The Australian Government has proposed changes to the Security of Critical Infrastructure Act 2018 to include a broader range of industries. If you operate in one of these industries, there may be important changes you need to know about.

If you think cyber security is only important for high-risk sectors, think again. A whole range of industries are vulnerable to cyber-attacks and data breaches. And the government agrees.

They’ve recently proposed changes to the Security of Critical Infrastructure Act 2018 to include more industries that aren’t traditionally considered “critical infrastructure” like banking and finance, communications, education, research, food and groceries, health, defence, and transport.

So if you operate in one of these industries, there may be new security rules you’ll need to comply with or risk possible fines.

Changes to the Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act has been around since 2018 and was created to protect Australian infrastructure against espionage or cyber-attacks that threaten national security. Until now it’s only covered “high-risk” sectors: ports, gas, electricity and water. But this is about to change under proposed reforms that have been sent out for consultation. If the changes are accepted, the Act will be broadened to include more industry verticals. Sectors being discussed include:

  • Banking and Finance
  • Communications
  • Data and the Cloud
  • Defence
  • Education, Research and Innovation
  • Energy
  • Food and Grocery
  • Health
  • Space
  • Transport
  • Water

Unlike traditional critical infrastructure sectors, many of these industries haven’t considered themselves a target for cyber criminals. Consequently, cyber security hasn’t been a high priority for many organisations that operate in these industries, with banking being a notable exception.

By putting a framework in place, currently termed “positive security obligations”, the government is hoping to make organisations more accountable and address security issues that may impact not only infrastructure, but also services and supply chains that are critical to our economy.

Expanding on existing data breach protection laws

The Notifiable Data Breach (NDB) Scheme, which has been in force since 2018, applies to virtually all businesses turning over more than $3 million annually. If you store personal or confidential customer information and it is accessed or stolen, you must notify the affected individuals (and the Office of the Australian Information Commissioner). Failure to do so can result in fines in excess of $2 million.

Consider the personal or confidential client information the average user may hold on a mobile phone, on a laptop or tablet, or in email or a cloud service. These are all items that are easily stolen or compromised through phishing attacks, and all of these instances are notifiable data breaches.

The Notifiable Data Breach scheme was put in place to protect individuals; most organisations would prefer to sweep a data breach under the rug, rather than deal with the reputational fallout or litigation that may result from mishandling personal information.

Just as the government is looking to enforce “positive security obligations” for critical infrastructure, the NDB scheme was introduced to make businesses handling personal information accountable to their customers. Should they choose not to do the right thing for fear of the reputational or financial damage they may incur through litigation, they will become liable to substantial fines.


So what’s changing?

The reforms are currently in discussion and there’s still speculation around what the changes will be.

One topic of contention is whether the government should have overarching power to access privately owned systems to remediate and forensically identify where the breach has come from and what’s been compromised.

Initially it looks like the government won’t audit for compliance with the “positive security obligations”. However, if your organisation is breached and you’re not adhering to the guidelines, you will likely be liable for fines. What those fines will be is still up for debate.

The only certainty is that your organisation’s approach to infrastructure and information security will look very different to what most organisations are doing right now.

The team at S5 Technology Group is monitoring the changes closely and will keep you up to date with the situation as it unfolds.


Three simple measures to protect your organisation

Although the changes to these laws have not been finalised yet, it’s important to start prioritising your organisation’s security ahead of these changes. Here are three things you can do now to protect your organisation:

1. Assess your security posture

  • Understand your exposure.
  • Understand the types of data your organisation holds and where it resides.
  • Understand how this data may be breached or how your systems can be compromised (your attack surface).
  • Understand the impact to your business should a cyber-attack occur. The impact to a business is often multifaceted:
    • Financial damage through lost revenue.
    • Financial damage through government fines for not adhering to the respective legislation.
    • Financial damage through litigation from customers or associates.
    • Reputational damage which often results in a mass exodus of clients.

Information Security and Infrastructure Security Audits should be carried out by experienced cyber security professionals to provide your organisation with a detailed understanding of your security posture.

2. Put measures in place to ensure that ALL attack surfaces (devices, applications, cloud and systems) are protected

Many industries noted in the proposed legislative changes operate their IT environments in line with small business practices, and have not seen the value in investing correctly in their IT systems. Ultimately, this is why the government has been forced to introduce legislation to ensure that organisations considered critical to the economy and the Australian way of life are resilient to a cyber-attack.

Most organisations noted in this legislation will have a security baseline of Antivirus software on their endpoints, firewalls at their network edge, spam filters in some instances, and cyber-insurance, believing that they are protected.

Unfortunately, this could not be further from the truth.

With more companies transitioning to cloud computing to support an increasingly mobile workforce, an organisation’s security stack must be larger and more complex than ever.

A common belief is that migrating data to the cloud removes the security risk; however, this is a myth. If you have acquired or are responsible for the systems and/or data, regardless of where they reside, your organisation is responsible and liable for any compromise. Cloud service providers, such as Google, Microsoft and Amazon, make it very clear they are not responsible for a breach. The responsibility is on you. All major cloud providers offer integrations with robust security solutions to provide adequate security, although most organisations forgo this.

Another consideration is using devices outside of the office. Many companies have made significant investment in firewall protection to prevent advanced attacks. But when people take their laptop out of the office, they lose this protection. All of a sudden the laptop, with its email and access to all corporate systems and information, is vulnerable.

And if you allow employees to Bring Your Own Device (BYOD), these should be included too. If a device has access to the data in your organisation, it’s the organisation’s responsibility to secure this.

Mobile phones often have access to many corporate systems, if not as many as a laptop or desktop computer. In many organisations, mobile phones are the weakest link, whereby phishing or smishing attacks can capture private and confidential information, including corporate credentials, completely undetected.

Make sure you have a BYOD policy in place to protect yourself. Whether that’s sandboxing (separating off corporate data and applications within that device) or choosing to fully manage that device, each organisation needs to find the best option based on the data they’re holding and the risk that presents.

The path to securing your information and systems may seem daunting, but it’s not!

If you fully understand your Security Posture, you can implement a Zero Trust Security architecture that provides protection at every entry point and every point of compromise.

Zero Trust Security architecture ensures that all your devices, systems, cloud environments and users are secured, and provides centralised logging and forensics to ensure that your organisation is protected.

3. Implement and maintain organisation-wide security policies

Make sure you have both infrastructure security policies and information security policies in place. These take the information gathered when assessing your security posture and help you understand what data you have, what your risk is, and what systems or processes are in place to address that risk.

It’s important to note that what works for one organisation is not going to work for another; there’s no one-size-fits-all policy with security.

Your security policies must constantly evolve with your organisation and be frequently audited to ensure compliance, and identify new data, systems, attack surfaces and organisational risk.

Time to act

Although the changes to the Critical Infrastructure Act haven’t yet been finalised, the Notifiable Data Breach laws are already in full effect. By taking some simple steps to secure your data now, you can protect your organisation (and your valued customers) from damaging data breaches.

 

The S5 Technology team is keeping abreast of this changing legislation. We can ensure your organisation remains compliant in line with the changing environment. Get in touch to see how we can help you.

 

About the Author

Guy Coble is the Managing Director of S5 Technology Group and an experienced Network and Security Engineer with a depth of experience in Data Centre, Network and Critical Infrastructure Security.

S5 Technology Group is an award-winning Managed Service Provider and Enterprise System Integrator, with offices located in the Central West and Mid North Coast of New South Wales. S5 Technology Group provides design, deployment and management of data centre, network, and security environments for Government and private enterprise.