Australian organisations must improve their cyber-security practices now, rather than waiting for the next high-profile data breach to prompt change, Dragos Founder and Chief Executive Robert Lee told CEDA’s State of the Nation audience.
“Anybody in 2023 who is still looking for wake-up calls is 15 years too late,” he said.
Mr Lee said geopolitically tense times had contributed to a rise in cyber risk, with many countries losing control of their supply chains and even “targeting human life directly”, referencing the attempted modification of a petrol facility safety system in Saudi Arabia in 2017, which, if successful, could have killed up to 60 workers.
Mr Lee also discussed the homogenisation of cyber infrastructure, warning that growing “commonality in software” across organisations was giving adversaries the capabilities to maliciously target more industries, and sometimes attack the same organisation multiple times.
Mr Lee was joined by Gilbert + Tobin Partner Simon Burns and Australian Banking Association Head of Future Policy Nicholas Giurietto for the panel discussion.
When asked whether businesses could have both secure, resilient cyber infrastructure and the capability to innovate, Mr Burns said there should be a balance that incorporates resilience, in addition to “just hard cyber security”.
“We can’t pay for a world that has no risks in it … that’s also a pretty unexciting world,” he said.
The panel, facilitated by Governance Institute of Australia Chief Executive Megan Motto, agreed there was work to be done in strengthening data governance across the country’s businesses.
Ms Motto said businesses must skill up in this area to build digital literacy in an age where organisations were becoming more reliant on data and digital technologies than ever before.
“There are only two types of organisations in Australia: those that have been breached and those that are about to be breached,” she said.
Mr Burns said there was a wide spectrum of cyber maturity amongst Australian organisations. While the top end were integrating secure, successful systems with robust simulation training, the majority still had work to do.
Mr Lee said despite Australia’s strong talent and unique capabilities in the security space, such as the Australian Cyber Security Centre (ACSC), a large portion of industries were reaching only the bare minimum of security requirements.
Discussing the skills required to improve data-protection standards across Australian organisations, Mr Burns said understanding the data architecture of your organisation, including the externalities and risks, was crucial to get a broader picture of how to improve standards within businesses.
Mr Giurietto said companies must ensure they hire individuals to change the current workplace culture and attitudes surrounding cyber security, so everybody understands it is a shared responsibility.
He also explained that current cyber-security education was becoming “tired”, with people often speeding through or sharing answers during training modules.
Additionally, Mr Lee said the present path for hiring cyber-security experts was broken.
He said companies were often “posting jobs requiring five years of experience in a technology that’s three years old”.
The panel agreed that swift and comprehensive collaboration was also vital to making widespread improvements.
Mr Giurietto said collective action was the appropriate approach, encouraging businesses to pursue preventative measures through verified digital-identity credentials to safeguard organisations and their people.
Speaking on private and public sector collaboration, Mr Lee said governments must “play to their strength” and leave the “how” to private firms.
“I cannot name one technology that has come out of the National Lab for Cyber Security that has been used across the industry,” he said.