In today's digital era, the concept of cyber resilience has become pivotal. Cyber resilience refers to an organisation’s ability to continuously deliver the intended outcome despite adverse cyber events. As cyber threats evolve in complexity and frequency, the gap between cyber resilient and non-cyber resilient organisations is widening.

Recent events have demonstrated the undeniable impact of a cyber attack on an organisation’s reputation, finances, operations, and stakeholders. According to the World Economic Forum, cyber attacks are among the top global risks in terms of likelihood and impact, and the COVID-19 pandemic has increased the exposure and vulnerability of organisations to cyber risks.

In FY23, the Australian Government received nearly 94,000 cybercrime reports, a 23 per cent increase from the previous financial year. The average self-reported cost of cyber crime also rose, with businesses reporting the following impacts:

• $46,000 for small businesses
• $97,200 for medium businesses
• $71,600 for large businesses.

With the rising frequency and cost of cyber crime, it is more critical than ever for organisations to understand the steps needed to build and maintain their cyber resilience in an increasingly digital world.

Understanding cyber resilience

Cyber resilience extends beyond traditional cyber security, which focuses primarily on preventing attacks. Instead, it encompasses a holistic approach that includes the ability to prepare for, respond to, and recover from cyber incidents. A cyber resilient organisation is not only capable of defending against attacks but also ensuring continuity and quick recovery when a breach occurs.

Key components of cyber resilience include:

• Prevention: Implementing robust cyber security measures to thwart attacks
• Detection: Rapidly identifying and assessing cyber threats
• Response: Effectively managing and mitigating the impact of cyber incidents
• Recovery: Restoring normal operations promptly, then learning from these incidents to improve resilience.

Cyber resilience requires informed risk management - making decisions based on a thorough understanding of the risks. An informed risk management approach involves gathering and analysing all relevant information, learning from incidents, and ultimately making well-informed decisions that minimise potential negative impacts on the organisation.

Essential elements of informed risk management are:

• Risk identification: Recognising potential risks that could affect the organisation
• Risk assessment: Evaluating the likelihood and impact of those risks
• Risk prioritisation: Determining which risks need immediate attention based on their potential impacts
• Risk mitigation: Implementing a strategy to reduce or manage the identified risks
• Continuous monitoring: Regularly reviewing and updating their chosen risk management strategy to adapt to new information or changing circumstances.

What is the divide between cyber resilient and non-cyber resilient organisations?

A significant divide is growing between cyber resilient organisations and those that have yet to put adequate measures in place, according to the latest World Economic Forum Global Cybersecurity Outlook.

This report states a rise of cyber inequity, with 90 per cent of executives surveyed at the World Economic Forum’s Annual Meeting of Cybersecurity 2023, believing that urgent action is needed to address this divide.

Some organisations are more prepared and proactive than others in addressing cyber risks and building cyber resilience. According to the report, only 17 per cent of organisations are considered cyber resilient leaders, while 74 per cent are still considered cyber resilient novices.

To be considered a cyber resilient leader, an organisation should have:

• A clear and comprehensive cyber strategy
• A strong and supportive cyber culture
• The ability to attract talent
• A robust and agile cyber technology capability, and;
• An effective and accountable cyber governance program.

Non-cyber resilient organisations, on the other hand, typically lack one or more of these dimensions and are more likely to suffer from cyber breaches, business disruptions, and financial losses.

The rise of new technologies is amplifying already existing challenges, as will a widening gap in cyber skills and the talent shortage. Generative AI will undoubtedly advance cyber attacks in the next years, and yet at the same time, it can help organisations better protect themselves.

The importance of cyber resilience

The significance of cyber resilience cannot be overstated in a world where technological advancements are adopted at an accelerated rate and where cyber threats are universal and increasingly sophisticated. The consequences of cyber incidents can be severe, ranging from financial losses and operational disruption to reputational damage and regulatory penalties.

• Financial protection: Cyber attacks can lead to substantial financial losses. Cyber resilient organisations are better positioned to mitigate these costs through swift recovery and continued operations.
• Operational continuity: Maintaining business operations during and after a cyber attack is crucial. Cyber resilience ensures critical functions can continue, minimising downtime and disruption.
• Reputational integrity: Trust is a valuable asset. Organisations that demonstrate robust cyber resilience are more likely to maintain customer trust and confidence.
• Regulatory compliance: Many industries are subject to stringent regulations regarding data protection and cyber security. Cyber resilient organisations are better equipped to comply with these regulations and avoid penalties.

Australian perspectives on cyber resilience

In Australia, both state and federal governments, along with national institutions, recognise the critical need for cyber resilience. Increased guidance, support, and regulation within the Australian cyber regulatory landscape reflect the nation’s commitment to strengthening the defences of organisations. Initiatives from the Australian Cyber Security Centre (ACSC) and frameworks such as the SOCI Act are pivotal in driving this focus.

• 2023-2030 Australian Cyber Security Strategy: The Australian Department of Home Affairs has developed a seven-year strategy that aims to enhance the nation's cyber resilience by addressing critical gaps in cyber defences, building better protections for vulnerable citizens and businesses, and supporting improved cyber maturity across the region. This strategy promotes collaboration between the government and industry to co-design legislative reforms and initiatives to strengthen Australia's cyber security posture.
• Security of Critical Infrastructure Act (SOCI Act): The SOCI Act aims to enhance the resilience and security of Australia's critical infrastructure by imposing new security obligations on owners and operators, requiring them to adopt comprehensive risk management programs. It also grants the government powers to provide support in response to cyber security incidents. Recent amendments to this act have increased the scope of critical infrastructure, protecting additional Australian industries.
• Australian Energy Sector Cyber Security Framework (AESCSF): The AESCSF security controls have been developed to enhance the energy sector’s cyber security posture by providing a comprehensive set of controls and best practices. This framework leverages industry standards such as ISO 27001, NIST CSF, C2M2, and the Australian Signals Directorate Essential Eight (ASD E8) controls. It aims to ensure that energy organisations can effectively manage cyber risks, protect critical infrastructure, and maintain the resilience of their operations.
• Australian Prudential Regulation Authority (APRA): APRA’s regulatory framework focuses on ensuring the safety and stability of the Australian financial sector by mandating robust risk management practices, including cyber security. APRA’s Prudential Standard CPS 234, which governs information security, requires financial institutions to maintain effective measures to protect against cyber threats and ensure the resilience of critical systems. This standard aligns with global best practices, such as ISO 27001 and NIST CSF, and emphasises the need for prompt detection, response, and recovery from cyber incidents, safeguarding the confidentiality, integrity, and availability of sensitive financial data.
• Australian Signals Directorate (ASD) Essential Eight: The ASD Essential Eight controls provide a set of general security controls to small-to-medium-sized organisations to uplift their security posture in a pragmatic and straightforward approach. Implementing these eight controls can significantly improve an organisation’s cyber resilience.
• State Government Specific Security Policies: As well as guiding security from a federal level, Australian cyber security requirements are further mandated at a state level. With many of these frameworks aligned to ISO27001, the current state policies in place to support cyber resilience are:
  • New South Wales: NSW Cyber Security Policy
  • Queensland: Information Security Policy (IS18:2018)
  • Victoria: Victorian Protective Data Security Standards V2.0
  • South Australia: South Australian Cyber Security Framework
  • Tasmania: Tasmanian Government Information Security Framework
  • Western Australia: WA Government Cyber Security Policy.

Strategies to enhance cyber resilience

To bridge the growing gap, there are several proactive steps organisations can take, such as:

1. Develop a cyber resilience plan: Create a comprehensive plan that outlines preventive measures, incident response protocols, and recovery strategies. Ensure the plan aligns with the business strategy and objectives and review and update it regularly to reflect the changing cyber landscape and business needs.
2. Invest in cyber technology: Adopt artificial intelligence (AI) and machine learning (ML)-based technologies that are fit for purpose, scalable, resilient, and secure. AI and ML technologies can support organisations to detect, respond, and recover from cyber threats and incidents while providing valuable resources and the ability to offload and automate low-value tasks.
3. Foster a cyber-aware culture: Encourage a culture where cyber security is a shared responsibility, empowering all levels of the organisation.
4. Conduct regular training: Educate employees on cyber security best practices and the importance of their role in maintaining cyber resilience. 95 per cent of cyber attacks are due to human error, emphasising the tremendous need for in-house learning and development at all levels.
5. Establish cyber governance: Define the roles, responsibilities, and accountabilities of the board, management, and staff and provide clear and consistent policies, standards, and procedures for cyber risk management and compliance monitoring, reporting, and acting.
6. Perform regular audits and assessments: Continuously assess cyber security measures and resilience strategies to identify and address vulnerabilities.

The growing divide between cyber resilient and non-cyber resilient organisations underscores the urgent need to prioritise cyber resilience. By understanding its importance, leveraging global insights, and implementing strategic measures, organisations can safeguard their assets, maintain operational continuity, and build trust in an increasingly digital world.

Cultivating best practices, attracting the right talent, and implementing bespoke technology will help build the necessary resilience.

It is no longer a question of ‘if’ but rather ‘when’ your organisation will be at risk. No country or organisation is being spared from cyber crime. It is crucial that global stakeholders work together to help close the gap.

As cyber threats continue to evolve, so too must our approaches to resilience, ensuring that we are always one step ahead in the cyber security landscape.

How BDO can help

Cyber resiliency is having a mindset that cyber attacks can, and will, happen and to be as prepared as possible. Organisations can achieve this by knowing what assets they are trying to protect, having appropriate controls (and testing these controls), being able to quickly identify attacks, limit the scope of these attacks and removing attackers from the environment as quickly as possible.

Our cyber security team can help you protect your business by providing tailored cyber security services focusing on your specific operating model, technical demands, regulatory environment and industry dynamics. Our team has experience in a range of areas, including IT, operations, data privacy, and forensic technology, which help keep your business online, operational and safe.