Telstra identified “multiple incidences of malware” lurking in the IT systems of regional telco Digicel Pacific after recently acquiring the company, outgoing CEO Andy Penn has revealed while warning existing cyber security awareness spend is “too small” to protect Australia.

Noting the find after the controversial acquisition of the carrier was finalised in July – and adding that Telstra technicians similarly found malware on the network of telecommunications firm Pacnet after its 2015 acquisition – Penn told the National Press Club that the ubiquity of malware meant businesses and governments alike need to stay ever vigilant about escalating cyber threats.

“Fortunately, our cyber team is very experienced, and we are able to clean the networks and systems of any company that we acquire before we connect them to our networks,” he said.

“However, you would be surprised how many companies are not able to do this, and find that malware comes in and infects their home networks through a company they’ve acquired.”

Cyber security risk is everywhere, Penn warned, noting that the recent acceleration of digital transformation – and the looming “great leap forward in technology innovation” from 5G-connected people and systems – would create new types of exposure and demand that companies invest even more in educating their staff, and the public, about the risk.

“The overwhelming majority of attacks could be avoided, or their consequences mitigated, by a better informed and more cyber aware community,” he explained, calling it “critical that individual awareness is raised and good cyber defence hygiene practices are put in place to protect people.”

“These are very real threats, and they therefore need very real action.”

Yet while previous cyber security initiatives had produced “very positive” results, Penn said, “the resources and investments being committed to them are too small when considered in the context of the scale of the challenge.”

Cyber policy “needs more teeth”

Reining in that challenge will be a defining focus for cyber security policymakers as they process the recommendations of the newly tabled second report of the Department of Home Affairs-backed Cyber Security Industry Advisory Committee (IAC), of which Penn is chair.

That panel’s engagement with cyber security policy has helped track the outcomes of the government’s Cyber Security Strategy 2020, which put Australia’s national cyber security policy on the front foot with major investments in cyber security skills, protection of critical infrastructure, and the $10 billion REDSPICE initiative that will recruit hundreds of government cyber security specialists.

Penn welcomed the government’s recent decision to overhaul cyber policy, made by new Minister for Cyber Security Clare O’Neil, who recently warned that Australia’s cyber industry remains “quite fragmented” and is lacking “that backbone that real, genuine, serious government engagement is going to give you. Because when you think about cyber security, it’s everything and it’s everywhere.”

That approach to cyber policy dovetails with the new IAC report, whose recommendations include “empirical, data-driven” evaluation and measurement mechanisms; supporting SMEs to improve their cyber security practices; progress on the stalled Best Practice Regulations Taskforce; improvements in workplace readiness; and uplift of critical infrastructure with strong industry consultation.

Treating cyber security as a government priority and hardening government systems will be crucial in setting the pace for the entire industry, the report adds, noting that “it is important that government is a cyber security exemplar.”

“Industry support will be harder to enlist if Government is not seen to be lifting its own defences at the same rate it is expecting businesses to.”

Penn echoed those sentiments, warning that “there are crucial areas where more needs to be done, either because insufficient progress has been made, or because of the evolving threat landscape.”

One particularly challenging initiative had been the establishment of capital-city Joint Cyber Security Centres (JCSCs), which were initially created under the government’s Cyber Strategy 2016 but had failed to maintain momentum over time.

“Progress in establishing and maturing the JCSCs has been more protracted than we had hoped it would be,” Penn said, “but the important REDSPICE program is now an opportunity to leverage and accelerate these.”

“Ensuring industry leaders also remain key partners in the governance and directional focus of the JCSCs will enable the government to maintain focus on what the pressing issues are across the industry.”

Another key initiative, the Cyber Hubs program – which has developed cyber security centres of excellence in six government agencies and will see another established in the ATO before the pilot ends on 31 December – “needs to be given more teeth and their way of work needs to be accelerated,” Penn said.

Delivery of the report comes just days before Penn steps down from his role as Telstra CEO, where in nearly eight years he has overseen the pivoting of the company into a more agile, post-NBN business that is leaning more heavily on cyber security and other services.

Telstra has recently stepped up its blocking of scams, while last month Penn made good on a promise to repatriate thousands of contact centre jobs to Australia, after staffing disruption at overseas outsourcers exacerbated plummeting customer satisfaction.