Cybersecurity comes of age at BPAY Group

- By Collaborative Media & Publishing
Cybercrime is exploding around the world, yet one of the first recorded instances of a computer break-in happened way back in the 1980s.

The classic book The Cuckoo's Egg tells the true story of how a 75c accounting error discovered at California's Lawrence Berkeley National Laboratory ultimately led to the unmasking of a German hacker stealing information for the Russians.

"Even though the book and the technology references are all very old, the interesting thing is the issues we're facing today haven't changed much," says BPAY Group Head of Information Security, IT Risk and Governance, Trevor Cushen.

"You've still got the people moving data between computers and determined people trying to attack you."

Understanding and managing cyber risk is one of the reasons BPAY Group remains one of the most trusted brands in Australia. The organisation processes an average of 1.5 million bill transactions valued at $1.5 billion each day and has launched a range of innovative services, including real-time payment service Osko®.

Safeguards: awareness and training

With such a broad and growing business footprint, taking a whole-of-business approach to cybersecurity is crucial.

"The big focus at BPAY Group is around staff awareness," Cushen says. "We work closely with the marketing and legal teams to make sure that the message is clear: cybersecurity is a business requirement. Our staff have really embraced that."

Cushen says BPAY Group produces monthly videos about security awareness and holds a week-long annual security awareness event that also involves the risk, legal and marketing functions.

"At those events we do presentations on how exactly systems can be compromised, so it's very interactive and people engage very well, which is great because the end user is always going to be the greatest risk with data."

While direct cyber-attacks are always a threat, simple human errors such as clicking on a phishing email or reusing passwords across services account for about one in three data breaches, according to the Office of the Australian Information Commissioner's June 2019 quarterly report.

"At BPAY Group we are focused on ensuring that staff awareness is high and they remain vigilant against cyber threats. I get notified every day by somebody going 'I think this is spam' and some of that spam is quite sophisticated. I've even received some where I'm pretty sure I didn't enter a competition to win an iPhone."

Strengthening the cyber framework

APRA recently announced that improving cyber resilience across the financial system is one of four areas it will focus on. It also unveiled a new prudential standard, CPS 234 Information Security, which outlines how organisations should tackle cyber risk.

BPAY Group is owned by the big four banks, and there are more than 150 financial institutions in the BPAY Scheme, so it applies many of the same cybersecurity standards and principles.

Cushen says BPAY Group has upgraded its anti-virus capabilities across the entire organisation, so if someone does accidentally click on a phishing link, it is quickly identified and quarantined.

"Then we can go to that person and say 'look, no damage has been done, but just be aware that it is actually a virus and here's why'."

Cushen says it's more important to have a strong framework in place than to react to media headlines, such as the WannaCry ransomware attack, which quickly spread around the world in May 2017.

BPAY Group has been steadily strengthening its own framework over the past two years. It has maintained certification under the Payment Card Industry Data Security Standard (PCI DSS) for several years and has now applied that methodology across its entire environment.

It also applies other globally-recognised standards to measure its security, such as the National Institute of Standards and Technology's (NIST) cybersecurity framework and ISO 27001, which outlines the controls involved in an organisation's information risk management processes.

Cushen says those standards can also be valuable for other organisations, allowing them to set their own cybersecurity benchmarks relative to the maturity of their business and the specific risks they face.

"Standards allow organisations to step away from what their opinion of good security is based on international best practice. It's then easier to plan because you know where you're going."


This article represents the views and opinions of the author and does not necessarily reflect the opinions of BPAY. Published by BPAY Pty Ltd. BPAY payment products are offered by over 150 Financial Institutions. Contact your Financial Institution to see if it offers BPAY payment products and to get the terms and conditions. This is general advice – before using BPAY payment products please review the terms and conditions and consider whether BPAY payment products are appropriate for your personal circumstances.
