Following a spate of disastrous data breaches over the past 12 months, it seems like the government is only now realising the importance of cyber security and, more specifically, how Australian organisations can get better at protecting their data.
Its new cyber war games initiative is a great example of how the government is thinking differently about delivering more practical solutions for building cyber resilience.
Unfortunately, when it comes to regulating against evolving threats, the government, in general, is not best positioned to lead these conversations because, quite simply, it moves far too slowly. While regulation is absolutely necessary and a step in the right direction, it’s often too little too late by the time it comes to fruition. This is especially true when technology is involved.
Government legislation and initiatives are unlikely to ever be able to keep pace with cyber attacks and bad actors.
Why regulation won’t stop cyber threats
Too often, the government creates multiple pieces of legislation that take years to write, realistically can’t be applied to every scenario, and in some cases are so specific or restrictive that they become counterproductive. We’ve seen it with data sovereignty laws as well as recent discussions around changing the Privacy Act, both of which are still ongoing while technology speeds ahead. For example, the Privacy Act should be addressing generative artificial intelligence (AI), but realistically, the impact of tools like ChatGPT will have changed by the time the act is updated.
Even more frustrating, once written, the legislation is incredibly hard to modify despite the fast-changing nature of cyber security threats it’s designed to protect us from. Instead, the government needs to be creating more effective and flexible frameworks that can be drafted quickly and provide broad guidance to Australian organisations while keeping pace with change.
Proactive steps to improve cyber resilience
While the government is working on legislation and regulatory frameworks, the march towards cyber resilience needs to be led, perhaps unsurprisingly, by the board.
While we’re starting to see this shift, mostly as a result of board members now facing personal liability for attacks, the reality is that security acumen among board members is not at the level required to deliver tangible outcomes. We need to get board members with cyber experience to drive the conversation and keep businesses accountable.
Now, it’s all well and good to have the right skills on the board, but this needs to be implemented at a practical level, and it should start with data and information management. Data and information management is not a specific need of only specific industries like banking or healthcare; it affects every industry sooner or later.
It is crucial for organisations to recognise that data and information have significant value and are assets that should be treated with the utmost seriousness. Merely storing data and information without proper consideration is not sufficient. Implementing a data lifecycle management plan is essential to mitigate risk; failing to do so only escalates the threat posed by your organisation’s own data.
A data lifecycle management plan outlines a strategic approach to how data and information are managed throughout their entire lifespan within an organisation, so that data and information stay in your organisation no longer than they need to, significantly reducing risk and liability in the event of an attack. Consider how much less damaging the Medibank hack would have been if dormant account details had been promptly deleted. Even insurance providers are acknowledging the importance of this by granting reduced premiums on cyber insurance to organisations that have implemented robust data lifecycle management.
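To make the "delete it when it is no longer needed" principle concrete, here is a small retention sweep written as an added example for this article; it is not AvePoint's code or a tool the article describes. The data classes, retention periods and sample records are constructed assumptions chosen to illustrate the idea: each record is assigned an action (retain, delete, or review) from its class and last activity date, a legal hold always overrides the schedule, and records of an unknown class are flagged for human review rather than silently kept or silently deleted.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule: days of inactivity after which a record of
# a given class is due for deletion. None means "keep while the relationship
# is live". These classes and periods are illustrative assumptions only.
RETENTION_DAYS = {
    "active_customer": None,
    "dormant_account": 180,   # e.g. no login or transaction for six months
    "former_customer": 365,
    "marketing_lead": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    last_activity: date
    legal_hold: bool = False   # a hold always overrides the retention schedule


def classify(record: Record, today: date) -> str:
    """Return 'retain', 'delete' or 'review' for one record."""
    if record.legal_hold:
        return "retain"
    if record.data_class not in RETENTION_DAYS:
        # Unknown data class: never decide automatically, send to a human.
        return "review"
    limit = RETENTION_DAYS[record.data_class]
    if limit is None:
        return "retain"
    age_days = (today - record.last_activity).days
    return "delete" if age_days > limit else "retain"


def plan_sweep(records, today: date) -> dict:
    """Group record ids by the action the policy assigns them."""
    plan = {"retain": [], "delete": [], "review": []}
    for record in records:
        plan[classify(record, today)].append(record.record_id)
    return plan


def audit_lines(records, today: date) -> list:
    """One audit-trail line per record, so every decision is traceable."""
    lines = []
    for record in records:
        age_days = (today - record.last_activity).days
        lines.append(
            f"{today.isoformat()} {record.record_id} class={record.data_class} "
            f"age_days={age_days} hold={record.legal_hold} "
            f"action={classify(record, today)}"
        )
    return lines


# Constructed sample data (not real accounts) and a fixed "today" so the
# results are reproducible.
TODAY = date(2023, 6, 1)
SAMPLE_RECORDS = [
    Record("c-001", "active_customer", date(2023, 5, 30)),
    Record("c-002", "dormant_account", date(2022, 10, 1)),       # 243 days idle
    Record("c-003", "dormant_account", date(2023, 3, 1)),        # 92 days idle
    Record("c-004", "former_customer", date(2022, 1, 15), True), # on legal hold
    Record("c-005", "marketing_lead", date(2022, 12, 1)),        # 182 days idle
    Record("c-006", "unknown_export", date(2020, 1, 1)),         # unclassified
]


if __name__ == "__main__":
    for line in audit_lines(SAMPLE_RECORDS, TODAY):
        print(line)
    print(plan_sweep(SAMPLE_RECORDS, TODAY))
```

The sweep only produces a plan and an audit trail; the actual deletion step should be a separate, reviewed job so that a misconfigured retention period cannot destroy data unnoticed, and so the audit lines can be kept as evidence of the policy being applied.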
We all know that cyber attacks are almost inevitable, yet few, if any, organisations possess the resources to completely ward off such attacks. However, the way an organisation manages risk is entirely within its control. In the absence of robust governmental regulations, organisations should prioritise educating their leadership about cyber risks and adopt a proactive and preventive approach to data and information management.
These two relatively simple steps can make the difference between staying out of the headlines or becoming one.
Bruce Berends is the product strategy lead at AvePoint.