Three ways Australia can protect its businesses from cyberthreats

Within a rapidly shifting threat landscape, the Australian Government is doing all it can to bolster its cybersecurity defences. As nation-states like Russia and independent attackers leverage AI to level up their attacks, Australia has been ranked number one among countries on MIT’s Cyber Defence Index showing the greatest progress and commitment to enhancing cybersecurity.

To lead this national effort, Prime Minister Albanese announced the creation of a National Office for Cyber Security in February, with a National Coordinator for Cyber Security responsible for developing and maintaining a capability including promoting cyber resilience across business, critical infrastructure and civil society. But, with the details of the government’s commitment to cyber yet to become clear, for Australian businesses, it may be too little, too late.

Only a quarter (27%) of IT and cybersecurity decision-makers believe that the Australian Government is doing enough to support businesses in the fight against cyberthreats, according to a survey of cybersecurity and IT decision-makers from Australia and New Zealand conducted by Arctic Wolf earlier this year. Those decision-makers are seeking better frameworks and best practices for cyber defence from the government, as well as more openly shared timely threat intelligence and additional funding for infrastructure protection and public sector services.

The requests are timely, as a report from the Australian Cyber Security Centre (ACSC) indicated that state-sponsored attackers from China, Iran, and Russian groups have made Australian cyberspace a key battleground. And it’s likely that many organisations in Australia and New Zealand have already seen the effects of insufficient government cyber assistance, with 25% of respondents claiming their ANZ-based organisations have knowingly concealed a cyber attack to preserve the reputation of their business. That number isn’t sustainable, especially not with 25% of respondents in the survey claiming they cut IT/security headcount last year, and 15% also expecting to conduct layoffs in 2023.

So, what can Australia do to become the “world’s most cyber secure country by 2030,” as Clare O’Neil, the Minister for Cyber Security, said in the country’s recently released seven-year cybersecurity strategy discussion paper? The first step could be to leverage national protections and standards to instil more confidence in the security of digital products and services sold to Australian businesses. Australians should feel at ease knowing that their digital purchases are compatible with the best cybersecurity practices and include the best security protections available. The government could also review existing regulatory frameworks to speed up and simplify that process, including streamlining reporting obligations and response requirements following major cyber incidents.

In the discussion paper, O’Neil said the national government is aware that “a package of regulatory reform is necessary”, but the government sought feedback from businesses and other stakeholders on what exactly needs to be done, including what new standards and new cybersecurity legislation should look like. As Australian cybersecurity business leaders reported in the survey, there’s also a huge demand for more information-sharing between government agencies and businesses. Improved threat-sharing will require technical analyses and considerations of more qualitative issues, like how the national government handles declassification of intelligence and other existing regulatory frameworks, according to the discussion paper.

But if businesses are aware of the cybersecurity threats lurking in the shadows, they’ll be much more capable — and incentivised — to take action on their own, in the form of hiring more security personnel, expanding their security budget or even procuring cyber insurance to cover their assets. Cybersecurity awareness can be a top-down endeavour if the government is able to share information quickly and efficiently. In the event of major cyber incidents affecting the public or private sector, for example, businesses would benefit massively from government agencies sharing the root cause of the attack, as well as post-incident reviews.

The Australian Government also has an opportunity to ensure a robust security industry for years to come by investing in security infrastructure and public sector services, specifically to help small and medium-sized businesses build their cybersecurity skills and offer support to victims of cybercrime. Investing in these protections and programs will also assist the country in attracting cybersecurity talent and business, which is a critical element in sustaining a strong public-private security relationship.

Australia’s cybersecurity strategy has multiple steps to take to gain the confidence of its private sector business leaders, but setting the bar high by addressing the most pressing concerns of those leaders is a great place to start. The nation is taking cybersecurity seriously with a proactive and preventative approach, and continuing to share information, invest and establish best practices in cybersecurity will maintain that trajectory.

Image credit: iStock.com/Vladimir_Timofeev