Monthly Archives: June 2018

The importance of creating Cyber Security Awareness across the organisation

Welcome to The Art of Service series on cybersecurity risk management.

My name is Ivanka Menken and today’s conversation is with Mr. Mike Ouwerkerk. Mike has been in I.T. since 1998, working across roles such as I.T. support, business analyst, system administrator, I.T. manager, I.T. consultant and virtual C.I.O. It was from the virtual C.I.O. role that his interest in cybersecurity developed, as many of his clients were repeatedly incurring significant costs due to cybersecurity breaches. He developed a short, fun and engaging onsite training course, found that it was well received, and formalized it as an offering in its own right as “Web Safe Staff”.

His core focus now is cyber security awareness for staff. If you like Mike’s approach to cyber security and would like to reach out to him after this video, his website is www.websafestaff.com.au. I hope you enjoy this conversation, and welcome Mike.

Ivanka: Thank you so much for your time and for agreeing to have a chat with me. So, tell me a little bit more. You were a virtual C.I.O., and that sort of sparked your interest in cybersecurity.

Mike: Yeah. I got into virtual C.I.O. work and I.T. management, went into consulting and then started off as a virtual C.I.O. myself. And it probably started a few years ago that I started noticing that my clients were getting hacked, a lot. I mean, A LOT. Some of them, like, not serious or anything, but even potentially unwanted programs and a bit of malware, the cost of that was pretty cumulative by the time you actually added up the cost for all that stuff. It was pretty scary.

So even small companies, like a five-person company I did a little bit of work for, the cost for the I.T. support to come in and fix that stuff was about $3,000 a year. So I said I’ll put something together for you and see how it goes. So I chucked a course together and had a reasonable think about it. Turned out it was pretty good. I liked it. I did a study on it and worked out that they saved quite a bit of money, just by doing that course. The unfortunate thing was, of course, one person didn’t turn up to the course, and they kept getting breached through that person. Um, other than that it went really well and they did save a lot of money. So yeah, I turned it into Web Safe Staff. There’s a need out there for this stuff; there just isn’t enough awareness of it.

Ivanka: Saving quite a bit of money through that course… is that where most organizations can save the most money, really the awareness of people around cyber security?

Mike: The stats are pretty compelling around this stuff. It varies depending on what you look at. But up to 85% of breaches are because of staff clicking on something they shouldn’t.

That’s a pretty massive stat. So you work out the cost of that, it’s pretty eerie. You know, you’ve got your malware and you’ve got your phishing and you’ve got your physical security threats. But most of the stuff comes through the staff now. The cost is pretty staggering when you actually add it up. So like I said before, even the little bits, when you add those up, it just comes to a big amount. What people don’t realize is, you know, you’ve got your staff and they’ve been sitting there with a virus on the computer, or maybe a few people are impacted. You’ve got downtime costs, you’re paying for that.

Then you’ve got things like, you know, someone rings up the client: “Hang on, I’m just on with I.T. support, I’ve got a virus on the computer.” You know, people like to talk about stuff like that. Suddenly you’ve told your clients that you’re not good at managing their data. The downtime costs, it’s just made it about 3.4 times the actual repair costs. You’ve got a whole range of costs that basically, you know, total up to something not nice. And then where it gets really nasty is when you get a major breach. And then you say basically, “Look, now we’re going to go to our D.R. and B.C.P.” So, disaster recovery, business continuity planning.

  • Do our backups actually work?
  • Have we been testing that they worked?
  • Now we’re going to do a restore. Does the restore process work?

This is where companies get called out. They have a major breach, they don’t know that their backups work, they don’t test their restores, they find they can’t restore, and the company is nothing without its data. So then they go bankrupt. That’s a big deal to think that someone can click on something and suddenly you’ve got no company a few months later.

Ivanka: So in your experience as a virtual C.I.O., is this an occurrence that happens often? Or, you know, when you are an organization that has a C.I.O. role, does that organization have an I.T. department that is robust enough to deal with most of these types of attacks?

Mike: It really varies depending on the organization and how seriously they take this stuff. Some organizations, especially the smaller ones, just put on the free antivirus and have this service and just kind of pray. They say now it’s not a matter of if it will happen but when, and how bad.

This is where I’m slowly getting to with my Web Safe Staff offerings. It’s almost a cultural shift for companies now. You can’t just think of it in isolation. So I say here’s your cybersecurity awareness stuff for staff. And that’s really important. But obviously there are other parts that tie into that. They have to have the good tech, they have to have management on board for this stuff. They have to have risk management frameworks, and everything has to be tied together. You’ve got to have champions of that stuff to make it a cultural shift in the organization. So that’s, you know, if a company’s doing everything right, then they’ll still get breached. It’s going to happen. The hackers are always ahead of us. That’s the way it works. What you have to do is try and minimize the chance of being breached, and when it does happen, be prepared for it so that you can recover. So yeah, it’s not a matter of if, it’s just when.

Ivanka: Yeah. And do you have a different approach depending on the size of the organization? Like when you work with small to medium enterprises as opposed to a company with 150, 200 or 500 staff?

Mike: So my course is pretty structured in that it’s a base of about two hours. And in that two hours I cover pretty much everything people need to know. And like I said, you can’t train for everything. What you can do is try and keep people engaged for two hours so they learn something. So, you know, I know the bigger companies say “we’ll do an online course.” I don’t do that, because you can’t engage people. So if I get a bigger company saying, you know, “what do you do for us?” Same thing. But you need your people alert. So they need to be engaged; it’s going to be fun, it’s going to be interactive. The part we’ll change, maybe, is, you know, they might want metrics; some of them might want phishing simulations. They might want certificates, they might want tests at the end. So that stuff is easy. But it’s the base thing, just teaching people stop, think, act; giving them rules around how to think before they act and making sure that they are, unfortunately, suspicious by default. Which is a horrible place to be, but we kind of have to be there.

Ivanka: So, suspicion by default. How do you train people to do that? Because when you get emails in from trusted vendors or partners or suppliers you’ve been working with for a really long time, how do you teach people to no longer trust that email conversation?

Mike: There’s a whole host of rules that you can use. So some things don’t change, right? So you’ve got things like email credibility. You can work out if an email is likely credible or not credible: “What’s the from address? Is it recognized? Has it got links that are different to what it shows in the link text? Does it ask for information?” So you can balance that up in two columns and make reasonable decisions. You can also look at the URLs in emails and make a decision there. What gets harder, like you mentioned, is the trust factor.

This is where the social engineering comes in. So you get companies that might ring up and say, “Hi, look, I’m Bob from this company that you deal with. Just introducing myself.” There’s a bit of trust. They haven’t asked for any information, I haven’t given you any information. I might do that five times before they actually say, “Hey, we’re going through a financial restructuring. We’re going to be changing our bank account. I’ll get back to you in a week.” By that time you’ve spoken to Bob, you know, quite a few times and you haven’t checked whether he has a dog and stuff. And suddenly it’s like “We don’t trust Bob,” and he rings up: “OK, cool. Here are our bank account changes.” That sort of stuff you handle procedurally. I talk about this as information flows. The way information flows out of your organization, there are rules around it. The way information comes into your organization, there are rules around it. So if that information has a major impact or potential major impact on your organization, you have to have a policy that says, “This is what we do to clarify that information is OK.” So you’re basically going to ring up some published public number, ring the finance department: “Can I speak to… blah, blah, blah? I’m the head of accounts,” or whatever. And just confirm the details. So that’s an example of a procedure you would have for that. It comes back to the organization, to go through a process of working out that sort of stuff and decide how we’re going to handle it.

Ivanka: So when you walk people through your course, what’s the biggest “ah-ha” moment for your students? What is the biggest piece of content or knowledge that you give them, where they go “I never even thought of that!”?

Mike: I wouldn’t say there’s actually just one, because there’s a whole lot of them, unfortunately. And it’s really quite scary. I mean, most people are reasonably aware now that there are scam emails, but they still get tricked. So, you know, one of the good ones is how to read a URL. A lot of people don’t know how to read that. There are three-step rules around how to read it. So, you know, if it says www.Paypal.com.au- … something or other, it’s not going to Paypal.com.au. You have to go to http://, country code, come back three dots. And it’s all between there. So I show them that stuff. They’re like, “oh, okay.” They’re looking at this thing going “oh, it goes to PayPal,” not realizing it goes to, you know, iu.com or something or other. There’s a whole heap of stuff. It’s a weakness for a reason, because people aren’t aware of it. It’s quite staggering the number of ways they’ll try and scam you. There are so many different ways, and I think the social engineering stuff, that’s the scary stuff now.

The fact that they’re actually manipulating people via psychology.

They gain your trust and get you to divulge information or use information. It’s not that hard to do. Like, I actually did it myself. So I’ve got an article on one of my blogs. I actually looked at how to steal a car. I’ll give you a real brief rundown. I was getting my tires changed on my car and, you know, basically the guy drives the car out and was going to hand the keys to me because I looked confident. I looked like I knew I was supposed to be there. So it could’ve been anyone’s car, is the point. So this is what you get with the physical and social engineering stuff. There’s an extreme level of confidence there, like you are supposed to be there, and they trick people with that. So these things are hard because, human psychology, people are quite trusting. Especially once you’ve had a few chats with someone. And so it’s hard to get around and it’s hard to teach people not to do that.

Ivanka: Yeah. So it’s really a bad manipulation of people, isn’t it? Because inherently people want to help. They want to assist, they want to provide information. So they tap into that. So in your courses, do you also focus on the younger generation, like teenagers or people that have just started out in the workforce?

Mike: It’s relevant for anyone who is at that company. It all sort of relates to their home use as well, because there’s a lot of crossover with this stuff. I’m talking about some phishing stuff that comes in through websites, through emails, and people are exposed to that. You go to a dodgy website, you’re going to get phished more. It is geared for the corporate market. The younger you go, the more the course needs to change, something I’ve considered. But the issue is the younger you go, the more it becomes about parents, the more it becomes about technology, how to manage the kids. But it hasn’t been something I’ve thought about too much. It’s kind of a bit of a scary thing. I know with my kids there’s a bit of work with that, and it’s all specific to the infrastructure that I’ve got and how I want to handle things. It’s about the corporates, for me.

Ivanka: So, in your view, is there a strong link between the technology and cybersecurity risk management, or is there a strong connection between the knowledge that you use and cybersecurity risk management? Or are they completely separate; as in, you need to do a, b, c, d for cybersecurity risk management irrespective of the type of technology or infrastructure that you use?

Mike: So cyber security risk management, essentially it ties into it quite heavily. I guess if I thought about cyber security risk management, you’re breaking it into a few different things. You can break it into risk identification, risk assessment and the mitigation response. So that’s a big deal. You know, that’s awareness. I think it’s a pretty hefty tie with that. Beyond that, you know, when you think about “hey, you’ve got to handle risk management stuff, you’ve got to have someone formalize your documentation, build a response plan,” that’s obviously cyber security as well. You’ve got to have people that own the process. So this is like a cultural thing; we talked about that. You’ve got to have someone who’s coordinating things, who’s actually driving this, monitoring current risks. So this is that cultural side. And then the champions. You’ve got to have people that are basically selling this to the top of the organization, the board and the execs. Making sure they’re not pushing it down. So yeah, it all ties in. It’s all a wonderful, harmonious, beautiful thing.

Ivanka: And how do you see cybersecurity changing at the moment? During your courses you meet a lot of people and you speak about creating awareness around cyber security and cyber crime, but how is cyber security changing at the moment? How is cyber crime changing at the moment? What is the future? What does it look like?

Mike: The biggest thing is that cyber security used to be about hacking through your tech. So you have your hackers there; they could be 12-year-old script kiddies or they could be professionals trying to make a lot of money, or someone that works with ransomware. But, you know, it used to come through the tech. They used to hack your hardware and your firewalls; that was a great way of doing it. Tech is pretty good these days, and if companies can keep stuff patched, or there are plenty of services that you can use around this stuff to make things better, then it just makes it too hard for them. So the trend at the moment is, as with everyone, take the easy way out and hit the easy target. So they’re hitting the staff. So that’s why we’re seeing phishing emails. It’s a massive part of it. 85%, I think I mentioned it but maybe I didn’t, 85% of breaches come through staff. So that’s a big deal. So, you know, honestly, that’s the trend. If your staff have been hit really badly, you’ve got to do something about it. I think there’s also a trend that the staff are getting blamed, which is a bit unfair. It kind of starts off with “they’re our biggest weakness” and blah, blah, blah, and “naughty Bob” for clicking on this and that. But I think companies also need to realize that they are an incredible asset. So you can call them a weakness, we can’t deny that. It’s not their fault, they’re not trained. You don’t just give someone a car and say “go and drive a car without a license and training.” But you take it from there, you give them training, you turn them into your biggest cyber security asset. That’s a big deal.

Ivanka: I’m very aware of the time that we have, as we only have half an hour. So, to wrap it up, what is your number one thing that business professionals or I.T. professionals or business owners should teach their staff in relation to cybersecurity?

Mike: Honestly, if you asked me for the number one thing, I’m going to say it’s security awareness. And you need a good course, and you need to structure it into all these wonderful areas; you’ve got to engage them, and if you want to do online stuff, well, that’s hard because it’s not engaging. And, you know, don’t treat this as a compliance thing. It’s not tech in a box; this is a big deal. But I would think the number one thing beyond that is a cultural shift. So you need to have awareness around this stuff. Your I.T. people, they need to be kicking goals on this stuff as well. And they also need awareness, because they don’t know all of this stuff. The board, the execs, they need to be part of the party with us. They’re going to be driving it. You need to have your risk mitigation processes, you need to have planning and responses made, policies and procedures. It doesn’t have to be horrifically complex, but you should think about it. Tying into that is people taking their disaster recovery more seriously. You know, I mentioned this before: do your backups actually work? Are your backups safe from being hacked? Do you test restores with them? If you can’t do that, you’ve got no business. So it’s a big picture and I think it’s a cultural thing. I think it just needs to be awareness across the whole organization, and that will drive every other activity.

Ivanka: In respect to the backup and restore process you were talking about, you know, you mentioned making sure that your backups are actually working. Do you envisage, and I’m talking about small business predominantly now, do you envisage that small businesses will be safer when they have all their data uploaded into the cloud or use a cloud service provider?

Mike: Well, the general rule of backups is you don’t rely on one location. So like for me, I’ve got a home office. I have network attached storage. Every day at four o’clock another network attached storage device comes online, does a copy of everything and then shuts down. So that can’t be touched. I also do regular backups to hard drives; they go off site every week. And every night I do a backup to Amazon’s free storage. So if something bad happens to my stuff, I’m cool, it doesn’t matter. I might lose a day of data, you know, but I’m fine. So I think, you know, to say “store it in the cloud, you’re all cool”… you know, the general rule of backups is you have multiple sources, multiple locations. You know, and the backup stuff’s got structure. Then you’ve got your grandfather, father, son backup regime and, you know, you’ve got your 3-2-1, whatever. As long as you’re roughly going along with “hey, you’re supposed to do it,” you should be fine. But I would never rely on my Amazon backup by itself. Because at the end of the day, Amazon is a web-facing company. If they get hacked, my backup could be gone. It could happen. So you just treat things seriously. And your data is the most important thing.

Ivanka: I read in an MIT article that the main target in 2018 for ransomware attacks actually was the cloud storage providers. You know, the Amazons and Dropbox and, you know, the big storage providers.

Mike: Yeah, there’s plenty of money there, lots of information. I mean, if they manage to shut down the whole place and really cause some disruption, you lose customers from that. People go, “I don’t trust you with my data anymore. I’m going to go somewhere else.” That’s one of the reasons why companies go broke. Your customers find out about this and go, “I don’t like it. I’m out.”

Ivanka: So, let’s wrap it up there. Thank you very much for your time, Mike, and I really appreciate you taking the time out of your day to have a chat with me about cyber security, and specifically how important it is to make your staff aware of the risks of cyber security and cyber crime. So if people that are watching this or listening to this are interested in knowing more about you or your business, they can go to, and I’ll read it out, WebSafeStaff.com.au. So www.websafestaff.com.au. Is there any other way they can reach out to you and get in touch with you?

Mike: Is there any other way they can chat to me? The daytime phone number comes direct to me. I’m pretty approachable, and coffees.

Ivanka: Coffee is always a good idea, so let’s wrap it up there. Thank you very much, Mike. Thank you again for taking the time out.

And that concludes this discussion about the need for cybersecurity awareness for your staff. My name is Ivanka Menken from The Art of Service and I look forward to talking to you or seeing you very soon. Bye.
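Mike’s two checks above, “has it got links that are different to what it shows in the link text?” and “how to read a URL” (the www.paypal.com.au-… example that really goes to iu.com), can be turned into a small mechanical test. The block below is an added example written for this page; it is not code from the interview or from Web Safe Staff. It parses the link’s real host, takes the registrable domain (the label just left of the public suffix, which is the part someone actually has to register), and compares it with the domain the visible text claims. The tiny suffix set and the sample links are constructed for the example; a real tool would load the full Public Suffix List instead.

```python
"""Added example: does an email link go where it appears to go?

Not the interview's or Web Safe Staff's code. KNOWN_SUFFIXES is a constructed
stand-in for the Public Suffix List (publicsuffix.org); SAMPLES are made up,
modelled on the www.paypal.com.au-... pattern Mike describes.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed, deliberately tiny suffix set; enough for the samples below only.
KNOWN_SUFFIXES = {"com", "net", "org", "au", "com.au", "net.au", "org.au", "uk", "co.uk"}

# Visible link text that looks like a URL or bare hostname (no spaces, has a dot + TLD).
HOST_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:].*)?$")


def registrable_domain(host: str) -> str:
    """Domain an organisation actually registers: longest known public suffix plus
    the one label before it, e.g. 'iu.com' for 'www.paypal.com.au-secure.iu.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in KNOWN_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # Suffix not in our list: fall back to the last two labels.
    return ".".join(labels[-2:])


def link_domain(href: str) -> str:
    """Registrable domain of the host a link really points at. urlparse strips
    the 'user@' part, so https://paypal.com.au@evil.net/ resolves to evil.net."""
    if "://" not in href:
        href = "http://" + href
    return registrable_domain(urlparse(href).hostname or "")


def displayed_domain(text: str) -> Optional[str]:
    """Registrable domain named by the visible link text, or None when the text
    is something like 'Click here' and so makes no claim about the destination."""
    text = text.strip()
    if not HOST_LIKE.match(text):
        return None
    return link_domain(text)


def assess_link(display_text: str, href: str) -> dict:
    """Compare what the email shows with where the link goes.

    verdict: 'match'    shown and actual registrable domains agree
             'mismatch' the text names one organisation, the link goes to another
             'opaque'   the text is not a URL; judge the destination on its own
    """
    actual = link_domain(href)
    shown = displayed_domain(display_text)
    if shown is None:
        verdict = "opaque"
    elif shown == actual:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "shown": shown, "actual": actual}


# Constructed sample links (display text, real href).
SAMPLES = [
    ("www.paypal.com.au", "https://www.paypal.com.au-secure.iu.com/login"),
    ("www.paypal.com.au", "https://www.paypal.com.au/signin"),
    ("paypal.com.au", "https://paypal.com.au@evil.net/"),
    ("Click here to verify", "http://paypal.com.au.evil-login.net/verify"),
]

if __name__ == "__main__":
    for shown_text, href in SAMPLES:
        r = assess_link(shown_text, href)
        print(f"{r['verdict']:8} shown={r['shown']!s:15} actual={r['actual']:15} {href}")
```

The third sample is the case the “three dots” rule of thumb does not cover: everything before an `@` in a URL is a username, not the host, so the link lands on evil.net even though paypal.com.au is the first thing the eye sees. The fourth shows why “Click here” text gets an `opaque` verdict rather than a pass: there is nothing to compare against, so the destination domain has to be read on its own.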

Cyber Security Risk Management – People First

Cyber Security Risk Management with Brian Hay.

In this 45-minute conversation you will learn from the front line what it is like to fight cyber crime and how the people in your organisation really matter.

We are very excited to share this conversation with Brian to help raise awareness of the need for education around preparedness for cyber security incidents.

You can learn more about Brian Hay and his cyber security services by going to his website, www.culturalcybersecurity.com/brian-hay.

Brian Hay spent decades in the Queensland Police Service fighting cyber crime, latterly as Detective Superintendent. He now runs his own business, Cultural Cybersecurity, where he advises companies on the importance of people management in relation to cyber security.


IVANKA: Welcome Brian, and thank you for having a chat with me about cyber security. I had a look at your website, Cultural Cyber Security, and I must say I’m intrigued.

First of all, you have a rare blend of cyber security skills and business attributes. You have long been considered a thought leader in the world of cyber security, and you have learned your craft not from the technical demands of the cyber industry but rather by focusing on the activities of organised crime and cyber criminals. So, you have a very colourful background: police, Head of Security Team for – was it Dimension Data? – and now you run your own business focusing on what I understand to be the cultural or the people side of cyber security. So, please enlighten me.

What is your version of your bio?

BRIAN: My goodness, and oh boy, they’re just words put together that someone introduces you with when you present at a conference or something. But I think what I’m trying to say is, you know, I was Chair of the ANZPAA – Australia New Zealand Police Advisory – eCrime Working Group from inception for 5 years, and I was on the National Cybercrime Working Group of the Federal Attorney-General’s Department for some years when it kicked off. I’ve seen the policy level and a lot of the strategy development around cybercrime from a governmental perspective. Then of course, as a Detective and the Operational Commander at the Fraud and Cybercrime Group, I had the insights into financial crime and the consequential impact of cyber, and then the ever stronger emerging presence of cybercrime.

So a lot of that focuses on two echelons. One is the victim, the victim entity, the victim person. The second of course is the offenders themselves, and then you have what everyone typically thinks of in the first instance about cyber security, and that’s the technology. So it’s given me a blend, of course, when I went to work with Dimension Data and then Unisys; they gave me further insights into the whole mainstream digital economy from a cyber security technology perspective. And from all those things, we were very much missing a couple of key components, because whilst I was originally driven by service, and then response to communities, you go into the technology sphere and it’s driven by making money and profit, which is completely normal, and we had all the standard criticism. But I think what has been forgotten along the way are a couple of things. One is that people should come first, and that’s a great vulnerability we have, and the other thing that I think gets forgotten along the way is that strategy should be led by the business; it should not be dictated by the technology. We forgot that technology is a tool, it’s not a strategy, and I think a lot of companies feel a great sense of assurance if the technologies they’ve got in place or they’ve purchased sit in the top right quadrant of Gartner, rather than asking, you know, what does it reduce in risk, does it grow people, does it meet our company needs. There’s a little bit of a false assurance process in there.

One of the obvious things that we’ve never addressed, or it doesn’t get addressed enough, is ‘why’. Why do we need cyber security? How do you assess your risk? Who are the threats? Everyone talks about the threats being the technology: the malware, the viruses, the worms, the Trojans and the APTs. They’re merely the tools.

And those tools are orchestrated, put together and exploited by people, and the biggest threatening group is organised crime. The purpose of organised crime is to make money. That’s the ‘why’. And the other thing is the ‘what’: what do we need to protect? Indeed, most organisations don’t really know what their risk is. It’s all been driven by the banter of technology giants as opposed to a full and honest appraisal of their environment, understanding first of all the ‘why’, then the ‘what’, then the ‘where’, then the ‘when’, and the ‘how’. And then after all that’s said and done, where do you start? And you know, the problem is that too many strategies start with the technology they want to use, because that gives them more assurance from it being rated highly, rather than doing a very honest account of their environment and looking at where the vulnerabilities are and what they want to protect.

And you know what, everyone wants to protect their data, but what about the people? At the end of the day that’s the most important asset you’ve got. I think it’s got lost in the whole translation, and that’s a bit of a longwinded speech about some of the fundamentals that you touched on before. But let’s get back to basics: the most important entity we need to protect is the people. You get the people on board, your data is going to be a lot safer.

IVANKA: So, you talk about the ‘why’, the why behind the crime, the reason for cybercrime. What is your ‘why’? Why did you get so passionate about fighting cybercrime and cyber security?

BRIAN: Well, that goes back to my law enforcement days, and it wasn’t a choice. I was sitting as an investigator – Detective Inspector heading up the Public Sector Corruption Team at what was then called the Crime and Misconduct Commission – and I’d had enough; by then I’d done five tours of duty fighting corruption in the history of Queensland and I needed a change, and I got a phone call one day. I was so desperate to get out that I even applied for the Rural Stock Squad, which meant, you know, you look at cattle duffing and all sorts of stuff, and I had an Assistant Commissioner ring me up and he said, “Brian, you didn’t get the Rural Stock Squad, but what on earth were you thinking?” I said, “I just got to get out.” He said, “We’d like you to come and take over the Fraud Squad,” which later became known as the Fraud and Cybercrime Group.

I had never thought of it before, and once I got in there I realised that we needed a paradigm shift in how law enforcement approaches these challenges of cybercrime and international financial crime. When I first joined the Queensland Police you could stand on the borders of Queensland, turn your back on the rest of the world and say, “This is my patch, I’ve got to protect it.”

But with the advent of the internet there are no geographical borders.

You had law enforcement, legislation, politicians; they still think and respond in terms of geographical boundaries. I don’t think the thinking has elevated to the standard it needs to in order to understand how we approach these things. And so, I took on a paradigm shift of focusing on how do we actually – I remember presenting at an international FBI conference. You know, my Commissioner was sitting in the front row of the audience and I didn’t clear the statement with him first, but I said law enforcement needs to adopt a willingness to contribute without expectation of return, and what I mean by that is you’ve got to pay it forward.

You’ve got to work internationally and collaboratively, and we’ve got to give other countries intelligence to allow them to do their job. So, the traditional response is, if someone offends against a member of your community, you do the investigation and you put together a brief, and then – if that person is outside of your jurisdiction – you look to extradite them back so you can prosecute them. Now, one of the things we saw with cybercrime and the internet was that it went from a high-value, low-volume crime type to high-volume, low-value. So, no one is going to pursue an extradition process for $5,000, $2,000, $200. That would only get done once it gets into the millions, where they actually notice, and it’s a very expensive exercise. But if you are able to share information with the agencies around the world, well, it gives them an insight into what they need to do, and they can pull all that information together to form a picture and then take action.

For example, if we had 50 victims in Queensland, 20 victims in New South Wales, all for $200 each, and then across the other States and Territories, that’s still going to assemble itself to several thousand dollars but not of significance. But what if you multiply that by a factor of 500 across all the other populations around the world, and all that money was going back to, say, London? Now, do we have five to eight agencies in this country pursuing individual investigations, or do we actually harness the synergy of intelligence and give it to the agency in London that can centralise? Imagine every country did that; then all of a sudden the people in the UK have a far greater picture of what’s going on. Now, the question gets asked: will they pursue a prosecution, then an extradition, and fly witnesses in from all over the world? And of course that’s not a cost effective exercise either. But you know what, a country like that is going to have wealth creation provisions, it’s going to have proceeds of crime legislation, it’s going to have tax evasion offences, and it’s going to have money laundering offences. And let me give you an insight: you get done for a hack in this country, you might be looking at 3 or 5 years as a top line, which no one ever gets anyway, but money laundering carries 20 years.

And what’s the purpose of organised crime? To make money. What do they value most? Making money. So, if you can actually centralise it and have another country, because you work with them and provide information, take more effective action using the tools at their disposal, and then enable them to be more effective against the criminal environment, then you’re going to make a difference.

IVANKA: No, but that has a really big assumption as well, that countries work together towards a similar goal, whereas there are different jurisdictions, and like you say, you started off with Queensland is separate from New South Wales is separate from Victoria. So that’s a really big maturity journey, to go from each doing their own to we have to work together to make a difference and to be able to fight this type of cybercrime.

My question is how does that translate to the commercial sector, because my assumption is that with countries even though there may be some reluctance, there’s still that overarching governance idea. But when you talk about commercial entities they could be competitors or they could be in the same industry, so how does that – because you’ve made a jump from the police force into the commercial sector, how does that approach to fighting cybercrime translate into the commercial sector?

BRIAN: Look, there are a number of issues, right? Commercial sector is there to make money, but also has a social responsibility, a corporate responsibility. I think that you’ve seen a lot more collaborations in cyber space in the commercial environment in the last decade. I think we had the Global Site Alliances and the Threat Intelligence and the most and in the main the private sector has been far more mature in the mind. I think that’s where a lot of collaboration. They’re doing more things at law enforcement the other nations can learn from.

IVANKA: Is that because there’s a direct financial impact, whereas with countries there’s more of a political clout around it all?

BRIAN: Absolutely, make no mistake. Bottom line it’s about getting your brand out there being positive and doing stuff, but it’s about doing things smarter, and being more effective, and then being more competitive. And they actually hold more of the data. Law enforcement is not at the front line it’s a response.

I always said if we have to arrest someone it means that crimes have already been committed. The purity of cyber security is that it’s crime prevention you know if I could say it actually wants to stop it. And there’s the other anomaly is that we don’t know – no one knows how much cybercrime occurs because most of it isn’t reported. So, the front line is the industry, and I always saw that the couple of things when I left the Queensland Police I straightaway was stripped of the border restrictions. There’s more innovation no doubt in the private sector than there is in the world of government, and so there are more opportunities and the thinking is more expensive, and sure this can be a selfish motivation to that thinking process but they are open to new ideas and thinking, so protection is a good thing. I remember there was a senior detective who was quite – which I find incredulous, we’re going to arrest our way to prevention, what a lot of nonsense but that was someone said that sort of I thought you got to be kidding me, and that is absolutely ridiculous. Prevention is the essence of successful policing, because you’re enabling the community to protect themselves, reduce the opportunities for criminal offenders, and therefore having less negative consequences on our communities.

IVANKA: Is that the reason why you focus so much on people first like it’s the whole – it is the education and awareness of people to be able to prevent cyber and being a victim of cybercrime or what’s the link there?

BRIAN: Well, there are several links. One is I’ve always been prevention focused in Police.  I think it’s tantamount to success. The other thing is I think – let me put – let’s be realistic, I wanted to start my own company with a purpose to be successful and that means making money, and I think there’s a vast opportunity because that’s where the gap is around the people.

It’s something that I’m passionate about and my business partner is passionate about, and how do we actually add value to companies and going there and make the organisations safer, because there are no scruples for the cyber criminals and if they – I’ve seen examples where they have targeted children of family members to get to an entity. So, there’s a lot of apathy that people think cyber security is only at work – we in this country have had the internet 25 years. We’ve only got our first piece of legislation in February this year that said you got to report your Mandatory Data Breach Compliance legislation. We’re 25 years behind the crooks, you know they’ve been exploiting virtually from day-1 and we’ve got a lot of catch up to do.

Unless I say there’s apathy that you got to be secure with home mates doesn’t matter. But where do you think the crooks are going to go to? They are going to go to the house with the open window and if we’re not teaching our kids, our grandparents, our brothers, sisters, uncles, aunties how to protect themselves well who is going to? And so, one of the things we want to work for the company is not just to focus on the security or the behavior of the people at work, but we take that to their behaviors in the home because like I said, I have examples where crooks have targeted the home environment to get to the work environment and that will continue.

IVANKA: Yeah. And you’re not talking dark web or that’s it, so you’re talking day-to-day internet that people use on a daily basis to do their work, to do their school work as part of everyday living?

BRIAN: Absolutely. So, if I go into someone’s Facebook profile and they are a person that you know what the hell the manager of a certain – say Manager of Finance in the job title in the LinkedIn, so then I take from their LinkedIn profile and what they look like, there’s a photograph there, I know who they work for, where they were educated, they passed from, resume and work history. So, I can now look at their Facebook page or start to look at who is who in the zoo, how many family members, how many kids.

I go there, there are photographs there embedded into those photographs, I’m moderately confident those people do not turn off the location setting on their phone when they take those photographs, so in the metadata is the GPS coordinates of exactly where they live. If I look further in photographs in the background I see there’s a ProHart painting on the wall, solid timber furniture, big screen TV.

And so on so on, and of course they’ve signed the fact that next week the whole family is going on a wonderful vacation on a cruise or in the South Pacific Islands, beautiful.

I know where you live, I know what furniture, you’ve financially profiled yourself, therefore I want to do a tangible crime that is real world as in you can touch it, well there is a potential of breaking in, and again I could tell you horrible stories that I don’t want to go into, but you can have far more damaging, physical damaging side effects as well. But now for example, if I know let me go a little bit left field of that, I know that you’re into quarter horse racing and it’s your passion. So, I’m sitting back as a cyber crook and maybe it’s one of your children that were into quarter horses, and all of a sudden I introduce myself, I develop a fake profile, I’m saying I’m the Vice President of Wyoming Quarter Horse Association, I put a letter out there, put some photos, I reach out on Facebook, I see you’ve got a love of quarter horses do one the thing, socially engineering you, you say yes, we connect up, then I’ll say have a look at my latest stallion just got in, really good, dah, dah, dah, great bloodlines. You click on the photo which is embedded as a zero-day exploit and now I own your machine, very simply. Now I own – say – the child’s machine. Now a parent is going to be less vigilant about what they accept and download from their child, are they not, as opposed to if it was from a stranger, so now if I can own the child’s machine I send them a zero-day exploit to their parent who is my primary target to get into a certain organisation and you see how you can follow this and we’re not prepared for that.

And what is it all about? It’s about people. Giving ourselves – we teach our kids from the time they can walk we teach them how to cross the road safely, we teach them how to play in the same pit with other kids, we teach them how to share toys, we teach them to show the elders respect, we teach them how to use a knife and fork at the table but we throw them an iPad as a babysitting device and we’ve never been taught ourselves the fundamentals of how to be safe online and we got Buckley’s end up teaching that to our kids and we think our education system is going to solve life problems for us. Well, guess what the teachers haven’t been taught either, so we’re in this vacuum of 25 years. I often use the analogy of a motor vehicle, modern motorcar arguably started in 1886, worst consequence road death. It took in this country nearly 100 years to get the road tolls steadily declining and there are a lot of parallels and lessons to be learned in that process. But the big catch up where we can – if you look at the vulnerabilities ran statistically around organisations I think there are some that suggest 91% of most breaches occur through phishing emails. If you look at I think the first 63 reports on Mandatory Data Breach in the first 6 weeks of the legislation coming into effect I think only 7% was attributed to technical failure, the rest was people behaviour.

Let’s get back to the basics. Let’s focus on the most important asset we possess. It’s not the data, it’s not our systems or the tools it’s our people. So, when we talk of building…

IVANKA: it’s another way to get to the data. Isn’t the data the ultimate goal?

BRIAN: Of course yeah, but through our people. We think we got to put the systems in place that’s our first line of defence. It’s not our first line of defence it’s people. Giving them the tools to actually make it safer for themselves and they are becoming targets. You know I often say in front of audiences if you’re a director or manager or director and you’re an executive in your job description you’re a bigger target. We’re all being profiled constantly.

IVANKA: Yeah. But how do you not get paranoid, I mean you’ve been in this industry for 35 years so you’ve seen the dark side of society probably way more than you ever wanted to see. So, how do you not get really paranoid about everything?

BRIAN: Somebody told me once when I was joining the police they said you become very old and cynical, and you know I’ve never had greater faith in humanity. I think our communities are fantastic and I think that 99% of people always try to do the right thing. We have a wonderful culture in Australia. We do actually look after people and each other pretty well, and when you hear these horrible stories of that not happening but in the main it does and I think it’s about – I used to say take a little pill called cynicism, and if you understand that you will be approached and if you know how to protect yourself or have a better idea you’re less likely to get caught. So it’s not about being cynical just being aware that okay look all the wonderful opportunities technology offers us today. You know the digitization, the social media and all that it’s brilliant. It’s not that we’re not using it, but no one ever said, “Okay. Let’s become aware of it.” You wouldn’t put your 15-year-old son or daughter behind the wheel of the car for the first time and say, “Here you go, have a go driving.”

IVANKA: Yeah, have fun. Make good choices.

BRIAN: Exactly. So, it’s not about being cynical I’m actually all for the technology and they present it it’s about big way and that’s a big difference.

IVANKA: So, on the back of that what do you feel is the biggest myth about cyber security?

BRIAN: That you can have zero exploits and your risk tolerance is zero, you have zero risk tolerance for cyber security. As I say to people I’m sounding like, “Did you drive here today?” “Yes.” “You’re going to drive home, can you guarantee me you’re not going to have a car accident?” And they say, “No, don’t be ridiculous.” So I’ll say, “Exactly. So, why do you expect zero tolerance for cyber incidents? It’s not possible.” And so that is complete mythology. There’s no such thing as absolute protection.

IVANKA: So, you’re never going to be absolute it’s about how you manage. Cyber security is a risk management exercise. It’s about understanding the risks, being aware, and then managing the processes.

BRIAN: Yes. I think the biggest myth is that you can be protected. So, the other thing that people don’t correlate very well to is incident response component. I think that we only need that if something bad happens. Well, you know what the reality is there will be those accidents and there’s no research that shows that – just only the other day if you can actually find out within 30 days of a breach that’s occurred you can actually reduce your costs by up to a million dollars, and investment in preparedness is akin to most successful business.

IVANKA: Yeah. So, it’s really identifying your vulnerabilities, identifying the types of threats you might be open to, and have a preparedness program, a strategy to work on it if and when things happen?

BRIAN: Yeah, to a point. And it goes back to the very first thing you said that it was identifying the vulnerabilities, because vulnerability of people yes it’s the last thing that had been addressed. Why is that?

There are a couple of reasons for it. From a cultural perspective we’ve grown up on the dart of the technology companies telling us you got to have us we’re going to save you, and we’re trying to solve – we believe we can solve human behaviours through technical applications. Well, guess what to-date it hasn’t worked, and so most of the organisations actually don’t understand the vulnerabilities. They rely upon those technical conversations. From a technical IT perspective that yeah we’ve identified that technical breach we can solve with this technology. I think what about people factor? What about the human behaviours have you fixed those yet?

And you’ve got to have a human based approach to it. You’ve got to look at the culture and the culture is going to be I think a very big stepping – that’s going to fill a lot of your gaps. And when I talk about what are your vulnerabilities? Well, that’s a really interesting thing. It’s like asking what data do you want to protect. I spoke to this gentleman one day and I said, “What data do you want to protect?” I asked him that question. He said, “Well, I want to protect my merger and acquisition information, the board papers, I want to protect resource stock listings, I want to do this, do this, do this.” I said, “Is that it?” “Yeah, that’s it.” I said, “You’re sure about that?” “Yeah, that’s it.” I said, “Okay. How many people do you employ?” He said, “Five thousand.” I said, “Okay.” I said, “And you’ve got HR files on them?” “Yes, yeah of course.” “With all their personal details, and all the next of kin personal details?” “Yeah, yeah.” And I said, “Well, and you pay them by electronic bank transfer?” “Yes.” “So, you got their bank account details.” “Yeah.” “And you’ve got all their tax file numbers?” “Yes.” I said, “And you’ve got their superannuation details?” “Yes, yes.” And I said, “No doubt there will be some automatic payment deductions from the payroll system that go into other providers that they have bank accounts with or you know telephone, health insurance anything like that?” “Yeah.” By then he could see where it was going. And I said, “Well.” I said, “If you gave me that profile,” I said, “It’s not a problem to make $30,000 to $50,000 that’ll breach your identity if you gave me all that information.” You know I said, “It’s not what data you think is important, but what data your adversary thinks is important because that makes you the target.”


BRIAN: Okay and we keep thinking from the technology perspective. What motivates a criminal to do certain things? What actually would make a criminal look at you or your organisation as being the target, now starts the art of war: know your enemy. So, the more you put out about yourself the bigger you promote yourself online in your business title this sort of stuff and post it that way we just had a great win, won a lot or you just imagine we never thought is that we actually giving the crooks the reason to target us, and in fact understanding how they act? Why they will act? We can then better prepare ourselves.

IVANKA: Yeah. So, as a business you just mentioned we focus on technology, we focus on corporate documentation, we focus on the business side and forget the fact that there are people involved as well. So what would be the biggest risk that we as business owners face at the moment and I am talking not just the large organisations, but also medium-to-small, small organisations from a cybercrime point of view?

Because it’s easy to think, oh you know a big organisation you know like Dimension Data because that’s where you came from. They have so much information, they have so many employees, there is so much data that can be extracted that is valuable in one way shape or form, I’m not even talking BHP Billiton because that’s even bigger, but what about a small-to-medium business owner with 10 to 20 staff that is really sort of flying under the radar most of the time and running their business. What is the biggest risk they face?

BRIAN: They face the biggest risk of all. 

They are not losing the terabytes of data, but they haven’t spent the millions of dollars to secure their systems and processes, and they haven’t invested in the cultural programs to actually protect the behaviour of their people. They’re the soft underbelly and worst is that SMEs are being attacked every single day and it’s going to continue to occur in large quantities. What you’ve all got to understand too is when you look at the organised crime and cyber criminal environment fundamentally speaking you’re looking at a pyramid and at the top of that pyramid are the smaller numbers of entities that can do highly skilled covert cybercrime operations. They are not massive and what they do in their business model is they now perform services for other criminals and if you imagined say there were five…

IVANKA: Multi-level marketing for crooks.

BRIAN: Exactly what it is. Absolutely, and of course at your entry point at the lower level anyone can go in and just buy every aspect of cybercrime as a service or as a product or as a commodity. You don’t need to have any deep technical skills these days to get into cybercrime and make a lot of money, but what it means is you have the vast number of your cybercriminal players today are not targeting the massive enterprises.

They’re coming after SMEs because they’re softer, faster, smaller targets and they can hit more in one go. So, a ransomware attack you know is going from maybe on a higher entity it’s going to be a million dollars, but they’ve invested a lot of time in that to get there and it needs really high skills they’ve put it in, but most of your crooks are going to be operating at lower level say they’re going for the faster turnarounds and smaller target and something they convert to cash quickly. So, the SMEs are absolutely the soft underbelly and they often pay for it. And they are not prepared for it.

IVANKA: No. So, how can we help them be prepared for that? What can a business owner do to be prepared for that? Understand their risk.

BRIAN: Okay. You raise that question understand your risk.

Well, let’s go back to the fundamentals that cyber security is business responsibility it’s not an IT issue.

And then, we look at where is the business going, what is the purpose of the business, what’s your direction, your growth strategy, what do you want to be and what do you want to achieve, how are you going to deliver your business outcomes. Then conduct your risk assessment. Now from that purpose of how you’re going to operate, where you’re going to go, then you can look at okay how do we reduce risk, and then you make a determination around how much digitisation is involved, where do you keep your data, how do you keep your data? And then, we look at culture.

I always look for culture first, but business so I’m going to talk about business yeah comes first, and then to grow your people not only you know three elements to it be your cyber safety, high performance, and digital transform. So, change has a normative value in today’s digital technology world. So, then and only after you’ve looked at the business outcome, direction, risk, and people. Then say: right, what technologies do we need? So, everything to-date has been here is the technology. It’s the latest and greatest. It’ll solve all your problems, buy it, and patch it, and put it in and take it on. So, we’re turning upside down, so how does business going to make it successful. Let’s do a risk assessment with your people, and then give consideration to what technologies you need.

Now, the reality is we’re going to see more migration as we have seen over time to many security services on the basis of it’s such a sophisticated and complex environment and you just want a one that’s going to help you grow your business because why you know where you want to go and you’ve got to consult with your cyber security provider to make sure the solution you’re getting is not about the technology today but there’s a bit of a strategic sense about where the technology is going and therefore the attacks because the crooks – the first entities are reverse engineering new technologies.

There was a very interesting study with University of New South Wales and the graph that I saw, and when the technology comes out the first adopters are the criminals because they want to reverse engineer it, look for vulnerabilities, find ways to exploit it because they want to make money out of it. So, an SME is you don’t have to spend lots of money, understand your business, get a good sense of appreciation of your risks, protect your people that then protect you and straightaway you can reduce that risk landscape by 90% by having a skilled workforce who are cyber security aware and that’s not being technically aware that’s being just on the line.

All of a sudden your risk has gone way down because you’ve got people onboard with you, and they’re going to be –they’re your eyes and ears and giving you alerts.

And I was talking to someone this morning and I say you know there are 17 people in the office and they said we talk a lot, we share information, and so if one person sees an email that he’s suspicious about they don’t try to make the decision always by themselves they’ll chat about it and come in have a look at this that’s a community that’s supporting each other. Sadly there are too many SMEs out there or SMBs that think, “Oh, we’re too small to be bothered with. No crook is going to come at us.” That is the biggest mistake you could possibly make or a line of businesses that thinks, “Oh, we wouldn’t be of interest to cyber. We’re only a…” I saw something just recently on a plastic surgery business that got hacked and then extorted. Of course, that business will be out-of-date inside 6 months because of certain events that took place and what it chose to do or not to do and its reputation will absolutely get under toilet. 

I would come back to where is your business going, what is your appetite for risk, grow your people and once you’ve got those three elements done say righto, how do we get onboard with the right security partner, and I say partner not provider, not seller, not vendor, security partner. Now, I talk to people and I say, “Look I’m not interested in you selling your stuff one off. I am interested in being a partner with you on a journey to help you grow and be successful tomorrow. I’m not transacting here today,” and that’s one of the biggest criticisms I see with the vendor community is its true transactional thinking, because I just hate things all about the sale, it’s not about the purpose, not about the why.

IVANKA: No, and ultimately it is a partnership issue. You go hand-in-hand to a shared common enemy?

BRIAN: Absolutely, and that’s it. You just nailed it. We’re all in this together, everybody’s responsibility. It’s just as much the CFO, the CRO, the CMO, the CEO, there’s a CIA to the CISO.

As it to the person and the dispatch doc that’s signed for the receipt of the – whatever comes in the loading bay. Absolutely everybody’s responsibility.

IVANKA: Yeah. So, how do you see this in the future? What trend do you see developing, I mean, we have the GDPR regulation going into effect next week Friday, I mean that’s a big thing. To me it’s a big thing. I’m not sure if it’s a big thing for everybody, but how do you see that moving forward like you said 25 years of internet in Australia, cybercrime is definitely picking up. It’s not just for big organisations. Small-to-medium enterprises and businesses need to be aware of that. What’s next, what’s the trend, what’s – how can we future proof our business?

BRIAN: Okay. So first of all, I think now that we have opened the door to our politicians to solve the cybercrime problems that door will never close. It’s one thing I know from working in government for all those years is that solution to all the problem is making new legislation, but we need regulations. I think as we have more high profile hacks get reported or data losses we will get something that will tickle the media’s fancy. They’ll make a big song and dance about it. Some politician who wants to get on another soapboxes is going to get a – they will make a statement, oh we will do this and we will hold them accountable, we’ll see the emergence of new legislation.

IVANKA: But like you said before that’s looking in the rearview mirror that’s not preventative.

BRIAN: But that’s history telling us what’s going to happen. You asked me where do I think things are going obviously going through it from the regulated environment and forced compliance on people. If you ask me from a cybercrime threat perspective how do I see it going that’s probably a little bit different. We will continue to see the migration of more tangible – why on earth would I go rob a 7/11 for $27.50 a pack of cigarettes and two cans of Red Bull risk going to jail for 7 years when I go online in 30 minutes make 5 grand as a cyber criminal extorting someone else.

So, we will see more migration of traditional street crime into the cyber environment, so it’s not going away any time soon. As you’ve touched on, we’re going to see more and more attention given to the SMEs and we’re going to see it into the individuals in the family. We’re going to see I think more personal extortions, I think we’ve had a situation where a lot of people have shared a lot of personal data out there online I think that’s going to come back and people will pay not to have that made public because it’s emotional. I think sadly when we see some cyber terrorism is something now it’s going to be on the horizon. It’s been put out there if you’re Iranian you say you’ve already been victim of cyber terrorism anyway with the Stuxnet attack on the nuclear facility. I think we’ll see sadly more significant events take place before…

I think we’re going to see stuff that gets everyone’s attention, seriously gets everyone’s attention. I remember doing a lecture on counter-terrorism course maybe about 10 years ago, and I said, “Well, you know in First World War whoever controlled and land and the sea won. The Second World War whoever controlled the air won? So does that mean next time we go to war whoever controls the internet wins?” And I don’t think we’re going to be far from that.

When you look at everything we see more and more IT overlay on the operating technologies, because it saves money and lot of efficiency is being gained but it carries risk.

What we’re seeing today is the inside what we’re going to see in the future. It’s going to – well sadly we have a lot of apathy until something tragic happens and it’s just going to be one of those things, and I am not professing to have a crystal ball or anything like that. But I can see – maybe I’ve just got a warped mind, but I can still see so many ways for a criminal to make money and when I see the apathy and issues like – I saw a report today that Australians have lost $350 million in the last 12 months to fraud and scams. Well, where are most of those scams happening today? They’re happening online. Why is it that our community still sends hundreds of millions of dollars to crooks overseas in scams, to Nigeria, to Ghana and we think even then when you get education – this is the challenge with people, I think we’re pretty unique animals. I remember I did a lot of work on Nigerian scams and we had more arrests effected in Nigeria than I think any other country in the world but working with them and paying it forward, and sharing intelligence at that point in time, and I started looking into why is it that senior citizens in our communities who are now behind those keyboards are so vulnerable to these sort of things. We think it’s because they’re more trusting and actually the fact is there’s been a university in Iowa that did a lot of research into that, the part of the frontal cortex responsible for cynicism and doubt and as we get older that part of the brain starts to deteriorate. What they found doing these control studies was those that showed more marked deterioration in that part of the frontal cortex were twice as likely to fall victim to a scam.

So, maybe the problem is not always the behaviour it’s actually physiological, and so our defences would have to change and that goes in a whole different path. It’s not simplistic and lot of technology companies would like you to think that you buy a technology you’re going to save the world, but we live in a thousand shades of grey and there are multitudes of colour but we got to come back to ourselves.

So, where are the criminals going to go? It’s going to get worse; they’re going to target more and more individuals.

They’re going to be more exploitive of our members and show you how nasty they can go. I know someone who received a photograph of a child and was saying, “Pay me $5,000 or I’ll ruin their online reputation for the rest of their life.” Okay, so what would you do? And it’s going to get more personal and it’s going to get ugly. And the amount of data that’s being stored out there by each and every one of us is quite alarming. It’s just time for a refresh.

The sky is not falling. World is a beautiful place and full of wonderful people, but it’s about knowing their enemy. Today their enemy has been pretty silent in many respects, and unknown and faceless. It doesn’t really matter what country they come from or what their first name is at this point in time. If we can actually take steps to keep them outside the locked door then that’s fantastic, but we just got to be told what their skill sets are as a starting point and when we do have that accident how do we respond more quickly?

IVANKA: And share that information so that our people know what’s going on.

BRIAN: Exactly, you know with too much the time the information is power, we’ll know information shared is benefit, and at the moment people don’t like to talk. We’ve been forced into silos, because we’re worried about the brand and reputation harm that comes as a consequence, and now we got legislation if you don’t report you’re going to get fined and you do report you’re going to be reviewed. So, look I think we’re privileged to be working in this part of an organisation, since I work in this part of an industry we can actually make a positive difference to people’s lives, and it’s actually even though you don’t join the police let me tell you for the money you do it because you’ve got a sense of service and working in the security industry you still have that wonderful sense of service that you can actually still contribute to make a positive difference in people’s lives and families and as long as you never lose sight of that I think we’ll be in a great place.

IVANKA: Fantastic. Well, thank you so much for sharing your views and I loved the way you focused on the people side of things and the culture in not just in organisations but in families and societies as a whole, because you know the time is behind us and we can put our head in the sand and just pretend it’s not happening because it’s all around us, it’s everywhere. And I love the fact that you’re focusing on the people side and not so much on the technology side. So, thank you so much for your time and sharing your knowledge.

BRIAN: Thank you very much, and I know I rabbit on a bit, so I do apologise for that, but I do get passionate about it.

If we can make a difference then it’s been a good day.

To find out more about Brian and his business, go to www.culturalcybersecurity.com/brian-hay

or their Facebook page: www.facebook.com/CCStransformation/

His Twitter handle is @DetSuptBrianHay (although this hasn’t been active since 2015)


Cyber Security Risk Management – it’s not just for the IT department


https://theartofservice.com/wp-content/uploads///2018/06/Peter-maynard-5618-9.30-am.mp3?_=1

Ivanka: Welcome to the “Art of Service Series” around cyber security risk management. My name is Ivanka Menken, and today’s conversation is with Mr. Peter Maynard. Is that how you pronounce it? Maynard?

Peter: Yeah, that’s correct. Very well done. It’s good to be here, Ivanka, thank you.

Ivanka: Thank you! You’re the founder of the cyber security firm “Cybermetrix”.

Peter: Correct.

Ivanka: And your focus is on helping individuals and organizations of all sizes to improve their cyber resilience through better education, awareness and understanding.

So if you like Peter’s approach to cyber security as part of this discussion and would like to reach out to him, his website is “cybermetrix.com.au” and I will also post that in the notes. So, I hope you enjoy this conversation! Welcome, Peter!

Peter: Terrific. Thank you very much, good to be here.

Ivanka: Lovely, lovely. So tell me, what has been the most significant moment in your professional career in relation to cyber security? Because you’ve devoted your life to it, by the looks of it.

Peter: It’s been a good chunk of my life, especially in the last few years; it seems to never go to bed. But look, you summed it up, really, in what our mission statement is there. And for me it was really an identification of the power of really… identifying cyber as a business risk, and the value that education and awareness bring to improving your organization’s cyber resilience. And it’s probably been the missing component, and will be the biggest challenge moving forward in the short term: it’s just about getting people’s understanding of what cyber risk looks like, and how it relates to them. So, that was probably one of the most significant points for me, when the light bulbs switched on. And that it wasn’t just about technical controls and “this is a job for I.T.”. That definitely brought home the fact that this wasn’t going to go away in any great hurry, and if we’re going to make any great inroads into it, we needed to get behind this as a whole of business and not just push it to one department.

That was probably one of the most significant moments but, having moved forward from there, I would definitely say that my involvement with my mentors has been critical to my path to where I am today. They are absolutely an essential piece of the puzzle, and they’ve served me tremendously well.

Ivanka: Ok. So can you elaborate on that a little bit more because I love mentor stories. *chuckles*

I would encourage people to seek mentors out at every level of business.

Peter: Yeah definitely, definitely. There’s a lot of push to improve collaboration in cyber security, and that’s one way that we will see a fairly good uplift in resilience across the sector, is if we can collaborate. Getting along to conferences, exposing yourself and identifying people that really know what they’re talking about. It can even be in really fine areas. It doesn’t always have to be someone who can answer every question for you. But I’ve been blessed to have really solid mentors that understand the technical area of cyber security very well, all the way through to risk experts that understand business risks and understand some of the challenges that cyber risk brings to the table. And then, on the fringes, the people on the front line that are dealing with social engineering and security awareness training, delivering to small companies or to some of the biggest companies in the world. It really has been a critical component of understanding cyber risk in a broader context, and of being valued when you speak to boards and when you speak to small businesses about what they may need to do.

I would encourage people to seek mentors out at every level of business. Whether it be a small business looking to their accountants as a mentor in cyber security, or, at the other size, big firms constantly looking for different people with different skill sets that can add to the greater value.

Ivanka: So, would it be fair to say that cyber security risk management is not just a big people game, it’s not just a big company game?

Peter: Not at all, not at all. Really, some of the biggest risks lie in smaller businesses. But the good thing there, too, is it’s not all doom and gloom. What may be approaches or methods of managing cyber risk in big firms that could be very difficult to orchestrate and difficult to execute, where results may be varied, can be some of the easiest projects to implement and deliver some of the biggest results for some of the lowest costs. That understanding of cyber risk and how it affects me and my business is really critical, and I would encourage any small business owner to really seek to have an understanding of how it affects them.

Ivanka: Which is interesting, because I talk to a lot of small business owners and cyber security risk management is not on the agenda that much. It’s almost like “Oh that’s not… nobody’s interested in us because we’re only a small business. We only have five, ten or twenty employees. We only turn over a couple of million, who would come for us? Surely they go for the big financial institutions or the big healthcare institutions”. So what is it in small businesses that makes us so vulnerable?

Peter: You’re absolutely right on a number of fronts there, Ivanka. So, firstly, small businesses have an awful lot to deal with on a day to day basis. Cyber security is just another. Very few businesses do it harder and do it with fewer resources than small businesses do. Their time is limited, their resources are limited. That misconception, that myth, that a small business has nothing to lose or has nothing to offer a cyber-criminal is probably the most important thing for them to get out of their mind as soon as possible.

Also, to back that up, to say: once you’ve got that out of your mind and you understand that this is something that absolutely has to be on your radar, help is available and it doesn’t have to be the end of the world to get there. Let’s just look at two situations specifically with small business. If you have a look at some of the bigger publicized attacks, they’re coming in through small business. Small business is the attack vector of choice for cyber criminals, for the exact reason you mentioned that started our question. They don’t perceive they have a problem when it comes to bigger objectives. So, using small businesses to get to bigger fish is a very easy thing to do. Let’s ask a small business this: how well can they go on if they can’t access their accounting package for a month? If they can’t do billing for a month, would that have an impact on their business? If they couldn’t access their email for a day, or even worse if they lost all of their email archive, what impact would that have on their business? Or to a graphic design firm: if we can’t get to the files that we’re working on for a week and we’ve got five deadlines coming up, does that have an impact on my business? And absolutely, the answer is absolutely yes.

Ivanka: Yes.

Peter: So understanding the threat that cyber risk represents to small business is critical. I understand totally how difficult it is to quantify intangibles, and that’s what we do largely in cyber security. We’re dealing with things that we can’t see.

Ivanka: Yeah.

Peter: But disruption has a very noticeable footprint. And be it disruption from cyber-attack or be it disruption from hardware failure or whatever it may be, being prepared in that situation and knowing how to respond can very well be the difference between whether you go out of business or whether you go on.

Ivanka: Yeah, exactly.

Peter: So, it absolutely is critical. It has been difficult for small businesses to get access to actionable, understandable information, but those times are about to change.

Ivanka: Yeah. So, while I’m listening to you, and you know my background is in I.T. service management, so I’ve been talking to customers and teaching in the classroom for twenty years now. *chuckles*

Peter: Yeah.

Ivanka: About availability management and business continuity management, identifying vital business functions and identifying your vulnerabilities and your threats and your responses and all that sort of stuff. Listening to you, that doesn’t really sound that much different than your approach. It’s just a different type of threat, a different style of vulnerability. Or am I completely missing the point here?

Peter: No, Ivanka, you’re spot on. And really, we do it with our health. One of the first things we do, when we perceive there’s a problem or there’s a risk, is go and do an evaluation. We get an assessment from a doctor; that doctor may refer us on to specialists that may be specialists in that particular area, or on to imaging, to get a deeper understanding of what the problem or risk may be. And then from there we make informed decisions and we move forward. This is no different than what you have been doing for the last twenty years in continuity management, and it…

Ivanka: *chuckles*

Peter: Sorry?

Ivanka: Don’t say it so loud that it’s been twenty years, it ages me! *chuckles*

Peter: *chuckles* Oh, I’m sorry! No, it doesn’t. It makes you a valuable commodity in today’s market, that wisdom and knowledge. And it applies to cyber security, it’s no different. If you’re making investments in something other than cyber security, it’s a productivity based outcome. So if we don’t do it 100% right, sure, we may not see 100% efficiency from our investment. Cyber security is very different. If we’re not making the right investments in cyber security, we may have no defense.

Ivanka: Yeah.

Peter: Even though we’re making the investments, there could be a wrong way, or we’re defending the wrong assets. So understanding that risk, and understanding what it is we have to lose and what we need to protect ourselves from… Let’s not forget this, Ivanka. Small businesses are made up of people that have their house invested in what they do every day. They are some of the people that have the most to lose every day they go to work, yet they’re choosing not to look at one of the biggest problems that’s staring them down the barrel. And that’s a scary situation, but, like I said, the times are changing and help might not be too far away, where it will be accessible through trusted advisors like accountants. Greater insight from I.T. providers that their offerings need to be more than just technology, that we can supplement our offerings with training and audits and assessments and compliance, and just doing the basics really well. That’s the secret sauce: doing the basics really well.

Ivanka: Yeah. Yeah because there’s a really easy case of “what you don’t know can’t hurt you”.

Peter: Absolutely! And it’s not going to go away by you ignoring it. It will only amplify you as a target to a criminal. There’s no other way to look at it than that. Criminals are always opportunistic and they’ll always attack the weakest point. They’re lazy, they just need to get a job done, and all it is, is 95% of our corporate sector, the same sector that’s saying “it’s nothing. We represent no threat, or we have no value to an attacker”: that’s the golden days to be a criminal.

Ivanka: Yeah, exactly. *chuckles* Happy days. So if we distil that to the one biggest risk that these businesses face right now, and how business owners can prepare for that, what would that be? What is the one thing? You know, if you set a goal for this quarter or for the next quarter, the one initiative that’s going to make the biggest impact for the business in cyber security, what would that be?

Peter: Yeah, fantastic question. Look, there’s lots, but what I’m in the business of doing is “what can we do the quickest that will get the quickest result for the most amount of people?” My advice would be to go back to their accountant and say “Can you help us manage cyber risk?”

Ivanka: Yeah.

Peter: Go to their accountant… almost every business that will be listening to this will have some engagement with an accountant, whether it’s to lodge a tax return, a quarterly, or a much deeper engagement. Go and ask their accountant “Can you help us manage cyber risk?”

Ivanka: Yeah, so that’s an interesting question, because how educated are accountants?

Peter: They’re in the business of looking at risk. They’re in the business of auditing. They’re one step up. They have a broader view across your business than what an I.T. function may have. They’re closer to being able to put in methodologies, and execute methodology for risk management in a small, digestible manner for SMEs, than probably any other professional environment. Let’s just try and keep I.T. at what I.T. do. I.T. have a very important job of enabling technologies for businesses to be successful and profitable. Let’s not bother I.T. with purely a security role; security is very different than information technology. So let’s first of all have an understanding. If security is over here, who am I going to put in charge of that risk center of security if I’m a one person or three person, five person or ten person business? Probably the best access to a trusted advisor I have that understands this space would be the accountant.

Ivanka: Yeah, yeah, absolutely. So how do you… because immediately in the back of my mind is my accountant, which I have and I love, and I have been with the same accountant for almost twenty years now…

So how do I know that I made the right decision to stay with that accountant?

What kind of questions should I ask my accountant, or my solicitor from a legal point of view, what kind of questions should I ask to assess whether or not they are the right fit for me going forward? They were the right fit for me for the past twenty years with the business risks and all the accounting stuff that was happening, but moving forward into the future? Because you’re sort of painting a different picture of the accountant being more of a business advisory role to business owners, and more of a trusted advisor for business owners, beyond just doing the tax forms.

Peter: Absolutely. That’s a great question, and it will take a degree of evolution for accountants to become proficient in delivering cyber security expertise at this needed level. Look at the Big Four. The Big Four are your go-to organizations if you’re a large business or government and you’re looking for advice around cyber security and how you manage that risk path right. So look, that’s a great question. You always need to do your due diligence around who your trusted advisors are going to be, as you would with a surgeon. If you’re not confident that your current accountant may have the skill set or the interest or the desire to help you manage cyber risk, look at some others and see who’s available and who’s interested in this particular space. Talk to other business colleagues about how they’re managing cyber risk and see if they’re having these sorts of conversations at this advisor level. Lawyers are another great example. They’re essential when it comes to having clear guidance around “am I doing these things properly from a legal and compliance perspective?”

That is part of cyber security; as you’re aware, the notifiable data breach scheme that’s now become mandatory will impact on a lot of small businesses in this country. So, compliance there is a part. These people all sit at a table, and cyber security isn’t just one person in charge.

It’s going to be the owner of the business first. If the owner of the business doesn’t value this as a risk, and something that they need to mitigate, everyone under him or her will operate at a lesser level of efficiency, because they don’t have the same buy-in as the boss does. So the boss needs to be there, and the boss needs to surround themselves with the people that can help execute this. For a small business, it could literally be the owner of the company, their trusted advisor and their I.T. provider. Between the three of these people, maybe a manager as well if they’re slightly bigger and have a human resources component to manage, the very essence makes up a digital trusting. That digital trusting may be very different than a large organization on an enterprise level, and they may not even be able to execute at that digital trusting methodology level. But a small business absolutely can. That’s one of the strategic advantages the small business has in managing cyber security. It all comes from understanding and knowledge, and that has to be the first part. If the business owner doesn’t know this needs to be the pathway for them, they can’t start on the journey.

Ivanka: Yeah. So, which part of the business, would you say, is most vulnerable? Would it be financial data? Would it be employee data? Would it be contracts? Would it be just taking over a computer so you can get to somewhere else? What would that be?

Peter: Probably the thing that’s got the most attention with small business would be disruption attacks, like ransomware. It’s a very obvious attack, it’s very tangible. They can clearly see something has gone wrong. They can clearly experience pain. You know, “We haven’t been able to access our server now for a day or two days, we’re being held to ransom for X amount of dollars and it’s affecting X amount of computers” has an immediate business disruption effect. That will get the attention. That’s when this business takes cyber security seriously. Then there’s a whole range of attacks underneath that, that they probably never will even know has happened, until they hear from a third party that they’ve been breached, or are receiving emails under your domain name, or whatever the situation may be. So it’s just really important that this visibility is there and that the understanding is there; that they do have things of value, be it their time or be it their money.

Ivanka: So, again, listening to you when you talk about cyber security, you’re not talking about I.T. service security, are you? Or I.T. security in itself; it goes way beyond that. Because when you talk about ransomware, you can have all the I.T. security processes in place, it’s only a person opening an email or a phishing attack or something like that to make you vulnerable to that.

It’s really empowering your people to make the right decisions and empowering them to ask for help or ask for input.

Peter: You’re absolutely right, you’re absolutely right. And that’s where it kind of breaks away, the cyber security component as opposed to the information security problem. This is where it comes back, Ivanka, and this was the lightbulb moment for me, this business risk issue. No matter how much money I delegate my CFO to pay my CIOs, my I.T. provider, to put the defenses up; no matter how much I invest in that particular area of mitigation, that’s not where I’m being attacked. I’m being attacked through my people, and I’m being attacked through age-old techniques of leveraging people’s desire to be helpful or trustworthy or assistive. The curiosity, that’s a very, very difficult thing to defend against. And for me my value proposition as a cyber security professional changed when I understood that clearly. The best thing that I can help an organization with is to help them reduce the time that they are impacted by cyber-attack. To be able to stand in front of a customer and say “I can protect you from cyber threats”, I don’t believe that… if there’s an organization on earth that can do that, you can count them on one hand. Therefore, where is the best value proposition that I can be to your business? It’s being able to help you implement the culture that supports people that make mistakes, and knowingly very targeted; anyone can do it, the boss is probably just as susceptible to it as the front line worker is. Put a culture in place that says “If something goes wrong, cyber security is such a threat and a risk to us, these are things we need to be aware of, this is how they’re attacking us.” If this happens to you, the best thing you can do for the organization is let us know straight away, and not fear for your job or fear incrimination for having made a mistake that we can all make. That allows an immediate response that technology can’t do.

Ivanka: Yeah. It’s really empowering your people to make the right decisions and empowering them to ask for help or ask for input.

Peter: Absolutely.

Ivanka: It’s really an education and training issue, then, rather than a technology issue.

Peter: For a small business, investment in education and training will deliver, if not the same amount, better value than investment in antivirus and a firewall. There are things that we have to have in place today. If you don’t have a router and antivirus on your computer, then you’re doing nothing right. You haven’t even started considering cyber security. So let’s just say that all you listeners out there have got a router that their internet is coming through, and they have antivirus installed, be it free or a paid subscription. From there, what are some of the best things I can do moving forward? One of the best things you can do is make sure the people that work for you understand cyber security and the threats and how they relate to them; as a human being, as a member of a family, how it relates to them at home, and that those same threats exist in the workplace. But instead of us losing our photos at home of our family vacations for the last twenty years, at work we could lose all of our records. Really, your role in helping is making sure that if something does come in or something’s gone wrong, you let us know. That is the very best position you can put this company in when it relates to cyber security.

Ivanka: Yeah.

Peter: And that’s really achievable for a small business. For a business with a hundred people or less, to be able to get that culture up and running and to get that awareness training out there is really doable. For large organizations it’s much harder. But for some, that early kill chain investment of knowledge and awareness pays massive dividends.

Ivanka: Yeah. Yeah, I can totally see that. So for a larger organization you mentioned it’s much harder, but it still comes down to culture, it still comes down to awareness and training.

Peter: Absolutely.

Ivanka: Let’s say up to one hundred employees is fairly easy to do. But if you have a business with one hundred and fifty employees or one thousand employees, what’s the different approach there?

Peter: Well, we just expect that you have greater access to resources, be it financial or access to human resources. Your capabilities are greater, you should be able to do more. So, implementing schemes across your organization like mandating two-factor authentication, for example, across all email and across all remote access devices. If we’re connecting to servers remotely, they all must have two-factor authentication on them. For an organization to hide, to put intellectual property or business property behind a username and password today, it just blows my mind. These measures are near no cost to implement; two-factor does take an awareness campaign within larger organizations, there’s a little bit more friction to roll out, but the dividends they pay are enormous. Increasing your ability to detect whether you have been intruded upon and not just disrupted. These are things that organizations can do. And we’ve worked with some, and work alongside some vendors at the moment that are doing some really incredible things to simplify the cyber security landscape from a hardware management perspective, to give much greater visibility across an organization’s threat vectors, and to make it much easier for them to join systems to be able to get much better intelligence, so that machines can start to do a lot of the interpretation work and there not be a reliance on humans to do it. So the market is moving forward. When I first really became involved in cyber, there was a gaping wound around people and the identification of people as a main threat vector. That, now, is really improving. Everyone’s really understanding that people are a big risk to us. The vendor market needs to catch up still, and the security training needs to catch up, the curriculum needs to catch up. This will all take time, but it’s actually happening. And now we’re looking at some of the other issues, some of the bigger issues that are facing the larger businesses and the governments.
And it’s their supply chain. Who makes up their supply chain? The small businesses do. It’s a whole ecosystem where big business, large business, can absolutely be helping small business to make cyber a business enabling activity, it doesn’t have to be negative. And more often than not, the treatment for small business, is education and awareness.

Ivanka: Yeah.

Peter: It’s not dipping into my pocket and going and paying $100,000 for a new piece of kit. It’s more about understanding “what am I at risk of? What do I have to protect?” and “what do I need to do?”

Ivanka: Yeah. Yeah. And no business is an island, is it? We’re all working together…

Peter: We absolutely are.

Ivanka: …and we’re all in the same supply chain.

Peter: If we email each other, we have a digital interaction together.

Ivanka: So where does cloud computing fit in, from your experience? Like, is that a good development? Or is that a dangerous development or indifferent? Where do you sit?

Peter: Look, I think cloud computing is an essential part of the mix in being able to move forward and to move security, and the securing of infrastructure, to enterprises that have the capacity, the capability and the resources to provide that service.

For organizations to think that they can do this internally moving forward, they’re literally swimming upstream.

Organizations need to start to consider moving up the stack in terms of what they can stream in information technology, and streaming services that are already pre-hardened. There are a number of the main service providers now where, if you use their cloud based services and you activate the security controls that come with that particular service, from a technical perspective you’re almost done. You’re almost finished. The rest is up to the business around the people: understanding how we’re going to be attacked, understanding what we do if we are attacked, how do we recover, and being on top of that; people having a game plan to go to. I absolutely think cloud services are integral to moving forward in commerce and moving security away from something an organization has to look after themselves.

Ivanka: Yeah, because that could be a really good approach for small businesses. If you don’t have the budget to put technical measures in place to protect you from cyber security threats or cyber-attacks, then move your data to a cloud provider that does have those kinds of capabilities.

Peter: Absolutely, Ivanka. And it’s not even just the case of if you don’t have the money to do it internally. Chances are you won’t be able to access the people that know how to secure it properly, even to buy. They’re being consumed by government and large business in their entirety. I remember going to a recruitment session with a really prominent and strange federal government department a couple of years back. And they were recruiting for cyber security experts, and they were looking for 357, or around that number.

Ivanka: Wow!

Peter: To fill their current requirements. They themselves admitted “There’s probably only a thousand of you in Australia.” So immediately there’s one organization consuming one third (1/3) of the capacity of people able to do that job in this country. The skill shortage is enormous! I know the heads of governments have been working really hard to start to improve the curriculums that are being developed, the university courses that are being offered to students, because it’s something that is vitally needed. Where I still see a large gap is that there’s very little focus around the development of courses around the soft skills, around social engineering, around security awareness training. They’re still mainly technical degrees that we’re seeing coming out.

Ivanka: Yeah.

Peter: The honey hole is that general awareness training that everyone can be subjected to and I think should be part of school curriculum, myself.

Ivanka: Yeah. Starting at high school, actually.

Peter: I’d start in primary school, personally. When we start to teach our kids about their own identity, I think it’s also a really important time to start introducing the concept of digital identity. Because before they know it they’re involved in social communities that have wider impacts. So to understand in this world now that you can share yourself like you’ve never been able to before in the history of mankind, is a really important concept and one I think our kids need to know.

Ivanka: Yeah, yeah. Just to protect themselves.

Peter: Absolutely! And the rest of their family!

Ivanka: So moving forward, I mean, I really like that point of starting the education at primary level, because that really future-proofs them from a personal point of view. Have that awareness of, you know, “don’t post certain photos online”, “don’t post on Facebook that you’re asking for house sitters because you’re going on holiday from the first of April to the 30th of April.”

Peter: Exactly.

Ivanka: *chuckles* Just for the next generation to understand that it’s not ok and that whatever photos you put online will always be online and you cannot get rid of them. So don’t ruin your entire future, your career, your image, your everything.

Peter: For what would have ordinarily been another silly mistake done in the privacy and security of your own family. That would’ve been addressed by someone that trusted you and loved you, that only had the right intentions for you. But now, with the click of a button, a kid can disseminate a photo, that’s illegal, that the rest of the world can see within the space of a very short period of time, without even having any understanding of the severity of what they’ve just done.

Ivanka: Yeah.

Peter: And then be persecuted for that forever. That mechanism, that control, that ability to control the environment that our kids live in until they truly understand what they need to know, that’s shifting away from us. And when social media platforms are available to children from the age of thirteen, Ivanka, I ask you, would we give our kids alcohol at thirteen? Would we let them go out and drink at thirteen? Would we encourage them to smoke? No, we don’t. Because we’ve seen the tangible effects of what happens if they do that. This is no different.

Ivanka: No.

Peter: And being able to share to a level that probably isn’t healthy before you have a mature mind could be a dangerous thing.

Ivanka: Yeah. I must admit, I have a seventeen year old son and his school is really good with these sorts of topics. They spend a lot of time and effort in building the awareness in; it starts from grade seven, I think. Really building the awareness of cyber, protecting yourself and being safe, cyber safety, for lack of a better word. They put in a lot of effort, and a lot of speakers come in, and they have programs and curriculums as part of their schooling. But, yeah, it can always be done better, because I also see the photos that some of his peers put up online and I go like “yeah, not a good idea.”

Peter: Yeah, absolutely. And look, I have nothing but good words to say for the schools. They’re just like small business. They’re time poor, they’re resource poor and they’re just constantly being asked to perform things and do things that are outside of their core responsibility. But they do, out of the sheer need and necessity for kids to understand these concepts. They do it and they do it really well. We had a great experience with a primary school here in Brisbane a week or two ago. Fantastic involvement from the parents, fantastic involvement from the principal, just looking to want to understand “how can we do this better?” And it all comes back to knowledge and understanding. And it all comes back to that basic security awareness training that we all need to start consuming. There’s no point in us teaching it in a workplace and expecting someone to listen to it. The reality is it has to be made relevant in my own personal life before I can even bring those lessons into a workplace.

Ivanka: Yeah, yeah. So moving on from that, well, it basically triggered me, talking about the future. You know, these kids are the future. The teenagers of today are the business owners of ten years from now. They’ve grown up in a digital environment, they’ve grown up with all this knowledge. What’s it going to be like? What’s the future going to be like for business owners, be it small, medium or large business owners, in relation to cyber security? What trends do you see at the moment?

Peter: There’s so much on how it rises, it’s not funny. Artificial intelligence, machine learning, big data, they’re all things that we’re hearing about a lot now. Robotics: where one of our offices is, we’ve got a robotics lab next to us. And to see the progress that they’re making, it’s astounding. I remember hearing, I’m thinking about 2013, our futurists saying that by 2019 we’ll be carrying around a digital environment with us and it’ll be part of who we are. Sure enough, what does our phone represent to us now? We do everything digitally through our phone now. And that’s coming ahead of time.

So, what does 2025 look like? What does 2030 look like? It’s scary but super exciting to see what’s going to unroll. Look, I’m no futurist and I won’t put predictions out because I’m absolutely consumed with dealing with the now, but all I can say is we can expect, I’m sure we can expect more and more small businesses. More people with a single business with a laptop running really successful businesses. Leveraging different skill sets from all around the world, working at truly global capacity. Maybe less of that centralized coming into a workplace.

All of this decentralization is just more challenges for the digital environment and for the cyber security environment. But that’s the nature of the world we live in. We live in a progressive world. Don’t get me wrong, I am one of the biggest fans of technology. It has enabled me to do more things in my life than I would have ever considered possible. It’s an essential part of where we’re going forward. It’s just around that need to understand “when we use these tools, what are we actually doing?” and around valuing our data.

The share price of Facebook tells a really sad story. Have a look at the share price of Facebook from when everything blew up a short period of time ago, and how quickly it’s responded back. How much do people really care about the substantial nature of what’s happened? It’s really difficult if you can’t see it, and if you haven’t had your identity stolen, and if you haven’t had your life disrupted or your photos stolen or work shut down. But at some point you have to say “look, we now take smoking as giving you cancer. You need to accept that cyber is something you just need to learn a little bit more about.”

Ivanka: Yeah.

Peter: And implement some principles. But I was really encouraged by what I saw at the school. And this younger generation that are coming through the school do have a greater appreciation of a digital environment. I think things will only get better.

Ivanka: The other side of the coin is that the criminals themselves are getting smarter and smarter. And it’s getting harder to stay in front of—well I don’t think we are in front of them, but. I think it’s a myth that we can catch up to them. But it’s a matter of how do we manage the risk that we’re faced with?

Peter: Let me add one little component to that. What other criminal has such low chances of being caught and going to jail as a cyber-criminal does?

Ivanka: Yeah.

Peter: That in itself is an alarm built to say to business “this is not going anywhere. I need to make sure that I’m harder to get into and harder to disrupt than the person next to me.” Because, as I said at the start, criminals are opportunistic. They’re looking for the quickest, easiest wins. They’re not out to prove a point to every security operation control system that “we’re smarter than you with our attack and here we got through to you.” That’s not their gain. They’re financially motivated or they’re ideologically motivated. To try and even stay up, or have that you will stay up, with the cyber attackers and the hackers is not one worth even considering. But what you do want to consider is doing everything that is in your capability, and in the interest of your business, to protect yourself from that.

Ivanka: Yeah.

Peter: Just like you would not go home at night and not only leave the front door unlocked to your business, but leave it wedged open so it’s clear to the world that you can walk straight in.

Ivanka: Yeah *chuckles*

Peter: Just as you wouldn’t do that, for physical crime and physical information security, someone coming in and stealing all your work papers physically, it’s even easier for them to do that through a cyber channel. So you need to get on top of it and fast.

Ivanka: Excellent. Well we need to wrap it up because I don’t want to take too much of your time.

Peter: Am I talking too much? *chuckles*

Ivanka: No, no I love it! I love listening to your experiences and your stories. I learn so much from these talks I have with people.

Peter: Terrific.

Ivanka: It’s amazing.

Peter: Likewise.

Ivanka: So, one final word of advice to I.T. professionals, as well as business owners, in relation to cyber.

Peter: If I can give one to I.T. professionals: what a fantastic job they’ve done and they continue to do. A very, very difficult task that I.T. professionals are tasked with today toward so much security. And let’s be honest, they’ve done such a fantastic job, criminals being who they are, it’s harder to go through technical boundaries and fortifications than it is to go through people that have had no investment whatsoever. So to all the I.T. community, which I’ve been a part of, fantastic job and keep doing an excellent job. To business owners, do your best to engage with a trusted advisor that can help you on this pathway. It doesn’t have to be hard, and your wins can be quick.

Ivanka: Yeah. Well, thank you so much for those wise words and again your website is Cybermetrix.com.au. Is that the easiest way they can get in touch with you?

Peter: Yeah. That’d be the best way. Absolutely. If I can be of any assistance, I’m happy to help out. Thank you for the opportunity, Ivanka, it was great to speak with you today.

Ivanka: Not a problem. Lovely to talk to you too, and enjoy the rest of your day!

Welcome to The Art of Service Cyber Security Risk Assessment Month

Welcome to The Art of Service’s Cyber Security Risk Management Month.

My name is Ivanka Menken and I am the owner and co-founder of The Art of Service.

Since we published the Cyber Security Risk Management Self Assessment, we have had many of our clients discuss with us the need for awareness around Cyber Security Risk Management and the importance of educating both IT Professionals and non-IT staff members.

That is why we decided to make this month, June 2018, Cyber Security Month. There is no denying that Cyber Security Risk Management is important for all types of businesses – from solopreneurs to large multinational enterprises, we all need to be vigilant and aware of the vulnerabilities that we face on a daily basis.

To celebrate this Cyber Security Month I interviewed a number of experts in the field, working in Australia and The Netherlands. These people work with companies every day of the week to help prepare and manage the Cyber Security Risks that are present in our society. Each interview has a slightly different angle, and a slightly different message – but at the core of it all is the passion of these professionals to make businesses and their teams aware of the threats and vulnerabilities in relation to Cyber Crime.

I trust you enjoy this series and I invite you to contact me for further clarification, questions or comments. I am more than happy to connect you to any of the experts that I’ve interviewed and look forward to hearing more insights and experiences as the month continues.

Also – if you feel there are other people that should be interviewed for this series, please introduce them to me. It’s such a lovely learning experience to be able to listen to experts talk about their field of expertise.

But for now, I hope you enjoy this series.

Ivanka Menken

Managing Director,
The Art of Service Pty Ltd