A new think tank report by BlackBerry says that Australia's cyber risk is changing all the way down to infrastructure and even to the people behind it.
With digital attacks increasing and the potential price tag reaching around $2 billion per year, the report aimed to find out the varied challenges we face in the future and how to develop better risk management strategies.
The report, titled 'Is your organisation ready for a crisis? The future of security in Australia', drew on opinions from Australia's top executives, including former US Ambassador to Australia Jeffrey Bleich; John Durbridge, head of campus security at Macquarie University; Jetstar CIO Claudine Ogilvie; Craig Davies, CEO of Australian Cybersecurity Growth Network; and Rex Stevenson, former Director General for the Australian Secret Intelligence Service.
The first major challenge is how government and private enterprise come together to collaborate. The foundation is there, but the next steps need to be taken, says BlackBerry's VP of Government Solutions, Sinisha Patkovic.
“There are some considerable challenges in bringing government and private enterprises together when it comes to cybersecurity. Everyone has a slightly different expectation and view about what a nationally coordinated approach would look like. Fortunately, I think Australia already has a lot of the right foundations in place for such collaboration, it's now about taking the next steps,” he says.
According to the report, the next steps could be about educating Australians about cyber protection, improving dialogue between government and enterprise, particularly breach reporting, better government transparency about emerging and likely cyber attacks, and closer collaborations between private organisations themselves.
Organisations are also facing a rapid scramble to arm themselves against attacks and protect their networks, the report says.
“At times it really does feel like an arms race. The better we get at finding countermeasures, those countermeasures then become a training ground for adversaries to find better exploits. As a company, you need to be methodical about removing classes of threats completely. Keeping focused on the root cause is very important,” comments Dr Liming Zhu, CSIRO's research director of Software and Computational Systems.
The report also talks about ‘script kiddies’, hackers who use off-the-shelf DDoS products to bring down organisations. While most participants weren't specifically concerned by these attacks, it does show that organisations must be vigilant.
Participants were also concerned about IoT security, but those connections can also better protect cities.
“The notion that people think differently in the virtual and physical world is a fiction. We need to observe human nature and apply this to both spheres, where we are now operating simultaneously,” Bleich comments.
The human factor is also addressed in the report.
“Unless security is driven from the very top of the organisation, you're not going to get any real change. The CEO needs to get behind it and push it, otherwise all of your effort trying to change the rest of the organisation is lost. You need the commitment right through the organisation, but it needs to start with the most senior executives,” Stevenson says.
The think tank came up with four ways that the ‘human element’ to security can be overcome: educate and test employee adherence to security strategy; design strategies for the people, not the product; and maintain awareness of how behaviour patterns shift over time.