Industry responds to Home Affairs’ new ‘safe harbour’ business protections

The federal government has announced that it will be introducing new legislation designed to bolster protections for businesses that suffer from cyber attacks.

Daniel Croft
Thu, 19 Sep 2024

In particular, Home Affairs and Cyber Security Minister Tony Burke announced that businesses would be granted a “safe harbour” for cyber security reporting, in which they would be allowed to share the details of a cyber attack against them with government cyber agencies without risking that information coming back to bite them in other investigations.

Now, industry leaders have commented on the new legislation and have largely said the protections are much needed but should not be treated as a get-out-of-jail-free card for businesses that fail to protect data.

Here is what they had to say.


Jaqueline Jayne
The Independent Cybersecurity Expert and Online Safety Specialist

“There is a definite need for more sharing when it comes to unsuccessful and successful cyber attacks of all types. If these ‘safe harbour’ measures prompt more businesses to come forward and share information, we, as a nation, can only benefit from it.

“It shouldn’t, however, remove the basic levels of cyber protections that businesses need to have in place. To that end, it would be beneficial to include a support framework with the goal to increase cyber protections.

“For example, if a report comes in and the cause of a data breach was human error when someone engaged with a phishing email, there should be an audit of awareness and education programs at that business. Depending on the outcome of the audit, the business may need to implement a corresponding program to reduce that risk occurring again.”

Sandro Bucchianeri
Chief security officer, NAB

“We welcome the government’s stance. If there’s safe harbour [rules], then you’re not punishing the victim, essentially.

“I think the other part of it is that collaboration is key.

“We’ve enjoyed our relationship with the ACSC with Abigail Bradshaw [head of ACSC] and the team, in sharing threat intel, because you know for the most part, I’ve got a large security budget … but it’s to help those that cannot afford threat intelligence sharing or whatever the case would be.”

Craig Searle
Global director – cyber advisory, Trustwave

“The safe harbour provisions the government is proposing as part of the Cyber Act are a step in the right direction; however, there needs to be a consistent yardstick by which Australian corporations can measure themselves to in order for directors to then assess the reasonableness of their response and address the concerns raised by the Australian Securities and Investments Commission (ASIC).

“While the Essential Eight is undoubtedly effective as a set of preventative measures, it is very difficult and expensive even for mature and well-funded organisations to achieve, as evidenced in Australian National Audit Office (ANAO) reports such as ‘Management of Cyber Security Supply Chain Risks’. It also does not address response and recovery. This means it is unlikely to be suitable as a nationwide measure of resilience without significant caveats being adopted.

“Over time, it is likely that the scope of the Security of Critical Infrastructure Act will continue to expand to incorporate sectors of interest to the government as the threat landscape evolves. Financial incentives for good corporate behaviour and vice-versa, as utilised in the US, are the most likely method to have a meaningful impact. Cyber insurance also has a significant role to play here, particularly as there are likely to be impacts to a policy payout as a result of disclosure by an organisation.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
