Cyber Security Bill 2024: Impact on SMBs!
In recent years, Australian enterprises, from tech giants like Canva to healthcare platforms such as MediSecure and even large corporations like Optus and Medibank, have fallen victim to cyberattacks. Despite their robust resources and dedicated security teams, these organizations were unable to shield themselves from sophisticated breaches. Australia has over 2.5 businesses, of which 98% are small to medium businesses, and many do not have high-level technical people to guide them towards a data and cyber protection outcome.
The answer is troubling. With limited budgets and minimal cybersecurity expertise, small businesses are becoming prime targets for cybercriminals. In 2023, Australian small businesses faced an average loss of AUD 46,900 per cyber breach. For many, these costs are devastating, threatening their financial stability and, in some cases, their survival.
The scale of the crisis is undeniable. The Australian Signals Directorate (ASD) reported a staggering 36,700 calls to the Australian Cyber Security Hotline in the past year, reflecting a 12% increase. That equates to approximately 100 calls per day from businesses and individuals grappling with cyber threats. These statistics underscore the urgent need for a national strategy to address the escalating threat landscape.
A Legislative Lifeline: The Australian Cyber Security Bill 2024
Enter the Australian Cyber Security Bill 2024—a landmark piece of legislation poised to redefine the nation’s approach to digital security. As ransomware attacks grow in frequency and sophistication, this bill introduces a forward-thinking framework centered on three core pillars: protection, prevention, and recovery.
The Australian Cyber Security Act 2024 introduces several key components aimed at strengthening the nation's cybersecurity framework:
Mandatory Ransomware Payment Reporting: Bird & Bird, specialist lawyers in this space, state that although the government has not set a reporting threshold, businesses with an annual turnover exceeding $3 million may be required to report any ransomware payments to the Australian Signals Directorate (ASD) within 72 hours of making the payment or becoming aware of it.
Cyber Incident Review Board (CIRB): An independent board is established to conduct no-fault reviews of significant cybersecurity incidents. The CIRB analyzes these events and provides actionable recommendations to prevent and mitigate future incidents.
Mandatory Security Standards for Internet of Things (IoT) Devices: The Act empowers the Cyber Security Minister to set minimum cybersecurity standards for "connectable products," such as smartphones, smart home devices, and other IoT products. Manufacturers and suppliers must comply with these standards and may be required to issue statements of compliance. Non-compliance can lead to penalties, including product recalls.
Limited Use Protections for Disclosed Information: The Act ensures that information disclosed under mandatory or voluntary reporting obligations is restricted to specific uses, primarily related to incident response and public safety. This provision aims to encourage businesses to share information without fear of unrelated civil or regulatory actions.
Obviously, being cyber aware and protecting your business has a cost, but neglecting to protect your business will have significant costs if you are breached. Cybercriminals breach your systems and then lie low for some time, collecting data about your business. This is where building a formal, solid, collaborative partnership with an Information Technology (IT) specialist will help the directors and owners of small and medium businesses. How? Just as you are good at delivering your services and products, the IT businesses that focus on taking responsibility for managing your business provide a truly managed service. These MSPs will initially conduct a business-to-technology alignment conversation, then ensure that your team is fully aligned with the right cyber awareness training, that your devices are protected, secured and kept up to date with the latest security updates, and that if something goes wrong there is a way to recover.
I work closely with many MSP partners. One MSP partner, who has an IT business in Port Melbourne, told me a few weeks ago that one of their customers was breached; fortunately, they had the right tools and procedures in place and were able to avoid paying the ransom demand. So I trust you will agree that having a Managed Services Partner, and treating them as part of your business, has significant value.
MSPs offer a range of services that can be particularly beneficial for SMBs:
To protect your health you have health cover; to protect your business you have business insurance and cyber insurance. Now you need to engage an IT partner and give them the responsibility to manage and protect your data and security 24 x 7, because they can. Think of your business as a high-performance race car (one that economically supports a wider ecosystem): you would find a great team of mechanics to maintain this machine, so why not find a solid Managed Services Provider with the right tool-set to educate, manage and protect your business too? (If you don't have one, or would like to review the IT partner you have right now, connect with me via LinkedIn; I can introduce you to a number of specialists in the Australian market.)
In summary, compliance with the Australian Cyber Security Act 2024, collaboration with the ASD, and partnering with MSPs can significantly enhance your business's cybersecurity posture, operational efficiency, and overall resilience against cyber threats.
--------------------------------------------------------------------------------------------------------
Disclaimer: The opinions and views expressed here are based on my 30+ years of experience as a Data & Cyber Protection Consultant and on industry research, and are my personal thoughts. They do not represent the views of my employer.
About Shamal Tennakoon: I am a Data & Cyber Protection Consultant at Acronis ANZ. Above all, I am a husband, a proud father, and a lifelong learner committed to personal and professional growth.