BANKS AND HACKERS: SECURITY AMONGST ENTITIES
By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid
Presumably inspired by the recently released “Honor Among Thieves”, a film based on table-top roleplaying game Dungeons & Dragons, the Australian government invited representatives from the Reserve Bank, the AFP and regulators ASIC and APRA for a three-hour session of cybersecurity roleplay. Further exercises are expected to be conducted with major banks and financial services, and eventually with the aviation sector and other critical infrastructure areas.
These table-top exercises test the ability of entities to restore operations and minimise the impact of a successful cyber-attack, which is important, though it does little to prevent data breaches from occurring in the first place. Businesses looking to improve their cybersecurity can run other assessments, such as penetration testing and vulnerability scans, under the supervision of trained cybersecurity professionals.
Responsible entities for systems of national significance under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) may also be required to undertake cyber security exercises to test their readiness to respond to and mitigate the impact of a range of cyber security incidents.
Last year, Home Affairs Minister Clare O’Neil designated 82 critical infrastructure assets, managed by 38 different entities, as systems of national significance (reported without naming the entities here). In contrast to the table-top scenarios discussed above, the government can use powers under the SOCI Act to require these entities to undertake operational exercises, which involve actual staff responding to a simulated incident.
In contrast to the film about intrepid adventurers, these exercises (and the affected entities) will be kept private, so they will not be drawing box office crowds!