The price of security is vigilance

Good businesses know where their risks lie.

At ANZ, when we speak to our customers and other business leaders it’s clear cybersecurity – and the impact of scams and fraud, in particular – is right near the top of every organisation’s list of risks.

The digitisation of Australia’s economy, which rapidly gained pace during the COVID-19 era, has brought innumerable benefits but also increased risk. In recent years few organisations have been unaffected by the threat of cybercrime to their ongoing operations.

The costs for business can be significant. In 2022, PwC said the total annual cost for Australian businesses from cyberattacks could be around $A10 billion annually. One very high-profile recent cybercrime victim put the cost of its data breach at between $A40 million and $A45 million. In July, IBM reported the average cost of a breach in Australian had risen to more than $A4 million.

The reputational cost may be even greater. According to a 2021 PwC survey, 64 per cent of respondents in Australia would consider changing providers in the event they were caught up in a cyberattack on an essential service. Among the millennial and Gen Z generations, that rises to 77 per cent.

But advanced forms of attacks are not the only types that can come with a significant bill. According to a November report from the Australian Cyber Security Centre, the total cost of each cybercrime reported in the country in 2022 rose by an average of 14 per cent – to figures of $A39,000 for small business, $A88,000 for medium business, and more than $A62,000 for large business.

Scams and fraud alone cost Australian citizens $A3.1 billion in 2022, according to the Australian Competition and Consumer Commission – an annual record, and 80 per cent higher than 2021.

In October I wrote about the impact of scams on consumers and the broader economy. The message I shared there was banking, shopping and interacting online free from scams was possible if the right precautions were taken.

The challenge for businesses, particularly at the institutional level, is different - but just as significant. And the lessons on precaution are very similar.

Quickly

The pace of the modern digital landscape means in many cases businesses can have just hours, or even sometimes minutes, to address incidents which can have devastating impacts on their organisations.

For large companies, business email compromise, a specific type of ‘phishing’, is a clear and present risk. According to the ACAC, self-reported losses thanks to BEC increased to more than $A98 million in 2022. Common BEC scams see bad actors pose as trusted figures – like executives, suppliers or staff members – in a bid to fool recipients.

Rising cyber events, fraud and scams are an insidious problem, and ANZ is working closely with other banks, industries and the government as we tackle the issue. If scammers are to be defeated, the issue must be tackled by the community. Everyone from banks, regulators, law enforcement, social media and the telcos have a role to play.

Australia’s policymakers have taken positive steps. The 2023 Federal Budget included planned spending of $A86.5 million to combat scammers and fraud.

For its part, ANZ has been active, including recently notifying around six million ANZ and ANZ Plus customers about the increase in sophisticated scams and fraud. In the last 12 months, ANZ has prevented more than $A100m from being transferred into the hands of cybercriminals.

To counter the harmful impacts of scams, fraud and data loss, the whole ecosystem needs to be innovative and collaborative in the way we work together.

Layers

There’s no single solution or precaution businesses can take to ensure they are safe from cybercrime. Leading businesses take a more holistic view, applying cybersecurity best practice across all elements of their organisations – technology, processes and people.

ANZ’s guidance includes four key preventive measures. The first is to ensure multi-factor authentication is implemented across all systems where available, helping limit unauthorised access and providing certainty around user identity in the battle against fraud.

Indeed, it’s recommended accounts with privileged system access only be used for administrative purposes and be subject to regular reviews.

The next recommendation is to perform regular system backups. This can form a vital part of recovery plans in the event of an incident, particularly one that destroys data or impacts technological performance.

And finally, ensuring systems and software are patched and up to date is critical.

At ANZ, keeping data and payments systems secure is our number-one priority. ANZ runs a security operations centre that operates 24 hours a day, 365 days a year, and is continually evolving its technology and processes to combat the rapidly changing nature of cyberthreats.

To protect our banking infrastructure and reduce the risk of digital security threats we have implemented several innovative controls, including artificial intelligence capabilities, across our security systems. Machine learning and AI help the banks security operations centre ingest over 12 billion data points a day, allowing us to quickly respond to potential events. ANZ has also deployed machine learning to help detect ANZ accounts being used to receive funds from scam victims.

The bank has worked with biometric capabilities to identify anomalies on its digital-banking platforms. We employ sophisticated algorithms to help detect and prevent customer scam losses across multiple payment channels. ANZ has also put in place measures to stop scammers from adopting the ANZ label in text messages.

While ANZ is investing heavily in cybersecurity, all businesses have an equally important role to play in protecting the industry from cybercrime.

At ANZ, we encourage all our customers work with us to increase the security practices in place to protect their banking. The scope of scams and fraud can vary wildly, but the key message on precaution remains the same.

Shayne Elliott is CEO at ANZ