organisation

McAfee has released findings from its Asia-Pacific cyber risk and resilience research. It found Australian organisations have the least familiarity with the concept of cyber resilience when compared with their Asia-Pacific counterparts, despite the evolving and highly sophisticated threat landscape.

The McAfee Cyber Resilience Report (MCRR), which surveyed 480 cybersecurity decision-makers across eight Asia-Pacific countries including Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, Singapore and Thailand, showed just 73 percent of Australian respondents are familiar with the concept of cyber resilience, compared to 97 percent of Indians and 95 percent of Indonesians.

The results show 27 percent of Australian respondents describe their organisation’s cybersecurity culture as ‘strategic’ (meaning decisions are made from the top), while 60 percent believe cybersecurity is ‘embedded’ (meaning security is always included in the decision-making process) within their organisation.

Notably, despite the fact Australian respondents demonstrated a strong culture of cybersecurity, over a third (35 percent) of Australian respondents still don’t feel their organisation is cyber resilient.

According to Joel Camissar, Regional Director, MVISION Cloud, Asia-Pacific, McAfee, “An impressive 87 percent of organisations are taking the right steps towards building a solid culture of cybersecurity. However, this isn’t translating as it should into an adequate level of cyber resilience with our Australian respondents. This indicates a disconnect between the priorities and investment required to build cyber resilience, and the decisions made at the board level.

“Organisations that don’t put cyber resilience at the forefront of their approach to security expose networks and infrastructures to an expanding range of cyber risks, gifting cybercriminals the opportunity to exploit clear gaps in their security posture,” says Camissar. “The survey found 55 percent of Australian respondents named data breaches as one of the top three cyber risks. To truly combat this, cyber resilience has to become a higher priority for Australian organisations.

“While having effective technology and security tools in place is an important piece of the puzzle, cyber resilience is not a technological capability alone – it’s an organisational one. A core ingredient to being cyber ready involves empowering business leaders to minimise business down-time, while responding to a cyberattack at the same time,” he adds.

Investing in cybersecurity

In Asia-Pacific, 15 percent of Australian respondents said they’re not planning to invest more in security, despite 75 percent saying cybersecurity regulations impact their organisation. Australia has one of the lowest levels of investment in the region, compared to the two percent of Indian respondents who are not planning to invest more in security due to regulation.

“The heightened regulatory environment in Australia, highlighted by the introduction of the Notifiable Data Breaches scheme in the last two years, means businesses cannot afford to deprioritise their investment in cybersecurity,” says Camissar.

Australian organisations cited ‘culture, education, and awareness’ as the lowest investment priority to improve cybersecurity maturity. “In the latest Notifiable Data Breaches Statistics Report from the Office of the Australian Information Commissioner, human error accounted for one third (34 percent) of data breaches, from April to June, that allowed hackers access to information. Clearly, there is much work to be done to change the emphasis that Australian organisations place on cybersecurity education and awareness in the workplace,” continues Camissar.

Risky perceptions of cyber incidents

One in six (16 percent) Australian respondents believe cybersecurity incidents have a ‘high’ impact on the business, and a concerning 18 percent believe cybersecurity incidents have a ‘low’ impact on the business.

“While some Australian respondents feel in better control of their cybersecurity response, it’s risky to lose sight of the dire financial, reputational and operational impacts a cyber incident can have both in the short and long term,” Camissar said.

When asked whether they could put a cost on their recent cyber incidents, Australian organisations were well behind their counterparts, with just 46 percent able to quantify the financial impact. By contrast, companies in India (91 percent), Malaysia (85 percent), and Thailand (83 percent) were more confident they could measure the cost of a data breach.

The 46 percent of Australian survey respondents who could place a cost on cybersecurity incidents in the past 12 months believe the estimated average cost is approximately $332,044.