|
Cat Matson
- From 2014 to 2020, I served as Brisbane’s Chief Digital Officer, focusing on leading
digital transformation of the City’s economy.
- This involved supporting a startup ecosystem and exploring how innovations like the
sharing economy (e.g., Uber) would impact Brisbane.
- Back then, cyber security was seen as a ‘big company’ issue, not something that
small businesses needed to worry about.
- However, the situation is very different today; two-thirds of small businesses would
fail if they were targeted by a ransomware attack. This highlights the urgency of cyber security.
|
|
Karla Day
- As Chief Technology and Transformation Officer at QBANK in Brisbane, cyber
security is critical to my role given the bank’s regulatory and compliance obligations, and critical accountability function.
- QBANK’s members are people who serve our community. Safeguarding data and
finances is a top priority.
- To do this, I’m passionate about fostering innovation across the organisation and
ensuring everyone can effectively collaborate to deliver secure, high-quality services and products. This is a challenging but essential task, to protect our members and fulfill our responsibilities at QBANK.
|
|
Bruce Irwin
- As the Principal Consultant for Cyber Security Risk at Business Aspect and having
been in the IT industry for over 30 years, I’ve witnessed a major shift from security being an afterthought to becoming a central concern for organisations.
- Business Aspect helps other organisations like QBANK to protect their stakeholders.
- My primary passion lies in privacy – which is critical for organisations, society and
government institutions, now and in the future.
- Privacy is at the heart of the challenges we’re facing. Overcoming this challenge will
require strong governance, effective practices and a focus on people and processes. Once this is achieved, the technology solutions will follow.
|
|
Professor Ryan Ko
- UQ Cyber is an interdisciplinary research centre that bridges industry, IT departments,
research and teaching. We bring together around 13 entities from four faculties, a research institute and a research centre, covering a breadth of topics including quantum computing, policy and cryptography.
- Our team includes about 60 academics and nearly 100 PhD students working on diverse
aspects of cyber security.
- My passion in cyber security research focuses on people and processes, as this is
where the frontiers of threat prevention lie, more so than in technology.
- Small and medium businesses, which comprise over 90% of developed nations, often
lack resources for cyber security.
- As such, we aim to address these challenges by identifying research questions and
solutions tailored to small and medium enterprises.
- To support this, I co-founded Cyber Security Certification Australia, an industry council
dedicated to creating standards and certifications for these businesses.
|
|
Ivar van den Berge
- Sime Darby Australasia is a large Malaysian organisation operating across the Asia-Pacific. The organisation fully embraces cyber security beyond mere compliance, which
is a major motivator.
- Sime Darby provides equipment for the mining and resource industries, so we must
prioritise strong protections to ensure quick recovery and continuity in case of a cyber incident; when our operations stop, it impacts other companies across Queensland and Australasia that rely on our services.
- While technology is essential, people and processes are a critical element in cyber
security. To achieve success, we must foster a cultural shift – moving away from a strict compliance mentality to one that values proactive security. To do this requires leadership from the top.
|
What are the real and emerging cyber security risks that we’re now navigating?
|
Karla Day
- Identity theft has long been a challenge, particularly for the banking industry.
- With AI and deepfake technology, the threat level has significantly escalated, making
it harder to verify people’s identities. For example, someone can even submit a video of themselves, making it difficult to detect identity theft from a physical or even technical perspective.
- As such, combating identity theft, fraud and scams is a major challenge in the industry.
This is highlighted by the $2.7 billion lost to scams last year, which highlights the ongoing risk to our members and bank customers.
- While government support, initiatives and accords aim to tackle scams, it remains
essential to educate our members on recognising and preventing these threats.
|
|
Cat Matson
- The $2.7 billion figure highlights the scale and complexity of the scam industry.
We have moved from these threats coming from unorganised actors to becoming large organisations.
|
|
Bruce Irwin
- We’ve recently seen extensive media coverage on AI and its impact on organisations.
Karla mentioned AI impersonation, and I’ve observed early instances of video impersonation attempts on Teams calls.
- While AI brings risks, it also has opportunities. It is critical to prepare organisations to
use it effectively and securely, just like past technological developments.
- Given AI accelerates data processing, it has the potential to reveal flaws in processes
and data security, or ‘spill’ data faster, which can lead to rapid data leaks.
- As such, organisations must be cautious with the adoption of this technology to avoid
unintended vulnerabilities.
|
|
Professor Ryan Ko
- Ransomware and scams are highly prevalent issues faced by people and
organisations today.
- One of my research areas is tracking cryptocurrency payments to identify criminal
activity. We have found through analysis and tracing of cryptocurrency payments that in the last two years, scam payments have surged to nearly five times the volume of ransomware payments globally.
- This growth reflects how organised and opportunistic criminals are targeting the ‘lowest
hanging fruit’ – ordinary people rather than heavily protected organisations or entities.
- However, this also reflects on the above discussion around small and medium
businesses – given that around 60% of small and medium businesses go bankrupt following a data breach, ransomware attack or scam.
|
|
Ivar van den Berge
- Ransomware and scams result from tactics which employ social engineering
through email to get into organisations or businesses, leading to business email compromise and identity theft.
- Malicious actors now use AI to gather personal information from the internet, building
detailed profiles and crafting highly targeted messages. This makes it increasingly easy to fall for these scams due to this personalised approach.
- To protect against this, I believe the best approach is to ‘fight AI with AI’, as AI-based
solutions are becoming more accessible and affordable, enabling both large and small businesses to protect themselves more effectively.
|
|
Karla Day
- On the topic of ‘fighting AI with AI’ – from my perspective, this would rely on partnering
with the right organisations to support our cyber security needs.
- This adds complexity around third-party security, as we must ensure the trustworthiness
and security of third-party vendors. Another challenge is the overwhelming number of vendors offering solutions across these emerging technologies, making it hard to choose the right fit.
|
|
|
How are you building a culture of security in your organisation?
|
|
Ivar van den Berge
- Setting the tone at the top is important for leaders, as it reflects that cyber security is
a business-wide responsibility.
- Most organisations use phishing simulations to educate employees. This is a good
method of supporting employees to learn but should not focus on penalties for employees who click on the simulated problem emails.
- AI has led to phishing emails becoming increasingly sophisticated and frequent, making
it critical to combine technology and user awareness approaches to protect against these threats.
- In my organisation, we borrowed the concept of ‘safety shares’ from Zero Harm physical
safety protocols to create ‘cyber safety shares’ in meetings.
- This has sparked a positive ripple effect and led to others in meetings sharing their
cyber security experiences.
- This example highlights how the culture can be shifted in businesses, and how cyber
security can be made relatable and actionable by emphasising people, family and the community.
|
|
Cat Matson
- From my experience in delivering safety leadership training, I’ve seen how safety shares
can keep a high level of awareness for daily safety practices.
- With new psychosocial wellbeing regulations, there’s growing pressure to introduce
‘psychosocial shares’, and cyber security can easily be a part of this. For example, cyber safety shares could help reduce the mental anguish that employees might feel if they accidentally click a harmful link, knowing the potential consequences for the organisation.
|
|
Bruce Irwin
- In building a security culture within organisations, it is important to measure the right
things. Organisations often focus on counting how many people clicked a phishing link during tests but should be focused on how quickly the first person reported the phishing attempt, as this is what enables IT to eliminate the threat.
- Rewarding that first responder reinforces the right culture by encouraging proactive
reporting, rather than punishing people for honest mistakes.
|
|
Karla Day
- Early reporting is essential, so organisations should remove scare tactics and a blame
mentality from their approach. If people are afraid to report incidents, they won’t share when they’ve made a mistake – and this will lead to the threat not being resolved.
- Cyber threats tend to strike when we’re busiest, often using urgent, distracting tactics
to catch even the most vigilant person off guard. Additionally, phishing attempts often play on emotions, mentioning things like family, which makes people more likely to fall for them.
- Organisations must create a blame-free environment to encourage employees to report
incidents immediately, allowing them to quickly and effectively resolve any threat.
|