What Cyber Security Risk Management Should Look Like for Today's Financial Institutions

Combating cybercrime may now be the single most crucial risk-management activity for every Australian company. 

The financial losses to Australian businesses from cybercrime totalled more than $33 billion over the 2020–21 financial year, according to the Australian Cyber Security Centre (ACSC).¹

Cybercrime reporting was up by nearly 13% from the previous financial year, equalling one report of a cyber attack every 8 minutes.

The increase in sophistication and frequency of cybercrime requires a comprehensive approach to cybersecurity that follows global and local best practices for protecting your organisation from security threats. In October 2021, Equifax convened a round table with leading Chief Information Security Officers (CISOs) and security experts to discuss the way forward for mitigating cybercrime in Australia. 

The panellists were unanimous in recommending that organisations look closely at the human element of the threat and the corporate response. With the online economy and digital transformation at the very heart of post-pandemic business recovery, the need for an enterprise-wide security culture is as essential as investing in cyber technology.

The Equifax Red Paper "Exploiting humans: the new insider threat in cybersecurity" focuses on the importance of putting people at the centre of the solution. It includes a checklist of practical steps organisations can take to protect their operations and people from falling victim to cybercrime and large-scale ransom payouts. Here we share some excerpts:

"Understand the risk of human exploitability"

John Yates, Director of Security, Scentre Group, believes that understanding the risk of human exploitability is key to preventing cybercrime.
 
"The way we are structured in terms of looking across the business at all security issues and the insider threat program, which sounds a bit glamorous, we do join up the dots in terms of the human element," he says. "So, we look at all aspects of it."

Organisations need a clear view of their enemy, possible targets and motivations. Conduct a threat assessment to understand the threat, including whether internal staff are vulnerable to manipulation by threat actors or there are gaps in critical systems that cybercriminals can exploit. Get organisational buy-in to address what gaps you need to plug and prioritise. 

"Trend towards ransomware percentage points being offered"

Wayne Williamson, CISO, Equifax Australia and New Zealand, highlights the trend towards ransomware percentage points – or a cut of the money stolen from an organisation - being offered to internal individuals in return for giving up critical business information.

"We need to understand and act quickly against the potential exploitation of our teams from threat actors by arming them with the knowledge, tools and support they need to protect themselves and their organisation," he says.

"You need to be prepared to throw that plan out" 

According to Catherine Buhler, CISO, Energy Australia, organisations should have a plan but be prepared to change it.  

"There are a lot of expectations on you [cybersecurity executives]," she says. "You can come in and have some pretty awful metrics because no one's been in the chair before. So, you can walk in with a plan, but you need to be prepared to throw that plan out. You've got to talk to as many significant people as possible and understand what the actual environment is like."

A good CISO will assess the business and the risks and plan for them, but their approach will be nimble. They'll be prepared to pivot around that plan - fast.

"Sell the message"

Catherine Buhler highlights the importance of targeting – and refreshing – the messages. The latest cybersecurity directive can quickly become background noise for many workers, bombarded with information and processes from multiple departments.

Cybersecurity teams need to work hard to keep the message fresh, and top of mind for staff whose attitude towards training ranges from indifferent to fearful to receptive. Constantly reinvent, tailor and test those messages, or they'll become ineffective. Get expert help to boost engagement.

"Everything you do, you've got to make a case for it"

Cybersecurity needs to sit within an overarching business mindset with solid buy-in from the top, says John Yates. "We drive a very lean business model, so everything you do, you've got to make a case for it. We have a very sensible board. They see that an existential threat is emerging, and they know responsible boards should be delivering a proportionate response to that threat."

To drive cybercrime resilience, be realistic about what you're asking for and have the ear of senior leaders. Explain where the investment is needed and why it needs to be injected, not left to retrofit. You need to explain the risk and the potential scale of that risk to mobilise resources. Make it your mission to get on the radar of the CEO and ensure there are regular action-oriented conversations about cybersecurity around the boardroom table. 

"Training must do more than tell staff what to do"

Jamil Farshchi, CISO, Equifax Group Global, emphasises that real success comes from a holistic approach to risk, of which training is an essential element. 

"It's not just the cybersecurity scorecard. It's not just the bonus. It's not just the reporting lines. It's not just the board exposure. But when you bring them together, and you work at it together, it really does make a big difference," he says.

Cybersecurity training needs to do more than pass on information about risks – it needs to cement the right behaviours through KPIs and regular assessments. For Equifax, training their global workforce and introducing a monthly benchmarking scorecard for measuring security behaviours has driven increased employee cybersecurity accountability across their enterprise. 

Following a 2017 attack by hackers on their US network, Equifax invested AU$2 billion in rebuilding their security and technology systems from the ground up and empowering their global workforce to feel accountable for cybersecurity. Their security capabilities now exceed every major industry benchmark in multiple independent ratings. Their leadership role on security now sees them share learned lessons with other organisations on improving cyber best practices and using data, analytics and technology capabilities to prevent cyber attacks.

For more information, download the Equifax Red Paper & Cybersecurity Checklist by clicking here.

Equifax has a full suite of solutions that can help improve or maintain your organisation's cybersecurity best practices. Book a demo with one of our experts today to learn more about our comprehensive cybersecurity products, including FraudCheck, IDMatrix, PEP & Sanctions, Device intelligence and email risk, biometrics, face-to-face verification (ZipID), and remote facial verifications (InstaID).

¹ ACSC Annual Cyber Threat Report, 1 July 2020 to 30 June 2021