Gov't cybersecurity policy a good start but private-sector engagement is key: industry

Information-security specialists and business advisors have responded warmly to the federal government's new Cyber Security Strategy but warn that the policy framework has now shifted the onus to private-sector companies to deliver on its potential.

Response to the five-pronged policy – which was launched yesterday and previewed in a speech last week by Department of the Prime Minister and Cabinet first assistant secretary of cyber policy and intelligence Lynwen Connick – reflected the enthusiasm of an industry that has been waiting eagerly for months for the long-delayed strategy declaration, which updates the previous Cyber Security Strategy authored in 2009.

The new policy “tells us the Australian government is getting very serious about cyber security, meaning organisations operating in Australia are going to need to follow suit,” Liam Rowland, APJ head of incident response and forensics with Dell SecureWorks, said in a statement.

“Australia's attitude to security, as a whole, is evolving and it is critical anyone that operates in Australia evolves with it.”

“Estimating what a breach might cost today can help a company better develop a plan for the day when an event does occur. Determining potential losses can highlight key areas of opportunity for enhancing security strategy, focusing budget and resources on the right vulnerabilities, and preparing the company to respond quickly and resolve a breach more effectively.”

The admission by prime minister Malcolm Turnbull that the Bureau of Meteorology was indeed breached in an attack late last year marks a “welcome change to the usual veil of secrecy around breaches of government networks,” said Rob Collins, APAC technical director with WatchGuard Technologies.

“Acknowledging that cyber security is a problem for Australia won’t come as a surprise for the many businesses that have been struck by ransomware and financial fraud attacks that have really ramped up in the last 18 months.... IT security professionals understand that cyber warfare can be just as dangerous as a real war, with power stations, water treatment facilities and uranium purification processes all vulnerable to attack.”

The new document's more proactive approach to cybersecurity is reflected in its promotion of business opportunities around security in line with the Turnbull government's National Innovation and Science Agenda (NISA).

Launched late in 2015, NISA included $30m for the establishment of the Cyber Security Growth Centre and $26m for the commercialisation of Australia's world-leading quantum-computing research.

CSIRO subsidiary Data61, which also works extensively in security-related areas, will receive $75m in funding through 2019.

ISACA international vice president Garry Barnes said the focus on public-private partnerships (PPP) reflected growing recognition of the need for the government to tap into private-sector security capabilities, which would also benefit from prioritisation of cybersecurity issues at the highest levels of government.

The long-term success of the policy would require enthusiastic involvement from both public and private sectors, Barnes said – and this would necessarily involve give and take on both sides.

“Business and private industry groups need to have a commitment to this to achieve longer-term goals,” he told CSO Australia, “and ISACA has supported where the Australian government is heading with this strategy.” Threat-intelligence sharing, a key plank of the policy, is “excellent and helps build an awareness of what the threats are,” Barnes said while noting that many businesses were still coming to grips with the full implications of more-extensive threat information sharing.

“Part of PPP has to be about threat intelligence and information sharing,” he continued, “but some organisations have been reluctant to share that and I understand their concerns too. We need to have businesses onboard and [getting support for] threat sharing is about trying to build the right framework and processes so that organisations have comfort in what they're sharing in these partnerships is used for the benefit of all.”

There were other concerns, too, around the increasing efforts of governments worldwide to bolster their investigatory capabilities by circumventing privacy protections.

“While business is very interested in supporting development of good practice, surveys of our members show they are also concerned about government backdoor access into encrypted information systems. There will need to be a dialogue around those sorts of things.”

Business-advisory firm Grant Thornton Australia was bullish on the policy's potential to improve cyber defences amongst mid-sized business – a segment that technology advisory partner Matthew Green said in a statement “often finds cyber security challenging and overly complex, leaving it overexposed and prone to attack.... This policy is best placed to position Australia to deal with persistent and increasingly sophisticated cyber-attacks.”

Green noted “positive outcomes” including the grants available under the policy to help mid-sized businesses access cybersecurity experts, increased awareness of cybersecurity, facilitation of trust between larger and smaller businesses, and the ability for mid-sized businesses to be “viewed as increasingly trustworthy partners in the global marketplace, and... to match international security standards.”
