Australian businesses are bracing for a storm of risk and security challenges, with a majority of executives predicting a significant worsening in the coming year.
McGrathNicol Advisory has released a new report into the perceptions and attitudes of Australian business leaders towards risks, including geopolitical threats, insider risks, cyber security, issues in the supply chain, and financial, legal and regulatory concerns. In partnership with YouGov, McGrathNicol surveyed over 300 C-Suite executives and Board-level directors across Australian businesses with 50 or more employees.
The findings show that most surveyed executives (89 percent) expect risk and security issues to worsen in the next 12 months. Despite this, many organisations are struggling to recognise the ‘flow-on’ effects of different risk areas and to implement effective mitigation frameworks. Business leaders are also perceiving fewer short-term impacts from geopolitical threats, despite the landscape becoming more contested and hostile in the last year.
Further, new cyber security obligations were introduced this month under the Security of Critical Infrastructure Act 2018 (“SOCI Act”). Australian organisations operating in sectors such as communications, defence, higher education and research, financial services, healthcare, energy, and transport, may also be required to submit a Critical Infrastructure Risk Management Program by 28 September this year.
Key findings of the research include:
- Businesses underestimating the secondary impacts of geopolitics: Australian businesses are struggling to identify the link between geopolitics and other enterprise risks such as cyber, insider and supply chain threats. This is despite the Russian invasion of Ukraine and the Israel-Hamas war clearly illustrating how geopolitical events can create significant disruption. If re-elected, a second Trump administration has proposed the introduction of new tariffs of between 60 and 100 percent targeting Chinese-made goods. This would almost certainly reinvigorate trade disputes and directly impact Australian businesses.
- Cyber concerns grow as supply chains increasingly targeted: Cyber security is top of mind for Australian businesses, with 68 percent of organisations placing cyber risk within their top five concerns for 2024—the highest of any risk category. Surprisingly though, 71 percent of organisations do not conduct due diligence on their key suppliers’ cyber security practices, and more than three quarters (77 percent) do not require mandatory reporting of any cyber or data breaches affecting their suppliers.
- Insider risk is a ‘human’ problem: While 87 percent of surveyed organisations were confident that their business has a comprehensive insider risk management program in place, less than a third have implemented fundamental insider risk controls. Only 28 percent use a risk-based vetting and due diligence framework for employees and suppliers or contractors, while 27 percent have education and awareness programs in place, and just 18 percent have appointed an authority that is accountable for insider risk.
- Practical testing of supply chains is required: Most enterprise risk management programs (80 percent) now include supply chain risk as a core pillar. Similar to last year’s results, though, most organisations (74 percent) acknowledge internal issues in addressing supply chain challenges, due to a shortage of expertise, insufficient data and visibility tools, budgetary constraints, and competing priorities.
- Data management adds new layers of legal and regulatory complexity: Regulatory bodies have shifted focus from market education and awareness to enforcement, and in the past few years, new legislation has been introduced with regards to payment times reporting, wage underpayments, changes to the Privacy Act and the SOCI Act. As a result, more than half of surveyed business leaders (55 percent) see legal and regulatory risk as a top concern for their organisation and 27 percent expect these risks will continue to increase in severity.
- Multiple risk factors fuel financial pressure: High inflation, wage increases, interest rate rises, and higher energy costs mean that the spotlight is firmly fixed on the CFO to identify areas where costs can be cut and this trend is expected to continue into 2025. While cyber risk was the highest-ranking risk among organisations surveyed, financial risk ranked second, with 66 percent categorising it as a top five concern.
The average data breach cost has snowballed over the years, causing companies more financial damage than ever. Despite considerable investments in security technology and solutions to prevent cybercrime, the average data breach cost has grown by more than $1 million over the past six years, reaching $4.88 million in 2024. Still, this figure varied significantly depending on the country and industry in which the data breach took place and on whether the company used security AI and automation to identify breaches and reduce costs.
According to data presented by AltIndex.com, companies that used security AI and automation reported a $1.8 million lower average data breach cost in 2024.
AI to the rescue?
Artificial intelligence and automation have transformed the cybersecurity world, making it easier for cyber criminals to launch attacks and for defenders to identify threats and automate responses.
However, the technologies have also significantly cut the average data breach cost, saving millions of dollars for companies and organizations that use them regularly. According to the latest Ponemon Institute’s Cost of Data Breach Report, the difference between the average data breach cost in a company using AI security and one that doesn’t is striking.
Statistics show that organizations not using security AI and automation had an average data breach cost of $5.72 million in 2024, up from $5.36 million last year. On the other hand, those making extensive use of AI and automation had a 31% lower cost of $3.84 million, saving more than $1.8 million per data breach. Even limited use of AI and automation in cyber threat detection made a considerable difference, lowering the average data breach cost by about one million dollars.
AI and automation in cyber threat detection not only lead to lower breach costs but also to significantly faster response times. Statistics show that companies and organizations using these technologies identified and contained data breaches almost 100 days faster than those that didn’t.
31% of Organizations Used AI to Prevent and Identify Data Breach in 2024, 3% more than Last Year
Overall, using AI and machine learning insights was the second most crucial factor in reducing data breach costs, following employee training, which continues to be an essential element in cyber defense strategies, specifically when detecting and preventing phishing attacks.
The 2024 Cost of Data Breach Report also showed that the number of organizations that extensively used AI security and automation increased. In 2024, 31% of organizations used these technologies to prevent and identify a data breach, or 3% more than last year. The share of those using AI and automation on a limited basis also grew, rising from 33% in 2023 to 36% in 2024.
“As the SOCI reporting deadline approaches, many Australian organisations will be required to submit Risk Management Programs addressing areas like cyber, geopolitical, regulatory and supply chain risks for the first time. Following a data breach, a cyber incident can rapidly escalate throughout the supply chain to customers and employees, becoming a regulatory issue with severe financial and reputational consequences,” commented Matt Fehon, Head of Advisory, McGrathNicol Advisory.
“Too often, we see organisations react only once a risk event has occurred. But this can be costly due to the interconnected nature of risk areas. We would prefer to arm businesses with the tools to face the changing landscape of business risk head on.”