ANZ cyber audit reviews staff access to critical systems
ANZ Bank has hired external auditors to investigate controls around staff access to critical technology platforms, following claims that some former employees retained backdoor access to internal systems after their contracts ended.
The country’s fourth-largest bank has enlisted audit giants KPMG and PwC for the job and, over the past 12 months, launched a recruitment drive to hire specialist staff working in ‘access and identity management’ to lift controls around staff access to internal systems.
Major banks are fending off thousands of cyberattacks per day, a volume that has drastically increased during the pandemic, and are investing hundreds of millions of dollars in building and updating digital security. However, the Reserve Bank of Australia warned this month a successful cyberattack against one of the country’s biggest banks was “almost inevitable”.
ANZ Bank has hired auditors to review staff access to internal systems. Credit: Wolter Peeters
Across all banks, unauthorised access to internal systems creates cybersecurity risks because it can permit outsiders to obtain or monitor sensitive information, including customer data or intellectual property, that can be sold on the black market. Hackers can also use unauthorised access to infiltrate a bank’s systems and remain dormant for months, collecting or manipulating internal data before mounting a ransomware attack.
An ANZ spokesman said cybersecurity is one of the bank’s “highest priorities” and it has multiple layers of controls that “all work together to protect the bank and our customers”.
“ANZ has automated processes that terminate critical system access when staff members or contractors leave ANZ. This process has been tested and audited by both internal and external teams and found to be effective,” the spokesman said. “ANZ also has a specialist team to monitor for and manage any data breaches across the bank and there have been no material breaches related to ANZ employees or contractors that have left the bank.”
However, multiple ANZ sources said the bank’s ageing technology systems and out-of-date human resources records have compromised the bank’s ability to monitor staff access, allowing former employees to slip through the cracks and retain access to critical systems.
“It’s not like bank robbery where they come with guns and start robbing a bank from the front end. Now they’re being really smart, they’re going in from the back,” said one source, who could not be named because they were not authorised to speak publicly.
Former and current ANZ employees claim the bank has a culture of embedding security controls into operations, using the US-built technology platform Splunk as well as custom-built analytics tools to detect and flag unauthorised access.
However, offshore technology developers on short-term contracts are one cohort who have managed to evade these controls, which sources claim could have wider implications for the bank’s cybersecurity protections.
“It’s the front door. Access management is the outer layer to prevent attacks. If that’s compromised, many other subsequent layers will be exposed. That’s why it’s important to get it right,” said another source. “Sometimes with rushed development work, there is privileged access that is not deleted or removed after. Since the development work had been done offshore, a lack of documentation leads to lack of visibility.”
A disclosure report published in November last year shows ANZ hired KPMG technology specialists in New Zealand to stress-test a range of the bank’s operations, including “design and operating effectiveness testing of controls across the user access management lifecycle”.
“Including how users are on-boarded, reviewed, and removed on a timely basis from critical IT applications and supporting infrastructure. We also examined how privileged roles and functions are managed across each IT application and the supporting infrastructure.”
Accounting giant PwC has also been retained by the bank to run ongoing programs to improve the bank’s approach to identity management – tightening processes like password rotation and multi-factor authentication, according to multiple sources.
This year, ANZ’s “return to work” program, which aims to increase the number of women working in technology, advertised a number of roles in ‘identity and access management’ across its India, Australia and New Zealand offices. These roles focused on securing and controlling privileged access to ANZ’s critical technology assets through its CyberArk system, according to job descriptions published online.
An ANZ spokesman said the bank uses a range of monitoring and analysis tools and continuously upgrades capabilities to respond to changing threats. “We also recognise that our people are our first line of defence and embedding a culture of security across the bank is important with extensive education programs to help everyone do their bit to keep us secure,” the spokesman said.
COVID-19 has seen a number of high-profile ransomware attacks against companies, including Toll Group and US oil major Colonial Pipeline, which have refocused the debate on how critical infrastructure firms should respond to organised digital criminals.
ANZ chief information officer Lynwen Connick in June warned that paying ransoms would only increase attacks, but declined to weigh in on whether the government should mandate greater disclosure.
The federal government is currently working on a bill to amend cybersecurity laws to impose a range of reporting obligations on companies to disclose hacks and give public agencies the ability to access networks to fend off attacks once an emergency is declared.