Key findings from Australian Cyber Week 2022


With the goal of exploring the full breadth of the cyber security sector, gathering cyber security professionals from across the country to analyse its current situation and look towards its future, Cyber Week 2022 was a great success.

Over a week spanning 12 events in 5 cities, we saw 3,000 people register for both online and in-person events. But what are the key learnings we can take from this week?

AustCyber’s Sector Competitiveness Plan 2022 Key Results

This year we launched AustCyber’s Sector Competitiveness Plan (SCP) at Cyber Week, with discussions throughout the week being underpinned by the report and its findings.

The key insights of this report include: 

  • Australia's cyber security sector will contribute an estimated $2.4 billion to the country's Gross Domestic Product in 2022, up from $2.2 billion in 2020.
  • Australia's cyber sector annual revenue growth has averaged 8.7% over the past five years – slower than other leading cyber jurisdictions.
  • Australia experienced 745 cyber attacks per day (one every two minutes) in 2021.
  • Australian cyber security startups receive 300 times less funding than international peer leaders.
  • A cyber attack against Australia (modelled in the 2022 SCP) could cost up to $12.6 billion.

Australia’s current cyber security situation can be summarised as a need to grow revenue. Australia must improve its startup environment, bolster domestic procurement and export capability, and better attract local and international talent. To accomplish these goals, the SCP outlines future opportunities that can be taken.

Government’s support for Australia’s cyber security industry

The two recent breaches publicised in the lead-up to Cyber Week represent an unprecedented example of the cost that arises when we as a country do not pay attention to cyber security. As addressed by Minister Clare O’Neil in her speech at the Cyber Week launch event, two crucial actions have been taken to better Australia’s cyber security future.

Firstly, the government has recognised the need to bring a greater focus and attention to the development and nurturing of the cyber security industry. This is highlighted by the appointment of a standalone cabinet minister for cyber security.

Secondly, to improve Australia’s cyber security infrastructure in response to the rise of cybercrime, the government has built a new model of policing designed to actively thwart cyber threats. This model exists as a partnership between the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP).

Cyber security for businesses 

Another focus of the week was the implementation of tactics that businesses can utilise to mitigate and respond to cyber threats. As recent reports have shown, over the last financial year, cyber attacks have increased by 13% to over 76,000. The same report highlighted the rise of cybercrime and its impact on Australian businesses, with the average cost rising by 14% to $39,000–$88,000 per attack.

Below are four important steps businesses can implement to mitigate and limit the impact of cyber threats:

1. Creating a team charter

By creating standard practices around how employees should collaborate and communicate internally, businesses can help their staff recognise and avoid falling victim to phishing attacks.

2. Adopting multi-factor authentication 

As technology constantly adapts, businesses need to protect their data. Multi-factor authentication (MFA) is an essential tool used to verify a user’s identity, e.g. with a verification code dispatched through SMS or a confirmation action in an app, before granting essential access. MFA prevents the use of compromised credentials for entry to your systems.

3. Understanding social engineering 

One threat often overlooked is social engineering, in which hackers target employees by exploiting human nature, often posing as a government agency or an authority figure within the business to elicit sensitive information from unsuspecting victims. To counter this, businesses must implement regular and comprehensive training, send test phishing emails to gauge employee responses, and implement a cyber policy.

4. Managing risk with a secure by design approach 

Building cyber security by design into a business's foundation will not only reduce costs but also minimise the vulnerabilities that may allow threats to penetrate the business. To best implement a secure by design approach, businesses must:

  • Create and apply a maintainable standard
  • Regularly inspect code and source material
  • Draw from traditional or reputable libraries
  • Ensure your developers are held accountable and have security in mind during the design process.

The condition of Australia’s cyber security industry

Michael Bromley, Stone & Chalk Group CEO, said, “Less than half of Australia's cyber companies export their security services overseas.” As a nation, we represent only 2.1% of the global demand for cyber security. The SCP clearly outlined that we have to be international to be successful, and that exporting is absolutely critical. 

This need to grow internationally is echoed by AustCyber Group Executive Jason Murrell: “Cyber security services require more. We don't do enough to actually support our local industry, which in turn impacts our ability to impact on an international scale.”

Equally important to spotlight is the lack of growth the industry has experienced over the past year, due to a reduction in government funding and a limited supply of talent. Mr Murrell also raised the question, “How is it possible that we can see an increase in prevalence and demand, yet less money is dedicated to the industry, this being an industry that is worth more than Australia’s health service?”

Cecily Rawlinson, Director of WA AustCyber Innovation Hub, stated, “The Australian global brand is really strong, but we need to link that to the things that we’re already recognised as being good at. I don't think people realise that the cutting-edge technology that's being spun out of institutions of WA. We have this amazing sovereign competence [and] it’s really something that we could do to revolutionise how we're communicating about cyber as an industry.”

Addressing the talent gap in cyber security

The simple and unassailable fact is that the cyber security industry in Australia is woefully understaffed, representing a major handbrake on the growth of our nation's cyber capability. It has been predicted that there will be a shortage of over 3000 workers by 2026, and the gap between demand and supply continues to widen.

But how do we fix this?

1. Address the issue at the primary education level

Cyber security needs to be better integrated into all levels of education, starting from primary school. Not only should it be treated as a third pillar alongside numeracy and literacy, but teachers also need to have additional support in delivering cyber education to their students.

2. Attract international talent 

A layered approach is recommended, including initiatives such as:

  • Increase support to skilled migrants currently working or wanting to work in Australia
  • Implement immigration programs with financial incentives to encourage international talent to come to Australia
  • Place a greater focus on leadership to address the workplace culture challenges facing many skilled migrants

3. Create a more diverse culture

To correct the gender imbalance within the industry, there need to be changes to the workplace culture within the cyber security sector. Employees need to feel a sense of belonging and respect at all levels. This could include providing additional support to young women and girls considering cyber security as a career, or getting a better understanding of why there may be resistance to change within the industry as it stands.