“[They] accept that the likelihood of an attack happening will remain high despite the investment in preventative controls and that the most effective way to treat that residual risk is to reduce the impact by improving the organisation’s ability to recover,” he says.
Undertaking a “bare-metal” rebuild without being able to count on lights, phones or computer networks is not for the faint-hearted.
“It is somewhat of a lost art, given how resilient to faults technology systems have become over the past few decades,” Sayer says.
While risk mitigation is behind a lot of this activity, regulation is also motivating it.
In response to a surge in ransomware attacks, the government fast-tracked through Parliament regulatory amendments allowing it to assume control of critical infrastructure if a cyberattack threatens national security.
It is also extending security obligations to new sectors – including banking and finance, communications, data storage and processing, defence, education and research, food and grocery, health, space, and transport. Dell is one of the companies captured by the expanded scope.
In the landscape beyond critical infrastructure entities, the government is debating whether existing provisions in corporations, consumer and privacy law are sufficient to deal with cyber threats.
Industry is lobbying for guidance rather than a prescriptive approach.
“The pathway forward is not to impose new regulation or change existing legislation around consumer law and corporations law to specifically include cybersecurity,” Andy Penn, Telstra chief executive and chair of the federal government’s Cybersecurity Industry Advisory Committee, says.
“But developing voluntary standards of best practice will be helpful and inform whether directors’ duties have been properly discharged,” he says.
Even if it successfully side-steps prescriptive new rules, big business will not be afforded a leisurely adoption period. The threat is simply too great.
“We’re seeing directors becoming more aware of cybersecurity risks and more concerned about their liability if their respective organisations aren’t doing what’s considered a ‘reasonable’ job of protecting…