NAB Chief Security Officer Sandro Bucchianeri today joined the AFR Cyber Summit’s ‘Big Picture’ panel in Sydney, alongside Deputy National Cyber Security Coordinator Tony Chapman and representatives from Deloitte Australia and Wesfarmers.
The following excerpts from the discussion highlight how government and industry are addressing key cybersecurity challenges, including the interconnected nature of systems, advances in AI, and adherence to basic principles of cybersecurity protections.
NAB welcomes government’s ‘safe harbour’ provisions
“We welcome the government’s position. If there are protection rules, then the victim is not punished,” Bucchianeri said.
“I think the other aspect is that collaboration is essential.
“We’ve enjoyed our relationship with the ACSC (Australian Cyber Security Centre), with Abigail Bradshaw (ACSC director) and the team, in sharing threat intelligence, because you know for the most part I have a large security budget… but this is to help those who can’t afford to share threat intelligence or whatever,” he said.
“We believe it is our duty as a large organisation to help those who don’t have the budget to do certain things and that’s what we’re looking for, and collaboration is the key part of that.”
Stay true to the basics
“We’ve been working in security for a quarter of a century, but we still talk about the same topics. We talk about vulnerability management, remote access, etc.,” Bucchianeri said.
“If you look at incidents over the last 25 years, it’s exactly the same attack. It’s an API (Application Programming Interface) that wasn’t configured properly. It’s a vulnerability that hasn’t been patched.
“If you stick to the basics, like going to the gym… you’re going to live a lot longer and have a healthier lifestyle. The same principles apply to your safety environment. If you stick to the basics, you’re probably going to be 90 to 95 percent better off.”
AI is a double-edged sword
“AI is a double-edged sword,” Bucchianeri said.
“Ten years ago, you could easily spot phishing. You could see the spelling mistakes and all those things, the grammar mistakes. Now, you can’t tell the difference between an email from me and an email from a scammer.”
“However, on the other hand, AI can help my cyberattack response team,” he said.
“We’re moving much, much faster and going through hordes of data that they couldn’t have done in the past so they can look at that proverbial needle in a haystack with this powerful electromagnet that is AI.
“I think that’s its great advantage, but as with any technology, it’s too early to know where we’re ultimately going to go.”
The interconnected nature of systems means that mapping interdependencies is essential
“I think CPS 230 (Prudential Standard) … does exactly that: you understand exactly what the critical flows are in your organization that have a huge impact on everything you do. That then trickles down to the critical infrastructure environment. So I think that’s the key piece (responsible for mapping the interdependencies),” Bucchianeri said.
“It’s (also) about how resilient you are in your processes, how you recover and how quickly you recover.”
Advice for small and medium-sized businesses
“The (Australian Signals Directorate) ‘Eight Essentials’ is a great mechanism for small and medium-sized businesses to follow,” Bucchianeri said.
“Multi-factor authentication, patch management, identity. Follow these tips and I think you’ll be better off.”
For cybersecurity support for businesses and individuals, visit www.nab.com.au/security