Has the nation’s response to the cyber security challenge been adequate or has it fallen short? Jason Duerden from SentinelOne explores.
Last month, Australia appointed Clare O’Neil as federal Minister for Cyber Security. This is the first time Australia has ever had a dedicated minister for cyber security and highlights a trend of cyber security measures taken by the Australian government dating back to the beginning of this decade.
In 2020, the government announced a $1.67 billion investment as part of the country’s Cyber Security Strategy 2020, which was intended to uplift the security and resilience of Australia’s critical infrastructure.
A year later, in 2021, the government turned its attention to upgrading the Essential Eight, a set of cyber security mitigation strategies intended to protect enterprises and organisations against all types of cyber threats. The new version includes maturity levels, advising organisations and enterprises of appropriate cyber countermeasures based on their organisation’s size and cyber security needs.
Australia has made significant strides to upgrade its cyber security posture since it initially published the Essential Eight in 2017, but it hasn’t progressed enough to keep critical industries safe.
The Australian Cyber Security Centre reported a 13 per cent year-over-year increase in cyber crime during the 2020-21 fiscal year. In the same period, a new data breach was reported every eight minutes, with financial losses totalling over AU$33 billion. This is a staggering figure for our country.
Even though it may seem that we’re losing the war, it’s important to acknowledge the government’s attempts to drive improvements in the Australian security posture as a whole.
These are all positive steps for a country that once considered cyber crime an IT problem. However, for Australians to truly feel cyber-safe, the steps we've seen to date must be viewed as the first steps in a long-term prevention and mitigation campaign.
Stricter reporting means higher standards of security
Mandatory cyber security reporting is an essential regulation in much of the world. The European Union and the United States have mandatory incident reporting within 72 hours of an incident, while India recently enacted a six-hour mandatory reporting window.
In 2018, Australia mandated reporting for cyber breaches for companies with an annual turnover of more than $3 million and specific industries, such as health service providers. The law is a good start but, unfortunately, doesn’t go far enough. The only cyber attacks that require reporting are those where the breach is “likely to result in serious harm” to individuals. Cyber attacks that don’t involve data breaches that are a risk to individuals do not need to be reported.
Furthermore, the Australian Bureau of Statistics reported that in 2020-21, 93 per cent of businesses had a turnover of less than $2 million. Clearly, only a fraction of companies within the country reaches the $3 million annual turnover threshold.
Reporting mandates are vital to a country’s cyber security posture because they require businesses and organisations to implement advanced cyber security tools, such as extended detection and response (XDR), to proactively monitor systems for breaches. Security teams need to be able to discern between false positives and actual attacks, quickly investigate breaches, and have the tools necessary to gather data and submit reports.
Many Australian companies currently lack these capabilities and use legacy tools that are inadequate to respond quickly to cyber intrusions. Demanding reporting compliance will motivate them to upgrade their security posture to tools like XDR and take cyber threats more seriously.
Develop cyber education programs for business
Small businesses frequently feel immune to cyber threats. They believe their relative obscurity keeps them floating safely beneath the radar of threat actors. Unfortunately, we have seen this is not the case. A 2021 study by Cisco found that 65 per cent of Australian SMBs were victims of a cyber incident within the last 12 months, and two out of three say the incident cost their business $645,000 or more.
Threat actors target small businesses for several reasons. SMBs lack sophisticated cyber security protections and are easy to attack. While ransomware payments and the value of the data are lower than those of a large corporation, smaller enterprises give threat actors a playground in which to practise.
Additionally, while SMBs may not be an attractive target on their own, the relationships small businesses have with larger companies could provide a backdoor to a larger enterprise.
The Australian Cyber Security Centre needs to prioritise cyber education for these businesses. By creating a series of educational programs, short videos, webinars, and brochures, they can use SMBs to raise the floor of cyber protections and mitigations across the country.
Promote cyber security diversity
As of 2018, only 25 per cent of the Australian cyber security workforce was female, and even fewer were First Nations Australians. The Australian government can increase the talent pool by encouraging more women and First Nations Australians to view cyber security as a career choice.
Appointing Clare O'Neil as the first federal Minister of Cyber Security was an inspired choice and one that should drive more women and First Nations Australians into the field. Coupled with industry mentorship programs, university scholarships, and flexible work arrangements, Australia has the potential to become one of the first countries with an equal number of male and female cyber security professionals.
It’s time to make the Essential Eight truly essential
The Essential Eight is Australia’s cyber security mitigation strategy playbook. These are mandatory for non-corporate Commonwealth entities, but private enterprises of all sizes are not required to adhere to these recommendations.
Initially published in 2017, the Essential Eight is a set of mitigation strategies intended to protect enterprises and organisations against all types of cyber threats. These guidelines were designed to set a foundation for cyber security controls. Together with the maturity models, these offer guidance for any business trying to stay safe.
The first group of strategies helps prevent attacks: application control, patching applications, hardening configurations, and user application hardening. The second group limits the damage an attack can do: restricting administrative privileges, patching operating systems, and requiring multi-factor authentication. Regular backups form the third prong of the Essential Eight, covering data recovery.
However, even the updated version of the Essential Eight is little more than a good baseline that offers a compliance checklist.
To take the next step and develop into a risk management framework, it needs to follow the lead of the US government and mandate accepted cyber security tools like endpoint detection and response (EDR) and zero-trust networks.
If Australia is ready to take its cyber security to the next level, upgrading the Essential Eight and turning it into an official regulation for all businesses would be a substantial step.
Leading the Asia-Pacific region
Australia has made some significant strides over the last few years. It is leading the way in the Asia-Pacific region and has taken actions demonstrating that it is ready to fight cyber crime. However, the country is still lagging behind North America and Europe in cyber-readiness and regulation.
If Australia wants to be a truly safe environment for its businesses and citizens, it must continue raising the security bar for its enterprises and SMBs, by driving improvement in security posture. Unfortunately, taking history as a guide, the mass adoption of change only takes place when it becomes law.
Australian organisations can benefit from a more aggressive adoption of new cyber security technologies like XDR and AI-automation, which enable them to replace siloed security and address cyber security challenges from a unified standpoint.
Today’s cyber attackers move fast. Fast enough that even some next-generation protocols like the 1-10-60 rule have become obsolete models for effective detection, investigation, and response. True XDR allows faster, deeper, and more effective threat detection and response than legacy EDR, collecting and collating data from a wider range of sources.
Jason Duerden is the regional director, Australia and New Zealand at SentinelOne.