The 2024 Australian Financial Review Cyber Summit gathered the nation’s foremost experts, policymakers, and industry leaders to share the insights and strategies businesses need to safeguard their operations and deal with incidents efficiently and effectively.
Given the evolving threat landscape, conversations centred around how organisations can deal with the increasing prevalence of threats, align with federal recommendations and laws, educate boards and leadership, and handle the disruption of technologies such as artificial intelligence.
Session 1: Keynote by Tony Burke, Minister for Home Affairs
Speaker
- Tony Burke, Minister for Home Affairs
Key Takeaways
- Critical Infrastructure Protection: Strengthening cybersecurity for essential services such as energy, finance, and telecommunications must be a top priority.
- Regulation and Compliance: Organisations need to align with national cybersecurity frameworks and international standards to mitigate the risks of cyberattacks.
- Investment in Cyber Workforce: A skilled cyber workforce is key to building resilient systems and adapting to the evolving threat landscape.
- Holistic Cyber Strategy: A comprehensive strategy should include technical safeguards, regulatory compliance, incident response plans, and education.
Detailed Takeaways
- Cybersecurity as a National Priority
Tony Burke underscored that cybersecurity has escalated from being a technical issue to a national priority with broad economic and security consequences. The increasing cost of cyberattacks on Australian businesses and government institutions requires urgent action. Burke urged that cyber resilience be instilled at all organisational levels, from the boardroom to operational teams. He called for immediate and unified national efforts to counter increasingly sophisticated cyber threats.
- Critical Infrastructure Protection
Burke drew attention to the vulnerability of critical infrastructure sectors such as energy, banking, and telecommunications, which are vital for national security and public safety. Recent cyberattacks on these sectors have exposed weaknesses, leading to service disruptions and financial losses. Securing these industries is essential to ensuring they can withstand cyberattacks without affecting society.
Example: The Australian energy sector, represented by speakers from AGL and AEMO at the summit, is a prime target for cybercriminals due to its critical importance. Burke advocated for stronger collaboration between industries and government agencies to protect these essential assets.
- Regulation and Compliance
Burke emphasised the growing influence of regulatory frameworks and international standards on how organisations manage their cybersecurity. He highlighted that compliance with these regulations is key to maintaining protection and responding swiftly to threats. He recommended that organisations adopt comprehensive frameworks such as the Australian Cyber Security Strategy and the Essential Eight to build a more secure environment.
- Investment in Cyber Workforce
Burke called for increased investment in cybersecurity talent, recognising the significant skill shortage in this area, which is hampering organisations’ ability to defend against complex attacks. He encouraged collaboration between the private sector, educational institutions, and the government to create cybersecurity training programs that will cultivate the next generation of cyber professionals.
- Holistic Cyber Strategy
Burke stressed the importance of a holistic cybersecurity approach that integrates technological solutions with policy reform and workforce development. He pointed out that cybersecurity strategies must extend beyond basic defences like firewalls and encryption. Instead, they should include comprehensive incident response plans, governance structures, and education programs to foster a culture of cyber resilience.
Example: Burke cited the financial sector, where companies like Westpac are leading by adopting multi-layered security approaches. These include governance, real-time data analytics, and public-private partnerships, ensuring they stay ahead of cybercriminals.
Session 2: The Big Picture
Speakers
- Daniella Traino, Group Chief Information Security Officer, Wesfarmers
- Tony Chapman, Deputy National Cyber Security Coordinator
- Adam McCarthy, Partner, Cyber and Strategic Risk, Deloitte Australia
- Sandro Bucchianeri, Chief Security Officer, NAB
- Paul Smith, Technology Editor, The Australian Financial Review
Key Takeaways
- Resilience and Basic Cyber Hygiene: The panel stressed the critical role of basic cyber hygiene as the foundation for mitigating security risks, regardless of technological advancements.
- Collaboration: There was a strong emphasis on the need for improved collaboration between government and the private sector to effectively tackle cybersecurity challenges.
- AI’s Dual Role: AI was acknowledged as both a valuable asset and a potential threat, highlighting the need for careful implementation and regulation.
- Safe Harbour Provisions: The panel supported government policies, such as safe harbour provisions, which protect victims of cyber incidents, advocating for a less punitive approach to handling cyber breaches.
Detailed Breakdown
- Resilience and Cyber Hygiene
Sandro Bucchianeri, Chief Security Officer at NAB, emphasised the importance of focusing on basic security practices, such as vulnerability management and remote access controls. Many recent cyber incidents resulted from known vulnerabilities that had not been properly addressed. Bucchianeri likened this approach to maintaining good health—just as regular exercise supports overall health, basic cyber hygiene significantly strengthens a system’s security posture.
- AI as a Double-Edged Sword
The dual nature of AI was a key discussion point. Bucchianeri highlighted that while AI can enhance cybersecurity through faster data analysis and threat detection, it can also be used for sophisticated cyberattacks. This complicates distinguishing between legitimate communications and phishing attempts, posing new challenges for cybersecurity teams.
- Interconnected Systems and Mapping Dependencies
The panel discussed the complexity of interconnected systems, emphasising the critical need to map dependencies across sectors, particularly in critical infrastructure. Understanding these dependencies is crucial for identifying potential failure points and minimising the impact of cyber incidents. This was deemed essential for building a resilient cyber environment.
- Government Policies and Collaboration
Tony Chapman from the National Cyber Security Coordinator’s office voiced support for the Australian Government’s ‘safe harbour’ provisions, which protect organisations from punitive actions following cyber breaches, as long as they meet certain standards. The panellists also advocated for stronger collaboration with entities such as the Australian Cyber Security Centre, particularly for organisations with limited resources, to improve threat intelligence sharing.
- Future of Cybersecurity and Emerging Technologies
Adam McCarthy from Deloitte emphasised the need for proactive strategies to manage emerging risks from technologies like AI and quantum computing. He highlighted the importance of building trust, maintaining compliance, and ensuring long-term security as digital threats evolve.
Session 3: Keynote by Abigail Bradshaw CSC
Speaker
- Abigail Bradshaw CSC, Director-General, Australian Signals Directorate (ASD)
Key Takeaways
- Growing Threat Landscape: Cyberattacks targeting Australia, including espionage and foreign interference, are increasing in both frequency and sophistication.
- REDSPICE Program: The ASD is investing billions through the REDSPICE program to enhance its cyber defence and intelligence capabilities by 2031.
- Collaboration Across Sectors: The ASD, particularly through the Australian Cyber Security Centre (ACSC), plays a critical role in improving national cyber resilience across government and private sectors.
- Offensive Cyber Operations: Bradshaw underscored the necessity of offensive cyber operations to protect Australia’s interests in an increasingly hostile digital environment.
Detailed Breakdown
- Escalation of Cyber Threats
Bradshaw noted a substantial rise in cyberattacks from state actors and financially motivated criminals, often targeting critical sectors like healthcare and telecommunications. The breaches of Medibank and Optus were cited as examples of incidents that have driven Australia to prioritise national cybersecurity. She also highlighted how these high-profile attacks have exposed vulnerabilities, increasing public awareness and governmental focus on improving cyber defences.
- REDSPICE Investment
The ASD is committing AUD 9.9 billion under the REDSPICE initiative to significantly bolster cyber and intelligence capabilities. By 2031, this investment aims to enhance threat detection, intelligence collection, and Australia’s capacity to conduct offensive cyber operations. REDSPICE will expand the ASD’s workforce, improve collaboration across sectors, and develop more advanced cybersecurity infrastructure to tackle increasingly complex threats.
- Collaboration and National Resilience
Bradshaw emphasised the role of the Australian Cyber Security Centre (ACSC) in coordinating with both public and private entities to build a stronger national defence. This collaboration includes providing cybersecurity support to critical sectors and sharing intelligence to prevent attacks.
Session 4: The data dilemma
Speakers
- Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner (OAIC)
- Cameron Whitfield, Partner, Head of APAC Cyber Security, Herbert Smith Freehills
- Daniella Kafouris, Lead Partner, Data Privacy & Transformation, Cyber, Deloitte Australia
- Louise Schuster, Head of IT Risk & Cybersecurity, LGT Crestone
- Tess Bennett, Technology Reporter, The Australian Financial Review
Key Takeaways
- Data Governance & Privacy: The panel discussed the importance of strong data governance to ensure compliance with privacy regulations, such as GDPR or Australia’s Privacy Act, and the need for businesses to prioritise consumer data protection.
- Regulation vs. Innovation: Balancing regulatory requirements with the need to innovate was a central theme, exploring how companies can leverage data while staying compliant with stringent data privacy laws.
- Data Breach Risks: As cyberattacks targeting valuable data increase, companies were encouraged to enhance cybersecurity measures to mitigate the risk of breaches.
- Technology’s Role: Emerging technologies, like AI and blockchain, can help manage data effectively and securely, mitigating the risks associated with data misuse and breaches.
Detailed Breakdown
- Incident Response and Preparation
The panel stressed the importance of a tried and tested incident response plan. Carly Kind emphasised the need for ensuring all communications are ready to deploy quickly in the event of an attack. Incident response should also focus on backing up data to mitigate the impact of attacks. The Medibank case was cited as a key example, where the severity of breaches prompted a re-evaluation of governance and security protocols.
- Data Extortion and Dark Web Risks
Cameron Whitfield highlighted how leaked data often ends up on dark web marketplaces. Once there, criminals can combine various pieces of personal information into detailed identity packs, making it easier to exploit victims.
- Ransomware and Ransom Payments
The panel revealed that companies are increasingly refusing to pay ransoms, with only about a third of attacked organisations making payments. Stronger security measures have made recovery easier without paying, although certain life-or-death situations may still warrant payment. Negotiations have become more complex, with fewer ransom payments but higher demands.
- Future Challenges for Businesses
Daniella Kafouris pointed out that businesses continue to face long-standing challenges, such as understanding where their data is stored and whether they need to retain all of it. She recommended conducting data audits and reducing data hoarding by setting up access controls and alerts for sensitive information.
- Governance and Accountability at the Board Level
The panel discussed how cybersecurity has become a board-level concern, using organisations like Medibank as cautionary examples. Penalties and fines for breaches have highlighted the need for strong governance and technical and organisational measures to protect data. The risk of fines and reputational damage is driving more serious conversations in boardrooms.
- Regulatory and Legislative Clarity
There was a call for clearer guidance on compliance with cybersecurity legislation, as businesses often find it overwhelming to interpret requirements. Clearer regulatory paths would help organisations navigate data protection obligations more easily.
- Digital Identity as a Solution
The concept of using digital identities to combat identity theft and other cyber risks was discussed as a potential long-term solution. Digital identities could help secure personal information and reduce the impact of data breaches.
Session 5: From “Department of No” to c-suite star, the evolving role of the CISO
Speakers
- Nicola Nicol, Chief Security Officer, Commonwealth Bank of Australia
- Andrew Haddad, Chief Information Officer, AGL
- Tim Daly, Chief Information Security Officer, Australian Energy Market Operator (AEMO)
- David Cullen, Director Cyber Advocacy and Uplift, CISO Lens
- Sally Patten, BOSS Editor, The Australian Financial Review
Key Takeaways
- CISOs as Strategic Enablers: CISOs have shifted from being gatekeepers of security to critical enablers of business strategy and digital transformation.
- Cybersecurity as a Business Function: Cybersecurity is now recognised as a key business risk, not just a technical issue, demanding that CISOs develop business acumen.
- Effective Communication and Collaboration: CISOs need to communicate cybersecurity risks clearly to non-technical executives and work across departments to align security with business objectives.
- Regulatory Compliance and Governance: With increasing regulatory pressure, CISOs must focus on compliance, governance, and incident response, particularly in critical industries like banking and energy.
- Building Organisational Resilience: The role now includes preparing organisations for potential breaches through proactive risk management and strengthening resilience.
Detailed Takeaways
- The Evolving Role of CISOs
Nicola Nicol from the Commonwealth Bank emphasised that the CISO’s role has transformed from being perceived as the “Department of No” to a pivotal player in driving digital innovation while managing heightened cybersecurity risks. Cybersecurity is no longer a standalone concern but integral to business strategy.
- CISOs as Business Leaders
Andrew Haddad of AGL highlighted the shift from a purely technical focus to a business-oriented approach. CISOs are increasingly involved in executive decision-making and must balance risk mitigation with business growth. Cybersecurity is now a critical business risk, requiring CISOs to possess both technical expertise and business acumen.
- Communication and Collaboration
Tim Daly from AEMO stressed the importance of CISOs effectively communicating cybersecurity risks to non-technical C-suite executives. CISOs must be able to translate technical risks into business-relevant terms, ensuring security measures support operational objectives rather than hinder them.
- Regulatory Compliance and Governance
David Cullen pointed out that the rising regulatory requirements demand that CISOs not only ensure compliance but also maintain robust governance frameworks. This includes regular risk assessments and incident response plans, especially in highly regulated sectors such as banking and energy.
- Building Organisational Resilience
All panellists agreed that cyber incidents are inevitable, and the key to minimising damage lies in preparation. Nicol emphasised continuous improvement in incident response capabilities and proactive risk management, especially for industries handling sensitive data or critical infrastructure.
Session 6: When the business world meets the criminal world
Speakers
- Abigail Bradshaw CSC, Director-General, Australian Signals Directorate
- Tom Casey, Senior Vice President, Products & Technology, Splunk
- Richard Johnson, Group Chief Information Security Officer, Westpac
- Luke Achterstraat, CEO, COSBOA
- Max Mason, Senior Reporter, The Australian Financial Review
Key Takeaways
- Evolving Cyber Threats: Cybercriminals are becoming more sophisticated, using well-researched and complex attacks to exploit business vulnerabilities.
- Importance of Data Analytics: Leveraging real-time data analytics tools, such as those from Splunk, enhances the ability to detect, respond to, and recover from cyberattacks.
- Collaboration is Key: Effective collaboration between government and private sectors strengthens defences and improves incident response capabilities.
- Board-Level Accountability: Boards are increasingly responsible for ensuring robust cybersecurity governance, with cyber risk becoming a top executive concern.
- Challenges for SMEs: Small and medium-sized enterprises (SMEs) face unique challenges in implementing advanced cybersecurity measures but remain attractive targets for cybercriminals.
Detailed Breakdown
- Sophistication of Cyber Threats
Abigail Bradshaw of the Australian Signals Directorate highlighted the increasing complexity of cyberattacks, where criminals conduct in-depth research on targets before exploiting specific vulnerabilities. These threats have evolved from basic ransomware attacks to more advanced data extortion schemes, in which attackers steal sensitive data and demand ransom to avoid public exposure on the dark web.
- Data Analytics in Cybersecurity
Tom Casey from Splunk emphasised the critical role of data-driven insights in cybersecurity. Organisations must invest in real-time analytics tools to detect unusual patterns and potential breaches early. Splunk’s platforms provide real-time data analytics, enabling companies to identify emerging threats and respond effectively before attackers can exploit system vulnerabilities.
- Collaboration Between Government and Business
Several speakers, including Abigail Bradshaw and Richard Johnson of Westpac, stressed the importance of collaboration between public and private sectors. Government agencies, such as the Australian Signals Directorate, play a crucial role in sharing threat intelligence and providing guidance, while businesses must also contribute by sharing information on cyber threats and best practices.
- Westpac’s Cybersecurity Approach
Richard Johnson explained that Westpac has developed robust cybersecurity frameworks through partnerships with government agencies and other financial institutions. These partnerships have helped the bank prevent and mitigate attacks within the financial sector, which is particularly vulnerable due to the sensitive nature of the data it handles.
- Board-Level Accountability
Cybersecurity has shifted from being an IT issue to a major board-level concern. The panel discussed how cyber risk is now one of the top priorities for corporate boards, especially in light of recent high-profile attacks such as those on Optus and Medibank. Directors are expected to ensure comprehensive cybersecurity governance, including regular risk assessments, audits, and clear incident communication plans.
- Challenges for SMEs
Luke Achterstraat, CEO of COSBOA, discussed the unique challenges SMEs face in implementing advanced cybersecurity defences. Despite limited resources, SMEs are attractive targets for cybercriminals because of their often weaker security protocols. Achterstraat urged SMEs to adopt basic security hygiene practices, such as software updates, phishing training, and multi-factor authentication. He also advocated for collaboration among SME networks to share resources and knowledge.
- Ransomware and Incident Response
Richard Johnson noted that while many companies are moving away from paying ransoms, ransomware remains a significant threat, particularly when sensitive customer data is at risk. The panel agreed that while paying ransoms is generally discouraged, certain situations, such as those involving critical life-or-death consequences, may warrant careful consideration.
Session 7: Cybersecurity in the AI era
Speakers
- Maria Milosavljevic, Group Chief Information Security Officer, ANZ Banking Group
- Daryl Pereira, APAC Head of Office of the CISO, Google Cloud Asia-Pacific
- Stela Solar, Director, National AI Centre, Department of Industry, Science and Resources, Co-chair, Commonwealth AI Consortium
- Trent Telford, CEO, Founder & Chairman, Cocoon Data
- Kylar Loussikian, Deputy Editor, Business, The Australian Financial Review
Key Takeaways
- AI’s Dual Role in Cybersecurity: While AI enhances detection and response capabilities, it also empowers cybercriminals. Organisations must invest in AI-driven defences to counter evolving threats.
- Data Security in an AI-Driven World: As reliance on AI increases, securing corporate data becomes critical. A zero-trust approach is essential to safeguard data at every level.
- The Need for Standards and Skills: Many organisations are unprepared for the risks AI introduces, highlighting the need for standardised safety measures and a blend of cybersecurity and AI expertise.
Detailed Breakdown
- AI in Cybersecurity
AI is revolutionising the field of cybersecurity, as noted by the panel. AI-powered systems enhance detection and response times, allowing organisations to identify and mitigate threats more quickly. However, the same AI technologies are being leveraged by cybercriminals to launch increasingly sophisticated attacks. Maria Milosavljevic from ANZ Banking Group highlighted that AI can be a double-edged sword—improving defence capabilities while also introducing new risks. She stressed that organisations must be proactive in deploying AI-driven protection systems, such as decoy “honey pots,” to mislead attackers.
- Impact on Banks
In the financial sector, AI has played a transformative role in boosting operational efficiency. Maria Milosavljevic shared that ANZ has automated approximately 35% of its detection and response efforts, freeing up security teams to focus on more critical tasks. However, banks are also prime targets for AI-driven attacks. With the rapid adoption of AI, it is crucial for the financial industry to stay ahead of cybercriminals by improving their understanding of how AI shapes both attack and defence strategies.
- Data Security and Zero Trust
Stela Solar, Director of the National AI Centre, emphasised the growing importance of data security in an AI-driven world. As companies increasingly rely on AI systems, protecting corporate knowledge—especially data that can be easily replicated—is critical. A shift toward a zero-trust model is essential, with security measures applied at every level of data handling. Zero-trust frameworks limit access to data based on verification, preventing unauthorised access to sensitive information.
- AI Risks and the Need for Standards
Daryl Pereira from Google Cloud APAC highlighted the lack of consistent practices for deploying AI safely. Despite the growing use of AI, many organisations are not adequately prepared for the risks it introduces. In fact, while 78% of organisations believe they are AI-compliant, only 29% are taking appropriate actions to mitigate risks. The panel discussed the need for an AI safety standard, which would provide clear guardrails for responsible AI usage and help mitigate potential dangers.
- Recruitment and Skills Development
The increasing reliance on AI has reshaped recruitment strategies, according to Trent Telford of Cocoon Data. Companies now seek candidates with a blend of cybersecurity and AI expertise to manage the growing complexity of cyber threats. There is also a rising demand for skills that allow professionals to effectively monitor and train AI systems to ensure they function securely from the outset.
- Quantum Computing and AI
The panel discussed the future implications of quantum computing on AI and cybersecurity. As quantum computing capabilities advance, they will challenge existing data protection measures. Organisations will need to revisit their data protection strategies, particularly when it comes to safeguarding legacy systems. The potential for quantum computing to break traditional encryption methods means that companies must start preparing now to secure their data in a post-quantum world.
Session 8: Power and responsibility – the role of board directors in cyber defence
Speakers
- Anna Leibel, Non-Executive Director, AMP Ltd, AMP Bank Ltd, and SERV
- John Mullen, Chairman, Brambles Ltd, Treasury Wine Estates & Qantas Airways
- Mark Rigotti, Managing Director & CEO, Australian Institute of Company Directors (AICD)
- James Paterson, Shadow Minister for Home Affairs, Shadow Minister for Cyber Security
- Paul Smith, Technology Editor, The Australian Financial Review
Key Takeaways
- Proactive Risk Understanding: Boards must broaden their view of cybersecurity beyond just enterprise risk, addressing complexities associated with third-party data sharing and enhancing overall preparedness.
- Collaboration is Key: Building trust among organisations and regulators is vital; effective information sharing can significantly strengthen collective cybersecurity defences.
- Tech-Savvy Governance: There is a growing recognition of the need for technology-focused board members, with many boards incorporating cybersecurity into their skills matrix, highlighting the importance of informed governance in navigating cyber threats.
Detailed Breakdown
- Board Education
The panel highlighted that cybersecurity is frequently viewed narrowly as an enterprise risk, leading to inadequate preparation. Anna Leibel emphasised the need for boards to take a proactive approach to understanding cyber risks, which now encompass a complex landscape involving third-party data sharing. Past cyber incidents illustrate the necessity for better preparedness and cooperation among stakeholders, particularly in overseeing a company’s entire supply chain, not just its internal cybersecurity.
- Collaboration and Information Sharing
A recurring theme throughout the session was the significance of building trust among organisations and regulators. The speakers advocated for robust information sharing as a means to enhance collective cybersecurity resilience. James Paterson pointed out that government-imposed fines for organisations hit by cyberattacks can undermine trust between parties, detracting from a “we are in this together” mentality.
- Evolving Board Competencies
There is an increasing recognition within boards of the necessity for tech-savvy members. Mark Rigotti reported that 23% of ASX200 boards now include cybersecurity as a component of their skills matrix, signifying a shift towards understanding the complexities of cybersecurity as essential for effective governance. The need for boards to comprehend cyber threats and their implications is now paramount.
- Lessons from Past Incidents
The discussion also covered the importance of having incident response plans in place. Organisations that have prepared and practised these plans tend to navigate crises more successfully. The panel noted the growing awareness of risks related to ransomware and the importance of adopting proactive measures to mitigate potential damages.
- Paying the Ransom Isn’t a Simple Yes/No
The panel explored the complex dilemma surrounding ransomware attacks, particularly the question of whether to pay the ransom. It was argued that, especially for small businesses, the decision to pay can be very tempting, as the potential loss of company data or the costs associated with recovery can pose significant threats to the business’s viability. This highlighted the broader discussion around the ethical and strategic considerations involved in such decisions.