What does the Australian Cyber Security Strategy 2020 mean to you?
The Australian Cyber Security Strategy 2020 (ACS20) was released yesterday.
We are aware that cyberattacks against our country have been escalating over the years with increasing sophistication and success.
As per the ACS20:
- Between 1 July 2019 and 30 June 2020, the ACSC responded to 2,266 cyber security incidents at a rate of almost six per day.
- According to one expert analysis, cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29 billion per year, or 1.9% of Australia’s gross domestic product (GDP).
- In 2019, one in three Australian adults were impacted by cyber crime. On average, the ACSC’s ReportCyber tool receives a cyber crime report every 10 minutes.
- Human behaviour is always part of the problem
How we as a country respond to this cyber situation requires both defence and offence and involves every single one of us. We all have a role to play so it is important that everyone is clear on what their role is and what we can do to stay cyber safe.
After reading the ACS20, it is clear that 'the human' features in all the focus areas of government, business and the community. As an advocate for the human (student, employee, volunteer, retiree etc.), my quest is to create human firewalls, so this has relevance for everyone regardless of who they are or what they do.
Before we go any further, what is a human firewall? I'm glad you asked, as it is someone who has:
- Situational knowledge as it relates to cyber security and cyber threats (e.g. a year nine student requires a different level of knowledge compared to someone who works in a finance team as part of a larger organisation)
- A clear understanding of their role and responsibility in staying cyber safe and following best practice (e.g. cyber security is everyone's responsibility and we all have our part to play)
- Demonstrated the first two points through measurable and observable behaviours (e.g. participates in ongoing training and education coupled with opportunities to demonstrate their learnings, such as the use of simulated social engineering tests, and actively reports all potential cybercrime)
As a group, human firewalls decrease the level of cyber risk factors for organisations and aid in the creation of a group of people who care and are committed to protecting data, people and systems from cyber-attacks. In an ideal world, these people create and nurture a culture of cyber security where humans are making better decisions when it comes to security.
Cyber Security Awareness and Training as per the ACS20
The good news for us all is there is clear messaging when it comes to the importance of cyber security awareness and training as it is mentioned throughout the strategy as part of every section.
Perhaps one of the most compelling statements of the strategy is that "Businesses should take responsibility for securing their products and services and protecting their customers from known cyber vulnerabilities." One of the most effective ways to achieve this is to create their own army of human firewalls. We know that anywhere between 70% and 90% of all successful data breaches are the result of a phishing email, where a human has unintentionally engaged with a malicious email, resulting in the cybercriminal gaining illegal entry to an organisation's systems and causing disruption, financial and reputational loss and more.
Providing a Security Awareness Program (SAP) that includes the following key elements will decrease the cyber risk factors that arise from the unintentional actions of humans and create a cyber security culture where humans are making better decisions when it comes to security.
Key elements of a Security Awareness Program:
- Ongoing, relevant and engaging security awareness training covering all aspects of cyber(security) and social engineering
- Ongoing simulated social engineering testing (e.g. phishing emails etc.)
The ACS20 goes on to say that “The community should take responsibility for practising secure online behaviours and making informed purchasing decisions.” This is absolutely true and poses a great opportunity for us as a community to empower everyone to make better decisions when it comes to cyber security.
For SMEs, the ACS20 acknowledges that there is a need for them to "grow and increase their cyber security awareness and capability" and that they need "cyber security awareness training".
For individuals, it states that "not all cyber security risks can be addressed by governments and industry – individuals should also take steps to protect themselves", going further to say that "The Australian Government will expand efforts to raise awareness of cyber security threats and empower the community to practise secure online behaviours." The offering of a "dedicated online cyber security training program, expanding our 24/7 cyber security advice hotline for SMEs and families" is a great initiative.
Side Note: I find it interesting that there needs to be a distinction between 'the community', 'SMEs' and 'individuals'. I think it's time that we are all treated as humans who all need to know the fundamentals of cyber security safety and how to stay safe online, with the addition of situational cyber knowledge based on our needs, demographics, workplace, risk factors etc. A non-cyber example would be driving. There is a fundamental set of road rules we all need to know if we are driving a car; however, there are additional rules and nuances we need to know IF we drive a bus, truck, motorcycle etc. If I am never going to drive a truck, I do not need to know the specifics of driving a truck!!!
The message is obvious.
We all need the information and tools to protect ourselves online, which results in us all being able to make educated and better decisions when it comes to staying cyber safe.
Where to from here?
The government has a key role to play as they “create an environment where everyone knows what role they play and what the ‘rules of the road’ are – including through legislation where necessary.” They will also be ensuring we have the relevant policies to support the safety of us all online. The first action is to set up the expectations for our critical infrastructure as they relate to cyber security.
It is abundantly clear that the Australian Government acknowledges the importance and critical nature of cyber security awareness and training for everyone, and now is the time to act.
Take it from me, it is extremely fast and cost-effective to implement a robust security awareness program and get on the front foot in creating your human firewalls. And before you think this is a sales pitch because I work for KnowBe4, think again. Just like choosing a new car, you decide on the best fit for you and your organisation based on your needs, your budget and your sector's compliance requirements. Do your research on all the security awareness training providers and find the best fit for you; just do it soon!
You can read the complete strategy here: The Australian Cyber Security Strategy 2020, or copy and paste the complete address into your browser: https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf
I welcome your thoughts and encourage you to start the conversation with everyone you know when it comes to cyber security.
Stay safe out there.
JJ
Managing Director
Great article JJ! Very pragmatic. I agree that there needs to be Security Awareness Training for everyone that covers the fundamentals. As you suggest, just as we are all expected to know the basic road rules in order to drive a car. From there, those extra layers of training should be relevant to one's circumstance. Training on the fundamentals/foundational aspects for EVERYONE is absolutely key, and now urgently so......As I've been known to say before, "the user in my mind, should now be deemed the end-point"......