Working alongside the Prime Minister’s special adviser for all things cyber gives Jacob Boyle a unique perspective on the government’s role in securing the country – not just with all the services offered by government but also in working with businesses and the security industry.
During the Emerging Cyber Threats Summit held in Sydney during June 2017, Boyle discussed where the country is at in protecting itself from emerging threats and how work on implementing the fully-costed cybersecurity strategy is progressing.
The strategy, costed at over $200M consists of 33 initiatives. Boyle said a recent review found that work on six of the initiatives has been completed with “pretty good progress” made against a further 11.
“Each of these initiatives will help to foster and enhance security culture across Australia as well as foster digital investment to harness the economic and social innovation that this space will bring,” added Boyle.
By working with industry, businesses and vendors across the entire information security gamut, Boyle says the team he is in looks at what is working, what isn’t working and puts their effort where it is needed. For example, as part of the assessment of the national cybersecurity strategy it was recognised that more needs to be done to get small to medium businesses engaged – a theme that was reiterated several times during the summit.
Other areas Boyle said required further attention were understanding the vulnerabilities within our critical infrastructure and communicating who does what in government when it comes to implementing the strategy.
One of the big trends Boyle identified was the increasing use of mobile data by individuals and businesses. Data he presented showed that we used over seven exabytes of data last year – if every word ever spoken by humans was stored it would only take up five exabytes.
And while this highlights our increasing use of data, it also represents a growing threat surface that can be exploited. For businesses, it represents both an opportunity and a risk. And as well as being a board issue in business, it is also on the Prime Minister’s agenda with several senior bureaucratic appointments and the establishment of the ACSC.
Although the review of the cyber security policy found SMBs aren’t yet getting the message, an audit of the hundred largest businesses on the ASX has been completed to establish a benchmark for cybersecurity preparedness.
The review of the strategy has identified changes in nature of the threats facing Australian businesses. Ransomware, credential harvesting, spear-phishing, attacks on managed service providers and interference in political processes have all emerged as rising threats. DDoS attacks using IoT devices was also noted.
One of the areas Boyle said needed further attention was the development of a cybersecurity culture.
“We need the Australian public and private sectors to move beyond a tickbox compliance culture when considering cybersecurity risks. This was highlighted in the review of the eCensus failings last year. Organisations focussed on complying with just audits and following safety checklists could harm their security by ignoring evolving cyber-threats,” he said. “We need to focus on understanding our own organisational risks”
Boyle also noted that resilience is under-considered. While we can take all possible steps to reduce the risk of an attack we need to be ready for a breach or incident to occur and have a plan in place to react accordingly.
From the government’s side, a number of communication efforts have been initiated and continue. The ASCS is relocating from the Ben Chifley Building in Canberra’s parliamentary district to Brindabella to make it more accessible to private companies and citizens. And a new cybersecurity centre has opened in Brisbane with other cities to follow. This will be a place for cybersecurity experts, businesses and law enforcement to work together.