Australian Cyber Security 2023-2030: Key Actions And Takeaways
The recent release of the 2023-2030 Australian Cyber Security Strategy outlines the government’s strategic vision and objectives for bolstering cyber outcomes, and rightfully so. But what can organisations take away from this strategy to help themselves?
Share This Article:
This blog article breaks down the strategy and provides an analysis to derive the prioritised challenges and best ‘bang for buck’ management. This is contextualised for general actionable plans for organisations.
Why do this? After all, to create a strategy, analysis of the starting point and prioritisation for the endpoint (in this case resilient cyber environment) needs to be undertaken. The Australian Government with its significant investment on thousands of highly trained and skilled professionals and access to a global network of intelligence, is very well placed to determine what the current cyber environment looks like and what works should be prioritised to get to a resilient cyber environment. A bit like ‘reverse engineering’ the National strategy to then come up with an organisational plan to fit the Australian environment and context.
The Strategy lists 6 ‘Cyber Shields’ priorities from a National Security perspective:
- Strong cyber resilience for businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
If we look across these ‘shields’ as common themes, the following stand out as aspects that businesses can action now:
Accurate understanding of targets of protection and ‘make or break’ assets
The Strategy aims to strengthen and provide capabilities to assist small-medium businesses and citizens, indicating that assessments have identified this sector as the most vulnerable within Australian society. In today’s interconnected landscape where technology has interlinked vast numbers of people and entities, everyone is considered ‘fair game’ by malicious actors seeking to exploit vulnerabilities. Highlighting this as the first shield underscores the significant threat to these groups and their current state of vulnerability.
A prerequisite for protection is to understand what it is that needs to be protected – distinguishing what is important and what is not. This may seem logical, but the speed and complexity of technology create intricate links and reliance between assets that previously haven’t been considered. With the speed and spread of malicious activities, the ability to prioritise defence and response is essential. Organisations must actively and consciously examine and form an understanding of their assets, priorities, and interlinks/reliance. This encompasses data, services, and reputation.
Data
- Call to action (CTA): understand and make records about important data; where it is, what the thresholds of acceptable unavailability and thresholds of integrity are required. Consider seemingly unimportant data that, if missing or tampered with, could have flow-on effects.
Services
- CTA: similar to data interlink, all organisations use services to function. Include services that are seemingly non-critical, but in combination with others, could form a critical mass impacting business operations.
Reputation
- CTA: understand and document aspects that impact the organisation’s reputation. This includes the primary consumer groups and their thresholds of acceptable behaviours of the organisation, any regulatory requirements that may result in poor press (along with any financial or licencing penalties). It may also be relevant to examine public sentiment from those beyond immediate consumer groups.
Suppliers, products and third-party understandings and trust
All organisations rely on technology suppliers, extending to those producing technology products that rely on a supply chain of other technology, utilities, consumables and any number of critical products for operating their organisation. The strategy puts a spotlight on technology products not only through a dedicated shield that is listed second but related principles are dispersed through other shields.
Safety as described in the Strategy is “safe, secure and fit for purpose” is contextualised to an organisation, a point in time, its operating environment and who is impacted. Advancements in complex technologies like AI, quantum computing, and cloud services make it tough for individuals and medium businesses to fully grasp and assess risks for effective risk management.
It would be easier to understand the threat by splitting this into two aspects:
- Understanding the technology – provide standardised consumer information that offers sufficient information for consumers to make decisions without needing extensive technical knowledge (similar to ‘Health Stars’ on food products).
- Understanding the desired outcomes of a product – define the desired outcomes and ‘out of bounds’ criteria for a product, and how to measure each so that they can be tracked, monitored and managed.
The Strategy, advocating for the adoption of standards, embedding standard secure practices and developing frameworks, primarily addresses the technology understanding aspect. However, it falls short of understanding the consumer’s context:
- CTA: organisations need to understand their own contexts, that is what technology (or people) agnostic things must (or must not) happen. What is the outcome that is to be achieved by tools and what are the measures to track performance?
- CTA: organisations need to understand their comfort level on who and where they procure services and technology. Even without formal government adoption of standards or secure development practices, some vendors are already following these and can provide related assurances. There are also certifications that can be checked for different providers and technologies that demonstrate levels of security or trust. They can include international standards like ISO or Australian Government certifications like the Hosting Certification Framework (HCF) program. By actively documenting acceptable comfort levels for this assurance and pairing it with the knowledge of what data is critical/sensitive, organisations can make their own informed decisions prior to formal government frameworks or mandates for suppliers. And once this happens, organisations are more agile in alignment.
- CTA: organisations need to examine and understand their comfort level with new technologies, including AI and quantum computing. This does not mean organisations need to become experts in these areas, just that they are aware of the generalised risks these technologies pose and be prepared for the additional oversight workloads required to reduce these to organisational acceptable levels. This is especially important for technologies related to AI as once intertwined, they can be difficult to extract from an organisation and data used within an AI algorithm is impossible to retrieve or delete.
Understand how you can continue functioning (safely) when defending or responding to an incident
The final major theme that can be drawn from the Strategy is the need for organisations to be self-reliant to continue functioning for a period of time. The shields include strengthening capabilities for response and acknowledging the inevitability of attacks and disruptions.
For small to medium businesses and individuals, responding to incidents is challenging, with a time delay between impact and recovery. Organisations can build their resilience now by proactively preparing for outages and disruptions, approaching cyber incident preparedness with a similar mindset to preparing for natural disasters or fire seasons.
The following recommendations are derived and distilled from standard Business Continuity and Recovery frameworks and practices:
- CTA: develop a plan for critical assets when they are no longer available or trustworthy. Be realistic about the plan’s sustainability and its alignment with realistic outage durations. It may appear better in documents and reports that the plan is within expected outage thresholds, but if the reality is your organisation’s resources mean you can’t sustain operations for weeks, it is better to be aware of that early and plan for that contingency.
- CTA: know who to call (not Ghost Busters) for various outages and incidents, differentiating between scenarios such as website breakdowns versus phone line issues. Conduct an audit of contracts and Service Agreements to clarify organisational expectations and liabilities to be dealt with.
For many small businesses and individuals, there is a sense of community and sharing especially in times of trouble. Similar to preparations for natural disasters like fire plans, it is advisable to communicate, plan and collaborate with others to strengthen collective resilience in the event of a cyber incident. Consider how to assist those that less technology-literate, such as older people, in protecting themselves, recovering and resuming their activities post-incident.
In navigating the complexities of the 2023-2030 Australian Cyber Security Strategy, we have delved into the key insights for organisations, emphasising the importance of understanding and safeguarding critical assets, fostering trust in suppliers, and fortifying resilience in the face of cyber incidents.
At Anchoram, our teams are comprised of talented and experienced professionals with wide enterprise skills including Data, Commercial Contract, Technology, Enterprise Risk and Cyber. With experience spanning industries of Government, Critical Infrastructure, Education, Resources and Utilities. Our collective skills and expertise, and decades of diverse experience contextualise and best advise on all things cyber as relevant to your organisation. Reach out to our team for personalised guidance in elevating your cybersecurity stance.
The recent release of the 2023-2030 Australian Cyber Security Strategy outlines the government’s strategic vision and objectives for bolstering cyber outcomes, and rightfully so. But what can organisations take away from this strategy to help themselves?
Share This Article:
Categories
Subscribe
Subscribe to our newsletter and get the latest news and information from Anchoram.