Cyber Security Awareness Month 2025

Cyber Security Awareness Month is an annual reminder to protect yourself online and secure your devices and accounts from cyber threats.

This Cyber Security Awareness Month, the Australian Government theme is ‘Building our cyber safe culture’.

For more information including resources, assets and stakeholder kits visit Cyber Security Awareness Month.

Home Affairs Cyber Month Webinars

Securing Australia Together Webinar

Lieutenant General (LTGEN) Michelle McGuinness CSC, National Cyber Security Coordinator, has joined forces with Australia’s big four banks to empower small-to-medium businesses to strengthen their cyber security through this joint webinar.

In the first ‘Securing Australia Together’ webinar, LTGEN McGuinness joined the Chief Security and Information Officers of ANZ, CBA, NAB and Westpac. They discussed Australia’s biggest cyber challenges and how the National Office of Cyber Security (NOCS) and big four banks are working together to address them.

 
Securing Australia Together Webinar

Jess THOMAS

Good morning, everyone, and welcome to the Securing Australia Together webinar. It's a pleasure to have you all with us today. I'm Jess Thomas, an assistant director at the National Office of Cybersecurity. I'd like to begin by acknowledging the traditional custodians of the lands from which we are all joining today.

I'm joining from the lands of the Gadigal people of the Eora nation. I would like to express my respect and gratitude to the elders, past and present, and extend that to any First Nations people who have joined us today.

Alison Pike

I'll leave you with it.

Jess THOMAS

The purpose of this event is to highlight how the big four banks and the NOCS are working to secure Australia against cyber threats together, and we are very lucky to have some incredible speakers which I will formally introduce shortly. But first I'd like to take you through some housekeeping.

Due to the large number of attendees, microphones and cameras are switched off for all attendees. This event will be recorded and made available at a later time by the banks' websites and by the National Office of Cybersecurity. Information about how to access the recording will be distributed following the event. You will also receive an e-mail with a list of cybersecurity resources to help your business. This is the first Securing Australia Together webinar, but we would like for it to continue and would value your feedback to make the next edition even better. If you would like to provide feedback, please follow the instructions in the e-mail you will receive following this event. Shortly, we will hear from the National Cybersecurity Coordinator, Lieutenant General Michelle McGuinness.

The coordinator has come to us from a 30 year military career both in Australia and overseas. She was appointed to the role in February 2024. As coordinator, General McGuinness leads national cybersecurity policy, the coordination of responses to major cyber incidents, whole of government cyber incident preparedness efforts and the strengthening of Commonwealth cybersecurity capability. Following the coordinator's address, she will moderate the panel discussion with ANZ's Chief Information Security Officer, Doctor Maria Milosavljevic, Commbank's Chief Security Officer Nicola Nicol, NAB's Chief Security Officer Sandro Bucchianeri and Westpac's Chief Information Security Officer Richard Johnson. Following this there will be a short audience Q&A where we will put to the panel some of the questions you submitted during the registration process. We received too many questions to answer during the allocated time, but have chosen a representation of the key themes that came through. We hope you leave today with a stronger understanding of how to strengthen the cyber security of your own business and a sense that as a nation we are on our way to securing Australia together.

With that in mind, I will now hand over to the National Cybersecurity coordinator.

Apologies, Michelle. I think you're on mute.

There we go.

Michelle McGuinness

Thank you, Jess. Thank you so much for that and good morning, ladies and gentlemen. I am so pleased that you all made the time in your busy schedules to attend today. It tells me that you know that cyber threats pose significant risk and you know what it could mean for your businesses and more than that, potentially for your livelihoods. Your attendance, I believe, is a critical step toward not only securing yourself against these threats, but as Jess has mentioned, securing Australia together. This is a journey that we're on together.

We want you, that is, all the small and medium business owners out there, to leave today being super clear about what's at stake, what you can do, what you can start, what you can continue so that you can secure your business from cyber threats.

And I don't think there's any better time to do this than during the 2025 Cybersecurity Awareness Month, which is now. Let me just take a minute to add my personal acknowledgement of the custodians of the lands on which we all join from today. And I pay my respects to elders, past and present, and extend that to any First Nations people who are joining us today as well.

And of course, thank you to our great panel who will be sharing expertise. Their collective knowledge and experience is incredibly valuable to us and demonstrates how essential our partnership is, the partnership between government and business, and what we're doing to strengthen our nation's cybersecurity.

My hope is that during this hour it will give you a practical jump start, give you steps no matter where you might be on your journey to uplift your own cyber security. Our panel will detail the most important answers to the questions that you and your customers have, including the cyber threats and the risks they pose to your business and clients. We'll also hear about cybersecurity investments and what role AI may play in all of this.

Importantly, we will start with discussing how to build a cyber safe culture in your business.

This is really important and where I do want to start. It is fundamental and foundational to our strategy, the Australian Cybersecurity Strategy, and the success of our vision. Under that strategy, my team, the National Office of Cybersecurity or the NOCS, and I work to uplift and support the resilience of our government, our businesses and citizens, and we do that every day in order to prevent, prepare, respond to and recover from cybersecurity incidents. We cannot do this without support and engagement from across all sectors. This includes sharing knowledge and strengthening our partnerships and relationships. That's why a key priority is really helping every Australian to do their part to become more secure.

Whether it be in our homes, our schools, our workplaces, absolutely everyone has a role to play for Australia to be cyber secure. We really are only as strong as our weakest link. As business owners, many of you, I suspect, without dedicated IT teams, I know there is a lot on your shoulders and if you do have staff they are juggling so many other tasks.

So many of you tell us that you find cybersecurity rather new and daunting, and sometimes it can be paralysing. That's why we're taking this partnership approach. The government seeks to reduce the burden on small businesses in every way that we can, and we want to help you do what you do best, which is focus on your business and the goods and the services that you provide.

Ultimately, we want to and need you to thrive. We want you to be innovating and delivering and not paralysed by cybersecurity threats, or not even knowing where to start. So today's event, the first of its kind, as Jess said, demonstrates this partnership approach in action.

We know that the daily running of a business takes so much of your time, energy, budget and attention. In fact, it might take everything you have. If you're like many people, this means you might be putting off the tasks of working out what cybersecurity is about and what you can do about it.

You may be unsure about where to start, and it would be very natural to put this in the too-hard basket, crossing your fingers, closing your eyes and hoping that things will be OK.

But even the last 18 months tells us there is too much at stake to rely on luck. More than ever, it's proving to be a question of when, and not if a cyber-incident will happen. I've been in this role, as Jess said, for just over 20 months, and I'm supported by a great team of people who work hard at delivering our cyber strategy every day which seeks to position us as a world leader in cybersecurity.

For those who aren't aware, the strategy is structured around 6 Shields.

These Shields together create interlocking layers of defence. It includes ensuring that our technology is safe, particularly for our smart devices, that we have mechanisms to rapidly share and block threats to protect our critical infrastructure.

It also seeks to enhance our sovereignty, making us less reliant on supply chains we can't control, building our workforce and of course building a resilient Indo-Pacific region and being a leader in the world.

All of that said, small and medium businesses are right at the very heart of our strategy and have their own shield, in shield one. More than 97% of Australian businesses are considered small businesses. So what you do every day keeps us as a nation running.

Small business owners are disproportionately targeted by cyber criminals because they are seen as a soft underbelly and easier mark. The risks are high and the costs are growing, but you're not alone.

We, as the government are working with businesses to ensure that you are protected from cyber threats and as you can see today, our big industry and our banking partners are with us on that journey.

Genuine partnership with government and private enterprises have and will continue to build on our respective strengths and are the absolute jewel in our crown in getting after this threat. Today, we're going to benefit from, as I said, the incredible and valuable insights of our nation's largest banks. I think they know better than anyone where vulnerabilities are and are sharing today so that you can strengthen your own cyber defences for your businesses.

And ultimately we drive uplift through this across the nation because when it comes to being cyber secure, we are all connected.

As the banks know, many of the cyber incidents and online scams are successful because of unwitting participation by intended victims. In other words, so much of this includes human error. Maybe the biggest piece and the most affordable way we can be efficient in uplifting our cybersecurity is to actually uplift our awareness as humans.

You know, the minister said it at the AFR Summit recently that we need to build a human firewall.

This requires a cultural shift. The best protection you can offer your business is to raise the consciousness of your people around what are good cyber health practises, because cybersecurity is everyone's business.

We know that cultural shifts are also hard and challenging. As leaders, we all have a role to play in making this happen across our organisations, to strengthen that human firewall and make sure that we're as prepared and resilient as we can be when attacks occur.

This means embedding security across every function of your business. This is not just an issue for our IT experts. Like any significant business risk, this requires awareness, training and prioritisation. I'm really looking forward to hearing from our panel on changing our culture, but also on supply chain vulnerabilities and how critical it is to understand your connections and networks, as well as rehearsing scenarios by running through an incident. These are some of the best ways to identify our connections and potential vulnerabilities, so you'll know the state of play. And you don't want to be doing this for the first time in the middle of an incident, so practising and having plans are really important.

Before we share these discussions and I turn to the panel, I do want to say we know people need practical, simple steps if they're going to embrace cybersecure behaviours. So we have a few resources out there for you. Our key message is obviously at the forefront, Act Now Stay Secure. This is a government campaign. We have a website that outlines 3 key actions for every Australian to protect themselves online. It won't surprise you and hopefully you've seen the media, use a unique and strong pass phrase for every account. Don't share passwords.

Install all software updates to keep your devices secure and always set up multi factor authentication when available. In addition to that, we want everyone to be aware of the proliferation of scams and how to recognise them and what to do. Don't respond. Hang up. Source your own confirmed telephone number or e-mail to contact your bank if you think it's legitimate. There are absolutely simple actions we can all do and they work, whether you're an individual or a business. Please visit actnowstaysecure.gov.au. I'm also really excited to share with you a new cyber health check tool. It's been developed with the Australian Signals Directorate.

It's a simple 5 minute cybersecurity assessment, perfect for small businesses and not-for-profit organisations. And in fact it's custom made for people who want to know where to start.

This plain English tool asks simple cybersecurity questions and provides an instant cybersecurity health check score and rating. Not only that, but a tailored action plan along with a prioritised list of actions that you can take after you've done.

It's a health check to improve your own cybersecurity.

Visit cyber.gov.au to access the cyber health check tool, along with a range of other free resources like the ransomware playbook and a host of other things that we put on that site.

The government also offers one-on-one assistance with cyber capability challenges, resilience and recovery through the small business Cyber Resilience Service program. This can be accessed through idcare.org/smallbusiness. These resources will be shared with you at the end.

Before I wrap up and turn to our fantastic panel, let me just touch on the cyber elephant in the room: AI. We are experiencing AI's benefits and beginning to better understand its risks and it's happening really quickly. Notwithstanding the immense opportunities that AI offers, it will almost certainly increase national security risks, likely to be compounded by potential risks that we haven't contemplated yet relating to data security, integrity and more. The Australian government is taking steps to mitigate the risks presented by AI.

They include providing practical guidance to Australians through the voluntary AI safety standards to support businesses to adopt AI in a safe manner. We're also publishing advice from the Australian Signals Directorate on how to safely engage with AI and best practices for deploying secure and resilient AI systems, so you can get it right from the start and embed that security culture across your organisation and in the applications that you're embedding. The government is also engaging internationally to ensure global governance of AI strengthens safe and responsible practices across the world because we are so interconnected.

Ultimately, we must embrace AI if we don't want to get left behind and we should be able to leverage the immense benefits and the potential that it offers. But we should also do so safely.

With that, I am super keen now to share the challenges with our esteemed panellists and hear from them on how we can all be more secure. So with that I would really like to start with you, Richard. I've talked a bit about the threat environment and the importance of working together.

From your perspective, how are we responding to these threats together?

Richard Johnson

Thank you, general. So if I cast my mind back, I can still remember the day of the attack really well. 4th of July 2003, a fake website appeared. A ghost website trying to get usernames and passwords off Westpac customers.

It was hosted in Florida on the 4th of July. It was poorly constructed, bad language, Cyrillic, Russian on the bottom of the page, and it was very, very effective because we had trained people to trust any website and enter information without trusting it.

We realised then by talking to our peers that ANZ NAB CBA were all being targeted at the same time by the same adversary and we realised that the logical course of action for us was to collaborate against this new threat which today we all would recognise as phishing sites, and share this attack data of these innovative attacks and also what defences were proving effective against this new threat. So what we effectively, we had realised 22 years ago was that against a common enemy, only a coordinated defence makes sense.

And so the Interbank Security Forum was formed and it is still meeting 22 years later, still proving effective at sharing that attack data and countermeasures now. Back then, there were about 10 CISOs in the country. I knew them all personally. Today it's a bit bigger, but the fact is attackers have a lot of advantages and they're criminals after all, so they can operate outside of a lot of the constraints we have and they actively collaborate. And so against us, it's common sense that we should do the same.

Now, fast forward to today and from the small beginnings, there are hundreds of CISOs in Australia as the threat actors have dramatically expanded their focus to other targets. Indeed, all of the people are joining us here on this call today. The fact is, today it's not just banking, telcos and government. Cyber threats target all businesses, all individuals, regardless of size or sector. Now one of the unique advantages Australia does have compared to say the US or UK, we're reasonable scale, but we're still small enough that the cybersecurity community knows and trusts itself and is willing and able to share telemetry in a trusted way. And we haven't gone down the path of some other nations that are very litigious when there's incident response and lawyer up and don't share, and I hope we never do. The fact is that a key strength of combating our adversaries is that we collaborate during incidents, and during major incidents that many of us on this call have worked through is that in those events that trusted network of sharing attack and control data freely between ourselves, between our government colleagues is absolutely crucial to our collective defence as a nation, as we build a picture of what our adversaries are doing and what countermeasures work most effectively for them. And it's for this reason that Westpac and our peer banks who are here today and the Cyber Coordinator and government are very active in the broader cyber community. We treat all security intel as non-competitive and we will actively collaborate with any other white hat against those common enemies. And the fact is that we need to protect not just ourselves but our supply chain and the ecosystem.

Our customers, our peers, our investors, our suppliers, it's all part of the ecosystem that collaboratively and effectively we need to secure. And by doing that we can ensure that my customers who are also your customers, who could be your supplier, your investor, your mum and dad, by working together we can make sure that they are secure and suitably protected. One of the exciting examples where everyone here today is working together is through the National Cyber Intel Partnership under the leadership of General McGuinness and the Threat Blocking Working Group, where we've gone from those early days of reacting to phishing to where all the banks, now telcos and other companies are joining in to actively share live attack data and enable active blocking through telcos and big tech to protect Australians while the attacks are still active. It's that kind of effective grassroots collaboration that I think has a lot of hope for the future.

And it's very exciting that through sheer force of will, the people on this call are able to do that. The fact is that effective collaboration creates a force multiplier effect and can significantly magnify the impact of our individual contributions.

Because the simple fact remains against a common enemy, only a coordinated defence makes sense.

Michelle McGuinness

Which is fantastic. Thank you. It’s a great call to action: collaboration, not competition. I hope that those listening are reassured that reaching out to your peers and collaborating and seeking help at times of crisis is absolutely critical. And you showed your depth of experience there as well, Richard, back when Australia had 10 CISOs. That's the kind of experience we're leaning on here.

Let's go to Nicola. So when thinking about security investment, how do you balance your interests with Australia's national interests?

Nicola Nicol

Look, that's a really interesting question. And I think because if you actually zoom out and and look at the context of the Australian ecosystem, Australians are deepening their engagement across our digital ecosystem, whether it's through banking, whether it's through e-commerce, etcetera. And if you if you take an example.

You know, at CBA we've got 9 million customers using our app every month and logging on like 12.7 million times a day, like that's the norm and and my peers see the same thing, right? We, we collectively see that engagement across our digital ecosystem growing. So we're constantly investing and innovating and looking at how, how we solve some of the more complex cyber challenges that are emerging and, and part of that is actually about investing in safeguarding Australians through partnership and that's a part of our strategy overall. And I know again that is echoed across across the other banks.

Now let me give you a couple of examples of what that means in practice. So the first is investing in partnerships with government. So you know the cybersecurity strategy, 2023 to 2030, lays a great foundation for lifting Australia's cyber capability. And part of that is about cultivating this, you know, improved partnership between government and industry and the Executive Cyber Council, which General McGuinness also sits on and actually co-hosts that session and really brings industry together to look at how can we help deliver on those horizons. So investing in that conversation I think is really critical.

And personally, an area that I'm most close to is an investment in sovereign capability where what we're looking at is for Australia's collective defence. How do we think about workforce and investing in our cyber workforce? How do we think about investing in research capabilities and making sure that Australian research capability is really focused on the problems that corporate Australia need to solve and also thinking about in how we support Australian start-ups in our cyber economy overall?

Now we also though invest in partnerships with our peers. So Richard's already talked about some of that intelligence sharing that we do, but another area on which we look at the Australian national interest as we partner with with one another on getting match fit in the middle of a cyber attack. So we've talked about that and and General McGuinness, you mentioned you know, making sure you have a plan and a recovery plan at the ready. One of the things that we do is we work together to look at how would we collectively respond at a national level. And again, I think that's really, you know, a great demonstration of how we are doing. So that we are well prepared to defend Australia's national interests and then maybe the final thing I'll comment on is we also invest in partnerships to help build the Australian economy. So one area that I'm particularly proud of is some of the commitment we've made to investing in cyber companies that are indigenously owned in Australia and and I think that's a great example of where the investment is not only in sovereign capability but supports an indigenous community, it supports the growth of talent and indigenous education and employment programmes. So I think those are a couple of examples where we really together all work to balance both our individual investments that we need to make in our in our capabilities, but also really investing in national interest and National Defence.

Michelle McGuinness

Look for the audience out there as a service member, I was incredibly struck and inspired by the national interest that all of our partners demonstrate in this. I'm pretty proud to say that when an incident happens, I'm not only getting calls from victims, but from experts across the nation saying how can I help? I hope that reassures you and it should encourage you to reach out to your providers.

Amazing people and the services they offer to ensure that you're connected in whatever they're offering. Let's move on to Sandro. So we're hearing a lot about AI at the moment. Maybe a bit remiss of me to talk about it as an elephant in the room, but what threat do you believe it poses, and how can it be used for good in cybersecurity, and how do you work together to combat that threat?

Sandro Bucchianeri

Good morning. Thank you. That that's a great question. I think from my side, you know AI is both friend and foe and it's essentially a double edged sword. The challenge that you have is because it's easily and readily available just like cloud was when it came out, you know about a decade or so ago.

The same challenge happens now. AI is readily available. The bad guys have access to the same tools we have as defenders and, as Richard mentioned, they have no boundaries. There's no legislation that they need to contend with. There's no privacy act or whatever the case may be.

So they use it rapidly. If you think about any of the emails you receive now, those phishing emails, have you ever seen a bad phishing e-mail? Probably not, because they're using AI to craft this perfectly worded e-mail. So that's the one, at least on the bad side. And it creates new routes to attacks. What we typically talk about in our area is the attack surface, or the attacks that come through the surface area, has just grown exponentially because of AI, and it's a key enabler to increase those attacks for that reason.

Where we see AI helping us is think of two supercomputers playing chess against each other. That's essentially where we would get to, where you'll have an attacker AI and a defender AI trying to see who is better than the other and getting into your environment.

I think that we can definitely use AI to help uplift our own defences. The number one question that I get, and I know Richard, Maria and Nicola get the same question, is how do you guys sleep at night? And I think with the advent of AI, where we want to go to as a nation and to protect everyone, our customers, our own colleagues, I think AI is going to help us defend much faster than we have in the past. But all of this comes down to doing the most basic thing and that's hygiene. We've been talking about getting hygiene right forever and a day: making sure you're patching your systems, you're using multi factor authentication and the like. And if you just do those basics, the Essential Eight is a great tool that most of the businesses can use right now. It's a great way to get yourself started to increase your or improve your overall security posture. I think that's how we then defend ourselves against bad actors that are trying to get into our environments.

And then I think the last thing is as AI is accelerating at great pace, you think about it, in the last 2 1/2 years we've gone from generative AI, which everybody just couldn't believe how quickly AI was growing, going to agentic AI, which is now bots, autonomous bots basically booking your holiday for yourself without you. Just say, hey, I want to go to Fiji, can you book me a holiday for five days? And it just goes off and does it for you. The attackers are using that and that's the chess analogy. But I think it may be daunting because it's new technology right now, but I think working together and collaboratively sharing our knowledge that we have, I think that's going to be the greatest defence that we have as a nation.

Michelle McGuinness

Hey, Sandro, it's so fantastic to hear you articulate it so clearly and in those simple steps and that the Act Now Stay Secure actions are really important to baseline hygiene, whether you're talking about a start up business or AI and again collaborating together. I do think this is an area where we need to work as a nation and lift threats further upstream, and we're working with our big industry partners and our providers to do what we can for the Australian economy to protect it, but secure at its outset is a great approach. So Maria, let's come to you. I'd really love to hear your views on building a cyber aware culture and what that actually looks like in practice. This is a challenge for all of us and I'd love to hear your views.

Maria Milosavljevic

Absolutely. I think one of the most important things is that it's about shared responsibility and workforce readiness, because this goes to the heart of cyber resilience and shared responsibility. When we talk about things like securing Australia together or responding together, it means everyone. It means within an organisation, from the board down, every employee, every contractor plays a role. It means our customers need to take steps to make sure that they prepare themselves. But we need to take responsibility to educate them, to make sure that they are aware.

So at ANZ for example, we have a lot of in-app messaging. We have a security hub, we use social media, we run events, etcetera. It also means our supply chain. We've heard a little bit about that today and it means, you know, having dedicated teams that manage relationships with vendors and suppliers to make sure that everyone understands their role, and everyone remembers that risks do not live in silos. It means government and industry working together to make sure that we all understand what are the most important things. And I mentioned the Essential Eight. What are the most important things to do to prevent things from going wrong? What do you do when something does go wrong? How do you all work together? And then we've also heard a lot this morning about the security community. As CISOs we don't compete because we know we're all playing for the same team. When we secure our banks, we're securing our economy. We're securing our way of life, we're securing our future as a country.

And so within an organisation that workforce readiness is absolutely critical and research shows us that people learn more from their own organisations about cybersecurity than they learn it from anywhere else. So we all have a responsibility.

Building a cyber aware culture is not just my job as the CISO, it is a shared responsibility. It involves every single individual, every single day. It means protecting our organisation and our customers from threats, and it requires everyone to be alert, informed and fully engaged.

It's really very similar to the way that we deal with other hazards in life. We all know how to call emergency services. We teach our children how to do that when they're really young. We also teach our children how to swim when they're young, and we teach them to swim between the flags.

And every home owner knows that they have to clean their gutters to reduce the risk of a fire. It's their responsibility. It's exactly the same with cybersecurity, because ultimately it's about a resilience mindset, and that starts with workforce and it builds that whole ecosystem so that we all make sure that we are working collaboratively, everyone remains curious, collaborative, prepared to act under pressure, because ultimately it's what we do when things go wrong that really makes a difference and matters most. So at ANZ, like all of my colleagues, we invest in things like ongoing training. We foster a culture of vigilance, we partner with many others and make sure that we all understand what we need to do. The future of cybersecurity really relies on us all playing our part every single day.

Michelle McGuinness

Yeah, I couldn't have said it better. Thank you so much. It does require every one of us on this call on this webinar today to get to a point where our actions in the cyber domain are innate and that security, that's what it means to have a cybersecure culture, to know that you, to clean your gutters, to know that you need to put on your seat belt. Well, to know that you need to update your software, you need to use passphrases. You need to be alert to those scams, so thank you so much. Look, I am so excited we're going to come to some questions from the audience, but first I'm going to put you on the spot and do a quick hot round. I'm going to ask you to click and I'm going to go in reverse order. I'd love it if each of you could give me your top two things that customers should do right now to improve their cybersecurity. Maria, let's start back with you.

Maria Milosavljevic

So my top two, the first one would be make sure you understand what are your most critical services and what do they depend on. Because if you don't understand that then you're not going to be able to have a resilient business. And the second thing is make sure you rehearse. Make sure everyone is empowered to act. Everyone understands what they need to do and what they are allowed to do when things go wrong, those who might talk to.

Michelle McGuinness

OK Sandro over to you.

Sandro Bucchianeri

And I don't want to repeat what Maria said, but two things. One, breathe, take a breath. It's easy. You don't realise how important it is when you're actually taking a breath. If you cross the street and you're looking left and right, you are pausing because your physical safety is important to you. The same should apply when you are online.

You're clicking a link or whatever the case may be. The second thing is get the basics right. If you get the basics right. I know it's boring. It's not as cool as AI and quantum computing, but if you get the basics right, it goes a long way in protecting yourself and your organisation from those threats that come. Because if you look at any of the attacks that have happened over the last ten years, let's just take 10 years, nine out of the 10 times, it's been the basics that were not done correctly. So those will be my top 2 tips.

Nicola.

Nicola Nicol

OK, top two for me. First one would be a little bit of a mindset takeaway, which is think like an attacker. So it's probably building a little bit on Maria's comments about knowing your business and what's important to you. But also, like, know your weak spots. So think about how the attacker is going to go after you.

If you take something like Jaguar Land Rover and as an example, which we've recently as a community been talking about, you know it wasn't so much for them about their data. It was about disrupting their overall business. And there's their manufacturing business. So think about not only what's most important to your business, think like an attacker who might they attack you and what are your weaknesses?

And if you can look to protect those first, I think that's really, really critical and maybe the second one, a really simple one. I go with, which is who's your phone a friend? Well, I know my phone a friend that's right in the middle of an incident that actually in the first in the middle of an incident, your first phone, a friend. Everyone’s is absolutely the Australian Cybersecurity Centre without a doubt. But what if you're looking for advice and guidance, or you're concerned about something, like who is your phone a friend? I think for us it's the peers on this call. But I think that's a good thing to think about, who you're calling. Those are my 2.

Michelle McGuinness

Amazing. Richard, bring us home.

Richard Johnson

Now this is really good stuff. I'm busy typing it down because I want to use some of this. I think it's fantastic and I don't want to repeat. So what can I add to that body of knowledge I would say.

What is your security perimeter? And if you think it's your building and your internal network, think again because the reality is it expands deeply into your supply chain and out to your customers and through your partners and the community. And that's the mindset you need to adopt when you think about cyber and prepare your defences. It's that ecosystem that you need to approach and defend, not just your internal network. And building on what we said before, do you have a cyber response playbook? And where is it and how do you get to it when you really need it and have you prepared it in advance and most importantly, rehearsed it? Especially the first hour, so that like training hard, fight easy, it's a drill and you're very used to what everyone needs to do when you've got all the people that might be involved to have gone through dry runs and practice this and rehearse ahead of time for that when you need it. It's muscle memory for not just your cyber team but the broader organisation, comms, media, government relationships, suppliers, regulators. All of those teams. If you don't have one, there's one freely available on the ASD website. Westpac has one. I think a lot of our peers probably have them on their website as well, so you can get a free resource there just to kick start that off.

Michelle McGuinness

Amazing. You know, when I think about what keeps me awake at night, people say, how do you sleep? I sleep because I have amazing colleagues and peers across our economy in this sector and in so many others that are helping secure Australia together. This does take everyone.

So with that, now is time to go to some of our audience questions. As Jess said, we don't have time to respond to all of the questions today, but I know my team have been doing their best to consolidate them into themes for us and we will seek to share those questions and get answers out after the event as available. So Jess?

Do you have some questions for us over to you.

Jess THOMAS

Hi, Michelle. Yes, we've received a lot, which is excellent, a lot on AI and we have heard the panel talk about this, but I think the first question might be best placed with you, Michelle. What measures is the National Office of Cybersecurity taking to respond to the AI threat and how can our audience, small and medium businesses, contribute to that work?

Speaker 1

Thanks, Jess. That's a great question. We are relying on our experts and working across the areas of government that have expertise in this. And as I said during my remarks, we're producing safe adoption of AI guides with the help of various organisations including the Australian Cybersecurity Centre at the Australian Signals Directorate.

We're also working with some of our other colleagues that you see here on the screen through the executive side of the Council through working groups, because we know this is one of our significant challenges and massive opportunities as a nation. So we're looking to collaborate and provide best practice and experience vignettes to share across the economy.

And we will seek to publish those in the coming months as we've done research with academics, we've got use cases and we're looking to publish those and share. How can people get involved?

It's a really great question. I get this a lot. I know that we're a small organisation but there are ways that you can communicate with us. If you have a vignette, an example, then you should reach out to the NOCS, but also access all those resources, whether it be on cyber.gov.au which is owned and run by the Australian Signals Directorate, is the home of a significant number of technical resources or ActNowStaySecure.gov.au or even the coordinators page on the Home Affairs website as well, but we'll post all those resources and we do want engagement, so please reach out. I think the most important thing you can do is build peer groups, collaborate across networks and reach out. Understand that if you need help.

Jess THOMAS

Thanks, Michelle. The next question is sort of in relation to the intelligence sharing that we heard both Richard and Nicola speak about. We know that's happening in the banks really effectively, but our audience would like to know how some of that information can be shared with small and medium businesses and other industries in Australia.

Michelle McGuinness

Would you like to take that? I would just start by saying sign up to the ASD programmes with CITIS and you will be a recipient of that information. If you haven't signed up, sign up today. There are individuals that sign up individual business leaders, larger organisations. That's the way that you can tap in and receive and be on the receiving end of that. We also have a range of information sharing organisations as ISACs, but we'll try and get some details in the resources that we share. But Maria, please jump in.

Maria Milosavljevic

Look, one of the main things that I would also suggest is to look up ID Care if you haven't. And Michelle did mention ID Care in her opening comments, they have a lot of resources and a lot of information that they put out around what is happening and where the sort of targeted attacks are for business as well as first aid kits.

And things like that. So definitely go there.

Richard.

Richard Johnson

I'd encourage you to use the resources that are there with the ACSC website cyber.gov.au. There's a lot of material that gets shared, a lot of it gets pushed out in real time, but really importantly myself, my peers, other large organisations, we do a lot of work when a new attack comes out, of which there are many, and we will share that, any Intel or even reverse engineering a tool set or a capability, freely with government and others, and it's through those government sites that's the best possible way to obtain access to that and use that and also give the government telemetry about what's happening so they can better coordinate across the country, so it really is that symbiotic relationship with ACSC and the national coordination mechanism.

Michelle McGuinness

Thanks, Richard. No matter how big or small your organisation is, if you have information on an incident, ACSC need that information. That is how we build our whole integrated picture of everything we know and then we provide advice back to the nation in terms of what they can do about it. I will just very quickly say that in the National Cyber Partnership, we are piloting a range of initiatives that see those that can block threats upstream, be it telcos or service providers, that they block them as they become aware and the banks are huge partners in that in sharing those threat indicators and then we're seeking to have them automatically blocked so that customers aren't victims of scams or cyber incidents, but there's a lot working in the background there that I'm excited about. When we look every day to figure out how we can scale it and make it bigger and more impactful for every Australian. Jess, I believe we have time for more questions.

You're on mute.

Maria Milosavljevic

Play song.

Jess THOMAS

Apologies, I'm back. So related to your response, we have heard a lot about how the financial institutions are collaborating and working together and you've just mentioned telecommunications, but how heavily are you all integrated with the other critical infrastructure sectors and how do you work with them?

Nicola Nicol

I might jump in and take that to start with, and I'm sure others will build on this. So we're really very well integrated. And I think firstly and maybe if I draw a sort of visual picture of this. So firstly, if we think about places like the Executive Cyber Council where we've got a whole lot of different industries represented banks, telcos, supermarkets, you know, small businesses and different but different board industry bodies as well all represented in that forum and working together to look at how do we collectively lean in and on building and executing against the outcomes from each of the horizons under the cyber strategy. So I think that's one really good example where the work is focused on sort of innovation. What can industry do for industry and what can we do together to really deliver on some of those strategic outcomes.

But perhaps then also sort of tucked up going back to a topic I touched on earlier, when we think about being match fit for, you know, responding to some sort of cyber event, again, there's a lot of work we do, which is exercising, but across different parts of our critical infrastructure. So bringing the banks, the telcos, the energy sector together to say how would we, what would a collective response look like, and as an example we had some of my, our colleagues from the energy sector come and join one of our internal crisis management exercises along with NOCS and along with the ASD and along with some of our regulators. So we do a lot of work I think not only on the strategic thinking and through the lens of their our national strategy, but we also work at a really practical level on our response capabilities and practising and exercising as a community. So there's just two examples and I'm sure Richard or Maria will build on that.

You both had your hands up, Maria. You took yours down.

Richard Johnson

Yeah. Thanks, Nicola. The fact is there's hundreds of CISOs. I mentioned before, it is very practical and real time information sharing that we enjoy in this country. When I and my peers or certainly when I get out.

Nicola Nicol

Yeah.

Richard Johnson

And I look at my phone. If I don't have 350 alerts in those shared rooms, that all of the CISOs of our community and their teams are collaborating on, then I have breakfast. If there's 350 alerts, then I stop and react and respond. I know it's going to be a bad day and it's not just Intel, it's attack data and control response data, really actionable information of what's working and what isn't working and how are people approaching the problem? It is an amazing ecosystem approach that we are incredibly fortunate to have in this country and not every country has that and it's part of our secret capability that we need to protect and defend is the ability to work as one ecosystem whilst under attack and share freely amongst white hats without fear.

Maria Milosavljevic

I'll just quickly jump in there. So we knocked my hand down. Nicola, your response was so eloquent, just adding to what Richard said though I think was a really important point around, you know I'm saying I pick up my phone the first thing before I have breakfast before I do anything, I pick up my phone and I'll look at the sites, our community to see what's happening. You know, I once landed in Heathrow and turned on my phone and it just went Bing, Bing, Bing, Bing, Bing, Bing, Bing and I thought, oh, OK, it's going to be one of those days, right. And so it's that community is really important. And so I would say to anyone out there who is from a small business, if you're not connected into the CISO community, you can be right. There are many, many CISOs, reach out phone a friend. As we heard before, or find a friend, reach out to one of us. You know your bank CISO and we can connect you with peers if you don't have any.

Sandro Bucchianeri

Yeah. And then the only thing that I will just add, I'll give a practical example. I think 3 weeks ago, I pinged my three peers on the call and I said I need to speak to you urgently. Maria and Richard got back to me immediately because they always answer my messages. So thanks for that. Nicola did eventually call me back later in the afternoon.

Because we discovered an issue in NAB and I provided those indicators of compromise that Richard mentioned and the three of them went away to go and look in their environments, did they see the same thing? So that's a very practical example. I'm glad Richard has breakfast in the morning, but that's a very real example of how we work very closely together and then when we take it down to our customers. So I know we do it at NAB and I'm sure my peers do it as well. Our business customers have access into a whole myriad of resources that we provide them. Along with the webinars and the like. So all that sharing we share freely, openly, etcetera, we have one-on-one discussions etcetera. So it's a whole of community event. It's not that I'm going to keep my information to myself. So we encourage anybody that if you have a coffee shop speak to the other coffee shop owners in the area to come together because you'll have similar challenges. So I think that's the messaging that we would want to leave you with on that.

Michelle McGuinness

So this is our superpower. Thank you for that. And collaboration is cool. Jess, do you have one more, short question that we should address before you run out of time?

Jess THOMAS

Yes, I have one more short question on culture. Do you think we're experiencing a cultural shift in cybersecurity from being risk driven and prevention focused to increasingly resilience driven and recovery focused?

Michelle McGuinness

So my plan, I absolutely hope so and it's hard to get data around this, but it's going to require every one of us to drive to that. But absolutely the message we're sending is, is and it is about that sometimes and Maria touched on as well. It's not what happens to you, it's how you respond because we have to be clear about the fact that our threat actors and the technology are evolving so quickly that we are going to constantly learn new ways to protect and this is exactly what Sandro was talking about as he talked about sharing new things that he's finding or identifying. So I hope so and I believe so, but I need everyone on this call. And in fact every leader across our nation to be part of that. Let's go to Sandro then Maria.

Sandro Bucchianeri

So the short answer is yes, there has been a massive shift in cyber and the focus that we place in it in our country. If you think about just go back three years, there was no national coordinator role, there was no centralised focus from government.

And here we are, sitting together on a call, all in different parts of the country, talking about how we share information, how we work together, and I can sense that mindset and the way people are talking about it all the way down to my 12 year old who talks to me about cyber at the grassroots levels like Dad, what do you do and are you having a super secret squirrel meeting with government? And can you tell me what they talked about and I tell him no, I can't and he tries that every day when I drop him off, but that's the interest that this all has generated and it's terrible when the events happen, but I think the nation has moved forward in a good way and long may it continue, we just need to continue this conversation and collaboration.

Maria Milosavljevic

So I would add a little bit more to that as well around the fact that attacks that may start in a physical world actually, you know, sorry start in a virtual world actually become a physical issue and we've seen that you know this, we really need to take an all hazards approach because everything is connected to everything else.

And unless we understand that cyber digital becomes physical, we're not going to be prepared for things like I can't, I can't pay the bills. I can't actually buy my groceries. You know, I can't take transport, those sorts of things are impacting on daily life, and it's really important to understand. Those things must go together. One of the things that I kind of joke about is that the SOCI Act, security for critical infrastructure maybe should be ROCI for resilience of critical infrastructure for this very reason, right? Because it's this deeply integrated approach that we need across, you know, government agencies, industry peers, law enforcement, technology partners, we all need to work together to make sure that we understand the full potential impacts and who needs to be involved in actually addressing those sorts of impacts, particularly when they can undermine our economy or our way of life.

One of the things that's also changed a lot in recent times is that a lot more people are working remotely, and so we need to become much more acutely aware that the sorts of risks that we're dealing with are not necessarily things that we may have thought about in the past and some cyber threat actors may actually want to, you know, pretend to be someone that they're not, and that's also got to be part of the way that we think about resilience, because the way that we trust each other and the way that we trust our employees, the way that we know who each other is, all of that has fundamentally shifted.

Nicola Nicol

And I may make one build on that as well, I guess 2 observations. I would offer one that if we think about that shift of protecting to resilience that I think we've seen a mindset that was about protecting our data and we've all but, but in the last few years, we've really started to see a shift towards resilience through disruption because again, I think we see the threats evolving where the threat actors are not that you know, yes, there's always been sort of hacktivists, there's always been those that are out to make a point and have a purpose, but I think we see much more these days where threat actors are very much looking to disrupt a business and it's rather than the more traditional sort of looking after looking to get after your sensitive data. So I think that's part of the reason for the shift as well from a cyber community perspective is it is, yes, always will be about protection, but we've got to be ready to be resilient through disruption and the final thought I'd share is I think that's where particularly in Australia we have a great opportunity to be much more integrated with our regulation. Somebody I talked about it's OK and the all hazards approach. If you look in the banking and finance sector at things like CPS 230, which is about operational resilience. If you look at some of the evolution of what we're seeing in the fraud and scam space, you often will find at the core, you've got the same threat actors who are, you know, causing disruption in multiple different ways where we might have traditionally thought about these things in silos. Let's look at fraud over here. Let's look at resilience over here. Let's look at cyber over here. I think the learning for us and what we're doing as a community is taking a much more integrated approach to thinking about operational resilience and that includes cyber and scams and other sort of disruption activities across the community. Yeah.

Michelle McGuinness

Thank you so much, Nicola, and thank you all of you for coming.

We are now closing in on our ending time here today. I do want to make a couple of remarks. Firstly to the team here. Thank you so much for being here. There is absolutely no doubt in my mind that you are on the front line with a range of other industry partners of this issue. You are under consistent, persistent attack and this is why it's so critical that we partner together. So thank you for your time being here and thank you for everyone who has dialled in. I also really want to thank my team represented by Jess, but obviously backed up by others who have pulled this together. It's been fantastic and the team to the banks who have been so willing to jump in and do this, it has been novel and new and I can't wait to do it again.

Let me just say as we come to a close that the Australian government, along with our partners is busy building our cyber workforce, our cybersecure culture, strengthening our resilience as we’ve talked about and responding of course to incident after incident as a nation.

Critically, at each step we are partnering like you see here today with industry.

The benefits of us taking action that absolutely is compounding when cybersecurity is improved anywhere in the whole chain, whether as an individual, as a small business, big industry or within government, it benefits us all. So I really urge you to take what you've heard and learned today and take practical steps and run with them for your businesses. Please also be an advocate for cybersecurity. It will take every one of us to do this, and not just with your employees, your co-workers, your peers, but speak to your Nana. Talk to your siblings. Reach out to your friends. Keep inspiring all the 12 year olds. We need that future workforce, but talk to anyone in your circle and help them to understand the risk and embrace the simple things we can all do to make us stronger.

Unique passphrases, multi factor authentication, software updates.

A robust and resilient cybersecurity culture is the glue that will harden us as a nation against these threats. And please keep that top of mind in every decision you make across your business. Being together we can be more secure as a nation.

With that, thank you so much again for your attendance. Thank you to the team and our fantastic experienced analysts, have a great day.

Sandro Bucchianeri

Thank you.


Simple Steps, Safer Business – Webinar for SMEs

The National Office of Cyber Security hosted a national virtual webinar for SMEs with representatives from Cyber Wardens and the National Anti-Scam Centre (also known as Scamwatch). This session showcases top tips to address cyber risks, identify scams impacting small businesses, and shares practical advice on what to do if you have been targeted.

 
Safer Business

Michelle MCGUINNESS 0:28
Thank you so much for joining us today for our Small Business Simple Steps Safer Business webinar. This is part of our suite of Cybersecurity Awareness Month activities. I'm so pleased that you've made time in your busy schedules to attend today. It tells me that you all realise the risks that are posed by cyber threats and what it can mean for you and your businesses and potentially your livelihood.

If I can, let me just step back and start by acknowledging the traditional custodians of the lands on which we're all joined today. I am joining you from the beautiful Ngunnawal land here, the Ngunnawal people here in Canberra. I'd like to express my respect and gratitude for their continuing culture and to the contribution they make to the life of this city and this region and extend that to any First Nations people who have joined us today online and pay my respects to all the nations from which you're joining.

Let me just also run through some housekeeping. Due to the large number of attendees, we think we have your microphones and cameras switched off. The event is being recorded, and we will make it available at a later time via the Home Affairs website within the National Office of Cybersecurity web pages, so you can come back and refer to it. My team will also provide an e-mail address for all attendees post this webinar with the links that we're going to share with you and the things we're going to talk about, as well as an opportunity for you to provide feedback to us should you choose. Because this is, you know, this month we have started doing these webinars and we hope to be the first of many and we warmly welcome feedback.

So, in a moment I'm going to give you a quick rundown on my office and my role and what we're looking at. But I'm also joined by Fleur Anderson, Director of Major Programs at Cyber Wardens, and Ruth Pirrie, Assistant Director, Outreach Teams for the National Anti Scam Centre. So, Fleur leads the Cyber Wardens and Future Female Entrepreneurs, two Australian Government funded programs delivered in partnership with the Council for Small Business Organisations of Australia, or COSBOA. Fleur brings more than 20 years of experience to her work developing and delivering programs for small business and women's entrepreneurship, and was a former political and business journalist with the Australian Financial Review prior to undertaking her current roles.

We also have Ruth. Ruth has been in the business of investigating and preventing fraud and corruption for the last 20 years, starting her career in Westpac's financial crime team. She then moved to the UK, where she went on to work with City of London Police, specialising in large-scale networks of banking and corporate fraud.
Upon return to Australia in 2016, Ruth shifted her focus to preventing corruption, initially with AUSTRAC and then subsequently with the National Anti-corruption Commission. Welcome ladies and thank you both for providing your time and your presentations today to the small businesses attending our webinar.

To keep things running smoothly, following my opening remarks, we'll then hear from Fleur about Cyber Wardens and then Ruth from National Anti Scam Centre. We will then have a Q&A session where I've actually asked my team to curate the questions coming in, so please submit your questions in the chat. And we will try really hard to get to as many questions as we can. If not, we can have that e-mail exchange afterwards if there are questions that are unanswered.

So, before I handover the floor, let me just touch briefly on my role. As the National Cybersecurity Coordinator, I support the Minister for Cybersecurity to ensure that the Australian economy is to the maximum extent possible, both cyber secure and cyber resilient. This means taking the precautions and actions to harden our defences and to build our resilience as a nation. It also means reducing the opportunity for threat actors by making us as harder a target and a smaller a target as we can for those that seek to do us harm.

My team, the National Office of Cyber Security, and I work to support the uplift and resilience of our governments, our businesses and our citizens. In order to prevent, prepare for, respond to and recover from cybersecurity incidents, we cannot do this alone. No one sector can do it. In fact, I don't believe one nation can do it, but we do thrive on engagement across all sectors. It's so critical that we share knowledge and that we build relationships. Because none of us can do this alone. So, a key element of our role is helping all Australians do their part to become more secure. This is foundational in our strategy, looking after small businesses and our citizens. We hope to make everyone more secure, whether it be in their homes, their schools or their workplaces. And we know that everyone has a role to play in making us a cyber secure nation. We really are only as strong as our weakest links.

As business owners, I know many of you won't have dedicated IT teams. A lot falls on your shoulders every day and we're so aware of that and those that have got staff, you're juggling so many other tasks. I know that this may be for both you and your staff. The whole issue of cybersecurity is relatively new, unfamiliar and can be really daunting. That's why we're committed to partnering with you all. You know, the government seeks to reduce the burden on small businesses in every way we can in order to help you do what you do best, which is to thrive in the delivery of the goods and services that you provide. We really need and want every one of you to be successful. So hopefully today's event is part of that partnership approach in action. We know that the daily running of your business takes up all of your time, your energy, your budget and your attention. And if you are like so many people, this means you might have been putting off the task of working out what cybersecurity is all about. And many of you are probably unsure of what you can do about it beyond maybe popping it into the too hard basket, crossing your fingers, closing your eyes, and hoping it'll be OK.

But unfortunately, too much is at stake to rely on luck or putting it off. More than ever, we know it's not a question of if there'll be a cyber incident, but when. So, we've really focused this month, October Cyber Security Awareness Month, as a time to talk about cyber with everyone and asking everyone to talk to your employees, your friends, your colleagues, and not just to talk, but to take action to build a cyber safe culture. This is not just about businesses, but we're doing this across the community. But businesses are such an important part of our Australian landscape.

So, it's also something our two guest speakers and I are very passionate about. So, each of us hope to leave you with something today. Throughout the month of October, we are spotlighting a different action each week from our Act Now Stay Secure campaign, which launched its current phase back in May this year. Hopefully you've seen the ads on TV or online. It's that commercial that has the byline 'What are you risking online?' The campaign highlights three really simple actions that every one of us can do that makes a significant difference to our cybersecurity online.

Those actions are install all software updates to keep your devices secure, use a unique and strong passphrase on every account and always set up multi-factor authentication. You know, these three factors, our technical experts tell us, minimize our risk substantially and they account for over 85% of incidents that occur in Australia, just at different scales. You know, cyber threats are now a part of everyday life.

But taking these small actions make a huge difference, which is why we've really taken this approach for this webinar. Simple steps equals safer business. We know that people need practical, simple steps and on our website, Act Now, Stay Secure, it talks you through these so that everyone can adopt them. We also have it online in 32 different languages, so we really hope to reach everyone. I think the bottom line about these three things is they actually work, back to what I was saying about our technical experts who provided us this information. It works if you're an individual, it works if you're a business owner. The difference is, as a business owner, and you all know this much better than I, that you've got so much more to lose. You've got data as well as your heart and soul. You've got all the resources you've committed into being successful, and that makes you a rich target for those looking to profit from a vulnerability.

We know that cyber criminals see Australia as lucrative and slightly vulnerable and gullible, and they will target us persistently. So, we know these simple steps work. You know, there is a fourth step that we're highlighting this month and throughout our program as well, just about being able to spot scams. So, there are great and practical tips on actnowstaysecure.gov.au that you can go to get the laydown. So, while Cybersecurity Awareness Month this October is our annual reminder and really, we're driving that opportunity to not just talk about it, but to take action to protect ourselves online, we actually don't want this to be an ‘October only’ thing. This is just an opportunity to really amplify it, but this is something we need to do all year round. We want cyber security to be an everyday habit. We want to change the culture of Australians and Australian businesses. We want you to think of it as a risk.

We want you to think of it as innate, just like buckling your seatbelt, locking your front door. We need to lock up our cyber profile online, our online doors, shut those doors, and we have to introduce these cyber safe behaviours to protect all accounts and devices on multiple layers.

So, this hour is designed to give you a practical jump start no matter where you might be on your journey to uplifting your own cybersecurity. Our presenters will detail the most important information that they have for small businesses. Together we will hopefully answer your questions at the end and the questions that your customers have to include around cyber threats, the risks they pose to your business, your clients, and how to introduce a cyber safe culture into your businesses. With that and to keep us on time, I'd love to now invite Fleur Anderson, Director, Major Program Cyber Wardens, to present on Cyber Wardens and why small businesses need to know about cyber safety. Thank you so much, Fleur.

10:47

Fleur ANDERSON
Thank you. And I'm now going to seamlessly share my screen and hopefully that's working. Yes. So, thank you very much. As Michelle said, my name is Fleur Anderson and I'm the director of Cyber Wardens. And just thank you so much for the opportunity to be able to talk to you all today about Cyber Wardens and what it means for small business. So, I will get into it. So, what is Cyber Wardens? So Cyber Wardens is an initiative of COSBOA, the Council of Small Business Organisations of Australia, which is supported by the Australian government, Telstra and Commonwealth Bank.

So, our goal at Cyber Wardens is to make cyber security simple by building a culture of cyber safety, by teaching really quick, simple cyber skills for all Australian small businesses. It's fast, it's free. It's simple self-paced e-learning, but also through webinars and online so that you can help. You can boost your cyber safety, whether you're a sole trader or a startup or a small business, you don't need to have a tech background. We've taken out all the buzzwords and the jargon to make this program one that gives you quick wins. You can do it right now today. So, after this webinar, if you've ticked the box on your registration, you'll actually receive a certificate via e-mail to say that you've started your Cyber Wardens journey and that you are level one of a cyber warden. We hope that after that you'll jump online to cyberwardens.com.au and expand your knowledge to levels 1, 2 and 3 and even become a Cyber Wardens champion to educate your team.

So why do small businesses need to know about cybersecurity? Small businesses are at Australia's frontline of cyber crime and many of them are unprepared to deal with cyber risks. So, 43% of cyber attacks are actually targeting small business, so that's nearly one in two cyber attacks are going after businesses like yours. So, if you're thinking that it won't happen to me, statistically, it might already be happening.

There are 232 cyber attacks reported every day. That's an attack every six minutes, so that's pretty much the top of the tip of the iceberg. A lot of cyber attacks go unreported. The average reported hit is worth about $56,600 and for a lot of small businesses, that's enough to close you down. Good, so here's the kicker, 95% of cyber crimes involve human error. It's not that it's anybody's fault, it's just that sometimes we're rushed. We're pushed for time and we might click or trust a link that is actually a cybercriminal. So that's actually good news, because it means that with awareness and training, we can prevent most cyber attacks.

In 2023 and 2025, we actually did a lot of research with small businesses and we asked small businesses what the top risks that they were facing, now and over the next five years. So, the top ones, you can see a lot to do with the cost of doing business, energy prices and staff. But number three is cybersecurity threats. So, all the other threats there you can see are also just products of doing business. But the good thing about number three is actually it's something that we can act on right now by just having a little bit of education and awareness to try to really mitigate that risk.

There are consequences to small business owners' and employees' confidence and to their businesses. So, we found that seven out of ten small business owners don't have the resources to recover from a cyber attack. And almost a third don't know where or how to get help. And this is where we really want to be able to help.

I'll just go back a second, sorry, and some of the things that the financial threats or impacts are that people told us about were that 67% or, you know, two out of three are worried about the financial loss. There's operational costs, damage to reputation; about 40% of small businesses reported that was a big fear. And then about a third of small businesses didn't know where to go to get help if and when a cyber event occurred.

So, we want to just talk about the types of crimes that are particularly targeting small businesses just so that you're aware. So, the number one is inbox break-ins. So, in technical terms this is known as a business e-mail compromise or BEC attack. And this is where hackers have got into your e-mail and could be using that as a launchpad for more dangerous attacks. So, if you think about it, your inbox is a treasure trove of information for scammers, and we'll get into a bit of detail about this in a minute.

The second one is fake invoices, and this is a type of BEC fraud. So cyber criminals might use your e-mail to send fake invoices from people who look much like your suppliers, and they'll change the payment details of your real invoices so that the scammers get paid instead of you. With AI, these are becoming very, very tricky and very fast to come in. So sometimes you might find that your bank might contact you before you even start to pay someone just to make sure that you've actually had other types of confirmation that this is a real invoice. So, we'll cover what you need to look at from that shortly.

But then the third type is banking burglary. So, this is where scammers break in and gain access to your bank account details, and they will often get that through your e-mail accounts and from invoices as well. So, they're the three most common crimes you need to be aware of. Number one, though, is the inbox break-ins. That is the key to everything for a cyber criminal. So, your business e-mail is so full of very valuable information and this is where cybercriminals use it as the front door into all of your business. You'll see that there's a number of secondary types of attacks that they will use like company impersonation, changing payment details, sending fake invoices that are, you know, apparently from you to your own customers. They can also get in there and steal your business files and data. Valuable information that could be your intellectual property. There's a whole host of things. So, the main way that this happens though is reusing passwords. That's the main thing. So, if you're reusing your password across multiple accounts and you're not using multi factor authentication, that is a really risky way to operate, but a very simple one to fix.

So that's why you need to be aware of secondary attacks after a data breach of your e-mail credentials. You may have heard of credential stuffing scams as well and so this is where your e-mail and password might appear in a data breach, which are then bought and sold on the dark web. This is what scammers can use in another type of attack. From there, they'll take these details and they'll test them in logins across multiple consumer accounts on really popular websites like retailers or banking. And once they gain access to your account, they can then place orders using saved credit card information or do even more damaging activities so that they can get into your bank account. So, this is really important. Why? It's why you should not reuse passwords, even though we all have trouble remembering them. But that's why we have other types of ways, like password keepers and password managers so that you don't have to remember everything.

The main thing is to remember that if you've got a password, you need to make sure it's long, strong and unique with a minimum of 14 characters up to 18 is even better.

The longer the better. So more like a pass phrase than a password. So, adding a virtual alarm like a multi factor authentication and other types of ways to verify your account is a really good way. Also, it's like a burglar alarm, to make sure that you know that someone else is trying to get into your account. So, if a password is the keys to your online accounts, adding two step or multi factor authentication really helps add that extra layer of security. So most common accounts that we use every day will have their own built in MFA in the security settings. But you should also think about using an authenticator app. You can download those from your Google Play store or your Apple Store. And an authentication app is a mobile application used for two factor authentication. So that adds that extra layer of security. These apps will generate a one-time password, or OTP as they say, so that you can enter that along with your passwords. A lot of most people would know what that is like when you're using your bank online to get in there.

The other thing, as I mentioned before, is to use a password manager. So a password manager is a software or service app that will help you securely store and manage and generate passwords for your online accounts. It eliminates the need to memorize passwords. I know as I'm getting older, I can't. I can barely remember my kids' names some days, so why would we even remember all of our passwords? So, by having a password manager, it's stored in a digital vault. You only need to remember one single master password and have an extra layer of to get into that, and then all your passwords there. So, as the National Cyber Security Coordinator mentioned just then, we're talking about cyber safety as a culture and this is where the key is. It's not about technical knowledge, it's about shifting our thinking about cyber culture. And this is something I'd like to focus on today.

As I mentioned, 95% of attacks involve human error, so we need to make sure that ourselves and our team and those around us are all informed and working together.

What we're trying to do here in Cyber Wardens is create that culture of cyber awareness. And it means that it's not just cyber aware at work. It's what we're doing at home and online with our friends, our family and in our communities. So, as we've talked about here, we are what happens with human error. The main things are, you know, when we're busy, we sometimes fail to spot a scam or phishing. We don't double check invoices. We use short, repeated passwords and everyday habits to just make ourselves more vulnerable. And the biggest reasons that our team might not be where it needs to be is because of lack of training. We said as before, human error.

But now also working off site. You know, since COVID, we've all become very used to working away from the office and we all like to sit in the cafe and have a coffee and work on our laptop. But being in a public place using public Wi-Fi is one of those things that we just need to be really aware of. Don't use it if you can avoid it.

Being busy missing details are often when the cyber criminals will come in right when it's end of tax year, time when we're just getting inundated with invoices. And that's a really big time. Also, Christmas. Christmas holidays, they really know when to go after us and also personal targeting. You know, if they can get into your inbox, they can see what you're interested in, who your friends are and will use lots of little clues about who we are as a person to maximise and leverage on that.

So, I'd like to talk to you about becoming a Cyber Wardens champion and a champion is someone who talks to people around them and learns about the best ways of communicating a culture of cyber security. So, who should be a cyber warden? Well, we think everybody, but in particular small business owners and their teams, small business advisors. So, people like accountants, bookkeepers, IT specialists. Anyone who is working with small businesses, even if they are in a large business, there's also people who are in HR. You know, we find that a lot of cyber criminals are targeting the HR sector, particularly with fake candidates, you know, you might be going through an online hiring site and find a fantastic candidate, but through the miracles of AI, it might actually be a scammer. And then there's also the community. So, most of us wear many hats. We're not just here at work during 9:00 to 5:00. We're also, you know, members of sporting teams or interest groups and we all are online every day and it's connected. So, it's really important for us to think outside of what we're doing between 9:00 to 5:00.

A really good thing to understand when you're talking to people around you about cyber security is just to understand what some of the barriers are for people to learn about cyber security. We find that sometimes people think, oh, it's just all too hard. I'm just going to get hacked anyway. What's the point? There is a point. It can save people time, their money, their mental health. So, here's some of the things that we find that are the barriers to some people wanting to take that first step.

So, the first is knowledge barriers. Technical terminology can be really confusing. That's why we try not to use too much jargon in Cyber Wardens. Also, lack of awareness of threats. You know, if you understand what the common threats are, you're less likely to click on a suspect link or pay an invoice without checking. There's also the misconceptions about who is being targeted and why, most often in the media, we hear, at most about some of the really big cyber or data breaches, but actually it's the small business people who are mostly targeted and we just don't hear about it every day. And then there's uncertainty about what is it that I can actually do that's achievable?

So, the second thing is the attitudinal barriers, so that it won't happen to me mindset that it's not worth cyber criminals time to go after small businesses. The fact is that with AI tools that are being misused, there's a very low barrier to entry for cybercriminals. They could spend $100 on a very easy app that can make it much easier for them to attack thousands of small businesses at a time than it did in the past. So, we are all at risk. The belief that cybersecurity is just the IT department's responsibility. This is something that is a cultural thing. It's not just the IT department or Security’s responsibility is to block the front doors. It's all our responsibilities.

And there’s also the feeling of being overwhelmed about the potential complexity about what you need to do to be safe online. Now in the behavioural side of things and you know, I've found that I suffer from some of these as well just in our busy days. Prioritizing convenience over security, you know, in the past we used to have lots of shared passwords. We'd share with our team because who can be bothered memorizing a single, you know, different passwords for different apps. So that's one thing. Resistance to changing the established habits. But we've always done it this way. Why do I have to do it this new way? I'm just tired of it. Security fatigue from too many passwords and procedures and then just running out of time to actually put aside time to update your security settings and take those basic steps that need to be done. But it's not unachievable.

So, we'll go on to the next part. So why your role matters? And it's so important that you're all here today as a cyber warden, your everyday role positions you so well to really make a difference to yourself, the business you're in and those around you, whether you're a connector, a role model or a protector, you know, being able to recognize your strengths really will help you when you are communicating it to your teams or the people around you to become a more cybersafe culture.

So, I'll just go through a few of these. So, you know we all have these strengths in our own organisations. So, you might be a community champion. You want to get everybody on board, and you know show how by working as one you know we can achieve great things. You might be a great onboarder. So, when new people join your business, you've got all the policies there how to do things online. What your business is like and cyber security is part of this. You might be really good at technology and are not scared of jargon, so you're able to translate that to other people. You might have people who follow you on small business. The small business sector again trusted advisor like a bookkeeper or an accountant. There are so many ways that you can use your role to communicate cyber security culture.

Now the other thing that's really important to understand when we're talking about cyber security is about who's on your team. So, there are, as I said before when we are talking about cybersecurity, it's not just the people who are working in your business. There are the helpers, the game changers, the guests and the sharers. So, I just start with the sharers first, so these are the people who love your business. They might be your clients. They are shouting to the stars about, you know how good you are. These are really important people who help enhance the reputation of your business so that can help or hinder if things go wrong. And if you're the target of a cyber attack. If things go wrong for them, then it can be damaging to your business, but they can also be really helpful. So, bring them on board with your journey about how you're keeping your business safe.

Then there's the guests. These are the people who might be your contractors, people who are coming in and out of your business or your workplace. These people are just as important as your employees or, you know, people in working within your business because often they, you know, will get access to your guest Wi-Fi. They'll be working in your systems.

You also need to have really cyber secure Game Changers. These are the people who can have a direct impact on your business itself. It might be your bank. Your major clients, the people who really have massive significant impact on your business that you know materially from a financial point of view. And so, it's really important to work closely with them on making sure that both of you are comfortable and trust each other's cyber security settings. And then there's the helpers. So, the helpers can be your mum, your dad, your kids who might work in the business or could be just your friends and family. Anyone who you work with, who has an interest in you and your business doing well. So we so many times hear that the Tech department is actually the Tech department by accident, and it might be that, you know someone's nephew is really good at Tech and does it on the side, or it could be that you know your kids might have access to your work iPad and they can do things from time to time, but they might also know what your passwords are. So, it's just thinking about who those helpers are in your business and making sure that they're all on the same page.

So, we've talked about who the helpers are and some of the cultural people that the people around you in cyber secure culture. Now let's have a think about some of the quick things that we can do right now that will make a difference. So, these are the things we can change today. So, hands up, who has ever snoozed on a software update? I have to say I've been guilty of this when you just need to get out of the house or get out of the office because you've got to go pick up the kids from childcare. One of the best things you can do is making sure that you put your laptop, instead of going to sleep mode, shut it down so that you can restart it again. Often that's what triggers an automatic update that will protect you without even trying.

The other thing is paying for one software licence but letting everyone use it. That's a big one. It goes back to shared passwords. It might cost less in the short term, but it costs you a lot if you are vulnerable to a cyber attack. Using passwords. We've discussed that using short passwords, having a password spreadsheet if a cybercriminal can get into your system, then it's just like handing over your wallet. It's all there. So just going back to the guests in our Cyber Wardens team, those people who might come in and out every now and then into your business if they've got a general staff login that's used across multiple people, then that's a risk.

Now the big one, adding personal details in out of office update. As I mentioned before, our inbox is a treasure trove of information about our personal lives.

If you put in your out of office update ‘So long and see ya. I'll be in Hawaii for the next 10 days, staying at this amazing resort’ that can be used by cyber criminals to login and imitate you and send a message to your finance department saying ‘Hey, I've lost all my credit cards. I need you to deposit some money into this other account so that I can get into it’.

Happens if we say too much in our out of office emails. So, if the worst happens, as we said before, about 30% of people don't know where to go when they get targeted by cyber criminals. There are plenty of ways to get help, but probably the best one to remember is the Australian Cyber Security Hotline 1300 CYBER1. I'll leave this up here for a minute, but if you want to take a screenshot, that's the one to look at and obviously look at the Australian Cyber Security Centre’s website.

There's the National Anti Scam Centre (NASC). Ruth will be talking about the NASC in a minute. IDCARE, and if you get your identity broken into the Australian Tax Office. If your business is hacked and then the Australian Securities and Investment Commission, if you fall foul of, you know, a scam that company might be in Australia doing the wrong thing.

So please do keep aware of that and there's plenty of ways to get help. So, as I said before, after this I hope that you will go into the cyberwardens.com.au website to learn more. Because we have got a whole lot of stuff here that might be of interest to you. We have our foundations course, which is a quick bite size. Basically, lunchtime or coffee break session, just to give you some refreshers on some stuff; we have webinars on demand and live, on a whole heap of topics.

We've got also some specialist courses level 2, say for AI for small businesses, because it's something that is evolving very, very quickly. And then for those of you who are interested in tendering for large projects or might be wondering about how to operate more safely and effectively within large supply chains, Level 3 is the one for you. We also have on our website a lot of resources that you can have a look at, such as factsheets.

There are also industry how-to guides such as for construction, tourism, bookkeepers, a whole lot of stuff really I urge you to get on and have a look. And now if you have a story or a tip, or you've heard of, you know, a new scam that's doing the rounds of small businesses, or if you'd like to share how you actually foiled some cyber criminals and got them back, we'd love to hear from you. So please access our resources and please get in touch. And I'd love to take any questions at the end of this presentation. So, thank you very much.

Michelle MCGUINNESS 38:13
Hey, thank you so much, Fleur. That was super comprehensive. Thank you to everyone who's throwing questions into the chat. Now that Fleur’s finished talking, she might dive in there and have a look and see if we can add some answers there. Thank you for all those who have been updating and adding answers. Let me now go across to Ruth.

Assistant Director, Outreach Team, National Anti Scam Centre. Ruth, over to you. Scam Watch Small Business Scam Prevention. Better safe than scammed.

Ruth Pirrie 38:40
Thanks so much, Michelle. I'm also going to seamlessly share my presentation slides.
Well, maybe I'm not. Let me try one more time.

<Some technical issues getting the slidedeck uploaded>

Ruth Pirrie 40:49
Perfect. Thank you for pivoting so quickly and thanks for everybody's patience on the phone. As was mentioned, my name is Ruth Pirrie and I'm the Assistant Director here at the National Anti Scam Centre and our Outreach team. You may also know the NASC as ‘Scam Watch’.

Serena KING 40:50
And.

Ruth Pirrie 41:08
And in my session, I'm going to highlight how scammers use powerful psychological levers and technology to manipulate and to scam us; outline some scams that we know are most significantly impacting small businesses; and most importantly, some practical steps that you can take to stay safe. All right, Serena. Next slide. Thank you.

So, what is a scam? It's important to recognize that scams are a crime with the aim of stealing money or information through deception. They can be a subset of cybercrime or other kinds of offenses like fraud. Scams are a really lucrative and efficient way of generating illicit income and as such are often perpetrated by large and coordinated criminal networks. We are all vulnerable to scams. They use powerful levers and when used in combination with technology, this means that the scams we see today are often incredibly difficult to identify. Thanks, Serena.

All right, so Fleur mentioned this one, but I'm going to go into a little bit more detail. So, payment redirection scams were the most common scam reported by small businesses in 2024. So, payment redirection scams are also known as fake invoice scams. And in these scams, scammers use stolen information to impersonate a client, business, employee, or customer. Their aim is to leverage trusted relationships to manipulate you into doing what they say. The scammers will most often contact you via e-mail using an address that looks very similar or potentially the same as the one that you'd expect. They might notify you of changes to payment information or include a fake invoice with modified bank account details. A common variation of this scam occurs when scammers impersonate a business owner or other senior staff member to deceive an employee into transferring large sums of money. Scammers will often create a sense of urgency and secrecy by claiming that it relates to a personally or commercially sensitive event.

So, your best form of protection when it comes to payment redirection scams is to make sure you always verify requests for payments using trusted contact details that you already have on file. Don't use ones that have been sent in the same e-mail or invoice because these might have also been modified by the scammer. Thanks, Serena.

OK, so in this next slide, you'll hear from a victim of an investment scam. So, in 2024, small businesses reported losing more money to investment scams than any other type of scam. These scams can be really hard to spot, even to experienced investors.

And just to stress that point, the largest loss I heard about in relation to an investment scam was half a billion dollars. So, it's really not possible to underestimate the sophistication of these scams. Scammers impersonate real investment and finance companies to create fake legal, financial and business documents that appear legitimate.

Ruth Pirrie 44:37
They also create fake scam investment platforms that look and function exactly like the real trading apps that you might be familiar with. These platforms show fake market data and profit growth to deceive you into believing that your investments are performing really well. Scammers may even allow you to make small withdrawals as a means of building your trust, but when you try to take out your larger amounts, they'll come up with multiple reasons not to pay or claim that taxes or fees are required first. So, in this video, as I mentioned, we'll hear from a small business owner who generously agreed to share her story of an investment scam. Thanks, Serena.

Serena KING 45:22
I don't think it's gonna play for us.

Ruth Pirrie 45:25
Have you got the other slide there by any chance? If not, that's fine. Nope. OK, that's all right. We'll move on. The video that I mentioned, I will share it in the comms after the presentation, so you can go and have a look at it then. It's also available right now on the Scamwatch’s website, so if you're particularly keen to watch it.

Ruth Pirrie 45:45
Go and take a look, please feel free to jump on even before you get that follow-up comms. Just so that you're aware, when it comes to investment scams, the best form of protection is just to make sure that before you part with any of your money, you have to take a really good look at the ASIC Money Smart website because that has a wealth of information about what to look out for and how to stay safe when investing your money. All right, so scammers use a range of technology to manipulate and deceive us.

We've all heard about AI when it comes to scams. Scammers use artificial intelligence to create fake videos, documents, clone voices, and send personalized messages that are harder than ever to identify as fake. Spoofing occurs when scammers use legitimate tools when impersonating businesses to make their calls, emails or messages appear as though they're coming from the genuine address, e-mail address or phone number. So, this means that even messages that look like they're coming from genuine entities, can't be taken that they're genuine. You always need to make sure that you check. Remote access is where scammers gain unauthorized control of your computer or device by deceiving you into approving access, usually by pretending that they're calling from a software company like Microsoft or perhaps your telecom provider saying that there's a problem with your device and convincing you that they need to get access in order to assist you. But once they have access, they are able to control your device, access sensitive information and use it to log into your Internet banking. Thanks, Serena.

All right; the good news is that you don't need to be a technological expert to stay safe from scams. ‘Stop, Check, Protect’ is the catchphrase that we use at Scamwatch to help Australians to remember to stay safe. So, let's break this down in a little more detail. Stop. Always take a moment to consider before you make a payment or provide sensitive information. Scammers will create a sense of urgency to pressure you into acting quickly. Don't rush and always trust your instincts if something feels a bit off.

Check. While instincts are really important, scammers are making it harder than ever for us to detect when something isn't right. So, it's crucial that you always make sure the person or organization you're dealing with, all payment information you've been given, is real by verifying this first using contact details that you know you can trust. So, this might be from an official website or from records that you've been maintaining for a long period of time.

Protect. Ensure your staff are aware of scams and put processes in place like Fleur's mentioned today to make sure that you protect against them. Consider using E-invoicing, for example, which is a standardised, easy and secure way to send and receive invoices, which you can find out more about on the ATO website. Monitor your bank statements and credit reports for unusual activity and act quickly if you think you've been targeted, or something feels wrong. Contact your bank or service provider immediately if a scammer steals your money or information. Change your passwords and security details if you think they've been compromised, and once your accounts are secure, report the scam to Scamwatch and police via the Report Cyber website. Thanks, Serena.

All right, so unfortunately your business can also be impersonated by scammers in order to defraud other people. But there are also some simple measures that you can put in place to protect your brand and minimise the damage. So, step one is to monitor and prepare. Consider proactively monitoring the impersonation of your business by periodically doing a search of your brand name online. This will help you detect and remove fraudulent websites and ads before any harm is done to your business or customers.

Create a clear process for your customers to report brand impersonations to you and make sure your staff know how to respond. Notify and report. So, if you do identify an impersonation, notify your staff, customers and the other businesses that you work with. Consider putting warnings on your social media accounts, website and at points of sale, and direct anyone who's impacted directly to Scamwatch or to the police via Report Cyber. If you identify a scam website that has stolen your brand, report it to the company that hosts the website and ask them to remove it. If your brand is being used in scam ads on social media, also report this activity directly to the platform hosting the ad like Instagram or Facebook for example. Because you own the intellectual property in your business and your brand, you're best placed to make the report. Once the scam's reported to Scamwatch, we'll also share this information with the host and/or platform to help inform their assessment of whether or not the website or ad can be taken down. Thanks, Serena.

All right, so the good news is that there are many initiatives that the government has put in place to help protect Australians from scams. So, the National Anti-Scam Centre, where I work, is actually a program run by the Australian Competition & Consumer Commission (ACCC), which brings together experts from government, law enforcement and the private sector to stop scams and limit their impact. So, while the police investigate scams and pursue potential prosecution, we come at it from a slightly different perspective. Our priorities first of all, are data sharing by creating a new system that supports high frequency secure data sharing with different agencies and organisations that can take action. While the prosecution of criminals is really important, enforcement on its own won't stop this widespread financial crime, but disruption at scale cuts them off faster and deters other scammers from using those methods. Things like shutting down websites and phone numbers and notifying banks of accounts that are being used to perpetrate scams. We're also educating and protecting businesses in the communities via the Scamwatch website and social media accounts and through outreach activities like this one. Thanks very much, Serena.

All right. So, as I mentioned before, Scamwatch, which is kind of like the front face of the National Anti Scam Centre, it's a brand that you might be familiar with. It actually outdates the National Anti Scam Centre. It's been around as part of the ACCC for a really long time and it's now the front face of the NASC. So, our website is a fantastic resource for reporting scams, even if you haven't suffered a loss. Aside from sharing valuable information that can help others stay safe, we can also refer you to IDCARE who can provide tailored support and I'll talk about them in the next slide. It's also a one stop shop for information on scam types and techniques and advice on how to stay safe. The QR code you can see on the slide here will take you through to a downloadable version of our flagship prevention product called The Little Book of Scams. And you can also download it from our website directly in 17 other languages, as well as the First Nations and an easy read version too. We even have a resource, a range of resources that you can share with your staff and customers, like a quiz, posters and social media tiles. So given that I only have a really short time with you today, I highly recommend you take some time after today's session to jump on the website and learn more. Thanks, Serena.

And finally, I also wanted to mention IDCARE, who we partner with at the National Anti Scam Centre. IDCARE is the National Scam Identity and Cyber Support Service. It also delivers the Small Business Cyber Resilience Service, which is a free program for Australian businesses with 19 or fewer full-time equivalent employees that also have a valid ABN. So, if you want to learn more about tailored support that's available for your business, call IDCARE before or after an event and they'll be able to give you the support that you need. So, using their services, you can get access to a cyber health check advisor. They provide an incident response hotline and cyber first aid in the event of a cyber incident. They also can provide you with well-being support in confidential sessions to help you and all your staff manage stress following an incident. And they also have a secure online portal that provides tailored online content that is most relevant to you and your business. So, visit the website that you can see on the screen then or call the number in the event that you want more information. And I think that might be it for me, Serena, but we'll go to the next slide just in case. Yeah, that's right. Thanks very much. Back over to you now, Michelle. Thank you.

Michelle MCGUINNESS 55:31
Hey, Ruth, that was fantastic. Thank you so much, team. I'm so glad that we have people online answering questions. I'm just going to, in the two minutes we have before I close out, ask any of my team whether there are any questions that have come through that haven't been answered, whether there's anything you'd like us to address.

Yes, while they're pulling that together, I will just reiterate that the presentations along with the filming of this webinar, along with the resources that we have, we've touched on a number of them. Scamwatch, Act Now, Stay Secure, cyber.gov.au, Report Cyber, IDCARE. I'd also recommend ‘Have You Been Pawned’. There are a range of reliable resources out there that you can look at. We will share these details with you.

The digital ID question has come up. Digital ID is a focus of the government. Let me have a quick look at what the question was.
Fiona, have you got other questions?

Fiona BROCKENSHIRE 56:30
Yes, there was a question, uh, Michelle, in relation to cyber insurance. From a business perspective, is it worth purchasing if a small business follows all the processes, including those of ISO 27001?

Michelle MCGUINNESS 56:45
Yeah. Look, this is an interesting space and we're certainly looking into this as we approach the next phase of our strategy. I will say that there are some new insurers who have a strong underwriting coming into the Australian market that actually look at your cyber posture. I'd encourage you to have a look around and I won't recommend one over any other being a good government vendor agnostic person, but there are some great young new insurers who will actually get you to go through what is your cyber posture. Things like Cyber Wardens absolutely helps, the awareness that Ruth has given you, the training that Fleur has helped you with.
And they come up with a far more affordable product. I think that's a really important thing to have a look at and make those decisions around your business as to the risk you're carrying and whether you need to.

Password managers. There are a range. You can find independent sources that talk about strong password managers. We talk about passphrases because it's easier to remember. Digital ID. Yeah, as we approach digital ID, it's really important that it is secure. We have great confidence in the government digital ID. We also have Connect ID. The way our legislation in this country works is that it's not mandatory, but of course we do watch both Singapore, what India has done, countries like Estonia and we are constantly learning on the best way to actually bring digital ID in. Whilst not mandatory, we strongly recommend digital ID, passkeys, passphrases. They are the stronger way to dial in. What else am I missing?

Fiona BROCKENSHIRE 58:23
There was a question in relation to ‘It’s surprising how many banks don't offer MFA for small businesses and self-employed accounts. Large business accounts have this option. How can this be made mandatory for all banks?’.

Michelle MCGUINNESS 58:35
So our regulators, our financial regulators are working very closely with all those institutions to ensure that the critical functions that are at risk are protected with MFA. I did see someone put some good advice out there is that if you're concerned that your provider doesn't actually provide that capability, then maybe you should be looking for one that does.

Because this is important enough for you to have the security around your systems.
I know we're at time. I really just want to share one more tool with you, which is our Cyber Health Check Tool. We've just recently partnered with the Australian Signals Directorate to actually build a Cyber Health Check Tool. We will provide a link to it. It is a simple 5 minute cybersecurity assessment. Perfect for small businesses and not-for-profits, and it's custom made for people who don't know where to start. It really is a great plain English tool that asks some simple cybersecurity questions and provides an instant cybersecurity health check score and rating. Not only that, but once you have that rating, you have a tailored action plan that will be sent to you as well that prioritizes the list of actions that you can do to improve your cyber security.

The government also offers one-on-one assistance with cyber capability challenges, resilience and recovery through the Small Business Cyber Resilience Service program, which I strongly encourage you to access, and you've heard of other resources that both Ruth and Fleur have put up and we'll make sure they're all provided. All registered attendees will get links to these services once we pull them together. So, in closing, I really just want to finish with a couple of things. Firstly, thank you so much for joining. We underestimated how long this session needed because of how interactive you all are. I love your questions, your engagement levels. So, this is to me feedback that we will do this again and with more time. But I really want to leave you with a call to action. We really all have a role to play in uplifting our cyber posture and security and our strategy is very focused on small medium businesses and individuals, we do want to address our culture. I think webinars like this are proving to be a great start and I urge you to keep the conversation going with your employees, but also with your families, with your neighbours, with your customers.

This is really important how we reach everyone.

Robust and resilient cybersecurity culture is the glue that will harden us. So let me just finish with some thanks. Thank you all for coming. Thank you to Fleur and Ruth. Fantastic presentations. We will definitely do it again sometime. Thank you to my team for pulling this together. It's not as easy as it hopefully looks.

And again, thank you for your engagement and all your questions and we'll get these details out to you, with that and getting you all back to your day. We might close it here. Thanks everyone.


Health Sector Town Hall 2025 – Webinar

The National Office of Cyber Security hosted the first national Health Sector Town Hall 2025 virtual webinar with the Australian Digital Health Agency, Australian Signals Directorate, Department of Health and Aged Care and the Health Cyber Network (CI ISAC).

The program highlighted the evolving cyber landscape and strategies for strengthening resilience across government and industry.
