Cybersecurity – building trust in the digital economy

By Cody Kieltyka, CISO at Australian Payments Plus (AP+)

Building trust in the digital economy and digital transactions is one of the core challenges of our time.

“How do you build trust when it’s a very human emotion and you’re trying to do that in a really digital way, in a really digital ecosystem?” asks Nicola Nicol, Chief Security Officer at Commonwealth Bank of Australia.

For CBA, maintaining customer trust means implementing robust cybersecurity protections. The bank’s digital app serves 8.5 million customers who depend on safe and secure banking services around the clock.

The growing cyber threat landscape

Cybercrime continues to rank among the top challenges for organisations across Australia, with threats accelerating at an alarming pace, as Nicol explained during an episode of the Australian Payments Plus Point of View podcast on trust and cybersecurity.

Cody Kieltyka, AP+ CISO, offered his perspective on trust, stating, “You ultimately have to know something to trust it. The devil you know is better than the devil you don’t. And I think that’s applicable both in life, but also when you think about cyber as well.”

Global cybercrime is projected to cost $10.5 trillion annually by 2025, making it the world’s third largest “economy” after the US and China, according to researcher Cybersecurity Ventures.

Australia faces significant threats as well. The latest Annual Cyber Threat Report from the government’s Australian Cyber Security Centre states that Australia is confronting the most complex and challenging strategic environment since the Second World War.

During FY2023–24, the Australian Signals Directorate (ASD) received over 36,700 calls to its Australian Cyber Security Hotline, an increase of 12% from the previous year. ASD also responded to over 1,100 cyber security incidents, highlighting the continued exploitation of Australian systems and ongoing threat to our critical networks.

Intelligence-led cybersecurity strategies

CBA takes an intelligence-led approach to cybersecurity. The bank prioritises understanding potential threat actors, whether they are ‘hacktivists’ or nation states, and their motivations. This intelligence informs how the bank adapts its cyber defences.

The bank leverages global intelligence from the Australian government, which participates in the Five Eyes intelligence alliance, and receives threat information from tech partners like Microsoft.

CBA’s cybersecurity capabilities include a 1000-strong team with a dedicated ‘Red Team’ – ethical hackers who attempt to breach the bank’s systems by thinking like attackers. This proactive approach reveals vulnerabilities that can be addressed before malicious actors can exploit them.

Managing third-party cyber risk

Kieltyka said organisations also need to manage third-party cyber risk – the possibility that hackers gain access to systems by compromising a customer, supplier or partner.

“It’s a very hard problem to solve,” Kieltyka said. Companies need to acknowledge the scope of the problem and thoroughly understand their supply chain and potential weaknesses.

Nicol elaborated on this complexity, comparing it to mapping a family tree. “Organisations need to understand that environment because that is essentially you expanding your attack surface as well because attacks are coming through third parties,” she said.

AI: both threat and opportunity

In recent years, businesses have been navigating the increasing sophistication and capabilities of artificial intelligence across their operations, including cybersecurity.

Kieltyka describes it as both a threat and an opportunity. Using AI introduces risks such as losing sensitive company data to third parties if the AI application lacks adequate security. There’s also the risk of poor decision-making if the technology isn’t used correctly.

While agreeing with these concerns, Nicol emphasised that AI is a massive opportunity that cyber teams can’t simply reject by becoming the “Department of No”.

“The businesses are going to use AI and we need to be in it with them, looking at how we do that safely,” Nicol said. Sometimes this comes back to third-party and supply chain risk, she said, because organisations need to also consider how their partners or suppliers are using AI and the security implications.

Progress in combatting cybercrime

Despite concerning statistics, Australia is making progress in combatting cybercrime.

Nicol highlighted national-level initiatives, including the 2023-2030 Australian Cyber Security Strategy, a roadmap toward the Australian Government’s vision of becoming a world leader in cyber security by 2030.

The strategy supports individuals and small and medium businesses in defending themselves from cyber threats, disrupts and deters cyber threat actors, works with industry to combat ransomware, and creates a whole-of-economy threat intelligence network.

She also noted new requirements for organisations to report ransomware attacks, providing better visibility into the size of the problem. The Cyber Incident Review Board conducts reviews of significant cyber security incidents in Australia and makes recommendations to government and industry about preventative measures.

Kieltyka pointed to enhanced security for individuals that comes with AP+’s ConnectID, a digital identity exchange that lets consumers prove their identity to make payments and open accounts without having to hand over documents or large amounts of personal information.

He added that the elevation of cybersecurity to a board-level and executive-level conversation represents progress, demonstrating acknowledgement of the issue and commitment to solving it.

When educating company boards about cybersecurity, Kieltyka stressed the importance of moving beyond compliance to focus on risks and the scenarios relevant to the organisation.

Nicol agreed, noting that real-world scenarios and their implications resonate strongly with board members. She recommended that the organisation’s cybersecurity leader, such as the chief information security officer, should take an active role in board education.

Summing up, podcast host Dave Ellet, Chief Commercial Officer at AP+, emphasised that cybersecurity is inextricably linked to trust.

“We as an industry, if we get this wrong, we’ll lose trust, but as long as we keep doing our jobs we’ll keep the trust as it is or hopefully build trust into the future,” Ellet said.