Following Australia’s Cyber Security Strategy 2020 (released in August 2020), the Australian Government has released a discussion paper on strengthening the security of Australian businesses online: Strengthening Australia’s cyber security regulations and incentives. The 68-page document sets out the government’s plans and suggestions for raising awareness of the importance of cybersecurity from both the business and the consumer point of view. The government is now seeking input from the community on the steps that are needed and on what kind of incentives would encourage big and small businesses alike to strengthen their cybersecurity. In this article, I will focus on what small businesses in Australia need to know about the government’s proposed measures for improving cybersecurity.
1. What impact would the new measures bring to small businesses?
Cyber Health Checks
‘Cyber Health Check’ is not an official name, but the idea is a voluntary check program built around a questionnaire about your current cybersecurity posture. Small businesses that complete the health check and satisfy its requirements would be awarded a mark that can be used in advertising. The mark would signal to customers that your business is doing its best to protect their sensitive information from cyber-attacks. We do not yet know what checklist or criteria would constitute passing a cyber health check. It may well be similar to the questions in the ‘Cyber Security Assessment Tool’ provided by the Department of Industry, Science, Energy and Resources.
So far, Strengthening Australia’s cyber security regulations and incentives suggests only two options for small businesses: keeping the current rules, or introducing cyber health checks. There is a good chance that new options will emerge as the discussion between the government and the public continues.
2. Is it mandatory yet?
It is ‘voluntary’ until it becomes a mandatory policy.
When the government wants to introduce new regulations, it does not change the rules completely overnight. To avoid confusion or opposition, it prefers to start with pilot programs, or to offer incentives to those who are willing to try the new ‘suggestions’. But you also need to understand that what starts out as a suggested, voluntary measure often ends up as mandatory policy. For example, electronic invoicing (e-invoicing) was initially only mandatory for the public sector, but the government has been working on plans to make it mandatory across both the public and private sectors.
3. Earning a trust mark, done, and then what?
Even though the government has suggested only two options so far, the regulations finalised in the near future may look quite different from what is in the current discussion paper. We expect many new criteria to be added in response to changing trends in cyberattacks. For example, say the owner of an e-commerce business logs into their website as an admin using a long, complex password. A strong password, or better still two-factor authentication on top of it, satisfies one of the very basic criteria in the current ‘Cyber Security Assessment Tool’ mentioned above. But if the website’s server is attacked by someone intent on stealing customers’ credit card details and personal data, a strong admin password alone will not save the company’s valuable data. Cybersecurity is not just about ticking every box in the assessment tool and receiving a pass mark. It is about securing the assets that matter to your business.
4. What you need to be ready for
It is not just about earning a trust mark. Cyber threats are real, and once a breach happens, a business without safeguards can lose a lot of money and its reputation. Cyberattacks are a matter of when, not if. Anyone can fall victim to a ransomware attack, and you may not even realise that your information has already been stolen. One way to protect your business is Network Security Monitoring (NSM), which watches the traffic on your network for signs of intrusion; the best services provide 24/7 monitoring. To small and medium business owners this may sound overwhelming, and you may wonder whether it is really necessary for you. If you are wondering whether NSM is crucial for your business, please contact us for a consultation.
5. Share your opinions with the government
The government is holding virtual open forums on these new cybersecurity regulations and incentives this July and August. Depending on where you live, you can register for the event in your state or territory and share your opinion on the reform. If you don’t have time to attend but have questions, leave them in the comment section below and we will ask them on your behalf. Helmsman Information Security will be at the NSW and ACT open forum on Friday 23 July, 2:00pm to 3:30pm (AEST). Stay tuned for a post about the event!