The launch of the National Cyber Security Strategy in 2016 was a positive step toward securing Australia, but there is still more to be done, according to Jeremy Hulse, General Manager, Cyber Security, Australia and New Zealand, Thales Group.
“We’ve gone for 18 months with high level discussions, but the action time is upon us,” he said. “I am aware of some of the areas they are starting to implement, and they are strong steps forward, but it’s a massive task.”
The main barrier to a more effective cyber security posture in Australia is simply the fact that it is such a huge task. Because of this, we are still essentially scratching the surface, and the biggest issues still need addressing.
Mr Hulse points to the recent Australian Cyber Security Centre’s Threat Report as an example. The report cites the fact that many computer networks are still being compromised by known vulnerabilities that have existing solutions.
The report also goes on to say that too many incidents that the ACSC responds to could have been prevented by established and straightforward cyber security measures.
With over 30 years in the cyber security area, Mr Hulse has pretty much seen it all, but he said the reality comes back to the fact that cyber security, at its core level, is a business risk.
He said that there are essentially two schools of thought when it comes to security. The first is that there is lots of talk about policy and procedures, and the second is the actuality of an attack.
“The challenge is the gap between those two things,” he said. “Policies and procedures are critical, but you need to actually do something about them today.”
The common ground for business is having an idea of where you want to be from a cyber security perspective, and a vision of where the business wants to be. Every company needs to decide for itself where the tension point is between locking everything down and enabling flexible business.
As far as the government is concerned, in terms of making national cyber security investments, it becomes a matter of understanding and addressing what business, the general community and consumers need from cyber security infrastructure.
“Every dollar that the government spends is pushing in the right direction in terms of national cyber safety,” he said.
A recent report from ASIO found that the Agency is unable to keep up with the growing level of espionage and foreign interference being carried out in Australia. It also found that the level of interference in Australian government, defence and economic interests was massively expanding in its scope and complexity.
This is where an informed national conversation about cyber security is critical.
Mr Hulse said that there is still a large disconnect in business and consumer understanding of cyber security issues, and education is something that business and government could spend more time and money on.
There are early adopters, he said, who spend the money and go off and do something about cyber security, but it’s the next level down where the confusion lies.
“In many cases people are unaware of the issues, and so it becomes a hidden threat,” he said.
One of the solutions to this knowledge gap is to start cyber security education early, when people are still in school. It doesn’t need to be a highly technical education, but it does need to raise awareness, particularly of behavioural risks, such as how to identify a phishing email and what to do about one.
“This sort of awareness should be promoted,” he said. “It’s more the psychological issues than the technical ones.”
There’s much discussion amongst government and the technical community about whether Australia is training enough cyber security professionals to meet the needs of the years ahead.
“There is a cacophony of noise about training, and yes we need to train people, but they need to be the right people,” Mr Hulse said. “Cyber security is an extension of IT, it’s an extension of psychology, and it’s an extension of criminology.”
He is also positive about the mandatory data breach notification laws that come into effect early in 2018, and said that based on the US experience, Australia is going to have a massive increase in the number of breaches that are made public.
With the arrival of breach notification laws comes the need for boards and businesses to be aware of the reputational risks that will come with a breach, he said. They also need to be aware of the threats posed by bad actors, both non-government groups and nation states.
“We need to give people a life-line, something they can do about it,” he said. “There’s a lot of noise in the marketplace and business owners are struggling to understand where to turn, and what to spend their money on.”
InnovationAus.com has joined with Thales Group as a presentation partner for the upcoming Cyber Security: The Leadership Imperative forum in Melbourne on October 26. You can secure your seat at this important event here.