Businesses will soon have access to industry-specific cybersecurity standards intended to better suit their individual operational requirements.

Standards Australia has launched a new task force of industry representatives tasked with establishing baseline cybersecurity standards and industry-specific extensions.

The new task force, which met for the first time this month, aligns the industrial standards-setting body with cybersecurity development group AustCyber and the NSW government in an effort that its members agreed would “improve the practice of cybersecurity across Australian industry through sector-specific initiatives and technical guidance, greater cooperation between technologies, and learning from global examples”.

Its membership includes NSW Customer Service Minister Victor Dominello, representatives of AustCyber and Standards Australia, and senior executives from the likes of Defence NSW, Energy Networks Australia, university body Group of Eight, Fintech Australia, the Australian Private Hospitals Association, Australian Industry Group, cybersecurity firm CyberCX, security executive body CISO Lens, and others.

“With our daily lives so reliant on technology, and as we give more and more of our data to government and businesses, Australians are more vulnerable than ever before in regards to the potential malicious use of data,” said Mr O’Connell in launching the initiative.

“Tackling a problem of this magnitude should not fall to one company to manage in isolation, rather it should be industry-wide as part of a comprehensive response.”

Extending the Essential 8

With input from a broad range of industries, the task force will have access to a wealth of topical cybersecurity experiences that should improve the industry relevance of the guidance it produces.

This would position that guidance as an alternative to the Australian Signals Directorate (ASD) Essential Eight, which outlines general cybersecurity hygiene practices that all companies should follow but does not offer industry-specific guidance.

Prime Minister Scott Morrison referred to two of the Essential Eight guidelines – promptly patching systems to fix security bugs, and using multi-factor authentication to foil would-be hackers – in the recent press conference where he warned that Australia was under increasing attack from a “sophisticated state-based cyber actor” across “a range of sectors”.

Many industries already have access to guidelines for securing everything from energy systems to medical devices, as well as prescriptive requirements like those imposed by the Defence Industry Security Program (DISP).

Adding to the roster of available guidance are the broad and deep ISO/IEC 27000, 27001, 27002 and 27032 standards, the US NIST Cybersecurity Framework, and the UK Minimum Cyber Security Standard that was imposed as a baseline on government bodies in 2018.

Different standards “have frameworks that tackle information security and risk management from different angles,” a recent Compliance Council comparison noted.

“The right choice for an organisation depends on the level of risk inherent in their information systems, the resources they have available and whether they have an existing cybersecurity plan in place.”

Simplifying cybersecurity guidance

Yet with even well-resourced government agencies failing to live up to their own standards time and again, achieving standards compliance can be daunting for ordinary businesses.

Resolving this challenge is a key goal of the Standards Australia task force, whose work will not only develop clear cybersecurity guidance but will inform the ongoing development of the government’s 2020 Cyber Security Strategy – which has received over 210 submissions as part of what Department of Home Affairs guidance calls “an ongoing conversation between governments, industry, academia and the community”.

Standards Australia already has experience normalising a baseline of cybersecurity controls across geographies, with its Pacific Islands-focused Cyber Security Regional Standardisation Enhancement Program delivering its final report in January.

Similarly, the new task force will work to evaluate existing domestic and international cybersecurity guidance against an escalating attack climate that has left many businesses exposed as they adapt to rapidly changing COVID-19 and post-pandemic business environments.

“Recent events have highlighted the genuine threat posed by cybersecurity,” O’Connell said. “To be part of leading a national response to this challenge is something Standards Australia takes very seriously.”