Brady says Telstra has invested heavily in its security capability and will continue to do so. More importantly, it has developed strong working relationships with government agencies to share intelligence and risks as part of its telco network protection.
Berroeta says cybersecurity must be the top priority for all businesses in 2023.
Westpac CEO Peter King says his bank is “constantly investing in cybersecurity and upgrading our systems”.
ANZ boss Shayne Elliott says cybersecurity is an operating risk for many businesses, and acknowledges ANZ needs to remain vigilant to ensure “we have robust and market-leading measures in place to protect customer data and funds”.
The two CEOs under the harsh spotlight for cyber failures, Kelly Bayer Rosmarin at Optus and David Koczkar at Medibank, say all companies need to bolster their defences.
Bayer Rosmarin and Koczkar are awaiting the outcome of forensic investigations into what happened at their companies and why their cyber defences were inadequate.
“Cyber warfare is an arms race, and we all must keep lifting our game as the cybercriminal industry expands and emboldens,” Bayer Rosmarin says.
Koczkar says he will share with other businesses what Medibank has learnt from the ransomware attack, “so that Australian businesses and the broader community can be better placed to navigate any similar challenges in the future”.
The CEOs of the two largest supermarket chains – Brad Banducci at Woolworths and Steven Cain at Coles – provided valuable insight into the scale of investment required to protect the privacy of millions of customers.
“We have significantly stepped up investment in cyber resilience – doubling our cybersecurity budget over the past three years,” Banducci says.
“Woolworths Group has a dedicated team of around 120 cybersecurity team members, and we’ll invest around $60 million in cybersecurity programs in fiscal 2023.
“While we all wish it did not happen, the MyDeal data breach was a powerful learning experience for all of us, and has really helped us lift our game.”
Cain says Coles recognises the importance of cybersecurity in terms of keeping data private and ensuring the business can continue to operate.
“Our cyber investment has nearly doubled since fiscal 2020 and is focused on the Essential Eight Maturity [Model] covering cyber operations, infrastructure and other applications, as well as broader education of our team on good security practices,” he says.
The Essential Eight Maturity Model, an initiative of the Australian Cyber Security Centre, has been designed to protect Microsoft Windows-based, internet-connected networks.
It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cybersecurity incidents, and conducting penetration testing.
Many CEOs said they had employed external experts to check and test their cyber protection measures to ensure they meet global best practice.
AGL Energy’s interim CEO, Damien Nicks, says cyber threats are escalating, which is why AGL is increasing its investment in cyber risk reduction and associated regulatory compliance.
“Our cybersecurity maturity benchmarking indicates we are well-placed thanks to investment in leading cyber capabilities and platforms, but we are far from complacent and will continue to actively invest,” he says.
A focus on hygiene
CSL chief executive Paul Perreault, who is being replaced by Paul McKenzie in March, says his company has put a focus on proper cyber hygiene.
“While we have a specialised team of cyber experts, we have learnt through external, high-profile disruptions that keeping CSL safe, secure and compliant is the responsibility of everyone,” he says.
“Ensuring everyone is behaving with simple yet effective cyber hygiene will be a priority for 2023.”
Cochlear CEO Dig Howitt says his company has significantly stepped up its investment in cyber protection and data privacy over the past five years.
“We maintain a defence-in-depth approach to security, with multiple layers of controls and countermeasures in place to protect our information technology systems and data,” he says.
“We have strong resilience controls which are tested regularly, and we conduct incident response drills to ensure our teams remain vigilant and ready to respond.”
Third-party testing
Lynas CEO Amanda Lacaze is also a strong supporter of bringing in third parties to test the company’s systems. The rare earths miner has regular training and testing for staff.
“Like most businesses, we have invested more significantly in our cybersecurity systems and defences,” she says.
“However, this is a fast-moving environment and continual testing of our defences is a key feature of our ongoing approach.”
Bendigo and Adelaide Bank CEO Marnie Baker was one of the few leaders to draw attention to the need for education of consumers.
“As we look for new ways to detect and neutralise threats to the online security of our customers, it’s important they, too, are aware of the role they play in keeping their information secure,” she says.
Richard White, the CEO of WiseTech Global, says cyber protection is a business issue, not just an IT issue, which is why he is actively involved in the company’s cybersecurity strategy.
“WiseTech has always placed data and cybersecurity at the forefront of our business management and technology development process,” he says.
“We have a structured, proactive approach to managing information security risks, using a strong internal set of controls related to data protection.
“This means a constant watch on the world of cyber and a proactive and focused effort on many levels of defence, and ensuring that all information security risks are identified and managed.
“We’ve focused on embedding cybersecurity into all critical processes from the beginning, and developing the tools to respond effectively.”
Understanding threat actors
Understanding who is likely to be attacking your company is part of the strategic response at investment banking and global funds manager Macquarie Group.
CEO Shemara Wikramanayake says: “Every industry has an ongoing focus on cybersecurity, understanding the threat actors, their motivations and methods they use to ensure we are adequately prepared and protected, and we continue to invest in security and tools as well as in education for our customers.”
Jonathan Davey, the new CEO of Tyro Payments, says the problem with protecting against cyberattacks is that the attacks are increasingly sophisticated.
“While ongoing reviews provide a level of confidence we have the right controls, recent attacks highlight that no one is safe and constant vigilance is required,” he says.
Woodside CEO Meg O’Neill highlighted one of the emerging issues that will affect an increasing number of companies – protecting assets connected by mobile networks.
“Our focus is on ensuring we are resilient to a broad range of cyber threats,” she says.
“Although we do not hold significant amounts of consumer data, we do operate increasingly digitally connected assets.
“We have built a strong internal cyber capability that aims to protect our people, assets and information, and we collaborate closely with peers, government and our partners to ensure that we build and maintain the right culture, processes and tools.”