What Does the Australian Cyber Security Strategy Mean for Your Business?

The Australian government is not short of ambition. On launching its new Cyber Security Strategy 2023-2030 in November, it claimed the document would provide a roadmap to becoming a “world leader” in the field by the end date. It has a long way to go, given a spate of high-profile breaches over the past few years.

The message it sends is clear: for critical infrastructure (CNI) providers and tech manufacturers, there will be new obligations designed to raise the bar on cybersecurity. For regular businesses, there is promised support and clarity intended to help improve baseline security standards.

Australian organisations should, therefore, be looking to the new government strategy as an opportunity. Those who address security posture gaps today will find they have more time tomorrow to focus on growing their business rather than worrying about meeting government requirements. For those not covered by specific mandates, it could be a useful moment to revisit and update the security strategy.

Why Does Australia Need a New Cyber Strategy?

Australian organisations are an increasingly popular target for state-backed and financially motivated threat actors. The Australian Signals Directorate (ASD) claims that during FY 2022-23, nearly 94,000 reports were made to law enforcement through ReportCyber. That amounts to one every six minutes – although many more will likely have gone unreported. It highlights several challenges:

⦁ State actors targeting government and CNI assets for espionage and disruption – especially potential IP theft stemming from the AUKUS partnership
⦁ A growing threat to CNI from remote actors, such as the raid against DP World
⦁ A surge in ransomware and DDoS attacks
⦁ Major data breaches, including big names such as Optus, Medibank, Telstra and Latitude
⦁ The rapidity with which new vulnerabilities are being exploited. The ASD says one in five was leveraged within 48 hours

Not only have cybercrime reports risen 23% annually, but the cost of each incident is up 14%, the ASD says.

What’s in the Cyber Strategy?

The Australian Cyber Security Strategy consists of six “cyber shields” covering the following areas:

1) Supporting SMBs and citizens to strengthen cybersecurity
2) Improving the safety of technology for Australians
3) Creating a world-class threat sharing and blocking network
4) Protecting critical infrastructure
5) Enhancing the domestic cybersecurity industry and workforce
6) Providing resilient regional and global leadership

Each of these shields contains various action items listed in the government’s Action Plan. From an information security perspective, the most important parts of the strategy are shields 1-4. They include government plans to:

Shield 1:

⦁ Create health checks and guidance for SMBs
⦁ Work with industry to co-design a no-liability ransomware reporting obligation for businesses
⦁ Provide industry with information on cyber governance obligations under current regulation

Shield 2:

⦁ Working with industry to co-design a mandatory cybersecurity standard and voluntary labelling scheme
⦁ Co-design a voluntary security code of practice for app stores and app developers
⦁ Develop a framework to assess national security risks presented by vendor products and services
⦁ Develop options to protect Australia’s most sensitive and critical data sets, which aren’t appropriately protected under existing regulations
⦁ Embed cybersecurity to ensure AI is developed and used safely and responsibly
⦁ Set standards for post-quantum cryptography

Shield 3:

⦁ Incentivise industry participation in threat-sharing platforms
⦁ Incentivise threat blocking across the economy, especially in CNI firms like telcos and ISPs

Shield 4:

⦁ Align telcos to the same standards as other CNI entities
⦁ Clarify the regulation of managed service providers
⦁ Incorporate cyber regulation into aviation and maritime sectors
⦁ Protect the CNI providers’ critical data
⦁ Activate enhanced cybersecurity obligations for “Systems of National Significance”
⦁ Finalise a compliance monitoring and evaluation framework for CNI
⦁ Expand crisis response arrangements
⦁ Strengthen the cyber maturity of government departments and agencies, including zero trust
⦁ Designate ‘Systems of Government Significance’ that need to be protected with a higher level of cybersecurity
⦁ Conduct national cybersecurity exercises across the economy
⦁ Build playbooks for incident response

What Should Australian Organisations Be Doing?

While the most prescriptive requirements are for CNI firms and tech providers, there are some quick wins that organisations of all types can shoot for, according to Jacqueline Jayne, APAC security awareness advocate at KnowBe4.

“The biggest gap is addressing human error, and this is consistent globally,” she tells ISMS.online. “So implement an ongoing, relevant and engaging security awareness program that includes an opportunity for applying that new knowledge with simulated social engineering activities.”

Other easy-to-achieve best practices include turning on multi-factor authentication (MFA) and deploying password managers for strong, unique passwords, as well as ensuring automatic updates are turned on, and data is backed up regularly offline. “Irrelevant or outdated data” should also be managed “appropriately” to minimise risk exposure, she adds.

For Inversion6 CISO Damir Brescic, the first port of call for Australian organisations should be a risk assessment to establish a baseline for identifying and prioritising threats. Encryption of sensitive data, network segmentation to limit the spread of attacks, incident response planning, continuous monitoring/analysis of security logs, and adhering to the access policy of least privilege are also important, he adds.

“If an organisation wants to improve their overall cybersecurity posture, start with a number of enhancements and conduct an annual review to assure that your overall posture is continuing to improve and mature,” he tells ISMS.online.

Nozomi Networks technical support director Marty Rickard warns about the dangers of “shadow” devices which may be unmanaged and unpatched. “As IoT devices become more widely used and accepted, the risks associated with them increase. Devices with poor or unknown provenance are likely to result in higher quantities and severities of vulnerabilities and risks,” he tells ISMS.online.

“Organisations should look to implementing software bills of materials (SBOMs) and vendor security management processes, not only for IoT devices. These devices should be carefully selected and deployed in appropriately secured enclaves within an organisation’s infrastructure to limit the exposure and potential effects of an unknown vulnerability being exploited.”

How ISO 27001 and Best Practice Frameworks Can Help

Much of the above advice tallies with the recommendations of the ASD’s Strategies to Mitigate Cyber Security Incidents. The Essential Eight is a pared-down list which will be more manageable for smaller organisations and those lower down on the cyber-maturity scale.

However, larger organisations may also benefit from ISO 27001 compliance. This globally recognised standard sets out the requirements for an information security management system (ISMS). Compliance can help improve baseline security and provide assurances that critical assets are protected across 93 controls grouped under organisational, people, physical and technological.

“Australian businesses need support both to defend against common threats and develop their cyber confidence,” argues CyberSmart CEO, Jamie Akhtar. “Standards like ISO 27001 can help them do this by allowing them to build a culture of continuous improvement for their cybersecurity practices – ultimately making them and Australia better equipped to combat cyber-threats.”

If the government is going to meet its “world-leading” ambitions, Australian organisations will need to get proactive about mitigating cyber risk. Industry frameworks and standards can be an important ally on this journey.

“Whether it be ISO 27001 compliance, the Essential Eight, NIST or any other framework, every organisation needs to find the most appropriate one that aligns with their organisation,” concludes KnowBe4’s Jayne.