Is Australia doing enough to build cyber resilience in a heightened threat environment? Pieter Danhieux from Secure Code Warrior explores.
Cyber criminals are winning the war. Even the countries and organisations with the best cyber security standards, regulations, laws and talent are suffering significant data breaches and cyber incidents on a regular basis, both in the private and public sectors.
Attacks for self-interest and governmental destabilisation are only expected to increase into the future, and yet, many countries fall short of a quality cyber security plan.
For Australia, this issue is being exacerbated due to three reasons:
- Australia tends to be reactive, rather than proactive, when it comes to dealing with malicious attacks;
- Governmental bureaucracy can create delays to swift action; and
- The current IT skills shortage, which is impacting every sector including cyber security, means experts are in short supply.
Australia should get behind a proactive approach to software security and utilise current personnel, especially developers actively writing code, in a more meaningful security role.
This requires a robust security program that includes upskilling for developers in secure coding and awareness but helps to close the ever-widening chasm of the cyber security skills shortage when it comes to common vulnerabilities.
Our laws need to be updated
Australia’s current cyber security regulations and laws are fragmented, and only include those contained in the Criminal Code Act 1995, privacy laws generally and the Notifiable Data Breach Scheme, the Consumer Data Right regime, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), and sector-specific standards such as the APRA Prudential Standard CPS 234 (Information Security).
Beyond these regulations, Australia doesn’t have clear, mandatory minimum cyber security standards for businesses. The standards to date are voluntary, with the key one being the Essential Eight, which are mandatory for non-corporate entities, but not for corporates.
As a nation, Australia has a way to go to protect its interests in an ever-changing cyber security threat landscape.
Recently, the US called on Australia to accelerate the processes in doing so, after a major cyber incident crippled the meat industry in both the US and Australia.
And yet, action is still slow. The government has committed to investing $320 million over 10 years to support the corporate and education sectors in upgrading cyber security education and practices.
Unfortunately, the threats evolve on a much faster timeframe so collectively we need to do more to be ready.
The current budget will be spread across a number of programs and initiatives such as the Cyber Skill Partnership Innovation Fund, designed to provide industry and education providers with funding to deliver projects that will improve the quality or availability of cyber security professionals in Australia.
This patchwork, reactive approach to cyber security means our IP and infrastructure are vulnerable.
The way forward
At the moment, cyber security standards are available for businesses, but none of these are mandatory, except for some specific industry regulations. In addition, the budget is not nearly enough to help fix all cyber security issues businesses are facing, including the increasing skills shortage, or overall standards across the private sector.
The ramifications of not getting cyber security right are severe. Secure Code Warrior recommends that organisations prioritise security best practices across the board, with every team sharing responsibility for goals and outcomes.
The consequences of a data breach are far-reaching, with companies set to have more than their bottom line affected.
The resulting customer mistrust and reputational damage is hard to remedy, but with strong software security and emphasis on code quality, not to mention a culture of security awareness, businesses can be far more protected and prepared for malicious attacks.
Pieter Danhieux is the CEO and co-founder of Secure Code Warrior.