Protecting critical infrastructure is essential. Without effective cybersecurity, the lights will go out. Literally. And leaders need to champion that.
This was the key takeaway from an invite-only panel discussion on the Security of Critical Infrastructure Act (SOCI) 2018 reforms in Melbourne this week.
Hamish Hansford, Home Affairs’ Head of Cyber and Infrastructure Security Centre, contributed alongside a panel of cyber and personnel security leaders in a discussion that attracted about 200 guests in-person and online.
The Australian Cyber Collaboration Centre and its members – including Providence Consulting Group, DTEX Systems, MITRE Corporation and Commonwealth Bank of Australia – hosted the event to give representatives across critical infrastructure industries an opportunity to gain valuable insights in the spirit of elevating protective security of critical infrastructure.
With cyber breaches at an all-time high amid a constantly changing threat environment, security has never been more important. It’s also become an increasingly hot dinner table topic, with high profile breaches such as those from Optus and Medibank demonstrating how far sensitive data can travel when exploited.
The discussion centered around the draft Risk Management Program Rules as an upcoming requirement for certain critical infrastructure asset owners and operators. The program is designed to enable critical infrastructure entities to uplift their personnel security and introduce measures to mitigate insider risk.
Panel moderator Mohan Koo – who is also Co-founder and Chief Technology Officer for cybersecurity company DTEX Systems – said there needed to be cultural change from the CEO down to understand and manage insider risk, and that everyone needed to understand and be educated on the risk.
“Cybersecurity has a strong people element, but the importance of people has not been fully recognised. And we know that organisations often have a glass ceiling where it becomes almost impossible to have this conversation on insider risk all the way up to the top,” Mr Koo said.
Providence Consulting Group Senior Director, Enterprise Protective Security, Tim Slattery – who featured on the panel – noted the recent attacks on Optus and Medibank demonstrated an increasingly complex and dynamic threat to Australia’s critical infrastructure.
“People are our most significant critical asset but may also pose the greatest security risk,” Mr Slattery said.
The panel noted the real threat to cybersecurity is not a rogue nation but the ‘threat within’ – possibly an unintentional trusted insider who makes a mistake that leads to a risk occurring. For example, clicking a malicious link unknowingly (known as a phishing attack) or credential compromise.
According to the 2022 Cost of Insider Threats Global Report (Ponemon Institute), insider threat has seen a dramatic 44 per cent increase in both frequency and cost over the past two years.
Of note is that 56 per cent of insider threat incidents are a result of negligence. In other words, most breaches are a result of unintentional human error which, on average, costs $6.6 million per year per entity.
There was strong support among the panel for the need to take a preventative approach to protective security by embracing ‘teachable moments’. This means giving an individual timely explanation of how their actions could pose a risk – without imparting blame or breaching privacy.
Underpinning all of this is security culture – which benefits the whole enterprise.
“If staff feel trusted, respected and protected, they will deliver the best outcomes for your organisation’s profile, productivity and bottom line. And when you cultivate an engaged workforce built on those values, security becomes a natural by-product,” Mr Koo said.
Joining Mr Hansford and Mr Slattery on the panel were Simon Lee-Steere of NBN; Min Livanidis of Amazon Web Services; Bruce Moore of VicTrack; Rahn Wakeley of Dubber; Ben Rix of National Australia Bank; Jonathan Wotton of MITRE Corporation and Matthew Salier of the Australian Cyber Collaboration Centre.
Australian Cyber Collaboration Centre CEO Matt Salier said the overwhelming interest and engagement from the crowd was testament of how industry and government can collaborate to drive and accelerate meaningful change.
“The Centre was established to bring a wide range of members together to grapple with the complexity of issues facing businesses in their cybersecurity operations. This event, and subsequent training programs we’ll deliver in 2023, demonstrate how this approach to collaboration can bring new insights and positive actions to educate our community and support businesses cyber resilience,” Mr Salier said.
There will be a subsequent panel in March 2023 to review progress and provide an ongoing forum for sharing insights in the spirit of driving a more secure nation.