Has the cyber threat finally hit home?
We now have a cyber security minister, but Australia needs to do more or risk costly attacks.
The appointment of Clare O’Neil as the first federal Minister for Cyber Security last month highlights an increasing government focus on the topic dating back to the beginning of this decade.
In 2020, the government announced a $1.67 billion investment as part of the country’s Cyber Security Strategy 2020, which was intended to uplift the security and resilience of critical infrastructure.
A year later, the government turned its attention to upgrading the Essential Eight — a set of cyber security mitigation strategies designed to protect enterprises and organisations against all types of cyber threats. The new version includes maturity levels and advice on appropriate measures based on an organisation's size and cyber security needs.
Australia has made significant strides to upgrade its cyber security posture since it initially published the Essential Eight in 2017, but it hasn’t progressed enough to keep critical industries safe.
The Australian Cyber Security Centre reported a 13 per cent year-on-year increase in cyber crime during 2020-21. In the same period, a fresh data breach was reported every eight minutes with financial losses totalling over $33 billion — a staggering figure for our country.
Even though it might seem that we’re losing the war, it’s important to acknowledge the government’s attempts to drive improvements in Australia’s security posture. These are positive steps for a country that once considered cyber crime an IT problem.
However, for Australians to truly feel cyber safe, the steps we've seen to date must be viewed as just the first in a long-term prevention and mitigation campaign.
Stricter reporting
Mandatory cyber security reporting is an essential regulation in much of the world. The European Union and the US have mandatory incident reporting within 72 hours while India recently enacted a six-hour mandatory reporting window.
In 2018, Australia mandated reporting for cyber breaches for companies with an annual turnover of more than $3 million and specific industries, such as health service providers. This law is a good start but, unfortunately, doesn't go far enough. The only cyber attacks that require reporting are those where the breach is “likely to result in serious harm” to individuals. Cyber attacks that do not involve a data breach posing a risk to individuals do not need to be reported.
The vast majority of businesses — 93 per cent according to ABS figures for 2020–21 — have a turnover of less than $2 million. Clearly, only a fraction of companies reach the reporting threshold.
Reporting mandates are vital because they require businesses and organisations to implement advanced cyber security tools, such as Extended Detection and Response (XDR), to proactively monitor systems for breaches. Security teams need to be able to discern between false positives and actual attacks, quickly investigate breaches, and have the tools necessary to gather data and submit reports.
Many companies lack these capabilities and use legacy tools that are inadequate to respond quickly to cyber intrusions. Demanding reporting compliance will motivate them to upgrade their security posture to tools like XDR and take cyber threats more seriously.
Cyber education
Small businesses frequently feel immune to cyber threats. They believe their relative obscurity keeps them beneath the radar of malign actors. Unfortunately, this is not the case. A 2021 study by Cisco found that 65 per cent of Australian SMEs had been victims of a cyber incident within the previous 12 months, and two out of three said it cost their business $645,000 or more.
Small businesses become targets because they lack sophisticated cyber security protection and are easy to attack. While ransomware payments and the value of the data are lower than those of a large corporation, smaller enterprises give threat actors a playground in which to practise.
Additionally, while SMEs may not be an attractive target on their own, the relationships they have with larger companies can open a backdoor.
The Australian Cyber Security Centre needs to prioritise cyber education for these businesses. By creating a series of educational programs, short videos, webinars, and brochures, it can use SMEs to raise the floor of cyber protection and mitigation across the country.
Cyber security diversity
As of 2018, only 25 per cent of the Australian cyber security workforce was female, and even fewer were First Nations Australians. The Australian government can increase the talent pool by encouraging more women and First Nations Australians to view this industry as a career choice.
Appointing Clare O'Neil as the first Minister for Cyber Security was an inspired choice and one that should drive more women and First Nations Australians into the field. Coupled with industry mentorship programs, university scholarships, and flexible work arrangements, Australia has the potential to become one of the first countries with an equal number of male and female cyber security professionals.
Essential Eight
The Essential Eight is Australia’s cyber security mitigation strategy playbook. The measures are mandatory for non-corporate Commonwealth entities, but private enterprises of all sizes are not required to adhere to these recommendations.
Initially published in 2017, the Essential Eight is a set of mitigation strategies intended to protect enterprises and organisations against all types of cyber threats. The guidelines were designed to set a foundation for cyber security controls. Together with the maturity models, they offer guidance for any business trying to stay safe. They help prevent attacks through application control, patching applications, configurations, and application hardening.
Companies that implement all eight strategies may limit damage from attacks by restricting administrative privileges, patching operating systems, and requiring multi-factor authentication.
Regular backups form the third prong of the Essential Eight as part of data recovery.
However, even the updated version of the Essential Eight is little more than a good baseline that offers a compliance checklist. To take the next step and develop into a risk management framework, it needs to follow the lead of the US government and mandate accepted cyber security tools like Endpoint Detection and Response (EDR) and zero trust networks.
If Australia is ready to take cyber security to the next level, upgrading the Essential Eight and turning it into an official regulation for all businesses would be a substantial step.
Leading the Asia-Pacific
Australia has made some significant strides over the last few years. It is leading the way in the Asia-Pacific region and has taken actions demonstrating that it is ready to fight cyber crime. However, the country still lags North America and Europe in readiness and regulation.
If Australia wants to be a truly safe environment for its businesses and citizens, it must continue raising the security bar for its enterprises and SMEs by driving improvement in its security posture.
Unfortunately, taking history as a guide, the mass adoption of change only takes place when it becomes law. Australian organisations can benefit from a more aggressive adoption of new cyber security technologies like XDR and AI-automation, which enable them to replace siloed security and address cyber security challenges from a unified standpoint.
Today’s cyber attackers move fast. Fast enough that even some next-generation protocols like the 1-10-60 rule have become obsolete models for effective detection, investigation, and response. True XDR allows faster, deeper, and more effective threat detection and response than legacy EDR, collecting and collating data from a wider range of sources.
Jason Duerden is regional director, Australia and New Zealand, for SentinelOne.