We have witnessed a significant rise in the number of cyber-attacks in recent years, with high-profile incidents (such as the Latitude Financial breach) flooding our media with the ramifications of having less-than-stellar cyber security measures.
We hear about the risks that come with our personal information leaking to the Dark Web, or the possibility of cyber threats demolishing our technical ecosystem. But whenever some type of cyber security threat targets our infrastructure and data, the Australian government tends to respond quickly with words but slowly when it comes to marrying its intelligence with that of organisations to gain a full understanding of the cyber threat landscape. At the same time, we can’t solely blame the government for its lack of action.
The data breaches we witnessed in the past few years have been a lesson learned for companies, serving as real-world case studies in close proximity to their own operations. But despite the number of press releases and news reports covering the issue, why does Australia’s cyber security response continue to underperform?
Passing the buck does not equate to action
When there is a lack of understanding across the board, it can be easy for us to place the weight of responsibility on the entities that are closer in nature to the issue at hand. And in this case, I want to address a specific proposal put forth by the government. In short, the government is considering placing more responsibility for software and device security on those of us working in the technology industry.
While I can understand the thought process behind this, the very idea of making IT solutions providers – the entities who have been warning people of the threats to their technology solutions for years – responsible for the security of businesses (and society at large) is a bit misguided. In its 2022 “Digital Defense Report”, Microsoft says that cybercrime has evolved to leverage the latest technologies (for example, cryptocurrency) to stay one step ahead of cyber security solutions.
Any digital security expert would tell you that the cardinal rule of cyber security is: no solution is invulnerable. No matter where we are as a society, our technology solutions will always have some weaknesses that can be exploited. And threat actors are all too happy to test the strength of our defences. The best course of action for businesses is to constantly monitor and update networks, adhere to compliance regulations (where necessary), and stay updated on the latest cyber threats.
And with this in mind, perhaps that is why there are such significant gaps in Australia’s cyber security response? If there’s a conflict of ideas (and expectations) between organisations and governing bodies, no wonder the country’s response to cybercrime is so poor. Nobody seems to understand their responsibilities, instead choosing to rely on reactive policies to get by. If we continue down this path, we’re going to be met with a lot more than data loss.
What is Australia’s cyber security response?
Since cyber security impacts every level of society, we need to break Australia down into 3 spaces: individuals, businesses (of all sizes), and governments. With this in mind, and to be fair, we can say that the country’s security response is already comprehensive enough to cover all bases.
Cyber security for individuals
Since cyber security solutions and services are versatile enough to apply to institutions (as discussed below) and individuals, you will often find that there is some overlap between the security solutions (including their practices) that are recommended by industry experts.
For example, the Australian Cyber Security Centre recommends individuals invest in the following 4 security practices:
- Shoring up defences regarding the use of public and private Wi-Fi.
- Implementing device security solutions and protocols, such as updating software and using encryption.
- Exercising secure account management and protection.
- Installing and using anti-virus software.
While these cyber security solutions can help civilians protect their devices and information, it is critical to remember that vigilance is a trait that can never be overlooked. In 2022, it was found that Australians “lost $526 million to scams”. Technically speaking, scams and cybercrime can be separate. But more often than not, cybercrime that targets individuals is connected to scams in some way.
We know that text message scams are incredibly common. But the fact that they are so successful is a testament to a lack of vigilance and understanding on people’s part. In this way, it could be argued that Australia’s cyber security response is not providing its citizens with enough solutions to protect themselves.
Software and device security for businesses
Thanks to the media and history, when people think of cyber security, they think of companies of any size, in any industry, and in any location. The cyber security solutions that are offered to businesses are more numerous than those for individuals.
These services are far-reaching and can consist of the following:
- Data backup and disaster recovery solutions.
- Cloud security.
- Mobile device and account access management.
- Security assessments and audits.
- Compliance and regulatory services.
- Security awareness training.
- Penetration testing.
- Effective incident response.
- And more.
If you were to compare the offerings listed above to the security practices for individuals, it would be like comparing an apple to a fruit salad. Obviously, companies are more likely to have the budgets and legal obligations to invest in security services. But don’t forget that no software or device security solution is vulnerability-free.
More than 90% of cyber security issues are caused by human error. Again, a lack of understanding and vigilance (perhaps even complacency) may be the root of the issue here. That is why it is important for companies to invest in security awareness training and other solutions that can help educate employees on how to secure their technology solutions effectively. At this stage of the game, Australia cannot use ignorance as an excuse for improper cyber security responses.
Australia’s cyber security response at a government level
After the security disasters that were the Medibank and Optus data breaches, the Australian government turned to reworking its cyber security strategy to implement “[a] national cyber office … to lead emergency responses to cyber attacks”. According to Home Affairs Minister Clare O’Neil, there was a stage where the private sector and different areas of government “[were] doing important things [concerning cyber security] but all [parties were] rowing in different directions”.
Now that those 2 incidents have passed – and there has even been talk of deploying “a specific Cyber Security Act” or expanding the current Security of Critical Infrastructure Act to classify ‘systems’ and ‘customer data’ as “critical assets” – we can say that the government’s attitude toward cyber security has improved.
And with the Office of the Australian Information Commissioner (OAIC) confirming via a statement that it is actively working with the previously mentioned Latitude Financial and other government bodies to address Latitude Financial’s incident, we can be sure that Australia’s cyber security response at a government level will continue to improve (even though it should have been top-tier in the first place).
How can businesses and the government bridge the gap between them?
While the resources for individuals and companies may be somewhat different from each other, the same principles of cyber security apply across the board. Regarding software and device security, if there’s anything the government has gotten right in the past few years, it’s that they (and, quite frankly, everyone else) ought to step up and rethink their approach to digital security.
The concept of a national cyber office is intriguing. If done correctly, it could bridge the divide between companies and the government to ensure that Australia’s cyber security response is cohesive, inclusive, and adaptable to changing conditions.
To accomplish this, the new office would need to:
- Leverage various secure communication channels to share information, resources, and best practices with other organisations.
- Create and maintain relationships with key players in the business and cyber security landscape.
- Demystify established policies.
- Ensure that any new regulations are concise, easy to understand, and provide concrete guidance.
- Frequently liaise with leading cyber security experts and organisations, and never make society-impacting decisions without their input.
- Serve as the epitome of cyber security standards.
Australia knows threat actors are growing, and it’s time to act
If Australia becomes any more complacent, poor cyber security will become the nation’s Achilles heel. It should be clear that the software and device security solutions we need to protect our technology solutions are readily available.
But we are currently caught between the warning signs of an impending cyber security epidemic and the reality that, no matter what we do, cybercriminals will always find some way to exploit network vulnerabilities. The roles and responsibilities related to proper security practices depend on our ability to innovate and adapt as a society.
Australia’s cyber security response has been slow (and, in the case of some organisations, wholly unacceptable), but the last thing we should be doing is stewing over what we could have done. Instead, we ought to focus on what we are going to do.
If the country wants to reduce the number of security incidents that occur within its networks, Australia will have to step up and map out an incident response process that generates a unified front. The technology that cybercriminals need to unleash more havoc on our systems will soon be real, and a clear set of incident response steps will help us respond to threats quickly. But most importantly, it will allow us to have a solid foundation to build a stronger cyber security response strategy for future risks.