Building muscle memory to tackle cyber risk
Mature organisations must recognise that today’s complex kaleidoscope of cybercrime is a business risk that will inevitably be realised – and plan accordingly, leading Australian cyber expert Alastair MacGibbon told a recent Westpac webcast.

In May 2021, Colonial Pipeline paid hackers a USD4.4 million ransom to end a cyberattack that had crippled US fuel supplies from Texas to New Jersey. The following month, global meat processor JBS Foods paid USD11 million to a criminal gang after a cyberattack froze its global operations.
These are just two of the recent cybercrime wake-up calls for businesses and economies around the world.
A recent report by the Australian Institute of Criminology estimates the economic impact of pure cybercrime in Australia was about AUD3.5 billion in 2019, but renowned cyber expert Alastair MacGibbon believes the figure may be much higher.
MacGibbon is Chief Strategy Officer at cyber security firm CyberCX and a former National Cyber Security Adviser to the Prime Minister. He recently joined Westpac Institutional Bank’s Chief Executive Anthony Miller in a webcast to discuss the impacts and implications of increasingly sophisticated cybercrime. Here’s an edited transcript from the webcast summarising Alastair MacGibbon’s insights.
How would you describe the threat of cyber security attacks today?
The cyber threat that all organisations are facing today is worse than it was yesterday, and it'll be worse again tomorrow. There are three reasons for this. The first is emboldened threat actors, including nation states, criminal groups and the people that we trust in our organisations who do the wrong thing. The second reason is that the threat surface we are protecting is in a state of increasing entropy. And the third is that the consequence of cyber risk being realised increases as we rely more upon technologies.
I’d hazard a guess that the Australian Institute of Criminology’s estimates are quite low. There are very few consequences for the actions of cybercriminals and very little upside for organisations to report it, so there is unfortunately a permissive environment for criminality.
Are we at a turning point now that US President Joe Biden has started to call this out? There have been headlines around Australia and the US recently about accusations of cybercrime from China, for instance. Do you think it's being appropriately addressed in a coordinated way?
I applaud any action from government to try to drive cost into and to change behaviour of criminals and nation states that are just here to do us harm, but I don't think we can hang up a ‘mission accomplished’ sign and say the job’s done.
There's no doubt ransomware has become a hot topic. We've seen incidents around the world where this is now an existential threat and it’s often state-sanctioned criminals just locking up your average business.
That's one part of a very complex kaleidoscope of criminality and I think we should be very cautious about assuming that, just because nations are starting to flex muscles around ransomware, we've solved the underlying problems that lead to cybercrime. That includes, for example, the pervasive use of cryptocurrencies by criminals and the almost complete lack of regulation in that space.
We've also allowed multi-national internet companies to suggest that they are above the law in terms of what they are required to do to stop people misusing their systems. There's a whole range of environmental stuff we need to do before we tamp down this level of criminality to – and I hate to say it – an acceptable level of white noise in our society.
There's always going to be crime. The question is, how pervasive is it and how much harm does it do to us?
Where do you think Australia, and Australian companies, are at in terms of their understanding and approach to combating this? Who would you say is best-in-class around the world?
In the early 2000s, the level of knowledge around cybercrime was very low. In 2016, when former Prime Minister Turnbull launched Australia's first National Cyber Security Strategy, I think that was the tipping point. We saw global ransomware incidents like NotPetya and WannaCry, which were conducted by nation states, sweep across the world.
In my discussions with boards and C-suites in Australia over the past five years, the maturation, the types of questions and the engagement have increased exponentially. That's what will save us. As we start understanding this as cyber risk, rather than cyber security, organisations will realise what role they can play to reduce the harm.
You asked who's best-in-class. In terms of nations, I think the UK is a good example of how to engage the industry – and I'm not being critical of my former Australian government colleagues, as I think there have been huge advances.
In terms of companies – and I'm not trying to pump up your tyres – but certainly the banks have done a really good job. They probably spend more than pretty much any other type of entity on cyber security. As a consequence, they've had a better handle on this concept of cyber risk, and the big banks in Australia have done a good job globally in that space.
What should businesses be doing to protect themselves from cybercrime?
Importantly, they should see it as a business issue rather than as a technology issue. This is a risk question. It's about the very survivability of a company or organisation. Indeed, I'm going to say it’s existential for our society.
I know an organisation is more mature when they talk to me about what they're doing to identify the various risks and what the consequences will be in the inevitable case, unfortunately, that those risks are realised.
When they have mechanisms in place for responding to that risk really quickly, that's a mature organisation. It means that their board is having discussions, not about technologies, but about risks and how we prepare for them. They're exercising that muscle. And through muscle memory they’ll have the ability to get it right more of the time and to do it faster.
What are some of the profound questions we’ll have to engage with to respond appropriately to cybercrime?
The worst possible scenario would be that people stop using technologies. We know that there are so many advantages that can come from it, in terms of customer service, scalability, removing cost and, frankly, often just a better experience.
I suggest that in the not-too-distant future, we'll see the equivalent of a ‘Balkanisation’ of the internet, where we don't trust all IP addresses in the same way. So, for example, countries connecting and deciding, well, unless it comes from our trusted sources, it's hard for us to allow anyone else to have access.
Where I think the Balkanisation will really occur is in our critical technologies. We saw this with the decision around buying 5G technologies as a nation from more trusted economies.
What are your thoughts on the debate around data and its contribution to helping us address cyber security?
When we talk about cyber security, we're talking about three things – confidentiality, integrity, and availability of data and systems. The bit that keeps me up most at night is the integrity. Imagine if a financial institution, a shipping company or a hospital can't trust the integrity of the information upon which they're making decisions. Put yourself in a self-driving-vehicle world, and then ask the question about what happens if the machines aren't going to be making decisions on the right information. That will have catastrophic consequences for us as a community.
But, to get back to your question about data, organisations should ask themselves why they are collecting it. Once you're holding the data, you're responsible for it, so sometimes collecting less can be better for us as businesses.
I think we're going to see a whole range of organisations saying, we need to know who you are for the purposes of the Know Your Customer (KYC) regime, for instance, but you're going to hold that data yourself. I think we're going to see some interesting business models come out in the next couple of years.
What's the landscape like from an insurance perspective?
Cyber security insurance is still very nascent. The market has taken much longer to mature than many of us thought it would. But there's no doubt it's growing.
Much of this is done on actuarial modelling and, unlike the knowledge of how often a ship sinks or a house gets burgled, we don't have really good statistics on the incidence of cybercrime or the controls that are most effective in driving down the incidence of cyber events. This means that the policies aren't necessarily costed well.
I am advocating for organisations to insure where it's possible, but the costs are increasing dramatically as insurers realise how exposed they are.
Should governments step up more to fill the insurance gap?
There are things like the terrorism re-insurance pool, where a sum is kept to provide cover for those catastrophic events that go beyond the ability of organisations to insure against. I do wonder about the concept of a re-insurance pool that gives us some economic stability and absorbs shock around significant cyber incidents.
There are no more Black Swan events in cyber security. It is inevitable that large-scale systems that we rely upon around our society will fall foul of cyber incidents.
We need to prepare ourselves for how we will get back up and operating again. Think about the recent horrendous bushfire season – we just wouldn't have expected such large-scale fires impacting entire states, but we got through it as a country. We need to have that same sort of mentality for how we will prepare for cyber matters.
The trouble is, of course, we understand the bushfires in Australia, even though they surprise us from time to time. We’ve not yet developed that sort of muscle memory when it comes to cyber threats. But, in time, we will.
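Integrity, the leg of the confidentiality/integrity/availability triad that MacGibbon says keeps him up at night, is the one property a consumer of data can check for itself before acting on a record. The Python below is an added example written for this page, not code from the webcast, Westpac or CyberCX. It tags a record with a keyed MAC so that a later reader detects alteration, and contrasts that with an unkeyed hash, which an attacker who can write to the store simply recomputes alongside the data. The record fields, the key handling and the function names are assumptions made for the illustration.

```python
"""Detecting tampering in records that drive decisions.

Added example for this article (not code from Westpac or CyberCX).
Everything here is constructed for illustration: the sample record,
the key and the function names are assumptions, not a real system.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical content always tags identically,
    regardless of the order in which fields were inserted."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(key: bytes, record: dict) -> str:
    """Keyed integrity tag: HMAC-SHA256 over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time.

    A plain == would leak, through timing, how many leading characters
    of a forged tag matched; compare_digest does not.
    """
    return hmac.compare_digest(tag_record(key, record), tag)


def plain_hash(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption, not a deliberate rewrite."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_unkeyed(record: dict, stored_hash: str) -> bool:
    """Check a record against an unkeyed hash stored next to it."""
    return hmac.compare_digest(plain_hash(record), stored_hash)


def demo() -> dict:
    """Walk through the genuine, reordered, tampered and wrong-key cases."""
    # Assumption: in a real deployment the key comes from a KMS/HSM and is
    # never stored in the same database as the records it protects.
    key = secrets.token_bytes(32)

    # Constructed sample: a dosing record that a clinical system would act on.
    record = {"patient_id": "P-1001", "drug": "heparin", "dose_units": 5000}
    tag = tag_record(key, record)

    # Same content, different field order: canonicalisation makes it verify.
    reordered = {"dose_units": 5000, "drug": "heparin", "patient_id": "P-1001"}

    # Attacker with write access to the store changes one field ...
    tampered = dict(record, dose_units=50000)
    # ... and, in the unkeyed design, simply recomputes the stored hash too.
    tampered_unkeyed_hash = plain_hash(tampered)

    return {
        "genuine_verifies": verify_record(key, record, tag),
        "reordered_verifies": verify_record(key, reordered, tag),
        "tampered_verifies": verify_record(key, tampered, tag),
        "wrong_key_verifies": verify_record(secrets.token_bytes(32), record, tag),
        "unkeyed_hash_fooled": verify_unkeyed(tampered, tampered_unkeyed_hash),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry the weight here: canonical serialisation, so that the same content tags identically however the fields were ordered, and hmac.compare_digest, so that verification time does not reveal how much of a forged tag matched. The key must live somewhere the attacker who can alter the records cannot reach; if it sits in the same database as the data, the keyed tag degrades to the unkeyed case that the last line of demo() shows being fooled.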
Disclaimer
©2025 Westpac Banking Corporation ABN 33 007 457 141 (including where acting under any of its Westpac, St George, Bank of Melbourne or BankSA brands, collectively, “Westpac”). References to the “Westpac Group” are to Westpac and its subsidiaries and includes the directors, employees and representatives of Westpac and its subsidiaries.