The risk of cyber attacks on critical infrastructure is on the rise. All countries must heed the wake-up call that no nation is immune from attack, and act with a sense of urgency to strengthen cyber resilience at national, organisational and individual levels.
While recent cyber attacks appear sophisticated, many hacks are the result of poor cybersecurity hygiene and a breakdown in cybersecurity processes and procedures. A case in point: the hackers that took down Colonial Pipeline — the largest fuel pipeline in the US — accessed the network using a compromised password for a VPN account. It is a textbook breach of the kind that keeps every cybersecurity professional awake at night.
The federal government has proposed new laws to harden Australia’s cyber posture, recognising that threats are evolving rapidly, and criminals are expanding their targets.
Under the Security Legislation Amendment (Critical Infrastructure) Bill 2020, government departments — and the soon-to-expand list of sectors deemed ‘critical national infrastructure’ — will need to scrutinise supply chain partners and their security protocols. It underscores the importance of keeping internal security incidents to a minimum to reduce lines of attack.
Critical partnership in cybersecurity supply chain
Individual companies will need to review cybersecurity practices to ensure they align with government and industry standards. Government departments need to carefully review and vet security partners in their own supply chain to ensure they satisfy the requirements of robust cyber resilience.
In an effort to lead by example, the federal government is investing in the cybersecurity posture of its own agencies through the National Data Security Action Plan, ensuring that governmental departments walk the talk.
Privacy incident reporting — individual weaknesses
Resilience across private and public sector organisations and departments, while guided by a national security framework, involves day-to-day protocols around managing privacy. This is where Australian organisations have weak links, according to Mimecast privacy research, which revealed around one-third of organisations fail important security provisions by not providing detailed privacy briefings when on-boarding new staff, regular training on privacy and protecting personal information, secure data transfer processes and comprehensive remote work protocols.[1]
Mimecast’s research also found government fared better than most industries at committing to awareness training.[2] However, public sector staff fell short when it came to reporting all privacy incidents, with 31% not declaring an incident, compared to 19% across all sectors, indicating a real need to address this element of training.
Other Mimecast research shows that 76% of companies have been hurt by their lack of cyber preparedness.[3] Human error has been found to be involved in the majority of cyber incidents, and the risk increased drastically as remote and hybrid work patterns became the norm. With the wave of cyber attacks, many government departments and organisations are simply struggling to keep up, which is why we’ve designed an Enterprise Cybersecurity Platform to help mitigate cyber risks and address the ongoing cybersecurity challenges.
Slip, slop, slap for cyber
To navigate this complex and higher-risk environment, investment in a broad public awareness and education strategy, much like the hugely successful ‘Slip, Slop, Slap’ sunscreen campaign of the 1980s — or the more recent ‘Dumb Ways to Die’ Melbourne Metro safety campaign — is essential. Cybersecurity now requires the same constant awareness of, and reminders about, responsible behaviour as sun and transport safety.
At Mimecast we process tens of millions of emails every day across Australia and from around the world, allowing us to see and block many attacks before they impact local organisations. We are part of the national threat intelligence community, sharing our own intel and receiving insights from the government to help better protect all levels of Australia’s government, industry and citizens. This is what we call “community defence”.
[1] Source: ACA Research commissioned by Mimecast, April 2021
[2] Source: ACA Research commissioned by Mimecast, April 2021
[3] Source: Mimecast State of Email Security Report 2021