Following a string of high-profile data breaches, security is back on the national agenda. And while it has long been a priority for DSPs, it's evident more needs to be done by both businesses and government to safeguard sensitive data.
Data breaches are not new to Australia, but Medibank and Optus brought the issues back into the limelight. Both breaches saw highly sensitive information not just breached but also traded online, and resulted in thousands of Australians needing to replace their IDs - including driver's licences and, in some cases, passports.
This renewed public focus is something we haven't seen in recent years, in part due to an already overloaded news agenda; the pandemic and other world events left little room for other topics.
In fact, there's been little action on cybersecurity since the Morrison Government's Cybersecurity Strategy. This was predicated on large enterprises being responsible for the security of their supply chains and, by proxy, for the small businesses within them. But this approach ignored the different security needs of small businesses.
Now, as the conversations around security surge, some may think back to five years ago when the Equifax breach spurred international conversation on the need for increased security. Australia's Notifiable Data Breach (NDB) legislation came into effect at a similar time and has been in place since. What has changed since then?
While the recent public attention may make it seem as though there's been a sudden increase in the rates of cybercrime and data breaches, that's not necessarily true - what there is, however, is increased focus from government, media and the general public on the topic.
This is partially because breaches are now being reported under the NDB scheme. The scheme received 853 notifications last financial year, many of which would otherwise have gone unnoticed. But given at least 12 million Australians have had their data exposed recently, and sensitive details like myGov logins are being sold on the dark web for as little as USD$1, there is undoubtedly cause for concern.
At DSPANZ, we have long advocated for simplified security reporting guidelines and government policy to make it easier for Australian businesses to protect themselves and their data. We spoke to Ian Gibson, chair of DSPANZ's security committee, about the current state of cybersecurity in A-NZ, the challenges we face and what can be done to improve it.
Security is often seen as a tick-box or compliance exercise. For many businesses, implementing security measures usually follows a tender process or is done to meet government requirements, such as the ATO's Operational Security Framework for those working with the ATO. This has many organisations simply doing the bare minimum - and not approaching security proactively.
This isn't always for a lack of trying, though. Many organisations struggle to do more than the bare minimum because there's so much complexity and confusion around what they should be doing. If no one can clearly say what they need to do, it's easier to wait for those guidelines and tenders. Small businesses want to do the right thing, but it's hard for them without proper guidance.
This is why we need a shift away from compliance to make security embedded in how we do business; the challenge is there hasn't been a burning platform for this, as the risk to organisations has been minimal. Hopefully the increased national attention, and potentially the recent increase in data breach penalties, will change this.
Some mistakenly believe cyber insurance is the solution. But its cost is going up and its effectiveness going down, as there's no consistency. For example, cyber insurance won't cover incidents if your patches aren't up to date - but many incidents wouldn't happen if the systems were patched to begin with!
That's why we need to get the basics right. Equifax was caused by a basic patch failure, despite having processes in place; this led to 163 million records being breached. In many cases it's these basics, whether around patching, passwords or encryption, that cause cracks to appear. Often this is due to user error and the simple reality that humans don't always do things right. This is why it's all the more important to factor it into how you address the fundamentals.
The government's Essential Eight guidelines started off as a few simple guidelines that recognised the need to cover these basics - the Fab Four. It's now skyrocketed to 97 controls, which is a huge amount to be across. If we got the security foundations right, a lot of problems would go away or at least be more easily managed.
You mentioned security standards - do these need to be improved?
Security standards are an important tool to help DSPs and other Australian businesses manage security. However, there's currently too much variation in the standards which makes it difficult for businesses to stay on top of them all.
There's ISO 27001; IRAP, NIST, and GDPR overseas; plus the ATO guidelines if you work with them. All of this adds to the complexity and distracts people from doing progressive work.
Reducing this complexity has been a focus of DSPANZ for some time. We want to see these standards streamlined so it's simpler for smaller DSPs and businesses to meet guidelines.
The recent 2022 update to ISO 27001 was encouraging. It provides detailed information on implementing the security controls, brings the standards up to date with modern risks and deployments (like cloud, privacy and threats) and is aligned to NIST - making it easier for organisations already using NIST controls.
There could be big changes coming next year. Australia's Data Privacy Act is under review and the outcome could have a major impact for businesses large and small. Currently, companies with turnover of less than $3 million annually are exempt from the regulations; if this is removed it could completely change how small businesses need to manage security. What's important here is to implement this in a sensible way that makes it practical for them to comply.
You mentioned smaller DSPs and businesses - what are some of the challenges they face around security?
It's unlikely small businesses would have a person or team dedicated to cybersecurity, since they operate with a much smaller team; many outsource management of this to an MSP or consultant. Fewer resources always makes it trickier, especially given the time needed to stay on top of varying standards and tender requests.
Small businesses that work with larger enterprises also have to meet their security standards, which can be complex and differ from business to business. All of this can be extremely costly.
Meanwhile, large organisations have their own challenges too. They often deal with huge volumes of data and are more likely to be targeted by hackers, but also face skills shortages and difficulties getting talent as they have larger teams.
The skills gap is a huge problem across the board, and an ongoing one. Cybersecurity was identified by the National Skills Commission as the leading in-demand digital skill via job advertisement data, and this will likely grow given the Australian government and industry set the ambitious goal of 1.2 million tech jobs by 2030. The education initiatives already in place are a step in the right direction, but more is needed to support the development of local tech talent.
So, what steps are needed to improve security?
It's not a simple fix. There are challenges on all sides - small organisations, large businesses, government and end users. We need to strike an appropriate balance where there is good security uplift but the burden isn't entirely put on individual businesses. There are three changes that could have an impact:
- The first way is to have more alignment across security standards. There has been progress towards this with ISO 27001, but there is much more that can be done. Some have discussed having a security framework that applies to all Australian businesses, which could be a solution as a baseline. We anticipate updates to the Australian Privacy Act and look forward to contributing to making it an effective policy for DSPs.
- Secondly, the creation of a trusted, low cost digital identity. This would have a big impact and remove the need for data collection of things like passports and Medicare details. It would mean every time a business interacts with an individual it's verified - much like logging on via Google.
- And finally, increased support for the basics. This is where most are still falling short. Things like multi-factor authentication, whilst not foolproof, can make a big difference, as well as patching, encryption and testing your backups.
Human nature is always going to be a factor. We make trade-offs and calculate risk in different ways. Ultimately, simplifying our approach and factoring in this human element is needed and can go a long way.
DSPANZ has contributed to a number of submissions on security and advocates for the creation of improved standards, like the Essential Eight for macOS. We refresh membership of our security standards member committee each year and invite members to apply.
A special thank you to Kelly Newton for preparing and writing this article.