Mandatory reporting: a step in the right direction but more needed

Security experts have welcomed the revelation that the federal government is considering implementing a mandatory reporting policy for businesses that have experienced a cyber attack or been extorted by cybercriminals.

During a recent Senate estimates hearing, Home Affairs Secretary Mike Pezzulo said a mandatory reporting scheme is being considered and is “likely” to be introduced at some point.

KnowBe4 APAC Security Awareness Advocate Jacqueline Jayne said such a policy would be a move in the right direction.

“We need more visibility and transparency to encourage more conversations about the actual impact and ferocity of cyber attacks or near misses,” she said.

“[Mandatory reporting] would lead to more conversations and more understanding, with an opportunity to educate and bring awareness of cybersecurity incidents to the mainstream. Reporting can be used as a tool to share and to learn from these incidents.”

She added that mandatory reporting can encourage collaboration and sharing of data within the cyber community.

But DDLS CEO Jon Lang said while mandatory reporting would be a good first step, it is only one piece of the puzzle.

“Without a much stronger focus towards cybersecurity training at an executive and board level, we will simply see more organisations suffer reputational and financial loss,” he said.

“We need to place a much stronger focus on transforming underskilled organisations into cyber-ready organisations, to stop ransomware attacks before they occur or at least reduce their damage. We need to take a preventative approach through education, not a reactive approach following a breach.”

Image credit: ©stock.adobe.com/au/VideoFlow