Finding a middle ground: Legal action and the quest for cybersecurity culture.
In the ever-evolving world of cybersecurity, the need for strong protection against cyberattacks is clear. Recent developments show that corporate regulator ASIC is taking a tougher stance on holding board directors and executives responsible for their organisations’ shortcomings in this area.
While this approach might seem promising to boost cybersecurity culture, the situation is far from straightforward. In this article, we’ll dive into the implications of this approach and why achieving the right cybersecurity culture demands a more nuanced perspective.
The changing regulatory landscape
In response to the increasing threat of cyberattacks, regulators are taking a more proactive approach. They aim to set a precedent by pursuing legal action against companies that have suffered security breaches due to their failure to take adequate precautions to protect their customers and infrastructure from hackers. At first glance, this seems like a strong deterrent, sending a clear message that neglecting cybersecurity won’t be tolerated.
However, the calculus is far more complex than a simple risk-and-reward equation. While some attackers are driven by financial gain, others have different motivations, often related to geopolitics. Nation-state actors, for instance, might infiltrate organisations not for monetary gain but for strategic advantage or intelligence gathering, and will persist regardless of how costly the intrusion is for them. This distinction highlights the multifaceted nature of cyber threats, making it difficult to attribute blame solely to the victimised organisation.
The challenge of defining “Recklessness”
Another obstacle is determining what qualifies as “recklessness” in cybersecurity. Defensive practice is constantly evolving, and the threat landscape shifts with it. What was considered adequate protection one year could fall short the next. Therefore, labelling an organisation as “reckless” often relies on subjective judgments and the benefit of hindsight. This approach could inadvertently encourage a culture of fear and concealment within organisations, undermining the transparency necessary to protect potential victims.
Instead of concentrating solely on punitive measures, a more balanced approach might involve promoting transparency within organisations. Encouraging companies to openly share information about their cybersecurity practices, vulnerabilities, and breach response plans could foster a collaborative environment for addressing cybersecurity threats. This approach can help organisations learn from one another’s experiences and collectively enhance their defences.
Regulation undoubtedly plays a crucial role in cybersecurity, establishing a minimum standard for what is expected of organisations in safeguarding their customers and data. However, achieving the right equilibrium between regulation and cultivating a culture beyond compliance is essential. These regulations should provide a security framework and be adaptable to the ever-changing threat landscape, encouraging proactive measures rather than solely penalising shortcomings.
The intention behind legal action against companies that fall victim to cyberattacks due to inadequate protection is to cultivate a sense of responsibility and preparedness. Nevertheless, the cybersecurity landscape is far from simple, with numerous motivations behind attacks and a constantly shifting threat environment. While regulations are vital, they shouldn’t discourage organisational transparency and cooperation.
In pursuing a robust cybersecurity culture, striking a balance is imperative. Encouraging open dialogue, sharing best practices, and staying flexible in the face of emerging threats are all essential components of a comprehensive strategy.
Staying proactive and informed is crucial
Ericom is leading the charge by assisting many Australian businesses in compliance with the Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model. By incorporating our managed security services model, we guide these enterprises through each critical step of this indispensable compliance journey and offer ongoing support vital for maintaining a robust cybersecurity posture.
This continuous assistance benefits businesses by providing immediate response to security incidents, ongoing monitoring for threats, and expert advisory on the evolving cybersecurity landscape, ultimately safeguarding your business, board of directors, and executives in a dynamically changing threat environment. Taking proactive measures with Ericom’s support ensures your business is resilient, secure, and aligned with industry-leading best practices, fortifying your defence mechanisms against sophisticated cyber threats.
This is a shared responsibility, and by taking proactive steps, we can collectively create a safer digital environment for all. Don’t wait until it’s too late – act now to protect your business and data.
30 November, 2023