NAB Chief Security Officer Sandro Bucchianeri today joined the AFR Cyber Summit’s ‘Big Picture’ panel in Sydney, alongside the Deputy National Cybersecurity Coordinator, Tony Chapman, and representatives from Deloitte Australia and Wesfarmers.
The following excerpts from the discussion highlight how government and industry are responding to key cyber security issues, including the interconnected nature of systems, advances in AI and sticking to the basics of cyber security protections.
NAB welcomes the Government’s ‘safe harbour’ provisions
“We welcome the Government’s stance. If there’s safe harbour [rules], then you’re not punishing the victim, essentially,” Mr Bucchianeri said.
“I think the other part of it is that collaboration is key.
“We’ve enjoyed our relationship with the ACSC [Australian Cyber Security Centre], with Abigail Bradshaw [head of ACSC] and the team, in sharing threat intel, because you know for the most part, I’ve got a large security budget… but it’s to help those that cannot afford threat intelligence sharing or whatever the case would be,” he said.
“We feel that it’s a duty for us as a large organisation to help those that don’t have the budget to do certain things and that’s what we’re looking for, and collaboration is the key part.”
Stick to the basics
“Being in security for about a quarter of a century sounds like a long time, but we still talk about the same stuff. We talk about vulnerability management, remote access and so on and so forth,” Mr Bucchianeri said.
“If you look at the incidents that have happened over the last 25 years, it’s exactly the same attack. It’s an API [Application Programming Interface] that wasn’t configured correctly. It’s a vulnerability that wasn’t patched.
“If you stick to the basics, like going to the gym… you’ll live much longer, you’ll have a much longer, healthier lifestyle. The same principles apply with your security environment. If you stick with the basics, you are likely 90-95% better.”
AI is a double-edged sword
“AI, it’s a double-edged sword,” Mr Bucchianeri said.
“If you think 10 years ago… phishing – you could easily pick it up. You could see the misspellings and all those things, the grammar errors. Now you couldn’t tell the difference between getting an email from me or you’re getting an email from a scammer.
“However, on the flip side, AI can help my cyber response team,” he said.
“We act much, much faster and trove through hordes of data they wouldn’t have been able to do in the past so they can look at that proverbial needle in haystack with this powerful electromagnet, which is AI.
“I think that’s the great benefit of it, but like with any other technology, it’s still too early in the process to see where we ultimately are going to go.”
Interconnected nature of systems means mapping interdependencies is critical
“I think the [Prudential Standard] CPS 230… is doing exactly that – you’re understanding exactly what the critical flows in your organisation are that have a massive impact on everything that you do. That then goes across the critical infrastructure environment. So, I think that’s the key thing [responsible for mapping where interdependencies are],” Mr Bucchianeri said.
“It’s [also] about the resilience that you have in your processes and how you recover and how quickly you recover.”
Advice to small to medium businesses
“The [Australian Signals Directorate’s] ‘essential eight’ is a great mechanism for small to medium businesses to follow,” Mr Bucchianeri said.
“Multifactor authentication, patch management, identity. Follow that and I think you’ll be better for it.”
For business and individual cyber security support, go to www.nab.com.au/security