The Australian government’s Cyber Security Strategy 2023-2030 is a robust and ambitious plan that aims to take Australia from being highly vulnerable to cyber risk, to being one of the world leaders. 

This will be achieved over three “phases.” According to that strategy, the country needs to be acting on phase one now while preparing the ground for phases two and three. Moving fast with phase one is important, in light of the recent ASD report that found that the number of cyber attacks is increasing rapidly (up 14% in the last year alone), as is the cost to individuals and businesses.

The good news is that phase one is a practical and well-structured way to prepare the foundations for what will come next, and it should in itself deliver an immediate improvement to Australian cybersecurity. 

This phase primarily aims to strengthen the foundations of cyber security by addressing critical gaps in cyber defences and building better protections for vulnerable citizens and businesses. We can expect to see various supports for resource-strapped SMEs, for example, as well as wide public education campaigns that will be designed to help the less technically aware understand best practices in cyberspace.  

There will also be a particular focus placed on critical infrastructure, given that those environments are typically more vulnerable as targets. This is also in response to the increasing rate with which state actors are introducing threats to the cyber sphere. For example, Russia’s Federal Security Service introduced the “Snake” malware to further its cyber espionage strategy, and China’s state-sponsored actors have mastered “living-off-the-land” techniques to target and compromise critical infrastructure targets.

What is particularly positive to see in light of these threats is the collaborative tone that the government has taken with its Cyber Security Strategy and that the government understands the importance of co-designing legislative reforms with input from the industry to bolster cyber defences. 

For businesses, it will mean preparing for a raft of new cyber obligations, and it will require that they understand that there is a new reality where there is an exponential increase in threats and vulnerabilities are being exploited in hours. However, taking the right steps in response will put better structures in place than exist currently, such as streamlined reporting processes, improved incident response mechanisms, and better sharing of lessons learned post-cyber incidents. 

In short, these measures are not just reactive but proactive, aiming to prevent cyber threats before they occur but also acknowledging that they will happen and making sure that Australia, as a nation, can learn the critical lessons from these incidents to build better protections out of those lessons.

How to think about phase one

Across industry and government, the immediate priorities that this first phase requires include:

1. Approach The New Strategy With Positivity: The first phase of the strategy highlights the importance of being proactive in cyber security. Rather than waiting for cyber threats to materialise, Australia should anticipate them and take preventive measures. This includes regular risk assessments, continuous monitoring of cyberspace, and staying updated with the latest cyber threat intelligence.
2. Promote Public-Private Partnerships: The strategy’s emphasis on co-designing legislative reforms with the industry underscores the need for stronger public-private partnerships in cyber security. Companies and political organisations should be looking to actively engage with the government now, because the shape that these cyber security foundations take will determine the ultimate success of the later phases, and the overall strategy and vision.
3. Invest in Cyber Maturity: The strategy’s goal of supporting improved cyber maturity uplift across the region is a critical lesson for Australia. It is not enough to have advanced cyber defences. It is equally important to have a mature cybersecurity culture behind those technology investments.
4. Act on Existing Best Practices: There are already several best practices strategies that have been structured by the government, including the OWASP Top Ten Proactive Controls. These involve regular vulnerability scans, patching, multi-factor authentication, strong passphrase policies, blocking unauthorised Internet-facing services, decommissioning unnecessary systems, and user training to recognise phishing. Implementing these will help to prepare the organisation for future cyber policies.

Overall, for Australian companies and political organisations, this stage of the strategy is a call to action, and largely about establishing a mindset that the country will be more proactive with its cyber security than it has in the past. 

The foundations set here will dictate the tone for the rest of the strategy, so expect the consultations and collaborations between industry and government to be particularly robust over the next two years, and, by the end of it, we should see an environment where individuals, business and government are aligned with what we need to do build resilience while embracing the digital future.

Services that can help organisations stay on top of Phase one

For many organisations, one of the big challenges in meeting the challenges presented by phase one will be the lack of internal resourcing to fully bridge the scope of the strategy. For these organisations, partnering with experts like Excite Cyber can address these challenges.

Solutions that are related to the Cyber Security Strategy 2023-2030 include:

Comprehensive Risk Assessments and Audits: These services evaluate an organisation's current cybersecurity posture, identify vulnerabilities, and provide recommendations for improvement. This should include network security, endpoint protection, and application security assessments.

Data Protection and Encryption Services: Given the emphasis on data breaches in the strategy, these solutions for data encryption, both at rest and in transit, to protect sensitive information. This includes encryption for stored data, database security, and secure communication protocols.

Advanced Threat Detection and Response: Implementing systems that proactively monitor networks for signs of intrusion or unusual activity, using AI and machine learning technologies where applicable. Offering incident response services to quickly address and mitigate any breaches that occur.

Ransomware Protection and Recovery: Developing and implementing ransomware mitigation strategies, including robust backup solutions and recovery plans to minimise the impact of ransomware attacks.

Identity and Access Management (IAM): Providing solutions for robust IAM, including multi-factor authentication (MFA) and strong passphrase policies to mitigate the risk of stolen credentials and unauthorised access.

Patch Management Services: Offering services to manage and apply security patches and updates to client systems. This includes regular scanning for vulnerabilities and ensuring timely application of fixes.

Phishing and Social Engineering Defence Training: Conducting regular training sessions for client staff to recognise and respond to phishing and social engineering attempts, which are common initial attack vectors.

Compliance and Regulatory Advisory Services: Assisting clients in understanding and complying with relevant cybersecurity regulations and standards, ensuring they meet industry-specific security requirements.

Managed Security Services: Offering ongoing managed security services, including 24/7 monitoring, threat intelligence sharing, and regular security reporting to keep clients informed and prepared against evolving cyber threats.

Supply Chain Security: Providing services to assess and secure clients’ supply chains, ensuring that third-party vendors and partners adhere to stringent cybersecurity standards to prevent breaches through the supply chain.

Security Architecture Design and Review: Offering services to design or review an organisation's security architecture, ensuring it aligns with best practices and effectively mitigates risks. This includes secure network design, segmentation, and implementing secure-by-design principles.

Cloud Security Solutions: As many businesses migrate to or operate in the cloud, there is a need for specialised services to secure cloud environments, including cloud access security brokers (CASB), secure cloud storage, and cloud-specific vulnerability assessments.

Internet of Things (IoT) Security: Providing services to secure IoT devices and networks, which are increasingly targeted due to their weaker security measures. This includes securing connections and ensuring the safe integration of IoT devices with existing networks.

Mobile Security Solutions: Developing solutions to secure mobile devices and applications, as these are becoming more prevalent in business environments and can be a source of vulnerabilities.

Zero Trust Implementation: Promoting and assisting with implementing a Zero Trust security model, where trust is never assumed, and verification is required from everyone trying to access resources in a network.

Cybersecurity Awareness Campaigns: Conducting campaigns to raise cybersecurity awareness within client organisations, emphasising the importance of everyone’s role in maintaining security.

Disaster Recovery Planning: Providing services for developing and testing disaster recovery plans, ensuring businesses can continue operating or quickly resume operations after a cyber incident.

Vendor Risk Management: Helping clients assess and manage risks associated with their vendors and third-party service providers, ensuring that these external entities do not become a weak link in the security chain.

Regulatory Compliance Automation: Offering solutions that automate parts of compliance monitoring and reporting, reducing the burden on clients and ensuring ongoing adherence to relevant regulations and standards.

Dark Web Monitoring: Monitoring dark web forums and marketplaces for stolen data or credentials from clients’ domains, providing an early warning of data breaches or misuse of company information.