Cybersecurity strategy should focus on corporate Australia

The Australian government is developing the next cybersecurity strategy to protect Australians from cyber threats. The current version was launched in 2016 and, while novel for its day, was largely underfunded when considering the task ahead. It’s now time to learn the lessons from that experience.

Every organisation uses technology—in service delivery, product development, manufacturing and a multitude of other ways. However, many organisations don’t fully appreciate how tech-heavy they actually are. One of the cybersecurity sector’s biggest challenges is getting organisations to undertake basic risk management processes and to develop an understanding of what technology means to them. It is there that the next strategy should focus. Getting corporate Australia to take ownership of detecting and deterring cyber attackers targeting their organisations is where the rubber needs to hit the road.

There are many aspects of the online environment affecting Australian governments, the private sector, non-profits and individuals that could be covered in the 2020 strategy. However, it should focus on doing a few things very well. One of these is to get corporate Australia to do the simple things first, and that starts with understanding the cyber risk and taking a strategic view.

The constant rise in ransomware attacks, phishing attacks, and compromises of business email systems is a clear indicator that the corporate sector needs help—Australian businesses reported more than 5,800 such scams in 2018, a 53% increase compared with the previous year. The government should put its resources into assisting Australian businesses to harden themselves against being targeted, with the view to other jurisdictions becoming the ‘low-hanging fruit’ for international cyber criminals.

Fortunately, we have the opportunity for a running start. The most recent version of the Australian government information security manual, released earlier this month, uses a risk management framework based on the guidance issued by the US National Institute of Standards and Technology. The manual focuses on implementing cybersecurity principles in a maturity model—a concept that relies on continuous improvement to obtain a desired state.

Too often, organisations see cybersecurity as binary, with a focus on achieving compliance with a particular standard or framework. The next strategy should focus on providing resources (and by that I mean holding their hands) for corporate Australia to implement the recommendations in the information security manual that are relevant to their business requirements and to their sector (with guidance from the appropriate regulatory authority for that sector).

A good first step is to determine the organisation’s risk appetite and level of risk tolerance. Without this strategic overview it’s hard to put meaningful resources into tactical and technical cybersecurity measures. Cyber risk should be a category assessed by a company’s risk and audit committee just like all other risks, and the relationships between risks should be recognised. Responsibility for managing cyber risks should be clearly defined, and reporting should go through a chief risk officer, not through the chief information officer, the role to which many organisations opt to assign it.

As the Australian Institute of Company Directors suggests, organisations should establish a formal process to ensure cyber risk is regularly monitored and reviewed, so that it remains relevant to the company’s needs and reflects current regulatory requirements and risk committee best practice.

An important input to the risk management process will be resources to help organisations defend their staff and networks through ‘blue teaming’, which aims to identify malicious tactics, techniques and procedures and execute response strategies for them. This needs to be a combination of technical capabilities, such as intrusion-detection systems, and human capabilities, such as analysing intelligence. While it’s important to conduct penetration testing, putting too much focus on ‘red teaming’ to imitate attacks against an organisation is not the answer.

The 2020 cybersecurity strategy shouldn’t seek to boil the ocean. Ransomware, phishing and business email compromises are remarkably untechnical cyberattacks, yet pose the greatest issue for Australian businesses. Creating and providing resources to make Australian organisations resilient to cyber threats will be key to success.