Australian organisations and the government are playing catchup when it comes to cybersecurity, with the remote work experiment, ransomware attacks, and an uptick in cyberthreats around the world revealing weaknesses in the national cybersecurity defences. While Australia’s new Ransomware Taskforce will help limit current threats, it’s still not enough, with some experts saying Australians need to be looking ahead now to understand emerging threats and avoid damaging attacks in the future.

The Australian government’s recently announced Ransomware Taskforce is a step in the right direction, but the government should now be establishing the task forces for emerging threats, says Alana Maurushat, a professor of cybersecurity and behaviour, and associate dean international at the School of Computers, Data, and Math Sciences at the University of Western Sydney.

“They need to start thinking about the thing that’s going to happen in the next three years. Ransomware is going to move further into personal medical information. Sensors will increasingly be interwoven and built into all critical infrastructure, but the security isn’t keeping pace with what the cybercriminals’ intentions are in this space,” Maurushat tells CSO Australia.

Maurushat says there is nothing to lose in predicting potential threats. “Even if you put three ideas out there that may emerge as cybercrime and cybersecurity threats in the next three to five years, and one of them was just completely off the mark and dumb or wrong, it would not have been time wasted, because one or two of the other ideas you would have nipped in the bud before they happened,” she says.

Australian CISOs must work together to combat cybercriminals

Cybercriminals typically don’t work along national lines but instead target sectors. Yet there’s an important leadership role for government in strengthening the national position, Maurushat says.

“Right now, ransomware is hitting certain sectors and that’s a global phenomenon. To counter this, sectors need to work together, and it’s something cybersecurity experts have been saying for 15 years,” she says. “No one CEO or one cybersecurity team can shut an attack down, no matter how mature or advanced they are, unless they’re sharing intelligence and working within that sector.”

Cross-sector coordination provides an overall benefit to the sector in terms of strengthening cybersecurity, but it requires letting go of thinking about it as a competitive advantage. “In other parts of the world, sectors have come together better to fight certain types of cybersecurity threats and that has led to them emerging with a slightly more mature cyber posture,” she says.

Maurushat says government has a role to play in incentivising people to work together, and in a country like Australia it’s more easily done because there is a smaller population compared to, say, the US. “It’s a lot easier to get 40 people to a table to talk than it is to get 4,000 people,” she says.

“The government in Australia has done a lot recently with different types of initiatives to try and get that ball rolling much quicker,” Maurushat says. Of course, “it needed to be done a decade ago—a lot of countries are [now] realising it needed to be done back then.”

Maurushat says the cost of cyber insurance has “gone through the roof” in Australia, revealing the fear of being underprepared for an attack. “It demonstrates companies are at least taking that first step with cyber insurance, but it’s nowhere near enough. It’s like a Band-Aid solution,” she says.

A decade ago, Australian ISPs established the icode, one of the first sector-wide incident-response procedures, which was copied by other providers around the world. “We were the leaders globally in ISPs’ approach to safety and security and other countries adopted these models,” Maurushat says.

Things have changed a lot, and new ‘clean pipes’ laws to help ISPs block cyberthreats have recently been proposed. Still, the lesson from the ISPs remains valid today: a collaborative, industry-wide approach needs to be adopted by other sectors to foster strong security measures across the board, Maurushat says.

Unfortunately, that cross-sector mentality isn’t uniform across industries and, added to that, the Australian government and organisations have a habit of jumping into new programs too readily and then abandoning them. That doesn’t leave sufficient time to properly evaluate the programs, which ultimately inhibits the country’s ability to mature and strengthen security programs. “A program will be up and running, and then they’ll just abandon it,” Maurushat says.

Australian boards and the government are all playing catchup

The spate of highly publicised recent attacks has Australian boards and executives alarmed—and realising they need to rapidly educate themselves about the changing threat landscape. “We’ve had more requests from boards and executives than we have ever had for a variety of different things,” PwC cybersecurity leader Mike Cerny tells CSO Australia.

Cerny says these requests range across upskilling the boards’ own understanding, education, and awareness. “Even though threats have been around for a while, the impact of recent incidents is that it has put a lot of fear into them,” he says.

Boards and executives are also responding to increased government and regulatory scrutiny as a result of the increased attack activity. “We’re seeing that in the financial services sector, from regulators such as APRA [Australian Prudential Regulation Authority], and then obviously elements around the privacy commissioner and also now with the critical infrastructure regulation coming,” he says.

“The Australian government is actually now really stepping up and pushing hard into this space in a really aggressive way, and is probably catching up to other countries or groups of countries such as the EU in terms of regulations,” Cerny says. “We are not as mature as a lot of other major countries, such as the US and European countries, but it’s rapidly improving. And there’s just a greater level of scrutiny now from regulators and the government to make sure that that’s in place.”

One of the significant developments is a regulator like APRA moving from reviewing to effectively auditing the cybersecurity capabilities of the organisations that come under its remit. “What they’re doing this financial year is having one of the big professional services organisations independently audit their level of cybersecurity within the organisation and then present that back to the regulator,” Cerny says.

“APRA then has a much greater level of comfort as to the security posture of each of those organisations, but also an ability to perform a level of benchmarking to understand the level of capability across the sector. It has started with the financial services sector, but we’re seeing that [approach now] across government.”

For CISOs, the response to the increased government scrutiny is about taking a compliance perspective and working through the areas they need to cover: understanding the gap and then having an established capability uplift program. “It might be in the different areas of cybersecurity, but it needs to remedy those gaps,” Cerny says. “If a regulator sees a roadmap that is showing progress, then they are usually comfortable with that.”

However, Cerny notes that being compliant doesn’t mean an organisation is secure. CISOs need to understand what is relevant to their organisation and then adapt appropriately. “There’s the Essential Eight, which all organisations should adopt, and there’s the NIST security framework.”

More Australian organisations also need an incident response plan, says John Borchi, a partner at business consultancy BDO Australia. He was Queensland Health CISO a year ago as COVID-19 hit, so he had a firsthand look at how organisations with a fully developed plan fared better with the rapid uptake in remote work and the heightened threat landscape.

Borchi was involved in a joint AusCert and University of Queensland survey, which found organisations that had proper senior CISOs and planned for attacks did better than those that just had IT people. “They could pick up the malware and ransomware incidents that were occurring more often and be able to respond to them quickly and effectively, versus those who didn’t have that visibility,” Borchi says.

Borchi also notes the importance of ongoing cybersecurity training and awareness for staff, which needs to be treated like occupational health and safety: both a daily challenge and an ongoing task to identify and minimise potential risks. From such training, staff “will understand the difference between a good or bad email, or a text message that’s fake,” he says.

Additionally, Australian organisations need to understand the threats that come from their reliance on third-party vendor software, Borchi says. “There have been incidents not directly within that organisation but with their supplier. So if your third-party supplier has an incident, how can it impact your operations as well?” The Colonial Pipeline attack in the US and the Kaseya attack across several countries, including Australia, are examples.

“If an organisation had a proper incident response plan that’s been practiced and had constant visibility of the environment through a security operation centre, they did a lot better,” he says. “Now a catchup is happening to have some of these things. But I think the challenge is still that the mentality is ‘an issue can be fixed as a problem occurs’, versus being prepared to protect, prevent, and then respond—not just respond. By the time you wait for something to happen, it’s a bit too late,” Borchi says.