A whole of community approach: Safeguarding your business from cybercrime

Cyber security

2024-12-10 00:00

Despite the growing prevalence and sophistication of cybercrime, one of the best defences for businesses and individuals is getting the basics right, and utilising a ‘whole-of-community’ approach – it takes a village to achieve security.

Cybercrime has been an issue since the launch of the internet and has continued to grow. Each year, the number and types of attacks continue to rise. Geopolitical tensions have also played a part, giving bad actors a dual motivation – sabotage as well as profit. Most recently, the advent of generative AI, with its ability to easily produce deep fakes of people and impersonate organisations, has introduced a potent new threat.

The proof is in the numbers. Recent cybercrime statistics show that an attack is carried out every 10 minutes in Australia. Globally, 80% of organisations were targeted in 2023 by online fraudsters, up from 65% in 2022. The impact of these attacks is growing: the global average cost of a data breach in 2024 is US$4.9 million, up 10% on last year and the highest total ever. 

The calls to tackle this problem have never been more urgent. As Leigh Mahoney, Head of Wholesale Digital, ANZ Institutional, says: “The current situation makes the customers increasingly vulnerable to financial theft through digital means. This situation underscores the urgent need for both our customers and us to take decisive actions.”

There is much that companies and individuals, and banks like ANZ, can do to protect themselves and their customers’ data and money. ANZ’s IT security experts highlight the importance of collaborating closely and regularly with industry, government and the community. This ‘whole-of-community’ approach allows everyone to benefit from the experiences and expertise of others, and helps to raise defence capabilities towards the level of ‘best practice’. The foundation of a solid defence is getting the basics right.

What are the threats?

While there have been changes in the methods used by bad actors to gain access to victims’ systems, data and assets, these still fall into two main categories:

Hacking: Using technology tools and a deep understanding of how online sites are constructed and defended to exploit vulnerabilities, gain access, and copy, damage or steal the contents. The most common forms of attack are denial-of-service assaults that overwhelm the target site with network traffic and cause it to collapse; the theft of data; and the insertion of malware that changes how the target site functions and may give the hackers control of it.

Social engineering: Communicating with victims in a variety of ways and persuading them to drop their defences by convincing them that a request or instruction is authentic and presents no danger. This is often the most successful tactic, as individuals lack the more rigorous built-in defences that computer systems have.

A growing method, which could use either or both of these two primary approaches, has hackers breaking into one relatively unguarded system to get into another, more prized target. Supply chains are a good example. Once criminals have breached one company’s defences it is often easier to get past those of its business partners by using the shared network rather than attempting to penetrate their external security measures.

Another increasingly prevalent threat is invoice and billing fraud, where a criminal modifies or fabricates an invoice in the hope that a business or their vendor will mistakenly pay it.

What should companies do?

So, what can businesses and consumers do to better protect themselves against cybercrime? A few over-arching priorities are worth mentioning:

Understand the threat. Assess and determine your information landscape and its vulnerability to the latest kinds of attack. Many C-suite executives and board members underestimate the risk posed by their cyber adversaries, and a lack of awareness of the risks and support in the ranks of the senior leadership will cascade down, says Alice McCracken, Cyber Threat Intelligence and Offensive Security Lead, ANZ.

Reinforce the security of your IT estate. Invest in IT security measures. Businesses in some sectors allocate less than 3% of their IT budget to security, which is a lot lower than the 7-20% recommended by many cyber specialists. This discrepancy must be addressed.

Invest in people. Employees must be educated about the level and nature of threats faced by their business so they can be constantly vigilant, and willing to adhere to secure practices even when these practices are inconvenient, or when they are off-duty.

A simple, easy and low-cost first step that can be taken at the level of an individual would be to switch on multi-factor authentication, says Luke Steller, Security Operations, Intelligence, and Influence Head, ANZ.

Have a plan. Keep it up to date, and practise it. Simulations are a good way of testing the effectiveness of your remediation strategy and identifying weak points. Your playbook should be a dog-eared working document, not something drafted and then stored until a crisis arises. A plan is also useful in the event of a breach to manage and contain the fallout, says Mahoney.

Use the latest technology, including generative AI. As McCracken explains: “AI gives us the ability to receive threat information, in a variety of formats, and to understand its significance without having to wait for the security analysts. It then works out what the best response is and automates an effective set of remediation measures, in real time.”

AI and machine learning technology have helped ANZ automate the bank’s incident response system, according to Dr Maria Milosavljevic, ANZ’s Chief Information Security Officer. These tools are used to analyse email content and sender behaviour to combat phishing and malware, as well as study software characteristics to identify and block other threats. The system’s ability to learn and self-train means it continuously accelerates automation, improves detection, and responds faster with greater accuracy. It can even generate decoy patterns in a network to draw hackers’ attention away from a real vulnerability or asset.

Stand together as a community

Yet another effective response to the cyber security challenge is the ‘whole-of-community’ approach. Key to this is the recognition that cybercrime is not just a consumer problem, or a banking problem, but one that affects the entire community – and is best countered together, rather than individually.

There are already a number of networks and forums – global, regional and local – that banks like ANZ and other corporations are a part of. Many include government agencies and technology companies, especially those offering cyber security products and services. Law enforcement is also a committed participant and, in Australia, entities like the Australian Financial Crimes Exchange play a vital role.

These communities serve a number of functions. Firstly, they enable members to share what they are experiencing – the types, frequency and intensity of cyber activity, and their success in mitigating them. Secondly, they can be an invaluable resource when a member comes under attack. When you’re scrambling to work out what’s happening and unsure how best to respond, it can be reassuring to have calm counsellors at hand who have been through it themselves and can offer battle-tested solutions. A less dramatic but equally important benefit is that community networks help raise and maintain vigilance around a topic that seldom enjoys front-of-mind status.

Finally, information sharing networks lay the foundation for an effective, concerted response. “It’s really important that banks develop good working relationships,” says Steller. “When a suspicious transaction is detected, time is of the essence if we’re to stand a chance of recovering the funds. So is having an agreed, familiar response protocol. You only get that if you’re working together as a community.”

This approach is not without its challenges, however. Networks often lack a sufficient number and diversity of participants, and sharing of information can be unbalanced, leading some to question the give-and-take. There is also a risk of crucial intelligence falling through the cracks. But these issues can be managed – again with the help of technology – for example, with solutions like the creation of a central repository of information, and the automation of data-sharing between various stakeholders.

While it is easy to get absorbed in the technology, as Dr Milosavljevic points out, there is one more vital – and decidedly human – ingredient necessary for the success of the whole-of-community approach. “Trust is our most valued asset; it takes years to build and can be lost in seconds,” she notes. “That’s why a holistic approach to security is essential and why, in 2024, collaboration, innovation and village vigilance will be our strongest defence.”

 

ANZ experts

This publication is published by Australia and New Zealand Banking Group Limited ABN 11 005 357 522 (“ANZBGL”) in Australia. This publication is intended as thought-leadership material. It is not published with the intention of providing any direct or indirect recommendations relating to any financial product, asset class or trading strategy. The information in this publication is not intended to influence any person to make a decision in relation to a financial product or class of financial products. It is general in nature and does not take account of the circumstances of any individual or class of individuals. Nothing in this publication constitutes a recommendation, solicitation or offer by ANZBGL or its branches or subsidiaries (collectively “ANZ”) to you to acquire a product or service, or an offer by ANZ to provide you with other products or services. All information contained in this publication is based on information available at the time of publication. While this publication has been prepared in good faith, no representation, warranty, assurance or undertaking is or will be made, and no responsibility or liability is or will be accepted by ANZ in relation to the accuracy or completeness of this publication or the use of information contained in this publication. ANZ does not provide any financial, investment, legal or taxation advice in connection with this publication.
