What You Need to Know About the New Australia Cyber Security Act

The digital world is an increasingly dangerous place for Australian organisations. A string of high-profile data breaches and ransomware attacks over the past few years has eroded customer trust in online services—not to mention corporate finances and reputations.

Even though most of these attacks were financially motivated, a new Microsoft report shows that the lines between cybercrime and nation-state threats are becoming blurred. This means that such incidents are increasingly being treated as a matter of national security.

All of which explains the proactive stance taken by the Albanese administration. First came the 2023-2030 Australian Cyber Security Strategy, which sets out a roadmap for Australia to become a “world leader” in the field by 2030. And now, a landmark piece of legislation positions cybersecurity as the key to protecting national security and economic stability. Although the details are still being finalised, Australian IT and security leaders would do well to start planning.

What’s in the New Legislation?

The Cyber Security Act is not short on ambition. As Australia’s first standalone piece of cybersecurity legislation, it promises to implement seven key initiatives outlined in the aforementioned Cyber Security Strategy. According to the Department of Home Affairs, the act is designed to plug “legislative gaps” and future-proof the country’s “cyber environment” and critical infrastructure (CNI), focusing on the following:

  • New cybersecurity standards for smart devices to establish a baseline of improved security for consumers, including unique passwords, regular updates and data encryption
  • Mandatory reporting of ransomware payments (for some unspecified business types) to help the authorities better understand the scale of the problem
  • A “limited use” obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) which will restrict how these bodies use info shared with them by victim organisations. The end goal here is to encourage more reporting
  • A new Cyber Incident Review Board which will conduct “no-fault” investigations following severe incidents and publicly share anonymised insights

The Cyber Security Act will also advance and implement reforms outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). These are designed to:

  • Clarify obligations for organisations holding business-critical data
  • Improve government assistance to mitigate the impact of incidents affecting CNI
  • Simplify information sharing across industry and government
  • Enable the government to force CNI entities to address serious risk management deficiencies
  • Align regulation for telecommunications cybersecurity into the SOCI Act

What Australian Businesses Can Do Now

There were 483 data breach notifications in the second half of 2023, up 19% from the first part of the year. According to the Office of the Australian Information Commissioner (OAIC), the vast majority (67%) were caused by malicious or criminal attacks. Such elevated threat levels prompted lawmakers to take action in the first place, and they should constantly remind boards that such risks must be managed in a more holistic manner.

While the Cyber Security Act has yet to be finalised, according to experts ISMS.online spoke to, there’s plenty that Australian organisations can do now to prepare for its mandates. This is especially true of smart device manufacturers.

“For manufacturers down under – and pretty much everywhere – now’s a good time to look at current security practices, review where there are any gaps or areas for improvement and put in place plans to align them to the new requirements,” KnowBe4 lead security awareness advocate, Javvad Malik tells ISMS.online.

“Manufacturers of smart devices should have a ‘secure by design’ mindset where security is baked into the products from the moment they are planned and designed and never as a bolted-on after-thought.”

Daniel Schell, co-founder and CTO of Airlock Digital, predicts that the eventual standards that IoT manufacturers will need to follow will likely be aligned with the European Standard Cyber Security for Consumer Internet of Things (ETSI EN 303 645).

“This includes controls for prohibiting default passwords, implementing secure updates, protecting sensitive data, ensuring secure communication and minimising attack surfaces,” he tells ISMS.online. “Like similar regulations in Australia such as Regulatory Compliance Mark (RCM) for electronic equipment, these regulations will be challenged by overseas direct sales, especially in the age of Temu and AliExpress.”

Black Duck senior director Kelvin Lim adds that Australian organisations should also be prepared to establish mandatory incident reporting protocols “and work closely with the Australian Cyber Security Centre.”

KnowBe4’s Malik highlights the importance of continuous monitoring and reporting.

“Make it a habit to conduct regular audits and assurance reviews to ensure that all security controls are working as designed and intended on an ongoing basis,” he argues. “This is not just for your own security, but also for the benefit of regulators who will scrutinise organisations more closely in light of the new requirements.”

Best Practice Standards Can Help

The good news is that following security standards and frameworks like ISO 27001 can help organisations create a solid foundation for compliance with the incoming legislation, whatever its final form.

“Australian companies are increasingly relying on digital systems to advertise and sell their products and services, making cybersecurity essential for every business,” Phosphorus Cybersecurity regional CTO for APJ, Alex Nehmy, tells ISMS.online. “Best practice cybersecurity standards and frameworks help Australian companies improve their cyber security posture and reduce the likelihood of experiencing a serious incident such as ransomware.”

Airlock Digital’s Schell goes further.

“Standards such as ISO 27001 and NIST help organisations with governance and the operation of their Information Security Management System (ISMS),” he says. “Mature organisations operating a healthy ISMS will have incident response policies and playbooks in place, along with supporting registers such as their legal requirements, and will be able to integrate regulatory changes into their current processes in a structured manner.”

Thanks to next-gen compliance software providers, meeting the requirements of such standards is no longer as time- and resource-intensive as it once was. By following internationally recognised frameworks, Australian organisations can also go a long way towards fulfilling their obligations in other areas, such as compliance with GDPR and assorted industry regulations. In the meantime, many will keep a close eye on the finalised text of the Cyber Security Act.