Australia beefs up cyber defences after major breaches

Australia will give cyber health checks for small businesses, increase cyber law enforcement funding and introduce mandatory reporting of ransomware attacks under a security overhaul announced last week after a spate of attacks.

The federal government said it will also subject telecommunications firms to tougher cyber reporting rules which apply to critical infrastructure, seek migrants to build up the cyber security workforce and set limits on inter-agency data sharing to encourage people to report incidents.

The A$587 million ($382 million) plan shows the centre-left Labor government trying to get on the front foot after a year in which nearly half the country’s 26 million population had personal information stolen in just two data breaches at companies, while a cyber attack at its biggest port operator this month brought supply chains to a standstill.

“We cannot continue as we have,” Cyber Security and Home Affairs Minister Clare O’Neil told reporters in Sydney.

“We can’t have a situation where we have data flying around the country, where we have critical infrastructure starting to fail, where we have small business and citizens who are continually telling us they feel vulnerable and unable to cope with the cyber threats themselves.”

Prime Minister Anthony Albanese said national security typically meant “military assets in the traditional sense but increasingly, we’re talking about cyber … because of the economic impact that it can have.”

Cybercrime reports in Australia jumped by nearly a quarter in the year to June, with the average cost to victims up 14 per cent, the Australian Cyber Security Centre said in a report this month, which noted a new defence agreement with the US and Britain had made the country a bigger target.

Unveiling the seven-year strategy, O’Neil said that while large businesses received some of the biggest cyber attacks, they typically recovered, but attacks on small and medium-size businesses could be terminal.

The Australian Securities and Investments Commission (ASIC) said this month that 44 per cent of companies it surveyed had no plan to stop data breaches originating from supply chain partners.

Companies backed the plan, saying the country’s estimated 2.5 million small and mid-sized businesses were the engine-room of the economy but largely unprepared for cyber crime.

“The small-business sector is a huge driver of economic growth but they continue to face alarming rates of cyber crime,” said Patrick Wright, head of technology and enterprise operations at No. 3 lender National Australia Bank (NAB.AX).

Aidan Tudehope, co-founder of Macquarie Technology (MAQ.AX), which supplies data services for 42 per cent of Australian federal agencies, said the strategy was a “unifying nationwide endeavour” after the country’s cyber policies had become fragmented.

Under the strategy the government said it would set up a single portal for reports of cyber attacks and establish “cyber rapid assistance” teams to respond to incidents in the Pacific region, as well as identifying network vulnerabilities.

The government would meanwhile seek to cut the amount of customer data companies were required to keep. Breaches in 2022 on No. 2 telco Optus, which is owned by Singapore Telecommunications, (STEL.SI) and No. 1 health insurer Medibank Private (MPL.AX) exposed information stored sometimes years earlier including data belonging to people who were not customers.