Australia, we need to talk about cybercrime

Zak Khan, director, advanced cyber defence at Trend Micro Australia and New Zealand

The recent announcement by the Turnbull government saw $230 million allocated to a host of policies that made up its new cyber security strategy. This is a great step forward from our tech-savvy prime minister and includes a raft of important and valuable measures. Like so many of my industry peers and colleagues who have commented following the cyber security strategy launch, I believe it’s just not enough.

Don’t get me wrong, $230 million is a lot of money, and I applaud a government willing to address the problem, look forward and take action. But $230 million over four years equates to less than $60 million per year, and when we start to look at all the actions outlined in the strategy, we start to question how they can all be funded adequately.

This is particularly so when, as the government’s strategy points out, technology-enabled business models could create up to US$625 billion in economic activity per year by 2030 in Asia Pacific, representing 12 per cent of the region’s total projected GDP.

While the digital economy promises productivity gains, jobs and wealth creation, something sinister stands in its way: security, or the lack thereof. Cybercrime, including hacking, data breaches, and ransomware, costs the global economy nearly $500 billion annually. Closer to home, cybercrime costs Australia between $1 billion and $17 billion a year, or roughly 1% of GDP. Organised crime, non-state and state actors, industrial espionage and cyber terrorism are all part of the mix; these groups aim to steal, to disrupt and to cause mayhem.

In an election year, this announcement is more about politics and drama than substance. The Department of Prime Minister and Cabinet could have looked at a rising scale of funding to match the increase in attacks we are seeing. Perhaps challenging the private sector to match funding dollar for dollar and providing tax breaks for this would put some more money behind the initiative.

Build the future of cyber defence

The government pointed out one of the major challenges facing cyber security in Australia: our critical shortage of skilled cyber security professionals. Key to this is tertiary education, as mentioned in the cyber security strategy. The aim is ambitious but the tools outlined lack detail, and more can be done. We need to build a nation of people who are educated about cybercrime and can join the fight against it.

Funding this skills shortage through tax breaks or subsidised fees for appropriate training and tertiary education would propel a larger pool of qualified personnel to help with the problem.

Promote awareness

Awareness is one of the most important factors in preparing and adequately arming our businesses and consumers against cybercrime. Cyber defence can no longer solely remain the realm of the security or IT teams – it requires education, knowledge and awareness amongst all staff and all consumers on how to keep themselves safe.

The cyber security strategy outlined the need for awareness and education initiatives and campaigns, which is terrific, but again we can and should do so much more. We need financial and criminal penalties for senior management ignoring the problem.

Make it law

A cyber security strategy is nothing without data breach notification laws. Data breaches continue to affect every industry and businesses of every size. We need real action on the long-proposed mandatory data breach notification laws. Data breaches and cyberattacks need to be made public, not simply to ‘name and shame’ but for the benefit of us all, so we can all learn from them.

Without notification laws, no company will freely admit to breaches. This is the biggest hurdle; if we aren’t going to talk about data breaches and cyberattacks, the business community is not going to understand it. Reporting and discussing data breaches will allow the industry as a whole to better discuss and educate. Take ransomware as an example; this is a challenge that has been widely discussed and analysed in public so we’re all more aware and able to tackle the problem.

Bringing notification into law could mean that those coming out and confirming data breaches against them could get advice and protection. Those not disclosing could be fined. Unless we bring stronger laws in place forcing the acceptance that cyber security is a problem, we can’t expect to address it.

Review. Every year.

The cyber security landscape is changing dramatically every year. Cyber criminals and the tools that they use are evolving, adapting and becoming increasingly sophisticated. For this reason, a strategy for today is going to have little relevance in four years’ time. We need to review this every year. We need to identify and analyse the threats and put in place strategies that will help defend against them for the year ahead.

As the government points out in its cyber security strategy, all of us—governments, businesses, communities and individuals—need to tackle cyber security threats to make the most of online opportunities. Ultimately, though, the government holds the central responsibility for cyber security policy.

I applaud Mr Turnbull’s initiative and foresight. The cyber security strategy is a good mix of actions comprising public-private cyber security partnerships, intelligence sharing and innovation. Yet we are up against a multi-billion dollar enemy that grows stronger by the day. More resources, and pointedly a change in attitude at both the government and private sector levels, are needed to reverse this malaise.

Zak Khan is the director of custom cyber defence at Trend Micro Australia and New Zealand. www.TrendMicro.com.au
