Australia is now more at risk than ever from attacks on society, according to security experts.
The warning comes after a significant data breach at telecommunications giant Optus, with the personal information of up to 9.7 million customers stolen by hackers.
Following amendments made to the Security of Critical Infrastructure Act 2018 (SOCI Act), which took effect on 8th July, many more Australian businesses are now subject to strict 12-hour cyber incident reporting requirements.
Furthermore, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) from April 2022 introduced a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
However, a global report by security expert Thales, "Cyber Threats to Critical Infrastructure 2022", has found that critical infrastructure industries around the world are still facing major challenges and gaps in their approach to protection and risk management.
A lack of protection around cloud-hosted data and apps, combined with a rise in the scope and severity of attacks in the past 24 months, has increased the threat level from hacktivists and nation-state actors.
When it comes to Australia, Thales Cloud Security ANZ Director Brian Grant said there are specific challenges.
"Previously, few viewed Australia as a significant global defence player, posing minimal threat to the strategic interests of other countries.
"This changed significantly in the last two years with Australia's membership of security pacts, AUKUS and The Quadrilateral Security Dialogue (The Quad), placing us firmly in the 'democracy bloc'. As a result, we have become a target. We are now more at risk than ever from attacks on our society.
"Attacks on our critical infrastructure and essential services are not always financially motivated. Malicious actors often want to significantly damage things or cause physical harm to people. The reality, therefore, is that many companies may have already been attacked without knowing it.
"Once malicious actors have compromised their target, they often stay hidden under the radar, ready for an economic, geopolitical, or financial event before they attack.
"The pandemic has reshaped and extended what Australians view as 'critical'. Retailers and logistics providers have proved to be just as vital as utility companies and telcos.
"Now, many industries and organisations that have never had to worry about Government regulations must comply with strict requirements.
"Those that have recently been added to the critical list are the ones finding it hard, because there is not yet a standardised or coherent approach to critical infrastructure cybersecurity within their industry."
Organisations that operate within critical infrastructure industries need to do six things to increase protection levels, according to Grant.
1. Assess what's truly important to the sustained functionality of the organisation.
2. Map that onto physical and digital assets within the organisation to discover the critical elements that must be protected.
3. Treat the assessment of critical elements as an instinctive and embedded process. Assets and data are continually evolving, so one-off audits will quickly become outdated.
4. Apply security as soon as critical data or infrastructure is identified; don't wait.
5. Protect sensitive data and infrastructure at rest, in motion and in use, making it useless if accessed by an unauthorised individual.
6. Control access with multifactor authentication and centralised key management across on-premises and hybrid cloud environments.
"The key takeaway is that securing the edge is no longer a sufficient approach to minimising the impact of attacks on critical infrastructure. The CEO's laptop might be important to him or her, but it's unlikely to be critical to the ongoing functionality of the business.
"Organisations must ensure they are protecting their vital assets and data to avoid significant financial damage, loss of employment or, even, loss of life."
