In a global environment of increasingly damaging cyber-attacks, causing public fatigue and national efforts to regulate and control cyber and data security, Australia has witnessed a perfect storm of attacks, public lawsuits, and regulatory overhauls. By looking at what is happening in Australia, businesses around the world can gain critical insight into the converging, complex challenges which are increasingly posed by the cybersecurity threat landscape, and how they can best prepare to identify, predict and mitigate diverse risks which attacks trigger.
Organisations worldwide are likelier than ever to be subjected to a cyber-attack
Rapid digitalisation of society, economy and services globally has driven the uptake of technology to new highs and deepened our dependency on IT-driven solutions to everyday issues. At the same time, threat actors such as cyber criminals have continued to innovate new attack methods, vectors and strategies, from abusing novel, “zero day” vulnerabilities in common software, to utilising AI to write social engineering lures.
This increased adoption of technology by all parties exposes every organisation to more potential avenues of security compromise, with threat researchers claiming an 81% increase in known cybersecurity incidents occurring in Australia from July 2021 to July 2022. Furthermore, no organisation is safe: Control Risks’ Threat Intelligence team identified significant cyber attacks across at least eleven sectors and services in Australia during the calendar year 2022, with the financial sector, government, and IT and telecommunications being the most frequently targeted, but with significant attacks also impacting defence, energy, manufacturing and logistics.
Hacked: a growing blast radius
As cyber-attacks occur with increasing frequency, the challenges they pose to an organisation’s short-term function and long-term success appear to be greater than ever. No longer limited to technical disruption and user inconvenience, cyber incidents nowadays can trigger a cascade of complex, highly impactful requirements of business leaders, in order to respond to financial, operational, reputational, legal, ethical and safety concerns.
Recent, visible demonstrations of the complex web a cyber incident can weave include large-scale data breaches at private health insurer Medibank and telecommunications carrier Optus, impacting the personal information of millions of Australian citizens and residents.
The Australian Cyber Security Centre’s 2022 Annual Cyber Threat Report reflected the increasing impact of cyber-attacks, with 15% of all reported incidents falling in the top half of its severity classification matrix, up from 6% the year prior. Control Risks researchers predict this trend will not slow in 2023, as actors continue to share tools, improve their technical abilities and develop extortive and malicious attack techniques in order to maximise the scope, severity and monetary gain of their intrusions.
Business leaders must approach cybersecurity risk not as a technical problem, to be reactively handled only when it is already a crisis. It is no longer enough simply to fix a compromised device and get back to business as usual. Instead, organisations should proactively anticipate, manage and prepare for the realisation of high-impact cybersecurity risks which pose legal, reputational, operational, ethical and financial quandaries. This initiative requires collaboration across governance, compliance and operational functions and often raises challenges at the highest levels of executive management.
Commercial, public, and reputational challenges
Businesses worldwide have found themselves subject to increased contractual burdens relating to potential and successful cybersecurity incidents, which can include: prompt disclosure of an incident to clients, partners and other third parties; information sharing relating to the incident; and a commitment to specific risk mitigation and remediation actions which may impact, compromise or contradict the victim’s own strategic aims.
At the same time, increasing public awareness of and concern regarding cybersecurity incidents – most recently prompted in Australia by Medibank and Optus – has driven media interest and social commentary on how seriously large organisations approach the security of their public operations and consumer data. The media’s tone in Australia is sharpening, reflecting increasing public outcry at these public, damaging, messy incidents, and creating thorny questions for a victim organisation’s communications teams. It is highly likely that similar stories globally will also prompt damning coverage.
These public, externally driven, uncontrollable drivers can significantly challenge and even derail the incident response and crisis management process of an unprepared organisation.
Legal, regulatory and contractual challenges
Protecting Individuals
In an unsurprising development following the Optus and Medibank breaches, law firms in Australia, including Maurice Blackburn and Baker & McKenzie, have publicly launched or threatened class action lawsuits on behalf of individuals whose data was compromised by the attacks. While class action lawsuits are often observed in parallel with public data breaches, authorities in Canberra are demonstrating increased public concern as to the nationwide impacts of cybersecurity incidents, and will continue to mandate new, critical regulatory requirements for organisations to adopt in response.
Firstly, personal data protection legislation in the country has already been strengthened in the last months of 2022, raising the stakes for organisations facing or about to face data breaches and compliance issues. Personal data protection requirements are set to further increase in the coming years – following the Attorney-General’s review of the Privacy Act 1988, the AG has confirmed that far stronger controls, influenced by the EU’s General Data Protection Regulation (GDPR), are set to enter Australian law. It is likely that these coming controls will reach beyond post-breach and enforcement actions to legislate broader changes around organisations’ collection, retention, handling, and destruction of personal data, prompting businesses operating in Australia to review in detail their governance, compliance, and operational controls covering personal data.
Similar government commitments to and enforcement of increased regulatory control of personal data have been reported on by our analysts in, among others, India, Vietnam, the United States, China, and the Republic of Korea. It is highly likely that the regulatory bar globally will be raised with respect to personal data over the coming months and years.
Protecting National Security
Personal data protection is not the only developing story for Australian organisations attempting to manage compliance. Amendments to the Security of Critical Infrastructure Act 2018 (the “SOCI Act”) have introduced new legal controls relating to the cybersecurity management and incident management of assets designated as “critical infrastructure”. The list of potential and actual assets regulated by the law continues to grow, which we assess adds significantly to businesses’ current and imminent obligations regarding the security of their systems and the response plans which cover them.
More broadly, in the wake of the Optus and Medibank breaches, the Australian government has committed to overhauling the 2020 cybersecurity strategy developed by the previous administration with a new 2023-2030 strategy, to be led by industry experts. Clare O’Neil, current Home Affairs and Cyber Security Minister, has emphasised her commitment to make Australia “the world’s most cybersecure nation by 2030”. Privacy and security laws, current, future, and yet to be developed, will continue to increase both proactive and reactive security and breach requirements for a growing list of private and public industries across Australia.
This initiative reflects efforts by authorities globally to improve protections and oversight of nationally significant and/or critical resources in cyberspace. China’s Cybersecurity Law (CSL), Thailand’s Cyber Security Bill, Zimbabwe’s Cyber Bill, and the piecemeal, sector-focused but increasing requirements passed by authorities in the US and UK, all covered by our experts at the time of their announcement, contribute to an increasingly complex global picture for organisations attempting to maintain compliant, efficient, innovative data and technology-aided operations, including in the face of growing cybersecurity threats.
So how can businesses prepare?
Organisations must understand and prepare for emerging, complex risks to their assets, arising both through advancing threat actor capabilities as well as through the corresponding efforts of authorities and businesses to respond to those threats.
A successful approach requires, for some organisations, a change of perspective: cybersecurity risk management is not a technical issue to react to once it has become a business crisis, but rather an essential part of good corporate governance which can be proactively anticipated and controlled.
Governance, compliance, and operational functions all have a part to play in managing cybersecurity risk and preparing for cybersecurity incidents.
1. Understand your current legal obligations; monitor for inevitable updates.
- Evaluate the regulatory risk landscape in your region.
- Get the deep-dive on the countries, sectors and services you operate in.
- Identify compliance gaps and design a comprehensive, effective roadmap to remediation.
2. Identify and document your risks; set direction with confidence.
- Seek expert advice on the design, build and implementation of cyber and digital transformation strategies.
- Conduct threat-led risk assessments taking an all-hazards approach to get the best visibility of your security.
- Conduct appropriate, thorough due diligence across third parties, acquisitions, and your supply chain.
- Benefit from best-in-class threat assessments and support to identify tactical and strategic cyber threats to your assets and people.
3. Develop and improve organisational resilience and planning for attempted and successful cybersecurity incidents.
- Conduct periodic, thorough and challenging crisis management exercising and training initiatives.
- Conduct regular, targeted, specific red-team assessments and comprehensive penetration testing.
- Ready the troops – prepare your crisis management, insurance, legal, forensics and extortion advisers for quick, integrated, effective activation for when the worst happens.
All mentions of our experts, analysts and assessments refer to published Seerist articles, accessible to our subscribers.