GovTech Review Q1 2024

CYBERSECURITY CHALLENGES IMPROVING THE PUBLIC SECTOR CYBER STANCE

FRAUD IN HEALTH CARE

AN EVOLVING LANDSCAPE STREAMLINING PROCUREMENT AUTOMATION TO IMPROVE EFFICIENCY

Q1 2024

FEATURES

06 | Overcoming the top cybersecurity challenges faced by public agencies

With the right approach the public sector can improve its cyber stance

14 | The big problem with the big business of government procurement

Low-code solutions

streamline procurement and contract processes

18 | myGov takes a stand on passwords

What the move to passwordless authentication means for public sector organisations

TECHNOLOGY IN CONTEXT INSIDE

22 | Growing fraud trends in Australian health care

As the healthcare landscape evolves, so do the methods of fraud

26 | Navigating the crossroads of cybersecurity and mental health

The need for mental health support within the cybersecurity profession

28 | How Australia can defend against AI-generated cyber attacks

A well-conceived and executed defensive cybersecurity strategy is needed

| Delivering streamlined collaboration for modern workplaces

11 | Anticipating future maintenance expenditure

12 | Improving outcomes for survivors of family and domestic violence

17 | EKA CyberLock: securing critical infrastructure in a connected world Cover

Insider

The hottest topic of today is of course artificial intelligence, and if my inbox is anything to go by the general sentiment is split 50/50 on whether it is a boon or a threat. In both the government and business realms it is now also beginning to have an impact on issues of cybersecurity — another area of deep concern and much discussion these days.

In the area of cybersecurity, of course our governments need to set the example — after all, they are the owners and operators of critical infrastructure and hold some of the most sensitive data about the citizens, the economy and national security.

Now we have the Australian Signals Directorate’s Australian Cyber Security Partnership Program, which enables both government agencies and businesses to engage with the ACSC and to draw on collective understanding, experience, skills and capability to lift cyber resilience across the Australian Government and economy — a move of immense value in strengthening our cyber safety.

But as always there are challenges, and there is nothing like a challenge to make us rethink our long-held strategies — like Services Australia planning for myGov to move towards a passwordless authentication system after recent unfortunate attempts at data breaches.

We are also facing a cybersecurity skills shortage, leading to a lack of skilled resources, both in the public sector and the private sector. Not only is it difficult to recruit the number of skilled cybersecurity professionals needed, but many cybersecurity professionals are leaving their roles due to burnout.

And this is where cybersecurity challenges converge with developments in AI.

AI is now enabling criminals to exploit disclosed vulnerabilities faster than ever before. The time between when a vulnerability is disclosed, such as when a patch is released, and when it is being actively exploited by malicious actors is shrinking.

But AI is also beginning to provide tools to more quickly respond to, and fight, cyber threats. The potential automation that AI can provide may well assist our overstretched cybersecurity professionals to be more effective. This is certainly a hot area of AI development right now.

In a general sense, how we utilise AI in a safe and responsible way has become a central focus in government, with expert groups set up to set the agenda for the future.

We’ve got plenty of articles on these matters and others in this issue of GovTech Review. I hope you enjoy it.

Cybersecurity

OVERCOMING THE TOP CYBERSECURITY CHALLENGES FACED BY PUBLIC AGENCIES

WITH A NEW CYBERSECURITY STRATEGY OUT AND THE RIGHT APPROACH TO KEY CHALLENGES, THE PUBLIC SECTOR CAN IMPROVE ITS CYBER STANCE.

By its own admission, the Australian Government has for some time fallen short of its own standards when it comes to cybersecurity maturity. But with a new cybersecurity strategy out and the right approach to key challenges, the public sector can improve its cyber stance.

In its 2023-2030 Australian Cyber Security Strategy, the federal government noted that “enduring and low levels of cyber maturity across many Australian Government entities have revealed major gaps in our security posture”.

The release of the strategy last year was a step in the right direction and has put the public sector on the path to achieving a new level of cyber maturity and making Australia, in the words of the government, a world leader in cybersecurity by 2030.

Across six focus areas, dubbed ‘shields’ by the government, the strategy adopts a targeted approach to some of the top cybersecurity-related issues Australia faces today. In addition to a renewed focus on securing the vast small- and medium-sized business segment, the strategy focuses on, among other things, threat sharing, sovereign capabilities and critical infrastructure.

At the same time, the strategy aims to bolster the capability of our critical infrastructure and essential government systems to withstand and bounce back from cyber attacks. In a bid to set the right example to private sector owners and operators of such assets, the government itself is striving for a higher level of cyber maturity to show it can meet world-class cyber standards.

LEADING BY EXAMPLE

As the strategy notes, “The Australian Government needs to hold itself to the same standard it imposes on industry.” Why? Because it is an owner of and operator of critical infrastructure, and it also holds some of the most sensitive data about the country’s citizens, economy and security.

However, among the stated challenges that have held the government back from doing a better job of cybersecurity internally is a significant skills shortage in the Australian Public Service and an acknowledgement that many government systems still do not meet the Australian Signals Directorate’s ‘Essential Eight’ strategies for mitigating cybersecurity incidents.

With that in mind, the government has made a commitment to adopt cyber best practices to uplift its collective cybersecurity posture. This uplift includes further driving accountability for cybersecurity across its own departments and agencies. More broadly, the plan to designate ‘Systems of Government Significance’ that need to be protected with higher security standards is a major step in boosting the cybersecurity resilience across the public sector. iStock.com/Wavebreak

These three areas in particular are of interest in the context of securing the public sector. For instance, the importance of threat sharing between government entities in other regions and with the business community locally cannot be overstated. With this in mind, the government plans to create a wholeof-economy threat intelligence network — a highly laudable and eminently effective goal.

Cybersecurity

... the government has made a commitment to adopt cyber best practices to uplift its collective cybersecurity posture.

On a practical level, as the government puts its own entities on notice, a number of challenges remain, the ongoing skills shortage being just one. Other key challenges include a more general lack of appropriate resources, budgetary restrictions and an awareness of the risks associated with cyber threats.

However, there are a number of effective approaches the government can take to help overcome the challenges it faces and move Australia closer to its goal of leading the world in cybersecurity by the end of the decade.

FOCUSING RESOURCES

Beyond budgetary constraints, resourcing remains a top challenge to cybersecurity maturity. Australia is facing a prolonged cybersecurity skills shortage, leading to a lack of resources in the segment, both in the public sector and the private sector.

While it’s clear that there’s an appetite for more cyber skills within government entities and the private sector service providers that partner with them, it’s not always easy to find the skills needed to fill the roles on offer — and meet the needs of the respective organisation.

While there are initiatives in place to help fill the skills pipeline to boost resources further down the track, one approach to help manage the immediate shortfall is to structure things to make the existing resources available go further. And one of the best ways to do this in the government space is to consolidate functions.

One particularly effective approach to consolidating functions is by establishing a shared services model across government. Some shared services already exist, but the consolidation of key cyber skills into a

shared services hub will mean every agency has the chance to tap into a central resource made up of the best cyber skills the government has to offer.

MAKING INVESTMENT GO FURTHER

Public spending comes with public scrutiny, so government agencies need to be able to demonstrate value for money when it comes to the services and infrastructure they invest in. This includes technology and, more increasingly, cybersecurity.

This scrutiny is partly the reason why cybersecurity remains comparatively underfunded in the public sector. A lot of people, both in the public sector and the private sector, still don’t have a comprehensive understanding of cybersecurity. Being able to show the value of investing in something the public may not understand makes it hard for government entities to prioritise it.

Establishing cyber functions like an all-important security operations centre (SOC) internally to actively monitor and take action against threats as they emerge can be a daunting undertaking, even for a government agency, not least because of the investment that needs to go into it.

However, in combination with a shared services approach, third-party providers that offer security suites with on-demand capabilities such as SOCas-a-service can help governments reap the benefits of such services without needing to bear the full cost for them. The best of these should meet industry-leading benchmarks like the US Government’s FedRAMP standard.

MANAGING MINDSETS

As mentioned earlier, a lot of people out there still don’t have a full understanding of cybersecurity risks and what they can

do to minimise them. Both parts of that equation are important. It’s not enough to know the risk without knowing what to do if you’re confronted with a threat.

That’s why it is important for technology leaders in government agencies to facilitate a mindset change within their organisations, communicating implementable and scalable solutions effectively to decision-makers. Indeed, leaders at all levels need to be aware of the risks and have some understanding of effective defences.

A good starting point in educating the human capital in a government entity is to identify critical functions in the organisation and make everyone aware of the role they play in the broader agency or department. After all, an organisation is made of individuals, and a united front makes for a stronger defence.

To cultivate continued employee cybersecurity awareness, organisations can issue periodic prompts and reminders to make sure cyber risks are front of mind, or go further by building formal cybersecurity training programs that include explainers, videos and other informational formats to illustrate what risks to watch out for and what to do in the event of an active threat.

Together, these approaches can help the federal government make decent progress in overcoming some of the key challenges it faces as it works towards its goal of making Australia a world leader in cybersecurity by 2030.

*Martyn Beal is currently Federal Government Strategic Lead at Trend Micro based in Canberra and is responsible for the development of the federal market. He has over 30 years’ hands-on experience delivering reform and transformation value to government. He has a deep understanding of the Commonwealth procurement process and how government partners with industry.

DELIVERING STREAMLINED COLLABORATION FOR MODERN WORKPLACES

Modern workplaces have transformed from closed-door meeting spaces to meet-anywhere, multipurpose workspaces designed for hybrid collaboration. According to recent IDC data, communication and collaborative tools are the most used tools for employees in their day-to-day work with 71% using them daily.

As the office becomes the destination for collaboration, users are craving a simpler way to connect. The problem with video meetings in the past was overcoming the ‘can you see me; can you hear me?’ challenge. Put simply, yesterday’s rigid solutions don’t meet the needs of today’s workforce.

Neat, a Norwegian video technology company, addresses the complexities of the modern workplace with flexible and simple solutions. The Neat Board 50, a portable, all-in-one digital canvas, transforms idea generation and collaboration workspaces.

The Neat Board 50 is a movable, all-in-one collaboration solution that goes beyond video and audio, acting as a digital canvas for any creative or collaborative meeting. With a 50″ screen, Neat Board 50 travels on wheels and is adaptable to any space, even creating a space within a space where needed. This provides a flexible collaboration solution that can keep up with the demands of today’s hybrid workplace.

Neat devices natively support Zoom, Microsoft Teams and a range of business applications. The Neat Board 50 also comes equipped with a Neat Marker, providing immediate response and just the right amount of friction to facilitate writing, mark-ups or sketches.

The Neat Board 50 also features Neat’s patented technology, Neat Symmetry. By making virtual meetings feel almost as real as meeting face to face, Neat Symmetry combines advanced AI with a high-resolution sensor to detect everyone in the meeting room whether seated or standing, zooming in to individually pinpoint and auto-frame each person, then presenting them up close on remote participants’ screens.

Neat Board 50 also offers Neat Boundary, removing any background distractions and ensuring that project discussions stay focused. Neat’s audio processing technology also ensures that the conversation flows naturally, without any echo or static.

The Neat Board is an affordable and value-packed option, designed to be the ‘Swiss Army Knife’ of workplace operations — especially in the public sector.

Every government agency is focused on delivering critical services to citizens as quickly and cost-effectively as possible. Neat video devices allow government employees to collaborate and engage with both internal and external stakeholders with ease. For example, healthcare providers can connect face to face with patients and local government offices can communicate directly with their tax-paying residents.

In May 2023, Neat utilised this technology to aid the Royal Australasian College of Surgeons (RACS). The non-profit organisation needed help maintaining relations with hospitals, health clinics and departments around Australia, while also allowing its members to train, examine and workshop. By installing the Neat Boards on wheels in RACS, they were able to move the screens into different rooms when required. The smooth incorporation of Neat devices, and streamlining the set-up process for video meetings, enabled RACS members to concentrate on their primary focus — their surgical duties.

Headlines

Speedcast signs extended contract with NT Government

Satellite communications provider Speedcast has signed an extended and expanded contract with the Northern Territory Government to continue to provide connectivity services to multiple government agencies.

The company has secured an extension of its STARS (Satellite To All Remote Sites) program contract, which involves providing the connectivity needs for schools and distance education providers, police, health and parks and wildlife.

The expanded contract will include delivery of Speedcast’s SIGMA edge compute platform, as well as the introduction of low earth orbit connectivity from Starlink satellites to complement the existing geostationary satellite communications-based service.

Under the STARS contract, Speedcast also owns and operates a teleport in Darwin which is owned by the NT Government to manage the network traffic.

Speedcast EVP for Global Sales and Marketing

James Trevelyan said the company is pleased to have expanded its longstanding existing relationship with the NT Government.

“Reliable connectivity service is essential to a region like the Northern Territory, which we have served for more than a decade,” he said. “Every technology advancement in the service we deliver to NT has a material impact on the people, businesses and government of the territory and we’re proud of the longstanding partnership that makes it possible.”

Austroads to lead development of Digital Trust Service

Austroads is seeking partners to develop a Digital Trust Service that will initially be focused on verifying digital driver licences and proof of age credentials.

The government-funded agency, an association of Australian and New Zealand transport agencies, plans to lead a national pilot for verifiable credentials this year, working closely with issuing authorities of digital credentials across the two markets.

Austroads plans to release an expression of interest later this month to seek experienced providers capable of contributing to the goal of nationally harmonising digital driver licences and other photo IDs. The planned Digital Trust Service will be based on the International Standards Organisation standard ISO 18013-5, and will seek to ensure that digital drive licences can provide robust privacy protection, security and crossborder compatibility.

The pilot will build on Austroads’ role in developing the National Document Verification Service for driver licences. The agency has led development of digital credentialing standards with partner peak bodies from the US and Europe since 2018. The global partnership also consists of vendors including Google, Apple, Samsung, Thales, Idemia, HID, NEC and Get Up Group.

Austroads CEO Dr Geoff Allan said Austroads plans to bring technology already in use in Europe and North America to Australia.

“More than 80% of the adult population have a driver licence and use it as a form of identity. Harmonising digital driver licences across all jurisdictions is an important and complementary step to the larger national digital identity agenda,” he said.

The project will be led by Austroads’ new National Harmonisation Lead – Digital Identity, Christopher Goh, who previously led the development and pilot for the Queensland Digital Licence.

“We will work closely with issuing authorities of digital credentials across Australia and New Zealand,” Goh said. “We also maintain a strong rapport with our North American and European counterparts. Our pilot aims to demonstrate the feasibility of verifying credentials across Australia and to coordinate tests with our international partners, ensuring international alignment.”

ANTICIPATING FUTURE MAINTENANCE EXPENDITURE

Australian federal and state governments are enthusiastic about investing in new infrastructure projects to fuel economic growth, improve connectivity and enhance overall quality of life for Australian residents. In every Federal Budget, a range of measures are announced to invest in key infrastructure projects.

However, what is rarely discussed when the ribbons are cut on shiny new infrastructure is the ongoing cost of these projects. Significant capital spending on new infrastructure often overlooks the crucial consideration of long-term maintenance costs.

By its nature, infrastructure needs to be rebuilt, expanded, retired and replaced. The majority of an asset’s maintenance operating budget is defined during the design phase, though it often isn’t considered until much later. While the initial construction may be funded generously, the failure to adequately plan for the upkeep of this newly built infrastructure can result in the deterioration of the assets at a faster rate than anticipated, leading to premature degradation and costly repairs or replacements.

Failure to consider maintenance costs perpetuates the unsustainable ‘build it and forget it’ mentality, leading to a bloated portfolio of infrastructure assets that become increasingly burdensome to maintain. This pattern strains government budgets, disrupts essential services and undermines public trust in the effectiveness of infrastructure investments. At worst, it puts public safety at risk.

Addressing this issue requires understanding and accounting for the full lifecycle costs, including maintenance and ongoing operational expenses.

Modern asset management software can resolve many of these issues by tracking and managing the condition of assets of any type, from bridges to computers. When integrated into core business financial systems, it can ensure maintenance is tracked and funded, and that crews are mobilised in a timely manner.

MANAGE ASSETS SMARTER, NOT HARDER

SaaS company TechnologyOne’s Enterprise Asset Management is a solution built for government that gives visibility into the entire cost and performance of every asset. When integrated with

finance systems, governments can know exactly what impact these assets are having on the annual budget.

INVEST IN THE RIGHT AREAS

TechnologyOne’s asset management solution enables governments to take a strategic approach to projects, from inception to completion. Intelligent infrastructure planning ensures governments meet their long-term capital objectives on time and within budget, allowing for better resource allocation, budget forecasting and risk mitigation. By having a single source of truth for all asset data, governments can make informed decisions, track progress and anticipate maintenance needs accurately.

PLAN SMARTER

With TechnologyOne’s strategic asset management software, governments can forecast future infrastructure needs, plan for upgrades or replacements, and mitigate risk associated with asset failure through comprehensive data insights. This ensures the delivery of reliable and resilient infrastructure that meets the evolving needs of communities while maximising return on investment.

LIGHTNING-FAST TIME-TO-VALUE

TechnologyOne’s SaaS Plus Enterprise Asset Management is a pre-configured solution designed to increase time-to-value with accelerated implementation while delivering improved effectiveness and efficiencies.

With more than 30 years’ experience partnering with government in Australia and New Zealand, TechnologyOne’s Enterprise Asset Management and SaaS Plus makes it easier to plan, deliver and manage government assets, forecast budgets, reduce organisational risk and improve time-to-value.

For more information, visit www.technologyonecorp.com/ products/asset-management/experience-eam.

TechnologyOne

www.technologyonecorp.com

TECHNOLOGY IN CONTEXT

IMPROVING OUTCOMES FOR SURVIVORS OF FAMILY AND DOMESTIC VIOLENCE

More Australians are at risk of serious harm from family and domestic violence than ever before, according to data from the Australian Bureau of Statistics (ABS). Exacerbated in part by the stresses of the COVID-19 pandemic, these crimes increased by 12% in 2020 alone.

The South Australian Government’s Family Safety Framework (FSF) was implemented in 2013 to provide a coordinated crossagency, cross-sector service response to at-risk women and children. Unfortunately, the framework’s initial paper-based processes and Excel spreadsheet-managed systems were not sustainable, impacting both the delivery of services and the protection of victims.

To identify specific opportunities to drive efficiency through digital transformation, the South Australian Government Department of Human Services (DHS) brought in Satalyst — a leading Microsoft cloud partner, now part of Canon Business Services ANZ (CBS) — to develop a comprehensive Domestic Violence Management Solution that would improve outcomes for the state’s most vulnerable citizens.

INEFFICIENT DELIVERY THREATENS CRITICAL SERVICES

Delivering against the aims of the Family Safety Framework requires extensive collaboration between stakeholders across industries, geographies and agencies — from social workers through to the South Australian Police (SAPOL). Yet despite the importance of this collaboration, DHS previously lacked a single source of truth that could facilitate proper communication.

For instance, referring at-risk victims to Family Safety Meetings (FSMs) — the fortnightly sessions held in each policing region to share information and enable action — used to be a manual process involving the sharing of highly confidential information through email, without appropriate document control measures.

This resulted in a number of problems, notably:

Unstructured and untraceable data sharing: While members involved in the process did sign confidentiality agreements and follow information-sharing protocols, the way information was shared amongst stakeholders was unstructured and was not systematic enough to be traceable or auditable.

Unvalidated data falling through the cracks: No formal process existed to confirm that risk assessment (RA) and FSM Referral forms were coming from a valid source. With no single source of truth, stakeholders also struggled to identify persons who had previously been associated with RAs and FSM Referrals — particularly those who moved between policing regions.

Paper-based processes increase security risks: Because the execution of the framework was heavily paper-based, multiple copies of documents and other related information were being kept, increasing the risk of confidentiality breaches and safety issues.

Manual processes increase frustration and costs: The administrative processes involved in organising and managing the FSMs, as well as keeping track of case registers, multiagency action plans, meeting attendance and follow-ups were cumbersome. This resulted in a disproportionate amount of time being expensed on administrative overhead.

Not only could this time and effort be better utilised in actioning services and supports to help those in need to move through the system quickly, but process limitations also risked re-traumatising victims by requiring them to retell their stories as they sought support.

COMPLETE VISIBILITY THROUGH THE CLOUD FOR KEY STAKEHOLDERS

To resolve these and other challenges, Satalyst designed and built a unified, 360-degree-view Domestic Violence Management

Solution that could track both victims and offenders, in addition to enabling data input and collaboration across services, sectors and workforces in a structured and secure way.

These outcomes were achieved using Microsoft Dynamics 365, Microsoft Azure, Custom Web Apps and Power Apps across a series of discrete modules, including:

• a web-based, self-service Family Support Portal

• a community portal for support agency workers

• a fully digitised case management system with enhanced reporting capabilities for various stakeholders.

Across these modules, Dynamics 365 Customer Service captures and stores the service-specific information required by the FSM Committee. All information and documentation initiated at the Risk Assessment and Referral can then be entered directly into Dynamics 365, which sits on the Microsoft Dataverse to securely store the data. As a result, Domestic Violence Management Solution Officers are now able to manage data via Microsoft Dynamics 365 CRM, run reports that create documents associated with RAs and Referrals, and coordinate with FSM chairs to conduct any necessary meetings.

Any Positive Action Plans, meeting minutes, or follow-up actions that arise from meetings can be communicated back to the officers as updated or newly created documents, which are stored in Microsoft Dynamics 365 CRM against their respective Referrals.

Within Microsoft Dataverse, custom tables specific to the domestic violence case management scenario are created and populated with data from Dynamics 365 and other sources using Power Query. Power Platform services draw on this central data store to create and run apps, flows and intelligent agents, avoiding the need for a third-party integration to unify data.

As the Solution is fully adopted — and as more data is captured through its ongoing usage — DHS will be able to use Power BI and other technologies to produce more advanced analytics and reporting to further improve victim outcomes.

SECURITY BEST PRACTICES CONTROL ACCESS TO SENSITIVE DATA

Given the sensitive nature of the data being shared, security was a top priority for the solution.

Dynamics 365 and Azure Active Directory Identity and Access Management (IAM) mechanisms enable role-based and recordbased security, limiting users’ access to only the level required to do their jobs. User identities are validated by Azure Active Directory and multi-factor authentication, while limitations on print privileges and screen timeouts also help protect confidential information.

Additional security controls within the modules support more granular data-sharing: individual users and teams to be granted access to records they don’t own on an as-needed basis, in order to facilitate specified, collaborative efforts while still preventing unauthorised access to records.

SCALABLE, CENTRALISED SOLUTIONS CREATE A BRIGHTER FUTURE FOR SURVIVORS

By creating a centralised source of information, digitising resources and automating processes, the Domestic Violence Management Solution enables new self-service functionality, reporting capabilities, enhanced security protocols and interactive dashboards that give the department’s key users a clear and detailed overview of current cases.

Apart from this newfound efficiency and security, the most important impact of the solution is the difference it makes for family and domestic violence victims. By facilitating better information sharing about high-risk families, the new modules enable agencies to provide more streamlined, collaborative assistance that makes a difference in the lives of vulnerable residents.

Canon Business Services Australia business.canon.com.au

THE BIG PROBLEM WITH THE BIG BUSINESS OF GOVERNMENT PROCUREMENT

TODAY’S LOW-CODE AUTOMATION PLATFORMS CAN STREAMLINE PROCUREMENT AND CONTRACT PROCESSES WITHOUT MOVING THE DATA.

Government procurement is the business of how government agencies spend citizens’ tax dollars to buy the things those agencies need to fulfil their missions. And it is big business. AusTender, publisher of centralised information on Australian Government procurement, reported 824,178 contracts started between 1 July 2012 and 30 June 2022, with a total value of $565 billion. The top three government spend categories include commercial, military and private vehicles and their accessories and components ($123 billion), management and business professionals and administrative

services ($107 billion) and engineering, research and technology-based services ($57 billion).

“Since 2019, the number of opportunities going through the marketplaces has more than doubled to almost 8000 opportunities in 2022,” said Wayne Poels, General Manager for Digital Investment Advice and Sourcing for the Digital Transformation Agency.

Government agencies are obligated to spend citizens’ dollars efficiently, effectively and transparently. The drivers are the same as in commercial tendering: lower prices, higher quality goods and services, and increased innovation. Agencies have a further obligation to encourage a fair and

competitive bidding process to diminish the risk of favouritism and other fraudulent behaviour while also giving equal opportunity to smaller suppliers that are minority-owned, veteranowned, etc. Despite this, more than 75% of annual federal contracts are currently awarded to big business.

The problem for government is that procurement is a complex form of case management with myriad rules and requirements, long-lived processes that cross departmental and organisational boundaries, and constantly changing data states. Legacy government IT systems are not up to the task of reducing this complexity and providing holistic transparency.

CHALLENGES FACING GOVERNMENT AGENCIES

Growth in the number and scope of government contracts is straining government procurement systems. The implementation of effective procurement case management solutions can enhance functionality to meet compliance, legal and accountability requirements. Further, outdated siloed technology and inadequate management processes prolong the procurement process, create inefficiencies and expose agencies to preventable risks and delays to improved mission outcomes. Government agencies know they must modernise their acquisition

process but identifying the most efficient and cost-effective outcome can be confusing.

Modernisation of procurement systems must successfully integrate the two elements of the procurement process: finance and contract writing systems. Finance teams track and allocate money while contract writing teams manage the creation, execution and administration of contracts, and the integration of their datasets is critical.

Finance and contract writing teams must share budgetary information, cost estimation, real-time obligation and commitment tracking. Additionally, they both need access to invoicing and

payment information, financial reporting and compliance data.

Some agencies decide to modernise their financial system to incorporate contract writing functionality. However, this approach doesn’t incorporate the needs of the contract writing community and lacks important functionality, such as the ability to duplicate contract line item numbers (CLINs).

“While both financial and contracting systems need to be modernised and data standards need to be established to enhance communication between them, they need to be separate products to meet the needs of separate functions,” said Jake Edelman, Specialist Leader at Deloitte Consulting.

Procurement

THE BENEFITS OF A PLATFORM APPROACH

Today’s low-code platforms that provide end-to-end automation with interwoven data fabric technology provide a modernisation layer that sits on top of existing infrastructure. Automation streamlines processes while the data fabric simplifies integration to provide a 360-degree view without moving the data.

It harnesses AI, machine learning and process mining to improve speed, data sharing and process orchestration. A platform approach eliminates the need to adapt legacy technology, infrastructure and knowledge. In this way, such a platform approach improves every aspect of the procurement lifecycle:

• Requirements management: Intelligent requirements gathering simplifies compliance with regulations and mission mandates.

• Award management: Proactive management of funding, spend and contract dates keeps procurement teams on track and on schedule.

• Source selection: A simplified and standardised supplier evaluation process reduces the risk of a protested decision down the line.

• Clause automation: Including generative AI in the process makes it faster and easier to ensure the right contract clauses are selected.

• Vendor management: Breaking down the silos between contracting and suppliers creates a more transparent and efficient marketplace.

According to Gail Guseman, Specialist Leader, Deloitte Consulting, a low-code solution also provides agility, a key requirement of a modern procurement system.

“Taking an agile approach to data is vitally important, as it allows you to easily add new requirements and incorporate user feedback,” she said.

A procurement system should integrate financial, ERP, records management, case management,

“The implementation of effective procurement case management solutions can enhance functionality to meet compliance, legal and accountability requirements.”

enterprise reporting and property management systems. Instead of migrating and restructuring all these datasets, the platform can seamlessly join disparate systems and share data as required.

Modern low-code platforms can provide robotic process automation (RPA), a critical component of a contract writing solution that allows connection between systems without APIs, so data can be automatically copied and pasted rather than requiring manual data entry.

“I think that embracing some of these next-generation technologies will make acquisitions better for everyone,” Guseman said.

SUCCESSFULLY MANAGING CHANGE

One of the risks of modernising a wellentrenched system is that end users can reject its replacement, resulting in organisations losing valuable employees with historical knowledge. Introducing intuitive case management solutions requires thoughtful adaption and training. However, there are numerous benefits: streamlined processes, improved user experience and a significant reduction in manual, time-consuming tasks. Such solutions act as the backbone of modern procurement systems, seamlessly navigating through complex contracts and compliance.

When working with government agencies, the educational component of change management is almost more

important than the technology. Bringing end users in and letting them know what to expect from the process should be an integral part of the project. This includes a thorough understanding of improved case management capabilities — how it helps navigate through complex procurement tasks, ensures nothing is overlooked and makes their daily work easier. Communication elements must help stakeholders to understand what is changing, why and how it will affect their role.

The most powerful change management feature of low-code platform development is how it brings the end-user community closer to the development process. A low-code platform facilitates engagement and feedback from all stakeholders throughout the creation and implementation process, resulting in a user-friendly interface that improves staff retention and employee satisfaction.

As well as achieving the faster development of a system that meets the precise needs of end users, a lowcode platform takes users along on the journey, providing them with a sense of ownership of the system.

“Stakeholders shouldn’t be surprised by change,” Guseman said. “Communications and change management elements are critical to successful project rollout.”

*Kal Marshall is Appian Regional Vice President, Public Sector APJ. Over a 25-year career spanning Workday, Accenture, SAP and Appian, Kal has helped government agencies, commercial organisations and government business enterprises achieve successful outcomes from their technology investments. He understands that public sector investments in technology are under increasing scrutiny so works to maximise technology investments amidst constant change in the industry.

TECHNOLOGY IN CONTEXT

EKA CYBERLOCK: SECURING CRITICAL INFRASTRUCTURE IN A CONNECTED WORLD

There are a myriad of challenges when operating in one of the 11 sectors and 22 asset classes that are now deemed as Critical Infrastructure by the Australian Governments Department of Home Affairs. These challenges extend beyond access control and cybersecurity. The implications of a major malfunction will put thousands of lives at risk.

The mechanical master key systems that have long been used in critical infrastructure organisations are not equipped to address the many convergences across industry, such as regulatory requirements with flexible workforces, physical security and cybersecurity.

The benefits of having a physical security system that has all the features of a hardwired system with the simple operation of a mechanical master key system, whilst providing virtual real-time access control even in remote areas and without being on your network, will severely reduce the risk of it being compromised.

EKA CyberLock is such a system, combining the attributes of a proximity card access control system with those of a mechanical master key system. By eliminating the wire between the lock and the managing software, EKA CyberLock can be installed virtually anywhere. EKA CyberLock’s integration capability enhances its application, addresses specific challenges and provides robust solutions and benefits in high-security environments like government agencies and public sector organisations.

With EKA CyberLock, an access control system has been designed that can be configured for virtually any facility. The adaptable solutions are built around a range of durable, electronic lock cylinders. With over 370 different cylinder designs, EKA CyberLock seamlessly retrofits into existing mechanical hardware, providing scheduled access control without the need to install network or power cables: effectively they provide an IP68-rated padlock with access control and no batteries. In addition to supplying power to the locks upon contact, CyberKey smart keys include Bluetooth keys that provides virtual real-time access control regarding user activity, denied access alerts, schedule changes, expirations and more.

Another benefit of EKA CyberLock is the ability to integrate the CyberAudit Web management software with other security and compliance systems. The software development team based in NSW has developed an API integration with Gallagher Command Centre that allows users to walk up to a card reader, scan their access card and then be given access to a CyberKey (for a set period of time and for a set number of locks or locations). Another example is the native ‘Dynamic Tags’ within CyberAudit Web, which allows organisations to automatically adjust access permissions based on whether or not a tag-criterion is satisfied. For example, if an employee fails to complete their WHS training within the required timeframe, CyberAudit Web will automatically revoke the employee’s access permissions on the expiration date without the need for continual database management.

EKA CyberLock has been installed across sites in Australia since 2000. The system is installed in water utilities, power utilities, roads and transport (such as the Queensland Department of Transport and Main Roads and Sydney’s WestConnex Transurban), telecommunication sites such as BAI Communications, higher education facilities and many airports across the country.

In 2023, an Australian water utility assessed the security risks to treatment plants, reservoirs and hundreds of pumping stations across a large council area. Mechanical key access was highlighted as a major risk due to keys not being able to be controlled. CyberLock was chosen to replace the existing lock cylinders due to the ease and speed of installation. Software-powered CyberKeys allowed the organisation to control access to specific sites to only those who require it and completely mitigated any risk of lost keys.

EKA Cyberlock www.ekacyberlock.com.au

myGov TAKES A STAND ON PASSWORDS

WHAT MYGOV’S MOVE TO PASSWORDLESS AUTHENTICATION MEANS FOR PUBLIC SECTOR ORGANISATIONS.

The Australian Government recently announced that its myGov portal, which allows citizens to access government services online in one place, is transitioning to passwordless authentication to enhance the security of government services online. This represents a significant change for all public

sector organisations and government departments that will require phishingresistant multi-factor authentication (MFA) options like passkeys to sign into myGov going forward.

The adoption of this technology by myGov is driven by the need to counteract the high incidence of scams and phishing attacks targeting myGov.

Last year, between January and August

alone, more than 4,500 individual myGov phishing scams were identified, which contributed to thousands of myGov accounts being suspended due to suspected fraud activities.

The myGov portal, a crucial gateway for accessing various government services, has over 15 million unique users. The integration of passkey technology into myGov is likely to drive rapid uptake due to its enhanced security and ease of use. Unfortunately, major breaches for Optus, Medibank and others resulted in a large number of customer credentials becoming available on the dark web, and so a more secure authentication method is clearly needed. With the introduction of passkeys, this technology can reduce

the risk of large-scale data breaches and identity theft, as identity credentials will no longer be stored on a central server.

DRIVING THE ADOPTION OF PHISHINGRESISTANT MFA AND PASSKEYS

The new authentication system allows for the use of passkey technology, which uses private encrypted keys on mobile devices, computers and hardware security keys. Passkeys

seamlessly authenticate users by using cryptographic security keys stored on their computer or device. They are a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen

or intercepted. Device-bound passkeys like security keys provide the highest protection against phishing attacks because they require something you know (a PIN password) and something you have (a security key), a deliberate user action to insert into the device and physically touch it to access accounts.

Over 80 international websites, including major platforms like Google, Amazon, Air New Zealand, PayPal, Uber, TikTok and Shopify have already embraced passkey technology.

myGov’s move to this standard is expected to spur similar adoption by Australian private sector sites, particularly in sectors like banking and telecommunications.

The Australian Government is taking a bold stance by prioritising phishing-resistant MFA and significantly raising the security bar for the country and its citizens. Following these announcements, we can expect more aggressive moves in the coming months led by the government for all public sector online services to adopt passkeys as phishing-resistant MFA.

This transition marks a significant shift in how government agencies and businesses handle digital security. The move is being closely watched and may influence the digital security strategies of Australian state government service portals and private sector organisations.

“The integration of passkey technology into myGov is likely to drive rapid uptake due to its enhanced security and ease of use.”

A NEW GOVERNMENT CYBERSECURITY STRATEGY

In addition, the Australian Government also released its Australian Cyber Security Strategy 2023–2030 last November, which will impact government, critical infrastructure, citizens and public servants working in the departments tied to myGov, and citizens accessing government services online.

UPDATES TO THE ESSENTIAL EIGHT

Around the same time as the cybersecurity strategy announcement, the Australian Government updated the Maturity Model for the Essential Eight, in which MFA is among the eight mitigation strategies.

The updated Essential Eight framework includes MFA requirements, which have been bolstered to require phishing-resistant MFA by organisations at a lower maturity level. Previously required at Maturity Level Three, these revisions have amplified the use of phishing-resistant MFA such as passkeys, applying them to Maturity Level 2 and not just Maturity Level 3 (ML3). This framework, supported by the recently released Cyber Security Strategy, should be the guide for all

public sector organisations to use to assess their cyber posture.

CONCLUSION

This strategic move aligns with the Australian Government’s broader cybersecurity efforts, and these initiatives reflect a comprehensive approach to strengthening the nation’s cyber defence mechanisms, ensuring that both government and critical infrastructure are equipped to handle the evolving cyberthreat landscape.

For public sector organisations, the transition to passwordless authentication via passkeys presents an opportunity to enhance their cybersecurity posture significantly. It necessitates a re-evaluation of current security measures and an acceleration in the adoption of phishing-resistant MFA technologies. This shift will likely influence digital security strategies within government agencies and the private sector as organisations aim to meet the new security benchmarks set by the government.

myGov’s move to passwordless authentication through the adoption of passkeys is a clear indication of the Australian Government’s commitment to safeguarding its digital services against

the increasing threat of cyber attacks. It marks a new era of digital security, where MFA becomes the standard, offering a more secure, efficient and user-friendly way for Australians to access government services online. This move is expected to significantly transform how public sector organisations and the wider Australian market approach cybersecurity, setting a precedent for others to realise a more secure digital future.

*Geoff Schomburgk is responsible for driving the Yubico business across the Asia Pacific and Japan (APJ) region, working with partners and enterprise customers to implement modern phishing-resistant authentication. He is an experienced senior executive with a background in engineering and strategy consulting and over 30 years’ experience in the global ICT industry. Geoff has a Bachelor of Engineering (Honours) and MBA and is also a qualified Company Director (FAICD).

The role of wireless connectivity in fighting natural disasters

We all know the usual components necessary to fight disasters like a fire, whether it be a house fire, an apartment building, or even a bushfire. The water, the firefighters, the trucks are all vital. However, a resilient network also has a crucial role to play in fighting natural disasters.

Strong and exible networks enable the communication that is so important in an emergency response situation. is includes the sharing of data, status updates and even communicating instructions to citizens. An easy to manage and deploy wireless wide area network (Wireless WAN) approach provides a network that can reliably uphold communications in these critical moments.

Network resilience for first responders

In modern emergency services the operational headquarters must have reliable data connectivity to the emergency vehicle and first responders at all times. Although many emergency services like fire brigades still use MPLS for connectivity to their fire stations, it’s common for these stations to use Wireless WAN routers for failover. These routers can switch to a different transport type if there is an issue with the primary network. Response time in any emergency situation is critical and therefore there can’t be any delay in incoming

transmissions or communications to vehicles that need to respond.

But what happens when the re ghters and vehicles need to respond to an event?

e modern re truck and ambulance is often equipped with technology that must communicate with headquarters and be able to share critical data in real time. With a Wireless WAN approach to connectivity on these vehicles, routers can switch to di erent transport types as the vehicles move through service providers or mobile transport service types from headquarters to the scene of the incident. Taking a Wireless WAN approach will become even more critical in the future as IoT technology becomes more prominent in places like fire departments. A stronger dependence on IoT devices presents the need for network interruption mitigation when IoT devices are communicating critical information. It also means taking a zerotrust approach to securing those devices, because they cannot be secured through user credentials. e right network hardware and network management software can help secure IoT transmissions through zero-trust features and allow departments to prioritise IoT transmissions during emergency situations.

Responding to a natural disaster

In times of natural disaster, clear, secure and uninterrupted communication can help prevent loss of life and potentially minimise damage to infrastructure and property.

When State Emergency Services arrive at a

major ood site for example, an incident team often must set up a remote base of operations. In these cases, they need resilient communication that doesn’t stop just because there’s interference with the network. Often the right approach depends on where the ood is taking place. Based on the location, Wi-Fi may provide a su cient connection and is therefore the primary technology powering the network. At other times, cellular, whether LTE or 5G, or satellite is the way to go.

e right routers can power a Wireless WAN approach that intelligently recognises and leverages the strongest transport type whether it be Wi-Fi, LTE, 5G or even Satellite and can switch if network circumstances change. With this approach, emergency personnel can communicate with headquarters and additional relevant parties as they work to save lives.

Now more than ever, rst responders need a strong network that can match the fortitude and resilience they show as they respond to a crisis. A Wireless WAN approach that is secure, adaptable, and powered by the right management platform, can keep networks strong when rst responders need them most.

GROWING FRAUD TRENDS IN AUSTRALIAN HEALTH CARE

Jayesh Kapitan, National Leader – Health for RSM Australia

AS THE HEALTHCARE LANDSCAPE EVOLVES, SO DO THE METHODS OF FRAUD.

Health care is a vital sector that directly impacts the wellbeing of individuals and the broader Australian community. However, like any other industry, it is not immune to fraud risks. Healthcare fraud can have detrimental consequences, from compromising patient safety to draining valuable resources.

Healthcare fraud can take various forms, including billing for services that were never provided, falsifying patient records, kickbacks and pharmaceutical fraud. And while many organisations have internal controls in place to combat fraud or corruption perpetrated by an employee or other associates related to the organisation, it can be easy to overlook these internal controls.

Identity theft in health care is a key area of concern and can involve fraudsters stealing patient information to submit fraudulent insurance claims or obtain medical treatment, prescription medications or government benefits.

According to the Office of the Australian Information Commissioner, health care was the most targeted sector for data breaches in the January–June 2023 period, with 15% of all reported data breaches occurring in the healthcare sector1

WHY HEALTHCARE ORGANISATIONS ARE BEING TARGETED

Health care is one of the largest sectors of the Australian economy at approximately 10% of GDP2. With substantial government funding, private insurance payments and outof-pocket expenses from patients, the vast financial resources flowing through the healthcare system present an attractive target for fraudsters.

In addition, Australia’s healthcare system is a complex mix of public and private funding sources, including the government’s Medicare program and private health insurance.

This complexity creates opportunities for fraud, as the billing and reimbursement

processes can be challenging to navigate and monitor effectively. Fraudsters exploit this complexity to submit inaccurate or inflated claims, engage in code manipulation schemes and engage in other fraudulent billing practices that may go undetected.

PREVENTION AND DETECTION OF HEALTHCARE FRAUD

In Australia, the Australian Standard AS 8001:2021, Fraud and Corruption Control, has been the pre-eminent guide on how to prevent, detect and respond to the risks of fraud and corruption.

Healthcare organisations can use AS8001:2021 as a guide to prevent and detect fraud by implementing a robust anti-fraud framework or program. This means ensuring that healthcare organisations create and regularly update policies and procedures that clearly outline their approach to fraud prevention and detection.

In addition, healthcare organisations should conduct regular risk

assessments to identify areas where fraud is most likely to occur. In the healthcare sector, this may involve evaluating billing processes, financial transactions and data security.

Finally, healthcare staff should receive regular training on recognising and reporting fraud. AS8001:2021 suggests

developing training programs to educate employees about the types of fraud that can occur within the healthcare industry and how to report suspicions.

Another effective detection method is for healthcare organisations to implement fit-for-purpose whistleblower reporting mechanisms. According

to the Association of Certified Fraud Examiners (ACFE)

Occupational Fraud 2022

A Report to the Nations report, 58% of fraud in the Asia–Pacific region is detected by a tip3. Therefore, it is imperative for healthcare organisations to provide avenues for employees, contractors and other stakeholders to

Health care

report suspected fraud and corruption. This can involve implementing secure and anonymous reporting channels where individuals can safely report their concerns. These channels should be easily accessible to all stakeholders.

It is also important to ensure that healthcare organisations have a robust data analytics program that can help detect and prevent fraud. Data analytics can be used as an early detection tool as it enables healthcare organisations to identify unusual patterns and anomalies in claims, billing and patient data.

This early detection can help prevent fraudulent activities before they escalate, reducing financial losses. Data analytics can also be used for predictive modelling as it can forecast potential fraud risks based on historical data, allowing healthcare organisations to take pre-emptive measures to prevent fraud. This can include monitoring high-risk providers or regions more closely.

Finally, data analytics can be used to identify unusual patient and provider behaviour by flagging unusual activities that may indicate fraud. This can include assessing patient–doctor relationships, identifying multiple claims for the same condition or detecting providers with higher-than-average billing rates.

Overarching the prevention and detection methods listed above is

governance. Governance plays a critical role in combatting fraud in the healthcare sector in Australia for a number of reasons:

• Regulatory compliance: The healthcare sector in Australia is subject to numerous regulations, including laws related to privacy, billing and fraud prevention. Effective governance ensures that healthcare organisations adhere to these regulations. It establishes clear policies and procedures to guide employees and providers in their daily operations, reducing the likelihood of inadvertently violating laws and regulations related to fraud.

• Ethical and cultural influence: Strong governance sets the tone for an organisation’s culture. When leaders prioritise ethical conduct, transparency and accountability, it sends a clear message to employees and providers

that unethical behaviour and fraud will not be tolerated. An ethical organisational culture encourages employees to report suspicious activities, ensuring that fraud is detected and addressed promptly.

• Risk management: Fraud in health care can result in significant financial losses, damage to an organisation’s reputation and legal liabilities. Effective governance involves implementing robust risk management strategies, such as identifying and assessing fraud risks, establishing internal controls and monitoring for signs of fraudulent activities. By proactively managing these risks, healthcare organisations can reduce the likelihood of falling victim to fraud and minimise its impact.

CONCLUSION

Healthcare fraud is a growing trend in Australia, with various areas of vulnerability. As the healthcare landscape evolves, so do the methods of fraud. Staying vigilant and implementing comprehensive strategies to prevent and combat healthcare fraud are essential to ensure the continued integrity of the healthcare system and the wellbeing of patients.

This article is an abridged version of a white paper originally published by RSM Australia.

1. Office of the Australian Information Commissioner 2023, Notifiable Data Breaches Report: January to June 2023, Commonwealth of Australia

2. Australian Institute of Health and Welfare 2023, Health expenditure Australia 2020-21, Commonwealth of Australia

3. Association of Certified Fraud Examiners 2022, Occupational Fraud 2022: A Report to the Nations

Enhancing road safety through wireless vehicle communications

Reiner Stuhlfauth, Rohde & Schwarz*

In recent years wireless automotive communications have grown from a mere service application into a large vertical tenant of new applications and services in the automotive domain.

With ever-growing a uence in many developing as well as industrialised countries, increases in individual mobility are becoming apparent. However, the increase in transportation system e ciency through traditional road building often reaches its limits in terms of land consumption and lack of public acceptance and engineers and scientists are looking for processes and technologies to enhance tra c ow through sophisticated tra c management.

e established intelligent transportation system (ITS) ITS-G5 is expected to avoid tra c congestion and increase overall tra c e ciency. End-to-end digitisation from single vehicles to road infrastructure and backend servers provides the basis for continuous tra c- ow control and management. Technological progress in the automotive industry towards automated driving and development of advanced driver assistance systems (ADAS) is propelling the fully digital transportation system.

e Cooperative ITS (C-ITS) transportation system enables all road users including pedestrians to communicate and cooperate with each other, and promises to increase e ciency and reduce road tra c fatalities

and serious injuries — a primary goal of government agencies around the globe. What is required is a mobile communications system that supports the reliable exchange of road tra c data even in scenarios where road users are travelling at high speed.

Two major motivations and objectives are driving the technology evolution: enhanced comfort in vehicles thanks to sophisticated entertainment services, and safety-related applications. e latter in particular is advancing several communications technologies such as the eCall introduction and the rst direct communications scenarios. Policymakers and the automotive industry are striving to improve vehicle safety. A new technology enables vehicles to directly communicate with each other as well as roadside units. Devices such as smartphones, backpacks and bicycles will include technology to communicate with vehicles. ese devices would alert drivers to the presence of a cyclist on the road or a pedestrian on a crossing in order to greatly reduce the number of pedestrianrelated injuries and fatalities. ese direct communication systems are known by many di erent acronyms, such as V2V, V2I, ITS-G5 and C2x.

New communications paths like the ‘sidelink’ introduced in Release 12 of the 3GPP speci cations, o er new connection scenarios such as V2X where ‘X’ stands for

‘everything’ in the communications path. 3GPP Long Term Evolution (LTE) Release 14 speci es the vehicle-to-everything (V2X) communications service. is feature sets the starting point for the evolution of applications not previously supported by mobile communications technology. Release 15 contains the de nition of enhanced V2X communications scenarios and Release 16 links cellular-based V2X communications to 5G New Radio (NR) radio technology, o ering much greater exibility, higher data rates, lower latency, QoS-driven connectivity and future-proof deployments of direct communications. ese technology enhancements are paving the way for ubiquitous and future-proof connectivity.

*Reiner Stuhlfauth is Technology Manager (Wireless) at Rohde & Schwarz GmbH and has more than 20 years’ experience in teaching and promoting mobile communication technologies. He is involved in several projects concerning 5G, 5G advanced and 6G research.

Rohde & Schwarz (Australia) Pty Ltd

www.rohde-schwarz.com.au

NAVIGATING THE CROSSROADS OF

CYBERSECURITY AND MENTAL HEALTH

THE NEED FOR MENTAL HEALTH SUPPORT WITHIN THE CYBERSECURITY PROFESSION HAS BEEN EVIDENT FOR QUITE SOME TIME.

In the realm of cybersecurity, stre ss and hypervigilance are constants. The relentless task of detecting and preventing attacks, coupled with the blame game when things go awry, exerts an unspoken toll on the mental health of cybersecurity professionals. The unceasing onslaught of attacks and disruptions and the looming spectre of burnout further complicate the already challenging task of recruiting and retaining cybersecurity talent.

According to research psychologist Dr

Andrew Reeves, cyber professionals are burning out faster than frontline workers 1 . In fact, nearly a quarter (22%) of Australian cybersecurity professionals are already thinking of leaving their current role.

Yet, many businesses fall short in addressing the mental health concerns of their cybersecurity workforce. The imperative for Australian businesses in 2024 and beyond is to foster awareness, provide education and offer support. They must equip cyber professionals with the necessary tools and resources to alleviate the mental burden.

CYBERSECURITY AND MENTAL HEALTH IN THE CURRENT DIGITAL AGE

The field of cybersecurity may be thankless, yet it remains indispensable. The need for mental health support within the profession has been evident for quite some time. Factors contributing to stress and burnout include security budget cuts in organisations, which are forcing security teams to cut back on multilayered security solutions and rely on single solution providers like Microsoft365. These budget cuts are occurring at the same time as cyber attacks are becoming more frequent. There’s also heightened media coverage, which adds to anxiety, and a sense of underappreciation in the workplace. Relentless and evolving cyber attacks are taking a physical and mental toll, fostering a sense of

hopelessness among professionals. Unfortunately, outside of cybersecurity teams, the issue is unappreciated, with 45% of Australian cybersecurity workers reporting that ransomware attacks are either misunderstood or disregarded by leadership, adding to the complexity.

According to Mimecast’s State of Ransomware Readiness report, 54% of cybersecurity professionals openly admit that cyber attacks have a detrimental impact on their mental health. Moreover, 31% of Australian businesses grapple with workforce burnout due to debilitating cyber attacks. The situation is compounded as 70% of Australian businesses continue wrestling with email-based threats. The mental health toll inflicted on cyber professionals is driving many to leave the industry, a potential outcome with far-reaching,

albeit unspoken, implications. Systemic vulnerabilities in cybersecurity defences could affect society at large, especially when essential services and critical infrastructure are at risk. Leaders across the industry must therefore recognise this growing convergence between cybersecurity and the mental health of professionals and take proactive steps to mitigate it.

PRIORITISING ROBUST CYBERSECURITY DEFENCES AND MENTAL HEALTH IS CRITICAL

As the prevalence of cyber attacks continues to rise, businesses must invest in safeguarding their operations, employees and reputations. However, since cybersecurity and mental health are intricately linked, addressing both concerns simultaneously is an imperative. Unfortunately, many Australian businesses have yet to embrace this approach, which is often rooted in misconceptions at the executive level regarding the nature of cybersecurity work and the needs of IT specialists. Considering the high demand and competition for cybersecurity professionals, too few companies ensure a secure and supportive working environment.

Australian businesses should assess the wellbeing of their cyber professionals and take steps to reduce stress and attrition. These steps should involve providing better resources, enhanced training and improved working conditions. Simple yet effective measures include offering a flexible workplace and implementing mental health initiatives. Adopting innovative technologies and methodologies can ease the pressure on professionals, and at the same time further enhance cybersecurity.

EMBRACING CUTTINGEDGE TECHNOLOGIES AND METHODOLOGIES IS KEY FOR BUSINESSES

Businesses must shift their focus from mitigation to proactive prevention,

improving threat detection capabilities and response mechanisms, which ultimately reduces the cost of cyber attacks. This necessitates the adoption of better security solutions and training. Mimecast’s research revealed 45% of Australian cybersecurity leaders would like more frequent security awareness training for end users to prevent and prepare for a ransomware attack, while nearly half (48%) felt they needed additional security systems.

Human error is a common cause of data breaches and cyber incidents, underscoring the importance of holistic staff training and the analysis of high-risk areas within an organisation. Drawing an analogy to exam stress, training programs should address email threat awareness and equip employees with strategies to counter subtle psychological manipulations. This approach ensures that every staff member comprehends their role in preventing cyber attacks, alleviating stress among cybersecurity personnel and minimising the risk of burnout.

The other facet of the equation lies in investing in emerging technologies. Cybersecurity is a dynamic field, with cybercriminals constantly devising creative strategies and tools to achieve their objectives — something that is only becoming easier thanks to the rise of AI. Now anyone can create convincing phishing emails and malware.

Businesses must remain vigilant by keeping their systems up to date and partnering with security providers that constantly improve their solutions to adapt to the evolving threat landscape.

As cybercriminals continue to evolve their methods, cybersecurity professionals and organisations will face greater threats. Acknowledging the mental health challenges faced by cybersecurity professionals and taking immediate action is essential to ensure smooth operations in the future.

1. Spotify, The Get Cyber Resilient Show: Ep 130 - Cyber’s toll on Mental Health with Dr Andrew Reeves, Director at Cybermindz

To defend Australia against AI-generated cyber attacks, federal and state governments as well as the private sector must work closely together. Threat vectors haven’t changed, but AI is now making it faster, easier and cheaper for nationstate hackers and criminal syndicates to carry out attacks. This means data sharing between the Five Eyes and our other allies has never been more important. Together governments need to identify emerging AI threats and provide advice to the private sector and citizens on what we need to address and be prepared for.

The rapid evolution of generative AI has not gone unnoticed by cybercriminals. While ChatGPT, Bard and others are gaining popularity in the business world, tools such as WormGPT and many others have emerged on the dark web. These enable threat actors to create more effective phishing emails and new malware variants at scale and faster than ever before.

The types of threats and risks facing governments and businesses in Australia are not new. According to the Australian Cyber Security Centre (ACSC), ransomware, email scams and business email compromise remain the most significant risks. But the capacity for criminals to create and deploy these attack methods is unprecedented and the increased automation that powers these threats has empowered unskilled threat actors.

AI is also enabling criminals to exploit disclosed vulnerabilities faster than ever before. The time between when a vulnerability is disclosed, such as when a patch is released, and when it is being actively exploited by malicious actors is shrinking. In 2022, Mandiant found that

the average time between disclosure and exploit was about a month. More recent research has found that time has shrunk to less than a week.

That’s the bad news. But there is good news as well. While the volume and velocity of attacks has increased, and threat actors are exploiting known vulnerabilities faster than ever before, tried and true defensive measures remain effective.

SHARING THREAT INTELLIGENCE IS CRITICAL

No organisation in Australia operates in a vacuum. Sharing information about successful and thwarted attacks is vital in the fight against cybercrime. The federal government shares information with its Five Eyes partners and there are formal networks such as the Australian Signals Directorate’s Australian Cyber Security Partnership Program. This program enables Australian organisations and individuals to engage with the ACSC and fellow partners to draw on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy.

There is immense value in industry groups, local business collectives and other informal arrangements that find ways to share intelligence about cybersecurity threats and risks. Cybercriminals focus on specific sectors that use common tools. For example, if a shared service provider to government is attacked, then that information needs to be quickly shared to minimise the risk to other departments and agencies.

THE BASICS OF CYBERSECURITY STILL MATTER

The ASD’s Essential Eight has been around for well over a decade and has evolved to meet the changing nature

of cybercrime. More than ever, it is a robust foundation for all government departments and agencies.

Ensuring all applications and operating systems are promptly updated with the latest security patches minimises the risk that a known vulnerability is exploited by criminals. It’s also essential that all application preferences and settings are configured to minimise the risk of intentional or accidental data loss.

Most information security breaches occur when user credentials and access are misused. Multi-factor authentication (MFA) is no longer a ‘nice to have’: all access should be protected with MFA and users should only have access to the systems and data they need to do their job. Similarly, the links between applications should also be locked down to ensure one breached application doesn’t lead to wider, more damaging attacks.

Regular backups must be undertaken and regularly tested. When a backup is complete, it should be physically and logically isolated from core systems. Many forms of malware start their activity by making backups inaccessible. Ensuring you have reliable backups will aid recovery should an attacker succeed in breaching your other security controls.

While there is a lot to be concerned about as criminals start using AI and other emerging technologies, a well conceived and executed defensive cybersecurity strategy will continue to thwart most attacks. Following a set of robust guidelines such as the Essential Eight, or other standards such as NIST or ISO270001, will help secure Australian organisations against emerging threats.

MULTI-FACTOR AUTHENTICATION HAS MULTIFACETED PROBLEMS

RECENT DEVELOPMENTS IN CYBER ATTACKS HAVE EXPOSED VULNERABILITIES IN MFA, PROMPTING THE NEED FOR A MORE COMPREHENSIVE APPROACH TO IDENTITY VERIFICATION.

In today’s digital landscape, securing user identities is paramount to safeguarding sensitive information and systems from cyber threats. Multi-factor authentication (MFA) has long been regarded as a powerful security measure. However, recent developments in cyber attacks have exposed vulnerabilities in MFA, prompting the need for a more comprehensive approach to identity verification.

Zscaler’s ThreatLabz uncovered a significant phishing campaign that bypassed MFA by utilising adversary-in-themiddle (AiTM) tactics. This sophisticated attack involved redirecting users to a malicious site, intercepting passwords and MFA-verified session cookies. With this, attackers were able to steal users’ credentials and gain access to sensitive information without raising alarms.

Apart from AiTM attacks, simpler methods have also been employed to bypass MFA. By bombarding a target with MFA notifications and employing social engineering techniques, threat actors have successfully convinced contractors to authenticate the MFA requests, enabling them to bypass without any technical skill. Furthermore, SIM swapping has emerged as another technique, where threat actors manipulate telecom providers to switch a target’s phone number to an attacker-

controlled SIM card. This allows the attacker to receive MFA requests and effortlessly circumvent the security measure.

IDENTITY ACCESS MANAGEMENT: EMBRACING A HOLISTIC APPROACH

While MFA remains a valuable layer of security, it is crucial to recognise its limitations and consider a more comprehensive approach to identity verification. Rather than relying solely on MFA, organisations should embrace identity access management (IAM) technologies. IAM offers various approaches to verify user identity, minimising susceptibility to the exploits successfully leveraged against MFA. Additionally, IAM encompasses identity verification for devices, networks and services, providing a holistic solution for comprehensive security.

THE SHIFTING LANDSCAPE OF AUTHENTICATION

Cybersecurity measures must adapt continually to keep pace with evolving threats. The transition from single passwords to MFA was an important step, but as the vulnerabilities of MFA become evident, it is vital to integrate new authentication methods. IAM providers, AI analysis, biometrics and location data are some of the tools organisations can leverage to enhance identity verification.

BALANCING SECURITY AND USER EXPERIENCE

Authentication is a delicate balance between security and user experience. Instead of employing a one-size-fits-all MFA approach, organisations should adopt a more granular authentication process based on the sensitivity of the resource being accessed. Lower value resources may require simple MFA from any device and network, while higher-sensitivity applications may demand a compliant, corporate-managed device along with MFA. Highly sensitive resources should incorporate more elaborate measures, such as a compliant, managed device, MFA with a physical token, and access restricted to a known network or zero trust network access (ZTNA) service. It’s important to remember that passing an MFA challenge only verifies the authenticator but does not guarantee identity, necessitating additional security measures for highly sensitive resources.

In an evolving threat landscape, it is paramount for organisations to invest in technologies that provide end-to-end visibility across the entire IT ecosystem which thereby helps IT teams configure a more comprehensive cybersecurity approach — including identity verification.

When it comes to identity verification, IAM enables organisations to adapt to the rapidly changing cybersecurity landscape and ensure robust protection against evolving threats. The evolution of authentication is an ongoing journey, and staying ahead of adversaries requires embracing new tools and strategies to secure user identities effectively.

The magazine you are reading is just one of 11 published by Westwick-Farrow Media. To receive your free subscription (print or digital plus eNewsletter), visit the link below.