Data breach disclosure law will lift Australia’s cyber security game

New rules underscore Australia’s recent efforts to tackle cyber security challenges on the local and international stage

Australia will kick off the cyber security year with a bang when its new data breach disclosure legislation comes into effect in February 2018.

The mandatory data breach notification law underscores Australia’s recent efforts to lift its cyber security game both locally and internationally, bringing the country into line with other efforts, such as the European Union’s General Data Protection Regulation (GDPR).

Under the Australian legislation, organisations with a turnover of more than A$3m, as well as Commonwealth government agencies, must notify the privacy commissioner and individuals affected by a data breach.

The new laws are enforceable from 22 February and civil penalties for not complying range up to A$360,000 for individuals and A$1.8m for corporate bodies.

The legislation has already raised awareness of the need for cyber risk insurance, which has become the fastest growing commercial segment of Australia’s insurance market.

The new rules are also set to change organisations’ attitudes towards how they report cyber attacks and what they regard as a cyber attack.

In a recent report from the auditor general of New South Wales (NSW), Australia’s biggest state economy, the 39 largest NSW government agencies were required to divulge their cyber attack exposure over the last financial year.

One-third of NSW government agencies reported no cyber attacks at all during that period, which local industry observers described as “ridiculous”, noting that it was not credible that an agency would have zero attacks over a 12-month period.

Estimates of losses to the Australian economy from cyber attacks vary. A briefing paper from the federal government’s Department of Prime Minister and Cabinet noted that Australians lose about A$1bn a year to cyber crime. But because worldwide losses from cyber attacks are about 1% of GDP, the real impact of cyber crime on Australia could be around A$17bn a year.

International cyber engagements

In October 2017, the federal government launched an international cyber engagement strategy paper that set out broad policy goals for everything from digital trade to cyber security. On the security front, the paper outlined Australia’s cyber sphere of influence, which centres on the Indo-Pacific region.

“Engaging internationally to strengthen the collective cyber security of Australia, the Indo-Pacific and the broader global community is a key objective for Australia,” the paper said.

“The global nature of the internet means that cyber threats emerging anywhere in the world can impact Australia. Our international engagement will seek to build Australia’s knowledge and capabilities and to enhance the cyber security posture of international partners, particularly those with extensive economic, diplomatic and social links with Australia.”

The main point of engagement for the country’s international cyber efforts is through the Australian Cyber Security Centre (ACSC), which collaborates with other international cyber security organisations, law enforcement agencies and industry partners, underpinned by Australia’s cyber policy dialogues with China, India, Indonesia, Japan, New Zealand and South Korea.

Australia is a member of the Asia-Pacific Computer Emergency Response Team (APCERT), which helps to protect national infrastructure in the region from cyber attacks. APCERT has 30 operational members, including India, Bangladesh, China and Hong Kong, with supporting industry members such as Dell SecureWorks and Microsoft.

Since November 2016, the federal government has employed its first ambassador for cyber affairs, Tobias Feakin, who was a member of the independent panel of experts that supported the Australian Cyber Security Review and, subsequently, Australia’s 2016 cyber security strategy.

Before taking up the ambassadorship, Feakin was director of national security programmes at the Australian Strategic Policy Institute. In a federal government paper outlining the country’s international cyber engagement strategy, he noted the significant role that cyber affairs play in Australia’s international relations.

“Once a technical niche issue, cyber affairs is now a strategic international policy issue,” wrote Feakin. “Australia's interests in cyber space are diverse and interconnected – from capturing the economic prosperity promised by digital trade and technology-enabled development, to securing Australia from the threat of cyber criminals and preserving stability in cyber space.

“Australia’s vision of an open, free and secure cyber space and our ambitions across the broad spectrum of cyber affairs are impossible to achieve alone. All of our efforts, both globally and regionally, will be delivered in partnership. We will combine the unique and complementary skills of other countries, the private sector, civil society and the research community.”

More cyber security experts needed

On the cyber skills training front, Australia has just launched the first skills-based cyber security certificate and diploma-level qualifications for its Technical and Further Education (TAFE) network to meet the country’s demand for an extra 11,000 cyber security specialists over the next decade.

Speaking at the launch of the new qualifications, Angus Taylor, minister for law enforcement and cyber security, said Australian businesses needed “ground-up” initiatives, such as practical skills training, to protect themselves from cyber crime.

“The sad reality is that there are cyber threats to every phone and computer in Australia,” he said. “With the rapid transformation of cyber crime, there is a risk that businesses, smaller businesses in particular, will say it’s all too hard.”
