This morning, PM Scott Morrison announced that Australia’s government and institutions are being targeted by an ongoing, sophisticated “state-based” cyber-attack. According to Mr Morrison’s address, the attacks are widespread, covering “all levels of government” as well as essential service providers and businesses.
Although Mr Morrison emphasised that the attacks are not new, he did stress that the activity has been increasing in frequency over a number of months, with the upsurge in such activity providing a stark warning to the government and private sector to shore up their defences. This would appear to be part of a worldwide trend in an increase in cyber attacks – including against the World Health Organisation.
This recent spate of attacks serves as a timely reminder to organisations to review and refresh their cyber-readiness and data breach response plans.
Implementing (and ensuring any IT suppliers are required to implement) robust preventative IT security systems and controls is critical. All too frequently, human error is the weak link in any organisation’s cyber defence and the proper training of staff is critical.
While specific laws regulate how critical infrastructure providers must secure their assets, all organisations ought to ensure that their cyber-readiness and data breach policies are up-to-date and fit for purpose – particularly at a time where there appears to be an increase in cyber attacks.
Any robust cyber plans will include a data breach response plan. Being able to detect and act quickly in the event of a data breach is vital to limiting any potential loss (financial, reputational and regulatory) following a cyber breach. The Australian Cyber Security Centre (part of the Australian Signals Directorate) is the Australian government’s lead body on cyber security matters, and organisations and individuals are able to report cyber attacks to it.
Where personal information is involved, the Office of the Australian Information Commissioner (OAIC) has developed a user-friendly guide designed to assist organisations to prepare for and respond to data breaches in line with their obligations under the Privacy Act 1988. For more information on this topic, please see our previous articles (Can you hack it? Are you prepared for a cyber incident? and Mandatory Data Breach Notification laws are coming...are you ready?).
For market-based economies like Australia, the private sector provides a multitude of rich targets for state and non-state actors to cause disruption to the Australian economy and society. It is incumbent on all organisations to ensure that they put themselves in the best position to prevent, respond and deal with any cyber attacks.
Authors: Andrew Hii and Nikhil Shah