According to Frost & Sullivan, cyber security incidents can cost Australian businesses up to AU$29 billion a year. In Australia, in the last few months alone, we have seen high-profile cyber incidents at Toll Group, Bluescope Steel, the Australian Taxation Office (ATO) and a large state-based attack targeting all levels of government, political parties and private businesses. According to IBM, the average cost of a security breach is almost $3 million in 2020.
Cybercriminals are becoming increasingly sophisticated in their methods and target vulnerabilities in both technology and human behaviour in order to infiltrate sensitive or high-value systems. While there are still many ‘smash and grab’ attacks, bad actors are now also willing to be patient, gathering information over time to maximise their opportunity; the average time to identify and contain a breach is now 296 days.
At the same time, Australian organisations are grappling with increasingly complex cyber systems to protect critical infrastructure for Australian society. In industries such as banking, transport, and utilities, we have seen a shift to public cloud offerings that allow businesses to innovate rapidly, while also presenting unique challenges for securing systems.
The Australian Cyber Security Strategy
It is against this backdrop that the Australian Government has recently released its cyber security strategy, in which it outlines how we should prepare ourselves in Australia to tackle cyber security. There will be an impact at every level, from government to business to the community. The Government will invest $1.67 billion over 10 years and will expand its offensive and defensive capabilities, put a greater onus on businesses to uplift their cyber security maturity, implement government-private cyber security initiatives, increase cyber security training, provide community-oriented cyber security resources, and promote cyber security awareness across all levels of society.
Prime Minister Morrison states that the cyber strategy includes ‘all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure’. This means that every aspect of government and the private sector must address security as a primary concern. It is likely to be particularly disruptive for banking and finance, communications and data, defence, education, utilities, health, and transport.
For financial services organisations, this is likely to have a significant impact due to the current use of individual profiling in the Financial Services Industry (FSI). Whilst profiling for mortgage eligibility is likely to remain permissible, big data projects with outputs including targeted marketing, fraud detection or favourable customer identification will all be affected. Profiling for marketing purposes will always require explicit consent.
What Does This Mean for your Organisation?
While the fine details are yet to be released, organisations are going to be obliged to meet more regulatory compliance requirements. Already heavily regulated industries such as financial institutions will have an increased burden, particularly around data privacy. We expect legislation to be enacted similar to the General Data Protection Regulation (GDPR) enforced in Europe in 2018 or the California Consumer Privacy Act (CCPA) launched earlier this year. An ‘obligation’ to secure your data will likely be introduced, which will impact lightly regulated industries that are critical to the infrastructure of Australia, as they will soon need to meet industry compliance standards for cyber security.
Some of the changes we expect to see include:
- Increased justification for holding personal information – Organisations will be required to inform individuals of the data they hold on them and how it is being used.
- Reporting on data breaches – Currently, organisations only need to report a data breach if it meets certain limited criteria: there has been unauthorised access to or disclosure of personal information; that access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates; and the organisation has been unable to prevent the likely risk of serious harm with remedial action. We expect the criteria to become stricter, requiring more data breaches to be disclosed.
- Increased reporting of security capabilities – It is expected that organisations will be required to report on their policies and procedures, including all legal, physical and technical controls involved in their information risk management processes.
- Changes to requirements for holding personal data – We expect to see changes to organisations’ obligations around storing personal data. Possible changes include: a requirement to expunge personal data after a certain amount of time, changes to the way that data and backup data are stored, improved processes for wiping the personal information of those who have chosen to remove themselves from a business database, and being aware of personal information held by third parties.
It is also possible we will see an entirely new classification for regulated infrastructure which might change how businesses approach technology entirely.
For small to medium-sized organisations that are less experienced in compliance obligations, it could prove challenging to keep up with the additional workload. Whatever the change in strategy brings, it certainly will not be easier than it is now.
How Can Sourced Help?
Cloud at Scale™ for critical regulated infrastructure is more important than ever. Now is a great time for you to get a better understanding of your current environment to ensure you are fully prepared to meet requirements. Sourced can help you take the time now to review the maturity of the controls you have in place and assess whether they are fit for the purpose of meeting your imposed obligations as well as your own business objectives.
Organisations need to look beyond a piece of security software used to patch systems and take a wider view. Great security also includes processes and procedures, education, and protocols to prevent breaches as a result of human error and behavioural attacks.
Whilst the nuts and bolts of the requirements remain to be seen, the overarching goal of the strategy is to shift Australia’s view of cyber security from reactive (responding after a cyber incident) to proactive (preventing an incident from occurring). While a robust security system can seem like a large investment, the cost of a breach is significantly larger, and organisations can no longer keep security on the sidelines.
Rohan is a senior cloud security and compliance consultant with extensive experience in the practical design and assessment of AWS services. He specialises in mapping internal architectural frameworks to business objectives, aligning with internal governance requirements.