ACSM
Is Australia finally coming to grips with the Cyber Threat?
By Jason Duerden, Regional Director, Australia and New Zealand, for SentinelOne
Last month, Australia appointed Clare O’Neil as Federal Minister for Cyber Security. This is the first time Australia has ever had a dedicated minister for cybersecurity and highlights a trend of cybersecurity measures taken by the Australian government dating back to the beginning of this decade. In 2020, the government announced a $1.67B investment as part of the country’s Cyber Security Strategy 2020, which was intended to uplift the security and resilience of Australia's critical infrastructure. A year later, in 2021, the government turned its attention to upgrading the Essential Eight, a set of cybersecurity mitigation strategies intended to protect enterprises and organizations against all types of cyberthreats. The new version includes maturity levels, advising organizations and enterprises of appropriate cyber countermeasures based on their organization's size and cybersecurity needs.
Australia has made significant strides to upgrade its cybersecurity posture since it initially published the Essential Eight in 2017, but it hasn’t progressed enough to keep critical industries safe. The Australian Cyber Security Centre reported a 13% year-over-year increase in cybercrime during the 2020-21 fiscal year. In the same period, a new data breach was reported every 8 minutes, with financial losses totaling over AU$33B. This is a staggering figure for our country.
26 | Australian Cyber Security Magazine
Even though it may seem that we’re losing the war, it’s important to acknowledge the government’s attempts to drive improvements in the Australian security posture as a whole. These are all positive steps for a country that once considered cybercrime an IT problem. However, for Australians to truly feel cyber-safe, the steps we've seen to date must be viewed as the first steps in a long-term prevention and mitigation campaign.
Stricter Reporting Means Higher Standards of Security
Mandatory cybersecurity reporting is an essential regulation in much of the world. The European Union and the United States have mandatory incident reporting within 72 hours of an incident, while India recently enacted a 6-hour mandatory reporting window. In 2018, Australia mandated reporting of cyber breaches for companies with an annual turnover of more than $3M and for specific industries, such as health service providers. The law is a good start but, unfortunately, doesn't go far enough. The only cyberattacks that require reporting are those where the breach is "likely to result in serious harm" to individuals. Cyberattacks that do not involve a data breach posing a risk to individuals do not need to be reported.