Cyberattacks: think 'when', not 'if'

Against a background of accelerating technological change and disruptive business models, cyber security has become a key operational risk facing organisations of all sizes – especially those in financial services.

But a rising issue for many companies is they still lag behind the increasingly accepted view that cyber security is a business as usual (BaU) issue - and still plan for 'if' and not 'when' a significant cyber-attack may occur.

"The challenge of securing a computer network supporting thousands of employees across multiple countries is increasingly complex."
Steve Glynn, Global Head of Information Security at ANZ

As PwC noted in their recent Global State of Information Security survey, cyber security is now a “persistent business risk.”

“It is no longer an issue that concerns only information technology and security professionals,” the report said. “The impact has extended to the C-suite and boardroom.”

And so it should. The survey reinforces anecdotal evidence and media coverage - security incidents continue to soar, growing 66 per cent since 2009.

Verizon's 2015 Data Breach Incident Report mirrors these findings, supporting similar increases in both the frequency of cyber-attacks, and resultant loss of data. The report estimates a 34 per cent increase in cyber-attacks in Australia last year.

Since not all countries have mandatory data breach disclosure (where organisations are obliged by legislation to advise they have been the subject of a successful cyber-attack), the true cost is difficult to calculate.

In a study by the Ponemon Institute, commissioned by IBM during 2015, they estimated total average costs up from $US3.5 million to $US3.8 million per data breach. Verizon puts the cost at anywhere between $US250,000 to $US8.8 million depending on the number of records involved.

This excludes the cost of reputational damage which in many cases may be greater than the financial impact.


As our digital footprint increases, so does the technology interconnectedness of our personal and professional lives. The challenge of securing a computer network supporting thousands of employees across multiple countries is increasingly complex.

To keep up with the opportunities that social media brings, large organisations are increasingly opening these channels up – for both personal and professional purposes. These opportunities present new security challenges when personal and professional data is co-mingled on social platforms such as LinkedIn.

With contact information in abundance it's no wonder that according to Allen Paller, director of research at the SANS Institute, 95 per cent of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened an attachment that they weren't supposed to.

It's not just an employee's digital footprint that has the potential to compromise online activity. As companies, including banks, increasingly go digital and interact with customers beyond traditional channels, security must grow with it to protect the increasing amount of data being generated.


The concept of “Cyber Resilience” – the preservation and continuation of business operations in the face of a cyber-attack – is now an imperative.

Importantly this is a business issue – not isolated to the technology department – which must be approached in true partnership, incorporating both strong incident management and clear lines of communication across the organisation and beyond.

To cope with greater amounts of information to be protected, a deep understanding of the corporate network environment and the data that traverses it is at the heart of a cyber resilience strategy.

Click image to zoom Tap image to zoom

At ANZ, we take cyber security very seriously and have invested towards gaining deeper understanding of key information to be protected. Given the explosion in data available, new technologies and techniques available, we are also developing advanced data analytics capability to better identity and understand events of interest that might lead to a cyber-attack.

This ability to more deeply analyse cyber security events is the largest deployment of its kind in Australia and augments additional people and processes supporting our 24/7 incident management and response capability.

A holistic understanding of an organisation's data through advanced analytics, combined with a well-planned cyber resilience strategy – prepared by and bought into by all areas of the business - provides organisations with the opportunity to prepare for when, not if, a cyber-attack occurs.

In the future, organisations will not only have to do everything reasonable to prevent and detect a cyber-attack, but equally important, they will be evaluated on how prepared they were in the first place, and how they responded and maintained business resiliency during the incident.

Steve Glynn is Global Head of Information Security at ANZ.

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

07 Oct 2015

Is cyber fear hurting cross-border investment?

Cheng Lim & Michael Swinson | Partners at King & Wood Mallesons

Cyber security is looming as one of the great challenges of the 21st century. Several governments around the world are responding by strengthening online security laws which in some cases are creating a degree of regulatory uncertainty - but, critically, running the risk of deterring cross-border investment.

02 Jul 2015

Humans are the weakest link in the digital war

Guy Boyd | Head of Financial Crime, ANZ

There is no doubt digital is the future and customers want the convenience and speed it provides – not just in banking but many services. But the convenience and revolution of digital comes with the risk of cybercrime. This will be a digital war and humans remain the weakest link – meaning training and education are critical.

16 Jun 2015

Six ways to help save your SME from cybercrime

Christine Linden | General Manager, Regional Business Banking, ANZ Australia

It's easy to think cybercrime and identity theft only happens to big business. It doesn't. With over two million small businesses in Australia, lifting awareness, improving education and taking real action to prevent these incidents is fundamental for the health of the sector.