THE THREAT ENVIRONMENT
In June 2020, the Prime Minister brought to the Australian public’s attention the vulnerabilities which they may face through unsecure cyber assets. He announced that, after attacks from a “sophisticated, state-based cyber actor”, the Government was on heightened alert to the relatively new threat to Australian industries and businesses. 
The threat of an attack from a state-based actor may not, on first instance, necessarily pose an acute threat to most small to medium-sized businesses. However, business-owners should be aware of the increasing prevalence of online attacks by smaller but nonetheless detrimental adverse actors.
First, it may be helpful to clarify the difference between cyber security and online safety. As provided by the Australian Cyber Security Strategy 2020 (further discussed):
- Cyber security includes providing Australians with secure online protection of their data, information, devices and networks from malicious actors. The Australian Cyber Security Centre (ACSC), via cyber.gov.au, is the main point of contact for the public on cyber security.
- Online safety includes protecting individuals, families, and communities from harmful content and behaviours such as cyber bulling, image-based abuse and illegal and harmful online content. The eSafety Commissioner, via esafety.gov.au, is the main point of contact for the public on online safety
The scope of this article will cover, predominantly, the impacts and expected responses to cyber security as it relates to the operation and protection of Australian businesses and individuals.
In 2016, the ACSC began as an initiative of the Australian Signals Directorate (run by the Department of Home Affairs) to combat, inform of and regulate the role of cyber security within Australia. Since 2019, the ACSC has begun multiple inquiries and reports specifically to address the increasing threat of cyber-attacks. Of particular note to Australian businesses is the ACSC’s current Cyber Security Strategy 2020. This Strategy is largely informed by the ACSC Annual Cyber Threat Report 2019-2020, which provides for statistics that indicate how relevant cyber threats are to all Australians.
Figure 1 below outlines the threats to various groups within Australia, categorised by cyber security incidents (a single event or series of events that threatens the integrity, availability or confidentiality of digital information) that were least severe (Category 1 or C1) to most severe (Category 6 or C6). The largest proportion of incidents (36.5%) were a Category 5 – Moderate Incident.
As provided by the ACSC Report, the increase of cybercrime reports (Figure 2) directly correlates with cyber security incidents to which the ACSC had responded in 2019 to 2020 (Figure 3). Both figures show the general trend of increasing cyber threats from December 2019, with a high spike in the month of April 2020.
In April 2020, the ACSC reported that there were multiple large, co-ordinated attacks which were comprised mainly of phishing emails seeking to obtain sensitive information about Australian businesses and individuals. It is reported the adversary threatened to release the sensitive information of recipients’ friends and family unless paid a ransom.
The threat of fraud and extortion was the most predominant of all cybercrime reports, making up 39.68% of the total reported cybercrimes.  This statistic alone should be of particular concern to Australian businesses given the estimated overall loss of $850 million to Australians in 2020 from cyber scams.  This loss was an increase of 23% from the year prior. It has been estimated that total private sector costs of cyber security incidents are as high as $29 billion per year.
The Cyber Security Strategy 2020
The aforementioned ACSC Cyber Security Strategy 2020 (“the Strategy”) seeks to respond to these concerning statistics by providing both legislative proposals and practical guidance to assist Australians and their businesses. Key actions include:
1. Provisions in the Telecommunications and Other Legislation Amendment (Assisstance and Access) Act to provide law enforcement with broader powers to deter and disrupt dark web adverse actors;
2. The investment of $855.1 million over the next ten (10) years into the Australian Signals Directorate and to “enabling and enhancing intelligence capabilities”;
3. Enforcing positive security obligations for entities responsible for critical infrastructure such as energy, water and mining. This will be done through amending the Security of Critical Infrastructure Act 2018. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently sits before the Commonwealth Parliament with the positive security obligations involving three aspects:
a. Adopting and maintaining an all-hazards critical infrastructure risk management program;
b. Mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and
c. Where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.
4. In line with advice from the 2020 Cyber Security Strategy Industry Advisory Panel and stakeholder feedback, the Australian Government will work with businesses on possible legislative changes that clarify the obligations for businesses that are not critical infrastructure to protect themselves and their customers from cyber security threats. This consultation will consider multiple reform options, including the role of privacy and consumer protection laws, and duties for company directors; and
5. Ongoing consultation with industry and businesses.
Industry and Businesses Consultation
Critical to the consultation with industry and business is the Regulations and Incentives Paper of the ACSC which provides for further proposed strategies to be undertaken by the Government in response to cyber security threats. Its purpose is to offer policy considerations to which industry and businesses may respond to in relation to commercial incentives and costs.
Briefly, the paper considers implementing possible new policies, such as:
1. Minimum standards for personal information to be further enabled by the Privacy Act 1988 (Cth) (“the Privacy Act”);
2. Mandating standards and labelling for smart devices of the ‘Internet of Things’ through the Code of Practice: Securing the Internet of Things for Consumers.
3. Promoting responsible disclosure policies;
4. Promoting health check programs for small businesses, with a basic level of due diligence provided by a third party or Government; and
5. Legal remedies for consumers through Australian consumer law reform and further direct right of action through the Privacy Act.
The Government is currently allowing submissions on its Regulations and Incentives discussion paper, until 11:59pm on Friday 27 August 2021. Visit the Department’s webpage to make a submission.
GUIDANCE FOR CYBER SECURITY PROTECTION
The ACSC has comprised the following guidelines for businesses and individuals to prevent and respond to cyber security incidents which may arise out of fraudulent or compromised emails. Noting the statistics mentioned prior, having a clear understanding of this guidance will mitigate the most pertinent cyber risk Australians face – becoming a victim of email fraud.
Email Security Prevention Protection Guide
- Turn on multi-factor authentication. This kind of authentication requires a combination of something an online user knows (passwords or PINs), something a user has (smartcards, access keys or mobiles) and something a user is (biometric data such as fingerprint scanning). To effectively enable multi-factor authentication, contact your IT provider;
- Protect your domain names. This may mean registering multiple domain names which are similar to your existing domain. The expiry date of domain registration/s should be noted;
- Set up email authentication measures. Discuss with your IT provider the inclusion of Sender Policy Frameworks (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Implementing these protocols will mitigate against emails being sent fraudulently on your business’ behalf;
- Make your personal online presence private. This may involve ensuring that personal social media accounts do not ‘post’ sensitive information about business-related material or documents.
- Ensuring policies and procedures are up to date. There are multiple policies and procedures relevant to the privacy and security of Australian businesses. Such policies are necessary to adopt legal obligations and mitigate against external (and internal) cyber security threat.
- Training and awareness. It is important to ensure that all staff and employees of any business are aware of the expectations clients, customers and employers hold in relation to cyber security. Of particular importance is managing financial and banking practices. Receiving and making payments should be secure.
Emergency Response to Email Hacking
1. Report to authorities. Reporting cyber security incidents through the ACSC’s Report Cyber Portal allows for reports to go directly to the affected person/business’ police jurisdiction. Take note of the Report Reference Number (beginning with ‘CIRS-’) for your records. Report to your banking or financial institution if the incident involves money.
2. Check your account security. There are multiple steps involved in the review of email account security. These steps may be taken if an incident is suspected of having occurred or for general due diligence:
- Change your password/passphrase/PIN;
- Update your account recovery details (third party accounts used for recovery);
- Sign out of all other sessions, including in other open browser tabs or other computer sign-ins;
- Enable multi-factor authentication, as discussed earlier;
- Review account mail settings (including mailbox rules)
- Review third party application access;
- Check login activity; and
- Review your email folders, devices and other accounts.
- Request a domain takedown through the .au Domain Authority, auDA. auDA is the official Australian authority for all “.au” website domains. If there is a suspicion that a domain is acting adversely against your business, you may contact the domain owner through the Registrar Abuse Contact Email, by visiting:
Proper adherence to cyber security principles and expectations involves the consideration of a business’ individual circumstances and capacity. Ensuring adherence to obligations such as those which arise from the Privacy Act and Australian corporate and consumer law are essential for all relevant Australian businesses.
Our expert team at Corney & Lind Lawyers has extensive experience in advising on the provisions of various company policies and procedures (including Privacy Policies), the roles and expectations of company directors and responding to the legal ramifications of cyber security incidents. Contact our team for further assistance and tailored, informed advice.
This article was written by Kerry Copley
 Statement of Malicious Cyber Activity Against Australian Networks; 19 June 2020; Prime Minister, Minister for Home Affairs and Minister for Defence.
 Page 5, ACSC Cyber Security Strategy 2020.
 Figure 2, page 7; ACSC Annual Cyber Threat Report 2019-2020.
 Figure 1, page 6; ACSC Annual Cyber Threat Report 2019-2020.
 Figure 5, page 10; ACSC Annual Cyber Threat Report 2019-2020.
 Page 11, ACSC Annual Cyber Threat Report 2019-2020.
 Page 1, ACCC Targeting Scams: Report of the ACCC on Scams Activity 2020.
 Frost and Sullivan 2018, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, available at https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75- trillion-in-economic-losses/.