In recent months, cyber security has been thrust into the public spotlight in Australia as household name companies suffered some of the largest data breaches in our nation’s history.
The incidents have generated countless media headlines, enormous angst with customers and enlivened important discussions around boardrooms on just how much personal data is held by business, and how well it is being protected.
No organisation wants to be the victim of the next mass data breach though, regrettably, Australia’s current cyber threat outlook signals nothing good. There will be cyber-attacks with greater frequency and of worse consequence in the months and years ahead.
Cyber extortion continues to be a highly lucrative business model for criminal enterprise, whose actions and methodologies continue to be influenced by geopolitical forces. Most notably, the Australian Cyber Security Centre (ACSC) has observed a distinct uptick in cyber threats to Australia since Russia’s invasion of Ukraine in February. More recently, the Australian Federal Police attributed the Medibank breach to a criminal group based in Russia, further highlighting the externalised consequences of volatility in that region playing out in Australia’s cyber environment.
In addition to the threat presented by Russian hackers, other state and non-state actors alike engage in large and small-scale cyber-attacks against Australian targets every day, with a cybercrime report made every seven minutes in Australia in the past year, compared with one every eight minutes in the previous period. These actors are increasingly targeting Australian critical infrastructure: the systems we rely upon most, such as banking, telecommunications and energy. A successful cyber-attack against these systems could bring about even more dire consequences than those we have witnessed in recent months.
It is imperative, then, that every Australian organisation ensures they regularly take a full and frank assessment of their cyber security posture.
For operators of Australian critical infrastructure, these considerations will be increasingly mandated by government. Reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act) are now in effect, imposing a host of obligations on our critical infrastructure sectors.
Organisations captured under the SOCI Act will be subject to requirements to register their assets as critical infrastructure, assess material risks to their assets and report cyber-attacks when they occur. Operators of the most critical infrastructure may have their assets designated as systems of national significance and be subject to additional ‘enhanced cyber security obligations’, which include mandated cyber security uplift. The full demands of the SOCI Act regime are not insignificant, though they are proportionate with the risk they seek to address.
The administrative and financial costs on businesses of any new regulation are never welcome – but the SOCI reforms are seeking to nudge organisations in a direction in which they should already be travelling. Rather than just another layer of regulation, the SOCI Act’s requirements should be viewed as an opportunity for boards to seriously assess their organisations’ cyber security maturity and invest in appropriate mechanisms to ensure they are able to effectively respond to cyber threats.
If the financial and reputational costs to business of inaction on cyber were not readily understood before, they should be now.
Not only do cyber-attacks and data breaches harm customers – financially, psychologically and potentially physically – but they cost business millions in incident response capabilities and digital forensic investigations as well. The attendant reputational damage of a cyber-attack can be catastrophic, and difficult to fully quantify financially.
Heavy fines under legislation changes
Amendments to the Privacy Act passed by Parliament late in 2022 will add to this calculation, levying heavy fines on businesses which suffer repeated data breaches to the tune of over $50 million, 30 per cent of domestic company revenue, or three times the value gained from misuse of stolen data.
Australian businesses can no longer afford to think of themselves as immune to cyber threats. Nor is any business isolated from the nation’s critical infrastructure. Each Australian organisation composes a key thread in the complex tapestry of the highly interconnected and interdependent assets which are vital to the functionality of Australian society.
In some ways, industry already sees itself as highly interconnected. Organisations of every size have embraced digital transformation and continue to leverage the considerable upsides of the digital economy. Here, a broader appreciation of cyber security as part of that interconnection is needed. The whole is only as secure as its weakest link, and no business is an island.
Consequently, more mature organisations which are vulnerable to increasing cyber threats are taking proactive steps to ensure cyber security is not relegated to the exclusive purview of IT departments. Cyber security needs to be a C-suite discussion and comprehensively incorporated into business strategies at the same level at which financial, legal and regulatory risk calculations are made.
Maintaining robust cyber security requires business to make strategic investments, not only in adequate technical protections, but also in the education and training of personnel. Not every staff member needs to be a technically trained incident responder, but a baseline level of cyber security awareness needs to be part of everyone’s portfolio. Fostering a culture of cyber awareness and investing in organisational capability from boardroom to basement will help make people the strongest cyber security asset. Conversely, those ill-educated on cyber security can be the biggest liability for business.
Due diligence around data-sharing arrangements is also required to ensure business partners, supply chains and other connected entities are similarly cyber-mature. Threat actors covet critical business-to-business data to a similar degree as customer information, if not more.
On the other side of the equation, Australian consumers have borne the brunt of recent large-scale data breaches and are now acutely aware of the cyber threat environment. They will therefore place a high premium on the protection of their personal data going forward.
Businesses with a strong focus on cyber security will be able to reassure concerned customers – and win the trust of future customers – by demonstrating an ongoing commitment to protect their most sensitive data.
The current environment will drive more robust cyber security and privacy protections as an increasing requirement, as well as a competitive advantage, for Australian firms. Put simply, good cyber security is good business.
More about the author
Grant Walsh is a senior manager at Cyber CX, which is a leading provider of professional cyber security services across Australia and New Zealand.