How Mining Recruitment Companies Can Stay Cyber Secure Under the New Cybersecurity Bill in Australia

November 5, 2024


The Australian mining industry depends extensively on recruitment companies to supply skilled workers essential for its operations.

With evolving legislation, it is crucial for all businesses, especially those managing large volumes of sensitive data, to stay updated on the latest cybersecurity requirements.

Australia’s cybersecurity framework is supported by entities such as the Australian Signals Directorate. These organisations provide guidance on safeguarding sensitive data and on implementing robust data security measures across industries.

On Wednesday, 9 October 2024, the Australian Government introduced the Cyber Security Bill 2024 (Cth) in the Federal Parliament. While the Security of Critical Infrastructure Act 2018 (Cth) already enforces cybersecurity obligations for critical infrastructure entities, the Bill represents Australia’s first law aimed specifically at enhancing cybersecurity across both the public and private sectors.

This blog serves as a guide for mining recruiters in Australia, outlining the requirements for compliance with these new legislative changes.

Overview of the Cybersecurity Bill’s Impact on Mining Recruitment

The Cybersecurity Bill 2024 builds on earlier efforts, like the Security of Critical Infrastructure Act 2018, to enhance the nation’s defences against cyber threats. While the 2018 Act primarily focused on sectors such as energy, water, and communications, the new Bill expands these requirements to cover businesses providing services to critical industries, including recruitment firms.

Mining recruitment companies now face greater responsibilities in protecting data related to candidates and employees, with compliance standards designed to reduce risks associated with cyberattacks.

The expanded scope means that recruitment companies must adopt a more proactive stance on cybersecurity. The Bill requires businesses to identify their digital vulnerabilities and implement measures to safeguard their systems against attacks, especially ransomware, which has become an increasing threat in Australia.

The intent is to ensure that the broader supply chain, including recruitment providers, does not become an easy target for attackers aiming at critical infrastructure.

New Compliance Standards for Recruitment Data Security

The Cybersecurity Bill 2024 outlines specific standards for the protection of sensitive recruitment data. This includes personal and professional information about job candidates, which if compromised, could result in significant privacy violations.

Recruitment companies are expected to deploy robust encryption methods for data storage, implement multi-factor authentication for accessing sensitive information, and regularly update security software to defend against evolving threats.

Additionally, the bill mandates that third-party software providers and recruitment platforms used by companies must comply with data protection standards.

Industry Resourcing Experts, in particular, handle sensitive applicant data, and any breach could have far-reaching consequences. Therefore, establishing secure data transfer protocols and restricting access to authorised personnel is crucial.

Reporting Obligations for Cybersecurity Incidents and Ransomware

A major aspect of the Cybersecurity Bill 2024 is the introduction of mandatory reporting for ransomware incidents.

Any company dealing with critical infrastructure data, including recruitment companies serving the mining sector, must report breaches involving ransomware attacks or any unauthorised access to sensitive information. This applies to situations where the data of candidates, employees, or contractors has been compromised.

Moreover, if a ransomware payment is made, it must be reported to the Australian Government and the Office of the Australian Information Commissioner (OAIC) within 72 hours. This requirement is aimed at deterring companies from quietly paying ransoms and at incentivising them to report incidents promptly.

For mining recruitment companies, this means having a clear incident response plan in place to quickly identify and report such events, thus minimising potential damage and ensuring compliance with the law.

Companies can use the government’s online portal for routine submissions, but direct contact is advised for urgent cases. Internal processes must also be put in place to ensure that this reporting timeline is met efficiently and in compliance with the law. If there is a threat to life or a risk of harm, call 000 immediately; urgent reports can be made by phone to 1300Cyber1 (1300 292371).

Voluntary Reporting for Significant Cyber Incidents

The Bill also includes provisions for voluntary reporting of significant incidents that may not meet the threshold for mandatory reporting but could still have an impact on privacy or business operations. Industry Resourcing Experts are encouraged to report incidents that could expose candidates’ data, even if no direct breach of security controls is involved. This can be done via the same methods mentioned above: the Notifiable Data Breach Form, 1300Cyber1 (1300 292371), or the Australian Signals Directorate (ASD) reporting portal.

Voluntary reporting allows companies to gain insights from ASD on potential threats and recommendations without fearing punitive action. This can help recruitment firms preemptively address vulnerabilities and reinforce their security measures.

For example, if a suspected phishing campaign targets a company’s email system, voluntary reporting could help prevent a more severe attack while also showing regulators a commitment to transparency and proactive risk management.

The designated contact may differ depending on the type of incident. For instance, scams should be reported to Scamwatch, while a suspected cyber vulnerability should be reported through the ASD reporting portal.

You can find designated Australian agencies for reporting matters listed here: Online Harms - reporting to Australian Government agencies.

Role of the Cyber Incident Review Board

The Cyber Incident Review Board, introduced under the new Bill, is responsible for assessing major cybersecurity incidents and providing recommendations to enhance protection standards.

The goal of the CIRB is to provide guidance and recommendations after reviewing incidents without penalties. The focus is on strengthening security. In mining recruitment, the Board's recommendations may involve revising data storage policies, updating software systems to close security gaps, or enhancing user training programs to increase awareness of cyber threats.

Recruitment firms that take these recommendations seriously can significantly reduce the risk of future incidents and better protect the sensitive data they manage.

It is worth considering assigning an in-house compliance officer to coordinate with the CIRB, manage responses, and facilitate ongoing compliance, which could involve:

  • Email communications and post-incident reports,
  • Audits to evaluate data security measures,
  • Possible in-person assessments in cases of severe incidents to bolster resilience.

Data Protection Responsibilities for Mining Recruitment Companies

A key aspect of the Bill is its assurance that reported information won’t be used to penalise companies. This encourages recruitment firms to share breach data without fear of punishment, allowing them to focus on strengthening cybersecurity.

This protection is especially beneficial for recruitment specialists in industries like mining, where managing large volumes of sensitive workforce data requires a proactive approach to data security.

Our experts recommend the following steps for mining recruitment companies preparing for the Bill:

  • Implement access controls so only specific roles can view or edit sensitive information.
  • Enable Multi-Factor Authentication (MFA) and set up alerts for unauthorised access.
  • Regularly review data access logs and consider automatic data encryption for an extra layer of protection.

Microsoft services and software can make these strategies manageable and are the industry standard for data protection and cybersecurity. Microsoft Purview streamlines compliance with automated assessments and audits, while Microsoft Intune centralises device management, patching high-risk vulnerabilities quickly. Microsoft Defender enhances security with proactive threat detection, enabling timely responses to potential risks.

Though not exhaustive, these are essential actions to implement immediately going forward:

  • Establish a breach reporting system that meets the 72-hour timeline.
  • Enforce strict access controls and regularly review device security standards.
  • Train employees on cybersecurity best practices to minimise human error.
  • Conduct regular audits and compliance checks to prepare for potential CIRB reviews.

How Superior IT Can Help Recruitment Companies Achieve Compliance

With the Cybersecurity Bill 2024 introducing new requirements and compliance challenges, recruitment & talent-sourcing companies in the mining sector can benefit from professional support to navigate the complexities of the legislation.

Contact Superior IT today to discuss compliance solutions and discover how we can support your cybersecurity efforts. Whether you need a vulnerability assessment, incident response planning, or ongoing IT services, we are here to help you stay secure and compliant in the face of evolving cyber threats.

For more information on the new Cybersecurity Bill 2024, you can refer to the Australian Cyber Security Centre’s official guidelines, which provide comprehensive details on the compliance requirements and reporting obligations.
