The Australian government has recently unveiled a new cybersecurity strategy designed to bolster the nation’s cyber capabilities and protect the economy and its citizens from cyber threats. The policy, led by Minister Clare O’Neil, seeks to make Australian entities harder targets, and to enable faster recovery from cyber attacks.
The government aims for Australia to become a world leader in cyber security by 2030, outlining specific goals for different time periods within the next decade. Close collaboration between the government and industry is emphasised for successful implementation. The Australian Government is allocating $587 million for the strategy, with a declared focus on supporting small businesses, raising public awareness, fighting cybercrime, and strengthening identity security. Additionally, investments will be made in critical infrastructure defence, establishing consumer standards for smart devices, and building a dedicated threat-sharing platform for the health sector.
The strategy has been met with a positive response from industry groups and small business organisations, who see it as a significant step towards enhancing cybersecurity measures.
Chris Sharp, CEO at Pax8 APAC, responded,
“There’s a path in Australia’s cyber security opportunity where the little guys aren’t left out, but the advice to market – particularly to SMBs – needs to be polished.” He went on to say, “The Government’s “health check” program announcement is a valiant effort – the true test will be how it goes about educating the right people across an extremely diverse SMB landscape. ‘Concierge-style’ support only goes so far, particularly if it doesn’t know where to go, and businesses don’t understand why to seek it out.”
Boosting Cyber Resilience for Small Businesses
Recognising the vulnerability of small and medium-sized businesses (SMBs) to cyber incidents, the government has injected $11 million as part of the program to assist SMBs in enhancing their cyber resilience. The Small Business Cyber Resilient Service aims to provide step-by-step assistance to SMBs in the aftermath of a cyber attack, cushioning them from the worst of the financial and reputational damage that stems from such attacks. Additionally, the government has introduced a voluntary cyber health check program for businesses to self-assess their cybersecurity maturity.
The boost for SMBs was welcomed by many in the industry, including Tim Hartman, Head of Solution Architecture, Australia & New Zealand, Infoblox, who said,
“We welcome the Government’s 2023-2030 Cyber Security Strategy and particularly its focus on real-time threat intelligence sharing, working in partnership with our neighbours, and raising all organisations’ and people’s cyber security posture to make the whole stronger than the sum of its parts.”
“While there’s a journey to go to become the most secure nation in the world in seven years, there are some important quick wins organisations ranging from SMEs – which will have the benefit of the new cyber ‘health checks’ the Government has announced – to major enterprises and government agencies.”
Pax8 APAC CEO, Sharp, expanded,
“The problem is SMBs don’t know how to start conversations, nor who to turn to. Working alone makes the cost of cyber security defences untenable, but it doesn’t have to be this way. Your local florist, corner store, or even the grassroots neighbourhood start-up can contribute to building Australia’s resilience; they need the education to know why and how to be government compliant, fight increasing cyber insurance premium costs, and protect their customers’ PII data.”
Protecting SMBs from Cyber Threats
Recent government reforms to privacy laws aim to protect SMBs from becoming attractive targets for cyber criminals. By implementing mandatory reporting obligations for ransomware attacks and creating a single online reporting portal, businesses can now navigate their obligations more effectively. The Council of Small Business Organisations has welcomed these measures, considering cyber risk as a significant concern for the small business sector, which reportedly loses $2 billion annually.
Aidan Tudehope, Managing Director, Macquarie Government, said protecting SMEs was a critical element of the strategy as it would bolster the nation’s cyber posture more broadly.
“SMEs are currently exempt from Australian privacy laws and many data protection, deletion, and governance requirements. But they make up about 95% of all organisations in Australia, and many are part of Government and critical infrastructure supply chains, sharing data and digitally interacting with entities crucial to the nation’s economy and national resilience,” Tudehope said. “Organisations with an immature understanding of cyber and privacy measures could be inadvertently creating risk for other, potentially more critical organisations, and we strongly welcome the Government’s targeted support to help SMEs achieve new levels of cyber security and sophistication.”
Scott Magill, Managing Director, Rubrik A/NZ, also welcomed the strategy but said he would like to see the ransomware reporting obligations combined with a stronger push to improve cyber resilience.
“Gaining greater visibility into the ransoms demanded and paid by Australian businesses seems like a step in the right direction, but in isolation will do little to actually protect Australian data,” he said. “If it’s to stop the flow of money to cyber criminals by implementing a punitive ‘big stick’ to fine those who pay a ransom, then it is a misguided approach.”
Magill went on to say, “If it’s to gain greater visibility into the scale of the problem, it is only half the solution. We need to think about the outcome we’re striving to achieve and work backwards to get to the solution. In a perfect world, organisations aren’t paying ransoms because they don’t need to. With that in mind, I would urge the Government to consider supporting organisations to adopt an ‘assumed breach mindset’. This involves understanding attackers will eventually be successful and preparing ahead of time to keep the most critical and sensitive data safe – backups are central to this approach.”
The 6 Shields Approach
The new cybersecurity strategy is underpinned by the concept of the so-called ‘6 Shields’, with strong businesses and citizens serving as key components of each shield.
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership.
This comprehensive approach emphasises the importance of collaboration between businesses, citizens, and the government in creating a robust cybersecurity environment.
Anthony Stitt, Regional Senior Director, Nozomi Networks, was particularly positive about the more proactive stance being taken by the government, along with the aim of enhancing Australia’s offensive capabilities.
“There’s always something an attacked organisation could have done to remain protected, but we can’t forget that cybercrime is crime. Greater involvement and offensive capabilities from law enforcement will help to change that mindset, and it’s great that is a priority from Government through the 2023-2030 Cyber Security Strategy.”
The launch of Australia’s new cybersecurity strategy marks a significant milestone in the country’s efforts to protect its national economy and community from cyber threats. With support from industry groups and small business organisations, the strategy aims to uplift national cyber capabilities, enhance the resilience of small businesses, and protect them from cyber incidents.
The government’s commitment to collaboration and the involvement of expert advisory board members further reinforces the comprehensive and inclusive nature of the strategy. As Australia strengthens its cybersecurity defences, the hope is to elevate the nation’s position to global best practice standards, and I, for one, support this effort in the right direction of helping ensure a safer digital landscape for all our citizens.