Cybersecurity in the Australian public sector

The Australian public sector is quickly becoming one of the biggest targets for cybercriminals, state-sponsored hackers and malicious insiders, with many government agencies facing increasing ransomware attacks, geopolitical threats, and data breach attempts on citizens’ personally identifiable information (PII). Recent data from the Australian Cyber Security Centre (ACSC) indicates that cyber attacks have increased by 13% from the previous financial year (July 2020 to June 2021).

Any data breach in the public sector is not only a reputational issue; it can also have serious financial and operational consequences. While some have been fortunate to avoid a truly cataclysmic cyber attack, others have not been so lucky. By staying informed about the latest cyber trends, government organisations can be better prepared to face the evolving threat landscape and protect Australia’s national interests.

Here are six cybersecurity trends to watch in the Australian public sector:

1. Data is the new uranium

The message is clear: data is not the new oil, it’s the new uranium. Following significant data breaches in Australia in 2022, there will be an increased focus on the type and amount of data stored in 2023. This extends to regulations the Australian Government imposes on commercial organisations to store PII. Looking ahead, public and private sector organisations will need to work together to reduce the risk of data being exposed. One way to achieve this is by reducing the volume of data stored to ensure it can’t be weaponised against citizens and the organisations collecting and using that data.

2. Increase in cyber warfare

Cyber attacks of a geopolitical nature have grown exponentially, especially in the wake of Russia’s continued invasion of Ukraine as well as increased geopolitical tensions with China. It’s clear that the use of cyber warfare — cyber attacks used to cause comparable harm against a nation-state — for geopolitical purposes presents an undue risk to organisations. In 2023, the Australian Government needs to do more than just ensure its own digital perimeters are safe and work closely with international partners to strengthen cyber capability and safeguard the interests of its citizens and businesses.

3. Device and third-party security

The use of third-party equipment in public sector networks is under scrutiny following the removal of Chinese-manufactured security cameras at government buildings across Australia. To protect PII and prevent significant cyber breaches, government departments must implement an Internet of Things (IoT) and operational technology (OT) policy in 2023. This policy should include an assessment of the potential risk posed by connected devices as well as ensuring service partners are also taking necessary security measures.

4. Critical infrastructure

The Australian Security of Critical Infrastructure (SOCI) Act has been a topic of much discussion in recent months, particularly regarding the changes made to it. However, there are still areas of the critical infrastructure risk management program (CIRMP) that require further clarification. In response to this, the Australian Government has committed to producing guidance material to assist with implementation, which will help clarify any uncertainties. The new CIRMP Rules came into effect in February 2023, marking the start of a six-month grace period for responsible entities to establish a CIRMP for their critical infrastructure assets.

5. Security baseline

Many companies are starting to prioritise data literacy and cyber hygiene due to changes to the Essential Eight framework and the assessment of its maturity, both of which have raised the security bar. The Australian Government has also mandated compliance across all eight cybersecurity controls of the Essential Eight framework, placing greater emphasis on assessors to gather and use high-quality evidence wherever possible and having less room for leniency. To effectively determine if the mitigation strategies are implemented, staff working on Essential Eight assessments will need to improve their technical knowledge and skills in 2023.

6. Crisis simulation

The key to achieving cyber resilience is through conducting crisis simulations. A crisis simulation not only provides a clear understanding of internal processes; it also identifies gaps in security processes and helps government organisations prepare and train staff for the challenges of day-to-day cybersecurity. In 2023, realistic simulation of both current and evolving threats will be the most effective way to test and improve response readiness, while also minimising the impact of a real attack.

As the Australian public sector increasingly becomes a prime target for cyber threats, it’s crucial for government agencies and organisations to remain vigilant and adopt a proactive approach towards cybersecurity. By implementing robust security measures and staying up-to-date with the latest cyber trends, they can better protect their networks, systems and, most importantly, the PII of employees, citizens and third-party vendors from nation-state actors with malicious intent.

Image credit: iStock.com/winyuu