Cyber Security Strategy 2020: what it means for companies
Today, cyberattacks from increasingly sophisticated actors threaten organisations across every sector. Whether it is a large ASX 100 company or a local bakery, organisations of all sizes need to take steps to limit the dangers posed by cyber threats, or will potentially face the consequences.
In response to these growing threats, the Australian Government has released the Australian Cyber Security Strategy 2020 and committed to investing $1.67 billion over the next ten years to achieve its vision of creating a more secure online world for all Australians. So what does this mean for Australian company directors and why do we need another new strategy?
Rationale 1 - Reliance on the internet
The world has never been more interconnected; reliance on the internet has never been greater, which in turn poses significant risks. Australia’s response to the COVID-19 pandemic showed the importance of secure online connectivity for businesses to function under new limitations.
With new limitations, Australians are rightfully adjusting to the new realities of operating almost entirely online. However, as more of our daily activities become digital, the threat landscape expands and so do the cyber threats. Well-equipped and persistent state-sponsored actors are targeting critical infrastructure and stealing intellectual property.
Rationale 2 - Cyber threats are increasing
Cybercriminals are wreaking havoc; adversaries are able to infiltrate an organisation’s system from anywhere in the world – and once a breach occurs, they’re able to steal money, identities, and data from unsuspecting Australians.
There are four types of intellectual property (IP): patents, trademarks, copyrights and trade secrets. Here I am referring to trade secrets, such as the valuable research developed by universities, but it could also be new products in development, designs or product roadmaps.
Australia needs to stop these evolving threats in their tracks by improving governance when it comes to cybersecurity.
What the Cyber Security Strategy means
The vision of Australia’s new national Cyber Security Strategy is to create a more secure online world for Australians, their businesses and the essential services that everyone depends on. Improvements to their security posture will be made through complementary action by governments, businesses and the community.
The Australian Government is in the process of developing new capabilities, incentivising industry to protect themselves and their customers. It will build trust in the digital economy so that all Australians, young and old, can be more secure online.
Responsibilities for company directors
Most board members and company directors are not well versed in cybersecurity, nor understand the impact it can have on their business. Meanwhile, many security leaders have approached security as a purely technical challenge, rather than also considering usability and ease of adoption for the organisation and employees.
Company directors will now have responsibilities for cybersecurity under the Government’s new rules, including legal duties to ensure a reasonable standard of cybersecurity. However, the awareness and understanding of cybersecurity at board and C-level is, at best, minimal.
continues to promote that cybersecurity is a board-level discussion and that directors have a duty of care and responsibility to improve their knowledge and understanding of cybersecurity to understand the risks and ensure their company’s business strategy is robust with rigorous risk assessment processes. Unfortunately Australian boards simply do not have enough diversity in their basic science, technology, engineering and maths (STEM) skills, let alone more specialised technology fields like cybersecurity. According to a , only three percent of boardrooms have all STEM skills covered.
The Essential 8
To keep up with the ever-evolving threats to an increasingly digital world, the lead Australian agencies for cybersecurity — the ACSC in cooperation with the Australian Signals Directorate (ASD) — have recommended that organisations implement eight essential attack mitigation strategies as a baseline.
The eight mitigation strategies were designed to minimise the potential impact of cybersecurity incidents and to improve cybersecurity maturity. For board directors, the Essential Eight can be a useful framework to assist in assessing the company's maturity level for cyber protection. Many businesses already engage in essential audits to monitor risks within their organisation and a cyber audit shouldn’t be ignored, especially with how COVID-19 has forced an increased reliance on technology. A cyber audit is a sensible step to take to help grasp a better understanding of the Essential Eight maturity model. A cyber audit will also help company directors understand the cyber risks and help to assess and develop appropriate strategies to deal with such threats.
One of the eight mitigation strategies it recommends is Multi-Factor Authentication (MFA), one of the best and easiest methods for organisations to implement to protect themselves. In response to the Prime Minister's announcement about the Essential Eight, the stated that, “During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory - patching of software and the use of multi-factor authentication (MFA) across all internet-accessible remote access services, including web and cloud-based email, collaboration platforms, virtual private network connections and remote desktop services.”
How can MFA help?
MFA is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and stealing sensitive information. MFA is proven to limit the extent of cybersecurity incidents, such as phishing, man-in-the-middle attacks and malware.
Being prepared at all times sounds simple, but cybersecurity prevention is simply the cost of doing business and is essential for businesses of all sizes.
Having a clearly defined cybersecurity management plan in place, which leverages proven mitigation methods such as MFA, will not only keep customers, employees and suppliers safe; it will also give board directors and CEOs greater peace of mind.