The Federal Government has flagged changes to the country’s cybersecurity agenda following a string of disastrous high profile data breaches at Medibank and Optus.

The new changes to cybersecurity laws aim to address the failings of current acts which do not adequately cover how to respond and deal with data breaches.

The new federal approach to cybersecurity comes after the appointment of a Coordinator for Cybersecurity and the creation of a new national office within the the Department of Home Affairs.

Here’s the impact you can expect from the changes upon your company. 

There are two major pieces of legislation you should be aware of.

1. Ammendments to the Security of Critical Infrastructure act 2018 (SOCI)
2. A new cyber security risk management protocol.

A new Risk Management Protocol signed off by Minister for Home Affairs and Cybersecurity Clare O’Neil will make board members culpable for failure to properly secure assets, and will cover companies across sectors including energy, healthcare, water, food transport and communications.

The SOCI Act was introduced in 2018 in response to the growing threat of attacks against the country’s most important systems, impacting those in the electricity, gas, water, and maritime sectors.

In 2020, the Act went through 18 months of robust community and industry consultation and was amended at the end of 2021, expanding from four to a total of 11 sectors including health care and medical, the defence industry, higher education and data storage and processing.

These are the proposed changes

The proposed changes to the SOCI act aim to encourage companies to enhance their overall protection measures to get up to the required standard. It is designed to build a consistent level of security across sectors, rather than punishing company directors for failing to comply.

The reasoning for this is to help companies feel more comfortable with proactively reporting cyber problems rather then feeling compelled to hide them.

The legislation would require companies within critical sectors to have a cybersecurity management plan. Effectively making Australia a world leader in regulating a baseline for cybersecurity, physical security, personnel security and supply chain security.

What this means for your business

If you are operating within or adjacent to the following sectors. You should be proactively planning to upscale your approach to cybersecurity immediately.

• Electricity
• Communications
• Data storage or processing
• Financial services and markets
• Water
• Health care
• Medical
• Higher education and research
• Food and grocery
• Transport
• Space technology
• Defence industry.

When will this come into effect?

These changes were passed in December 2021 and March 2022. The rules commenced on Friday The 17th of February which initiated a 6 month grace period. During this time the responsible entities for relevant Critical Infrastructure Assets will need to put in place a critical infrastructure risk management program.

“Start hiring now”

Specialist cybersecurity recruitment consultant, Tom Bugden advises that given the current demand within the market, organisations could face a difficult fight for quality cybersecurity talent if they leave their response too late.

“Everybody wants cybersecurity professionals, there are so many roles which tech companies want to fill right now. There’s actually more roles than there are cybersecurity professionals right now.” Tom explained.

“There’s a shortage of about 30,000 cybersecurity professionals in Australia right now, and that is just going to grow as these new laws come in this year.”

Tom went on to suggest that companies which may have never even considered a cyber security disaster recover plan will now be scrambling to hire quality talent to bring them up to the legislated standards.

“Previously only organisations within Government, energy or utilities were required to have this in place. Now it is extending out to pretty much everyone.”

“When this grace period ends in about 6 to 9 months there will be alot of companies who will be needing to have their cybersecurity sorted.”

However the recent layoffs across the tech sector may prove to be a blessing in disguise. Major tech companies like Atlassian have recently been “readjusting” their headcount in response to perceived difficult economic forecasts. Pushing a number of experienced tech professionals into the job market.

Big things ahead for 2023.

Questions? Or thinking about building your cybersecurity team? Reach out to our specialist cyber recruitment consultant, Tom Bugden here!

For the all the latest market insights sign up to our #transformingfutures newsletter