Last month, the Sydney Morning Herald published an article detailing Home Affairs Minister Karen Andrews’ call to counter cyber crimes that, in her words, represent a “real and present danger” to Australians and our economy.
Her presentation to Parliament comes off the back of last year’s Cyber Security Strategy and a new government discussion paper that will consider whether proposed reforms should be dictated by law. New standards could result in company directors being held personally responsible for the cyber crimes against them, which, unsurprisingly, will take cyber security issues straight to the top of board priority lists.
The debate centres around the cost of a mandatory regime – can companies deal with the time and funds commitment of implementing new cyber security measures or will it be too debilitating for them within the context of the current economic recovery? The real question should be: can we afford not to up our game when it comes to cyber security, whether we like it or not?
According to a report released by the Australian Institute of Criminology (AIC), cyber crime equates to an economic cost of around $3.5 billion a year. This figure makes it clear that threats to our cyber security come at substantial cost. What they do not detail is another aspect of neglecting cyber security – the potential injury and loss of life – especially when it comes to malicious activity against our operational technology, which cannot be measured in dollars and cents.
The possibility of mandated organisational cyber security measures may seem like a huge undertaking but it does not come without precedent. If we look at workplace safety, we can draw distinct parallels to what we’re seeing today with proposed governance laws for our cyber security. In her Parliamentary presentation, Karen Andrews even compared these “extra responsibilities for directors of large Australian companies” to “those they already have for workplace health and safety.”
Our current workplace OH&S approach formally commenced in July 2008 through a process of harmonisation where the federal, state and territory governments signed an intergovernmental agreement to align health and safety laws under one national framework. This resulted in the Work Health Safety (WHS) Act of December 2009, which was implemented as a rolling process across jurisdictions towards a 2012 deadline.
While the WHS harmonisation model suffered its fair share of detractors, the Act’s positive effect on OH&S in Australia is undeniable, with steadily declining rates of workplace injury and death, and the promotion of safety putting it front-of-mind in workplaces. Hazchem signage, protective clothing and strict reporting protocols are now a matter-of-course here, especially within industry sectors, to such an extent that we’d be shocked if they disappeared. You could say they’ve become part of our workplace DNA because they’re now so inextricably woven into the fabric of our work culture.
A similar thing is happening (or needs to happen) with cyber security.
In 2008, when the WHS harmonisation model for safety was set in motion, cyber threats to our information and operational technology were minimal compared to today. But the situation has changed remarkably, with an increasing need for cross-sector protection against IT and OT compromise. Just as our OH&S protocols had become outdated requiring a unified, legislated pathway, the same is happening with our cyber security.
Yet, there is a bright side to this situation, in that we have a workable framework with the implementation of the WHS Act that we can transplant onto cyber security. While the details will be different, the template remains the same, and so does the requirement to drag our industries – even if they’re kicking and screaming – into a new age of enlightenment for protecting the critical infrastructure upon which we all rely, and through which economies and lives can crumble if disrupted.
Company directors and managers may have griped and grumbled when they were forced to introduce the criteria of the WHS Act into their workplaces but, with the passing of the years and the reaping of many benefits, safety has become a central tenet of worklife in Australia. Could we do the same with cyber security? Let’s hope so.
Get your industrial cyber security levelled up before it becomes mandatory. Talk to the experts at SIS.