ANZ Bank Adopts Zero Trust and ‘Secure-by-Default’ Strategy to Enhance Cybersecurity
Brief Overview
- ANZ Bank is rolling out a cybersecurity plan over three years, centred on Zero Trust and ‘secure-by-default’ concepts.
- The bank’s plan revolves around three main objectives: integrating security, enhancing resilience, and facilitating business change.
- ANZ has participated in organisation-wide cyber drills to prepare for major incidents, pinpointing improvement areas through practical scenarios.
- The Zero Trust approach prioritises rigorous authentication processes, network segmentation, and automated security mechanisms.
- ANZ collaborates with external service providers, regulators, and industry peers to foster joint accountability in cybersecurity.
Zero Trust and ‘Secure-by-Default’: ANZ’s New Cybersecurity Framework
ANZ Bank is embarking on its first year of an ambitious corporate security initiative that emphasizes the integration of strong security measures, resilience building, and fostering innovation within the organization. This is part of a continuous effort to enhance the bank’s cybersecurity infrastructure, with a focus on Zero Trust and ‘secure-by-default’ methodologies.
This groundbreaking approach highlights the necessity for holistic security given the rising sophistication of cyber threats. Dr Maria Milosavljevic, ANZ’s Chief Information Security Officer (CISO), is at the forefront of this project, which received approval from the ANZ Board in early 2024.
Three Key Pillars of Cybersecurity at ANZ
ANZ’s cybersecurity framework is constructed on three essential pillars:
1. **Integrating Security Throughout the Organisation**: Security is no longer the responsibility of a single department; it is now a shared obligation of all teams within the bank. This collaborative shift ensures that security permeates every layer of the organization.
2. **Enhancing Resilience**: ANZ collaborates closely with third-party service providers and regulators to reinforce its defenses against emerging cybersecurity threats. This involves improving contractual arrangements and fostering trust-based partnerships.
3. **Facilitating Business Change**: As ANZ adapts to digital transformation, it is crucial that security does not obstruct innovation. The bank seeks to promote rapid yet secure experimentation within its business units, ensuring security acts as an enabler rather than an impediment.
Getting Ready for Cyber Incidents: Practical Simulations
Preparedness for cybersecurity incidents is a primary concern for ANZ. In November 2023, the bank executed an enterprise-wide cyber simulation with prominent decision-makers and implementers. This exercise was modeled on a genuine incident impacting another entity, compelling ANZ to evaluate its readiness for similar issues.
The simulation yielded valuable feedback, enabling the bank to highlight weaknesses in its incident response procedures. Smaller-scale activities have also been implemented across its operations in Australia, New Zealand, and the Pacific regions, along with joint drills with Suncorp Bank, emphasizing the significance of cross-organizational preparedness.
Essential Insights from Cyber Exercises
The cybersecurity drills have highlighted the necessity of:
- **Clarity in Incident Response**: Employees need to know their responsibilities during a cyber incident, including backup plans for key decision-makers who may be absent.
- **Maintaining Operational Continuity**: Incident response strategies should ensure that the right personnel are available and rested during an extended crisis.
- **Communication with Stakeholders**: Effective communication strategies are crucial to keep regulators and partners updated as incidents develop.
Building Resilience through Third-Party Collaboration
In today’s interconnected ecosystem, no entity operates in isolation. Acknowledging this, ANZ is focused on cultivating strong partnerships with its third-party providers and regulators, recognizing the significance of a shared accountability model.
Cybersecurity agreements are being meticulously examined to ensure mutual understanding of expectations. However, it’s not solely about contractual details—ANZ is also dedicated to fostering ‘soft relationships’ based on trust and ongoing collaboration. This strategy guarantees that both the bank and its partners are coordinated in protecting sensitive data.
Zero Trust Framework: A Multi-Layered Security Approach
ANZ’s strategy encompasses the application of a Zero Trust framework, a thorough security design that operates on the principle that no entity—inside or outside the network—should be trusted by default. This framework replaces conventional perimeter-focused security models with ongoing verification and segmentation.
Core Elements of Zero Trust at ANZ
- **Enhanced Authentication**: Improved methods, such as multi-factor authentication (MFA), ensure that users are accurately identified before accessing resources.
- **Network Segmentation**: By partitioning the network into smaller, secure segments, ANZ can limit the spread of potential threats.
- **Automated Security Mechanisms**: Shifting from manual to automated verification of security controls enables continuous monitoring. This provides the bank with real-time insights into its security status and risk levels.
Facilitating Business Change with Security
Security is often critiqued for hindering innovation, but ANZ is striving to alter this perception. The bank has implemented an “experiments at pace” framework that empowers various departments to innovate swiftly while adhering to security requirements.
ANZ is equally devoted to simplifying compliance processes for its employees through user-friendly tools and frameworks. This enables staff to experiment and innovate within a secure context, encountering minimal obstacles.
Conclusion
ANZ Bank is taking decisive actions to advance its cybersecurity framework through a consolidated approach rooted in Zero Trust and ‘secure-by-default’ principles. The bank’s three-year strategy is structured around embedding security across the organization, enhancing resilience against cyber threats, and facilitating business transformation. By participating in hands-on cyber exercises and strengthening collaboration with external partners, ANZ is progressing toward a more secure and resilient financial institution.