Why Australian financial services firms need to shore up their cyber defences

Australian financial services customers have become the latest victims of data breaches and senior management of financial institutions has been on high alert given the frequency and sophistication of recent attacks. Despite the efforts of chief information security officers (CISOs) to establish cyber capabilities to defend and protect their organisations, Australia’s big four banks and other financial institutions continue to face the consequences of vulnerabilities that result from legacy systems, outdated data classification models, perplexing privacy legislation, and organisational capabilities.

Cyber attacks against financial institutions have increased to 2.7 million in the first half of 2022 from approximately a million in the second half of 2021, according to a recent Money Management report. The increased sophistication of the attacks launched against financial institutions has created a situation that requires a multifaceted strategic response that isn’t driven by technology alone. Strategic planning that embeds security considerations into all business products and processes is crucial in preventing and overcoming the reputational impact of a breach while maintaining the pace of innovation.

In other words, to shore up their cyber defences, financial institutions need to align their transformation strategy with the kind of investment that improves the quality of how security is positioned, established, and managed within organisations. There are three main areas that should be informing security transformation strategy and investment considerations: the so-called shift-left approach to design for early testing and evaluation, security hygiene, and a multi-pronged workforce approach to upskill workers and uplift capability to shore up cyber defences.

Security transformation strategy helps financial organisations identify how to invest in what matters. Automation and efficient processes continue to provide the most cost-effective way to administer the high volume of security changes and to accommodate the ongoing requirement for improved design, security hygiene, and test control effectiveness. Implementing concepts such as secure by design or shift-left security establishes and embeds process automation from the onset across all aspects of the information security framework.

Using shift-left concepts and embedding information security processes at the onset is a far more powerful means of ensuring cyber security is not an afterthought, but an integrated feature that supports the entire organisation. The efficiency gained from such an approach allows cyber security professionals to dedicate their efforts to timely detection and response to threats to stay ahead of the game.

However, the pressure on financial institutions to stay ahead of the game should not be underestimated. It takes an almost “Swiss clock”-like coordination to perform cyber hygiene processes with regularity and work in harmony with the shift-left thinking at the organisational level to catch, prevent, and mitigate vulnerabilities.

Cyber hygiene performed on a regular basis to secure users, devices, networks, and data quickly reveals poorly applied practices, the impracticality of security plans, processes, and other response activities to tackle serious incidents in a real-world situation. Hence, financial organisations need to establish a continuous control maintenance regime and the means to assess the effectiveness of their cyber hygiene and determine if it’s assisting the organisational effort to stay ahead of the game by recognising and isolating the business from contagion risks and market volatility caused by data breaches.

Implementing these strategies takes time and people, but the projected shortage of cyber-skilled staff is estimated to reach 30,000 by 2026. That leaves financial institutions little option but to approach their cyber security capabilities at scale and consider a range of combined options. Those include buy, build, bot, balance, borrow or bind to meet demand in any transformation strategy. Financial institutions should also urgently consider the benefits of reskilling and upskilling employees whose roles are affected by automation to be retrained in cyber security roles, while reserving the hire of highly specialist roles from the market.

As the practice of cyber security evolves, we can expect future professionals to have multidisciplinary skill sets that sit outside technology, but are necessary to combat the legal, social and criminal aspects of security.

In summary, financial institutions are facing substantial pressure from cyber security criminal activities that are impacting their reputation among customers and industry. Well-defined design processes, a mature operational environment committed to cyber hygiene, and the retraining and upskilling of staff are essential to shoring up any existing cyber security weakness and ensuring future defences are well established.

Rohit Rao, EY Asia-Pacific financial services cyber security leader

The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.