Cybercrime is the biggest threat facing corporate Australia today, costing the economy more than an estimated $3trillion.
With the sophistication, agility, and frequency of attacks increasing (one every 8 minutes in Australia), it’s encouraging to see the federal government implementing new legislation in response. However, while the intention is to better protect Australia’s critical infrastructure, this new cybersecurity framework could do the opposite.
Originally designed in 2018 the reformed ‘Critical Infrastructure Protection Act 2022’ came into effect in July this year. With an improved framework for handling cyber threats, it includes an array of measures to which Australian businesses and services must adhere.
In theory, the new act is imperative for safeguarding a modern Australia. Its existence provides a benchmark for IT and OT professionals across a greater variety of industries, and ensures security is a collective responsibility.
The importance of addressing this responsibility cannot be overstated in an environment of increased cyber threats to essential services and businesses over the past few years – including federal parliamentary networks, the medical sector, universities, and key software businesses.
Take the most recent attack on Optus’ network as an example, which has seen millions of customers potentially affected, with full names, date of births and contact details stolen. While Optus was covered by insurance, it’s a reminder that sufficient scenario planning and risk mitigation is integral to preventing these increasingly sophisticated attacks. Potentially one of the largest attacks Australia has seen to date, it’s a warning to us all that cybersecurity has never been more critical.
The introduction of the new act then is a positive sign that Australia is taking cybersecurity threats more seriously. However, some of the amendments foreshadow an evolution of increasingly stringent rules that could become unrealistic and unachievable – ultimately threatening system effectiveness and integrity.
One such update is the change to incident reporting deadlines. In line with the new law, organisations are now required to notify the Australian Cyber Security Centre (ASCS) within 12 hours of becoming aware of an incident. Failure to comply can result in fines starting at $11,000.
Not only could this have implications for smaller businesses, which often have fewer resources to identify and manage attacks on their assets, it detracts from what should be the priority of risk management. The standard 12-hour reporting deadline also doesn’t take into consideration the challenges and processes of different industries – finance vs the food sector, for example. The sophistication and complexity of cybercrimes mean that, in many instances, the time it takes to correctly identify an attack and potential solution is also difficult to predict.
On a global scale, reporting time for incidents was previously around 72 hours, meaning deadlines have reduced from three days to one. The risk in this continued reduction of reporting times is that requirements may get so low – potentially to immediate notification or ‘zero hours’ – that it’s simply unsustainable. Organisations must have adequate time to identify a breach, investigate the incident and produce an accurate report without fear of potentially devastating legal, cost and brand ramifications.
While the latest guidelines hint at a stricter framework in future, the current requirements are achievable for organisations that are prepared. For any organisation, whether 300 or 30,000, the key to effectively managing cyber-security is understanding responsibilities and having a clear plan.
To implement the most effective cybersecurity, you must first have visibility over all your systems. At Schneider, we work with businesses daily to understand their unique challenges and ensure open lines of communication. We also have dedicated cybersecurity leads to ensure clearly defined roles and responsibilities.
To practice what we preach, we upskill our people through mandatory annual cybersecurity certification, and we have a customer-facing Cybersecurity Virtual Academy, an online resource providing educational cybersecurity content, as well as opportunities to engage with industry experts through webinars and Q&As. We also partner with other leaders in the cybersecurity space to help our customers best leverage the investment they've made in their existing IT environment.
Whether you’re a start-up, SME, or global enterprise, the new guidelines are an important reminder that investing in cybersecurity is not just the right thing to do, but critical for your business.