Thursday, 23 November 2023 The Federal Government has released its long-awaited cybersecurity strategy. It came with a reported allocation of an additional $587 million in expenditure and 20 promised actions. These actions form six ‘shields’ the government intends to build by 2030 to make Australia a world leader in cybersecurity. They are: Strong businesses and citizens; Safe technology; World-class threat sharing and blocking; Protected critical infrastructure; Sovereign capabilities; and Resilient region and global leadership. In this long and ambitious to-do list, what matters most to medium to large businesses? As cybersecurity experts, here is our take on the most important actions in the strategy. Extend the reach and accessibility of cyber awareness programs We know from responding to cyber incidents that the vast majority of these incidents happen as a result of human actions, whether through mistake, ignorance, carelessness, or even malice. Cybersecurity education is essential to reduce these risks and contribute to the security of every business. Enhance the visibility of and guidance for ransomware threats Individuals and businesses face increasing and everchanging threats. Understanding and mitigating these threats is essential. While it has flow-on implications for anti-money laundering and counter terrorism financing for business in Australia, a focus on enhancing visibility and providing guidance by the government is a good thing. Clarify business expectations of cyber governance The governance expectations on businesses in terms of cybersecurity are increasing. This is important to protect businesses and therefore the national economy. However, many businesses find it difficult to understand the risks they face, what is required of them in terms of governance and how to comply. It is not uncommon for businesses to do nothing because they do not know where to start, rather than seek help. Promote access to trusted support after an incident This can be critical for businesses that experience a cyber incident. We see so frequently that the incident response support engaged by the business to restore its systems fails to appropriately investigate the incident and find out who was responsible and what data was exfiltrated. In the process, they often inadvertently destroy evidence that may be necessary for regulatory, insurance, or court purposes. It is vital during the incident response and forensic phase that the integrity of the data is preserved and handled with utmost care from collection through to analysis. Should the matter end up in court, easily defensible reports that outline the chain of custody and analytical methodology are crucial. Protect our datasets of national significance This is crucial from a national resilience and business operations point of view. Critical infrastructure outages can bring much of the nation to a standstill. Thus, it is essential to identify the most important data to the business and the data most likely to be targeted by threat actors, then make sure it is secure through appropriate risk management approaches such as access controls and encryption. It’s also good to ensure that data minimisation techniques are employed so unnecessary data can be safely disposed of when no longer needed. Support safe and responsible use of AI Artificial Intelligence is bringing great advantages to our nation, how it goes about on a day-to-day basis, and the benefit it brings to operational efficiency for businesses. But it also comes with cyber threats. AI-based threats include the use of AI to create ever more convincing phishing messages, which can now look and sound even more as if they come from real people, increasing the likelihood of the scam’s success. A focus on this by the Government is prudent and welcome. While we welcome the intent of the strategy and the actions outlined, we are concerned that the reported funding will be inadequate to achieve these ambitious goals and fund so many programs over the years to 2030. Despite this concern, we would like to see the strategy succeed and for Australia to indeed become a world leader in cybersecurity.