We wrote this article in response to the sweeping changes introduced by the updated Cyber Security Bill 2024, fundamentally reshaping Australia’s approach to cybersecurity. This new legislation mandates rigorous reporting requirements for ransomware payments and enforces enhanced security standards for connectable devices, among other measures. Our goal is to explain what these legislative updates mean for businesses—from ensuring compliance with stricter cybersecurity protocols to protecting critical assets from increasingly sophisticated threats—and provide actionable insights to help you navigate this evolving landscape.
Understanding these changes is essential in today’s digital environment, where cyberattacks are increasing in frequency and complexity. By examining the implications of the Cyber Security Bill 2024, we aim to empower business leaders with the knowledge needed to make informed decisions and adopt adequate security measures. This article is a practical guide to help you align your operations with the new regulatory framework and enhance your organisation’s resilience against the rising tide of cyber threats.
The legislation we are referencing in this article is over 100 pages long. It’s no wonder organisations struggle to understand their obligations in our modern, security-conscious world. There is barely enough information informing directors of their obligations under such legislation, let alone enough service providers willing (or able) to educate their customers.
This is what the legislation essentially says and what’s likely to happen as the new Cyber Security Bill 2024 is enacted:
Businesses meeting the specified turnover threshold must report any ransomware or cyber extortion payments within 72 hours. This will enable the government to build a comprehensive threat picture and respond more effectively to emerging cyber risks.
Manufacturers and suppliers must ensure that smart devices sold or supplied in Australia meet strict cybersecurity standards, including providing a statement of compliance. This measure reduces vulnerabilities and protects consumers and businesses from attacks exploiting insecure devices.
An independent, no-fault review board will analyse significant cybersecurity incidents, identify contributing factors, and issue recommendations to the government and industry, helping prevent future breaches.
The Bill introduces a range of enforcement measures—including compliance, stop, and recall notices, along with associated civil penalties—to ensure that entities adhere to the new reporting and security requirements, ultimately reducing the financial and operational risks posed by cyberattacks.
Let’s break it right down. As an organisation, your exposure, and therefore what you need to protect yourselves against, comes down to the following two security matters:
The average cost of cybercrime is substantial: small businesses pay an average of $46,000, medium businesses $97,200, and large businesses $71,600 per reported incident.
Ransomware payments can vary widely, with median payments around USD $381,980 in 2023. Additional costs include forensic experts, investigations, and reputational damage.
Ransomware can cause severe disruptions or complete shutdowns of operations. Recovery periods for businesses average 22 days.
Cyber extortion can expose sensitive data, resulting in loss of customer trust and reputational damage. A quarter of ransomware incidents reported to the Australian Signals Directorate involved data exfiltration.
Ransomware attacks can severely impact businesses, with some small businesses shutting down within six months of an attack. Financial strain may also lead to workforce downsizing or executive resignations.
Many ransomware attacks go unreported, limiting the government’s ability to understand the full scope of the problem and provide adequate support.
Cybercriminals constantly evolve their tactics, making it difficult for businesses to stay ahead of threats.
Both large entities and small to medium-sized businesses are significant targets for cybercriminals.
Use clear, non-technical language to explain ransomware and cyber extortion.
Highlight financial risks, including ransom payments, recovery costs, and reputational damage.
Emphasise potential operational disruption and the risk of data breaches.
Stress that these are real risks, with many Australian businesses experiencing significant losses.
Explain the importance of mandatory ransomware payment reporting under the new legislation.
The answer is, of course, no—not anymore. At alltasksIT, we actively require our customers to elevate their security posture because we cannot assume the risk on their behalf. We are responsible for protecting our clients, which necessitates adopting new tools, investing in cutting-edge solutions, and adhering to evolving regulatory standards. Ignoring these requirements is not an option, especially given the stringent notifiable data breach provisions and potential fines for directors failing to meet their operational and disclosure obligations.
Ransomware and cyber extortion represent significant and evolving threats to Australian businesses, with substantial financial, operational, and reputational consequences. By understanding these threats, business owners and decision-makers can better prepare their organisations and make informed decisions to protect themselves.
Chief Executive Officer (CEO)
Founder and Principal of alltasksIT with 30+ years of IT experience, John has broad and varied experience across cloud computing strategies.
John has been successfully realising IT and networking solutions for small to medium businesses for over 25 years.