That’s according to a panel of leading cyber security experts speaking in Sydney today at an event hosted by Aura Information Security on the state of play in the Australian cyber security sphere.
The event was a lunchtime media briefing at the O Bar in Australia Square, and I was able to film the entire event. As it was over lunch, you'll hear the clinking of cutlery on plates, but the discussion was excellent, and I hope you'll find value from the video a little further below and the rest of the article, which is effectively a reprint of the media release following the event.
You'll also notice that I started off by zooming in to the main speaker, but as each speaker spoke, I raced around the room to position the camera opposite that person, or at least in 95% of cases, and yes, you'll see the camera moving as I do this, but for 90% of the video, it is focused on the person speaking - and any video is better than no video.
Speaking during the forum, Michael Warnock, Australia Country Manager at Aura Information Security, said there are major opportunities for enterprises which are able to manage their protection requirements successfully.
“They’re often quiet achievers but it’s Australia’s medium-sized businesses that underpin the country’s GDP and prosperity. Cyber-readiness can be a ‘make or break’ issue for them, as they look beyond their traditional markets and expand globally,” said Warnock.
Here's the full video of the event. The article continues below, so please read on!
A mixed report card for local enterprises
Carl Woerndle, Principal Advisor of Cyber Security and Incident Response at Ecosystm, the technology research and advisory firm, said Australian businesses are simultaneously leaders and laggards when it comes to cyber-readiness and resilience.
“Where we fall behind is in the SME space with cost and awareness being driving factors behind their lag in progress compared to enterprise organisations which are forging ahead with improved data security practices. However, Ecosystm’s data shows that 80 per cent of Australian enterprises now consider they have mature security controls in place,” said Woerndle.
Risk management strategies as well as industry and regulatory compliance requirements are driving the spend, as enterprises step up their efforts to ensure they don’t run afoul of increasingly punitive reporting regimes.
“More than half of the organisations we’ve studied are planning to implement incident response and threat analysis and intelligence solutions this financial year,” said Woerndle.
However, Australian firms have been slow to engage with third party advisory firms, one of the accepted measures of cyber-security maturity in the developed world.
Ecosystm’s research has found that just 29 per cent of Australian businesses have done so, compared with the global figure of 50 per cent. Cyber insurance uptake is also low: it stands at 40 per cent in Australia, compared to 64 per cent in the United States.
Navigating regulatory regimes
“While trying to grow revenue and become more competitive, ‘compliance confusion’ is becoming an increasing challenge for Australian organisations as they strive to ensure they’re not in breach of the growing volume of regulatory requirements ushered in by the digital era,” said Michelle Price, CEO of AustCyber, a federally funded not-for-profit organisation tasked with growing the sector.
She believes that the often-complex interplay between security and privacy standards, regulations and legislation – in Australia and elsewhere for those exporting – contributes to unintended consequences of rapid technological development.
“There’s an overall lack of coordination across the Australian regulatory landscape and it can be hard for businesses to keep pace with this while also contending with supply chain implications, digitalisation and workplace cultural disruption,” said Price. “The top end of town is finding this challenging to varying degrees in all verticals and the smaller end certainly is.”
More than just a business risk: the national security threat
“Historically, within the private sector cyber-security incursions were viewed first and foremost from a commercial standpoint, but changes to the threat landscape and increasing organisational maturity have driven home the importance of also applying a national security lens to cyber security,” said Jennifer Stockwell, National Cyber Security Advisor at Telstra.
“In an ecosystem where we are seeing more global attacks motivated by espionage and sabotage, it’s vital that we understand not just how, but why our adversaries are carrying out certain activities. This includes developing and maintaining a picture of the broader geo-political drivers of cyber threat.”
“Cyber is now an extension of state power, and the objectives of malicious actors are much broader than stealing credit card details for illicit use. Taking a team-based approach with other large organisations and government, as well as engaging small businesses is key to the creation of a stronger cyber-security environment in Australia,” said Stockwell.
Seizing the commercial opportunity cyber-security solutions present
“Maintaining high standards of cyber-protection in the community cannot remain the exclusive remit of regulatory bodies,” said Ashish Mahajan, Security Advisor to industry start-up initiative, IoTSec Australia.
“Encouraging businesses to take ownership of the issue by conducting their own risk assessments and analysis, and raising end user awareness should result in the development of a more robust, cyber-resilient community,” said Mahajan.
“Analysis of some of the biggest breaches in recent years will show that the activity involved was not ‘rocket science’. There’s a responsibility to advance safer cyber practices all the way from regulators down to consumers. Australia is home to a growing ecosystem of cyber-security businesses and the current threat landscape represents a significant commercial opportunity.”
Working together for better results
The speakers all agreed that governments, the business community and cyber security professionals all had important roles to play in ensuring Australian organisations keep pace with the challenges created by rapid technological change.
Suggested immediate actions include:
- Focus on fixing known vulnerabilities - many vulnerabilities discovered during routine network penetration tests are known, with some having been public for more than a decade. When you consider web-based applications are a key gateway to organisational data, that’s simply not good enough. No Australian business should have known, published vulnerabilities sitting in their networks waiting for a malicious hacker to exploit them.
- Know the Australian Government’s ‘Essential Eight’ cyber security risk mitigation strategies, published by the Australian Signals Directorate.
- Invest in organisational training and raise awareness, including the responsibilities of all staff in managing what is a set of business risks, not IT risks.
- Add cyber security to your overall risk and compliance strategy, reviewed regularly ‘top down’.
- Recognise no organisation is immune from a cyber-attack, underscoring the importance of cyber resilience.
- If you’re not sure where to start, engage a trusted third party organisation to perform a security gap analysis on your business.
“Cyber-security has ceased to be an ICT issue – it’s everyone’s business and we need to work together to create a robust protective landscape,” Warnock concluded.