With the 2016 Federal Budget, the Australian Government has announced how it intends to fund its new Cyber Safety Strategy (CSS) package, with funding also aimed at assisting those businesses who traditionally haven’t focussed on cyber security as a priority. The Budget has allocated $2.7 million for a “Cyber Ambassador” and $10 million for a public education campaign to stop computer users clicking on malicious web links. The $230 million Cyber Safety Strategy package announced as part of the Budget will also include an extra $36.4 million to help the Australian Federal Police and Australian Crime Commission fight online crime, $12.3 million to assess vulnerabilities in government systems, and $3.5 million for cyber security educational institutions. A further $38.8 million will be spent moving the Australian Cyber Security Centre from its current home in Canberra.
Key details of the Cyber Security Strategy set out exactly where the Federal Government will be investing and how it will assist mid-size businesses to fend off cyber security threats, including:
- Establishing a national cyber security partnership
- Creating strong cyber defences to detect, deter and respond to threats
- Taking a global leadership role to champion a free internet and shut safe havens
- Focusing on growth and innovation
- Building a cyber-smart nation by building skills and awareness
The question, for mid-size business in particular, is how these measures will actually assist them, and whether they are enough. The newly announced CSS package also fails to adequately address the elephant in the room: the delay in the revision of the original security plan, which was released in 2009 – some seven years ago. As technology and threats change rapidly, so too must government policy and initiatives, and seven years between cyber security strategies is too long. It is likely that yesterday’s package announcement was in direct response to the recommendations made in the Final Report of the Financial System Inquiry (or ‘Murray Inquiry’ after its Chair, David Murray) by the Abbott Government in December 2014, which highlighted cyber security and technology-related fraud risks as an emerging trend for the financial services industry. That report specifically recommended an update to the 2009 whole-of-Government Cyber Security Strategy to reflect changes in the threat environment, improve cohesion in policy implementation, and progress public–private sector and cross-industry collaboration. It was recommended that such an update be made in conjunction with the establishment of a formal framework for cyber security information sharing and response to cyber threats. Is this new package the framework hoped for? The devil really is in the detail.
In 2014, with the release of the Murray Inquiry, it was noted that, due to advances in technology and the sophistication of cyber-crime, even in the space of 5 years the CSS was largely out of date and lagged behind similar strategies adopted in the US, UK, Canada, New Zealand, France, Germany, Japan and Singapore. While financial institutions as well as mid-size businesses obviously retain ultimate responsibility for maintaining the security of their own systems, an updated CSS can provide a framework that will allow organisations to collaborate with Government and co-ordinate their efforts. Interestingly, the package announced as part of the Federal Budget does not go so far as to formally recommend a model that was under consideration at the time of the Murray Inquiry, being something akin to the Financial Services Information Sharing and Analysis Center (FS-ISAC) in the US, which is a collaboration between financial institutions and government. It does, however, include a greater push for public and private sector collaboration.
The new package announced as part of the Federal Budget should be applauded for bringing to the table a cyber security health check scheme for the public and private sector, as industry collaboration will be the key to the success of the Cyber Security Strategy. The onus, however, is on organisations to step up and play their own role in fighting cybercrime, particularly in those industries that operate critical infrastructure. Even for those negotiating insurance to cover cybercrime risks, costs arising from loss of goodwill and reputational harm, as well as costs attributable to negligent data security, are usually excluded from such policies. Ensuring your breach response policies are up to date will be business-critical to minimise the effects of data breaches or cyber-attacks.