In the last month, several major Australian companies have suffered cyberattacks. Cyber security experts warn hackers will now see “Australia as a soft target.” While awareness is growing, and the government has turned to tighten cybersecurity legislation, companies are confronting scrutiny on their security measures and increasing calls for companies to protect sensitive information.

UNSW cybersecurity expert Nigel Phair estimated that cybercrime costs Australia’s economy about $42 billion annually. In 2021, 67,500 cybercrimes were reported in Australia, but Mr Phair estimates this is only about one-fifth of the total amount of online crime, meaning around 300,000 cybercrimes are committed in Australia each year.

Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil, MP, has announced that the Albanese government is set to reform former Prime Minister Scott Morrison’s $1.7 billion, 10-year cybersecurity strategy.


Government Response to the Risk

In late August, Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, announced cybersecurity as a top priority for the Albanese government. Minister O’Neil highlighted that the new strategy is to focus on building closer links with Quad partners to accelerate the shift from reliance on China for critical technologies amid concerns about Beijing’s global supply chain.

Following recent high-level cyberattacks, the Hon Clare O’Neil MP, in partnership with Attorney-General the Hon Mark Dreyfus MP and Deputy Prime Minister the Hon Richard Marles MP, announced that the Albanese government was working towards a new Cyber Security Strategy and a review of the Privacy Act. The Albanese government’s new Cyber Strategy will take an offensive approach, with Minister O’Neil stating they will “hunt them down and disrupt operations”. Additionally, the government is pushing for a multilateral approach, encouraging engagement with other international governments to combat the global issue.

The Minister for Cyber Security highlighted that targeting this new crime type requires international cooperation and concerted efforts domestically between businesses, government and Australian citizens. Attorney-General Mark Dreyfus MP last week introduced a bill to amend the Privacy Act to increase fines for massive data breaches to a minimum of $50 million.

Australia’s current data breach notification laws only require companies with an annual turnover of $3 million or more to notify the privacy commissioner of breaches involving sensitive customer data. University of Sydney data breach researcher Jane Andrew said smaller organisations affected by cyberattacks were likely “keeping it quieter” to avoid scrutiny.

Professor Andrew added that current legislation only required companies to disclose to the commissioner but not the public.

“Organisations [such as] Optus are telling us, not because they have to under the law, but because they know they’re going to be subject to scrutiny,” she said.

Minister O’Neil warned that there are no promises that cyberattacks will go away, and the focus should be on adapting the approach and thinking towards this new crime type.


Redspice

In the Morrison Government’s March 2022 Federal Budget, former Treasurer Josh Frydenberg pledged $10 billion, under a package named ‘Redspice’, to see the electronic spy agency, the Australian Signals Directorate (ASD), ramp up its ability to launch offensive cyber operations. The funding was spread over ten years, and only $4.2 billion was intended to be spent in the first four-year budget cycle. Under the package, the ASD was expected to add 1,900 jobs over the decade, including data analysts, computer programmers and software engineers.

The Albanese government has committed to prioritising Australia’s cybersecurity by building upon the foundations of Redspice.


Corporate Responses

Australian businesses are reassessing their current cybersecurity management strategies and making changes to protect their data. Companies have started to bolster their cybersecurity teams and build expertise.

ANZ Banking Group quickly recruited Dan Stivala as their new ‘Incident Communications Advisor’. Mr Stivala’s role is to manage communications across ANZ customers and employees during “major technology, cybersecurity incidents.”

The Commonwealth Bank of Australia (CBA) recruited for a role titled ‘Senior Manager Cyber Defence GRC & Findings Management’ to help lead their Cyber Defence Division. Alongside the CBA’s red and blue teams (teams within the Cyber Defence Operational unit tasked with regularly penetrating and probing the bank’s security infrastructure), the new Manager is responsible for “evaluating the relationship between cybersecurity issues and the bank’s governance, risk management, and compliance (GRC) obligations.”

Recruiting cyber security specialists to liaise between technical staff, companies, and the public is a new approach for any business responsible for managing data. This change allows for a more front-footed and fast response by Australian companies in the face of any potential threat.


International Perspective

The Australian Federal Police reported that the most recent ransomware attack on one of Australia’s largest private health insurers was the work of cybercriminals in Russia.

Cybersecurity experts have said the criminals are likely linked to REvil, a Russian ransomware gang notorious for large attacks on targets in the United States, United Kingdom and most of the western world. Australian Federal Police Commissioner Reece Kershaw states, “It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibility and accountability.”

As outlined by Minister O’Neil’s call for international cooperation in Cyber Security Strategy, cybersecurity and cybercrime are global problems.

Ciaran Martin, founding head of the UK’s National Cyber Security Centre, said countries such as Australia and Britain faced a “serious haven problem” with Russia, China and several other countries that allow cyber gangs to operate freely, or with encouragement, within their borders. The hosting of these gangs in foreign countries without law enforcement arrangements adds a complex layer to the policing of these crimes and contributes to growing global destabilisation in the post-Cold War era.


Lessons For Organisations In Australia

Australian organisations are looking to better understand and respond to the complex cybersecurity environment. Most appreciate that they too could have a cyber security challenge ahead. There are myriad opportunities to be better prepared for this ever-changing landscape. Our team has aligned on three important lessons for organisations in Australia:

Be Proactive, not reactive.

Develop a comprehensive and regularly updated cybersecurity plan. A proactive approach is the key to reducing the likelihood that a company ever has to respond to a data breach in the first place. The Office of the Australian Information Commissioner’s Data Breach Preparation and Response Guide is an excellent place to start. The guide helps government agencies and private sector organisations prepare for and respond to data breaches. The five-part guide can be found here.

Focus on building a cybersecurity-centric culture.

Within businesses, cybersecurity must be a central aspect of the organisational structure and product development – it must be woven throughout every process and not tacked on at the end. The importance of cybersecurity and being vigilant must be stressed across all parts of the organisation.

Build a strong relationship with Government in advance.

Businesses with solid professional relationships with the necessary political and departmental stakeholders will have the best (and fastest) access to the expertise needed to respond to any cyberattack. Recent examples have shown how organisations can be misaligned with government expectations, which can result in additional challenges in the middle of an incident. Advance preparation and understanding are the key.
