Clare O'Neil's announcement of a $600m investment to make Australia the world's most cyber-safe country shows that cybersecurity can be a source of competitive advantage - not just for individual businesses but for an entire nation.
Across a tenure spanning over a decade in the cybersecurity domain, the observable shift is stark. Traditionally viewed as an expense, cybersecurity investments were predominantly associated with risk mitigation rather than revenue generation or amplified profitability. Quantifying the return on investment in this realm was challenging, especially considering the unpredictability of potential data breaches and their consequential impact.
However, the landscape is evolving. The aftermath of COVID-19's disruptions to supply chains has led astute business leaders to acknowledge the pivotal role of robust cyber hygiene as a competitive differentiator. Requests for Proposals (RFPs) increasingly scrutinise the cybersecurity credentials of potential suppliers, while public trust in organisations experiencing high-profile breaches has been significantly eroded.
One topic of debate this year has been whether to make the paying of ransoms illegal. While we should avoid providing additional funding to cyber criminals, such legislation would risk incentivising the wrong behaviour where organisations would pay a ransom but avoid reporting the breach, robbing other organisations (and the Government) of the ability to prepare for a similar style of attack.
A more pragmatic approach entails fortifying Australia's cyber resilience to such an extent that it ceases to be an attractive target for cybercriminals, a core objective of the recently unveiled 2023-2030 cybersecurity action plan by the Albanese Government. Collaborating with industry stakeholders to devise a mandatory ransomware reporting obligation devoid of fault or liability is a key facet of this strategy.
Drawing parallels with the aviation sector, where investigations into incidents and near misses have engendered a sustained reduction in fatalities despite a surge in air travel, underscores the importance of learning from past cyber breaches. As has been observed in the airline sector, investigations into reports and near misses have caused a long-term downward trend in airline fatalities since the 1970s, even while air travel has increased dramatically.
Nassim Taleb even pointed out the phenomenon in his book Antifragile: failure saves lives. In the airline industry, every time a plane crashes, the probability of the next crash is lowered as a result. While that may be a morbid example, learning from the breaches of the past will help us prevent the breaches of the future. Imagine the situation today if airlines refused to share information about airline accidents or near misses for fear of embarrassment.
When a major cyber incident does occur, the horse has already bolted. Fines can be levied, and penalties can be incurred, but neither of these things will have a major impact on preventing future breaches from occurring. What can we do instead?
We can learn from these incidents - the good, the bad, and the ugly. By helping businesses and consumers become more cyber aware and building a culture where all Australians do the right thing (and commend the right response when incidents do occur), we will achieve Clare O'Neil's ambitions and all contribute towards protecting Australia's way of life in this digital world.