Internal Audit, Risk, Business & Technology Consulting
Cyber Health Check Comparison Report
Comparing the ASX 100 listed companies to non-ASX 100 organisations.
Cyber Health Check Comparison Report · 1protiviti.com.au
Executive Summary
Cyber security is a critical aspect of
conducting business safely within the
digital age. Unfortunately, non-ASX 100
organisations (private and government)
are significantly less prepared and governed
in this area than ASX 100 companies. This
is not primarily about money. It is about
prioritising and managing risk in a smart
and agile manner where many non-ASX
100 organisations are more active online
and have more responsibility for critical
national infrastructure than the ASX 100.
The ASX 100 Cyber Health Check Report provides a
baseline upon which companies can measure their
cyber security preparedness against their peers.[1]
Protiviti has surveyed non-ASX 100 organisations
to assist them to determine their cyber security
preparedness and to provide a broader baseline and
catalyst for action.
The comparison showed that non-ASX 100
organisations:
• do not engage with or report to their boards on
cyber security to the extent of the ASX 100.
• are much less confident in their cyber security
preparedness and risk management than the
ASX 100.
• are not as well prepared as the ASX 100 for a
breach of sensitive customer information.
• are not identifying the same growth rate in cyber
security incidents as the ASX 100.
• have not allocated budget and have not acquired an
appropriate level of expertise to test defences and
to understand the extent of risk and occurrence of
cyber attacks against them.
[1] ASX 100 Health Check Report, Australian Securities Exchange: www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf.
2 · Protiviti
Key Findings
01 Most boards of directors are not engaged with cyber security and are not playing an active role to address
cyber security related risks. Many also do not receive cyber security related reporting.
02 Leaders are not entirely confident in the cyber security measures employed by their organisation and a
significant number believe there is more to do to protect the organisation from cyber threat.
03 Organisations have not properly prepared for the possibility of a breach of sensitive customer information.
This includes a lack of understanding of their breach disclosure obligations and a lack of planning as to how to
communicate breaches to their customers or clients. A large proportion of organisations have not adequately
tested their recovery and response plans.
04 Organisations are not identifying cyber security incidents at the same rate as in the past, even though the level
of attacks and breach disclosures is increasing.
05 Leaders stated that their organisations do not have any specific budget allocated to cyber security. Where
cyber security funding is considered, it is included in an overall IT budget.
KEY INSIGHTS
Board level engagement in cyber security is lacking
Cyber security is part of the fiduciary duty for the
executive team and board of directors. Failure to
monitor and address cyber risk can result in business
disruption and major legal, regulatory and reputational
consequences. Despite this, Boards of non-ASX 100
organisations are not engaged with cyber security
and are not playing an active role to address cyber
security related risks. Many did not even receive cyber
security related reporting.
Comparison to ASX 100
A direct comparison of the ASX 100 and non-ASX 100
shows a clear disparity of board level involvement in
cyber security between the two groups. Throughout
almost all measures, ASX 100 companies stated that
Board engagement in cyber security was over double
the level reported by non-ASX 100 organisations.
Action Items
• Increase communications with the Board and
executive management through various channels
to educate and inform them of cyber security
threats and initiatives both within the organisation
and industry trends outside of the organisation.
• Improve cyber security reporting practices and
ensure that adequate measurement systems, cyber
risk tolerance levels and key metrics are defined
and agreed upon by the Board. Ensure that reports
are presented and understood by the Board and
speak the language of the business.
• Apply an organisation wide cyber security management
framework aligned to good industry practice
to ensure controls are applied to address areas of
high risk.
• ONLY 33% OF NON-ASX 100 ORGANISATIONS report penetration test findings to the board, even though conducting vulnerability or penetration tests through external parties is the norm.
• ONLY 27% OF NON-ASX 100 ORGANISATIONS reported that the Board viewed and also challenged reports on the security of their customer data.
• OVER 90% OF NON-ASX 100 ORGANISATIONS’ Boards had not clearly defined a cyber risk appetite both for existing business and for new digital innovations.
• 35% OF NON-ASX 100 ORGANISATIONS have no form of reporting to the Board around the number and type of cyber attacks.
• 33% OF NON-ASX 100 ORGANISATIONS state that the Board has a limited understanding of cyber security and has no plans to increase these skills in the future.
Most organisations lack confidence in their security
Confidence in how cyber security risks are managed
is a telling indicator of the actions taken by the
organisation to address cyber risk management. An
organisation in which staff do not believe in its
cyber security capabilities may not be investing in
the right areas to ensure that they are able to conduct
business safely, or the investment and associated
benefits may not be garnering adequate visibility.
Most non-ASX 100 organisations highlighted that
they are not entirely confident in the cyber security
measures employed by their organisation and a significant
number believe there is more to do to protect the
organisation from cyber threat.
Comparison to ASX 100
ASX 100 companies are more comfortable about the state
of their cyber security than non-ASX 100 organisations.
Almost half of the ASX 100 companies state that they are
confident or very confident about their ability to detect,
respond and protect against cyber incidents. The vast
majority of ASX 100 organisations shared cyber security
trends and data with other organisations.
Action Items
• A high performing information security program
should be developed and actioned as a priority.
The first step is to develop high levels of engagement
and understanding by the Board on cyber
security, and the second is to implement core
information security policies. Additionally, teams
should establish data sharing arrangements to
gain a baseline understanding of cyber risk within
their environment.
KEY INSIGHTS
• 80% OF NON-ASX 100 ORGANISATIONS stated that they were somewhat or not very confident that their organisation was properly secured against cyber attacks.
• 0% OF NON-ASX 100 ORGANISATIONS were confident or very confident in their organisation’s ability to detect, respond and manage a cyber intrusion.
• MORE THAN 50% OF NON-ASX 100 ORGANISATIONS indicated that their organisation has not implemented any form of ongoing cyber awareness training for staff.
• ALMOST 60% OF NON-ASX 100 ORGANISATIONS did not perform any form of data sharing on cyber security with other organisations within its environment.
• ALMOST 85% OF NON-ASX 100 ORGANISATIONS feel that they had more to do in terms of protecting the organisation against cyber threat. Almost all stated that the organisation did not have a dedicated security budget.
A large proportion of organisations are not prepared for a breach
Recent mandatory breach notification legislation and
requirements under the Privacy Act have compounded
the pressure that organisations already face from
their customers and clients to appropriately respond to
and report on security breaches. Many non-ASX 100
organisations have not properly prepared for the possibility
of a breach of sensitive customer information.
This includes a lack of understanding of their breach
disclosure obligations and a lack of planning as to how
to communicate breaches to their customers or clients.
A large proportion of organisations had not adequately
tested their recovery and response plans.
Comparison to ASX 100
ASX 100 companies are at least 50% more likely than
non-ASX 100 organisations to have a clear understanding
of their breach disclosure requirements and
to have also considered how they would communicate
to their customers and to clients in the event
of a security breach.
Action Items
• Dedicate time to identify external stakeholders
including regulators and third parties, and their
requirements for breach notification.
• Ensure that communication and response plans in
the event of a breach are documented and have
been tested.
• Incident response plan testing can either be
conducted internally or by a third party subject
matter specialist.
KEY INSIGHTS
• LESS THAN 50% OF NON-ASX 100 ORGANISATIONS have not considered the use of cyber insurance policies.
• 50% OF NON-ASX 100 ORGANISATIONS stated that they have no clear understanding of the organisation’s current disclosure requirements.
• ONLY 39% OF NON-ASX 100 ORGANISATIONS have actually tested their response, recovery or resumption plans despite the majority of them having the plans available.
• 52% OF NON-ASX 100 ORGANISATIONS have not considered or prepared a plan for how they would communicate to customers or clients a breach of their confidential data.
Non-ASX 100 organisations have not identified a higher rate of attacks
Countless sources have noted that the rate and
prevalence of cyber threats have increased rapidly in
previous years which has subsequently driven more
attention to the field of cyber security. Contrary to
reports from various other organisations, most non-ASX 100
organisations did not identify or report the
same level of growth in cyber security incidents.
Comparison to ASX 100
Almost two thirds of ASX 100 companies report
that they have experienced more cyber attacks in
the past twelve months. Almost one out of three
ASX 100 companies believe their cyber net residual
risk will increase significantly over the next twelve
months compared to only one out of ten for non-ASX 100.
Action Items
• Remain diligent on cyber security practices
and ensure that cyber security measures are
continually maintained and improved where
needed due to changes in the external threat
environment. Continue to monitor for possible
intrusions and ensure that the organisation is
fully prepared in the event of a cyber security
incident occurring.
KEY INSIGHTS
• 50% OF NON-ASX 100 ORGANISATIONS anticipate that their cyber net residual risk in terms of likelihood of occurrence would only increase slightly in the next twelve months, a further one third believe that there would be no change at all.
• 30% OF NON-ASX 100 ORGANISATIONS reported that there had been no change in the number of cyber attack attempts over the past twelve months, with 17 percent stating that they experienced no cyber attacks at all. Only 13 percent reported experiencing more attacks.
Many non-ASX 100 organisations do not have a cyber security budget
The presence of a specifically allocated cyber security
budget is a key indication that an organisation is
investing to protect their organisation from cyber
attacks. Without a clear line drawn between general
IT spend and security specific spend, there are risks
that security will take a back seat when competing
against other projects. The temptation to prioritise
other spending over security is significant. Almost
half of non-ASX 100 organisations reported that
there was no specific cyber security budget in the
organisation, whilst those reporting that they had a
budget stated that it was part of a wider IT budget.
Comparison to ASX 100
The majority of the ASX 100 organisations have a
specific cyber security budget, whether it be standalone
or grouped into a wider budget. In comparison,
the number of ASX 100 organisations that
reported having a specific cyber security budget was
almost double that of non-ASX 100 organisations.
Action Items
• Leaders should lay down clear definitions for
what is to be considered cyber security specific
expenditure versus general IT expenditure.
• Organisations should clearly demarcate the line
between general IT and cyber security spending.
It is critical that the budget for cyber security
initiatives be agreed upfront based on need, and
remain standalone to other expenditure.
KEY INSIGHTS
• 46% OF NON-ASX 100 ORGANISATIONS reported that they have no specific budget dedicated to cyber security expenditure.
• 50% OF NON-ASX 100 ORGANISATIONS stated that their cyber security budget was included in an overall IT budget and not clearly separated or standalone.
Appendix
The following graphs in this appendix section are
a collection of the raw data results that were used
to compile this report. The data has been divided
by colour and icon legend to denote the difference
between results or comments related to either the
ASX 100 or non-ASX 100 organisations.
ASX 100: Results or comments related to the ASX 100 Cyber Health Check Report results.*
Non-ASX 100: Results or comments related to the Protiviti non-ASX 100 respondents.
* ASX 100 Health Check Report, Australian Securities Exchange: www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf.
Q1 Respondent Profile
1.2 Which of these titles best describes your role?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Chair of the Board; Chair of Board sub Committee (e.g. Audit or Risk Committee); CEO/CFO/COO; CAO; CISO; CIO; Department Head; Other.]
ASX 100: Boards were well represented with the majority of respondents being chairs of Boards.
Non-ASX 100: The respondents from the non-ASX 100 organisations were of the Department Head level, followed closely by C Suite executives.
May not add to 100% due to rounding
1.3 Which sector classification best applies to the company’s main business?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Consumer and Leisure; Industrials; Financial Services; Utilities, Energy and Resources; Technology, Communications and Healthcare; Government; Other.]
ASX 100: Respondents came from a broad range of sectors, with greatest representation from the financial services sector.
Non-ASX 100: The respondents from the non-ASX 100 organisations came from a similar range of sectors, with the inclusion of a large number of government entities.
May not add to 100% due to rounding
1.4 Please indicate which of the following risk factors apply to your company.
[Chart: ASX 100 and non-ASX 100 responses. Response options: Our shareholder value is significantly dependent on securing and/or keeping secret our critical information assets; We handle high value financial transactions or other assets at high risk from theft or fraud; We run safety-critical automated systems (e.g., failure can put lives at risk); We deliver services vital to the critical national infrastructure; More than 50% of our revenue comes through online interactions.]
ASX 100: Shareholder value and handling high value financial transactions were the risk factors facing most organisations.
Non-ASX 100: The top risk factors were similar for non-ASX 100 organisations, however a combination of other risk factors were more prominent across the organisations, predominantly related to the use of technology and responsibility for critical national infrastructure.
May not add to 100% due to multiple response options allowed
Q2 Understanding the Threat
2.3 What is the Board’s understanding of the potential impact from the loss of or disruption to key information and data assets?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Limited understanding; Reasonable understanding; Clear understanding; No, the information has not yet been presented to the Board.]
ASX 100: Key information and data assets include intellectual property, financial, corporate, strategic, and customer/personal data. The loss of or disruption to key information and data assets can impact on customers, share price and/or reputation.
Non-ASX 100: Results for both groups were largely similar, however there was a clear indication that boards have a lower understanding of the impact of cyber incidents among the non-ASX 100 organisations.
May not add to 100% due to rounding
2.7 Do you understand where the biggest vulnerabilities/risk exposures are in your IT security perimeter?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, however my understanding is limited; Yes, I am confident in my understanding of key vulnerabilities; No.]
ASX 100: The majority reported a limited or no understanding of the biggest vulnerabilities/risk exposures in their IT security perimeter.
Non-ASX 100: Results for both groups were largely similar, however non-ASX 100 organisations showed slightly higher confidence in understanding their organisational perimeter and related key vulnerabilities.
May not add to 100% due to rounding
2.8 Does your organisation engage external parties to perform regular vulnerability or penetration assessments?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, tests are performed and results reported to the Board; Yes, tests are performed; No.]
ASX 100: Engaging external parties to perform regular vulnerability or penetration assessments is the norm for most organisations.
Non-ASX 100: Penetration testing was the norm among most organisations, however a significant number of non-ASX 100 organisations do not report the results to board level.
May not add to 100% due to rounding
2.11 How confident are you that your company is properly secured against cyber attacks?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Very confident; Confident; Somewhat confident; Not very confident.]
ASX 100: That half are only “somewhat” confident that they are properly secured against cyber attacks indicates that there is more work to do by organisations to understand and protect against cyber threats.
Non-ASX 100: Approximately four out of five non-ASX 100 organisations indicated that they are only “somewhat” or “not very” confident that they are secured against cyber attacks.
May not add to 100% due to rounding
2.13 Is cyber net (residual) risk expected to increase or decrease, in terms of likelihood of occurrence over the next year or so?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Increase significantly; Increase slightly; Stay the same; Decrease slightly; Decrease significantly.]
ASX 100: Most respondents expect the likelihood of cyber attacks to increase over the next 12 months or so.
Non-ASX 100: The majority of non-ASX 100 organisations believe that cyber attacks are likely to increase, however they hold a view that the level of increase will be lower than that anticipated by the ASX 100 respondents.
May not add to 100% due to rounding
Q3 Leadership
3.6 Does the Board include a Director with a good understanding of Information Security and cyber security in particular?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Moderate understanding; At least one Board member is well versed in cyber security; Limited understanding and we have no plans to include this expertise on the Board.]
ASX 100: 20% of respondents have no plans to include information security or cyber security expertise on their board.
Non-ASX 100: A larger proportion of non-ASX 100 organisations either do not have any board members with cyber security expertise or have no plans to include this expertise in the future.
May not add to 100% due to rounding
3.7 Do you feel the company is doing enough to protect itself against cyber threats?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, however there is more we need to do; Yes, we're doing enough; No, there is more we need to do.]
ASX 100: Most organisations feel that there is more they need to do to protect themselves against cyber threat.
Non-ASX 100: A larger proportion of non-ASX 100 organisations believe that their organisations are not doing enough to protect themselves against cyber threats.
May not add to 100% due to rounding
3.14 Does your organisation have a specific cyber security budget?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, it is included in the overall IT budget; Yes, it is a standalone security budget; No, there is no specific budget for cyber security.]
ASX 100: Many organisations have allocated a cyber security budget, but for most it is still included in the overall IT budget rather than being standalone.
Non-ASX 100: A significant proportion of non-ASX 100 organisations do not have any specific budget for cyber security.
May not add to 100% due to rounding
Q4 Risk Management
4.3 To what extent has your Board explicitly set its appetite for cyber risk, both for existing business and for new digital innovations?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Cyber risk appetite has not been defined; Cyber risk appetite is clearly defined and understood; Cyber risk appetite is partially defined/has not yet been communicated.]
ASX 100: Most respondents have either not defined or only partially defined their cyber risk appetite.
Non-ASX 100: Similarly, over 90% of non-ASX 100 organisations have either not defined or only partially defined their cyber risk appetite.
May not add to 100% due to rounding
4.5 Does the Board have an understanding of where the company’s key information or data assets are shared with third parties?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Limited understanding; Reasonable understanding; Clear understanding; No, not yet presented to the Board.]
ASX 100: Third parties includes suppliers, customers, advisors and outsourcing partners.
Non-ASX 100: Results for both groups were largely similar, however a larger proportion of non-ASX 100 organisations did not have a clear understanding of where information is shared with their third parties.
May not add to 100% due to rounding
4.12 Does the organisation assess its cyber security culture?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, but not on a regular schedule; Yes, annually; It has never been assessed; Yes, every 2-3 years.]
ASX 100: Assessment of cyber security culture is not yet done on a regular basis for the majority of organisations.
Non-ASX 100: A larger proportion of non-ASX 100 organisations have either not assessed their security culture at all or do so infrequently (2-3 years).
May not add to 100% due to rounding
4.13 Do you have a clear understanding of your company or organisation’s disclosure requirements regarding a cyber breach?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes; No; Did not respond.]
ASX 100: A large majority of organisations have a clear understanding of their disclosure requirements, which is particularly important given the new data breach notification regulations that have recently been enacted.
Non-ASX 100: Only half of the non-ASX 100 organisations were able to state that they understood their disclosure requirements regarding a cyber breach.
May not add to 100% due to rounding
Q5 Awareness of Help
5.4 Have you considered using cyber insurance?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, we have considered it and decided not to implement a policy; Yes, we are implementing a policy in the next 12 months; Yes, we have a cyber insurance policy; No.]
ASX 100: Almost as many respondents have considered and decided against a cyber insurance policy as those who actually do have a policy.
Non-ASX 100: Almost half of non-ASX 100 organisations have not considered using cyber insurance at all.
May not add to 100% due to rounding
5.6 Has your organisation implemented an ongoing cyber awareness training program for staff?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, in the last 12 months; Yes, it has been in place for over 12 months; No, however we plan to implement a program in the next 12 months; No.]
ASX 100: For most organisations cyber awareness training programs are a fairly recent practice.
Non-ASX 100: The rate at which ASX 100 organisations are implementing cyber awareness training programs is more than double that of non-ASX 100 organisations.
May not add to 100% due to rounding
5.9 Does the Board encourage the cyber security team to engage in data sharing arrangements with other organisations in its environment?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, peer organisations; Yes, Government agencies; Yes, customers, vendors and suppliers; Yes, competitor organisations; No.]
ASX 100: Most respondents report some level of data sharing with other organisations.
Non-ASX 100: A large majority of non-ASX 100 organisations do not perform any data sharing.
May not add to 100% due to multiple response options allowed
Q6 Cyber Incidents
6.1 From reporting provided to the Board, has the company experienced more or fewer cyber attack attempts over the last year?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Steady state/no change; Slightly more; Significantly more; Slightly less; Significantly less; There is no reporting provided to the Board; There have been no cyber attack attempts.]
ASX 100: Cyber attack attempts were on the rise for most respondents in the last 12 months.
Non-ASX 100: Over the past 12 months, non-ASX 100 organisations mostly experienced either no change in the number of cyber attacks or no attacks at all, however reporting rates were lower.
May not add to 100% due to rounding
6.4 Have you considered how you would notify your customers or clients of a breach of their confidential data?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes; No.]
ASX 100: Nearly a quarter of respondents still need to determine how they would communicate a confidential data breach.
Non-ASX 100: Less than half of non-ASX 100 organisations have determined how to communicate a confidential data breach.
May not add to 100% due to rounding
6.5 Are you confident in your organisation’s ability to detect, respond and manage a cyber intrusion to minimise impact to your business?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Very; Confident; Somewhat; No.]
ASX 100: It appears that more needs to be done around detecting and responding to cyber intrusions given the majority response of only ‘somewhat’ confident.
Non-ASX 100: None of the non-ASX 100 organisations were confident or very confident in their ability to detect and respond to cyber intrusions.
May not add to 100% due to question non-response
6.6 Does the organisation have a documented and approved response, recovery and resumption plan and is the plan tested?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes, the plan is tested; No, a plan is in place however it has not been tested; No, there is no documented plan.]
ASX 100: Most respondents appear to be prepared for what to do after a cyber attack occurs.
Non-ASX 100: Most non-ASX 100 organisations have a plan in place, however over a third have not tested it.
May not add to 100% due to question non-response
Q7 Investment and Customer Data
7.1 Does the board review and challenge reports on the security of your customers’ data?
[Chart: ASX 100 and non-ASX 100 responses. Response options: Yes; No; Did not respond.]
ASX 100: It appears that at the moment boards don’t have a lot of input into the security of customer data.
Non-ASX 100: Only a quarter of non-ASX 100 organisations have reports on security reviewed and challenged by the Board.
May not add to 100% due to rounding
7.2 What are the drivers for the priority of the Board’s review of security reports?
[Chart: ASX 100 and non-ASX 100 responses. Response options: The Board does not review security reports; Other; Concern about reputation with customers; Cyber security is a key risk; Upcoming legislation or regulatory reporting; Investor concern.]
ASX 100: Cyber security is a key driver of board reviews of security.
Non-ASX 100: A high proportion of non-ASX 100 organisations do not have board review of security reports, and less consider cyber security as a key risk compared to ASX 100 organisations.
May not add to 100% due to multiple response options allowed
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
CONTACTS
David Adamson +61.420.279.937
Ewen Ferguson +61.478.491.056
Schalk Kock +61.459.990.390
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0617-108185 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Fort Lauderdale, Houston, Indianapolis, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, Sao Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas
EUROPE MIDDLE EAST AFRICA
FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
SOUTH AFRICA*: Johannesburg
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
ASIA-PACIFIC
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore
INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
*MEMBER FIRM