
How to remain compliant under Security Legislation Amendment Bill…

  • February 3, 2022
  • by Andre Merwe

The recent passing of the Security Legislation Amendment Bill in November 2021 is a clear signal for Australian organisations to take cybersecurity far more seriously – with heavy consequences if they don’t.

As the number of cyber-attacks is increasing every day, critical organisations and systems around the world are already being jeopardised – by both private and state-sponsored threat actors.

With eleven sectors being newly classified as critical infrastructure, many organisations are scrambling to understand how to comply with the rigorous new measures.

So how can organisations remain compliant under the new Bill and how can they ensure that they themselves won’t fall victim to an attack?

Non-compliance leads to disaster

Whilst a year has passed since the Bill was first introduced, many organisations have understandably not yet taken any actions to improve their security responses.

Unfortunately, it is currently far too easy for hackers to successfully target organisations of all shapes and sizes, and this Bill is the wake-up call that many need.

Failure to comply with the Bill can have disastrous consequences:

Vulnerable to breaches

First and foremost, organisations will remain under threat of attack from hackers. Whilst cybercrime may seem like an unlikely occurrence, it has already happened to multiple entities within the Federal Parliamentary Network, in addition to other critical organisations such as medical research facilities and grocery transporters.

Each time a breach occurs, businesses face severe losses in profit, time, and reputation. A serious enough breach can put an entire organisation out of business.

Unable to protect critical assets

While organisations are vulnerable to breaches, many don’t have the infrastructure in place to recognise when they’ve been compromised – which means it’s impossible for them to act quickly or protect key assets.

Without the ability to respond to an attack, critical data and assets can be stolen in minutes, not to mention other, far more sinister consequences.

Putting the lives of civilians in danger

Unfortunately, breaches have put the lives and information of thousands of civilians at risk.

A spate of highly-publicised attacks on the US water supply has recently occurred – including an attempt to poison the water supply of the entire Bay Area in San Francisco.

More locally, multiple government health agencies have been breached in order to steal the health data of Australian citizens.

Regulatory response from the government

In addition to losing critical data and putting the lives of civilians in danger, organisations also face heavy penalties for non-compliance. With fines of up to $110,000 as well as a 2-year prison sentence, it’s clear that complying with this Bill is crucial to the safety of everyone involved.

Adopting the right mindset is key to success

Organisations will need to adopt a new mindset when it comes to complying, as those with a simple checklist mentality will remain more vulnerable than their counterparts that choose to build an agile and responsive culture around risk awareness.

When it comes to cybersecurity, organisations are only as strong as their weakest link. Threat actors are incredibly efficient at finding shortcomings and exploiting them, and it’s imperative that organisations can improve all aspects of their security.

We must get the basics right, and we must focus on ultimately stepping through a maturity curve development around our abilities to respond to security threats.

Andre van der Merwe, IRM Practice Director APJ

Starting your journey to compliance

There are multiple steps that organisations need to take if they want to become compliant and protect against attacks.

Acknowledge the problem

The first step is to acknowledge the problem – the moment that it is acknowledged, organisations can start to work on how to address it.

Ultimately, this is going to be a journey that will require investment across the entire organisation – from the budget capability to change management and new process development. Organisations must look at this end-to-end and recognise that it’s going to be a maturity journey that can take several years.

Build your plan

It’s vital to put together a view of the current state of the organisation’s security and defences to be able to compare it to the minimum requirements needed. This will give you the ability to build a strategy and action plan.

This plan will drive your budget decisions which in turn will drive the hiring decisions, which drive the processes and capabilities that you must focus on building.

Work with a partner

Many organisations may not have the capability to build a plan or put it into action for several reasons, whether it’s a lack of people, knowledge, or experience. Undertaking such a massive and long-term project will require support from a partner that can help.

When it comes to finding the right partner, organisations should look for:

  • Practical industry experience – a key differentiator between risk management firms is the experience of their people. Whilst an understanding of the industry is great, having practical experience putting measures in place is key to aligning outcomes to the business; and
  • An agile platform for risk management – without the right technology or platform, organisations can’t put the proper measures in place to proactively defend against threats. You should look for a partner that utilises a modern and agile platform to manage risk awareness and compliance.

The positive effects of enhanced security and defences

Putting into place new policies and measures to become compliant under the new Bill will benefit your organisation (and the Commonwealth) as a whole:

Avoid the deep cost of an attack

A compromise of critical data now carries far costlier consequences under the new Bill, so organisations that can protect and defend their critical data against a breach will avoid those costs.

Protect national security interests

A massive event that compromises the security of national infrastructure, as well as the lives of civilians, can have catastrophic effects on the entire country. As a critical infrastructure organisation, your continued security and defences can prevent such an event from occurring.

Deliver better outcomes for your people and clients

Adopting a culture around risk awareness will have a ripple effect across the entire organisation – from your people delivering higher quality work to improving your response rates to any sort of emergency or unexpected event (beyond just cyber).

Simply put, creating a culture around risk awareness will benefit your organisation from top to bottom.

Make fewer mistakes on your journey to compliance

Working with the right partner will ensure that your organisation is able to comply much more easily and make fewer mistakes on the journey towards compliance. A partner may be able to see opportunities that you may not and can make the journey smoother.

Take the first step towards compliance with Enable

As with every major change, it will take time for organisations to understand how to become compliant and put plans and strategies in place. It can be difficult to even get the right buy-in needed to start planning.

Having worked with multiple organisations to manage their risk awareness, Enable is uniquely placed to provide a helping hand to organisations that are struggling to understand this Bill and what it means for them.

Our team boasts the expertise of former security operations managers with practical experience in cybersecurity. We utilise the ServiceNow platform for your risk awareness so that you’re able to stay ahead of events, automatically identify risk events, monitor the impact of project risk, and more.

We have also spent the past year developing a new ServiceNow solution pertaining to the Essential 8, which is applicable to all types of organisations but especially important to those identified as critical infrastructure. The Australian Cyber Security Centre (ACSC) has recommended the Essential 8 as a baseline to make it harder for adversaries to compromise systems.

Contact us today to learn more about our IRM capabilities and how we can work together to help you become compliant under the new Bill.

Andre Merwe

Andre.m@enableps.com
