Australian businesses could be made to meet minimum cybersecurity requirements and face tougher penalties for cyber attacks under new rules proposed by a government discussion paper – and it’s not a moment too soon.
Home Affairs Minister Karen Andrews unveiled the discussion paper, Strengthening Australia’s cyber security regulations and incentives, earlier this week. The paper reveals the government is considering a number of cybersecurity-focused reforms to help deliver on last year’s Cyber Security Strategy.
“We cannot allow [cyber] criminal activity to become a significant handbrake on our economic growth and digital security,” Ms Andrews said.
“I want to make sure Australian businesses – big and small – are secure, and consumers are protected.”
The paper is focused on incentivising Australian businesses to invest in cybersecurity, and reveals the government is considering making company directors personally responsible for cyber attacks, in the same way that they can be held personally liable for breaches of workplace health and safety.
“It is widely accepted that cyber security risks are an increasingly important set of risks that most large businesses, including those established in the corporate form, need to oversee and manage,” the paper reads.
“However, there is no explicit requirement that cyber security forms part of many existing obligations, including those applicable to directors.”
The paper flags the introduction of clear minimum expectations on businesses to manage cybersecurity risks, and proposes legal remedies for consumers when businesses fall victim to cyber attacks.
The paper also raises the possibility of a cybersecurity code being added to the Privacy Act, and the introduction of mandatory expiry dates for Internet of Things devices.
The paper says both mandatory and voluntary requirements are being considered, and flags that while a mandatory standard may be “too costly and onerous” for businesses, a voluntary system could lead to lower compliance.
Even a voluntary approach would see new cybersecurity standards written into the ASX’s corporate governance rules and practices, so companies that chose not to adopt them would be forced to explain why to their shareholders.
The cost of cybercrime
The discussion paper was revealed on the same day as a new Australian Institute of Criminology report that estimated the total annual economic impact of cybercrime in Australia at $3.5 billion, including $1.9 billion lost by individual victims.
The report follows a string of ransomware attacks on high-profile Australian businesses over the last 18 months, including Nine Entertainment, Toll Holdings, BlueScope Steel, and Lion Dairy and Drinks.
Cryptoloc founder Jamie Wilson says this trend will continue without government intervention, and welcomes the introduction of new technical standards – including a requirement for multi-factor authentication – to help protect Australians’ data.
“I believe businesses have a moral obligation to protect their customers’ data,” he says, “but the reality is that, left to their own devices, most executives aren’t going to take cybercrime seriously until they fall victim to a catastrophic attack and their data is compromised. That’s when they’ll turn around and say, ‘We’ve got to do something because it’s happened now and it will happen again’.
“That’s too late and it’s not good enough. We can’t wait for attacks to happen. We have to get on the front foot and treat cybersecurity the same way we treat workplace health and safety. There was a time not that long ago when many businesses took a laissez-faire approach to health and safety, and now it’s everyone’s number one priority, because they have to comply with strict legal obligations.
“We need to see these types of expectations being applied to cyber security. It needs to be a basic policy, for instance, for businesses to start securely encrypting their data, and this needs to be driven from the top down. We need to see the government putting forward cyber practices and policies to protect people – because we can’t wait for businesses to police themselves.
“At the same time, there’s a need for the government to educate businesses and the general public alike about the impact of cybercrime, to illustrate why these measures are necessary.
“My advice to business owners is that you shouldn’t wait until these new rules are introduced to start taking cybersecurity seriously and putting procedures in place to reduce your exposure. You need to start educating your employees now about the importance of timely patching for all of your organisation’s software and devices, and you need to be securely encrypting your data, so you can have complete control over who has access to your information and your customers’ information.
“My company, Cryptoloc, has developed the world’s safest cybersecurity platform by combining three different encryption algorithms into one unique multilayer process, with each piece of data assigned its own separate audit trail – and in today’s landscape, that’s the level of protection required to prevent hackers from exploiting vulnerabilities.”
The new cybersecurity standards will be co-designed with industry. Submissions on the discussion paper are being accepted until 27 August 2021.