Cyber security: Top 3 focus areas this financial year
With cybercrime on the rise and a new financial year underway, businesses should focus their efforts on cyber security, maturity and resilience.
Key Takeaways
- The Critical Infrastructure Bill now broadens the definition of critical sectors and mandates a 12-hour reporting requirement for cyber security incidents.
- Cyber insurance now demands stronger minimum security standards, so improving fundamentals like MFA and backups is essential before renewal.
- Businesses must integrate cyber security into their continuity plans to boost resilience, focusing on vulnerability management, asset management and identity governance.
The importance of focusing on cyber security
Cyber security has taken precedence in the minds and actions of both business and national leaders.
The recent appointment of the country’s first dedicated Minister for Cyber Security, Claire O’Neil, has reinforced Australia’s commitment to security, with more regulatory compliance expected for both government agencies and the private sector.
This comes as no surprise as reported instances of cybercrime continue to escalate. Over the 2020–21 financial year, the ACSC received more than 67,500 cybercrime reports – an increase of nearly 13 per cent from the previous financial year – with self-reported losses totalling more than $33 billion.
As the new financial year gets underway, organisations must shift their focus towards three key areas.
1. Critical Infrastructure Bill enforcing cyber maturity
The Critical Infrastructure Bill focused on traditional infrastructure assets such as electricity, gas, and water. However, recent amendments to the Bill have broadened the scope of industries considered as critical infrastructure and introduced new obligations.
The Bill now includes financial services and markets, healthcare, higher education and research, transport, and more. These changes place specific reporting criteria and obligations on these industry sectors to maintain a baseline level of cyber security maturity.
The most recent change to come into effect is a 12-hour reporting requirement for all security attacks on organisations who are responsible for assets defined as critical under the Bill.
With the focus on regulatory compliance set to increase even further in this space, an organisation’s ability to demonstrate a level of cyber security maturity will become increasingly important.
Cyber maturity starts with the ability to identify and understand the critical systems and assets of your organisation and ensuring your business continuity plan (BCP) reflects this. So, if your business is disrupted, you know what to do to get back online and what you must report under the Critical Infrastructure Bill.
2. Cyber insurance – the devil is in the detail
Cyber insurance is another key component of the regulatory landscape in 2022/23. As ransomware attacks become more frequent and sophisticated, cyber insurers are putting additional obligations on businesses seeking insurance around their level of cyber maturity.
According to the latest ACSC Annual Cyber Threat Report, there were almost 500 ransomware related cybercrime reports received in the 2020-21 financial year – an increase of almost 15 per cent compared to the previous financial year – with ransom demands ranging from thousands to millions of dollars.
In many cases, organisations that have fallen victim to ransomware have failed the basic fundamentals. In light of this, insurance companies are now seeking more stringent minimum-security standards.
Businesses will need to answer much more detailed questions about the effectiveness of specific security measures and controls. Detailed questions such as “what internet facing web portals hosted in your data centre, are not MFA enabled?” and “what is your backup frequency, recovery point objective (RPO), and test failure rate on your critical assets?” are commonplace when renewing a cyber insurance policy. Organisations should be prepared to have a mini audit on their hands when it’s time to renew their insurance policy.
3. Business Resilience and its missing link
Cybercrime is big business, and the more money or assets criminals can access, the better. And, despite their size, SMBs are not immune to an attack.
Compared to 2021, 77% of organisations increased their security budgets, however despite more and more money being invested into cyber security, businesses still struggle with resiliency. This is because cyber security continues to be left out of organisations’ business continuity plans.
This misstep can cause major disruption during a cyber security event including serious reputational damage. Organisations need to start thinking about cyber security in terms of business resilience, it can no longer be left out on its own.
This, alongside improving your cyber security fundamentals is key – focussing on three key areas: vulnerability management, asset management, and identity governance.
By putting the right systems in place like this, organisations will be ready for any regulatory requirements on the horizon for Australian organisations as well as defending themselves against a cyber attack.
