
Australian Government introduces Cyber Security Legislative Package: Are you ready?


By Simon Liu and Sascha Hess

On 2 October 2024, the Australian Government announced its first standalone Cyber Security Bill as part of a package of reforms in critical infrastructure and national security to bring Australia in line with international best practice on new and emerging cyber security threats. The Cyber Security Legislative Package includes the Cyber Security Bill 2024 as well as amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018 (SOCI Act).

The proposed regulatory framework forms part of the government’s vision of becoming a world leader in cyber security by 2030, according to its 2023-2030 Australian Cyber Security Strategy, and specifically to build the government’s awareness of the ransomware threat, which continues to grow and raise risk for all organisations.

IIS welcomes the four key measures this bill introduces.

Set up a response and learning framework for cyber incidents

Three initiatives work together to systematically enhance Government and Industry’s ability to respond to, and learn from, cyber security incidents:

  • Providing data

  • Lowering barriers to information sharing with the Government, and

  • Creating a ‘no-fault’ cyber incident review board.

These efforts align with existing industry practices and common sense – sharing data fosters an informed, coordinated response, while conducting blameless post-mortems helps embed lessons for future incidents.

The bill does this by:

1. Introducing mandatory ransomware reporting for certain businesses to report ransom payments

Introducing a mandatory reporting obligation for entities who are affected by a cyber incident, within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made. The two categories of entities that have ransomware reporting obligations are:

  • Category 1

    • Entities that carry on business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold (which is likely to be $3 million, yet to be confirmed);

    • Not a Commonwealth body or a State body; and

    • Not defined as a responsible entity for critical infrastructure asset under the SOCI Act.

  • Category 2

    • Responsible entities for a critical infrastructure asset to which the SOCI Act applies. In other words, all responsible entities will have ransomware reporting obligations even where their annual turnover does not exceed the turnover threshold (which is likely to be $3 million, yet to be confirmed), or where they are a Commonwealth or State body.

2. Introducing a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD)

Introducing a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be used and shared with other government agencies, including regulators.

3. Establishing a Cyber Incident Review Board

Establishing a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.

Set up a minimum security baseline for ‘smart devices’

Smart devices are becoming a common feature in Australian homes and businesses. From home security systems and video doorbells to keyless entries and voice assistants, who doesn’t enjoy the added convenience and peace of mind? However, like any software, internet-connected devices have security vulnerabilities that require proper securing and regular patching.

4. Introducing a minimum set of cyber security practices for smart devices

The bill marks the first step in establishing a minimum security baseline for smart devices in Australia and follows the lead of the UK, which introduced its own regime in April 2024.

Ready, Steady, Go

The legislation, if enacted, will become Australia’s first standalone cyber security legislation, strengthening protections for businesses and enforcement measures in response to the increase in cybercrime.

Businesses will need to adapt to stricter security standards for smart devices and embed their new reporting requirements into their incident response plans.

Please contact IIS to have a confidential chat on how we can support your business to become compliance ready.

If you are interested to understand the impacts of a real major cyber security incident and a serious data breach, see our whitepaper on “What businesses need to know about the Optus 2022 cyber attack and lessons learned from the Service NSW 2020 Data Breach”.


November 2023 ASD Essential Eight Maturity Model changes


By Sascha Hess

The Australian Signals Directorate (ASD) updated its Essential Eight Maturity Model this November. Since 2017 the model has been updated regularly, supporting the implementation of the Essential Eight.

The Essential Eight can be considered a prioritised minimum security control baseline, referred to as mitigation strategies in the guide. The model comprises three maturity levels which can be considered ‘threat profiles’. Insights for refining the model are derived from various cyber-related fields, such as security testing, cyber threat intelligence, and learnings from responding to incidents.

This year, notable changes include:

  • Introduction of “patches assessed as critical by vendors” as an additional prioritisation criterion. Patches for critical security vulnerabilities for internet-facing systems are now required to be applied within 48 hours, even in the absence of a known exploit. Tighter time frames are also established for patching applications processing untrusted content from the internet (e.g., browser, PDF reader).

  • Enhancements to the use of multi-factor authentication (MFA) universally, like expanding the use of phishing-resistant MFA.

  • In response to attacks against citizens who continue to use only passwords, online access to an organisation’s sensitive data now requires multi-factor authentication from Maturity Level One.

  • A significant tightening of privileged account management practices around validation for requesting accounts, periodic revalidation, accounts with internet access and break-glass accounts.

As adding is typically favoured over removing in standards, it is good to see that the review also resulted in removing or easing a couple of requirements (i.e., macro execution event logging and patching for less important devices).

For a comprehensive list of changes, please visit the dedicated page on cyber.gov.au. IIS has compiled a marked-up table of the Essential Eight Maturity Model which highlights the November 2023 changes for easier reference.

The increased focus on timely patching, use of robust multi-factor authentication and tighter control over administrative access accounts helps organisations to better defend against threat actors’ common attacks. IIS recommends that all organisations review their practices now in light of these changes.

IIS can help you review and uplift your current security practices and capabilities. Please contact us if you require assistance.

Top five picks for making privacy a priority (PAW 2021)


By Lisa Hooper and Chong Shao

The 2021 Privacy Awareness Week (PAW) is scheduled for 3-9 May. The OAIC’s PAW theme is Make Privacy a Priority. Its recent survey of Australian attitudes towards key privacy issues revealed that most Australians have a clear understanding of why they should protect their personal information (85% agree) but half say they don’t know how (49% agree).

This year, the OAIC has published their privacy tips for the home and the workplace. In this post, we have compiled our own top picks that align with OAIC’s message for workplaces, along with our own commentary.

IIS top five picks

1. Making privacy a priority starts from the top

  • OAIC message: A strong leadership commitment to a culture of privacy is reflected in good privacy governance

  • IIS view: Privacy needs to be front-of-mind for boards

Good privacy governance enables innovative and trustworthy uses of personal information. This in turn promotes both performance (e.g., improving productivity, offering new digitally enabled products and services) and compliance (e.g., meeting local and global privacy requirements, reducing and responding to privacy risks).

IIS believes that privacy should be a key consideration for boards and they should provide clear direction for the executive team to implement a privacy management framework that sets out the organisation’s privacy governance.

It is important for organisations in this rapidly changing environment to adopt a forward-looking posture. Organisations should actively monitor the latest privacy developments – including in technology, law and policy – and consider how they may be impacted. Privacy performance and developments should also be reported back up to the board level. 

This is discussed extensively in the book The New Governance of Data and Privacy: Moving beyond compliance to performance, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).

2. Reduce the risks of data breaches caused by human error and prepare a data breach response plan 

  • OAIC message:

    • Reduce the risks of a human error data breach by educating staff and putting controls in place

    • Ensure that your organisation is prepared and equipped for a data breach 

  • IIS view:

    • Educate, prepare, rehearse and assess

    • Your data breach response plan needs to be up to date and fit for purpose. This needs to include the role of third-party providers that would play a key role in the response.

Over the past year, data breaches have continued to increase around the world. Many cyber-attacks are occurring in the context of wider disruptions caused by COVID-19. As large portions of the professional workforce transitioned to working remotely, there was a significant reliance on personal devices and home networks to conduct work tasks, thereby increasing organisations’ exposure to security threats.

It is vital for staff to continue to be educated on proper data handling and receive privacy training for their respective roles. How an organisation handles a data breach can significantly impact their reputation; ensuring that staff are well equipped to report a breach is an important factor when implementing action plans for handling a breach. 

IIS believes that now more than ever, organisations must ensure that staff are adequately trained, controls are regularly assessed and that data breach response plans are up to date and fit for purpose. Like other safety drills, the plan should be rehearsed periodically so that the organisation can respond efficiently and effectively if/when the real thing happens. It is better to be proactive than reactive. Is your organisation data breach ready?

3. Build in privacy by design (PbD)

  • OAIC message: Adopt a PbD approach to minimise, manage or eliminate privacy risks 

  • IIS view: Embedding PbD from the very start helps organisations with both privacy compliance and performance

IIS has been a strong advocate for PbD. We believe that implementing PbD strategically helps organisations to achieve their objectives while maintaining a high level of privacy protection. This saves the time and costs of “bolting on” measures down the track. Furthermore, PbD helps organisations to focus on user-centric practices that are key to building trust with customers and reducing privacy risk over the long run.

PbD should be prioritised in contexts where the value of the data and the associated privacy risks are high, for example: linking and matching big datasets, mobile location analytics, biometrics, and customer loyalty programs.

4. Put secure systems in place

  • OAIC message: Having strong and secure systems in place helps to protect personal information from misuse, loss or unauthorised access or disclosure

  • IIS view: Ensuring secure systems and appropriate controls are in place is one of the top priorities for preventing privacy breaches.

Cyber security and privacy should not be “set and forget”. Rather, organisations must regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. This means cyber security is not just an IT issue, but a business and risk issue.

Having policy and procedure documents in place is necessary but not sufficient. Overall, organisations should focus on the basics: know your data assets, manage identity and least-privilege access, protect endpoints, train staff and prepare for incidents.

5. Undertake a PIA

  • OAIC message: A PIA is an essential tool for protecting privacy, identifying solutions and building trust 

  • IIS view: A PIA is an essential component of the organisation’s risk management process

A privacy impact assessment (PIA) is an assessment of new or changing technologies (e.g., adopting a new CRM system), products (e.g., introducing a location-based customer service) and/or operational processes (e.g., revising the data governance policy) that might have an impact on the privacy of individuals.

When the organisation proposes to introduce a new project that involves (or could involve) the handling of personal information, it could lead to both anticipated benefits as well as unanticipated consequences. Conducting a PIA prior to and during the project – as part of the project’s overall risk management processes – can ensure that privacy risks are considered and that the potential impacts are mitigated. 

In IIS’s experience, a PIA is more than a compliance check. Conducting a PIA can provide organisations with a wider view on privacy throughout the business, which in turn can help organisations improve their privacy practices beyond the single project under review.

Participating in PAW 2021

IIS will once again be proudly supporting PAW this year. We have previously partnered with our clients during PAW to deliver presentations and participate in live Q&A sessions. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point.

Sign up today with the OAIC or contact IIS to help you and your organisation make privacy a priority.