Industry response to the Protective Security Policy Framework Directive

The cybersecurity industry has responded to the Australian Government’s Protective Security Policy Framework (PSPF) Directive 002-2024, issued on 8 July 2024. The Directive requires Australian Government entities to identify and proactively manage the risks associated with vulnerable technologies they manage for themselves and others.

“We appreciate this great initiative by the Department of Home Affairs to require Australian government entities to identify and proactively manage the risks associated with vulnerable technologies,” said Ashwin Ram, Cyber Security Evangelist at Check Point Software Technologies. “As we have seen time and again, vulnerable assets available on the internet are easy prey for threat actors as an entry point into any organisation, not just our critical infrastructure. Any change in government policy that mandates security professionals to develop cyber risk management capabilities within their organisations is a step in the right direction. To ensure Australian government entities proactively mitigate the risks associated with vulnerable assets, the PSPF could go a step further and suggest that Australian government entities be cautious when purchasing assets from manufacturers, suppliers and service providers who consistently produce vulnerable technology assets.”

Wayne Phillips, field technology director for Asia Pacific and Japan at SentinelOne, said a series of recent breaches involving third-party service providers and unpatched internet services had drawn the attention of the Department of Home Affairs. “The Department is taking proactive steps to strengthen the foundational framework of the Australian Government’s security practices,” he said. “It is strengthening its position on the risks associated with internet-facing cloud services to ensure proactive measures are taken to address risks associated with assets most likely to be targeted. The need for secure sovereign cloud services with robust systems in place to identify cybersecurity gaps across government has never been greater.”

Pieter Danhieux, co-founder and CEO of Secure Code Warrior, said PSPF Direction 002-2024 has the potential to shape a broader movement toward stronger security programs across the country. “While this mandate is specifically designed to strengthen current technology security processes across the government, it is an opportunity for them to lead by example on non-negotiable cybersecurity issues as they relate to connected technology assets,” he said. “I certainly hope these directives catch on at the enterprise level. Ultimately, a mandate is one thing, but working on the resources to effectively respond is another, and that’s where we need to dig in and try a different approach or risk another well-thought-out plan that ends up being toothless.”

Anthony Daniel, ANZ regional director at WatchGuard Technologies, said these measures strengthen the overall security posture of government networks and protect sensitive information. However, to further enhance the security and risk management of technology assets, he suggests that Australian government entities consider the following additional steps:

  • Implementing ongoing training for staff to enable them to remain current on security practices and recognize potential cyber threats;

  • Conducting regular third-party security audits and assessments to identify and mitigate risks that may be missed during internal reviews;

  • Regularly reviewing and updating security policies and procedures to adapt to the changing cyber threat landscape;

  • Continuously investing in and improving security technologies such as encryption, multi-factor authentication, and secure access controls.