Australia's cyber reporting rules 'don't go far enough'
Mandated reporting of cyber breaches in Australia misses the vast majority of businesses and should be beefed up, as broader compliance-reporting demands would motivate firms to upgrade their security measures and take cyber threats more seriously, an expert says.
Australia mandates reporting of cyber breaches for companies with an annual turnover of more than $3 million and for specific industries, such as health service providers.
SentinelOne Regional Director Australia & New Zealand Jason Duerden says cyberattacks that don't involve data breaches posing risk to individuals do not need to be reported, and Australia lags North America and Europe in cyber-readiness and regulation.
“The law is a good start but unfortunately doesn't go far enough,” Mr Duerden said in an opinion piece shared with insuranceNEWS.com.au.
“Stricter reporting means higher standards of security,” he said. “Mass adoption of change only takes place when it becomes law.”
He notes 93% of Australian businesses have turnover below $2 million, and so only a fraction of companies within the country reach the reporting threshold.
“Reporting mandates are vital to a country's cybersecurity posture because they require businesses and organisations to implement advanced cybersecurity tools, such as Extended Detection and Response (XDR), to proactively monitor systems for breaches,” Mr Duerden said.
Security teams need to be able to discern between false positives and actual attacks, quickly investigate breaches, and have the tools necessary to gather data and submit reports, he said.
“Many Australian companies currently lack these capabilities and use legacy tools that are inadequate to respond quickly to cyber intrusions. Demanding reporting compliance will motivate them to upgrade and take cyber threats more seriously.”
Cybercrime rose 13% last financial year, according to the Australian Cyber Security Centre, with a new data breach reported every eight minutes and financial losses passing $33 billion.
“This is a staggering figure for our country,” Mr Duerden said. “For Australians to truly feel cyber-safe, the steps we've seen to date must be viewed as the first steps in a long-term prevention and mitigation campaign.”
A study by Cisco last year found two thirds of Australian SMEs had been victims of a cyber incident within the previous 12 months, costing their business $645,000 or more.
Mr Duerden recommends a more aggressive adoption of new cybersecurity technologies such as XDR and AI automation.