Addressing new critical infrastructure reporting requirements

As government organisations continue to digitise, the need to safeguard their systems against increasingly sophisticated and ever-present cyber threats is more pressing than ever. The public sector collects and holds a significant amount of personal data, making it an irresistible target for malicious cyber actors. An attack against the industry could potentially affect thousands of organisations and hundreds of thousands of public sector employees and citizens. Since some government organisations are considered critical infrastructure (CI) operators, they face new requirements for protecting their systems and data.

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) introduced new regulations for entities and organisations operating in the CI sector, including some government organisations. The new requirements include mandatory reporting obligations for serious cybersecurity incidents under strict timeframes, placing the onus on businesses and operators to raise the alarm should they fall victim to a cyber incident. And for organisations operating in New South Wales specifically, the Privacy and Personal Information Protection Amendment Bill 2022 calls for public sector agencies, state-owned corporations, local councils and some universities to report breaches “likely to result in serious harm” to both affected individuals and the Privacy Commissioner.

Cyberthreats are getting more sophisticated as cybercriminals continuously expand their capabilities, while organisations’ cybersecurity measures remain one step behind. To combat more frequent, targeted and complex attacks, organisations are turning to managed detection and response (MDR) to improve their security posture and become more cyber resilient.

For the government sector, this type of protection has become necessary for effective detection and response to help safeguard CI. The more highly sensitive information government agencies house, the more likely they will be targeted not only by ordinary cybercriminals but also malicious nation-state actors with a ‘licence to hack’. A major data breach would be detrimental from both a financial and reputation standpoint and emphasises the importance for government to take data security seriously.

It’s no longer enough for government organisations to be cyber ready. They must take proactive measures to enhance resilience by being hyper-aware, vigilant and capable of keeping their organisation safe, which is why MDR is becoming an essential service. As the threat landscape rapidly evolves and requires constant monitoring, the Australian Government is increasing fines for serious breaches amid a spate of high-profile cyber incidents that compromised customer data.

However, establishing and maintaining 24/7 monitoring, response and threat-hunting capabilities is a relatively expensive activity, particularly for state and local governments that are typically less funded than federal government institutions. Moreover, the complexities of deploying and properly configuring specialist technologies, such as extended detection and response (XDR) and security information and event management (SIEM) platforms, across multiple sources including networks, clouds and endpoints, can take months to implement.

Partnering with an experienced MDR provider can ensure that government organisations maintain their security posture instead of going it alone with their in-house cybersecurity team. MDR services augment in-house government security teams by providing 24/7 monitoring, enhanced intelligence, access to experienced analysts and proactive threat hunting and vulnerability assessments.

Before partnering with an MDR provider, it’s important to understand the value that MDR services can deliver to ensure they align with the business. Government organisations should consider:

1. Technology: As government organisations continue to digitise their services, there is a corresponding increase in risks and vulnerabilities. Choose an MDR that has deep experience with XDR and SIEM technologies for comprehensive threat detection and response capabilities.
2. Detection: All MDR providers detect threats; however, it’s important to look at how they detect them. Is it human-led, hypothesis-driven or is it done through automated searching? A quality MDR partner should combine human and technological knowledge to execute threat hunting with 24/7 monitoring and real-time analysis and investigations.
3. Response: Government organisations should partner with an MDR provider that is proactive and focuses on responding to threats by containing them and keeping them from spreading further. The MDR services should be able to remotely act on endpoints, within the network or other applications, to isolate systems and stop threats before they cause damage.
4. Research capabilities: Threat intelligence helps government organisations better understand their attackers, respond faster to incidents and proactively map out the attackers’ next move. Look for an MDR provider with an active research arm that can incorporate other cyber threat intelligence to benefit from the latest information on emerging threats worldwide.
5. Field-testing experience: Ensure an MDR partner has field-tested experience with incident response. Hurried responses can result in negative consequences, like unnecessarily shutting down systems or business processes and causing financial and operational disruptions.
6. Culture: It’s important to determine whether an MDR provider can offer a long-term partnership that aligns with the department’s objectives, needs and culture. Government organisations should consider their potential provider’s operating model, industry reputation and how they will integrate with the in-house security team before engaging with an MDR partner.

Many IT and security teams face a ‘do more with less’ challenge as a result of smaller budgets and scarce resources, and largely rely on third parties and contractors to carry out their core functions and responsibilities. As cyber threats increase, government organisations should use MDR to protect their CI assets. Failing to do so can leave the public sector, as well as the Australian people’s security and privacy, exposed to malicious threat actors. Working with a trusted and experienced MDR provider can help government organisations establish a mature cybersecurity posture and better protect their CI assets from unauthorised access.

Image credit: iStock.com/LeoWolfert