Cyber Security

Luke Hally

Directors liable for cyber attacks

July 14, 2021

According to The Age, the government is considering making company directors liable for cyber attacks. With cyber crime costing Australia around $3.5 billion a year, the government is consulting with industry on ways to help prevent it becoming a “significant handbrake on our economic growth and digital security”. The government wants small and large businesses and consumers to be secure and is looking at placing extra responsibilities on directors of “large Australian companies”. The government is looking to develop cyber security standards – which may be mandatory or voluntary – with industry to cover items such as corporate governance, smart devices and the way that personal data is handled. They are also looking specifically for improved “security labelling” and disclosure of vulnerabilities of internet-connected devices, and clear legal remedies for cyber crime victims.

The article finishes off with a nice summary of Australian companies that have suffered ransomware attacks in the last 18 months, including Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, and Nine Entertainment. And then an awkward segue to concerns about the criminalisation of paying ransoms.

This article contains a lot of little snippets of information, but the actual picture it paints is incomplete. It raises several questions. What is a large company? There is mention of the ASX; will it only be ASX-listed companies? Why just large companies? In our connected world, a small company could have a large digital footprint and lead to a lot of damage. Private companies can also be large; don’t they matter? And why the segue to criminalisation of ransom payments at the end?

I’ve noticed The Age does this; it’s almost like the author hit their word limit and just wanted to squeeze in one more idea. Maybe it is an allusion to further articles on the topic to come.

I also found the comments interesting; I love reading comments. If we filter out the comments by political social media teams, I noticed that most people commenting on the actual security risk view it as a tech solution with very little consideration for the human element. These provide a good example of the cognitive vulnerability of Pro-Innovation Bias and could fall victim to overconfidence.
