A government advisory group’s report on ransomware calling on Australian businesses to implement basic cybersecurity practices to mitigate risks is a “missed opportunity”.
The Cyber Security Strategy Industry Advisory Committee, formed late last year and dominated by big business, released a report on Wednesday outlining the threat posed by ransomware, and the basic steps businesses can take to mitigate the risks.
In contrast to a paper on the ransomware scourge released by the Opposition last month, the government’s expert committee does not include any recommendations for government or any calls for new policies. Rather, it focuses on what businesses should be doing, such as implementing the Essential Eight baseline features.
The recommendations include basic steps such as multi-factor authentication, regularly updating software, training staff in cybersecurity, data lifecycle management, backing up data and built-in security features.
The report has been backed by Home Affairs minister Peter Dutton, who is responsible for cybersecurity and who said businesses should move to implement the recommendations quickly.
“Cyber criminals continue to see Australian businesses as an attractive target and ransomware is a particularly disruptive form of cyber-attack that can have devastating impacts,” Mr Dutton said.
“The good news is that many ransomware attacks can be avoided by implementing basic cybersecurity controls and I urge businesses to take the time to review the advisory committee’s advice.”
The Labor discussion paper, released by shadow assistant minister for cybersecurity Tim Watts, instead calls on the government to develop a National Ransomware Strategy and take actions to reduce the attractiveness of Australian businesses for hackers.
The advisory committee’s ransomware report “falls short of acknowledging the scale of the $1 billion problem”, Mr Watts said.
“Instead of using the opportunity to launch a debate about the role government can play in shaping the calculus of ransomware gangs sizing up Australian organisations, the Morrison government continues its approach of playing the blame game,” Mr Watts said.
“It’s not good enough to tell businesses to defend themselves by ‘locking their doors’ to cyber-criminal gangs. The Morrison government must do more to actively tackle the ransomware threat and develop a National Ransomware Strategy.”
The committee, which originally offered recommendations on the development of the 2020 cybersecurity strategy, has been criticised for being dominated by big business interests, although representatives from some smaller cyber firms have since been added.
The committee is chaired by Telstra chief executive Andrew Penn, and includes representatives from NBN Co, Northrop Grumman Australia, PwC and Macquarie Group. It also includes AUCloud chair Cathie Reid and FibreSense chair Bevan Slattery.
The 14-page paper warned ransomware is one of the “most immediate, highest-impact cyber threats to Australia”, and said that Australian businesses can’t be complacent, and must take action and understand their legal and regulatory obligations around the issue.
Along with the Essential Eight mitigation strategies, the committee also called for companies to ensure boards are aware of the risk and actively addressing it, and that cyber insurance isn’t relied upon as a strategy in itself.
“Ransomware is one of Australia’s fastest growing threats as business spends more and more time participating in the digital economy,” Mr Penn said.
“There are countless businesses that are attacked every day in Australia, and, in some cases, those victims could have prevented or minimised the financial loss and emotional impact they faced through the use of simple cybersecurity controls and employee education.
“This paper is an important contribution to helping Australian businesses understand the risks of ransomware and prepare accordingly by drawing from the committee’s diverse experience.”
Mr Watts’ ransomware paper instead focused on what actions the federal government could take to mitigate the risk and make Australia a less attractive target for malicious cyber actors.
These policy recommendations included increased law enforcement, targeted international sanctions, offensive cyber actions and the regulation of ransom payments.
“Ransomware is a jobs and investment destroyer at a time when the nation can least afford it. We need a new approach. It’s past time the Morrison government developed a comprehensive national ransomware strategy,” Mr Watts said.