The role of government in Australian cyber security

If governments continue to become increasingly involved in cyber security through legislation such as mandatory breach notification, they should also increase support for businesses to secure their data, argues Daniel Johns.


The Australian government has taken an increasing interest in the cyber security of private-sector organisations. For example, the Office of the Australian Information Commissioner (OAIC) is in charge of overseeing the mandatory notifiable data breaches scheme which, under the Privacy Act, requires qualifying organisations to report data breaches that may affect individuals.

Furthermore, the Clarifying Lawful Overseas Use of Data (CLOUD) Act became law in the USA in March 2018 and lets the United States enter into ‘executive agreements’ with foreign governments such as Australia to access data held by technology companies.

Governments can use the CLOUD Act as an alternative to the mutual legal assistance treaty, which currently protects the privacy of citizens. The Australian government is moving closer to agreeing to work with the US under the CLOUD Act, potentially putting the data of Australian citizens into the hands of the US government.

It’s essential for Australian citizens and organisations to understand their own rights and responsibilities when it comes to information security and privacy. There’s not much the government can do to stem the tide of phishing or other malicious attacks against Australians. However, the government could consider offering a subsidy to educate people on how to spot fraudulent emails or scams - call it cyber risk awareness training.

Australians lost almost half a billion dollars to scammers in 2018 and that number is likely to remain similar in 2019 unless significant action is taken. Cyber security technology failure makes up only about 5 per cent of the causes of breaches, and human error makes up 35 per cent, while deliberate, malicious attacks make up the remaining 65 per cent on the list of causes of data breaches.

Educating end users, perhaps starting at high school level, is crucial. Familiarising these students with the tell-tale signs of a scam today will leave them better equipped to avoid falling victim to scams when they enter the workforce.

It might also be useful for the Australian government to consider a model whereby the different security products and vendors are rated or certified. Today, when consumers and small business owners go into a shop looking for security products like firewalls and routers, they’re not necessarily sure what they need or which products will suit their requirements; the marketing jargon and technical descriptions are confusing enough to make anyone lose their mind. So maybe a government seal of approval to confirm that certain products perform according to the vendor’s promise could go a long way towards dispelling that confusion.

Currently there aren’t enough checks and balances for consumers or organisations implementing security. With no one monitoring the efficacy of security products, it’s often not until a breach occurs that anyone realises there is a problem. The average time for an Australian business to identify a data breach was 200 days in 2019, with a further 81 days required to contain the threat. (3) Then, eligible organisations have to report the breach to the OAIC and often aren’t sure how to do this, or even which breaches need to be reported.

It’s now imperative to have a plan in place for organisations to follow when there’s a cyber breach, much like it is imperative for organisations to have a disaster recovery or business continuity plan. The plan should include guidance on how to remediate the breach as well as whether to report it and, if so, how to do that.

If governments are going to become involved in cyber security through legislation such as mandatory data breach notifications, and are going to request access to information, then they should also offer support and a mechanism for businesses to be successful in their cyber security efforts.

Setting businesses up for success in mitigating cyber security risks will benefit the Australian economy as a whole, so it’s a worthwhile investment for the government.

Daniel Johns is head of services, ASI Solutions and vice chair, ANZ Channel Community, CompTIA.


Copyright © 2020 IDG Communications, Inc.
