Secure Success

Discover the most pressing cyber security concerns to emerge in 2015, and find out how to ensure your organisation can continue to thrive by adopting the safest and most effective operational practices.


Cyber security through sound strategy

Australian business is facing unprecedented data security challenges. However, there are effective ways organisations can prepare for and respond to these threats.

Cyber security has become an increasingly important issue for corporate boards in Australia and around the world for many reasons, including continuing legislative change. The rapidly changing threat landscape means C-suite officers and staff with IT knowledge must work together to gain a shared understanding of the most effective approach to risk management and effective corporate governance.

The recently released Telstra Cyber Security Report 2016 highlights the proliferation of security threats, including shadow IT and a shortage of cyber security professionals. It also details considerable opportunities created by organisations that take a strategic approach to security and risk.



Recognise the challenges

A shortage of technology security professionals is a big challenge for Australian business, as the number of graduates fell by more than 30 per cent in the past 12 months.

Meanwhile, some companies still consider cloud computing a risky proposition. More than 70 per cent of businesses are worried about data loss and controlling risk factors such as network downtime.

Finally, the emergence of shadow IT is a challenge for business leaders. This growing trend, in which staff download apps or use cloud services, has combined with the consumerisation of corporate IT and the move to bring-your-own-device (or BYOD) to work.

Top of mind for companies in this environment is the likelihood of sensitive corporate data being stored on relatively insecure personal devices and the cloud, outside the purview of the corporate IT department.


Seek solutions

Fortunately, there are well-tested, strategic ways organisations can respond. C-suite officers are working more closely with boards and cyber security specialists to raise awareness among general staff that cyber security is everyone’s responsibility.

The overall threat landscape can be mitigated, but never completely vanquished.


Idea in brief

  • Cyber security is not just the domain of IT departments – responsibility rests with the C-suite and the board
  • Shadow IT and BYOD trends are putting companies at greater risk
  • There is a shortage of skilled data security professionals, with graduate numbers falling
  • Risk mitigation is possible – and essential

Ask your Telstra AE about how to use security and privacy strategies to protect customers and improve your business.

Or, to find out more, our Cyber Security Report 2016 virtual event is now live for registrations.

Download the report

Find out more about our Telstra Cyber Security Report 2016.

Why effective privacy and security strategies drive business outcomes

The scale of data being collected by businesses today has made cyber security more important than ever to commercial success.

IN:SIGHT talks to Telstra’s Chief Risk Officer (CRO) Kate Hughes and Chief Information Security Officer (CISO) Mike Burgess about the most effective ways senior management can counter new security threats.


Q: What are the major challenges facing Australian business leaders who are responsible for protecting the privacy of consumers and suppliers?

Mike Burgess: Cybercrime in the end is just crime – people are stealing data and hacktivism is just another form of protest. However, technology and improved connectivity mean that espionage, protests and mistakes can occur at an unprecedented pace and scale.

Look at what happened to US health insurance giant Anthem, where the health records of 80 million customers were stolen. That amount of documentation would take roughly a million pages of double-sided paper to fill. It would take someone about two months working full-time standing at a photocopier to copy, but it probably took less than an hour to remove that information via a computer across the Internet.

Kate Hughes: There’s been a general cultural shift in the business community that has reignited the value of data. We all think we could market better to our customers if we knew more about them and so we go on these hunts for more data and holding all that data puts us at risk.

This is exacerbated by the fact that supply chains of most large corporations are deeper and more complex than they’ve ever been. With all of those vendors in there, you know, you are further increasing the risk that they will either deliberately, maliciously, or just mistakenly mistreat your data.


Q: Given the diversity of cyber security challenges, who inside the business should have the most insight into emerging threats?

Mike Burgess: It is a leadership issue first and foremost. The business leaders have to understand that collecting and using more data carries with it an ever-increasing threat.

Kate Hughes: Mike and I work very closely together on this because we consider it a business risk, not an IT risk. There are elements of IT risk in it, but we also need to look at the relationship between our business units, the risks at the coalface and how those risks manifest themselves. We can’t fight a good battle until people understand how they introduce cyber risk to a business and how even the simplest things such as access codes to buildings, the security of staff and our employee vetting processes all contribute to the company’s risk profile.

There’s no point having the world’s best firewalls if we inadvertently open the door to a hacker by plugging a USB key into a laptop.


Q: How does Telstra assess the risks associated with cyber and IT-based threats?

Kate Hughes: Most businesses have traditionally viewed these threats as IT or technically related so they’ve used those departments to come up with technical solutions. At Telstra, we’ve taken a much more collaborative approach where we expect every line of business and every business unit to understand how cyber risk manifests for them. They then incorporate that risk into an overarching governance framework that recognises that cyber risk doesn’t exist in and of itself.


Q: How have the obligations of large companies changed in recent years, particularly regarding data protection, privacy and cyber security?

Mike Burgess: Governments and regulators are still adapting to this connected world and the law is still evolving. The Australian government has recently indicated strongly that it will introduce mandatory data breach notifications.

Kate Hughes: Governments want to treat the Internet and cyber security as though it has regional boundaries, which it doesn’t. Laws need to recognise that in fact data can easily be sent round the world in a matter of seconds. So I do think that regulation has kept pace.

But I also think it’s incumbent on the business community to take the initiative by having regular discussions about things such as privacy. For example, who owns the data captured by your Fitbit? If I share that information with my employer, could they usefully act on it? If I shared it with my health insurer, could they usefully act on it? The privacy legislation we’ve got now still doesn’t fully understand how personal information can be collected in a big data environment and how supposedly anonymous data could become re-identifiable with the right steps.

The extent of the risk has come as a bit of a culture shock for a couple of large Australian organisations that now have data that’s considered incredibly attractive to other countries and to other large companies. Cyber threats today are as much about industrial espionage as anything else.

Organisations are certainly going to have to increase their levels of data protection and risk mitigation, not because the regulator says so, but because their customers would not forgive them if their data was stolen.


Q: At the most senior level, what kinds of strategies are proving most effective for preparing for and ultimately combating cyber security threats?

Mike Burgess: At Telstra we refer to the ‘Five Knows of Cyber Security’: knowing the value of the data, where that data is, who has access to the data, who is protecting the data, and how well it’s protected.

And if you don’t know the answers to those five things, how can you possibly assess the business risk?

Kate Hughes: Yes, get away from the technical jargon and terms and seeing this as some kind of rare specialisation, when it is really a serious commercial business risk.

We need to talk about cyber risk in the same way that we talk about business resilience, privacy and safety as business risks.


Q: What are the main challenges to adopting an effective security strategy to prepare for cyber security threats?

Mike Burgess: People still believe this is a computer problem and therefore it’s not their responsibility and leave it to the IT department.

Kate Hughes: The challenge has been getting the first line in our business to be accountable. It’s really easy for us to sit here and talk about some really sophisticated hacking activity, but it can be as simple as the employee who gets an email and clicks on the link in an unsafe environment downloading malware or ransomware onto the computer.

Where we see people behaving badly or potentially not understanding what they are doing, they will get a friendly phone call from their security team to talk about what they did and how they might do it more safely.

They’ll also have a conversation with their risk manager. That will be about making sure the teams involved really understand what’s required and that our policies are well understood.


Q: Can adopting a strategic approach to data protection and privacy security improve other areas of the business?

Kate Hughes: Absolutely. No doubt about it. We have recently done some revisions to our cyber risk framework to align it more closely with our broader enterprise risk management framework. We cause significant customer dissatisfaction when we have an information security problem that often results in a privacy issue. It may also end up costing us money to compensate or take remedial action for the customer. We know we can achieve good business outcomes when we can look at this as a holistic situation rather than trying to deal with these risks in isolation.

We have had internal guidelines at Telstra for a very long time about how we report breaches to our customers. We also notified customers every time we feel that a customer has been at risk from a breach.

Mike Burgess: When we engage with a business, it’s not just cyber security that’s important. It’s about data management, where cyber security is important, but only one component of a greater range of things that can cause problems.


Q: What do CROs need to do to integrate emerging cyber security threats into an overall risk and response strategy?

Kate Hughes: The first thing you need to do is make sure your enterprise-wide assessment processes take cyber risk fully into account. You want your technical experts to be able to help you, but it’s the same as any other risk management strategy.

When you understand that risk at every level of your business, you can be sure that the management of a product release or the finalisation of a product is being done within a holistic risk management strategy.

This means understanding the cyber risk not just from a security perspective but from a privacy, data protection and commercial level. We make decisions every day not to retain certain bits of data because it’s too costly to and it’s not appropriate from a privacy perspective. If you have all of those voices in the room when you make those decisions, you’ll get a really good business outcome, especially if you know where to go to in your organisation.

Mike Burgess: Chief risk officers should not let cyber security risk become something special and different. It is just another significant business risk these days and if you take the same approach to the way businesses manage other significant risks, you’ll get a far more effective outcome. You can’t let it become special.


Telstra, Chief Risk Officer
Kate Hughes has responsibility for enterprise-wide risk management, security and compliance.

Telstra, Chief Information Security Officer
Mike joined Telstra in February 2013. He has more than 18 years’ experience fighting cyber-crime and espionage in government agencies at the forefront of national cyber security.


Idea in brief

  • Cyber security is a leadership issue first and foremost
  • Cyber security is a business risk – not an IT risk. Many businesses still regard cyber security as a technical issue that can be dealt with by IT departments
  • Business leaders need to understand the value of cyber security from a commercial perspective
  • Every department and all staff need to be aware of their responsibilities in an enterprise-wide security framework
  • Adopting a holistic approach to cyber security leads to positive business outcomes.

The digital era prompts a rethink within retail

The world of retail has been turned upside down with the advent of the always-on, globally-connected economy. Today’s consumers shop anytime they want and with a click of a mouse or tap of a phone they can purchase goods from across the street or around the world. As a consequence, the need to innovate to retain market share has become more apparent – and urgent.

Digital technologies have put the power firmly in the hands of the consumer, whilst also providing the impetus for new types of competition. Smartphones and the like have also prompted a rethink of the retailer/consumer relationship.


For retailers, who have traditionally been slow to respond to change, this era of rapid change has been challenging. However, it has brought with it many positives, such as facilitating closer relationships with digital shoppers, creating opportunities for new services and providing information that is helping retailers to work more efficiently.


Adding digitally to your shopping experience

Digital technology is already being used by a number of retailers to enhance and improve the entire shopping experience.

McDonald’s for example, has deployed a new digital entertainment concept that combines superfast in-house Wi-Fi with a McDonald’s instant app to open up a whole new world of news, entertainment, games and learning experiences for customers.

Customer responsiveness is also key to the new Myer Hub, which does everything from offering tired shoppers a coffee to suggesting clothes to try on in store and revealing a safe space where excess baggage can be stowed while shoppers continue to browse.

In a similar vein, Telstra’s own T-Shops have been rebuilt from the inside out to feature everything from wearable technology stylists to in-house baristas and pop-up community spaces, while slashing processing times.


Idea in brief

  • Retailers need to embrace innovation in the face of a consumer and competitive landscape that is being radically disrupted by digital technologies
  • Organisational structures that used to work in traditional retail organisations are not effective in today’s disruptive environments
  • An Innovation Index to benchmark and track against can be an effective tool for retailers to help drive innovation and change in their business
  • Fast-food chain McDonald’s, department store Myer and T-shop are just some of the retailers using technology to create a whole new customer experience
  • Three key overlapping technologies – Big Data analytics, mobility and the Internet of Things (and/or some combination of them all) – will shape the retail industry in the coming years

Download the report

Find out about how technology is changing the retail sector.


How to prepare for the Internet of Everything

When it comes to connected business, Cisco evangelist Aglaia Kong has three steps for ensuring success as the internet of everything becomes reality.

As the transition from IOT to IOE becomes more dramatic, Aglaia Kong says business leaders need to focus on the opportunities offered to their specific industry sector in order to shape, and ultimately to fully automate, user experiences.


“Once you get things connected together, you are naturally going to gather a lot of data and that’s when the transition happens from IOT to IOE.”
– Aglaia Kong, VP & CTO, IOE Solution, Cisco



Aglaia Kong
VP and CTO, IoE Solution

Once you get things connected together, you are naturally going to gather a lot of data and that’s when the transition happens from IOT to IOE, data analytics and then process automation, and then people experience.

So for business leaders I think depending on the verticals they’re in, what they really need to be mindful about is what is coming, if you look at IOT or IOE, at the conceptual level, the architecture is the same.

However the true challenges of IOE really fall into three categories.

One is how do you connect things because each one of the things talks different protocols.

So the connectivity and how you connect sensors becomes very vertical specific; that’s kind of challenge number one.

Then challenge number two is the type of problem you are solving for that particular vertical is also very different.

The third thing is really it needs to be vertical specific is that the business model is very different for the type of vertical you go after, because the value proposition you bring to that vertical is different.

You know, the business model for manufacturing is clear. If you help them to prevent downtime.

However, the business model is not necessarily clear when you go talk to the city mayor because you keep saying “I’m going to make your people happy”. Great – but who’s going to pay, right, for the infrastructure?

So that’s why, you know, we always have to get down to the vertical specific depending on what industry they are in.


Security conscious? Watch these three groups

There are many threats to information security. Telstra security specialist Jeremy Requena focuses on the people challenges businesses face.

For many, the term “security threat” conjures up notions of the mysterious workings of a shadowy underworld. But senior managers need to understand that real threats also come from people close to the organisation, including staff, IT specialists and external parties. Security consultant at Telstra Global Enterprise and Services Jeremy Requena says this is a three-pronged dilemma that needs to be identified and addressed.

As a senior manager, you may think you’re not part of the problem, yet Requena suggests senior managers might be contributing to the company’s cyber security dilemma in ways they don’t expect.

“When it comes to cyber security, a lot of people are pointing towards technology as the saviour with too little focus on people,” Requena says.

Here are three groups companies need to keep a close eye on:


End Users

Decisions made by end users are often poor, so user education is important, Requena says. Phishing emails succeed because users may open links or attachments, and people with administrative rights to their desktop can install any kind of software either deliberately or unknowingly.


IT Staff

IT staff are a complex case, because their level of access can have a significant impact on whether or not malicious activity is detected. Some system administrators are jacks-of-all-trades with fairly comprehensive access across organisational IT systems. These accounts have the corporate IT equivalent of the “keys to the kingdom”, and represent a significant threat to the company overall if they are targeted by a malicious third party, who can use this access to move around a corporate network largely undetected.

Many large organisations, however, use a stronger set of partitions, and different access rights, to make it more difficult for systems admins to move across different networks, making malicious or unusual behaviour easier to spot.

“A key part of it is people being trained well enough to use the technology in an effective way,” explains Requena. “It’s not the technology but how you configure it that matters – you can have the best-of-breed firewall but if it’s not configured right it’s all for nothing.”

Change management is a crucial issue: people need to know why their access is being limited or curtailed, otherwise they may look for ways to circumvent important security processes. Additionally, if processes become too lengthy and cumbersome, staff may look for shortcuts or avoid vital processes.


“When it comes to security, a lot of people are pointing towards technology as the saviour with too little focus on people.”
– Jeremy Requena, Security Consultant
Telstra Global Enterprise and Services


External Parties

Surprisingly, shady underground hackers often find a path into an organisation thanks to well-intentioned insiders. Requena says risks can also be introduced into an organisation by internal staff who are outside of the IT team and who may not have a deep understanding of security policies and requirements. In fact, he believes senior executives who have control over technology decisions can, unknowingly, place an organisation at risk.

“What I’ve found is a lot of C-level folks will go to a conference and come back with a new idea, yet there’s no good business case for doing things,” Requena says.

He cites the IT transition to the cloud and the bring-your-own-device trend as two trends that can unknowingly operate as entry points for malicious activity. In many cases, managers who are loath to be seen falling behind their peers rush to adopt new technology, and unknowingly leave the company vulnerable to attack from outsiders.

Requena sees the same issue with the rise of the Internet of Things. “It’s like we’re being made to react to situations that don’t exist or to change direction to fit the mould or mandate of someone who has heard what someone else is doing,” he says.


Senior security professionals need to focus on three groups:

  • End users – education is crucial, particularly around phishing emails and segregation of duties through user accounts
  • IT staff – find appropriately skilled staff and ensure you know what normal network behaviour looks like so you can spot anomalies
  • External influencers – hacking threats are one thing, but don’t be driven by emerging tech trends that don’t have obvious strategic value
