Australia is stepping up efforts to combat rising cyber threats. According to insights from industry leaders at the Australian Financial Review’s (AFR) inaugural Cyber Summit, held recently in Sydney, new risks emerging alongside increased digitisation and connectivity have made cyber resilience a top priority. 


Cybercrime in Australia: Pedestrian thugs to industrialised networks 

 Cybercrime has advanced into sophisticated business models run by industrialised networks. Specialised hacking tools and malicious code are openly traded on hidden dark web forums. These organised dynamics allow criminals to execute mass attacks with precision and efficiency. It is worth noting that some of these criminal “businesses” even operate their own call centres for ransom negotiations. 

Artificial intelligence (AI) amplifies risks further. Hackers are increasingly using AI tools like ChatGPT to craft personalised social engineering at scale, probe systems automatically for flaws and discover vulnerabilities rapidly. They leverage machine learning to refine attacks, such as generating better phishing emails or hacking strategies. 

 
Government makes cybersecurity a priority 

The Australian federal government aims to make the nation cyber resilient by 2030, releasing an updated national cybersecurity strategy by year’s end. Goals include enabling real-time threat intelligence sharing between agencies and businesses, developing sovereign security capabilities and coordinating global enforcement actions. 

Home Affairs stated that cyber threats are evolving faster than any other national risk. The government convened over 25 working groups last year across critical infrastructure sectors, wanting transparent data sharing but noting privacy challenges. Immigration policies are also being updated to attract global cyber talent more quickly. Moreover, the government has acknowledged the need to play a far more significant role in the fight against cybercrime. Efforts are underway to streamline the process for enterprises seeking guidance after a cyberattack, aiming to reduce the current bureaucratic maze involving 30-40 government contacts.

 
Data: From new oil to new asbestos 

As we delve deeper into the digital age, data has transitioned from being the “new oil” to potentially becoming the “new asbestos.” This metaphor draws attention to the latent risks associated with data collection, likening it to asbestos, which was initially hailed as a miracle material but later revealed to have severe health risks.  

In 2023, 42% of legal leaders in Australia are concerned about their organisations’ data collection and retention practices. Under this theme, it is essential to emphasise data minimisation strategies to mitigate risks associated with aged data stores, one of the top three cyber risk concerns for enterprises. 

 
New voices needed in cyber governance 

Summit speakers noted board awareness of cyber risks has substantially improved. Auditors and regulators even see cybersecurity governance as a core board duty. However, many directors still lack the technical fluency needed to provide effective oversight and have strategic conversations. 

Additionally, digital key performance indicators are rarely implemented to track cyber risk management. Speakers noted that until enough current leaders with governance gaps retire, substantial progress in aligning senior priorities with security teams will remain difficult.


 

Emerging technologies expand corporate attack surfaces 

The escalating reliance on the cloud, the Internet of Things (IoT), third-party vendors and the digitisation of infrastructure greatly expands potential corporate attack surfaces. A significant risk with IoT is the use of devices like security cameras and baby monitors, which come with factory passwords, some even as simple as “0000,” that cannot be reset. Third-party players that manage cybersecurity for enterprises and governments are susceptible to hacks themselves, and together these factors present a layered threat landscape. Most small businesses lack adequate resources to monitor these risks, and even large enterprises struggle to balance cloud productivity benefits with new security vulnerabilities.

 
AI offence vs defence dynamics 

The battle of AI, pitting HackGPT against ChatGPT, creates clear risks, with criminals leveraging algorithms to compromise systems faster than humans and craft precisely targeted social engineering at scale. However, AI also aids defence, accelerating secure code development, vulnerability discovery and threat intelligence analysis beyond human speeds. It remains uncertain whether AI defence can outpace AI offence in the long term. Australia must thoughtfully leverage algorithms to its advantage while mitigating risks as threats evolve.

 
How to deal with hackers amid ransom threats 

Experts admit that arresting a hacker is often a fantasy. Several vital decisions must be made in the critical first 24 hours after a hack, which underlines the importance of a well-prepared incident response team and the necessity to run frequent, unannounced simulations to stay prepared.

Negotiating with threat actors is a delicate dance, often involving live chats and high-pressure tactics, including data leaks and countdown clocks. The focus should be on harm minimisation, carefully weighing the pros and cons of negotiating based on the leverage the hackers have. 

 
Lack of cyber talent: Cybersecurity’s Achilles’ heel 

Australia faces an acute cybersecurity talent shortage, with over 80,000 additional professionals needed by 2026. While immigration helps, developing homegrown skills is critical for building sustainable cyber resilience. Government, academia and industry must collaborate to foster expertise at all levels — from students to executives. Cybersecurity life skills should become ubiquitous across society. With broad collaboration, Australia can get ahead of threats through collective vigilance, investment and innovation. Achieving true resilience by 2030 in the face of sophisticated threats will require substantial focus on these emerging trends. 

 
Conclusion 

As Australia navigates the complex landscape of cyber threats, it is imperative to foster a culture of preparedness and resilience. Leveraging AI responsibly, nurturing homegrown talent and fostering collaboration across sectors will be pivotal in safeguarding the nation’s digital frontier. The road ahead is challenging, but with concerted effort and focus on the identified trends, Australia can aspire to build a cyber-resilient future. 

 
Bibliography 
AFR Cyber Summit 2023, Sydney, Australia. 
Herbert Smith Freehills Cyber Risk Survey 2023. Survey of 120 legal leaders in Australia. 
Owen, David. Partner, Risk Advisory, Deloitte Australia. Presentation at the AFR Cyber Summit 2023. 


L.E.K. Consulting is a registered trademark of L.E.K. Consulting. All other products and brands mentioned in this document are properties of their respective owners. © 2023 L.E.K. Consulting