Study finds cybersecurity skills gaps on boards

As the backlash continues over a data breach at Optus that has potentially compromised the details of 9.8 million current and former customers, a University of Queensland (UQ) study has identified shortcomings on boards more broadly when it comes to handling cybersecurity.

The study undertaken by Dr Ivano Bongiovanni, Megan Gale and Sergeja Slapnicar found "boards are not nearly as engaged in cybersecurity as they are in other areas of oversight", with a frequent over-reliance on a single board member with cyber experience.

After conducting interviews with 18 non-executive directors from 43 organisations, the researchers found board members were not always aware of their duties and liabilities surrounding cybersecurity, and often did not understand its importance.

Dr Bongiovanni says a lot of uncertainty emerged during interviews around current best practices or industry guidelines for cybersecurity strategies.

"As the data breach at Optus this month demonstrates, no organisation is immune to cyber-crime," he says.

"There is a misleading perception of cybersecurity being a purely technical topic and directors weren’t engaged or confident talking about it.

"Considering the responsibility to oversee cyber risk management in modern organisations lies with their board of directors, an uplift of cyber-skills at the board level is necessary.”

Cybersecurity failure is considered one of the top threats facing Australian businesses, and with customer information accessed in an attack on Optus, the Australian Cyber Security Centre is warning companies to remain alert.

Following the Optus breach announced on 22 September, Law firm Slater & Gordon (ASX: SGH) is also investigating a potential class action over what its senior associate Ben Zocco describes as "potentially the most serious privacy breach in Australian history" with very real risks created by the disclosure of personally identifiable information such as addresses and phone numbers.

Study co-author and UQ honours graduate Megan Gale affirms the potential impact of data breaches on Australian organisations is massive.

“A disruption to IT infrastructure could force a company to shut down, leading to financial loss or even more severe consequences,” Gale says.

“In the Optus breach, sensitive, personal customer information along with identity documents have been accessed, putting people at risk of being victims of fraud.”

The researchers have called for clearer regulations and reporting practices and for cybersecurity training to be made a priority for all board directors.

“It’s not just boards of large companies that need to be better equipped in this area,” Gale says.

“Boards of small to medium-sized organisations across all sectors in Australia, including not-for-profits and community-run organisations, need to be vigilant.”

Director of Cybersecurity at UQ and the Australian cyber emergency response team AusCERT, Dr David Stockdale, says the study shows Australia has some work to do for boards to include cybersecurity in their enterprise risk management activities.

“As we’ve seen with Optus, cyber threats are a matter of ‘not if, but when’, and organisations must be prepared,” Dr Stockdale says.

“More cyber risk training and regular communication between executives and their security teams will ensure the best course of action and prevention.”

In May, a former subsidiary of ANZ Bank (ASX: ANZ), RI Advice, was ordered to pay $750,000 in legal fees to the corporate watchdog in relation to nine cybersecurity incidents over a six-year period. An investigation had revealed authorised representatives did not have up-to-date antivirus software installed on their computer systems, which also did not filter or quarantine suspicious emails and lacked back-up systems. Poor password practices were also rife.

It is an issue that was also raised by Board Matters managing director Jennifer Robertson in a webinar hosted by Business News Australia in partnership with OnBoard by Passageways, titled How effective is your board? Building leadership teams fit for the future.

"Some of the challenges of now are cyber security and digital platforms, and I would have expected to see a lot more directors – what I fondly call the ‘digital director’ – on boards, but sadly they only seem to be in a thin handful of organisations who are very tech-orientated," Robertson said.