Australian organisations and the government are playing catchup when it comes to cybersecurity, with the remote work experiment, ransomware attacks, and an uptick in cyberthreats around the world revealing weaknesses in the national cybersecurity defences. While Australia’s new Ransomware Taskforce will help limit current threats, it’s still not enough, with some experts saying Australians need to be looking ahead now to understand emerging threats and avoid damaging attacks in the future.
The Australian government’s recently announced Ransomware Taskforce is a step in the right direction, but the government should be establishing now the task forces for emerging threats, says Alana Maurushat, a professor of cybersecurity and behaviour, and associate dean international at the School of Computers, Data, and Math Sciences at the University of Western Sydney.
“They need to start thinking about the thing that’s going to happen in the next three years. Ransomware is going to move further into personal medical information. Sensors will increasingly be interwoven and built into all critical infrastructure, but the security isn’t keeping pace with what the cybercriminals’ intentions are in this space,” Maurushat tells CSO Australia.
Maurushat says there is nothing to lose in predicting potential threats. “Even if you put three ideas out there that may emerge as cybercrime and cybersecurity threats in the next three to five years, and one of them was just completely off the mark and dumb or wrong, it would not have been time wasted, because one or two of the other ideas you would have nipped in the bud before they happened,” she says.
Australian CISOs must work together to combat cybercriminals
Cybercriminals typically don’t work along national lines but instead target sectors. Yet there’s an important leadership role for government in strengthening the national position, Maurushat says.
“Right now, ransomware is hitting certain sectors and that’s a global phenomenon. To counter this, sectors need to work together, and it’s something cybersecurity experts have been saying for 15 years,” she says. “No one CEO or one cybersecurity team can shut an attack down, no matter how mature or advanced they are, unless they’re sharing intelligence and working within that sector.”
Cross-sector coordination provides an overall benefit to the sector in terms of strengthening cybersecurity, but it requires letting go of thinking about it as a competitive advantage. “In other parts of the world, sectors have come together better to fight certain types of cybersecurity threats and that has led to them emerging with a slightly more mature cyber posture,” she says.
Maurushat says government has a role to play in incentivising people to work together, and in a country like Australia it’s more easily done because there is a smaller population compared to, say, the US. “It’s a lot easier to get 40 people to a table to talk than it is to get 4,000 people,” she says.
“The government in Australia has done a lot recently with different types of initiatives to try and get that ball rolling much quicker,” Maurushat says. Of course, “it needed to be done a decade ago—a lot of countries are [now] realising it needed to be done back then.”
Maurushat says the cost of cyber insurance has “gone through the roof” in Australia, revealing the fear of being underprepared for an attack. “It demonstrates companies are at least taking that first step with cyber insurance, but it’s nowhere near enough. It’s like a Band-Aid solution,” she says.
A decade ago, Australian ISPs established the icode, one of the first sector-wide incident-response procedures, which was copied by other providers around the world. “We were the leaders globally in ISPs’ approach to safety and security and other countries adopted these models,” Maurushat says.
Things have changed a lot, and new ‘clean pipes’ laws to help ISPs block cyberthreats have recently been proposed. Still, the lesson from the ISPs remains valid today: a collaborative, industry-wide approach needs to be adopted by other sectors to foster strong security measures across the board, Maurushat says.
Unfortunately, that cross-sector mentality isn’t uniform across industries and, added to that, Australian government and organisations have a habit of jumping into new programs too readily and then abandoning them. It doesn’t leave sufficient time to properly evaluate the programs, which ultimately inhibits the country’s ability to mature and strengthen security programs. “A program will be up and running, and then they’ll just abandon it,” Maurushat says.
Australian boards and the government are all playing catchup
The spate of highly publicised recent attacks has Australian boards and executives alarmed—and realising they need to rapidly educate themselves about the changing threat landscape. “We’ve had more requests from boards and executives than we have ever had for a variety of different things,” PwC cybersecurity leader Mike Cerny tells CSO Australia.
Cerny says these requests range across upskilling their own understanding, education, and awareness. “Even though threats have been around for a while, the impact of recent incidents is that it has put a lot of fear into them,” he says.
Boards and executives are also responding to increased government and regulatory scrutiny as a result of the increased attack activity. “We’re seeing that in the financial services sector, from regulators such as APRA [Australian Prudential Regulation Authority], and then obviously elements around the privacy commissioner and also now with the critical infrastructure regulation coming,” he says.
“The Australian government is actually now really stepping up and pushing hard into this space in a really aggressive way, and is probably catching up to other countries or groups of countries such as the EU in terms of regulations,” Cerny says. “We are not as mature as a lot of other major countries, such as the US and European countries, but it’s rapidly improving. And there’s just a greater level of scrutiny now from regulators and the government to make sure that that’s in place.”
One of the significant developments is with a regulator like APRA moving from reviewing to effectively auditing cybersecurity capabilities of the organisations that come under its remit. “What they’re doing this financial year is having one of the big professional services organisations independently audit their level of cybersecurity within the organisation and then present that back to the regulator,” Cerny says.
“APRA then has a much greater level of comfort as to the security posture of each of those organisations, but also an ability to perform a level of benchmarking to understand the level of capability across the sector. It has started with the financial services sector, but we’re seeing that [approach now] across government.”
For CISOs, the response to the increased government scrutiny is about taking a compliance perspective and working through the areas they need to cover by understanding the gap and then having an established capability uplift program. “It might be in the different areas of cybersecurity, but it needs to remedy those gaps,” Cerny says. “If a regulator sees a roadmap that is showing progress, then they are usually comfortable with that.”
However, Cerny notes that being compliant doesn’t mean an organisation is secure. CISOs need to understand what is relevant to their organisation and then adapt appropriately. “There’s the Essential Eight, which all organisations should adopt, and there’s the NIST security framework.”
More Australian organisations also need an incident response plan, says John Borchi, a partner at business consultancy BDO Australia. He was Queensland Health CISO a year ago as COVID-19 hit, so he had a firsthand look at how organisations with a fully developed plan fared better with the rapid uptake in remote work and heightened threat landscape.
Borchi was involved in a joint AusCert and University of Queensland survey which found organisations that had proper senior CISOs and planned for attacks did better than those that just had IT people. “They could pick up the malware and ransomware incidents that were occurring more often and be able to respond to them quickly and effectively, versus those who didn’t have that visibility,” Borchi says.
Borchi also notes the importance of ongoing cybersecurity training and awareness for staff, which needs to be treated like occupational health and safety as both a daily challenge and an ongoing task to identify and minimise potential risks. From such training, staff “will understand the difference between a good or bad email, or a text message that’s fake,” he says.
Additionally, Australian organisations need to understand the threats that come from their reliance on third-party vendor software, Borchi says. “There have been incidents not directly within that organisation but with their supplier. So if your third-party supplier has an incident how can it impact your operations as well.” The Colonial Pipeline attack in the US and the Kaseya attack across several countries, including Australia, are examples.
“If an organisation had a proper incident response plan that’s been practiced and had constant visibility of the environment through a security operation centre they did a lot better,” he says. “Now a catchup is happening to have some of these things. But I think the challenge is still that the mentality is ‘an issue can be fixed as a problem occurs’, versus being prepared to protect, prevent, and then respond—not just respond. By the time you wait for something to happen, it’s a bit too late,” Borchi says.