Is the ASX 200 Resilient to Cyber Threats? Our Report Says No.

In today’s rapidly evolving digital landscape, managing cyber risk has become essential for sustaining corporate growth and resilience. Cyber risk management requires balancing corporate growth against the evolving tactics of threat actors and governmental regulations – a daunting task that requires continuous measurement and strategic reflection.

Our latest report, State of Cybersecurity 2024 | ASX 200, examines these factors across Australia’s largest companies, identifying technological elements that relate to known threats and upcoming legislation, such as the Cyber Security Bill 2024. By calculating a cyber risk score based on those technical factors, we go further to compare risk between companies, across industries, and over time.

This report is designed for those focused on strengthening Australia's cyber defenses, including:

• Technology implementers looking to identify the most important risk factors and their technical controls.
• Executives looking to benchmark their organizations against peers listed on the ASX or standards like the Protective Security Policy Framework.
• Policy makers looking to understand the key risks impacting Australian industries and critical infrastructure.

In this year’s report, we utilize data from UpGuard’s proprietary scanning technology to identify areas of vulnerability across the ASX and with specific industries. Some highlights include:

• Over 50% of ASX companies show various issues with TLS connections for encrypting traffic, like weak ciphers that “nation-state and sufficiently resourced actors are able to exploit”, expired certificates, or simply no encryption at all. TLS is a well-established best practice, and gaps in TLS implementation have a strong correlation with security incidents. 
• 46% of ASX 200 companies lack DMARC, an email authentication method used to prevent phishing. In May 2024, the U.S. Department of State reported that North Korean groups were actively exploiting organizations with inadequate or non-existent DMARC policies. 
• Overall, we observe improvements in the cyber risk scores of ASX 200 companies and in their industry groupings, but this pattern is not universal. For each industry, we highlight the companies that have improved or declined the most. Notably, one of the two industries to show a collective decline is Utilities – part of Australia’s critical infrastructure covered by the upcoming Cybersecurity Bill. 

In addition to the selected key findings, the report provides an extensive analysis of each of the 11 industries – how they compare to each other, their year-over-year performance, which security domains contribute the most to their risk score, and detailed scoring for the best and worst performers. 

These companies not only represent the largest concentration of capital in Australia, but also represent key vendors for other businesses and consumers. By highlighting both strengths and weaknesses, we aim to advance the shared mission of enhancing Australia’s cyber resilience.

Download the report today.