Release of the Australian Cyber Security Strategy

22 April 2016

Australia’s Cyber Security Strategy a warning beacon for businesses of all sizes and sectors  

Today’s release of Australia’s Cyber Security Strategy by the Federal Government is an important step forward in determining the best approach to enhancing our nation’s cyber resilience.

The Strategy’s success will be determined by the ability of government and industry to effectively collaborate on the issues that matter. This concept is something I’ve discussed previously, albeit in relation to the Queensland Government’s Cyber Security Unit, but as far as I’m concerned, the principle is the cornerstone of cyber security best practice, regardless of the context.

Key to enabling this collaboration is recognition that cyber security is not just an IT issue, but rather a business issue that requires ownership by the C-suite and understanding by all departments. Government is setting an example and has indicated it will designate a Minister to focus on cyber security and appoint a Special Advisor on cyber security for the Prime Minister. It will be important for industry to take a similar approach and have someone on the C-suite team dedicated to cyber security, who can provide regular briefings to management and the Board on cyber security.

Industry collaboration will underpin success

While the Federal Government has taken a significant step in releasing its plan to mitigate cyber risks, it’s now time for each and every business to step up and play its own role in fighting cyber crime. The Strategy calls out that both industry and government need to better educate and empower their employees to be smarter online.

Cyber safety is not a competition, and the Strategy’s focus on collaboration – between government and industry as well as between organisations – is the correct one. The Strategy calls for closer collaboration and joint cyber exercises to be better prepared for cyber-attacks. Industry players of all types and sizes should be working together and pooling their knowledge and resources in order to defend their organisations, employees and customers against cyber criminals.

Voluntary governance health checks – SMEs should do them too

The Strategy’s recommendation of voluntary governance health checks for ASX 100 organisations certainly highlights the particular risks faced by these high-profile organisations. However, private, small and mid-sized companies make up the vast majority of the business community and can be just as vulnerable to cyber-attack, especially those with an online presence and less mature IT security measures in place.

I urge all businesses, including SMEs, to undertake some level of self-assessment on a regular basis in order to understand their cyber risk exposure and their ability to respond to and recover from a cyber incident. While there are certainly technical mitigation strategies to address, again this is not just an IT issue, but a core component of business strategy. BDO’s own cyber security checklist, for example, outlines the importance of integrating cyber as part of strategic planning, new market entry and corporate risk management.

Public-private sector threat information sharing

To defend against cyber criminals, it’s imperative that all businesses work together to share information about cyber threats and the steps taken to defend against these.

Currently, the most significant barrier to sharing threat information is the lack of a coordinated forum through which to do so, and of the ability to contextualise it into real and actionable threat information. Banking organisations have demonstrated that sharing their cyber threat information and lessons learned is the best way to help the entire financial sector become more cyber resilient. AusCERT, a not-for-profit, member-based organisation, Telstra and various other technology vendors have developed the capability to provide their members and customers with threat information.

Government’s call for public-private sector threat centres is a positive first step towards sharing timely and actionable cyber threat information.

Boosting skills and education

The Federal Government’s commitment to increasing the number of its own cyber security specialists is another positive example for industry. Education and training, of both current and future employees, will be one of Australia’s most important defences against cyber criminals.

To ensure we get it right, industry should be taking a much larger role in collaborating with academia, to advise on cyber strategy skills gaps and inform the curriculum across both IT and general business courses. Businesses should also be looking at ways to provide students with opportunities for industry involvement in order to provide real-life work experience, and to increasingly incorporate those with cyber skills into the workplace. As a professional services firm, for example, BDO is always looking to bring in graduates with a variety of new skills in order to boost its capabilities in emerging focus areas.

I welcome your views on Australia’s Cyber Security Strategy and how your organisation will respond. If you have any questions about improving the cyber resilience of your business, please connect with me.

You can view the Strategy online.