Cyber security: more than a checked box

Agencies need to shift their mindset from seeing cyber security as a ‘checked box’ and move towards a comprehensive alignment with best-practice cyber strategy that is reviewed on a regular basis.

In recent years, there have been a high number of cyberattacks, including 67,500 incidents over the 2020-21 financial year, according to the Australian Cyber Security Centre.

That amounts to a cyber-attack every eight minutes, with more than $33 billion in self-reported financial losses in total, or roughly $90 million per day, or $62,000 per minute.

Federal and state governments have begun taking measures to counter these attacks with a range of legislation.

This rapid pace of digital acceleration can’t succeed without security and privacy capabilities to back it up, especially considering the highly sensitive data hosted by agencies.

That’s why the government has put a range of measures and policy changes in place over the last few years to inspire agencies to bolster their security capabilities.

Changing digital climate

However, this legislation is constantly being updated in response to the changing digital climate, and it can be difficult for agencies to keep up and embed the changes in active projects.

These projects can often take years to implement. It is likely that many agencies will finish what they are doing now without adapting to the new policies already in force, and push compliance out to future projects instead.

But delaying the process of ensuring cloud compliance can have consequences.

When agencies retrofit security controls long after implementation, they are left exposed to an increasingly sophisticated threat landscape and face a wealth of compliance challenges.

Cloud compliance is the act of complying with regulatory standards of cloud usage in accordance with industry guidelines and laws.

In Australia, industry groups estimate there have been over 4,500 legislative changes since 2020.

On a federal level, the biggest and most consequential change has been amendments to the Security of Critical Infrastructure (SOCI) act.

The bill was split into two distinct sections, with the first introducing a new reporting regime and expanding the definition of critical infrastructure beyond electricity, gas, water and ports.

The new definition now also includes data storage or processing, financial markets, communications, healthcare, higher education, food and grocery, transport, space technology and defence.

This amendment will mean many government agencies will now be subject to the laws for the first time.

The Department of Home Affairs has released an exposure draft of the second of the two bills, which seeks to introduce risk management programs for critical infrastructure entities and enhanced cyber security obligations.

Getting ready for SOCI

There are three steps agencies can take to prepare for SOCI.

They can begin by assessing their obligations, understanding timelines and expectations in line with their existing data and reporting practices, and then identifying gaps to build a plan for resolution.

Many agencies still wrongly view themselves as not being subject to SOCI’s obligations. Carefully assess the bill’s new definitions and how they are likely to affect you.

It is critically important that agencies quickly determine the extent of their new reporting or privacy obligations, and how long they have to change their practices.

While some agencies might find they’re already up to speed, many will fall short due to staffing or resourcing shortages.

With a variety of new and upcoming legislation, the complicated Australian compliance landscape for agencies will become more complex.

Vault Cloud recommends three ways for agencies to address this complexity, beginning with ASD’s Essential 8.

While not a legislated requirement, the Essential 8 provides a benchmark that helps agencies reduce the cost of change and a basis for compliance with constantly shifting regulatory practices.

Agencies can also develop an ‘evergreen’, forward-thinking mindset and cyber governance, risk and compliance strategy, and then lean on their vendors for help.

Bringing a provider on board could be helpful.

To manage a complex and constantly shifting compliance web, you need a partner that is based in Australia and has a detailed understanding of agency requirements.

Vault Cloud was the first, and remains the only, sovereign cloud capability designed and built to the federal government’s ISM control list, and it holds the fewest caveats against those controls.
