Winning Business with Cyber Maturity
Written by Peter Maynard, CEO, CyberMetrix
There have been some significant events in Australia’s cyber security landscape over the past 12 months. Events so significant that they compelled the federal government to commit to making Australia the most secure nation in the world by 2030. So, what will this mean for Australian businesses and government entities?
Let’s start with the big ones first: Optus and Medibank.
At the end of 2022, two major cyber incidents led to the exposure of more than 9.7 million health records and over 10 million individuals’ personal information. Two of the largest data breaches in Australian history within a month of each other. This was a breaking point for the federal government. Decisive and aggressive action was taken by Minister O’Neil to seriously escalate cyber security as a national priority that included significant changes to Australia’s privacy penalties for offending companies.
In March this year, a piece of legislation (the Security of Critical Infrastructure Act 2018) came into force for businesses and governments that are categorised as Critical Infrastructure Providers. These businesses and governments now need to take steps to minimise or eliminate the cyber risks associated with their suppliers. In simple terms, they need to ensure the suppliers they engage are cyber secure.
According to an article by the Cyber and Infrastructure Security Centre:
“The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry. The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the SOCI Act applies to, and to introduce new obligations.”
So what will this mean for small and medium sized businesses (SMBs) – which make up 99% of Australia’s economy and supply chains?
I’m confident it will mean opportunity. Opportunity for businesses with high cyber maturity to stand out from their competitors and secure more business. The good news is that the smaller a business is, the easier it is to build high cyber maturity, but we have to address one huge misconception first:
We can’t rely on our IT departments to ensure our cyber security!
I completely understand why almost every business owner and CEO says, “our IT team have got us covered!” But let me ask you this: Would you go to your general practitioner for heart surgery? No. This situation is no different and it’s not the IT department’s fault if your organisation is the target of a cyber-attack. They’ve inadvertently ended up with the role of de facto cyber security expert to the hundreds of thousands of SMBs. ‘Cyber’ is a business risk issue, not just a tech issue. IT experts are a critical part of a business’s cyber risk management capability, but they are not a silver bullet.
Hackers know that businesses think and act this way, so they target what the IT department isn’t responsible for: people and policies. If you haven’t heard of social engineering, it’s important that you understand it. It’s the primary attack technique that is used in almost every cyber incident. These techniques are designed to attack staff inside a business and rely on a business’s lack of formal processes, policies, and recovery plans to slip through the gaps. These are the gaps that businesses need to close to improve their cyber maturity.
How does a business achieve cyber maturity? Where does a business go for guidance on how to close the gaps if it’s not the IT department?
Unfortunately, Australian cyber security guidance has focused on eight technical controls, which has only amplified the misconception that cyber security is a “tech only” issue. Businesses need to look to standards for effective cyber risk management guidance, especially ones like ISO/IEC 27001 and SMB1001:2023AU, which larger businesses and government customers are going to expect their suppliers to comply with as part of their new legislated requirements. Non-compliance may very well mean the loss of contracts.
The pain of losing a highly valuable customer is close to the pain of dealing with a cyber incident itself. Talk to anyone that has experienced a cyber incident and I promise you will hear two things:
1. “We thought our IT department had us covered”
2. “It’s the worst thing we’ve ever had to deal with”
Businesses that build and demonstrate good cyber security will increasingly win customers. These businesses will also be the ones that are better equipped to manage a cyber incident when one occurs. Sadly, that will happen. Insurance premiums have doubled each year for the last three years; a good indicator that cyber incidents are becoming “when” events and not “if” events for every business and government. Leverage good cyber risk management practices and make them a business enabler. The timing has never been better or more urgent.
If you would like a list of actions that you can take to help close these gaps and build your business’s cyber maturity, contact us at Local Buy. We want all our suppliers to be cyber secure and have a competitive advantage.