Boards Are Falling Short on Cyber Security: Why Governance Must Evolve

For decades, cyber security was relegated to the basement, a technical footnote handled by IT departments. However, in the modern corporate landscape, it has transformed into a critical board-level responsibility. Despite this shift, recent research from the UNSW Institute for Cyber highlights a sobering reality: most Australian company directors are currently ill-equipped to govern cyber risk effectively.
A Critical Skills Gap in the ASX 100
The UNSW study analysed the composition of boards across the ASX 100, revealing a stark disconnect between the threats companies face and the expertise available at the top. The findings include:
- Less than 1% of directors possess specific cyber security experience.
- Only 16% have general technology backgrounds.
- Approximately 80% of boards have neither cyber nor technology expertise within their ranks.
This vacuum is significant. Boards are tasked with overseeing the most sensitive and high-risk areas of an organisation, yet they are often operating without a fundamental understanding of the digital threats at their doorstep.
Cyber Risk as Core Governance
The regulatory and social expectations placed upon directors have undergone a permanent shift. Oversight is no longer limited to financial and operational performance; boards are now expected to:
- Understand specific cyber threats and organisational vulnerabilities.
- Oversee strategic investment in robust security controls.
- Ensure comprehensive preparedness for inevitable incidents, such as ransomware attacks or data breaches.
As Nigel Phair of the UNSW Institute for Cyber suggests, directors must learn to assess cyber security “just as they would any other risk.” To make informed decisions that protect customers and stakeholders, a baseline of digital literacy is non-negotiable.
The Scale of the Australian Threat Landscape
Cyber threats are not hypothetical risks; they are a constant drain on the national economy. Statistics indicate that over 300,000 cyber attacks were reported in Australia within a single year, with cyber crime costing the economy an estimated $42 billion annually.
From sophisticated, state-backed intrusions to common phishing and business email compromise (BEC), no organisation is exempt. The assumption that a particular industry or business size provides a “shield” is a dangerous fallacy: opportunistic attacks such as phishing and BEC are largely indiscriminate, so obscurity is not a control.
Governance, Not Just Technology
The primary issue is not necessarily a lack of technical coding skills, but a lack of governance capability. To fulfill their fiduciary duties, boards must be able to:
- Ask the right questions of management.
- Challenge assumptions regarding digital safety.
- Identify where the organisation’s “crown jewels” (its most sensitive data and the systems that hold it) actually reside, and who can access them.
Currently, board composition remains anchored in traditional pillars: finance, law, and executive leadership. While these remain vital, they no longer cover the full spectrum of modern enterprise risk.
Immediate Steps for the Boardroom
Closing the skills gap through recruitment takes time, but boards can begin improving their posture immediately by scrutinising their own internal processes. Many cyber risks do not stem from “Hollywood-style” hacking, but from fragmented information handling. Boards should ask themselves:
- How does sensitive information flow through our organisation?
- Are board materials stored and shared through secure channels that encrypt them both in transit and at rest, and that limit access to those who need it?
- Do we have total visibility and control over our most critical data?
Reducing Risk by Design with Athena Board
This is where governance meets practical infrastructure. Even a board with high awareness can be compromised if it relies on “shadow IT” or insecure habits, such as emailing board packs as PDF attachments (leaving an uncontrolled copy in every recipient’s mailbox), storing sensitive strategy documents on unencrypted shared drives, or downloading materials to unmanaged personal devices.
A purpose-built platform like Athena Board addresses these exposures by centralising and securing materials. By providing audit trails, granular access control, and a “single source of truth,” it removes the reliance on unsecured channels and makes it possible to answer who accessed which document, and when.
While a platform cannot replace the need for cyber expertise, it ensures that the board operates within a framework that reduces risk by design.
Final Thoughts
The UNSW research is a clear call to action. Cyber security is now a core pillar of professional directorship. While achieving total cyber literacy across the ASX will take time, organisations can act today by hardening their internal governance processes.
In today’s environment, excellence in governance is defined by control, security, and the confidence that your board’s most sensitive decisions are protected from the moment they are conceived.
This article is based on research by the UNSW Institute for Cyber.
Athena Board can help; contact us at sales@athenaboard.com