The extension of the Critical Infrastructure framework to new sectors could become the next headache for the leaders and boards of companies and organisations.
As part of the government’s Cyber Security Strategy, the critical infrastructure framework is to be extended to the banking, finance, transport, communications, data and cloud, defence, education, research and innovation, energy, food and grocery, health and space sectors.
Organisations operating in these industries will have to upgrade their cyber security standards accordingly, potentially by the second half of this year.
In addition, board directors could be in for a nasty surprise, as the new standards should hold boards of publicly listed companies responsible for the change, or directly liable for failing to implement it. This is a welcome and overdue change that will create accountability for the protection of our citizens’ data at the right level – the very top.
A necessary adjustment
Any government has a duty to put a high priority on the protection of its citizens and organisations, and this is exactly what Australia is doing by revisiting what qualifies as critical infrastructure. As core functions of our society and economy increasingly rely on digital systems, the potential for hackers to find and leverage vulnerabilities grows.
In FY20, Australians reported a cyber crime every 10 minutes on average to the Australian Cyber Security Centre, and under the notifiable data breach scheme, organisations reported 539 data breaches between July and December 2020. Three data breaches per day!
At this level, the fact that Australian organisations are putting sensitive information and data at risk is not a theory but a fact, and is more than enough to justify the government’s cyber security plans.
Curing boards’ complacency
Cybersecurity complacency amongst boards is rife in Australia. Company leaders tend to prioritise investments, such as new products and services, that will create business value and improve their bottom line. But a business is like a house – if the foundations are weak, you need to fix them before you make any improvements.
In Australia, the average cost of a data breach in 2020 was $3.35 million. I don’t know a good business leader who would want to leave their business exposed to this type of financial burden. Many advocate for changing mindsets among executives, but that takes time, and time isn’t a luxury many companies have. If we want to accelerate change, businesses have to consider bringing people with IT skill sets onto their boards.
Anticipate the change
Even though the specific rules that will apply to these new sectors haven’t been released yet, there is a wealth of existing cybersecurity standards and guidance that provide a good basis for proactively building a plan of action.
Banking and financial companies already operate under separate standards, defined and monitored by the Australian Prudential Regulation Authority, from which the upcoming rules should draw heavily.
The ACSC also provides guidance via its Essential Eight cyber security strategies, which stress the importance of patching systems as early as possible. I still see many organisations taking months to patch systems after major vendors release the fixes, which is the equivalent of leaving your door open at all times while thieves are roaming around. This should be a first priority for many businesses.
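One way to turn "patch as early as possible" into something a board can actually be shown is a patch-lag report: for every asset, how long the newest applicable vendor patch has been available without being applied, measured against a patch window that is shorter for internet-facing systems. The script below is an added example written for this article, not ACSC or Cloudflare code; the inventory is constructed, and the 14-day and 30-day windows are assumed values, not figures taken from the Essential Eight maturity model.

```python
"""Patch-lag report over a constructed asset inventory (added example).

Each asset records the release date of the newest applicable vendor patch and
the date it was actually applied (None if still missing). Internet-facing
assets get a shorter window than internal ones. Both windows are assumed
values for illustration, not figures from the Essential Eight.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed patch windows in days, keyed by exposure.
PATCH_WINDOW_DAYS = {"internet_facing": 14, "internal": 30}


@dataclass
class Asset:
    name: str
    exposure: str                   # "internet_facing" or "internal"
    patch_released: date            # newest applicable vendor patch
    patch_applied: Optional[date]   # None if the patch is still missing


@dataclass
class Finding:
    asset: str
    exposure: str
    days_exposed: int   # days between patch release and application (or today)
    window_days: int
    status: str         # "unpatched" (still missing) or "late" (applied after window)


def exposure_days(asset: Asset, today: date) -> int:
    """Days the asset ran, or is still running, without the available patch."""
    end = asset.patch_applied or today
    return (end - asset.patch_released).days


def patch_findings(inventory: List[Asset], today: date) -> List[Finding]:
    """Return every asset that exceeded its patch window, worst first."""
    findings = []
    for asset in inventory:
        if asset.exposure not in PATCH_WINDOW_DAYS:
            raise ValueError(f"unknown exposure class: {asset.exposure}")
        window = PATCH_WINDOW_DAYS[asset.exposure]
        days = exposure_days(asset, today)
        if days <= window:
            continue
        status = "unpatched" if asset.patch_applied is None else "late"
        findings.append(Finding(asset.name, asset.exposure, days, window, status))
    # Still-unpatched internet-facing systems with the longest exposure first.
    findings.sort(key=lambda f: (f.status != "unpatched",
                                 f.exposure != "internet_facing",
                                 -f.days_exposed))
    return findings


# Constructed inventory: four hypothetical assets, dates chosen for illustration.
INVENTORY = [
    Asset("web-01", "internet_facing", date(2021, 1, 10), None),
    Asset("mail-01", "internet_facing", date(2021, 2, 20), date(2021, 2, 24)),
    Asset("hr-db", "internal", date(2020, 12, 1), date(2021, 2, 15)),
    Asset("file-srv", "internal", date(2021, 2, 10), None),
]

if __name__ == "__main__":
    for f in patch_findings(INVENTORY, today=date(2021, 3, 1)):
        print(f"{f.status:9} {f.asset:9} {f.exposure:16} "
              f"{f.days_exposed:3}d exposed (window {f.window_days}d)")
```

Run against the constructed inventory on 1 March 2021, the report lists web-01 (an internet-facing system still missing a patch released 50 days earlier) ahead of hr-db (patched, but 76 days after release); mail-01 and file-srv are within their windows and are not reported. Sorting still-unpatched, internet-facing assets to the top reflects the priority the text argues for: the open door that matters most is the one facing the street.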
Another essential piece is building consistency in securing everything in the organisation that connects to the internet. This can be achieved with identity management and access control solutions, which allow entities to implement rules around the type of data and information that employees can access based on their roles and responsibilities. This is a crucial initiative, especially for companies with a scattered or remote workforce, and it can help prevent minor cyber incidents from spreading like wildfire.
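The rule described above, access to data decided by role rather than by individual, is role-based access control, and its containment value comes from two properties: every request is denied unless a role explicitly grants it, and each role holds only the permissions its job needs. The script below is an added example written for this article, not code from Cloudflare or from any product the text refers to; the roles, data classifications and users are constructed for illustration.

```python
"""Deny-by-default role-based access check (added example, constructed data).

A role maps to the (data classification, action) pairs it may perform; a user
holds one or more roles. A request is allowed only if some role explicitly
grants it, and every decision is logged so that denied requests can feed
detection. The policy table and all names are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (data classification, action)

# Constructed policy: least privilege, each role gets only what its job needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "support_agent": frozenset({("customer_contact", "read")}),
    "billing": frozenset({("customer_contact", "read"), ("payment_data", "read")}),
    "payments_admin": frozenset({("payment_data", "read"), ("payment_data", "write")}),
    "hr": frozenset({("employee_records", "read"), ("employee_records", "write")}),
}


@dataclass
class Request:
    user: str
    roles: FrozenSet[str]
    data_class: str
    action: str


@dataclass
class AccessLog:
    entries: List[str] = field(default_factory=list)


def effective_permissions(roles: FrozenSet[str]) -> Set[Permission]:
    """Union of what the given roles grant; unknown roles grant nothing."""
    perms: Set[Permission] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def is_allowed(req: Request, log: AccessLog) -> bool:
    """Deny by default: allow only if one of the user's roles grants the pair."""
    needed = (req.data_class, req.action)
    for role in sorted(req.roles):
        if needed in ROLE_PERMISSIONS.get(role, frozenset()):
            log.entries.append(
                f"ALLOW user={req.user} role={role} {req.data_class}:{req.action}")
            return True
    log.entries.append(
        f"DENY user={req.user} roles={','.join(sorted(req.roles))} "
        f"{req.data_class}:{req.action}")
    return False


def denied_users(log: AccessLog) -> Dict[str, int]:
    """Count DENY entries per user: repeated denials are worth a look."""
    counts: Dict[str, int] = {}
    for line in log.entries:
        if line.startswith("DENY "):
            user = line.split()[1].split("=", 1)[1]
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    log = AccessLog()
    # Constructed requests: a support agent reading and then overreaching.
    agent = frozenset({"support_agent"})
    is_allowed(Request("alice", agent, "customer_contact", "read"), log)
    is_allowed(Request("alice", agent, "payment_data", "read"), log)
    is_allowed(Request("alice", agent, "employee_records", "read"), log)
    for line in log.entries:
        print(line)
    print("denials per user:", denied_users(log))
```

The point of `effective_permissions` is the periodic review the text implies: when a user accumulates roles, the union of what those roles grant is what the business is actually exposed to, and a support agent who has also been given the billing role can read payment data whether or not anyone intended that. The deny log is where access control meets detection; a single denied request is noise, but a user steadily denied across several data classes is an early sign of the kind of minor incident the text wants contained before it spreads.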
There are many proactive steps that organisations can start taking today. But at the end of the day, even diligent cyber preparedness will only get businesses so far. Taking full responsibility for customer data loss will prove to be the true test of a board's mettle — and I’m not certain everyone will emerge unscathed.
Raymond Maisano is the head of Australia and New Zealand at cyber security and web performance company Cloudflare.