On 21 April 2016, the Federal Government launched its long-awaited new Cyber Security Strategy, following 18 months of public consultation and review. Prime Minister Malcolm Turnbull’s foreword to the Cyber Security Strategy states that the strategy gives cyber security “the attention it requires in an age where cyber opportunities and threats must be considered together and must be addressed proactively”.
This is a sentiment with which our Corrs Cyber experts strongly agree. Leaving aside issues of national security, we often see first-hand the financial and reputational cost of cyber security incidents, particularly data security breaches. The absence of cyber resilience, and of accompanying effective regulation, has serious implications for the public and private sectors, and for individuals.
The Cyber Security Strategy (an update to the inaugural strategy released in 2009) aims to balance the need for Australia to innovate in the online environment against the “real and growing” cyber security threats. It outlines the Government’s plan to develop national cyber resilience, for the public and private sectors and for individuals, with a view to “unlocking” Australia’s digital potential.
It also includes a significant investment by the Federal Government in cyber security: $230 million over four years, in addition to the separate defence-related investment in cyber security announced in the 2016 Defence White Paper. These funds are to be applied to improving cyber capability and delivering new initiatives, with over $30 million to be invested in an industry-led Cyber Security Growth Centre. This is positive news for innovative and disruptive Australian companies with products or services aimed at addressing cyber threats or improving cyber resilience within the public and private sectors.
National cyber partnership between government, research and business
Strong cyber defences
Global responsibility and influence
Growth and innovation
Developing a cyber smart nation
Support for cyber security professionals
Establishment of the Academic Centre of Cyber Security Excellence
Fostering STEM participation in schools.
There is general acceptance among the business community that a cyber incident will affect every organisation at some point. As recognised in the Cyber Security Strategy, being cyber resilient is not “an IT issue”. It is also more than a compliance issue: it “belongs at the centre of business strategy for organisations across the public and private sectors”. Cyber security is a real business risk to be prioritised, managed and funded by both public and private sector organisations.
A key component of the Cyber Security Strategy is to raise the bar on cyber security performance. This includes a plan to co-design national voluntary cyber security “good practice” guidelines, aligned with international standards, as well as voluntary “health checks” (for ASX100 listed companies), to help organisations understand their cyber security strengths and gaps. We would expect these guidelines to include a corporate road-map and other practical tools for preparing for and responding to malicious cyber activities, including data security breaches (similar to the Corrs Dealing with Cyber Security Corporate Road-Map).
But, as we see with privacy (or indeed any regulatory) compliance, for guidelines and “health checks” to be effective, they need to be properly implemented and adopted by the organisation through an organisation-wide change program. They also need the support of the Board and senior executives. Hopefully the release of the Cyber Security Strategy will help get cyber security issues, and the need to become cyber resilient, the attention they require within organisations, particularly at the Board and executive levels.