The changes to critical national infrastructure regulation in relation to cyber security will need a coordinated, Australia-wide communications campaign that embraces small and medium-sized companies in order to carry maximum impact.
Email security and cyber resilience specialist Mimecast’s country manager Nick Lennon says the changes to critical national infrastructure legislation in Australia are a positive step forward. The regulation of cyber risks is a good thing and will ultimately lift cyber standards across the economy. In order to effect change, there needs to be a complete commitment across all levels of government and the private sector, as without the necessary changes there is the potential for considerable socioeconomic impact.
The new regulations are ultimately a way of introducing standards to manage cyber risks in Australia, just as financial reporting requirements and audits through regulations have been a way to manage financial risks across the economy.
Changes to the critical national infrastructure regulations will result in the introduction of minimum standards. The key to its roll-out in the early stages will be in a mass communications campaign that reaches the small and medium-sized companies that will be ‘captured’ by the new legislation.
“The critical national infrastructure changes effectively introduce ‘table stakes’ – or minimum standards – for companies, to enable them to participate in the new economy and the new environment,” Mr Lennon said. “That’s a positive thing and it really should be promoted.”
“This is regulation catching up in cyber, and supporting modern businesses to operate effectively in the current environment.”
“Longer term, it is easy to see a world where cyber security is regulated in the same way that the accounting and financial services industry is stood up today.
“So, we are obliged to check and report our [financial] books every 12 months, and we have multiple government agencies that analyse the quality of that information, to make sure that there’s transparency and due diligence around these organisations so they are able to trade appropriately,” he said.
In the same way that government financial regulation is an effective measure to ensure the financial services sector meets and exceeds global standards, Australia’s new cyber regulations need to be in lockstep with those of other countries to meet our obligations as global citizens in terms of cyber security standards. These new cyber regulations are about creating clear standards that enable trust across the systems of the economy, allowing customers and businesses to invest in one another. This is the same scenario that underscored the introduction of standard financial reporting, Mr Lennon said.
The key in cyber would be to make these new standards “more visible, more accessible and more in your face.”
“It is easy to envisage a world where organisations are reporting on their cybersecurity standards in a similar manner to how they are considering their financial auditing in today’s terms,” Mr Lennon said.
“So the question becomes, how does a small to medium-sized organisation consider what that means to them? And how do they meet or exceed those standards that are being asked of them around positive security objectives and the processes associated with reporting cybersecurity events? Of note, the private sector has asked what it will cost businesses to meet the new cybersecurity standards, and where that cost burden will lie.”
It is a complex communications challenge, but not dissimilar to issues that governments have helped solve effectively in the past with national, coordinated campaigns. Think Slip, Slop, Slap, the ongoing anti-smoking campaigns, or any number of health campaigns. These aim to register both a broad community benefit and an individual benefit from taking action.
This can work with cyber.
Mr Lennon points to Mimecast’s own authoritative State of Email Security 2021 report for the numbers that illustrate the massive scale of cybersecurity problems across the economy.
In Australia, the report found that an incredible 64 per cent of companies had experienced some form of business disruption through ransomware in the past year, a massive increase from the 48 per cent reported in the previous year.
Of those companies, 54 per cent paid the ransom. Of the companies that paid a ransom, 76 per cent recovered their data, but 24 per cent paid and never recovered their data – a true nightmare scenario for any business. Downtime is also a big impact: the report found that business disruption caused an average of four days of downtime, and for 26 per cent of businesses it was one week or more. This downtime can greatly impact our supply chains and the economy, and underscores the immediacy of protecting our critical national infrastructure.
“If you do the maths on that, you find that the scale of the ransomware ‘industry’ is massive. And that fact is not as well publicised as it should be in terms of communicating why regulation through changes to the critical national infrastructure legislation is so important,” Mr Lennon said.
This article was produced in partnership with Mimecast as a member of the InnovationAus Leadership Council.
Do you know more? Contact James Riley via Email.