Predictions of Lani Refiti, Regional Director ANZ, Claroty
1. The Australian Federal Govt will increase its involvement in critical infrastructure on regulatory and oversight matters:
The recent string of breaches affecting Optus, Telstra and MyDeal have empowered the Federal Government to take a more active role in cybersecurity from a national perspective (covering all industries) and specifically within critical infrastructure. With the amendment to the critical infrastructure act now completed and numerous cyber risk programs starting to be rolled out, we will continue to see the Federal Government increase their involvement in cybersecurity matters within the critical infrastructure sector in 2023.
2. Australia’s critical infrastructure sector will increasingly be targeted by ransomware and nation-state actors:
While we’ve seen an increase in ransomware attacks across all industries, cybercriminals will particularly focus their efforts towards the critical infrastructure sector in 2023. Cybercriminals know that critical infrastructure operators cannot afford any downtime, as this could wreak havoc on the general public and even cause health issues. Therefore, there is a higher likelihood of the ransom being paid so that operators can get their critical services back up and running, such as health networks, electricity grids and water treatment plants. The level of skill and expertise required to breach a critical infrastructure organisation has also fallen significantly. Adversaries no longer need to gain specific access to the OT/ICS network, which was once isolated from the internet. Due to the increasing connection of legacy OT with modern IT networks, adversaries can simply use standard ransomware designed for corporate IT networks that will enable them to jump into the OT/ICS network, and shut down/take over the operation of critical equipment. Furthermore, given Australia has provided its support for western allies’ sanctions on Russia and provided military supplies to Ukraine, nation-state actors will seek either retribution or look to dissuade Australia and other nations from their continued support for the war effort. There are also potential motives for nation-state actors in Asia concerning China’s geopolitical activities and their heightened influence in the South Pacific, particularly the Solomon Islands.
3. Defence/National Security will become a focus for cybersecurity:
In late 2021, the SOCI (Security of Critical Infrastructure) Act was amended to extend coverage to the Defence sector, along with 6 other sectors. The Defence industry sector covers all Government and Defence contractors as well as their relevant supply chains. Along with this amendment, Australia has increased its focus on developing sovereign capability for its own use and export and has signed up to both the Quad and AUKUS alliances, which has raised an eyebrow in competitive nation-states. This increased investment and alliance activity means that the Defence industry will not only become a larger target for both cyber criminals and nation-states, it will also have additional overhead of increased regulatory obligations under the Security of Critical Infrastructure Act over the next few years.
Predictions of Scott Leach, Vice President APJ at Varonis
1. Public disapproval of businesses will increase:
Public sentiment has grown increasingly negative towards organisations that are not properly protecting their customers’ personal information. Not only will this lead to increased penalties (which have already been proposed by the Federal Government), but it will also drive further regulations. It’s highly likely that Australia will end up with legislation similar to GDPR, which governs data use in the EU.
2. Stale data will become ‘toxic’:
In the last decade, many companies got into the habit of collecting any and every piece of data they could (including hordes of personal information) and keeping it forever in the hope they may discover a way to monetise it in the future. Holding on to excessive protected data is highly risky, and the mindset of organisations will shift as they realise that excess data is a liability they must actively eliminate to avoid data breaches.
3. Substantial costs involved for businesses in data breach:
The recent public breaches will end up costing organisations more than $1 billion. Beyond the fines imposed by government bodies, businesses that have been breached are going to be up for substantial costs over the next few months to years, including the cost of replacing impacted passports and drivers’ licenses, identity theft monitoring for impacted individuals, further class action lawsuits, loss of revenue and investigative costs.
