Improving cyber security regulation has the potential to nurture better business practice.
Cyber security is growing rapidly and is increasingly important as we become more deeply connected digitally in life and business.
Threats posed by the digital age have triggered the quick elevation of cyber security and given rise to its inclusion within the environmental, social and governance framework guiding good business practice.
The regulatory nature of cyber security strongly aligns with the governance pillar of the framework but also fits into the social and environmental aspects.
The theft of customers’ personal data can pose significant social impact, while the hacking of infrastructure to cause system failures and consequential environmental damage falls under the third pillar.
Office Solutions IT director Igor Pavic said cyber security had evolved alongside digital development and “100 per cent touches all three pillars of ESG”.
“Historically, say 20 or 30 years ago, cyber was just an IT problem but it has transitioned to be a business problem,” Mr Pavic told Business News.
“It’s now moving, quite rapidly, into being an ESG ‘problem’ and therefore it has become the responsibility of the whole company, not just the job of one department.
“It’s been a bit of an evolution and I suppose that’s on the back of IT developing to this point where it touches every part of life, one way or another.”
Igor Pavic has worked at Office Solutions IT since 2005. Photo: Michael O’Brien
CyberCX chief strategy officer Alastair MacGibbon said the role of cyber security as part of a company’s licence to operate had been increasingly recognised among boards, executive teams and customers alike.
“Companies often hold and retain an enormous amount of data on their suppliers, their people and their customers,” Mr MacGibbon said.
“A customer will hand over their data – their name, their address, passwords, financial details – as part of a transaction with a company with the expectation that it will be held safely and protected.
“When an organisation loses a customer’s data, they risk breaking that social licence.”
Mr MacGibbon said privacy, safety and security must be seen as three legs of the same stool.
“If one of those legs breaks, then a company has put its social licence at risk,” he said.
“A cyber incident can break all three of those legs.”
Business News hosted an event in March, where professionals from the cyber sector converged to discuss the future of cyber security.
A primary discussion point raised at the Sector Briefing on The Future of Cyber Security lunch was the lack of justification for businesses to retain customers’ personal data.
During the panel discussion, Edith Cowan University professor of cyber practice Paul Haskell-Dowland said there was limited reason for companies to keep sensitive information on file.
“For me it really does call into question, first of all, why is any organisation in Australia, no matter what size they are, holding copies of government-issued identity documents?” Professor Haskell-Dowland said.
“[There’s an] idea that your telecommunications provider has to retain a copy of your driver’s licence, your ID card, to be able to continue to provide you with your service.
“I think there’s a bit of a mismatch here between the legislated requirements, which are often rather vague in terms of what’s expected of organisations, and the organisation’s interpretation, particularly from a due diligence perspective.”
The federal government is developing a seven-year strategy to curate better, clearer cyber security laws and regulations in Australia.
Cyber Security and Home Affairs Minister Clare O'Neil launched the 2023-30 Australian Cyber Security Strategy discussion paper in December last year, outlining the government’s goals for the strategy and inviting the public to contribute ideas.
Ms O'Neil said laws on cyber security were not up to scratch and a new strategy would help to make Australia more cyber secure by the end of the decade.
“As a nation we have a unique opportunity to move cyber security beyond a niche technical field to a strategic national security capability that underpins our future prosperity,” she said in the discussion paper foreword.
“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age.”
Mr Pavic said more supply chain and governance pressure would encourage companies to improve their cyber security measures.
“There will probably be more regulations coming through from government determining a minimum level of protection that IT providers or organisations need to meet,” he said.
“It wouldn’t surprise me if we start seeing more regulatory aspects coming into the IT services industry over the next couple years.
“That is what we’re missing at the moment.”
Mr Pavic said although there were certifications people in the technology industry could attain, the regulations around working in this sector were not as strong compared with other industries.
“To do accounting, you need to be a certified practising accountant, and to be a bank, [there is] a banking code that financial bodies must align with,” he said.
“For IT services providers, there’s nothing.
“You just need to register a website domain and you can start providing services.
“There are also many IT service providers out there who say they do the right things but they don’t and there’s no indicators to measure their performance against anyway.
“This ties back to the point that we must take cyber security more seriously as part of the ESG framework.”
The government’s renewed strategic planning could further consolidate the role cyber security plays in guiding good business practice.
The government established a national cyber security coordinator position within the Home Affairs department in late June and appointed former air commander Australia Darren Goldie to the job.
In this role, Mr Goldie has been working to prevent large-scale data breaches by leading the national cyber security policy, coordinating responses to major cyber incidents, improving government incident preparedness efforts and strengthening cyber security capability.
Mr MacGibbon emphasised the importance of continually updating cyber security systems as technology advances to avoid cyber attacks.
He said new technologies were developed every day and more tech meant the risks were constantly evolving.
“As technology improves and evolves, so do criminals,” Mr MacGibbon said. “In this sense, we need to think about cyber criminals as highly adaptive and responsive to new technologies.”
He said the rise of artificial intelligence had accelerated the integration of cyber security within ESG standards and would continue to do so.
“As an example, we’re already seeing how the mass adoption of new AI tools is being harnessed by criminals too, making scams harder to detect,” Mr MacGibbon said.
“For businesses, this reinforces the importance of developing a robust understanding of cyber within your business and exercising that like a muscle.
“Hoping it doesn’t happen is not a strategy.”
Although AI can be used to facilitate criminal activity, Mr Pavic said it could soon be used the other way around, to protect data.
“AI is at the forefront of everything, including cyber, and various companies have been dabbling in the protective side of things,” he said.
“AI in its entirety runs through IT systems that need to be protected so cyber security is going to be significantly involved in this anyway.”