The Australian Cyber Security Centre’s first unclassified threat report has established a baseline against which Australian enterprises can track the growing threat and sophistication of online attacks.
Armed with that insight, the ACSC wants more organisations to take responsibility for protecting their vital information resources and computer systems.
The ACSC’s report noted that in 2014, CERT Australia, the national computer emergency response team, responded to 11,073 cyber security incidents affecting Australian businesses.
Of those incidents, 153 involved systems of national interest, critical infrastructure and government. The main sectors affected were energy, banking and finance, communications, defence and transport.
Established in November 2014, the ACSC aims to operate as a form of security clearing house, building a more comprehensive understanding of the risks Australian businesses face. It is a key role given the absence of mandatory data breach notification in Australia, although legislation is expected to be introduced in parliament this year.
ACSC co-ordinator Clive Lines said this first cyber security threat report provided a useful springboard for enterprises that want to start an “informed conversation about protecting their vital information”.
Those conversations are likely to remain behind closed doors, however. The CIO of a leading Australian listed company reflected the hesitancy many IT leaders feel about publicly discussing the issue of IT security when he said: “On most subjects, I love to share my opinion but I’m very hesitant on security. Right now, we’re not doing it well and I don’t want to expose us on our vulnerabilities.”
Despite that wariness, Lines said: “If every Australian organisation read the report and acted to improve its security posture, we would see a far more informed and secure Australian internet presence.”
To at least broach the subject with senior executives, Australian software company Nuix, which provides forensic data and security solutions, has hired industry heavy hitter Rod Vawdrey to act as a boardroom security evangelist.
Vawdrey’s challenge will be to grab the attention of senior executives who have yet to grasp what is needed to address the growing computer security threat, despite headline-grabbing attacks last year against Sony and Target in the US, and Telstra and Optus in Australia.
“A lot of people out there have to have an event before they take action,” said Vawdrey.
Former CEO of Fujitsu in Australia and president of the organisation’s global cloud business, Vawdrey has taken on the role of Nuix’s chief operating officer and will leverage more than three decades of contacts across Australia to sell the message about the need to improve security solutions and computer security culture.
This is critical, he said, because “the greatest threat to the human race potentially is a cyber threat”.
Vawdrey said that although there is growing boardroom awareness of the problem, most organisations still try to protect themselves with a perimeter defence. “The fact is that they are in a race against people working out how to get under, over or through walls,” he said. A more sophisticated and holistic approach to computer security is needed in Australia, said Vawdrey.