Is Australia finally coming to grips with cybersecurity?
Last month, Australia appointed Clare O’Neil as Federal Minister for Cyber Security. This is the first time Australia has ever had a dedicated minister for cybersecurity and highlights a trend of cybersecurity measures taken by the Australian Government dating back to the beginning of this decade.
In 2020, the government announced a $1.67bn investment as part of the country’s Cyber Security Strategy 2020, which was intended to uplift the security and resilience of Australia’s critical infrastructure.
A year later, in 2021, the government turned its attention to upgrading the Essential Eight, a set of cybersecurity mitigation strategies intended to protect enterprises and organisations against all types of cyberthreats. The new version includes maturity levels, advising organisations and enterprises of appropriate cyber countermeasures based on their organisation’s size and cybersecurity needs.
Australia has made significant strides to upgrade its cybersecurity posture since it initially published the Essential Eight in 2017, but it hasn’t progressed enough to keep critical industries safe.
The Australian Cyber Security Centre reported a 13% year-over-year increase in cybercrime during the 2020–21 fiscal year. In the same period, a new data breach was reported every 8 minutes, with financial losses totalling over AU$33bn. This is a staggering figure for our country.
Even though it may seem that we’re losing the war, it’s important to acknowledge the government’s attempts to drive improvements in the Australian security posture as a whole.
These are all positive steps for a country that once considered cybercrime an IT problem. However, for Australians to truly feel cyber-safe, the steps we’ve seen to date must be viewed as the first steps in a long-term prevention and mitigation campaign.
Stricter reporting means higher standards of security
Mandatory cybersecurity reporting is an essential regulation in much of the world. The European Union and the United States have mandatory incident reporting within 72 hours of an incident, while India recently enacted a 6-hour mandatory reporting window.
In 2018, Australia mandated reporting for cyber breaches for companies with an annual turnover of more than $3m and specific industries, such as health service providers. The law is a good start but, unfortunately, doesn’t go far enough. The only cyber attacks that require reporting are those where the breach is “likely to result in serious harm” to individuals. Cyber attacks that do not involve a data breach posing a risk to individuals do not need to be reported.
Furthermore, the Australian Bureau of Statistics reported that in 2020–21, 93% of businesses had a turnover of less than $2m. Clearly, only a fraction of companies within the country reach the $3m annual turnover threshold.
Reporting mandates are vital to a country’s cybersecurity posture because they require businesses and organisations to implement advanced cybersecurity tools, such as Extended Detection and Response (XDR), to proactively monitor systems for breaches. Security teams need to be able to discern false positives from actual attacks, quickly investigate breaches, and have the tools necessary to gather data and submit reports.
Many Australian companies currently lack these capabilities and use legacy tools that are inadequate to respond quickly to cyber intrusions. Demanding reporting compliance will motivate them to upgrade their security posture to tools like XDR and take cyberthreats more seriously.
Develop cyber education programs for business
Small businesses frequently feel immune to cyberthreats. They believe their relative obscurity keeps them floating safely beneath the radar of threat actors. Unfortunately, we have seen this is not the case. A 2021 study by Cisco found that 65% of Australian SMBs were victims of a cyber incident within the last 12 months, and two out of three say the incident cost their business $645K or more.
Threat actors target small businesses for several reasons. SMBs lack sophisticated cybersecurity protections and are easy to attack. While ransomware payments and the value of the data are lower than those of a large corporation, smaller enterprises give threat actors a playground in which to practise.
Additionally, while SMBs may not be an attractive target on their own, the relationships small businesses have with larger companies could provide a back door to a larger enterprise.
The Australian Cyber Security Centre needs to prioritise cyber-education for these businesses. By creating a series of educational programs, short videos, webinars and brochures, they can use SMBs to raise the floor of cyber protections and mitigations across the country.
Promote cybersecurity diversity
As of 2018, only 25% of the Australian cybersecurity workforce was female, and even fewer were First Nations Australians. The Australian Government can increase the talent pool by encouraging more women and First Nations Australians to view cybersecurity as a career choice.
Appointing Clare O’Neil as the first Federal Minister for Cyber Security was an inspired choice and one that should drive more women and First Nations Australians into the field. Coupled with industry mentorship programs, university scholarships and flexible work arrangements, Australia has the potential to become one of the first countries with an equal number of male and female cybersecurity professionals.
It’s time to make the Essential Eight truly essential
The Essential Eight is Australia’s cybersecurity mitigation strategy playbook. The eight strategies are mandatory for non-corporate Commonwealth entities, but private enterprises of all sizes are not required to adhere to these recommendations.
These guidelines were designed to set a foundation for cybersecurity controls. Together with the maturity models, they offer guidance for any business trying to stay safe. They help prevent attacks through application control, patching applications, configurations, and application hardening. Companies that implement all eight strategies may limit damage from attacks through restricted administrative privileges, patching operating systems, and requiring multi-factor authentication. Regular backups form the third prong of the Essential Eight as part of data recovery.
However, even the updated version of the Essential Eight is little more than a good baseline that offers a compliance checklist. To take the next step and develop into a risk management framework, it needs to follow the lead of the US Government, and mandate accepted cybersecurity tools like Endpoint Detection and Response (EDR) and zero trust networks.
If Australia is ready to take its cybersecurity to the next level, upgrading the Essential Eight and turning it into an official regulation for all businesses would be a substantial step.
Leading the Asia–Pacific region
Australia has made some significant strides over the last few years. It is leading the way in the Asia–Pacific region and has taken actions demonstrating that it is ready to fight cybercrime. However, the country is still lagging behind North America and Europe in cyber-readiness and regulation.
If Australia wants to be a truly safe environment for its businesses and citizens, it must continue raising the security bar for its enterprises and SMBs, by driving improvement in security posture. Unfortunately, taking history as a guide, the mass adoption of change only takes place when it becomes law. Australian organisations can benefit from a more aggressive adoption of new cybersecurity technologies like XDR and AI-automation, which would enable them to replace siloed security and address cybersecurity challenges from a unified standpoint.
Today’s cyber attackers move fast. Fast enough that even some next-generation protocols like the 1-10-60 rule have become obsolete models for effective detection, investigation and response. True XDR allows faster, deeper and more effective threat detection and response than legacy EDR, collecting and collating data from a wider range of sources.