Super funds treat cyber protection as ‘tick-a-box’ rather than preventing a bank robbery: Verizon
Cybersecurity provider Verizon has released its annual Data Breach Investigations Report showing more than 22,000 cyber attacks across 139 countries and says complacency is rife.
As AustralianSuper and Prime Minister Anthony Albanese attempt to dampen the biggest cyber attack on Australians’ retirement savings, one of the world’s top cybersecurity providers has warned of growing complacency from governments and companies about online threats.
Verizon regional vice-president Rob Le Busque said too many companies treated cybersecurity as a tick-a-box compliance exercise rather than a serious threat akin to a bank robbery.
Financial and corporate regulators repeatedly warned AustralianSuper and other industry funds that their online defences weren’t up to scratch before last month’s attack.
Mr Le Busque said this was different to security at banks, which has evolved from merely training staff to installing physical barriers, screens and time locks to ward off robbers. He said companies needed to take a similar approach to cyber security.
But AustralianSuper has moved to distance itself from previous large-scale attacks – such as the one that hit Optus in late 2022 – saying only 10 of its members’ accounts were compromised, with about $750,000 stolen.
The Prime Minister and Home Affairs Minister Tony Burke also appeared unbothered, with Mr Albanese saying cyber attacks happen “all the time”.
But Mr Le Busque said such attitudes were unhelpful.
He was speaking as Verizon released its annual Data Breach Investigations Report, which analysed more than 22,000 cyber attacks in the past year across 139 countries.
The report reveals that state-sponsored hackers were targeting Australia and the broader Asia-Pacific more than any other region, underscoring the need to strengthen cyber security.
“The analogy we sometimes use is you can’t afford to leave even one window open on your house because even the smallest entry point can create a really significant issue for you,” Mr Le Busque said.
“I was talking to a colleague … whose mother was a bank teller in the ’70s. They would be sent to the shooting range twice a year. They had to qualify to hold a handgun in the branch. And then they introduced better protections and screens.
“It’s that mindset, or thinking about that same approach when it comes to cyber – not just compliance … thinking about those firm protective measures that you can put in place that harden your cyber security and your overall posture.”
Financial and corporate regulators repeatedly warned Australia’s industry super funds. For instance, multi-factor authentication was either absent or not compulsory for protecting members’ accounts. “Multi-factor authentication should not be optional,” Mr Le Busque said.
State-sponsored hackers were responsible for about 37 per cent of attacks in the region – up from about 25 per cent the previous year. “The rest of the world is about 17 per cent,” he said.
Mr Le Busque said state-sponsored hackers were targeting the Asia-Pacific more than other regions because it was easier to access corporate data.
“If you’re trying to hack into the corporate headquarters in Europe or the US, it might be a very difficult task,” he said.
“But hacking into their third-party manufacturer or someone else that sits in the supply chain in the Asia-Pac region probably offers a softer target, a higher percentage of success in breaking in and getting that information.”
Mr Le Busque also warned about the dangers of using artificial intelligence platforms such as ChatGPT, saying even a “selfie” uploaded to create a Barbie doll rendering of yourself could be used to stage cyber attacks.