Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes. The ASD provides cybersecurity advice in its publication, ‘Strategies to Mitigate Targeted Cyber Intrusions’. The guidelines are designed for implementation by IT specialists, and are based on the ASD’s analysis of reported security incidents and identified vulnerabilities. The guidelines address targeted cyber intrusions, external adversaries with destructive intent, ransomware, ‘business email compromise’ and industrial control systems.

How does the government incentivise organisations to improve their cybersecurity?

The government is investing significantly in cybersecurity research and development. In early 2017, the Australian Cyber Security Growth Network, coordinated by the Cyber Security Growth Centre, commenced operations to facilitate enhanced cybersecurity innovation and R&D. The Growth Centre seeks to develop workforce skills in the cybersecurity sector and to find opportunities for Australian cybersecurity businesses to access global markets. Data61 is a branch of the government-funded agency CSIRO that encourages information sharing, cross-collaboration and growth across Australia's cybersecurity research, government and industry cohorts. The Department of Industry, Innovation and Science is also improving the capabilities of its Entrepreneurs' Programme Business Advisers to assist businesses facing a high cyberthreat and to provide advice about cybersecurity.

Additionally, the government released its Cyber Security Strategy in 2016, which, among other things, invests in the Australian Cyber Security Centre and increases its capacity to work with Australian businesses (particularly those businesses providing critical services). As part of the Cyber Security Strategy, Australia’s Computer Emergency Response Team (which has now been subsumed within the ACSC) has also commenced the development of Voluntary Cyber Security Guidelines. The voluntary guidelines will promote good practice that all organisations can use and will be aligned with international standards where possible.

The government also offers a research and development tax incentive, which is a powerful tool for accessing funds at the start of research. This incentive is available for cybersecurity research and development and is likely to be used increasingly for such purposes as the government continues to promote the importance and value of investing in cybersecurity.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

See question 1.

Are there generally recommended best practices and procedures for responding to breaches?

The first issue companies must address when they suffer a data security incident is limiting and remedying the initial damage of the incident. Companies must then identify how the incident occurred and take appropriate steps to rectify any vulnerability in their data systems in order to protect against similar incidents in the future. Depending on the type and scale of the incident, this may take some time and be costly for organisations, particularly when business disruptions are factored in. Companies must also try to limit the harm such data security incidents cause to their brand and reputation. Such incidents can diminish customers' trust in an organisation, particularly if records are lost or stolen that contain personal, sensitive, financial or other confidential data. This may ultimately result in the loss of customers. A quick and effective response can therefore positively influence public perceptions of a business's trustworthiness in the event of a breach.

In addition, as discussed further at question 28, entities subject to the Privacy Act 1988 (Cth) are also subject to a mandatory data breach notification regime. Under this regime, if a relevant business or government agency suspects there has been a data breach, it has 30 days to assess whether there are reasonable grounds to believe that there has been a breach that is likely to result in serious harm to any of the affected individuals and, if so, must make certain notifications to the Office of the Australian Information Commissioner (OAIC) and to affected individuals. In this context, best practice is to develop and implement an effective data breach response plan to ensure a timely and streamlined response to breaches. The OAIC has released a guide to managing data breaches in accordance with the Privacy Act in which it also recommends that businesses prepare a data breach response plan to meet their obligations under the APPs to take reasonable steps to protect personal information, limit the consequences of a breach, and preserve and build public trust.

Appointing a PR consultant is a step that some businesses take when faced with major data breaches. To minimise delay in responding to a data breach or suspected data breach, best practice is for businesses to include in their data breach response plans the contact details of an external PR consultant, or to designate a particular individual or position within the business as responsible for PR issues associated with a breach.

The Australian Cybercrime Online Reporting Network allows individuals to report cybercrimes that breach Australian law. It also provides advice on how to recognise and avoid cybercrime. The government encourages businesses that have or may have been a target of a cyberattack to contact the Computer Emergency Response Team Australia (CERT) through the ACSC. This is particularly important where the attack threatens infrastructure. Faster identification and reporting may minimise the extent of potential damage.

The government's strategy in this respect is to streamline reporting of incidents and obtain a higher-level view of cyberthreats in Australia. Eighty-six per cent of organisations surveyed in the ACSC Cyber Security Survey (2016) indicated that all or some of the cyber incidents they experienced had been reported to the organisation's board. Eighty-two per cent of participants in the survey indicated they would request help from the ACSC in respect of a cyberattack. However, the proportion of participants reporting incidents to external agencies was just 40 per cent in 2015 to 2016. The ACSC recommends that more be done to encourage reporting to external agencies of both attempted and successful incidents, so that the government can better understand the cyberthreat environment.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

As part of the government's strategy to mitigate the risk of cyberattacks, it actively encourages the sharing of cyberthreat information. According to the ACSC, 81 per cent of surveyed organisations reported regularly receiving cyberthreat intelligence. However, organisations ranked information sharing as the least important factor in mitigating cybersecurity risks. The ACSC considers that the sharing of cyberthreat information is crucial for two reasons. First, it allows sophisticated threats to be filtered from unsophisticated ones, which provides insight into the evolution of sophisticated adversary tradecraft. Second, sharing indicators of compromise increases the cost to adversaries and limits the effectiveness of cyberattacks.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The government recognises that private sector entities need easy and consistent access to government cybersecurity agencies, and it is facilitating an online cyberthreat sharing portal to allow real-time sharing of information about cyberthreats. It also recognises that cybersecurity is a serious strategic issue for community leaders, including ministers, senior executives and board members, and not just for IT and security staff. The ACSC works with business, government and academic partners, including the owners and operators of Australia's critical infrastructure, and advises these entities on investigating and developing solutions to cybersecurity threats. The ACSC also encourages and assists these businesses to take responsibility for their own cybersecurity, and works closely with other cybersecurity response teams to promote information exchange and, as a result, Australian cybersecurity. The ACSC also organises and facilitates information exchanges with its business partners. The government encourages business leaders to do more to raise the prominence of cybersecurity within their organisations and promotes cybersecurity as a top priority for corporate boards and organisation leaders.

The government has also reorganised its cybersecurity interface with the business community as part of the Cyber Security Strategy, bringing together both the policy and operations areas of that interface. Public and private sector initiatives under the strategy include the following:

  • The Prime Minister is supported by a minister assisting with cybersecurity, who is responsible for working with businesses to implement the government’s cybersecurity initiatives and has, among other things, hosted quarterly dialogues with industry. The 2017 Annual Update on the Cyber Security Strategy notes that recent dialogues have focused on cybersecurity incident response and increasing cybersecurity capacity in small to medium-sized enterprises.
  • CERT (which has now been subsumed within the ACSC) drafted national cybersecurity exercise programme guidelines as part of the Cyber Security Strategy and has started developing Voluntary Cyber Security Guidelines in concert with its public and private sector partners.
  • A pilot Joint Cyber Security Centre was opened on 24 February 2017 with representatives from more than 20 organisations within the energy, water, finance, transport and mining sectors, as well as the Queensland government, the ACSC, the Australian Federal Police and the Australian Criminal Intelligence Commission. Priorities for that Joint Cyber Security Centre are automated information sharing and targeted analysis of specific cybercrime threats against Australian industry networks.
  • The Prime Minister has also appointed a special adviser on cybersecurity. The Department of the Prime Minister and Cabinet is also set to strengthen its current lead on cybersecurity policy, continuing its current role as the central point for policy issues. The special adviser has been tasked with ensuring that the government is effectively partnering with the private sector.

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cyber insurance is becoming increasingly popular in Australia. Australia's Cyber Security Strategy estimates that demand for cybersecurity services and related jobs, such as legal services, insurance and risk management, will grow by at least 21 per cent over the next five years. However, the ACSC warns that cybersecurity insurance is not an adequate substitute for investing in appropriate cybersecurity measures. A policy may not adequately compensate for lost intellectual property, compromised personal information or irreparable reputational damage.