November 24, 2021

Changing mindset for digital risks – NAB cyber security roundtable

The breathtaking pace of cyber attacks in a constantly evolving threat landscape needs an even faster shift in thinking for today’s business leaders.

A cyber attack is reported once every eight minutes in Australia according to latest government figures, with security analysts saying this is just the tip of the iceberg.

What’s needed to stem this tide is a change in mindset to empower business leaders against sophisticated criminals and state-based actors taking advantage of our increasingly connected digital future.

This is the message from NAB Group Executive Technology and Enterprise Operations Patrick Wright and fellow panellists at a recent cyber security roundtable discussion aimed at helping business navigate this complex and ever-evolving threat landscape.

“The most important thing is to change mindset,” Wright told the virtual event presented by NAB Corporate & Institutional Banking. “The velocity and the sophistication that these actors are using is really quite breathtaking.

“It’s really difficult for a lot of business leaders to get their mind wrapped around the complexity of fighting this, the speed with which the actors are moving and how difficult it is to keep them at bay.”

Threat escalation

The latest figures from the Australian Cyber Security Centre (ACSC) paint a stark picture of the rising threat: self-reported losses from cyber crime totalled more than $33 billion across the 2020-21 financial year, including a 15% increase in ransomware attacks on the previous period.

This has coincided with an increase in the average severity and impact of reported incidents, with nearly half classified as “substantial”. Alarmingly, about a quarter of the total reported were associated with critical infrastructure and essential services – from healthcare to energy and food security.

Wright says it’s important for boards and management to press their tech leads on the security standards and improvements their business is applying rather than accept any initial rosy assessment. Put simply, this is going to be wrong in today’s environment.

When a breach does occur – as data suggests it inevitably will – he urges CEOs to come forward to share what they have learned to help strengthen Australia’s overall cyber security environment rather than feel like they have failed.

“This is a team sport, it’s not an individual one,” Wright says. “We don’t view it as a competitive ecosystem.”

Protecting data vulnerability

Fellow panellist and ACSC head Abigail Bradshaw said the recent upsurge in attacks has come from both criminals and state-based actors exploiting vulnerabilities across virtually all public and private sectors and levels of business.

“In plain terms, if you are connected to the internet you are vulnerable,” Bradshaw says. “The strategic environment, as well as the cyber threat environment, has on any view deteriorated. It is more contested and complex and you are more vulnerable as businesses.”

ACSC is part of the Australian Signals Directorate foreign intelligence network, with access to a deep array of security information shared among our Five Eyes alliance partners in the US, UK, New Zealand and Canada.

As well as the eight minute recorded frequency of attacks, ACSC’s latest threat report shows how business and personal data is increasingly the target of attacks like ransomware across all sectors. Extortionists have moved from simply freezing a network to stealing sensitive information for sale or outright destruction.

Bradshaw says: “A real focus now in our advice to companies is about knowing where your data is, ensuring you’ve got the best controls around your highest value data, knowing you have a plan for having backups and that access to those backups is made separate from your normal day-to-day operations.

“Business continuity plans and cyber security plans cannot stand separate. They must coexist and you must be asking questions, even if you are not a technical person, about what is the standard that your IT team is holding itself to in terms of cyber hygiene.”

Eyes on target

ACSC advocates an “Essential Eight” controls for mitigating cyber risk as a starting point to respond to today’s fast-moving and deteriorating cyber security environment.

With cyber security increasingly a boardroom conversation, specialists like panellist and CEO Ashish Gupta’s firm Bugcrowd offer a wide range of tests for business systems.

Gupta says the method is to bring together a “crowd” of more than 200,000 highly-vetted cyber security researchers from around the globe to help customers find and fix vulnerabilities in their operations and digital connections.

“More eyes on target gets you better results,” he says. “Security has to become part of the business process. Increasing the cost of attack [for criminals] while reducing the benefit from that attack is something we do very, very well.”

For NAB’s Wright, it is this sort of response that will help to make Australia “too hard” a target for cyber criminals and other actors.

“We think this is a ‘Team Australia’ thing and we really do want to make this country the place where the bad guys don’t want to come,” he concludes.




  • Bugcrowd are offering NAB customers a special promotional offer until 31st December 2021 – receive 15% off all Bugcrowd offerings: Learn more.


Speak to a specialist