The global cybersecurity and privacy landscape continued to evolve at a rapid pace in FY23. We are seeing a generational shift in technology that can revolutionise the way we communicate with computers, significant data breaches, and increased pressure from governments and boards to address the ever-increasing levels of cyber risk.

Major cybersecurity breaches have impacted large-scale global providers, including both public and private organisations. Australia alone has suffered multiple large-scale data breaches that have impacted most of the population and prompted much-needed reforms in Australian privacy legislation as well as increased pressure on governments to help address cyber risk at a country level.

Artificial Intelligence (AI) burst into the public consciousness with large language models, such as ChatGPT, with an unprecedented adoption rate of more than 100 million active users in just two months. While AI has been embedded in certain cyber products for a number of years, the democratisation of this technology has raised legitimate concerns that this technology is being used to construct advanced cyberattacks, or that its misuse could lead to accidental breaches of personal or sensitive data.

All of these incidents have increased the focus on the need for cybersecurity and highlighted the importance of data privacy. This has led to an increase in the number of skilled cyber staff, despite a general decline in the demand for technology experts, which has further affected the current challenges in recruiting cybersecurity personnel. In FY23, we also expanded our operations in our newest markets with a clear focus on achieving the same level of cybersecurity maturity as the rest of the business.

Anticipating cybersecurity issues

To address the ever-evolving cyber and privacy risk landscape, we continue to review, improve and adapt our existing security controls. Our security focus during the recent financial year included:

• Developing a single bespoke cyber framework that addresses all of our contrasting regulatory and compliance requirements.

• Completing work to consolidate into a single, globally managed, endpoint protection product in all of our existing markets.

• Completing disaster recovery testing for our key online ordering system and services.

• Continuing to make progress with our ‘Ransomware Ready’ work programme.

Cybersecurity operations
We are committed to protecting the privacy of our customers, employees, shareholders and franchise partners by ensuring that we are not only alerted to potentially complex issues, but that our operational staff can respond quickly and effectively. This has been achieved by augmenting our staff through:

• The cyber function that is currently using AI to help us further enrich the information in alerts to allow for more junior members of staff to deal with more complex calls.

• Several security products that are using Machine Learning (a subset of AI) to analyse large amounts of data to identify and alert on patterns that may indicate an attack and reduce the number of false positives.

• Automation, which we are using to enrich existing calls for rapid decision-making as well as automatically remediating calls where appropriate (resulting in a 20% reduction in overall call volume).

Supporting our cyber community

As part of a global security and privacy community, it is important to work together towards a common goal that includes the ability to give back wherever possible. To achieve this, we are:

• Assisting local charities with cyber support

• Supporting local further education institutions

• Sharing knowledge with the wider cyber community

Priorities for the year ahead

• Continue to integrate our newest markets

• Continue our initial investigation into ISO27001 compliance requirements

• Maintain a clear focus on delivering cyber awareness training to our franchise partners and store employees

• Work towards increasing our ‘outside in’ vulnerability management to identify our unknowns

• Facilitate technology and services to support our Tier0 and Tier1 security operational services

Employ a chief data officer and personnel to oversee data security and governance.