Internal Audit, Risk, Business & Technology Consulting

Cyber Health Check Comparison Report

Comparing the ASX 100 listed companies to non-ASX 100 organisations.

Protiviti, protiviti.com.au


Cyber Health Check Comparison Report · 1 · protiviti.com.au

Executive Summary

Cyber security is a critical aspect of conducting business safely within the digital age. Unfortunately, non-ASX 100 organisations (private and government) are significantly less prepared and governed in this area than ASX 100 companies. This is not primarily about money. It is about prioritising and managing risk in a smart and agile manner where many non-ASX 100 organisations are more active online and have more responsibility for critical national infrastructure than the ASX 100.

The ASX 100 Cyber Health Check Report provides a baseline upon which companies can measure their cyber security preparedness against their peers.1 Protiviti has surveyed non-ASX 100 organisations to assist them to determine their cyber security preparedness and to provide a broader baseline and catalyst for action.

The comparison showed that non-ASX 100 organisations:

• do not engage with or report to their boards on cyber security to the extent of the ASX 100.

• are much less confident in their cyber security preparedness and risk management than the ASX 100.

• are not as well prepared as the ASX 100 for a breach of sensitive customer information.

• are not identifying the same growth rate in cyber security incidents as the ASX 100.

• have not allocated budget and have not acquired an appropriate level of expertise to test defences and to understand the extent of risk and occurrence of cyber attacks against them.

1 ASX 100 Health Check Report, Australian Securities Exchange: www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf.


Key Findings

01 Most boards of directors are not engaged with cyber security and are not playing an active role to address cyber security related risks. Many also do not receive cyber security related reporting.

02 Leaders are not entirely confident in the cyber security measures employed by their organisation and a significant number believe there is more to do to protect the organisation from cyber threat.

03 Organisations have not properly prepared for the possibility of a breach of sensitive customer information. This includes a lack of understanding of their breach disclosure obligations and a lack of planning as to how to communicate breaches to their customers or clients. A large proportion of organisations have not adequately tested their recovery and response plans.

04 Organisations are not identifying cyber security incidents at the same rate as in the past, even though the level of attacks and breach disclosures is increasing.

05 Leaders stated that their organisations do not have any specific budget allocated to cyber security. Where cyber security funding is considered, it is included in an overall IT budget.


KEY INSIGHTS

Board level engagement in cyber security is lacking

Cyber security is part of the fiduciary duty for the executive team and board of directors. Failure to monitor and address cyber risk can result in business disruption and major legal, regulatory and reputational consequences. Despite this, Boards of non-ASX 100 organisations are not engaged with cyber security and are not playing an active role to address cyber security related risks. Many did not even receive cyber security related reporting.

Comparison to ASX 100

A direct comparison of the ASX 100 and non-ASX 100 shows a clear disparity of board level involvement in cyber security between the two groups. Throughout almost all measures, ASX 100 companies stated that Board engagement in cyber security was over double the level reported by non-ASX 100 organisations.

Action Items

• Increase communications with the Board and executive management through various channels to educate and inform them of cyber security threats and initiatives both within the organisation and industry trends outside of the organisation.

• Improve cyber security reporting practices and ensure that adequate measurement systems, cyber risk tolerance levels and key metrics are defined and agreed upon by the Board. Ensure that reports are presented and understood by the Board and speak the language of the business.

• Apply an organisation wide cyber security management framework aligned to good industry practice to ensure controls are applied to address areas of high risk.

Non-ASX 100 organisations, by the numbers:

• 33% of non-ASX 100 organisations report penetration test findings to the board, even though conducting vulnerability or penetration tests through external parties is the norm.

• Only 35% of non-ASX 100 organisations reported that the Board viewed and also challenged reports on the security of their customer data.

• 27% of non-ASX 100 organisations’ Boards had not clearly defined a cyber risk appetite both for existing business and for new digital innovations.

• Over 90% of non-ASX 100 organisations have no form of reporting to the Board around the number and type of cyber attacks.

• Only 33% of non-ASX 100 organisations state that the Board has a limited understanding of cyber security and has no plans to increase these skills in the future.


KEY INSIGHTS

Most organisations lack confidence in their security

Confidence in how cyber security risks are managed is a telling indicator of the actions taken by the organisation to address cyber risk management. An organisation in which staff do not believe in its cyber security capabilities may not be investing in the right areas to ensure that they are able to conduct business safely, or the investment and associated benefits may not be garnering adequate visibility.

Most non-ASX 100 organisations highlighted that they are not entirely confident in the cyber security measures employed by their organisation and a significant number believe there is more to do to protect the organisation from cyber threat.

Comparison to ASX 100

ASX 100 companies are more comfortable about the state of their cyber security than non-ASX 100 organisations. Almost half of the ASX 100 companies state that they are confident or very confident about their ability to detect, respond and protect against cyber incidents. The vast majority of ASX 100 organisations shared cyber security trends and data with other organisations.

Action Items

• A high performing information security program should be developed and actioned as a priority. The first step is to develop high levels of engagement and understanding by the Board on cyber security, and the second is to implement core information security policies. Additionally, teams should establish data sharing arrangements to gain a baseline understanding of cyber risk within their environment.

Non-ASX 100 organisations, by the numbers:

• 80% of non-ASX 100 organisations stated that they were somewhat or not very confident that their organisation was properly secured against cyber attacks.

• 0% of non-ASX 100 organisations were confident or very confident in their organisation’s ability to detect, respond and manage a cyber intrusion.

• More than 50% of non-ASX 100 organisations indicated that their organisation has not implemented any form of ongoing cyber awareness training for staff.

• Almost 60% of non-ASX 100 organisations did not perform any form of data sharing on cyber security with other organisations within its environment.

• Almost 85% of non-ASX 100 organisations feel that they had more to do in terms of protecting the organisation against cyber threat. Almost all stated that the organisation did not have a dedicated security budget.


KEY INSIGHTS

A large proportion of organisations are not prepared for a breach

Recent mandatory breach notification legislation and requirements under the Privacy Act have compounded the pressure that organisations already face from their customers and clients to appropriately respond to and report on security breaches. Many non-ASX 100 organisations have not properly prepared for the possibility of a breach of sensitive customer information. This includes a lack of understanding of their breach disclosure obligations and a lack of planning as to how to communicate breaches to their customers or clients. A large proportion of organisations had not adequately tested their recovery and response plans.

Comparison to ASX 100

ASX 100 companies are at least 50% more likely than non-ASX 100 organisations to have a clear understanding of their breach disclosure requirements and to have also considered how they would communicate to their customers and to clients in the event of a security breach.

Action Items

• Dedicate time to identify external stakeholders including regulators and third parties, and their requirements for breach notification.

• Ensure that communication and response plans in the event of a breach are documented and have been tested.

• Incident response plan testing can either be conducted internally or by a third party subject matter specialist.

Non-ASX 100 organisations, by the numbers:

• Less than 50% of non-ASX 100 organisations have not considered the use of cyber insurance policies.

• 50% of non-ASX 100 organisations stated that they have no clear understanding of the organisation’s current disclosure requirements.

• Only 39% of non-ASX 100 organisations have actually tested their response, recovery or resumption plans despite the majority of them having the plans available.

• 52% of non-ASX 100 organisations have not considered or prepared a plan for how they would communicate to customers or clients a breach of their confidential data.


KEY INSIGHTS

Non-ASX 100 organisations have not identified a higher rate of attacks

Countless sources have noted that the rate and prevalence of cyber threats have increased rapidly in previous years, which has subsequently driven more attention to the field of cyber security. Contrary to reports from various other organisations, most non-ASX 100 organisations did not identify or report the same level of growth in cyber security incidents.

Comparison to ASX 100

Almost two thirds of ASX 100 companies report that they have experienced more cyber attacks in the past twelve months. Almost one out of three ASX 100 companies believe their cyber net residual risk will increase significantly over the next twelve months, compared to only one out of ten for non-ASX 100.

Action Items

• Remain diligent on cyber security practices and ensure that cyber security measures are continually maintained and improved where needed due to changes in the external threat environment. Continue to monitor for possible intrusions and ensure that the organisation is fully prepared in the event of a cyber security incident occurring.

Non-ASX 100 organisations, by the numbers:

• 50% of non-ASX 100 organisations anticipate that their cyber net residual risk in terms of likelihood of occurrence would only increase slightly in the next twelve months; a further one third believe that there would be no change at all.

• 30% of non-ASX 100 organisations reported that there had been no change in the number of cyber attack attempts over the past twelve months, with 17 percent stating that they experienced no cyber attacks at all. Only 13 percent reported experiencing more attacks.


KEY INSIGHTS

Many non-ASX 100 organisations do not have a cyber security budget

The presence of a specifically allocated cyber security budget is a key indication that an organisation is investing to protect their organisation from cyber attacks. Without a clear line drawn between general IT spend and security specific spend, there are risks that security will take a back seat when competing against other projects. The temptation to prioritise other spending over security is significant. Almost half of non-ASX 100 organisations reported that there was no specific cyber security budget in the organisation, whilst those reporting that they had a budget stated that it was part of a wider IT budget.

Comparison to ASX 100

The majority of the ASX 100 organisations have a specific cyber security budget, whether it be standalone or grouped into a wider budget. In comparison, the number of ASX 100 organisations that reported having a specific cyber security budget was almost double that of non-ASX 100 organisations.

Action Items

• Leaders should lay down clear definitions for what is to be considered cyber security specific expenditure versus general IT expenditure.

• Organisations should clearly demarcate the line between general IT and cyber security spending. It is critical that the budget for cyber security initiatives be agreed upfront based on need, and remain standalone to other expenditure.

Non-ASX 100 organisations, by the numbers:

• 46% of non-ASX 100 organisations reported that they have no specific budget dedicated to cyber security expenditure.

• 50% of non-ASX 100 organisations stated that their cyber security budget was included in an overall IT budget and not clearly separated or standalone.


Appendix

The following graphs in this appendix section are a collection of the raw data results that were used to compile this report. The data has been divided by colour and icon legend to denote the difference between results or comments related to either the ASX 100 or non-ASX 100 organisations.

ASX 100: Results or comments related to the ASX 100 Cyber Health Check Report results.*

Non-ASX 100: Results or comments related to the Protiviti non-ASX 100 respondents.

* ASX 100 Health Check Report, Australian Securities Exchange: www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf.

Q1 Respondent Profile

1.2 Which of these titles best describes your role?

ASX 100 (pie chart): Chair of the Board 82%; Chair of Board sub Committee (e.g. Audit or Risk Committee) 14%; Other 4%.

Non-ASX 100 (pie chart): Department Head; CEO/CFO/COO; CIO; CISO; CAO; Chair of Board sub Committee (e.g. Audit or Risk Committee); Other. Chart segment values: 12%, 7%, 6%, 5%, 32%, 26%, 12%.

ASX 100: Boards were well represented with the majority of respondents being chairs of Boards.

Non-ASX 100: The respondents from the non-ASX 100 organisations were of the Department Head level, followed closely by C Suite executives.

May not add to 100% due to rounding


1.3 Which sector classification best applies to the company’s main business?

ASX 100 (pie chart): Financial Services; Industrials; Utilities, Energy and Resources; Technology, Communications and Healthcare; Consumer and Leisure; Other. Chart segment values: 18%, 17%, 13%, 11%, 22%, 18%.

Non-ASX 100 (pie chart): Government; Financial Services; Industrials; Utilities, Energy and Resources; Technology, Communications and Healthcare; Consumer and Leisure; Other. Chart segment values: 24%, 20%, 5%, 2%, 7%, 15%, 27%.

ASX 100: Respondents came from a broad range of sectors, with greatest representation from the financial services sector.

Non-ASX 100: The respondents from the non-ASX 100 organisations came from a similar range of sectors, with the inclusion of a large number of government entities.

May not add to 100% due to rounding


1.4 Please indicate which of the following risk factors apply to your company.

Risk factor                                                                                  ASX 100   Non-ASX 100
Our shareholder value is significantly dependent on securing and/or keeping secret
our critical information assets                                                                27%        32%
We handle high value financial transactions or other assets at high risk from theft or fraud   22%        37%
We run safety-critical automated systems (e.g., failure can put lives at risk)                 17%        27%
We deliver services vital to the critical national infrastructure                              14%        29%
More than 50% of our revenue comes through online interactions                                 11%        10%

ASX 100: Shareholder value and handling high value financial transactions were the risk factors facing most organisations.

Non-ASX 100: The top risk factors were similar for non-ASX 100 organisations; however, a combination of other risk factors were more prominent across the organisations, predominantly related to the use of technology and responsibility for critical national infrastructure.

May not add to 100% due to multiple response options allowed


Q2 Understanding the Threat

2.3 What is the Board’s understanding of the potential impact from the loss of or disruption to key information and data assets?

Response                                                        ASX 100   Non-ASX 100
Clear understanding                                               51%        45%
Reasonable understanding                                          42%        41%
Limited understanding                                              3%        10%
No, the information has not yet been presented to the Board        4%         3%

ASX 100: Key information and data assets include intellectual property, financial, corporate, strategic, and customer/personal data. The loss of or disruption to key information and data assets can impact on customers, share price and/or reputation.

Non-ASX 100: Results for both groups were largely similar; however, there was a clear indication that boards have a lower understanding of the impact of cyber incidents among the non-ASX 100 organisations.

May not add to 100% due to rounding


2.7 Do you understand where the biggest vulnerabilities/risk exposures are in your IT security perimeter?

Response                                                        ASX 100   Non-ASX 100
Yes, however my understanding is limited                          54%        48%
Yes, I am confident in my understanding of key vulnerabilities    37%        45%
No                                                                 9%         7%

ASX 100: The majority reported a limited or no understanding of the biggest vulnerabilities/risk exposures in their IT security perimeter.

Non-ASX 100: Results for both groups were largely similar; however, non-ASX 100 organisations showed slightly higher confidence in understanding their organisational perimeter and related key vulnerabilities.

May not add to 100% due to rounding


2.8 Does your organisation engage external parties to perform regular vulnerability or penetration assessments?

Response                                                        ASX 100   Non-ASX 100
Yes, tests are performed and results reported to the Board        73%        33%
Yes, tests are performed                                          20%        57%
No                                                                 7%        10%

ASX 100: Engaging external parties to perform regular vulnerability or penetration assessments is the norm for most organisations.

Non-ASX 100: Penetration testing was the norm among most organisations; however, a significant number of non-ASX 100 organisations do not report the results to board level.

May not add to 100% due to rounding


2.11 How confident are you that your company is properly secured against cyber attacks?

Response                ASX 100   Non-ASX 100
Very confident             1%         0%
Confident                 42%        20%
Somewhat confident        50%        70%
Not very confident         7%        10%

ASX 100: That half are only “somewhat” confident that they are properly secured against cyber attacks indicates that there is more work to do by organisations to understand and protect against cyber threats.

Non-ASX 100: Approximately four out of five non-ASX 100 organisations indicated that they are only “somewhat” or “not very” confident that they are secured against cyber attacks.

May not add to 100% due to rounding


2.13 Is cyber net (residual) risk expected to increase or decrease, in terms of likelihood of occurrence over the next year or so?

Response                  ASX 100   Non-ASX 100
Increase significantly      28%        11%
Increase slightly           53%        50%
Stay the same               11%        31%
Decrease slightly            7%         4%
Decrease significantly       3%         4%

ASX 100: Most respondents expect the likelihood of cyber attacks to increase over the next 12 months or so.

Non-ASX 100: The majority of non-ASX 100 organisations believe that cyber attacks are likely to increase; however, they hold a view that the level of increase will be lower than that anticipated by the ASX 100 respondents.

May not add to 100% due to rounding


Q3 Leadership

3.6 Does the Board include a Director with a good understanding of Information Security and cyber security in particular?

Response                                                                          ASX 100   Non-ASX 100
At least one Board member is well versed in cyber security                          29%         8%
Moderate understanding                                                              51%        58%
Limited understanding and we have no plans to include this expertise on the Board   20%        33%

ASX 100: 20% of respondents have no plans to include information security or cyber security expertise on their board.

Non-ASX 100: A larger proportion of non-ASX 100 organisations either do not have any board members with cyber security expertise or have no plans to include this expertise in the future.

May not add to 100% due to rounding


3.7 Do you feel the company is doing enough to protect itself against cyber threats?

Response                                    ASX 100   Non-ASX 100
Yes, however there is more we need to do      80%        69%
Yes, we're doing enough                       12%        15%
No, there is more we need to do                8%        15%

ASX 100: Most organisations feel that there is more they need to do to protect themselves against cyber threat.

Non-ASX 100: A larger proportion of non-ASX 100 organisations believe that their organisations are not doing enough to protect themselves against cyber threats.

May not add to 100% due to rounding


3.14 Does your organisation have a specific cyber security budget?

Response                                            ASX 100   Non-ASX 100
Yes, it is included in the overall IT budget          64%        50%
Yes, it is a standalone security budget               20%         4%
No, there is no specific budget for cyber security    16%        46%

ASX 100: Many organisations have allocated a cyber security budget, but for most it is still included in the overall IT budget rather than being standalone.

Non-ASX 100: A significant proportion of non-ASX 100 organisations do not have any specific budget for cyber security.

May not add to 100% due to rounding


Q4 Risk Management

4.3 To what extent has your Board explicitly set its appetite for cyber risk, both for existing business and for new digital innovations?

Response options: Cyber risk appetite is clearly defined and understood; Cyber risk appetite is partially defined/has not yet been communicated; Cyber risk appetite has not been defined.

ASX 100 (pie chart): chart segment values 34%, 38%, 28%.

Non-ASX 100 (pie chart): chart segment values 8%, 42%, 50%.

ASX 100: Most respondents have either not defined or only partially defined their cyber risk appetite.

Non-ASX 100: Similarly, over 90% of non-ASX 100 organisations have either not defined or only partially defined their cyber risk appetite.

May not add to 100% due to rounding


4.5 Does the Board have an understanding of where the company’s key information or data assets are shared with third parties?

Response                               ASX 100   Non-ASX 100
Clear understanding                      11%         4%
Reasonable understanding                 47%        54%
Limited understanding                    32%        29%
No, not yet presented to the Board       11%        13%

ASX 100: Third parties includes suppliers, customers, advisors and outsourcing partners.

Non-ASX 100: Results for both groups were largely similar; however, a larger proportion of non-ASX 100 organisations did not have a clear understanding of where information is shared with their third parties.

May not add to 100% due to rounding


4.12 Does the organisation assess its cyber security culture?

Response                              ASX 100   Non-ASX 100
Yes, annually                           31%        24%
Yes, every 2-3 years                     1%         8%
Yes, but not on a regular schedule      38%        28%
It has never been assessed              30%        40%

ASX 100: Assessment of cyber security culture is not yet done on a regular basis for the majority of organisations.

Non-ASX 100: A larger proportion of non-ASX 100 organisations have either not assessed their security culture at all or do so infrequently (2-3 years).

May not add to 100% due to rounding


4.13 Do you have a clear understanding of your company or organisation’s disclosure requirements regarding a cyber breach?

ASX 100 (pie chart): Yes 80%; No 18%; Did not respond 1%.

Non-ASX 100 (pie chart): Yes 52%; No 48%.

ASX 100: A large majority of organisations have a clear understanding of their disclosure requirements, which is particularly important given the new data breach notification regulations that have recently been enacted.

Non-ASX 100: Only half of the non-ASX 100 organisations were able to state that they understood their disclosure requirements regarding a cyber breach.

May not add to 100% due to rounding


Q5 Awareness of Help

5.4 Have you considered using cyber insurance?

Response                                                           ASX 100   Non-ASX 100
Yes, we have a cyber insurance policy                                38%        37%
Yes, we are implementing a policy in the next 12 months              16%         0%
Yes, we have considered it and decided not to implement a policy     36%        17%
No                                                                   11%        46%

ASX 100: Almost as many respondents have considered and decided against a cyber insurance policy as those who actually do have a policy.

Non-ASX 100: Almost half of non-ASX 100 organisations have not considered using cyber insurance at all.

May not add to 100% due to rounding


5.6 Has your organisation implemented an ongoing cyber awareness training program for staff?

Response                                                           ASX 100   Non-ASX 100
Yes, in the last 12 months                                           54%        33%
Yes, it has been in place for over 12 months                         21%         8%
No, however we plan to implement a program in the next 12 months     18%        37%
No                                                                    7%        20%

ASX 100: For most organisations cyber awareness training programs are a fairly recent practice.

Non-ASX 100: The rate at which ASX 100 organisations are implementing cyber awareness training programs is more than double that of non-ASX 100 organisations.

May not add to 100% due to rounding


5.9 Does the Board encourage the cyber security team to engage in data sharing arrangements with other organisations in its environment?

Response                                  ASX 100   Non-ASX 100
Yes, peer organisations                     30%        25%
Yes, Government agencies                    25%        29%
Yes, customers, vendors and suppliers       20%        12%
Yes, competitor organisations               13%         4%
No                                          13%        58%

ASX 100: Most respondents report some level of data sharing with other organisations.

Non-ASX 100: A large majority of non-ASX 100 organisations do not perform any data sharing.

May not add to 100% due to multiple response options allowed


Q6 Cyber Incidents

6.1 From reporting provided to the Board, has the company experienced more or fewer cyber attack attempts over the last year?

Response                                          ASX 100   Non-ASX 100
Significantly more                                  24%         4%
Slightly more                                       38%         9%
Steady state/no change                              17%        30%
There is no reporting provided to the Board         13%        35%
There have been no cyber attack attempts             4%        17%

Slightly less / Significantly less: the remaining chart values are 1% and 3% (ASX 100) and 4% and 0% (non-ASX 100).

ASX 100: Cyber attack attempts were on the rise for most respondents in the last 12 months.

Non-ASX 100: Over the past 12 months, non-ASX 100 organisations mostly experienced either no change in the number of cyber attacks or no attacks at all; however, reporting rates were lower.

May not add to 100% due to rounding


6.4 Have you considered how you would notify your customers or clients of a breach of their confidential data?

Response          ASX 100    Non-ASX 100
Yes               75%        48%
No                24%        52%

ASX 100: Nearly a quarter of respondents still need to determine how they would communicate a confidential data breach.

Non-ASX 100: Less than half of non-ASX 100 organisations have determined how to communicate a confidential data breach.

May not add to 100% due to rounding


6.5 Are you confident in your organisation's ability to detect, respond and manage a cyber intrusion to minimise impact to your business?

Response options:

• Very confident

• Confident

• Somewhat confident

• No

[Bar chart: percentage of ASX 100 and non-ASX 100 respondents selecting each option; the values could not be recovered from the extracted text]

ASX 100: It appears that more needs to be done around detecting and responding to cyber intrusions, given the majority response of only 'somewhat' confident.

Non-ASX 100: None of the non-ASX 100 organisations were confident or very confident in their ability to detect and respond to cyber intrusions.

May not add to 100% due to question non-response


6.6 Does the organisation have a documented and approved response, recovery and resumption plan, and is the plan tested?

Response options:

• Yes, the plan is tested

• No, a plan is in place however it has not been tested

• No, there is no documented plan

[Bar chart: percentage of ASX 100 and non-ASX 100 respondents selecting each option; the values could not be recovered from the extracted text]

ASX 100: Most respondents appear to be prepared for what to do after a cyber attack occurs.

Non-ASX 100: Most non-ASX 100 organisations have a plan in place, however over a third have not tested it.

May not add to 100% due to question non-response


7.1 Does the board review and challenge reports on the security of your customers' data?

Response             ASX 100    Non-ASX 100
Yes                  43%        27%
No                   55%        73%
Did not respond      1%         -

ASX 100: It appears that at the moment boards don't have a lot of input into the security of customer data.

Non-ASX 100: Only a quarter of non-ASX 100 organisations have reports on security reviewed and challenged by the Board.

May not add to 100% due to rounding

Q7 Investment and Customer Data


7.2 What are the drivers for the priority of the Board's review of security reports?

Response options (multiple responses allowed):

• Cyber security is a key risk

• Concern about reputation with customers

• Upcoming legislation or regulatory reporting

• Investor concern

• Other

• The Board does not review security reports

[Bar chart: percentage of ASX 100 and non-ASX 100 respondents selecting each option; the values could not be recovered from the extracted text]

ASX 100: Cyber security being a key risk is the main driver of board reviews of security reports.

Non-ASX 100: A high proportion of non-ASX 100 organisations do not have board review of security reports, and fewer consider cyber security a key risk compared to ASX 100 organisations.

May not add to 100% due to multiple response options allowed


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

CONTACTS

David Adamson +61.420.279.937 [email protected]

Ewen Ferguson +61.478.491.056 [email protected]

Schalk Kock +61.459.990.390 [email protected]


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0617-108185 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Fort Lauderdale, Houston, Indianapolis, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*: Buenos Aires

BRAZIL*: Rio de Janeiro, Sao Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE*: Santiago

MEXICO*: Mexico City

PERU*: Lima

VENEZUELA*: Caracas

EUROPE MIDDLE EAST AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN*: Manama

KUWAIT*: Kuwait City

OMAN*: Muscat

QATAR*: Doha

SAUDI ARABIA*: Riyadh

SOUTH AFRICA*: Johannesburg

UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

ASIA-PACIFIC

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

*MEMBER FIRM