Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers.
Rather, there are three new regulatory forces, each targeting a specific part of the cyber security posture of the Australian economy, and the businesses they cover will face regulatory consequences if they fail to keep up.
There are lessons to be learned from all three of these external obligations. At a simplified level, the NDB scheme addresses the security of people's data; the Security of Critical Infrastructure Bill addresses the technology that supports our lives; and CPS 234 addresses the processes and governance that protect our wealth.
In short, it is people, technology and process.
In February, the NDB scheme went live, and we have since learned that in the first three months of this year 63 eligible data breaches were notified to the Office of the Australian Information Commissioner.
The purpose of the NDB scheme is to encourage organisations to understand what personal information they hold, understand the impact that an unauthorised disclosure could have on the people that information is about, and make informed decisions about how to pragmatically protect this data.
In other words, they have to respect the people by respecting their data.
Australia also has the recently passed Security of Critical Infrastructure Bill, which places significant emphasis on critical infrastructure organisations having a clear and current view of their assets, as well as of who owns and who can control those assets – financially and electronically.
There is incredible value in knowing what assets you’re actually dealing with. This is visibility at its simplest and enables better decisions, responsible application of resources, and faster responses.
It is also important to be able to accurately anticipate the interactions between the physical and the cyber domains, so a higher level of maturity in asset management and deep insight into the supply chain are now expected.
The third external obligation is APRA’s draft of Prudential Standard CPS 234.
This document states up front that, “The board of an APRA-regulated entity (the board) is ultimately responsible for ensuring that the entity maintains the information security of its information assets in a manner which is commensurate with the size and extent of threats to those assets, and which enables the continued sound operation of the entity”.
There’s a lot to unpack from that sentence, but I think the key word there is “commensurate”. Who decides what is commensurate?
It won't be decided by a regulated entity in a vacuum; cross-organisation and cross-industry comparisons will play an increasingly important role.