Cyber and information security

Today’s customers and workforce expect security by design

Increased levels of malicious cyber activity are confronting organisations, businesses and executives like never before. Recent data breaches around the globe have heightened the pressure to pay closer attention to building cyber resilient organisations. According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report, between July 2021 and June 2022, ACSC received nearly 13 per cent more cybercrime reports than in the previous financial year. This equates to one report every seven minutes^disclaimer.

Cybercrime is big business and is expected to cost USD$10.5t globally by 2025^disclaimer. In Australia alone, the ACSC saw a rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business. The evolution of Cybercrime-as-a-Service (CaaS) continues to drive the growth in cybercrime overall, lowering the barrier to entry for actors seeking to conduct cybercrime.^disclaimer

Businesses today are operating in a hybrid working environment and have rapidly moved to the cloud. Their data and analytics for improving customer experiences and working with a complex network of suppliers and service providers are almost completely digital. This has provided a lot of benefits, including increased flexibility, time and cost savings and better business outcomes. But leaders should contemplate how these factors, if not well managed, could change their security posture.

Industry research indicates that 56 per cent^disclaimer of Asia–Pacific* employees want flexible work and over 40 per cent^disclaimer of Australians continue to regularly work from home. It is important for businesses to support and enable their workforce with secure technology, experience, and education so that their people are equipped with the knowledge and skills to operate securely no matter where they are working. From a customer’s perspective, their expectations include security to be built into the products and services they consume by design, and it is essential to build trust. A recent study by PwC suggests that over 60 per cent of Australians would consider changing providers if they were impacted by a cyber attack that affected their essential service^disclaimer.

In 2023, most organisations are expected to face challenges as a result of mandated disclosure, testing of resilience, and pressure to get data security and privacy right^disclaimer.

By understanding the cyber threat landscape in which we operate – what opportunities a cyber criminal may be looking for, and how they go about exploiting an identified vulnerability – businesses can address potential risks and empower the organisation to succeed by securely taking advantage of the opportunity technology presents.

Increasing sophistication of cyber attacks and pressure from regulators

Cyber criminals understand the new complexities that businesses are facing and the opportunities that these present. Like any successful business, cyber criminals are quick to adapt and change their approach to capitalise on any vulnerabilities they identify. Globally, the majority of executives expect an increase in reporting of attacks on cloud services, ransomware, Business Email Compromise (BEC), malware via software updates, attacks on software supply chain and cryptomining over the next 12 months^disclaimer.

According to the ACSC^disclaimer ransomware remains a key threat of concern. A new business model for the selling and management of ransomware, known as ‘Ransomware as a Service’ (RaaS), has paved the way for low level criminals with little technical knowledge to deploy attacks by essentially ‘renting out’ the malicious software.

Attacks on the supply chain are especially concerning. One on hand, outsourcing to third and fourth parties has helped create efficiencies within business operations and is more accessible than ever, however this has also increased businesses’ risk exposure where security has not been built into the service proposition.

A lot of the recent breaches across the globe have occurred as a result of exploitation of critical vulnerabilities such as vulnerability in Confluence^disclaimer. The time between vulnerability disclosure and exploit is closing rapidly – what once took weeks can now take days or even hours. The ACSC observed an increasing trend of state actors and cybercriminals rapidly exploiting publicly reported critical security vulnerabilities.

Governments globally have recognised the increasing risks associated with a cyber attack and are rapidly introducing or amending existing regulations to ensure that essential services are better protected. Changes are being introduced to the Privacy Act via the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 in Australia following recent breaches^disclaimer. The definition of essential services is also being expanded to include more industries, increasing regulatory pressure for many organisations to implement security measures to comply with the legislation.

Fadl Rossier, Institutional Banking Director for Wholesale Digital at ANZ said:

“Increasingly we’re seeing regulatory changes introduced in an attempt to minimise the disruption on products and services deemed to be critical infrastructure. The definition of ‘critical infrastructure’ is also rapidly expanding, with the UK government recently releasing plans to include Managed Service Providers (MSPs) in the definition and therefore in scope for relevant regulations. Here in Australia, changes to the SOCI Act to expand to further industries^disclaimer have recently been applied and APRA’s CPS 230^disclaimer has increased what's required from an operational resilience perspective. It’s clear there is a lot of change happening to regulations globally in response to the heightened threat environment.

“Recent media coverage of events around the world serve as a reminder for commercial and institutional businesses to enhance their cyber security posture by remaining vigilant, staying on top of the latest threats and trends and practising good cyber security hygiene.”

Changing negative sentiment from ‘security is a blocker’ to ‘security by design’

Security can play a valuable role in the way an organisation identifies and responds to cyber risks in the environment. Far beyond being a reactive function whose sole purpose is to stop hackers when they attack, a security team can contribute to the improved performance of an organisation. Security by design enables organisations to take advantage of new opportunities in a secure way, building confidence and trust in services. It’s time to embrace cyber security and recognise that it is an enabler to drive future digital ambitions.

At ANZ, we practice defence in depth. Instead of relying solely on processes, people or our technology to protect us, we try to have many measures in place working together to provide the best possible protection, response and resilience to a cyber attack.

{CFINFOGRAPHIC: anz-simplifying-cyber.png}

Simple, actionable tips and information for business

The ASD’s Essential 8^disclaimer is a great place to start for any organisation looking for support to get their security basics right. Essential 8 is a prioritised list of mitigation strategies developed to assist organisations protect their systems against a range of cyber threats and while it is not always easy to implement, it can be customised based on an organisation’s risk profile as well as the threats they are most concerned about.

Organisations may also use internationally recognised standards such as NIST (National Institute of Standards and Technology) Cybersecurity Framework^disclaimer. It is not only critical to focus on identifying and protecting against cyber risks to key systems, people, assets, data, and capabilities, but also of equal importance to implement processes that support the timely identification of cyber security anomalies and events and establish capabilities to respond to and recover from cyber incidents.

A holistic approach to cyber security is incomplete without regularly exercising cyber incident response plans and playbooks to build resilience.

The list below outlines simple, actionable tips and information organisations can consider when it comes to cyber security.

1. Activate Multi-Factor Authentication (MFA)
   Multi-factor authentication should be implemented across all systems and applications where it is available.
2. Run Regular Back-Ups
   Regular back-ups are necessary to recover from a cyber-attack that destroys data or prevents technology from functioning. Ransomware is an example.
3. Patch and Update Systems and Software
   Keep operating systems and software up-to-date with the latest versions to mitigate security vulnerabilities. The ACSC encourages patching or mitigating critical vulnerabilities within 48 hours.
4. Restrict Privileged Access
   Privileged accounts should only be used for administrative purposes and should be restricted and reviewed regularly.

Useful resources for businesses

ANZ’s Simplifying Cyber Security Guide A guide published by ANZ that seeks to simplify cyber security for businesses by sharing strategic and actionable tips and information that can help defend against cyber threats.

ACSC/ANZ Cyber Security for Small Business Guide This guide has been developed by the ACSC to help small businesses protect themselves from the most common cyber security incidents.

ANZ Security Centre ANZ’s resource that provides guidance on how individuals and organisations can bank securely online.

Australian Cyber Security Centre (ACSC) The ACSC provides advice and information about how to protect both individuals and businesses online.

IDCare IDCARE is Australia and New Zealand’s national identity and cyber support service. They are a registered charity and help support Australian and New Zealand individuals and organisations reduce the harm they experience from the compromise or misuse of their information.

Scamwatch is run by the Australian Competition and Consumer Commission (ACCC). It provides information to consumers and small businesses about how to recognise, avoid and report scams.

Australian Institute of Company Directors (AIDC) Cyber Security Governance Principles These principles provide a framework for directors to oversee and engage with management of cyber security risks. They were developed in conjunction with the Cyber Security Cooperative Research Centre (CSCRC).

National Cyber Security Centre - New Zealand (NCSC) The NCSC provides assistance and information to public and private sector organisations regarding cyber threats, and how best to protect their information systems.

CERT NZ CERT NZ works to support businesses, organisations and individuals who are affected (or may be affected) by cyber security incidents. We provide trusted and authoritative information and advice, while also collating a profile of the threat landscape in New Zealand.

Hong Kong’s Office of the Government Chief Information Officer (OGCIO) The OGCIO is responsible for formulating information technology strategies, programmes and measures as well as providing resources to the wider community on cyber security.

Singapore’s Cyber Security Agency (CSA) CSA is the government agency tasked with protecting Singapore's cyberspace. It provides legislative support as well as advice for the broader community on how to protect their cyber security.