H. Daniel Elbaum, chairman and joint chief executive of VeroGuard, said: "Whilst the recognition of the cyber security problem in the plan is welcome, an immediate increased focus on preventing the crimes is needed and adoption of enhanced cyber security referred to by the World Economic Forum embraced."
Home Affairs Minister Karen Andrews announced the plan on Wednesday, saying that when it took effect, businesses that had an annual turnover of $10 million or more would have to report ransomware attacks.
She said the government would also introduce new criminal offences and tougher penalties. But Andrews gave no indication as to when the plan would come into force.
"Breaches of software-based 2FA solutions are becoming common, yet significantly ‘enhanced MFA cyber security’ solutions are already available in the market that happen to be developed, produced and run in Australia.”
Elbaum said the government could be doing a lot more to enhance cyber security and protect businesses and citizens online.
He called for the implementation of measures "that would have immediate and material impact on the problem, such as mandating strong MFA rather than any MFA, integrating strong MFA and digital identity into government systems rather than vulnerable applications and biometric-based tools".
"I would like to add that a focus on sovereign solutions will also mean better control over our critical infrastructure, economic outcomes and development of high value jobs in the digital economy," he added.
Scott McKinnel, ANZ country manager at security outfit Tenable, said: "Ransomware isn't just a financial threat, but an urgent national security risk that threatens schools, hospitals, businesses, and governments across the board.
"Cyber attacks — including ransomware — are big money makers, so ultimately we need to do everything in our power to make it more difficult and less lucrative for cyber criminals. For this reason, we welcome the government's action plan.
"We believe that greater sanctions and an increase in government and industry co-operation can play a vital role in keeping Australia safe, and we look forward to more detail being released on the plan.
"Having said that, businesses can't rely on the government alone to protect them.
"It's equally important for businesses to take steps to minimise threats including fixing unpatched vulnerabilities, implementing strong security controls for remote desktop protocol, and ensuring endpoint security is up-to-date - especially in remote environments."
Kate Healy, head of Security Google Cloud AuNZ, said despite attempts to stop it, ransomware continued to affect organisations across all industries, significantly disrupting business processes and critical national infrastructure services and leaving many organisations looking to better protect themselves.
"Robust protection against ransomware (and many other threats) requires multiple layers of defence and the Australian Government's Ransomware Action Plan, along with its reforms to protecting critical infrastructure, is recognition of the need to uplift security in businesses across the economy," she said.
"We are deeply concerned by these trends. Security is the cornerstone of our product strategy, and we've spent the last decade building infrastructure and designing products that implement security at scale. Protecting against ransomware is a critical issue for all organisations, and best practices such as reporting are only the start of building a mature and resilient cyber security posture.
"It's important to remember that you can't focus on a single piece of defence; you need a comprehensive cyber security program that enables you to identify, prevent, detect, respond, and recover from threats. Above all, you need a range of solutions from a battle-tested and highly resilient cloud platform that works across these elements in an integrated way with your business."
Matthew Lowe, ANZ area vice-president for security and service management software provider Ivanti, said: "A lot of the conversations around the Ransomware Action Plan are, understandably, currently focused on the criminal offences for ransomware attackers and the mandatory reporting scheme for ransomware victims. The ‘prepare and prevent’ section of the plan outlines minor measures and updates that have, for the most part, already been captured within the announcement of the Australian Cyber Security Strategy in 2020. This has, unfortunately, diminished the importance of taking a proactive approach to mitigating the risk of ransomware.
“The threat of a hefty fine is still only effective in reducing ransomware if the risk of getting caught is high. Crime is a risk versus reward game, and this plan would need to show a quick and high success rate in fining, and fine collection from, these criminals before we will see a reduction in ransomware.
“Prevention is still the best tool in the arsenal against ransomware. Focusing on cyber education and government sponsored assistance around ransomware prevention and preparedness among businesses would be more impactful in reducing the $3.5 billion lost each year to cyber crime and the damage and pain ransomware inflicts, with almost immediate results.
“Mandatory reporting of ransomware attacks is critical, as accurate information is needed to understand the root cause, and real impact, of ransomware — information that informs some of our strongest and most effective security recommendations like the Australian Cyber Security Centre's Essential Eight. The more credible and up-to-date information the ACSC can provide to mid-sized business around the effectiveness of aligning their security policy to the Essential Eight, the greater the uptake of the framework—leading to less incidents.
“Addressing these gaps in security is a vital process for every business. With the increasing number and variance of threat vectors, companies need to understand the landscape and be proactive about preventing cyber incidents.”
Nityanand Thakur, head of Cyber Security at Koenig Solutions, said: "Most ransomware attacks and ransom payments go unreported, as businesses are reluctant to disclose they were attacked. This results in a vicious cycle of funding of cyber criminals to launch further attacks.
"With ransomware attacks targeting important infrastructure such as the recent attack on the Colonial Pipeline, governments are increasingly coming under pressure to act.
"Implementing a reporting requirement is a tool that will help stem the flow of funding to these criminal organisations."