ANZ Bank Adopts Zero Trust and ‘Secure-by-Default’ Strategy to Enhance Cybersecurity


We independently review everything we recommend. When you buy through our links, we may earn a commission which is paid directly to our Australia-based writers, editors, and support staff. Thank you for your support!

ANZ Bank Enhances Cybersecurity Through Zero Trust and ‘Secure-by-Default’ Framework

ANZ Bank Adopts Zero Trust and 'Secure-by-Default' Strategy to Enhance Cybersecurity


Dr Maria Milosavljevic (Image credit: ANZ Banking Group)

Brief Overview

  • ANZ Bank is rolling out a cybersecurity plan over three years, centred on Zero Trust and ‘secure-by-default’ concepts.
  • The bank’s plan revolves around three main objectives: integrating security, enhancing resilience, and facilitating business change.
  • ANZ has participated in organisation-wide cyber drills to prepare for major incidents, pinpointing improvement areas through practical scenarios.
  • The Zero Trust approach prioritises rigorous authentication processes, network division, and automated security mechanisms.
  • ANZ collaborates with external service providers, regulators, and industry peers to foster joint accountability in cybersecurity.

Zero Trust and ‘Secure-by-Default’: ANZ’s New Cybersecurity Framework

ANZ Bank is embarking on its first year of an ambitious corporate security initiative that emphasizes the integration of strong security measures, resilience building, and fostering innovation within the organization. This is part of a continuous effort to enhance the bank’s cybersecurity infrastructure, with a focus on Zero Trust and ‘secure-by-default’ methodologies.

This groundbreaking approach highlights the necessity for holistic security given the rising sophistication of cyber threats. Dr Maria Milosavljevic, ANZ’s Chief Information Security Officer (CISO), is at the forefront of this project, which received approval from the ANZ Board in early 2024.

Three Key Pillars of Cybersecurity at ANZ

ANZ’s cybersecurity framework is constructed on three essential pillars:

1. **Integrating Security Throughout the Organisation**: Security is no longer tasked to a singular department; it is now a collective obligation among all teams within the bank. This collaborative shift guarantees that security permeates every layer of the organization.

2. **Enhancing Resilience**: ANZ collaborates closely with third-party service providers and regulators to reinforce its defenses against emerging cybersecurity threats. This involves improving contractual arrangements and fostering trustful partnerships.

3. **Facilitating Business Change**: As ANZ adapts to digital transformation, it is crucial that security does not obstruct innovation. The bank seeks to promote rapid yet secure experimentation within its business units, ensuring security acts as an enabler rather than an impediment.

Getting Ready for Cyber Incidents: Practical Simulations

Preparedness for cybersecurity incidents is a primary concern for ANZ. In November 2023, the bank executed an enterprise-wide cyber simulation with prominent decision-makers and implementers. This exercise was modeled on a genuine incident impacting another entity, compelling ANZ to evaluate its readiness for similar issues.

The simulation yielded valuable feedback, enabling the bank to highlight weaknesses in its incident response procedures. Smaller-scale activities have also been implemented across its operations in Australia, New Zealand, and the Pacific regions, along with joint drills with Suncorp Bank, emphasizing the significance of cross-organizational preparedness.

Essential Insights from Cyber Exercises

The cybersecurity drills have highlighted the necessity of:
– **Clarity in Incident Response**: Employees need to know their responsibilities during a cyber incident, including backup plans for key decision-makers who may be absent.
– **Maintaining Operational Continuity**: Incident response strategies should ensure that the right personnel are present and recuperated during an extended crisis.
– **Communication with Stakeholders**: Effective communication strategies are crucial to keep regulators and partners updated as incidents develop.

Building Resilience through Third-Party Collaboration

In today’s interconnected ecosystem, no entity functions in seclusion. Acknowledging this, ANZ is focused on cultivating strong partnerships with its third-party providers and regulators, realizing the significance of a shared accountability model.

Cybersecurity agreements are being meticulously examined to ensure mutual understanding of expectations. However, it’s not solely about contractual details—ANZ is also dedicated to fostering ‘soft relationships’ based on trust and ongoing collaboration. This strategy guarantees that both the bank and its partners are coordinated in protecting sensitive data.

Zero Trust Framework: A Multi-Layered Security Approach

ANZ’s strategy encompasses the application of a Zero Trust framework, a thorough security design that operates on the principle that no entity—inside or outside the network—should be trusted by default. This framework replaces conventional perimeter-focused security models with ongoing verification and segmentation.

Core Elements of Zero Trust at ANZ

– **Enhanced Authentication**: Improved methods, such as multi-factor authentication (MFA), ensure that users are accurately identified before accessing resources.
– **Network Division**: By partitioning the network into smaller, secure segments, ANZ can restrict the proliferation of potential threats.
– **Automated Security Mechanisms**: Shifting from manual to automated verification of security controls enables ongoing surveillance. This provides the bank with real-time insights into its security status and risk levels.

Facilitating Business Change with Security

Security is often critiqued for hindering innovation, but ANZ is striving to alter this perception. The bank has implemented an “experiments at pace” framework that empowers various departments to innovate swiftly while adhering to security requirements.

ANZ is equally devoted to simplifying compliance processes for its employees through user-friendly tools and frameworks. This enables staff to experiment and innovate within a secure context, encountering minimal obstacles.

Conclusion

ANZ Bank is taking decisive actions to advance its cybersecurity framework through a consolidated approach rooted in Zero Trust and ‘secure-by-default’ principles. The bank’s three-year strategy is structured around embedding security across the organization, enhancing resilience against cyber threats, and facilitating business transformation. By participating in hands-on cyber exercises and strengthening collaboration with external partners, ANZ is progressing toward a more secure and resilient financial institution.

Q&A

Q: What is the Zero Trust framework, and why is ANZ implementing it?

A: The Zero Trust framework is a security model that necessitates continuous verification of user identity and device integrity prior to granting network access. ANZ is embracing Zero Trust to bolster its security defenses by operating on the principle that no entity, whether internal or external, can be accepted as trustworthy by default. This reduces risks from both external and internal threats.

Q: How does ANZ’s cybersecurity strategy drive business transformation?

A: ANZ’s strategy includes an “experiments at pace” framework that enables different business units to innovate swiftly and securely. This framework equips employees with tools to self-manage security while exploring new concepts, ensuring a seamless integration of innovation and security.

Q: Why are third-party connections vital in ANZ’s security approach?

A: In a connected framework, third-party providers may introduce vulnerabilities. ANZ is dedicated to solidifying its relationships with third-party providers through clear agreements and trust-building initiatives. This fosters mutual accountability and enhances resilience against cyber threats.

Q: What types of cybersecurity drills has ANZ undertaken?

A: ANZ has engaged in both extensive, organization-wide cyber simulations and smaller, regional drills. These activities are aimed at helping the bank gauge its readiness for cyber incidents and uncover areas needing enhancement. The simulations involve key decision-makers and implementers to ensure preparedness at every level.

Q: How is ANZ planning to incorporate security throughout its organization?

A: ANZ strives to ensure that security is a collective responsibility shared among all business units rather than isolated in a single department. By weaving security into every component of the organization, ANZ guarantees that all employees are accountable and contribute to the overall cybersecurity posture of the bank.

Q: What is the role of automation in ANZ’s security strategy?

A: Automation is a fundamental aspect of ANZ’s security approach. By automating the verification of security controls, the bank can continuously monitor its security status in real-time. This transition from manual to automated procedures enables ANZ to detect and address threats more adeptly, ensuring round-the-clock protection.

Leave a Reply

Your email address will not be published. Required fields are marked *