This opinion piece by Patrick Wright, CTO NAB, was first published in The Australian Financial Review on 5 June 2023.
Masses of data, the privacy of millions of Australians and the stability of our biggest businesses are disappearing in seconds. If the recent high-profile cyber breaches taught us anything, it's that cyber-attacks are increasingly devastating to our community. The importance of a national cyber security response cannot be overstated.
Cyber criminals are organised, trans-national gangs; often basing their operations in countries beyond the legal reach of their victims and law enforcement agencies. They target households, governments and businesses and sometimes are more appalling than we can imagine, such as the recent attack on the Crown Princess Mary Cancer Centre.
These are just the tip of the iceberg in terms of what cyber criminals are capable of. They serve as a poignant reminder that cyber security can't be achieved as a solitary endeavour. It requires coordination, communication and a shared commitment to protecting our digital infrastructure and our fellow citizens.
The Government is rightly preparing for more of these injurious breaches. Its announcement in April to conduct a series of cross-sector cyber war games is a welcome step. It's another important example of how we're working with Government - alongside our own investment and preparedness - to tackle the challenge. Efforts like these place Australia among countries showing the greatest progress and commitment to enhancing cyber security, according to a new Massachusetts Institute of Technology (MIT) report.
Yet our smallest businesses continue to be relentlessly targeted by criminals. Last year, they were the number one victims of cyber-crime with a reported loss of $33 billion. This adds to the pressure small business owners are already under as they face continued cost pressures, labour skills shortage and rising inflation.
As Australia's largest business bank, we take cyber security seriously. Our defences are up 24/7 through our global security capabilities, where we're blocking more than 50 million attacks on our digital channels every month. We've invested years to deepen our relationship with the Australian Cyber Security Centre (ACSC), law enforcement and other government agencies to share threat intelligence and resources, because we all have a collective responsibility to protect our community.
A cross sector approach to protect our most vulnerable
Cyber security in Australia has a strong foundation, but a robust economy with a thriving digital ecosystem at its core requires ongoing regulatory reform to build on our cyber security regimes.
Initiatives like Clean Pipes can be hugely beneficial. It requires industry and government to share threat intelligence and work alongside telcos to block malicious activity at the national level, and before it reaches the customer.
Some telcos are paving the way with their own Clean Pipes program, but it's not yet mandated, creating inconsistent protections for Australians. More work needs to be done to encourage - and where necessary - mandate the private sector to embed cyber resilience at a national level, so Australian businesses and individuals are protected at the earliest stage possible.
Encourage free flowing information sharing
Regulatory reforms aren't effective on their own. We also need to support education, awareness, and skills development for those that need it most. The demand is there; in the last three years, we've helped more than 13, 000 businesses and individuals with cyber security training. But the lack of education, combined with a fear of being blamed, shamed or held responsible if attacked, has meant many victims resist sharing intel. We need free flowing information sharing between industry, government and the community. Without it, we simply will not be effective.
The recent debate on whether fines should be imposed on organisations who have paid a ransom is in no way restorative. It imposes further impact on victims and could cause companies to withhold information sharing which is critical to an effective cyber response. Paying a ransom and negotiating with cyber criminals is never advised, but many businesses feel trapped into thinking it is their only option. Alarmingly, about 80 percent of businesses that faced a ransomware attack last year chose to pay it. Introducing rigid regulation to prohibit payment of ransoms could backfire, causing businesses to pay the ransom and neglect to report it.
What we need is a Safe Harbour, where information can be safely provided to agencies such as the ACSC during a cyber incident to encourage full, frank and prompt disclosure by businesses who are being attacked, without fear. The more intelligence that government, industry and the community can share about what threat actors look like, the better our collective response can be.
If we are going to make Australia the most cyber secure country in the world by 2030, it's going to take a 'Team Australia' approach to get us there. Cyber criminals are tenacious. They are good at what they do, and so we must be better.