Encryption is the Cybersecurity Cornerstone

2022 was the year the Australian government, citizens and cybersecurity regulators finally got angry about the shocking state of cybersecurity. 2023 is shaping up to be a once-in-a-lifetime opportunity for the industry, according to Senetas CEO Andrew Wilson…

Just like the insurance industry, cybersecurity is often a ‘bad news’ industry – you only hear from us when things have gone wrong. Given the way 2022 ended, many Australians had heard enough about cybersecurity to last them a lifetime – especially given that about half our population had been adversely affected by a serious cyber-attack resulting in the breach of their important personal information. However, 2023 is proving a rare thing – there’s good news. Serious investments in our future security are being made across the government and commercial sectors.

The creation of a new cybersecurity agency (and strategy) in Australia is one such piece of good news, but it’s far from the only one. In the US, the Biden Administration quietly signed into law the Quantum Computing Cybersecurity Preparedness Act just before Christmas. It put in place several new laws and regulations that mandate the migration of federal agencies to quantum-resistant cybersecurity and IT systems. Other countries will soon follow suit.

A once-in-a-lifetime cybersecurity investment opportunity

Despite the awful impacts of the 2022 Optus and Medibank data breaches, it’s clear that too many organisations remain apathetic. Already this year we’ve seen Latitude Financial and IPH Ltd report data breaches affecting customers’ privacy and business secrets.

The primary issue is not weak cyber-defences and vulnerability to cyber-attacks, it is the failure to encrypt sensitive data (at the very least). As in every other area of crime, car theft and home burglary included, defences will ultimately be breached. The cornerstone of effective cybersecurity is ‘data protection’ through encryption. It’s been around forever and the world’s most secure organisations continue to encrypt their sensitive data – stored, in use and across their networks. For decades independent experts have highlighted that only encryption can ensure that stolen data is useless to cyber-criminals.

With government backing, sweeping changes can be made. There are a number of ways this can go. Increased penalties (such as we see in Europe’s GDPR) in the event of a breach of unencrypted data are one way to incentivise change. Raising the minimum standard of security (for example, mandating the adoption of a zero-trust architecture that helps stop attackers from gathering huge amounts of data from just one breach) for private organisations that hold sensitive customer data is another. A further change may be severe penalties aimed at companies’ boards and senior management – just as in occupational health and safety.

Throughout these sweeping changes, one cybersecurity technology will remain the cornerstone – encryption. Encryption is how we take data that anybody can read and make it unusable without the keys. Best practice is that, through sound encryption key management, the keys are only ever in the hands of the ‘good guys’ (the data owners).

Encryption of data throughout its lifecycle – when stored, in use and in motion across networks – has long been seen as the answer to the “what if” and “why wasn’t it” questions in the event of a successful systems attack, like we saw with Optus and Medibank. Depending on whom you ask, statistics for the proportion of data being encrypted vary wildly. The fact is that the use of encryption throughout data lifecycles is unsatisfactorily poor: millions of unencrypted records are stolen every day, often from organisations that should know better.

The once-in-a-lifetime investment opportunity is, therefore, that we should finally mandate that all organisations bring their encryption and cybersecurity defences up to an acceptable minimum standard as a matter of good governance.

Effective regulations and business realities

This is a far bigger mountain to climb than it initially seems. Adopting zero-trust principles for new technology deployments should be a no-brainer, but businesses find it more challenging when it comes to securing existing infrastructure. Although effective cybersecurity itself should not be negotiable, there is an economic reality associated with companies’ existing IT investments. The upcoming Australian cybersecurity strategy must bear this in mind. There will be considerable resistance if the strategy requires the rip-and-replace of critical systems.

Then there is the significant threat to the supremacy of today’s conventional encryption – notably the emergence of quantum computing. The sheer computing power it brings to the table means quantum computers can crack traditional encryption in days instead of years. New, quantum-resistant cryptography is now commercially available from providers like Senetas to address this, but it must be done proactively and that requires the use of cryptographically ‘agile’ encryption solutions in the first place.
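The two properties this article leans on, that encrypted data is useless without the key (above, under key management) and that an encryption deployment should be cryptographically ‘agile’ so the algorithm can be swapped before quantum-capable adversaries arrive, can be made concrete in code. The following is an added example written for this page, not Senetas code or any product’s wire format: a self-describing ciphertext whose first byte identifies the cipher suite, so a future suite can be registered without invalidating data already encrypted, while an unknown suite is rejected rather than guessed. The suite identifier `SuiteAES256GCM`, the record and context strings, and the helper names are all constructed for the example; the cipher is Go’s standard-library AES-256-GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Suite identifiers carried in the first byte of every ciphertext so the
// decryptor knows which algorithm produced it. Constructed for this example;
// not the format of any real product.
const (
	SuiteAES256GCM byte = 0x01
	// Future suites (for example a post-quantum construction) are registered
	// here; data already encrypted under 0x01 keeps decrypting unchanged.
)

var (
	ErrUnknownSuite = errors.New("unknown cipher suite identifier")
	ErrTooShort     = errors.New("ciphertext too short")
)

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In a real deployment
// the key lives in a KMS/HSM and only wrapped copies ever leave it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAESGCM builds the AEAD for suite 0x01 and enforces the key length.
func newAESGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces suite || nonce || AEAD(plaintext, aad). The aad (for example
// a record identifier) is authenticated but not encrypted, which binds the
// ciphertext to its context so records cannot be swapped between rows.
func Encrypt(suite byte, key, plaintext, aad []byte) ([]byte, error) {
	switch suite {
	case SuiteAES256GCM:
		aead, err := newAESGCM(key)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		out := make([]byte, 0, 1+len(nonce)+len(plaintext)+aead.Overhead())
		out = append(out, suite)
		out = append(out, nonce...)
		return aead.Seal(out, nonce, plaintext, aad), nil
	default:
		return nil, ErrUnknownSuite
	}
}

// Decrypt dispatches on the suite byte. Unknown suites are refused, and any
// change to nonce, ciphertext, tag or aad fails authentication, so a thief
// holding the blob but not the key learns nothing and can alter nothing.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 1 {
		return nil, ErrTooShort
	}
	switch blob[0] {
	case SuiteAES256GCM:
		aead, err := newAESGCM(key)
		if err != nil {
			return nil, err
		}
		ns := aead.NonceSize()
		if len(blob) < 1+ns+aead.Overhead() {
			return nil, ErrTooShort
		}
		nonce, ct := blob[1:1+ns], blob[1+ns:]
		return aead.Open(nil, nonce, ct, aad)
	default:
		return nil, ErrUnknownSuite
	}
}

func main() {
	key, _ := NewKey()
	record := []byte("customer 42: passport N1234567") // constructed sample record
	aad := []byte("customers/42")                      // constructed record context
	blob, _ := Encrypt(SuiteAES256GCM, key, record, aad)
	fmt.Printf("stored blob (suite byte first): %x\n", blob)
	pt, err := Decrypt(key, blob, aad)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, record))
}
```

Agility here is the `switch` on the leading byte: adding a quantum-resistant suite means registering a new identifier and a new case, not re-encrypting every stored record on day one. The corollary is the migration plan the article calls for: inventory which identifiers are in use, rotate keys, and re-encrypt long-lived data under the new suite before the old one is retired.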

If quantum computers arrive before we have widespread adoption of quantum-resistant cryptography, the genie is well and truly out of the bottle. The concept of long-life private and business information (such as identities and intellectual property) being safely stored will be destroyed, and public trust in companies and institutions will go with it.

Around the world, we are seeing governments begin to prepare for what is to come and address varying levels of underinvestment in both the public and private sectors. It’s a genuinely exciting time to be in our industry.

For Australia there is the question of how much of these investments, necessary to address both current cybersecurity weaknesses and a safe post-quantum future, will be made in Australian sovereign cybersecurity solutions. We have a strong domestic cybersecurity sector. But it has become more reliant on foreign customers and investment than most would expect. A resurgence in domestic demand, particularly for crucial cybersecurity technologies like encryption, will go a long way towards undoing a decade of laissez-faire cybersecurity in Australia, rather than repeating its history.

This story was developed in collaboration with Senetas, a Stockhead advertiser at the time of publishing.

This story does not constitute financial product advice. You should consider obtaining independent advice before making any financial decisions.