The boards of the vast majority of Australia's biggest listed companies have non-existent or limited understanding of the biggest IT security risks to their organisation, the ASX's first cyber health check has found.
The ASX late last year asked the top 100 listed companies to participate in a health check of their cyber security posture as part of a directive from the federal government's national security strategy.
Seventy-six of the top 100 agreed to participate in a 67-strong questionnaire and face-to-face interviews that covered their understanding of cyber security threats, leadership, risk management, awareness, cyber incidents, and investment and customer data.
The results of the survey, released today, show that while there is a broadly high level of risk awareness and a commitment to improve amongst Australia's 76 biggest businesses, there are gaps in preparedness and resilience.
Almost two-thirds of the surveyed boards said they had a non-existent or limited understanding of their biggest cyber security vulnerabilities.
Only 8 percent said they had a clear understanding of their company's key cyber resilience controls.
Almost a third of the surveyed businesses had not yet evaluated the cyber resilience of their suppliers, partners, and other third parties.
And a similar proportion of boards had only a limited understanding of what key company data is shared with third parties, or of their own key information assets more generally.
Positively, the vast majority of board directors said they considered IT security risks "extremely important", and at almost every surveyed company, responsibility for cyber security sat with the CEO or another member of the C-suite.
Most also said their company was doing enough to protect itself against cyber threats, and was also making an appropriate level of investment in the area.
Three-quarters of those surveyed said their business had an ongoing cyber awareness program for staff, and had tested what staff would do if faced with a security threat.
"Our challenge now is to learn the lesson from the report, particularly when it comes to small to medium businesses, who often don't have the resources and wherewithal to deal with the persistent cyber threat," Minister Assisting the Prime Minister on Cyber Security Dan Tehan said today.
"If we can learn that this is important to the top 100, I believe this message will resonate down to the broader community."