Some of the most significant steps forward in Australia’s corporate cyber security strategy took place in recent weeks, with implications for every industry, property included. First, ASIC released findings from its 2023 cyber pulse survey (Report REP 776, Spotlight on cyber: Findings and insights from the cyber pulse survey 2023, asic.gov.au), which detailed alarming deficiencies in business cybersecurity defences and set out basic cyber security management practices for companies. The report was followed by this month’s release of the Federal government’s long-awaited Cyber Security Strategy for 2023-2030. Hailed as a roadmap to “help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030”, it outlines a series of measures to improve cyber security and risk management across the nation for both business and the community.

Breaches galore

Cybercrime has shot to the top of business concerns following widescale breaches across numerous organisations including giants like Medicare and Optus. Commercial property agencies and their stakeholders are as vulnerable as the rest, especially as smart buildings filled with new technologies linked to large amounts of data are providing increasingly tempting targets for those skilled in gaining unauthorized access.

In its submission to the federal government’s Cyber Security Strategy earlier this year, the Real Estate Institute of Australia (REIA) noted that property companies of all sizes had suffered cyber-attacks in the 12 months to April 2023 with the average cost of a breach totalling $33,442 for a medium-sized enterprise. In addition, 30 per cent of property agencies surveyed by the REIA said issues around data privacy and security were proving a barrier to implementing new technology.

Growing cyber threats

The cyber threat is far from diminishing, too. The Australian Signals Directorate’s (ASD) latest Annual Cyber Threat Report (ASD Cyber Threat Report 2022-23), issued the day after ASIC’s cyber pulse survey, showed cybercrime rose 23 per cent during 2022-2023.

Some of the more concerning findings from ASIC’s cyber pulse survey give clues as to why:

  • Third-party risk and supply chain management – 44% of respondents did not manage third-party or supply chain risk, and it was noted that, because most Australian companies outsource their IT systems to third-party providers, this was a common source of attack.
  • Protecting confidential information – 58% of respondents had limited or no capability to protect confidential information adequately, including a lack of data encryption policies, data retention policies and information flow mapping capabilities.
  • Cyber incident response plan – 33% of respondents did not have a cyber incident response plan, and many of those with incident response plans were not testing them.
  • Cyber security standard – 20% of respondents had not yet adopted a cyber security standard.

Organisations of all sizes and across every industry are clearly grappling with how to mitigate the occurrence of cybercrime as well as the damage they incur. Cybercrime consultant Brendan Read advises organisations impacted by data breaches and has acted as a computer forensic expert on an investigation into a cyber incident at a property investment firm. His top tips for business and agency owners include:

  • Stepping up cyber awareness for all employees: “We know from responding to cyber incidents that the vast majority of these incidents happen as a result of human actions, whether through mistake, ignorance, carelessness, or even malice,” he says. “Cybersecurity education is essential to reduce these risks and contribute to the security of every business.”
  • Promoting safe and responsible use of AI
    “Artificial Intelligence is bringing great advantages to our nation … but also comes with cyber threats,” Mr Read says. “AI-based threats include the use of AI to create ever more convincing phishing messages, which can now look and sound even more as if they come from real people, increasing the likelihood of the scam's success.”
  • Ensuring there is access to trusted support after an incident
    “We see so frequently that the incident response support engaged by the business to restore its systems fails to appropriately investigate the incident and find out who was responsible and what data was exfiltrated,” Mr Read explains.
