When the heads of 19 countries and the EU flew into Brisbane last November for the two-day, $400 million G20 conference, they floated in on a three-year bonanza for the channel that has reoriented Queensland as a centre for information security opportunities.
Even before the VIPs took the scorching ride from the tarmac to their five-star hotel rooms, the 4000 delegates, 2500 journalists and some 1000 assorted hangers-on attending the Group of 20 event were protected almost one for one by 5000 police and 1900 soldiers.
The physical security bill was eye-watering: the Australian Government gave $100 million and the Australian Defence Force $8 million to lock down the G20. Security guards cost $34 million, and then there was the bill for an ammunition stockpile ($25 million) and bomb-proof Mercedes-Benz limos to ferry leaders in style ($1.8 million). There was even $2.9 million to hire 27 kilometres of 2.8 metre-high steel fences, barriers and gates (apparently sheep farmers snapped them up for $500,000 after the crowds went home).
But spending also flowed into information security. One of the requirements for hosting the prestigious event was that the state spend $457 million over 15 years on a secure digital radio network, to be managed by Telstra (about $50 million has been spent to date).
The Department of Science, IT, Innovation and the Arts also committed $3.12 million over two years to 2015 for its Tactical Cybersecurity program. The Queensland Police Service spent $1 million of its $2.07 billion annual budget last year upgrading its IT systems for the G20.
And it spent $18.5 million on mobile devices providing real-time information so beat cops could respond to incidents more quickly. And security testing, risk and compliance will take a chunk of the state’s $19 million one-stop shop eGovernment portal.
Information security consultancies say G20 spending, coupled with the state government ousting an infosec consulting incumbent, caused their businesses to flower even while traditional IT is stagnant or in retreat. And there was a sense that Queensland had fallen behind in securing its critical infrastructure, highlighted in a 2013 Queensland Audit Office report that found Brisbane transport systems vulnerable to cyber attack.
The new services and intense scrutiny led to issues such as compliance, penetration testing, and guarding against social engineering and other malicious attacks landing on the desks of decision-makers.
Urgency was amplified by high-profile attacks in the past 18 months on the likes of Sony and Target in the US. But still too many of Australia’s boards are too intransigent to see the danger, says Phil Kernick, the founder of Adelaide-based security consultancy CQR.
“They have no experience in [information security]. The industry I live in didn’t exist until the late 1990s,” says Kernick, who opened a Brisbane office on the back of G20 business. CQR has about 40 staff in Adelaide, Melbourne, Sydney and the UK.
“For board members in their 70s, for 50 years of their life, IT didn’t matter. If you talk to these boards, they will say it’s a marketing problem and that’s neither true nor sensible. There’s merit to having younger people on boards who understand the issues.”
Kernick says boards are very bad at managing risk. “People don’t even understand the concept. Risk is like cattle, it’s not like bugs. You have to understand and manage it; it can’t be eliminated.”
Technologists scaring people with threats such as director liability are also culpable. Kernick, who advises the Queensland Government and ASX-listed companies, instead advocates enlightened self-interest.
“The issue comes down to personalising the risk but without the beat-up. If you tell [directors] they’re personally liable, they say, ‘Show me a single board member that has ever been sued’.
“Instead, you say, ‘But if you don’t protect the information your organisation keeps, when the bad guys get in they will know your home address and what you pay in school fees’. And at that point [the response] is, ‘Holy crap!’ You can imagine the look on their face: ‘It didn’t occur to me before’.”
Kernick says his compliance-management business is growing “hundreds of percent year on year”.
Intalock’s Julian Haber is also riding high on Queensland’s heightened information security posture, reporting “monstrous growth” last year. Intalock, the Brisbane consultancy he founded with his wife, has seen a dramatic uptick in business each year since it formed out of Symantec’s consulting organisation five years ago. It now specialises in Symantec solutions, data security and management, and managed security services.
And while he’s not seeing as much compliance work as there might be if Australia’s compliance laws had teeth, Haber says penetration testing and sales of hardware and managed services are rocketing. The Sydney office Intalock opened a year ago to serve its financial institution customers is also growing.
One of the biggest contributors to growth was a “significant win” with the Queensland Government’s Tactical Security Program to support the G20. “The state government has made major inroads in cyber-policing, but the job is never over,” Haber says. “They’re probably leading the way among state governments: not as mature as some federal government departments, but for state governments they’re doing a pretty bloody good job as long as they keep it up.”
Intalock provides vulnerability assessments to the Queensland Government and managed services for gateways responding to malware traffic, he says.
Although Queensland was “incredibly effective” at thwarting distributed denial-of-service attacks, malicious actors are escalating. “If they had reached their destination target, they would have downed whole government departments.”
Many organisations, oblivious to what is on their network, exacerbate the problem. “We also work with clients to build out a response plan if a critical asset were compromised. The best technology won’t keep bad guys out. We need a balanced approach to cybersecurity; it should be about monitoring and response, as well.”
He says a budget split of 60 percent to prevention and the rest to clean-up and analysis is about right for many big organisations.