
Opinion

Patrick Wright

NAB tech chief’s cyber warfare plan

More mandates are needed on the private sector to be cyber secure, and debates about banning ransom payments to hackers risk harming national efforts.

Patrick Wright, Contributor

If recent high-profile cyber breaches have taught us anything, it’s that cyberattacks are increasingly devastating to our community. The importance of a national cyber security response cannot be overstated.

Cyber criminals are organised, transnational gangs, often basing their operations in countries beyond the legal reach of their victims and law enforcement agencies.


They target households, governments and businesses, and sometimes are more appalling than we can imagine, such as the recent attack on the Crown Princess Mary Cancer Centre in Sydney.

These are just the tip of the iceberg in terms of what cyber criminals are capable of, and serve as a reminder that cybersecurity can’t be achieved as a solitary endeavour.

It requires co-ordination, communication and a shared commitment to protecting our digital infrastructure and our fellow citizens.


The federal government is rightly preparing for more of these injurious breaches. Its announcement in April to conduct a series of cross-sector cyber war games is a welcome step.

It’s another important example of how we are working at National Australia Bank with government – alongside our own investment and preparedness – to tackle the challenge.

But our smallest businesses continue to be relentlessly targeted by criminals. Last year, they were the number one victims of cyber crime, with a reported loss of $33 billion.

This adds to the pressure small business owners are already under as they face continued cost pressures, labour and skills shortages and rising inflation.

As Australia’s largest business bank, we take cybersecurity seriously. Our defences are up 24/7 through our global security capabilities, where we’re blocking more than 50 million attacks on our digital channels every month.

We’ve invested years to deepen our relationship with the Australian Cyber Security Centre, law enforcement and other government agencies to share threat intelligence and resources because we all have a collective responsibility to protect our community.


Protecting our most vulnerable

Cybersecurity in Australia has a strong foundation, but a robust economy with a thriving digital ecosystem at its core requires ongoing regulatory reform to build on our cybersecurity regimes.

Initiatives like Clean Pipes can be hugely beneficial. It requires industry and government to share threat intelligence and work alongside telcos to block malicious activity at the national level, and before it reaches the customer.

Some telcos are paving the way with their own Clean Pipes program, but it’s not yet mandated, creating inconsistent protections for Australians. More work needs to be done to encourage, and where necessary mandate, the private sector to embed cyber resilience at a national level so Australian businesses and individuals are protected at the earliest stage possible.

Encourage free-flowing information sharing

Regulatory reforms aren’t effective on their own. We also need to support education, awareness, and skills development for those who need it most.


But a lack of education, combined with a fear of being blamed, shamed or held responsible if attacked, has meant many victims resist sharing intel.

We need free-flowing information sharing between industry, government and the community. Without it, we simply will not be effective.

The recent debate on whether fines should be imposed on organisations which have paid a ransom is in no way restorative.

It imposes a further impact on victims and could cause companies to hold back from information sharing, which is critical to an effective cyber response.

Paying a ransom and negotiating with cyber criminals is never advised, but many businesses feel trapped into thinking it is their only option.

Alarmingly, about 80 per cent of businesses that faced a ransomware attack last year chose to pay it. Introducing rigid regulation to prohibit payment of ransoms could backfire, causing businesses to pay the ransom and neglect to report it.


What we need is a safe harbour, where information can be safely provided to agencies such as the ACSC during a cyber incident to encourage full, frank and prompt disclosure by businesses that are being attacked, without fear.

The more intelligence that government, industry and the community can share about what threat actors look like, the better our collective response can be.

If we are going to make Australia the most cyber secure country in the world by 2030, it’s going to take a “Team Australia” approach to get us there.

Cyber criminals are tenacious. They are good at what they do, and so we must be better.

Patrick Wright is group executive, technology and enterprise operations at National Australia Bank.
