Australia Introduces First Standalone Cybersecurity Law: What it Means for Recruiters

With the introduction of Australia’s Cybersecurity Bill 2024 on 9 October 2024, businesses across the nation, including recruitment firms, now face new obligations and standards for data security.

This first standalone cybersecurity law is designed to address escalating cyber threats and better protect both public and private sector information. For recruiters, who handle vast amounts of sensitive candidate and client data, understanding and adapting to this legislation is essential for compliance and client trust.

Here's a breakdown of the major changes and what they mean for recruitment companies.

1. New Security Standards for Sensitive Data

Recruitment firms, especially those involved with critical sectors like mining, healthcare, and government, handle personal and professional details which are prime targets for cybercriminals.

The Cybersecurity Bill 2024 mandates enhanced data protection measures, requiring that sensitive information is securely stored, encrypted, and accessed only by authorised individuals.

Recruitment companies should review their current data management systems and consider solutions like Microsoft SharePoint for secure storage or role-based access controls to limit data visibility to essential personnel.

Achieving data security compliance requires investing in systems that prioritise the protection of information across all platforms, from candidate databases to email servers, ensuring alignment with updated security standards. Here are some examples of software to support these efforts:

  • Microsoft Purview can centralise compliance management, conduct automated assessments, facilitate audits, and improve insider threat mitigation.
  • Microsoft Intune can centralise device management so that critical and high-risk vulnerabilities are patched efficiently and protection stays up to date.
  • Microsoft Defender offers proactive threat detection and response, providing ongoing monitoring and reinforcing security across your digital infrastructure.


Investing in systems and establishing efficient processes that enable robust role-based access controls and secure data storage is essential for achieving compliance.


2. Mandatory Reporting of Ransomware Payments

Under the new Bill, businesses (with revenue over a certain threshold) are now required to report any ransomware payments made to resolve cyber incidents to the Australian Signals Directorate (ASD) or the Australian government's Office of the Australian Information Commissioner (OAIC) within 72 hours.

This change is a move towards discouraging ransom payments by fostering transparency and enabling authorities to respond to broader security concerns. For recruitment firms, this translates to the need for clear protocols in case of a ransomware attack.

Having an incident response plan, complete with designated staff for emergencies and a ready reporting procedure, will help recruitment companies respond swiftly and comply with this requirement.


Breaches or ransomware events should be reported within 72 hours to the OAIC at www.oaic.gov.au. For breach events, the government's online Notifiable Data Breach Form can be used.


3. Voluntary Reporting of Cyber Incidents

In addition to mandatory ransomware reporting, the Bill also encourages businesses to voluntarily report significant cyber incidents that may impact client privacy or public interest.

Unlike mandatory reports, this information will be protected from use in legal actions against the reporting entity, making it easier for businesses to report incidents without fear of repercussions.

By leveraging voluntary reporting, recruiters can enhance their security posture while benefiting from government support in managing threats. Businesses are encouraged to report incidents that could expose candidates’ data, even if it does not involve a direct breach of security controls.


Voluntary reports will be protected from use in legal actions against the reporting entity. Reporting can be done via the Australian Signals Directorate (ASD) reporting portal.


4. Cyber Incident Review Board (CIRB)

A significant addition to the Bill is the establishment of the Cyber Incident Review Board (CIRB), which will assess major cyber incidents and offer recommendations. CIRB’s no-fault approach means it focuses on helping businesses improve their security rather than assigning blame. For recruitment companies, this provides an opportunity to strengthen their security practices based on CIRB findings.

For example, if CIRB reviews an incident affecting the recruitment sector, the Board may recommend improved multi-factor authentication (MFA) or better access management practices that other recruitment firms can adopt proactively. Staying informed of CIRB’s reports and recommendations can help recruiters prevent similar incidents and demonstrate a proactive approach to cybersecurity.

Businesses may consider assigning an in-house compliance officer to coordinate with CIRB, manage responses, and facilitate ongoing compliance, which could involve:

  • Email communications and post-incident reports,
  • Audits to evaluate data security measures,
  • Possible in-person assessments in cases of severe incidents to bolster resilience.


Regular communication with CIRB can support updates and improvements in your cybersecurity practices, and it may be worth assigning a compliance officer to correspond with them.


How Recruitment Firms Can Reach Compliance with Australia's New Bill

To prepare for these upcoming changes, recruitment companies should undertake a thorough cybersecurity assessment. Well-established IT and cybersecurity firms like Superior IT Solutions offer tailored support to help businesses secure software, strengthen access controls, and establish effective incident response plans.


With a lot to navigate in cybersecurity compliance, our expert team's immediate recommendations for key processes include:

  • Implementing a breach reporting system that adheres to the 72-hour reporting requirement.
  • Enforcing strict access controls with regular reviews of device security standards.
  • Training staff on cybersecurity best practices to reduce risks of human error.
  • Conducting regular audits and compliance checks to prepare for potential CIRB assessments.


Final Thoughts on the New Bill

Australia’s Cybersecurity Bill 2024 sets a new standard for protecting sensitive data across industries, and recruitment firms are now expected to strengthen their defences against cyber threats. By embracing the changes in the Bill and effectively implementing the above recommendations, recruitment companies can better protect client and candidate information, build trust, and ensure their operations align with Australia’s commitment to cybersecurity.

If your recruitment firm is looking for guidance on complying with the new Bill or needs support with cybersecurity planning, contact our team for a consultation.


Between issues, stay connected by following the Superior IT LinkedIn page for the latest updates on data security, compliance, and tech solutions. Visit us at Superior IT to discover how we're driving innovation and delivering excellence with our IT services.


Greg T.

Founder and CEO Global Cybersecurity Consulting | Specialist Cybersecurity Consultants across four continents

4 months

This is a critical update. Ensuring recruitment firms are prepared for the new cybersecurity standards is essential. The guide sounds like a fantastic resource for navigating these changes!