Skip to main content

Maximising identity security to build and maintain public trust

Dr Stephenie Andel

Head of Strategic Policy

Cyber Security Cooperative Research Centre

Government keynote highlights from Dr Stephenie Andel, the Head of Strategic Policy from Cyber Security Cooperative Research Centre – in which she discusses about understanding the ‘State of Identity’ in a post-COVID world.

A changed cyber landscape

With the increase in internet usage as a result of remote work because of the pandemic, there has also been an increase in cyberattacks, both in Australia and around the world. In fact, Dr Stephenie Andal, the Head of Strategic Policy at the Cyber Security Cooperative Research Centre (CSCRC), says that “COVID-19 has proved to be a boon for nefarious cyber actors, and that during the various lockdown periods, Australia has witnessed an exponential rise in cyber activity by malicious cyber actors.” This is something that an organisation like the CSCRC monitors because they are “a Commonwealth-funded entity that builds effective collaborations between industry, government and researchers, creating real-world solutions for pressing cyber related problems.” They are “dedicated to strengthening Australia’s cyber security capabilities.”

The key element of every cyberattack and cyber mitigation strategy is trust. In some ways, public trust is at an all-time high. “It’s hard to understate how much the pandemic has caused a tectonic shift in the way organisations and employees operate.” Everyone, from individuals to corporations and governments has “embraced digital transformations and adopted new technological solutions at a truly astonishing pace.” However, this has led to “many workers and organisations with less than optimal cyber security protections, whilst concurrently, cyber criminals have upped the ante.”

Obviously the pandemic has been and continues to be “a period of profound geopolitical, technological and societal change.” As part of that though, it has also been a “truly a fantastic opportunity to build more digitally enabled services, but these solutions and approaches must come hand in glove with ensuring that innovation remains secure-by-design, with cyber security practices and methodologies embedded into the process.” More than that, cyber security has become “an organisational imperative” because there’s been a surge in internet traffic and activity which has led to criminals “seeking to strategically disrupt critical infrastructure and global supply chains to exploit network vulnerabilities and to gain access to sensitive data.” This is happening globally, and there has been a string of high profile breaches in the last two years, including at organisations that should otherwise be secure, like “NATO, the European Parliament, and nine US federal government departments.” There have also been attacks at some of the largest companies in the world, including the Colonial Pipeline in North America, “which supplies approximately 45% of the fuel to the east coast of the US, and a very significant ransomware attack on JBS Foods, which is the world’s largest meat supplier.” The point being that if attacks can happen at such large and secure corporations, they can happen anywhere, and they have. In Australia there have been attacks at Blue Scope Steel and Lion Dairy & Drink. Several reports indicate that cyber-crimes globally are now “up 50% on 2018 figures.”

Despite all this, and the fact that even the Prime Minister has said that “sustained malicious cyber activity was being directed at Australian networks by sophisticated state-based cyber actors, cyber security is continuing to fly under the radar of organisational decision-makers.” Some studies have said that up to “94% of Asia-Pacific CEOs are not in regular conversation with their cyber security officers or with those responsible for managing their cyber security risks.”

This is of critical importance because of data, “which is today’s virtual gold, since we live in a data-driven age.” In fact, some of the data that is regularly racing around the world “is perhaps the most valuable asset that economies and societies around the globe possess.” The public sector in western countries like Australia is particularly vulnerable, “with 16% of cyber breaches in 2019-20 globally found to have taken place across the public sector.” In Australia in particular “there is an urgent need for a baseline cyber security uplift across the government ecosystem. “

““The Office of the Australian Information Commissioner recently noted that 88% of data breaches in the latter half of 2020 within Australian government departments were caused by human error, and that Australian government agencies remain vulnerable to data breaches. Australian government agencies also took longer to identify breaches, underscoring the need for best practice adherence in order to maintain public confidence in data handling procedures.””

Dr Stephenie Andal, Head of Strategic Policy, Cyber Security Cooperative Research Centre

An opportunity for leadership

The pandemic has changed the way government agencies work, but has also provided an opportunity for “government departments and agencies to act as exemplars.” This has already begun, with the November 2020 introduction of the Data Availability and Transparency Bill “to safeguard public sector data, and to ensure better, more holistic and streamlined delivery and access to that data.” On top of that, the federal government has also released the Digital Economy Strategy 2030 which “really sets forth the steps for Australia to become a leading digital nation by 2030.” This dovetails nicely with a number of other papers and strategies released by various organisations “to harmonise and effectively leverage data sharing across agencies in order to streamline data management and security.” However, it is equally important to take into consideration “security and privacy concerns, especially in relation to citizen data at a time of rapidly evolving public health concerns.”

To mitigate the cyber security concerns, there are number of factors that organisations can employ in order to be world-leading. For instance, “organisational leaders need to start treating online assets and managing data with the same level of care and attention that they pay to real-world assets.” This includes proper storage and protection, as well as “effective cyber security controls and good cyber hygiene.” The most important factor however is people, and building their awareness about the potential threats. After all, “in most cases it comes down to just one person’s actions or misunderstandings for cyber criminals to gain access to a system.”

Directors should therefore adopt cyber security best practices and “implement the ‘Five Knows’ to protect their organisational data.”

These are the five points that the CSCRC recommends:

  1. Know the value of your data – understand who might want to access it
  2. Know who has access to your data – understand the admin privileges
  3. Know where your data is – geographically and / or in the cloud
  4. Know who is protecting your data – what systems are implemented to manage risk
  5. Know how well your data is protected – have visibility into the controls and practices to protect customer data

Apart from all that, “the CSCRC urges all government entities and departments to speak to the Australian Cyber Security Centre (ACSC) and to use their Essential Eight tool, which sets the industry standard and provides a baseline for organisational cyber security implementation.”

““At the end of the day, it’s really the responsibility of all senior decision-makers to be aware of and effectively manage cyber security risks, to ensure that the appropriate measures are in place, and to foster a culture in which cyber security really does matter. If cyber security matters to decision-makers then it will trickle down and become a priority for the whole organisation.””

Dr Stephenie Andal, Head of Strategic Policy, Cyber Security Cooperative Research Centre

8