Cybersecurity rulings important for all Australian businesses

The world of cybersecurity is full of principles. Principles about patches, passwords and people. Principles on physical security, phishing and firewalls. But until recently, there have been few legal precedents that support these principles, and without this precedent, the principles can be difficult to enforce.

However, two landmark cases decided last month will help set a new precedent for cybersecurity in Australia: one in the Federal Court and another in the ACT Civil and Administrative Tribunal. Both cases deserve the utmost attention from senior management, councils and directors as our nation navigates a new era of rising cyber risk. These cases should not be dismissed as merely technical "principles".

After years of legal dispute, on 5 May the Federal Court issued its long-awaited ruling on an action brought by the Australian Securities and Investments Commission in 2020 against RI Advice Group. ASIC alleged that RI Advice had inadequate cybersecurity controls, which the company did not remedy despite being aware of the shortcomings. Over a six-year period this led to sensitive customer information being compromised several times, a brute-force attack that resulted in ransomware being deployed, and one customer losing $50,000.

In its ruling, the court found that RI Advice had contravened the Corporations Act "as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience".

Although the judgment is reasonably limited in detail, since the parties had reached an agreement on the outcome, RI Advice was ordered to pay a contribution of $750,000 towards ASIC's costs and to carry out a comprehensive, court-supervised review of its cybersecurity, to commence within one month of the judgment.

It is important to note that in the judgment, Justice Helen Rofe highlighted the critical role of organisational cybersecurity, stating: "Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."

Ultimately, this ruling shows that ASIC is paying close attention to the cybersecurity practices of the organisations within its remit and is willing to take action. More broadly, it is a clear signal to organisations across the economy that the Corporations Act applies to cybersecurity, and that it is only a matter of time before more cybersecurity-related actions are brought before the courts.

The second case, a civil dispute between a seller and a customer in the ACT Civil and Administrative Tribunal, is relevant to all businesses, but small and medium-sized businesses should pay particular attention. They are a major target for cybercriminals and generally have weaker cyber protections: the soft underbelly of Australia's cybersecurity ecosystem.

The case involved a machinery supplier (the applicant) and a diesel assembly company (the respondent). Their relationship began when the respondent sought to buy a machine from the applicant. A deal was agreed and bank details for the $5,499 purchase were exchanged.

Unfortunately, the respondent's email had been compromised by a cybercriminal. Within hours, the criminal sent the buyer a fake email stating that the seller's bank account details had changed and that the funds should be deposited into a different account. By the time both sides realised what had happened, the money was gone.

This type of crime, known as business email compromise, or BEC, is on the rise. According to the Australian Cyber Security Centre, Australians reported more than 4,600 BEC incidents in 2020-21, with losses of more than $81 million.

In this case, the applicant took the matter to the tribunal to recover the $5,499 owed. The respondent argued that the payment had been made in good faith and therefore there was no case to answer, even though the money had been stolen by a cybercriminal and the applicant never received the funds.

Ultimately, the tribunal ruled in favour of the applicant, finding that "the responsibility for correct payment rests with the respondent and it was for the respondent to take care to ensure that the payment was made. The money was paid into an account that did not belong to the applicant and remains unpaid."

As Australia moves towards an increasingly digitised economy, more and more companies, large and small, are hosting valuable data on internet-connected systems. That is a good thing, but it also means cases like these are likely to become more common. They don't have to.

While there is no perfect solution to the cybersecurity puzzle and no silver bullet to prevent cybercrime, there are steps that all organisations can and should take to strengthen their cyber defences. There are also incentives that small businesses in particular can take advantage of, such as the instant deductions for cyber uplift and training announced in this year's federal budget.

And while principles are essential, there are three key concepts on which every organisational approach to cybersecurity must be built: risk, resilience and recovery.

Know your key risks and manage them appropriately, in a way that fits your organisation. There is no one-size-fits-all approach. Cyber risk cannot be eliminated, but it can be managed effectively.

Build cyber resilience to address the risks you have identified, and recognise that people are central to that resilience. Make cybersecurity intrinsic to your organisation's culture.

And finally there is recovery, because when things go wrong you need a plan. Organisations with a clear continuity plan can recover more quickly, potentially reduce the impact of a cyber incident, and get back to business.
