Other banks and the Australian Securities Exchange also conduct simulated attacks to track staff responses to potential incursion. Australia is becoming more of a target for banking botnets, where computers launch repetitive tasks to damage systems, while the Dreambot trojan has been increasingly trying to lure bank staff to click on emails that allow malware to enter bank systems.

People over technology

Nick Scott, head of security governance at National Australia Bank, said people are more important than technology when creating a strategy around cyber security. In an ideal 2020, he said all staff creating products in NAB would have high proficiency around IT security issues as a normal part of their job. "I need people to understand the challenges we face," he warned.

Maintaining security is getting more difficult as "agile" product development proliferates through the industry, reducing the time it takes for new products to come to market. "I need the people developing that to understand the security aspects right at the outset and be able to build that in from the very first line of code," Mr Scott said.

"If you look at how most of the breaches have occurred, it is through somebody in your organisation being compromised.

Phishing emails sent to bank staff are a favourite way to compromise IT systems

"I have got to continue the journey we are already on and upskill those people inside [NAB] to recognise the threat and shut it down at the very get go, and get them so good that I go from having a security team of 200 people to 40,000 throughout the whole bank."

Banks are also collaborating to share intelligence about cyber threats. "We don't see ourselves competing on security – a hit on one of us is a hit on all of us," said Mr Glynn.


'Profound cultural change' required

Business Council of Australia chief executive Jennifer Westacott said industries needed to view cyber security like safety. "The airline industry is a great example – they are fierce competitors but collaborate openly and are quick to talk to one another when there is a safety issue."

After the Australian Securities and Investments Commission on Tuesday used the Sinet61 event to warn directors to ramp up their knowledge about cyber threats, Ms Westacott told the summit that "profound cultural change" is needed throughout corporate Australia and that cyber security should be part of board agendas and sit alongside issues such as finance and occupational health and safety.

"If you are not doing that in cyber in the next 12 months then I don't think companies are taking this seriously," she said.

Ms Westacott also encouraged the development of a more vibrant local cyber security industry, something that is also being encouraged by the federal government and is being developed by CSIRO subsidiary Data61, which supported the Sinet61 summit.

"We should be seeing this not just as something we have to protect for and manage, [but] a massive opportunity, because whoever gets right out in front of this space, whether it be a start-up or a big company, they are going to be able to dictate the playbook."

Mandatory reporting

The incidence of cyber attacks in Australia is not known because it is not compulsory to report cyber breaches. This contrasts with the US, which introduced laws in 2003 requiring companies to notify customers of cyber attacks. Such laws have forced companies including Target, Home Depot and Sony Pictures Entertainment to reveal hacks.


In February last year, a federal parliamentary committee investigating the government's contentious data retention legislation called for mandatory data breach notification laws to be introduced but no legislation has materialised. However, it is understood governments are considering whether such laws would be suitable in Australia.

But Ms Westacott indicated such moves may be resisted by big business.

She said the development of reporting standards, joint threat centres and centres of excellence, as proposed by the government's recent cyber resilience package, were important and should be given the chance to "play out, to see if companies have lifted their performance".

If any regulation is required, it should be "co-designed with business, so we are not creating unintended consequences and a compliance burden".