Handle with Care — Could Data become the new Asbestos?

27 November 2023

Under the Federal Government’s long-awaited Cyber Security Strategy, released this week, business leaders must now consider how excessive data hoarding might expose them to risk, alongside a raft of other cybersecurity obligations designed to improve Australia’s readiness, response and resilience capabilities.

Customer data has long been considered the new oil for companies to collect, hoard and make money from. But if it is not handled with proper care, data could well become the ‘new asbestos’. Hoarded, ungoverned and unprotected data poses a significant hidden risk if it is lost, stolen or exposed in a cyber attack. As such, businesses are now being put on notice to better assess their data governance and manage the full data lifecycle. Business reputation is increasingly about responsible data management and protection. Executives must ask themselves key questions about data storage, accessibility, how long data is being held for, data protection measures, and finally, how data is being destroyed.

The Cyber Strategy will force businesses to report when they have experienced a data hack and will create a special board to learn lessons from major attacks. Businesses will also face future rules limiting hoarding of customer information, with a review to consider any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary.

Australia is among the most attacked of developed nations, targeted by organised cyber criminals and nation-state actors alike. This is because the more digitally dependent our nation becomes, the more at risk we are. Cyber security has become a strategic priority for Australia’s overall national security. With the release of the Federal Government’s 2023-2030 Cyber Security Strategy this week, which aims to make Australia the most cyber-secure nation in the world by 2030, it’s vital that we see leaders at all levels step up and collaborate to deliver on this aim.


Facing cyber threats on the frontline

As a leading cybersecurity advisory and incident response practice, we experience these challenges on the frontline through our clients and external partners. In the recent McGrathNicol Ransomware Report released in November 2023, we found that many organisations are now factoring in ransomware payments as a cost of doing business. The average ransom payment made by Australian businesses with more than 50 employees has also reached more than $1 million.

It is vital that Australia’s new cyber strategy is effective, contains practical help, and seeks to make a tangible difference. Collaboration between Government and businesses to build resilience is as essential as collaboration with our international partners to increase technical threat intelligence and prevent attacks.

The Federal Government’s 2023-2030 Cyber Security Strategy is designed to enhance and harmonise regulatory frameworks, secure government systems, strengthen Australia’s cybersecurity workforce and skills pipeline, build sovereign capabilities to tackle cyber threats and manage emerging threats, increase whole-of-nation cybersecurity efforts to protect Australians and the economy, and ensure critical infrastructure and government systems are resilient and cyber-secure.

The overall strategy builds upon the ‘six shields’ concept announced by Minister for Cyber Security and Home Affairs, Clare O’Neil, in October 2023. These shields encompass: an informed citizenry and business sector; safe technology; world-class threat sharing; reliable critical infrastructure; sovereign capability; and a resilient region. Alignment with partners and countries in the APAC region will be vital to achieving these objectives.

No single shield on its own, however, will protect Australia from cyber crime. It will take a comprehensive, collaborative approach over time to create impact.


Greater collaboration is needed

We welcome this new strategic direction as an important step on the road towards making Australia the most cyber-secure nation by 2030. It aligns with how we, at McGrathNicol, continue to help our clients achieve their aims of being ready, responsive and resilient in the face of increasing cyber threats. The government can make a real difference by investing in the development of the cyber security workforce, building out our critical infrastructure, and setting the right expectations, as well as making new funding available where it is most needed.

The new Cyber Security Strategy’s $18.2 million funding initiatives for SMEs to prepare for, respond to and recover from cyberattacks are a welcome start. Further, $7.2 million has been earmarked for free and voluntary cyber maturity assessments, as well as $11 million for a cyber attack recovery service. These are all positive investments; however, more funds will be needed in these areas to tackle the scale of cyber threats and the growing financial damage to SMEs. By the ACSC’s own assessment, the average financial impact of a cyber incident on a medium-sized business is approaching $100,000.

The government’s role is to provide support and guidance to businesses, but ultimately, it is up to businesses to make appropriate investments and implement cybersecurity measures appropriate to their needs. Business leaders must engage and take greater responsibility for their own cybersecurity postures, investing in robust cybersecurity measures to protect data against cyber threats.

The Australian 2023-2030 Cyber Security Strategy involves a comprehensive approach that will protect Australians from cyber threats and help us to become the world’s most cyber-secure nation by 2030. A concerted effort across government, industry, and the community is now needed to make these goals a reality.