{"id":72778,"date":"2022-05-24T13:00:47","date_gmt":"2022-05-24T03:00:47","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=72778"},"modified":"2022-05-24T12:46:55","modified_gmt":"2022-05-24T02:46:55","slug":"cybersecurity-rulings-important-for-all-australian-businesses","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/","title":{"rendered":"Cybersecurity rulings important for all Australian businesses"},"content":{"rendered":"
<\/figure>\n

The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. But until recently, there has been little legal precedent supporting these principles\u2014and without such precedent, principles can be difficult to enforce.<\/p>\n

However, the past month has served up two landmark cases that will help establish a new level of precedent for cybersecurity in Australia\u2014one in the Federal Court and one in the ACT Civil and Administrative Tribunal. Both cases deserve utmost attention from senior management, boards and directors as our nation navigates a new era of cybersecurity uplift. These cases should not be dismissed as just technical \u2018principles\u2019.<\/p>\n

After years of legal wrangling, on 5 May the Federal Court released its highly anticipated judgement into action brought by the Australian Securities and Investments Commission in 2020 against RI Advice Group. ASIC claimed RI Advice had inadequate cybersecurity controls in place, which the company failed to remedy despite being aware of the issues. This resulted in sensitive client information being compromised multiple times over a six-year period, a brute-force ransomware attack and one client losing $50,000.<\/p>\n

In its judgement<\/a>, the court found that RI Advice had contravened the Corporations Act \u2018as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience\u2019.<\/p>\n

While the judgement\u2019s level of detail was reasonably limited given a settlement had been reached, RI Advice was ordered to pay a contribution towards ASIC\u2019s costs, totalling $750,000, and to undertake a comprehensive cybersecurity overhaul, to be monitored by the court, within a month of the judgement.<\/p>\n

Importantly, in the judgement, Justice Helen Rofe highlighted the critical role of organisational cybersecurity, stating: \u2018Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.\u2019<\/p>\n

Ultimately, this judgement highlights that ASIC will be paying close attention to the cybersecurity practices of organisations that fall under its remit\u2014and is prepared to take action. More broadly, it is a clear signal to all organisations right across the economy that the Corporations Act will be enforced as it relates to cybersecurity and it\u2019s only a matter of time before more cybersecurity-related actions are brought before the courts.<\/p>\n

The second case, a civil dispute between a vendor and a customer in the ACT Civil and Administrative Tribunal, is pertinent to all businesses, but small and medium-sized enterprises should pay careful attention. They are a prime target for cybercriminals and generally have lower cyber protections\u2014the soft underbelly of Australia\u2019s cybersecurity ecosystem.<\/p>\n

The case involved a machine supply company (the applicant) and a diesel-fitting business (the respondent). Their relationship began when the respondent sought to purchase a machine from the applicant. A deal was struck and bank details for the $5,499 purchase exchanged.<\/p>\n

Unfortunately, the respondent\u2019s emails had been compromised by a cybercriminal. Within hours the criminal sent a fake email informing the buyer that the bank account details had changed, with the funds to be deposited in a different account. By the time both parties realised what had happened, the money was long gone.<\/p>\n

This type of crime, known as business email compromise, or BEC, is on the rise. According to the Australian Cyber Security Centre, Australians reported more than\u00a04,600\u00a0BECs equating to $81 million in thefts in 2020\u201321.<\/p>\n

In this case, the applicant brought the matter to the tribunal to recover the $5,499 owing. The respondent argued that payment had been made in good faith and therefore there was no case to answer, despite the money being stolen by a cybercriminal and the applicant never receiving the funds.<\/p>\n

Ultimately, the tribunal ruled in favour of the applicant, finding that<\/a> \u2018responsibility for correct payment rests with the respondent and it was incumbent upon the respondent to exercise care in ensuring payment was made. The money was paid into an account that did not belong [to] the applicant\u00a0and it remains unpaid.\u2019<\/p>\n

As Australia races towards an increasingly digitised economy and more businesses, large and small, house valuable data on internet-facing systems\u2014which is a good thing\u2014unfortunately cases like these may become more prevalent. But they don\u2019t have to.<\/p>\n

While there\u2019s no perfect solution to the cybersecurity puzzle and no silver bullet to prevent cybercrime, there are steps all organisations can and should be taking to bolster their cyber defences. There is also a range of incentives that small businesses in particular can take advantage of, like the instant write-off for cyber uplift and training<\/a> announced in this year\u2019s federal budget.<\/p>\n

And while principles are essential, there are three key concepts upon which all organisational approaches to cybersecurity should rest: risk, resilience and recovery.<\/p>\n

Know what the key risks are and manage them appropriately in a way that uniquely suits your organisation. There is no one-size-fits-all approach. Cyber risk cannot be eliminated but can be effectively managed.<\/p>\n

Build up cyber resilience to deal with identified risks, but also ensure that people are central to resilience. Make cybersecurity intrinsic to your organisation\u2019s culture.<\/p>\n

And finally there\u2019s recovery, because when things do go wrong you need to have a plan. Organisations with a clear continuity plan can recover more quickly, potentially reduce the impacts of a cyber incident, and get back to business.<\/p>\n","protected":false},"excerpt":{"rendered":"

The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. But until recently, there has been little legal precedent supporting these principles\u2014and without such …<\/p>\n","protected":false},"author":1025,"featured_media":50461,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[1513,391,2138,1580],"class_list":["post-72778","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-business","tag-cyber","tag-cybersecurity","tag-resilience"],"acf":[],"yoast_head":"\nCybersecurity rulings important for all Australian businesses | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cybersecurity rulings important for all Australian businesses | The Strategist\" \/>\n<meta property=\"og:description\" content=\"The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. 
But until recently, there has been little legal precedent supporting these principles\u2014and without such ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-24T03:00:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-24T02:46:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"724\" \/>\n\t<meta property=\"og:image:height\" content=\"483\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Rachael Falk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rachael Falk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\",\"width\":724,\"height\":483,\"caption\":\"Business, technology, internet and networking concept. 
Young businesswoman working on his laptop in the office, select the icon security on the virtual display.\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/\",\"name\":\"Cybersecurity rulings important for all Australian businesses | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#primaryimage\"},\"datePublished\":\"2022-05-24T03:00:47+00:00\",\"dateModified\":\"2022-05-24T02:46:55+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/8960af01fe98f59d4359389f5581c89d\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity rulings important for all Australian businesses\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/8960af01fe98f59d4359389f5581c89d\",\"name\":\"Rachael 
Falk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/174c15abbe245de6d56c684d7849378a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/174c15abbe245de6d56c684d7849378a?s=96&d=mm&r=g\",\"caption\":\"Rachael Falk\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/rachael-falk\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cybersecurity rulings important for all Australian businesses | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/","og_locale":"en_US","og_type":"article","og_title":"Cybersecurity rulings important for all Australian businesses | The Strategist","og_description":"The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. But until recently, there has been little legal precedent supporting these principles\u2014and without such ...","og_url":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2022-05-24T03:00:47+00:00","article_modified_time":"2022-05-24T02:46:55+00:00","og_image":[{"width":724,"height":483,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","type":"image\/jpeg"}],"author":"Rachael Falk","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Rachael Falk","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","width":724,"height":483,"caption":"Business, technology, internet and networking concept. Young businesswoman working on his laptop in the office, select the icon security on the virtual display."},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/","url":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/","name":"Cybersecurity rulings important for all Australian businesses | The 
Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#primaryimage"},"datePublished":"2022-05-24T03:00:47+00:00","dateModified":"2022-05-24T02:46:55+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/8960af01fe98f59d4359389f5581c89d"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/cybersecurity-rulings-important-for-all-australian-businesses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity rulings important for all Australian businesses"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/8960af01fe98f59d4359389f5581c89d","name":"Rachael Falk","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/174c15abbe245de6d56c684d7849378a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/174c15abbe245de6d56c684d7849378a?s=96&d=mm&r=g","caption":"Rachael 
Falk"},"url":"https:\/\/www.aspistrategist.ru\/author\/rachael-falk\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72778"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1025"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=72778"}],"version-history":[{"count":2,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72778\/revisions"}],"predecessor-version":[{"id":72781,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72778\/revisions\/72781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/50461"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=72778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=72778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=72778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}