Are you ready for the Great Risk Review of 2022?
If you’ve been reading a bit about the pandemic’s after-effects on businesses globally, you will have been hearing a lot about the Great Resignation. As leading enterprise commentators and analysts continue to demonstrate that the Great Resignation “is real and it’s happening”, organisations are at greater risk than ever of losing the very people who know how and why their organisation needs to operate the way it does. Cybersecurity is one key risk area where this loss of knowledge and talent has the potential to hit the hardest…just in time for a raft of new changes to hit Australian cybersecurity frameworks during 2022.
Read on and make sure you’ve got the following boxes ticked heading into 2022.
- Nominate, elevate and empower a CISO (Chief Information Security Officer) in your organisation to champion your cyber security future
- Get across the top 4 changing cybersecurity frameworks in Australia in 2022, and make sure your CISO is keeping you on track!
“Never let a good crisis go to waste” – Winston Churchill
And the bad guys certainly didn’t! If you still haven’t prioritised cybersecurity in your organisation, here is how the pandemic has upped the stakes. The latest round of cybersecurity threat reports from the ACSC and the ACCC have some alarming statistics on how pandemic-driven cyber activity affected businesses over 2020-2021.
The Australian statistics show:
- Some 67,500 cybercrime reports, representing a 13% YoY increase
- Self-reported financial losses of some $33 billion
- 25% of cyber incidents impacted entities associated with critical infrastructure
- Approximately 4 pandemic-related cyber reports per day
- 75% of pandemic-related cybercrime resulted in both a loss of personally identifiable information and substantial sums of money
- Ransomware saw a 15% YoY jump
- Some 50% of cyber incidents are now rated at the higher end of the severity and impact scale, at “substantial”
“I never think of the future. It comes soon enough.” – Albert Einstein
Sorry Albert, but in the world of cybersecurity “soon enough” is usually too late! Whilst Australia has taken some firm steps towards pulling Australian government and private sector organisations into the cyber present with the release of Australia’s Cyber Security Strategy 2020 and the consolidation of the Notifiable Data Breaches Scheme, two factors are now driving our acceleration towards future initiatives – the rise of pandemic-related cyber crime and the rise of nation-state sponsored malicious actors.
The top 4 changing cybersecurity frameworks that look set to take fuller shape in 2022!
1. Changes to the Essential Eight Maturity Model
Throughout 2020, the Essential Eight underwent a makeover – with a tightening up of the recommendations for each of the Essential Eight, the addition of a fourth Maturity Level, and a change in the self-assessment process, requiring organisations to meet all the requirements for their target maturity level across all eight areas before being deemed to have achieved that maturity level. You can read more detail on these changes here.
2. OAIC Investigation into Remote Working Arrangements
During its quarterly reporting on data breach statistics during 2020-21, the Office of the Australian Information Commissioner was looking at how the data breach statistics would shift in the remote-working pandemic environment. Early signs have suggested a sustained uptick in both malicious and human-error based incidents, but of a changing nature. However, they’ve called it too early to tell – so going forward the OAIC will be looking more closely at the link between certain types of reported data breaches and changed information handling practices, and will be advising businesses and boards to proactively undertake new Privacy Impact Assessments that factor in their new remote or hybrid-work practices.
3. The Australian Government’s Ransomware Action Plan
In a big move slated for introduction next year, the Ransomware Action Plan will see the introduction of mandatory reporting of Ransomware incidents by organisations with an annual turnover of more than AUD$10 million. And the time frames are TIGHT – 12 hours for incidents impacting on the availability of a critical asset and 72 hours for incidents impacting availability, integrity, reliability or confidentiality of critical assets, with affected organisations receiving formal advice and directives from authorities on response and remediation.
4. Security Legislation Amendment (Critical Infrastructure) Bill 2020
This is a major proposed amendment that sees the current list of 4 critical infrastructure sectors (Electricity, Gas, Water and Maritime Ports) expanded to 11 (Communications, Financial services and markets, Data storage and processing, Defence industry, Higher education and research, Energy, Food and grocery, Health care and medical, Space technology, Transport, and Water and sewage). Basically, under the proposed amendment, organisations operating and managing systems of national significance in these sectors will have a range of new security obligations, including mandatory reporting of all cyber incidents, and will be subject to government “assistance” (i.e. intervention powers for information gathering, executing directions and measures, and disconnecting assets at risk).
And finally…Attention: CISOs, IT Leaders, Executive Managers & Board Members
Now that you know what you need to factor into the Great Risk Review of 2022, make sure these points are on your 2022 IT Security meeting agenda!
- Seek or revisit legal and regulatory advice on your obligations under:
  - The Privacy Act (APPs and NDB) and others
  - New regulation changes in play
  - VPDSS and other reporting frameworks
- Seek or revisit IT governance and compliance advice on:
  - Data breach response planning and process design
  - Technical and non-technical mitigation measures
  - Testing and measuring plan and process effectiveness
- Keep up to date with changes currently underway:
  - Upcoming review of the Privacy Act
  - Ransomware Action Plan
  - Security of Critical Infrastructure (SOCI)
  - Revised implementation guidance around the Essential Eight & VPDSS