Coles has doubled its cybersecurity spending

Coles Group chief executive Steven Cain says business leaders need a clear regulatory framework for what the government deems as baseline preventive standards against cyberattacks.

Mr Cain said attacks were becoming more sophisticated and the business community was trying to understand what they needed to do to improve security following several high-profile breaches including hacks on telco Optus and health insurer Medibank.

Cybersecurity is one of the highest growth areas of expenditure within the tech budgets for companies – Coles has doubled its technology spending since demerging from Wesfarmers in 2018 and more than doubled its cybersecurity spending over that time.

Coles is among many major companies that benchmark themselves against the Australian Cyber Security Centre’s Essential Eight framework, which outlines a minimum set of preventive measures designed to make it harder to compromise systems.

Mr Cain said he would like to know what the expected standards were, aside from the “Essential Eight” program, and agreed that if companies did not follow known guidelines, they should be penalised.

“I think making sure that everyone’s aware of what the standard should be, and that we share best practice to continually improve them would be helpful in driving this forward,” he said.

“I think there needs to be clearer definition of who holds what first, and why, and all those types of things and then establish the regulatory framework around it.”

Wesfarmers chairman Michael Chaney said on Thursday at the annual general meeting that cybersecurity was a huge issue facing corporate Australia.

“The recent attacks have focused everyone’s attention, I think, as a result, we’re renewing our efforts where we’re looking further at the question of what sort of information we hold, and how long we need to hold it,” he said.

Wesfarmers chief executive Rob Scott confirmed after the AGM that its retail operations, which include Bunnings and Kmart, do not store a lot of highly sensitive personal identity information, but rather transaction data like emails and mobile numbers.

“We think you should only take the data that you need, and only store it for as long as you have to,” he said.

Cybersecurity company Imperva has found cyberattacks against Australian retailers are on the rise because the country is viewed as a lucrative market for criminal activity with the pandemic accelerating online commerce.

Imperva’s Tony Mascarenhas said the most heavily targeted industries in Australia are financial, retail, and business services.

“Certainly, there’s a lot more consumption of dollars transacted online,” he said. “There is a lot of buy now, pay later in Australia that is attracting the bad guys if you like too, because they see opportunity at the end of the day.”

Mr Mascarenhas said increasingly companies saw data as valuable assets that they could monetise, so they were holding on to the data for much longer.

“You monetise data via APIs (application programming interfaces). Keeping track of your APIs is really hard,” he said.

He added it was vital that companies monitored the data, which, in the case of a breach, allowed them to understand what records might have been stolen.

Mr Mascarenhas said as retailers entered the pivotal holiday season and security incidents rose, breaches were a threat to business operations and damaged consumer trust, which ultimately affected the retailer’s bottom line.

“Retailers really need to be reviewing the cyber defence controls for both the commerce applications and mobile apps they have and do some fine-tuning,” he said.

Mr Mascarenhas pointed to a sharp rise in account takeover attacks, a form of online fraud in which cybercriminals attempt to compromise online accounts by using stolen passwords and usernames.

In the peak shopping period of October to December last year, account takeover attacks increased fourfold compared with the previous quarter, according to Imperva data.


Extracted from AFR
