Australian organisations reported losses of more than $33 billion from cybercrime over the 2020-21 financial year, according to the Australian Cyber Security Centre (ACSC).
Consumer crediting reporting agency Equifax recently released a report based on a panel of cybersecurity experts from the business community to discuss the growing threat of cybercrime in Australia.
Equifax is no stranger to cybercrime, in 2017, the company was the victim of a cyber attack where 143 million customers had personal information leaked. The company spent US$1.5 billion over the following two years building up its cybersecurity.
The panel was moderated by James Turner, Founder, CISO Lens and featured Wayne Williamson, Chief Information and Security Officer (CISO), Equifax Australia & New Zealand; Jamil Farshchi, CISO, Equifax Group/Global; John Yates, Director of Security, Scentre Group; and Catherine Buhler, CISO, Energy Australia.
As Australia continues to see increasingly sophisticated cybercrime threats, Equifax’s newly released whitepaper highlights that organisations must also evolve their security culture and adapt reporting structures and levels of preparedness to prevent cybercrime-related losses.
Equifax's Williamson says cybersecurity preparedness is ever-evolving, and the responsibility lies with the entire organisation, not just CISOs, to address cyber risks head-on.
“Common themes emerged from our conversations with security leaders at the top of their field: namely, involving a business’ security culture driven from the top and conducting threat assessments on people and technology remain core principles to managing these risks.”
The Equifax report identified several common elements that help drive a change in the cybersecurity culture, which were armoury, remuneration and embedded culture.
Armoury
To win against cybercrime, employees must be trained. The panellists say training must do more than just tell staff what to do, it should be training that effectively changes behaviour.
“At Equifax, every employee gets security training with a monthly benchmarking scorecard that measures their security behaviours and compares that to averages across their peers and the organisations they’re working with.
The combination of training, remuneration incentives and tech-enabled communication against KPIs means all staff members – across Equifax’s global operations – feel accountable for cybersecurity.
Organisations that seek to drive cultural change using the measures outlined above
will move the cybersecurity dial. But real success comes from a holistic approach to
the risk.
Jamil Farshchi says, “It’s not just the cybersecurity scorecard. It’s not just the bonus. It’s not just the reporting lines. It’s not just the board exposure. But when you bring them together, and you work at it together, it really does make a big difference.”
Remuneration
One other key tool in driving a cultural shift is reporting lines. At retail property giant Scentre Group, for instance, John Yates reports directly to the CEO. A 2021 CISO Lens report suggests that the number of CISOs reporting directly to the CEO was around 3 per cent in 2020 – but increased rapidly to 8 per cent this year.
Reporting lines alone however don’t guarantee cultural change, according to the whitepapet. John Yates says it highlights the seriousness with which security is treated at an organisation.
Yates says, “At Scentre Group, we’ve come on a very fast journey in terms of cyber over the last five years. We now have a pretty mature outlook really led by the CEO.
“We drive a very lean business model. Everything you do, you’ve got to make a case for it. We have a very sensible board. They see that an existential threat is emerging, and they know responsible boards should be delivering a proportionate response to that threat.”
Embedded Culture
While cybersecurity may only be the role for a handful of employees, it is up to the whole organisation to instil it.
In Australia, there has been a dramatic increase in the number of CISOs brought on board by businesses, according to the panel.
Williamson says, “Companies need to ensure that the CISO doesn’t fight the battle alone. If you’ve set up your program in such a way that the CISOs are the arbiters of all things good, then you haven’t done it right.
“You want a cybersecurity mindset built into the DNA of the company at large, and one that can be carried by the masses versus just one individual,” he ends.
