Australia has been “off the pace” for too many years when it comes to the rapidly evolving cybersecurity threat, according to Prime Minister Anthony Albanese. He says the national cybersecurity capacity is not at the level it needs to be, and the government is determined to change that.
To lead Australia’s fight against mass cyberattacks by state-sponsored hackers and criminal gangs, the Government will set up a new agency under a seven-year strategy to strengthen defences. A new co-ordinator for cyber security will be appointed at the National Office for Cyber Security within the Department of Home Affairs to help end blame-shifting inside government and across the private sector.
This important initiative follows last year’s revised Critical Infrastructure (CI) Act and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), which aim to strengthen Australia’s ability to resist a Critical Infrastructure cyberattack and protect our people and way of life.
In November the government announced it is launching a new cybersecurity policing operation to break networks of hackers stealing the private information of Australian citizens. Australian Cybersecurity Minister Claire O’Neil has pledged to bring the Russian hackers allegedly behind the Medibank data breach to justice.
On 28 November the Australian Parliament also passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. This was a dramatic, but much-needed change in regulations. The new law will make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.
The price tag of cybersecurity negligence can be catastrophic for businesses, especially small to medium-sized businesses. Companies that fail to take adequate care of customer data will face much higher penalties than the current $2.22 million – they will now potentially face a significant fine of $50 million. The Bill also provides the Australian Information Commissioner with more powers to resolve privacy breaches and quickly provide information about data breaches to help protect customers.
To highlight the costs associated with a breach, Medibank recently announced it would be spending up to $45 million over the second half of the year to update its systems. It also gave details for the first time about how hackers gained access to the private details of about 9.7 million customers, causing the company significant reputational damage.
In early February the Government announced a major rewrite of Australia’s 40-year-old privacy laws in the light of the Medibank breach, and an earlier breach at telecommunications firm Optus.
The new laws would ensure consumers get much stronger rights to insist companies delete their data, which would create new costs for business.
Later in February the Government announced that, under reforms proposed after the Optus and Medibank hacks, the Australian Signals Directorate could controversially be given authority to directly commandeer the IT systems of almost every company in the country that suffers a cyberattack.
The growing cybersecurity threat
The privacy breaches in Australia demonstrate that existing cybersecurity safeguards are not sufficient and that the bar needs to be raised by both businesses and the government.
The hack of the Colonial Pipeline in the United States in 2021 demonstrates that when it comes to cybersecurity, you can never let your guard down – the attack shut down major infrastructure, which caused fuel shortages in five states and resulted in a major jump in prices.
Australia’s Critical Infrastructure is also under threat of attack from cyber criminals. Microsoft’s latest Cyber Signals report says critical parts of the energy grid and essential services such as sewage treatment plants could be hit by cyberattacks, shutting down operations and threatening lives.
The report found that 75 per cent of the most common control technologies used by critical infrastructure companies such as energy operators are severely vulnerable to cyberattacks. Energy companies are at higher risk as criminals realise the financial impact and extortion leverage of shutting down energy and other Critical Infrastructures.
Companies are increasingly finding weak links in their systems, with a 78 per cent jump in those disclosing “high-severity vulnerabilities” from 2020 to 2022 in industrial control equipment, according to the report.
Cyberattacks in Australia increased 80% in 2022, at over double the global rate, according to Check Point Research (CPR) data about last year’s cyberattack trends. Australia is among the worst impacted countries over the past year and cyberattack activity is up from a 52% increase in 2021. Meanwhile, the global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organisation.
The table below outlines the attacks per organisation and industry in Australia, with Insurance/Legal being the hardest hit.
|Country|Industry|Rank|Avg. Weekly Attacks Per Organization in 2022|Change from 2021|
How organisations can protect themselves from cyberattacks
Across all industries, regardless of the size or complexity of the individual business, entities across the regulated CI sectors will require different levels of assistance depending on the maturity of their existing Cyber Security and Incident Response Plans (IRP).
For Critical Infrastructure, having a mature Incident Response Plan helps minimise the loss or theft of information and reduces the disruption of services caused by incidents. Additionally, a well-constructed IRP provides a mechanism for organisations to learn from previous incidents so they are better prepared for handling similar incidents today, and can plan to prevent further incidents happening in the future.
Attacks frequently compromise business data and operating systems, and it is critical to respond quickly and effectively when security incidents occur. Having a mature, layered security posture in place, coupled with an incident response capability, enables CI assets to respond to incidents systematically, in order to take appropriate and timely actions.
The recently passed amendments to the Security of Critical Infrastructure Act are a clear attempt by the Government to reduce the amount of variation in Cyber Security and Incident Response across sectors in order to improve the maturity in these programs and provide more consistent guidance to those with CI assets.
All organisations will urgently need to abide by the new regulations as the threat of cyberattack is increasing. However, organisations that are able to demonstrate maturity in their Cyber Security and Incident Response programs are unlikely to be significantly impacted by the changes and should be in a position to meet most of the requirements being put forward in the latest legislation changes.
Regardless of the Cyber maturity level, Australian businesses will need a variety of services that can assist owners and operators of Critical Infrastructure to meet their obligations under the Act. Incident Response Planning & Capability, Vulnerability Assessments, Table Top Exercises, Compromise Assessments, Cyber Resilience (Vulnerability Assessment Readiness), and Access to System Information will all need to be undertaken in order to properly assess cyber risk.
Incident Response is key. At any moment, day or night, your organisation can be victimized by devastating cybercrime. You can’t predict when cyberattacks will happen, but you can use proactive Incident Response to quickly mitigate their effects or prevent them altogether.
Conduct a cyber risk assessment today and speak with our Incident Response team who can assist your organisation in its preparation, response, and mitigation of the risks.
Scott Mann, Incident Response Team Lead – APAC at Check Point Software, explores the evolving Australian regulatory landscape and how organisations can protect themselves from cyberattacks.