Cyber awareness among Australian businesses has improved over the last two years, but it may still take the first widely publicised example of a company being penalised under data protection laws to permanently change our cyber culture.
“Things are moving,” says PwC Asia Pacific Cyber Lead Steve Ingram of the growing depth of understanding of cyber issues within Australia’s corporate leadership. “At the boardroom level the discussion is getting more mature, and whilst the boardroom is not full of cyber specialists – nor should it be – the issues are well understood and we are seeing a lot of boardroom folk taking the matter seriously.”
National mandatory data breach regulations went live in February and have lifted awareness around the need for cyber risk insurance; however, Mr Ingram believes the new legislation’s true impact is yet to be felt.
The first widely publicised case involving the mandatory disclosure of a data breach is likely to “get heads turning”, he says.
The laws will have a major effect on general cyber consciousness “once there’s been an example of the laws being applied”, says Mr Ingram who will deliver a keynote at the InnovationAus.com Cyber Leaders: The Collaborative Imperative event in Sydney on May 15.
“Given there’s been no demonstrable action taken in a landscape where there’s a lot of noise about other things like Royal Commissions and other compliance activities, unfortunately people may be thinking ‘it won’t be me, it will be someone else’.”
“A lot of organisations are confident in their systems at the moment, but whether that confidence is well founded or not is yet to be tested,” says Mr Ingram.
The principle of ‘shoot one and terrify a thousand’ has yet to come into play.
It could be that the biggest lift to local cyber consciousness comes from Europe, where the EU General Data Protection Regulation (GDPR) becomes enforceable from May 25.
Australian businesses may be caught by GDPR if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
GDPR penalties for non-compliance range up to €20 million or four percent of global annual turnover, whichever is higher.
“I think the one that will terrify will be the GDPR because the financial penalties are four percent of global turnover – these are serious penalties,” says Mr Ingram. “That will get heads turning.”
Then there’s the issue of how a company responds to a breach. Markets are increasingly judging organisations on that response rather than on the breach itself, Mr Ingram says.
“People are starting to realise the market will judge not that they have been breached but how they respond to a breach.
“Millennials will happily share information with you online but they expect you are going to protect it. Most damage is done not by the actual breach but by the organisation’s response to the breach.”
The reputational damage comes when the response is “ham-fisted, not well thought out and looks like they are not in control.”
“Yet if they pause (after a breach) and really think about what they are doing the market won’t be as brutal to them.”
The Federal government’s National Cyber Strategy, launched two years ago, has been effective at raising cyber awareness, Mr Ingram says.
“It does get the message out there that the nation is serious about this and that we do need to look at our collective response to make the economy stronger by working together. Government and individual organisations can’t do it on their own.”
Federal Cyber Security Adviser Alastair MacGibbon gets a tick for his stewardship, as do the Coalition’s Dan Tehan and newly appointed Minister for Law Enforcement and Cybersecurity Angus Taylor. He also ticks the Coalition’s decision to make cyber a federal budget item.
“The government’s continued to improve that (cyber initiative) and has now created the Australian Cyber Security Centre.
“The other thing the government’s doing well is that they will share their embarrassing laundry. They will talk about the breaches they have had and the breaches their contractors have had.
“This is an example of how private companies should be disclosing their issues,” says Mr Ingram. “It is leadership from the front.”
Despite some progress, the Australian cyber workforce is still short of troops and in need of non-degree courses to fill the ranks. Tech college courses are part of the answer, says Mr Ingram.
“We are still short of talent and we are seeing recognition that not everyone in cyber needs a degree. Victoria and NSW have TAFE courses. You can put someone through a TAFE course and have them as a security operator monitoring screens and taking initial reactions.
“That’s great. It gets more people in the workforce faster and they can continue to upskill if they want to do a degree later on.”
While there are more tertiary cyber degree subjects being taught, Mr Ingram believes academia has more work to do in developing the tertiary cyber arena.