Australian Security Leaders Assess Impact of New Amendments to the Security of Critical Infrastructure Bill

January 20, 2022

The global events of 2021 again made it difficult to plan and execute most face-to-face gatherings as a security and technology community. Nothing quite beats eye contact and an elbow bump in real life.

After two false starts, I was thrilled to join BeyondTrust and 16 security and technology leaders in Melbourne toward the end of November 2021. The opportunity to share stories from the past 18 months, feel aligned to peers, and ask questions for the benefit of all around the table felt foreign, but comfortable all at once.

Critical infrastructure organisations have been the target of a significant number of cyber breaches over the past 12 months, including the Colonial Pipeline ransomware attack in May 2021. With the Security of Critical Infrastructure Bill passing in Australia just days before we met (which made us feel fortunate for the delays in hosting this roundtable meeting), all attendees were eager to discuss the bill’s impact and how their peers around the table were planning to address the new regulations.

With a mix of industries from healthcare to education and government, the large representation from engineering companies in attendance at the roundtable surprised me the most. As suppliers to critical infrastructure, the mounting pressure on third parties is already being felt, long before the industries who are new to the SOCI list have their heads around the regulator's new expectations.

When the bill passed in November, it was split into two parts. Part one includes reforms seen as urgent and, therefore, a subset of the original bill. This new bill expanded the coverage of the Act from 4 sectors (electricity, gas, water, and ports) to 11, and now encompasses:

  • Communications
  • Data storage and processing
  • Financial services and markets
  • Water and sewerage
  • Energy
  • Health care and medical
  • Higher education and research
  • Food and grocery
  • Transport
  • Space technology
  • Defence

You can read more about the reforms here: https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018-amendments

Around the table, the level of understanding of the impact of the reforms was mixed. Despite this, the overarching topic that weaved throughout the entire conversation was that of third-party risk, both for entities within critical infrastructure sectors and for those who supply them. We discussed data protection in detail as well as cyber hygiene (including the ACSC Essential 8) and how the burden of third-party risk assessments was being felt by all around the room.

User access, by both authorised internal users and third parties, was raised as a considerable concern as the cyber risk introduced through partnerships becomes ever more evident. The control (or lack thereof) most IT teams have over third parties (and their partners) makes it harder for organisations to set up trusted agreements. Even with contracts in place, understanding who has access, from where, and why is key to being aware of a potential exposure and to being able to subsequently remediate a cyber incident.

An estimated 51% of organisations have experienced a breach caused by a third party. For those organisations in Australia already regulated, for example by APRA (the Australian Prudential Regulation Authority), third-party risk has been on the agenda for some time. For instance, financial services regulated by APRA have spent the past 2+ years striving to gain an understanding of their critical data and who has access to it.

Organisations considered a third party to a critical infrastructure provider are beginning to grasp what these reforms might mean for their cyber security maturity and their ability to continue critical infrastructure partnerships, should their security risk posture not meet expectations.

Mandated cyber controls are unheard of for many organisations now included in the list of critical infrastructure services in Australia. For most, the use of the Essential 8 was called out as something put in place because third-party partners required surveys and spreadsheets to be populated to attest that their cyber resilience was in line with specific standards. This is subjective and, for some attendees, there was concern that ticking the box on these third-party assessments was all the requestor was after.

Some CIOs and CISOs are seeking ISO certification or SOC 2 compliance to sidestep the third-party surveys, which in many cases peers around the table saw as sufficient attestation of controls. But truly achieving ongoing cyber hygiene (not just point-in-time attestations) requires a risk management program. The SOCI bill that was passed in 2021 did not include the obligations for a risk management program, as this requirement was not as urgent as some of the other components of the Bill.

Since our roundtable convened in November, the federal government has begun consulting with industry on the proposed ‘part two’ critical infrastructure bill. Part two includes obligations to implement and maintain risk management programs concerning critical infrastructure, and the ability for government to declare Systems of National Significance (with accompanying enhanced cyber security obligations). On this bill, the government will take industry submissions until February 1, 2022.

Since the passing of the Security of Critical Infrastructure reforms, many organisations are feeling the pressure to meet the obligations of regulators or partners in order to continue to do business. Many businesses have not previously had a Board-level focus on cyber security. However, this can only be a good thing for business, customers and third parties alike, as we see a rising tide lifting all boats. Dedicated cyber security leaders and advisors must be engaged by organisations to ensure that they are protected and can, in turn, provide sufficient protection to their third-party partners.

From our discussions, the reforms to the Act are not just about the 11 industries, but also about the supply chain that feeds them. While many organisations are already on top of assessing and knowing the information security ‘values’ of their partners, many are at the start of this journey.

When it comes to your supply chain, how confident are you in the security controls of those who have access to your systems?

​Claire Pales, Guest Author

Claire Pales is a best-selling author, a podcast host, and Director of The Security Collective, a consulting company committed to strengthening cyber security in every business. Claire's experience includes establishing teams and leading award-winning security strategies throughout Australia and Asia, including Hong Kong, China, and India. Her focus is to coach boards and executives to enable their organisations to establish exceptional information security practices. In addition to a postgraduate qualification in eCrime, Claire is a qualified coach and graduate of the Australian Institute of Company Directors (GAICD). In 2019, Claire was named a Fellow of the Australian Information Security Association (FAISA). Based in Geelong, Claire is a mum to four children, a passionate security leader and an advocate for all people in cyber.