In Australia, cyber security threats have increased and have caused major damage to businesses. Even large institutions have suffered due to poor information security. Recent incidents, like the one at Optus, have resulted in customers taking legal action against corporations. So, it is crucial to protect digital assets and infrastructure as our dependence on technology grows.
The need to enhance cyber security for businesses has led the Australian government to propose a Cyber Security Act. With it, the government could develop and roll out new security obligations for organisations at both the business and government levels. Admittedly, this response isn’t surprising. Slow, yes, but not a move that should catch business leaders off guard.
But the question of the day is this: what would a Cyber Security Act look like for modern Australia? And most importantly, what would it mean for businesses?
Setting the record straight: what does ‘cyber security act’ mean?
Considering Australia’s recent history with cyber threats, a security act would likely be a piece of legislation designed to protect critical infrastructure and assets from malicious threats, such as hacking and data breaches.
Based on the little information we have at the moment, we can predict that the act would usher in a new set of obligations that businesses and government organisations would have to follow to secure their digital assets.
The cyber threat landscape: a borderless world of dangers
Anybody that works in the technology industry would tell you that the cyber threat landscape can be chaotic. Every day, people wake up to the news of another data breach, researchers uncovering new strains of malware, and another organisation issuing an apology over data theft.
Threat actors are becoming more aggressive. Case in point: as shown in the Office of the Australian Information Commissioner’s (OAIC’s) Notifiable Data Breaches Report for July to December 2022, the number of data breaches attributed to “malicious or criminal attacks” grew by 41% compared with the previous six-month reporting period.
There are countless threats Australia and its businesses are dealing with. Some of these include:
- Ransomware attacks – malware that encrypts files, rendering them inaccessible until a ransom is paid; many operators now also steal data before encrypting it and threaten to publish it if the victim refuses to pay.
- Phishing attacks – a social engineering attack in which perpetrators pose as a trustworthy entity to trick victims into revealing credentials or other sensitive information, or into opening a malicious attachment or link.
- Data breaches – an incident in which unauthorised individuals gain access to sensitive data, such as personal information or commercial secrets.
- Distributed denial-of-service (DDoS) attacks – an attack in which traffic from a large number of sources (often compromised machines) floods a network or service, exhausting its capacity so that legitimate users can no longer reach it.
- Insider threats – threats that originate inside an organisation, such as employees deliberately stealing data or accidentally installing malware by following a phishing link.
- Malware – an umbrella term for malicious software, including worms, spyware, Trojans, and ransomware.
- Password attacks – attacks in which a malicious actor guesses, cracks, or steals credentials (for example, by brute force, password spraying, or reusing passwords leaked in earlier breaches) to gain access to sensitive information.
As you can see above, the list of threats Australian organisations have to protect themselves from is long. And thanks to constant advancements in technology, threat actors and the risks they pose are going to become more sophisticated. If the government goes through with it, a Cyber Security Act would provide Australia with another resource that offers guidance on how organisations can protect themselves from these threats.
We already have regulations that give us incentives to maintain cyber security solutions and measures – think OAIC’s Notifiable Data Breach (NDB) scheme. What we need now is an outline that we can use as a blueprint to strengthen our own security postures.
A Cyber Security Act may be one piece in an existing puzzle
If the Cyber Security Act came to fruition, it wouldn’t be the only one in existence. Tech-centric national security has been at the forefront of many countries’ minds. Let’s use Singapore as an example. As stated by the Cyber Security Agency of Singapore (CSA), “[t]he [country’s Cybersecurity] Act establishes a legal framework for the oversight and maintenance of national cybersecurity”.
It’s a comprehensive approach to digital security as it covers numerous bases. For example, under the Act, the country’s Commissioner of Cybersecurity has the power to look into digital security incidents and analyse them to improve the nation’s overall security posture and the government’s response to digital threats.
Australia and Singapore are obviously different, so their acts would vary. But there are other areas in the world that enforce digital security policies of their own. We can use them as case studies and seek the guidance of local experts while developing our own regulations.
But at the same time, when developing a new Security Act, we would have to do more than just reinforce what existing Australian laws already cover.
When speaking to the Law Society Journal (LSJ), Melissa Fai (a partner at the law firm Gilbert + Tobin) revealed that “many businesses need more help with prevention.” Moreover, Fai also explained that the Security of Critical Infrastructure Act 2018 doesn’t offer much in the way of a unified response to data breaches – a possible blind spot that a new Cyber Security Act could cover.
As the Security Act does not exist at the time of my writing this, we can only make educated guesses about what it could include. Keeping in mind Fai’s points and general observations from working in the technology industry, some possible components of a Cyber Security Act for Australian businesses might include:
- Streamlined reporting of cyber security incidents – a designated government agency may serve as a single point of contact for companies experiencing an incident. This could follow a similar idea to how the NDB scheme requires certain businesses to report eligible data breaches. But whereas the scheme only applies to entities covered by the Privacy Act (which excludes many smaller businesses), a new Cyber Security Act could extend reporting obligations to all companies.
- Minimum cyber security standards – while we do have risk mitigation frameworks (e.g., the Essential Eight), the new legislation could lay out a set of foundational security standards that all institutions should follow. While enforced compliance may not be the way to go for businesses, I don’t see the Australian government ruling it out.
- Greater penalties for government oversights – cyber security threats have a way of levelling playing fields. As the Chair of the Expert Advisory Board helping to create Australia’s Cyber Security Strategy, Andrew Penn, said, “[the] Government must lead by example and demonstrate its own commitment to … defending against cyber threats.” So, why not enforce greater penalties on government institutions that fail to follow the new Cyber Security Act?
Challenges, opportunities, and how we can prepare…
With the promise of a stronger security posture and (hopefully) access to a greater pool of government support and resources, a new Cyber Security Act may be the initiative Australia needs to lift the security baseline across all its industries. After all, a clearer and more consistent set of security expectations benefits everyone.
At the same time, the introduction of a Cyber Security Act in Australia would likely present challenges for business managers and owners. From operational disruptions to navigating potentially complex regulations, rolling out a new Cyber Security Act is sure to slow companies down as they take the time to understand a new set of obligations and put the required controls in place.
But the adjustment period may be a necessary evil for Australia’s industries. By now, we can expect to see the cyber security threat landscape grow in different ways, further putting us at risk from compromised Internet of Things (IoT) devices, online fraud, and malicious code.
As the Australian government considers new regulations around cyber security solutions for the nation’s sectors, we should already be investing in our cyber security and business processes to make it easier for us to adopt new rules as they are launched.
We can do this with the following:
- Conducting regular security assessments – we need to regularly assess our networks and security posture so that we know where the gaps are and have the means to take on additional obligations.
- Implementing cyber security best practices – we should be adopting security best practices, such as multi-factor authentication (MFA), encryption of sensitive data at rest and in transit, and timely patching and updating of our IT infrastructure.
- Cultivating a cyber security-centric culture – every single person in an organisation needs to be aware of the importance of digital security. We should understand what a new Cyber Security Act would mean for our processes and consider introducing internal consequences for staff who do not follow the controls the Act would require.
- Staying informed about potential regulatory changes – we ought to stay up-to-date with developments in cyber security regulation, ensuring we are aware of any potential changes and are well-prepared to adapt to them.
Cyber Security Act: a cornerstone for Australian society
A Security Act has the potential to kickstart a cultural shift in Australia, providing companies with another incentive to rework their cyber security solutions. We know that the consequences of cybercrime extend beyond financial loss – there can be psychological and personal ramifications for the individuals whose data is exposed.
New security legislation can help protect the safety of all Australians, but if the government wants to roll it out seamlessly, it must be accessible to all (no matter whether someone has a technology background or not). And if companies can understand what their new responsibilities are, they will have a much easier time creating cyber security strategies that are modern, compliant, and well-suited to defend against present and emerging cyber threats.
Do you think a Cyber Security Act will benefit Australia and its businesses?