When Matthew Bottaro joined Westpac almost 18 years ago as one of the bank’s first “ethical hackers”, he never predicted he’d be leading a team of around 40 internal and contracted hackers working around the clock to keep cyber criminals at bay.
“Back then, we were doing probably a handful of ethical hacks in a year,” says the penetration testing expert and Westpac senior information security manager.
“Now we’re doing literally hundreds per year, hacking every single day, day in and day out, with new technology and hacking techniques emerging constantly, and a lot of work coming down the pipeline.
“The routine then compared to now – it’s like night and day.”
Westpac is by no means alone in expanding its team of ethical hackers – sometimes known as “white hat hackers” – whose job is to find vulnerabilities and “attack pathways” in the bank’s digital applications and infrastructure before they can be exploited by criminal hackers.
In fact, a quick job search shows it’s a role in hot demand by most large companies around the world, it’s a skill starting to be taught in schools and it’s even possible to be qualified as an “Offensive Security Certified Professional” – trends that are not surprising given malicious cyber incidents are constantly making headlines.
In Australia, a cybercrime report was made every 10 minutes on average to the Australian Cyber Security Centre during the year to June 2020, according to its Annual Cyber Threat Report. At a global level, research firm Juniper estimates more than 33 billion records will be stolen by cybercriminals in 2023, compared with 12bn in 2018.
To date, the security controls of major Australian banks, insurers and superannuation funds have staved off any material cyber breaches, but swelling numbers of high-profile incidents show the threat is not going away.
Just last month, the Reserve Bank of New Zealand revealed a malicious illegal breach of one of its third-party systems, not long before a similar incident occurred at the Australian Securities and Investments Commission. Meanwhile, Rio Tinto and an Australian state government department were among 1800 organisations dealing with malicious code emanating from an attack on a small US-based tech firm SolarWinds, and last year cyber criminals knocked New Zealand’s stock exchange off-line for a few days, logistics company Toll Group was forced to temporarily shut services down after an attack, and media monitoring agency iSentia’s services were also interrupted.
“Our job is to secure the bank and make it harder for a hacker to do what they do,” says Bottaro, hired in 2003 by Westpac’s chief information security officer Richard Johnson when he was head of technical security services.
“It's about identifying where we need to focus our resources to remediate or improve detection or alerting capability if somebody was to have a go at Westpac.”
“Ethical hacking” – a term said to have been coined by IBM Vice President John Patrick in 1995 – is no longer just an operational imperative.
It’s a regulatory requirement.
In November, in a speech marking the release of the Australian Prudential Regulation Authority’s five-year cyber security strategy, APRA executive board member Geoff Summerhayes warned enforcement would be taken against banks, insurers and super funds that fail to meet its prudential standard on cyber security known as CPS 234 which took effect in 2019. Among its requirements are to test the effectiveness of information security controls through a systematic testing program – essentially the role played by Bottaro’s team of technical experts who actively seek out potential system weaknesses before they can be exploited.
Mr Summerhayes said APRA was “acutely aware” attempted cyber-attacks were being warded off by financial institutions on a daily basis but cautioned that "it’s only a matter of time". In fact, a recent report by the Bank for International Settlements, found that since the COVID-19 pandemic began, the financial sector globally had been targeted by hackers relatively more often than other sectors, as criminals attempted to capitalise on the mass movement of employees to working from home where laptops may be easier to compromise.
“With the accelerating transition to a digital economy opening up new connections for criminals and bad actors to exploit, and ever-increasing reliance on the virtual world, we can expect no let-up in this fight," Mr Summerhayes said.
While Bottaro acknowledges Westpac had detected a greater number of “phishing” and malicious emails – where criminals masquerade as trusted entities and dupe victims into providing sensitive data like passwords or banking details – he says his team of ethical hackers have upped regular efforts to test controls and alert employees of the dangers through regular internal “spear phishing” simulations. “We will even use online information, such as social media, to make those emails look more real,” he says.
Education like this plays a huge role in the fight against cyber criminals, says Bottaro adding that milestones like tomorrow’s Safer Internet Day provide good opportunities to highlight the importance for employees, customers, friends and family of protecting their digital lives from criminals. He confesses a few (virtual) high fives fly around when a team member unearths a vulnerability that took a lot of thinking, effort and understanding of new hacking techniques, before moving swiftly to remediate issues and use it as a teaching opportunity.
“People can be very generous in the amount of information they provide publicly on the internet, which can be used by malicious people,” says Bottaro, who recommends the Safer Internet Day online resources provided by the eSafety Commissioner particularly around protecting personal information and social media profiles.
“You've got to balance having your online profile out there, say for career purposes or staying in touch with friends, but make sure people aren't going to abuse that. Fortunately, many social media platforms allow you to protect your privacy through features like privacy settings and location services.”
When asked whether he thinks there may be a point when there are more ethical hackers than criminals, Bottaro gives a considered reply.
“Criminal organisations might still outweigh us in terms of numbers, but luckily some of the best information security experts have dedicated their careers to keeping information safe.”
Emma Foster is a freelance writer. Previously, she led Westpac Wire and was a key contributor until December 2022. Prior to joining Westpac in 2013, she spent almost 20 years in corporate affairs and investor relations, primarily in large financial services and consultancy firms, in Australia, UK and Europe. She is also a photographer and podcaster.
{"topicSelector":[{"tagId":"newsroom:topics/economy","name":"economy","description":"Explore more Economy insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Economy","url":"/news/topic.economy/"},{"tagId":"newsroom:topics/banking","name":"banking","description":"Explore more Banking insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Banking","url":"/news/topic.banking/"},{"tagId":"newsroom:topics/digital","name":"digital","description":"Explore more Digital insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Digital","url":"/news/topic.digital/"},{"tagId":"newsroom:topics/workplace","name":"workplace","description":"Explore more workplace insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Workplace","url":"/news/topic.workplace/"},{"tagId":"newsroom:topics/diversity","name":"diversity","description":"Explore more Diversity insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Diversity","url":"/news/topic.diversity/"},{"tagId":"newsroom:topics/sustainability","name":"sustainability","description":"Explore more sustainability insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Sustainability","url":"/news/topic.sustainability/"},{"tagId":"newsroom:topics/community","name":"community","description":"Explore more community insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Community","url":"/news/topic.community/"},{"tagId":"newsroom:topics/technology","name":"technology","description":"Explore more Technology insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Technology","url":"/news/topic.technology/"},{"tagId":"newsroom:topics/property","name":"property","description":"Explore more Property insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Property","url":"/news/topic.property/"},{"tagId":"newsroom:topics/innovators","name":"innovators","description":"Explore more Innovators insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Innovators","url":"/news/topic.innovators/"},{"tagId":"newsroom:topics/sme","name":"sme","description":"Explore more Small Medium Enterprise insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"SME","url":"/news/topic.sme/"},{"tagId":"newsroom:topics/westpac","name":"westpac","description":"Stories featuring Westpac corporate news.","title":"Westpac","url":"/news/topic.westpac/"},{"tagId":"newsroom:topics/leadership","name":"leadership","description":"Explore more Leadership insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Leadership","url":"/news/topic.leadership/"},{"tagId":"newsroom:topics/covid19","name":"covid19","description":"Stories influenced by the COVID-19 pandemic.","title":"COVID-19","url":"/news/topic.covid19/"},{"tagId":"newsroom:topics/investing","name":"investing","description":"Explore more Innovators insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Investing","url":"/news/topic.investing/"},{"tagId":"newsroom:topics/startups","name":"startups","description":"Explore more Startups insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Startups","url":"/news/topic.startups/"},{"tagId":"newsroom:topics/agribusiness","name":"agribusiness","description":"Explore more Agribusiness insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Agribusiness","url":"/news/topic.agribusiness/"},{"tagId":"newsroom:topics/billsbites","name":"billsbites","description":"Explore more insights from Bill Evans at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Bill\u0027s Bites","url":"/news/topic.billsbites/"},{"tagId":"newsroom:topics/data","name":"data","description":"Explore more data insights at Westpac Wire.","title":"Data","url":"/news/topic.data/"},{"tagId":"newsroom:topics/personalfinance","name":"personalfinance","description":"Explore more insights about personal finance, financial literacy and financial wellbeing. ","title":"Personal finance","url":"/news/topic.personalfinance/"},{"tagId":"newsroom:topics/payments","name":"payments","description":"Explore more Payments insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Payments","url":"/news/topic.payments/"},{"tagId":"newsroom:topics/environment","name":"environment","description":"Explore more Environment insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Environment","url":"/news/topic.environment/"},{"tagId":"newsroom:topics/fintech","name":"fintech","description":"Explore more Fintech insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Fintech","url":"/news/topic.fintech/"},{"tagId":"newsroom:topics/scams","name":"scams","description":"Stories about the latest cyber scams news and trends. ","title":"Scams","url":"/news/topic.scams/"},{"tagId":"newsroom:topics/politics","name":"politics","description":"Explore more Politics insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Politics","url":"/news/topic.politics/"},{"tagId":"newsroom:topics/regulation","name":"regulation","description":"Explore more Regulation insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Regulation","url":"/news/topic.regulation/"},{"tagId":"newsroom:topics/career","name":"career","description":"Stories providing career insights, tips and trends.","title":"Career","url":"/news/topic.career/"},{"tagId":"newsroom:topics/social-enterprise","name":"social-enterprise","description":"Stories relevant to or featuring social enterprises.","title":"Social enterprise","url":"/news/topic.social-enterprise/"},{"tagId":"newsroom:topics/indigenous","name":"indigenous","description":"Explore more indigenous insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Indigenous","url":"/news/topic.indigenous/"},{"tagId":"newsroom:topics/superannuation","name":"superannuation","description":"Explore more Superannuation insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Superannuation","url":"/news/topic.superannuation/"},{"tagId":"newsroom:topics/wellbeing","name":"wellbeing","description":"Stories featuring wellbeing trends, insights and stories.","title":"Wellbeing","url":"/news/topic.wellbeing/"},{"tagId":"newsroom:topics/reinventure","name":"reinventure","description":"Explore more Reinventure insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Reinventure","url":"/news/topic.reinventure/"},{"tagId":"newsroom:topics/westpac-scholars","name":"westpac-scholars","description":"Stories featuring Westpac Scholars. ","title":"Westpac Scholars","url":"/news/topic.westpac-scholars/"},{"tagId":"newsroom:topics/asia","name":"asia","description":"Explore more Asia insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Asia","url":"/news/topic.asia/"},{"tagId":"newsroom:topics/podcast","name":"podcast","description":"Explore Westpac Wire\u0027s podcast series.","title":"Podcast","url":"/news/topic.podcast/"},{"tagId":"newsroom:topics/businesses-of-tomorrow","name":"businesses-of-tomorrow","description":"Stories featuring Westpac Businesses of Tomorrow program winners. ","title":"Westpac Businesses of Tomorrow","url":"/news/topic.businesses-of-tomorrow/"},{"tagId":"newsroom:topics/history","name":"history","description":"Stories unearthed from Westpac\u0027s private archival collection. ","title":"History","url":"/news/topic.history/"},{"tagId":"newsroom:topics/tax","name":"tax","description":"Explore more tax insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Tax","url":"/news/topic.tax/"},{"tagId":"newsroom:topics/opinion","name":"opinion","description":"Expert opinions and insights. ","title":"Opinion","url":"/news/topic.opinion/"},{"tagId":"newsroom:topics/goodpair","name":"goodpair","description":"Explore more Good Pair stories, showing two people making a big difference together. ","title":"Good Pair","url":"/news/topic.goodpair/"},{"tagId":"newsroom:topics/deals","name":"deals","description":"Explore more Deals insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Deals","url":"/news/topic.deals/"},{"tagId":"newsroom:topics/analysis","name":"analysis","description":"Expert analysis on economic news and other trends.","title":"Analysis","url":"/news/topic.analysis/"},{"tagId":"newsroom:topics/veterans","name":"veterans","description":"Explore more insights about defence force veterans at Westpac Wire.","title":"Veterans","url":"/news/topic.veterans/"},{"tagId":"newsroom:topics/IWD","name":"IWD","description":"Stories focusing on International Women\u0027s Day, on 8 March annually. ","title":"IWD ","url":"/news/topic.IWD/"},{"tagId":"newsroom:topics/currencies","name":"currencies","description":"Stories providing currencies insights, tips and trends.","title":"Currencies","url":"/news/topic.currencies/"},{"tagId":"newsroom:topics/rework","name":"rework","description":"Stories of businesses pivoting in the face of the COVID-19 pandemic.","title":"Rework","url":"/news/topic.rework/"},{"tagId":"newsroom:topics/luciscall","name":"luciscall","description":"Explore more insights from Westpac\u0027s chief economist Luci Ellis at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Luci\u0027s Call","url":"/news/topic.luciscall/"},{"tagId":"newsroom:topics/10Qs","name":"10Qs","description":"\"10Qs with...\" is a series that asks leaders what makes them tick.","title":"10Qs","url":"/news/topic.10Qs/"},{"tagId":"newsroom:topics/quarterlife","name":"quarterlife","description":"Explore more Quarter Life insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Quarter Life","url":"/news/topic.quarterlife/"},{"tagId":"newsroom:topics/commodities","name":"commodities","description":"Insights into commodities markets.","title":"Commodities","url":"/news/topic.commodities/"},{"tagId":"newsroom:topics/shareholders","name":"shareholders","description":"Stories relevant to Westpac shareholders.","title":"Shareholders","url":"/news/topic.shareholders/"},{"tagId":"newsroom:topics/climate","name":"climate","description":"Explore more climate insights at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"Climate ","url":"/news/topic.climate/"},{"tagId":"newsroom:topics/esg","name":"esg","description":"Explore more insights on environmental, social and governance issues at Westpac Wire. Subscribe to the Westpac Wire newsletter to stay in the know.","title":"ESG","url":"/news/topic.esg/"},{"tagId":"newsroom:topics/boardwalk","name":"boardwalk","description":"A series of in-depth podcast interviews with board directors to find out what\u0027s on their minds. ","title":"Board Walk","url":"/news/topic.boardwalk/"}]}
