lucadp -

Australian businesses need to up their game in cyber security

With threat actors becoming more innovative, businesses must start getting their security fingers into every system they buy or build, experts say

Businesses need to appreciate the inherent asymmetry in the state of cyber security and step up their game because the bad guys have proven to be more innovative, according to a panel of experts who spoke at a cyber security event hosted by the Australia-Israel Chamber of Commerce in Sydney.

Against this backdrop, Yuval Illuz, chief information security and trust officer at Commonwealth Bank, said organisations needed to repel all attack attempts, noting that cyber criminals will only need one exploit to succeed.

Dali Kaafar, scientific director at Optus Macquarie University Cyber Security Hub, said Australian enterprises had been struggling with cyber security for two decades. A key challenge is that cyber security is not a purely technical issue, but also requires organisations to educate users and understand user behaviour.

Making things worse was the fact that policy and governance have been disconnected from technical products and vice versa, he added.

“For years we have been approaching cyber security in a reactive way…and not really into the spirit of proactively achieving cyber defence. The bad guys are more innovative than the good guys,” he said.

Illuz, however, was optimistic that corporate Australia would eventually win the innovation stakes in cyber security. “It will become more complex in the future, but in the long term I don’t think they [cyber criminals] can be more innovative than corporations,” he said.

The Commonwealth Bank, for example, meets with cyber intelligence teams of other major banks on a quarterly basis to share insights and experience and has even created a cyber security magazine for customers. Illuz said though, that if he had a budget for just one thing, he would spend it on additional security education.

Security education is also a focus for Australia’s federal government, which has been looking for ways to increase access to cyber security skills nationally. Progress has been made in the vocational education sector in December, with all states and territories, except Northern Territory, agreeing to use a national cyber security training syllabus.

This follows the announcement of two new cyber security accreditations for certified professionals and certified technologists by the Australian Computer Society in September 2017.

Read more about cyber security in Australia

Besides having better access to skills, Stuart Mort, director of cyber security at Optus, said companies would benefit from a security and privacy-first approach when designing and choosing IT systems.

This was particularly important given the continued rise of shadow IT where executives outside of IT bought IT products and services to meet their business needs.

“Whether it’s marketing, procurement or developers, we need to be getting our security fingers into every single pie and we need to be able to veto,” said Mort, concurring with his fellow panellists that this will become even more important from February 2018 when Australia’s mandatory data breach notification law comes into force.

Australian companies saw a 15% increase in cyber incidents in 2016, underscoring Australia’s position as one of the most targeted countries in the Asia-Pacific region, according to a recent threat report by the Australian Cyber Security Centre.

Private sector industries bore the brunt of the attacks, followed by federal government agencies. Ransomware and phishing attacks remain two of the most prevalent cyber threats in Australia.

Read more on Hackers and cybercrime prevention