Five Lies Australian Businesses Are Told About IT & Cyber
What if the biggest threat to your business isn’t a hacker — but the assumptions you’re making?
Season 2 of the REDD Technology Podcast has arrived. Now hosted by Marco Nicosia, Chief Strategy Officer at REDD, alongside CEO Bryan Rogers and COO Chris Herbert, this season kicks off with a critical discussion on the cybersecurity myths that continue to put Australian businesses at risk. In this episode, the team unpacks common misconceptions, challenges outdated thinking, and shares practical insights to help organisations strengthen their security posture in an increasingly complex threat landscape.
You’ll explore why being “too small” no longer protects you, how generative AI and automation have lowered the barrier for cybercriminals, and why attackers no longer hand-pick their targets. You’ll hear how mass targeting works, how AI-driven phishing and deepfakes are evolving, and why small and mid-sized businesses are often seen as the easier entry point.
You’ll also unpack the misconception that your IT provider alone has cybersecurity covered, and why true protection requires leadership accountability, shared responsibility, and proactive planning.
Most importantly, you’ll confront the real cost of doing nothing — from financial impact and operational downtime to reputational damage that can take years to rebuild.
If you want practical insight, sharper awareness, and a clearer understanding of your role in protecting your business, this episode is essential listening.
#REDDTechnologyPodcast #Season2Launch #CyberSecurityAustralia #BusinessRisk #AIAwareness #SMBLeadership #DigitalSecurity #TechLeadership
00:00 – Start
01:02 – Lie #1: “We’re Too Small to Be Targeted”
03:39 – Why Small Businesses Are Actually More Vulnerable
05:24 – Lie #2: “Our IT Provider Has It Covered”
08:36 – Lie #3: “We Have Backups—We Are Safe”
13:50 – Lie #4: “We Are Compliant—We Are Secure”
17:34 – Lie #5: “We’ll Deal With It If It Happens”
23:44 – Proactive Planning, Incident Response & Final Takeaways
If you would like to discuss any of the topics discussed in this episode further with a REDD expert, or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below.
https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/nicosiamarco/
https://www.linkedin.com/in/bryan-rogers-171423104/
https://www.linkedin.com/in/crjherbert/
00;00;21;25 – 00;00;27;14
Speaker 2
So welcome. We’re doing our first episode of a revamped podcast. We call it season two.
00;00;27;19 – 00;00;28;26
Speaker 3
Wonderful.
00;00;28;28 – 00;00;29;16
Speaker 2
Exciting.
00;00;29;22 – 00;00;30;11
Speaker 4
Thanks for having us.
00;00;30;17 – 00;00;55;09
Speaker 2
Yeah, thanks for coming. So we have Bryan, CEO of REDD, Chris, COO of REDD, myself, CSO of REDD. And today we’re going to be talking about five lies Australian businesses are told about IT and cyber. Yeah. So REDD being an MSP right. We work with businesses across different industries. We look at how to protect the we look at the right environment and how secure they are.
00;00;55;11 – 00;01;15;27
Speaker 2
And often enough we come across some statements, some sayings which are not necessarily true. We’re going to be discovering five of them today. The first one being we’re too small to be targeted. So I’m a business. And I say, you know what? We’re not big enough. Doesn’t matter. No, we hear this quite a lot. What do you think about this?
00;01;15;29 – 00;01;38;06
Speaker 3
If anything, I think it’s quite the opposite. Often smaller businesses have fewer controls. You know, fewer people have more power and ability to transmit money around or make decisions on the fly. Social engineering becomes easier on a smaller scale. I really do think that people need to kind of dispense with that myth that anyone’s too small.
00;01;38;07 – 00;01;59;21
Speaker 3
It’s it’s far easier for a threat actor to target a smaller operation that’s used to throwing around regular transfers. So you take a construction company, for example. You know, there might be an operation of like, 20 people in the office, but they’re regularly transferring, you know, six figure sums to suppliers or, or to other vendors. And to intercept that is a lot simpler.
00;01;59;23 – 00;02;20;16
Speaker 3
For smaller organisations where 1 or 2 people are always doing multiple tasks at a time, they’re often distracted. Whereas in larger organisations, you know, they’ve got very strict processes, procurement processes, purchase order processes, all that kind of thing that would potentially limit that kind of ease to, to sort of man-in-the-middle those kinds of conversations.
00;02;20;18 – 00;02;21;07
Speaker 2
Yeah.
00;02;21;09 – 00;02;45;12
Speaker 4
I’ll probably add to that. From my background in software engineering. So historically, there was a group of threat actors they used to call script kiddies. And the idea was that a small group of people who could build scripts and then deploy them against a target. And I think historically, that was a lot of effort. Yeah. They had to choose that target and put in that effort to build the script and then use it.
00;02;45;16 – 00;03;08;08
Speaker 4
But those scripts have now become really, really easy to access and super cheap. So what they’ll do is essentially buying that script rudderless like that, very little, and then just say run it en masse against any organisation I can find. They don’t actually know that they’re targeting, you know, just in a list of thousands of potential endpoints that they could hit on IP addresses.
00;03;08;10 – 00;03;27;09
Speaker 4
So it’s not about you being a target. It’s about someone finding you. And they don’t have to work that hard to find you anymore. So following on with what Chris said. Just because you’re small doesn’t mean you’re a smaller target. But if you treat yourself as small, you don’t take those precautions to protect yourself, because they’ll be found.
00;03;27;09 – 00;03;31;04
Speaker 4
And people just leverage that against you because it’s super easy and super cheap now.
00;03;31;06 – 00;03;35;04
Speaker 2
Yeah. Of course. And you think about the age of automation in AI.
00;03;35;07 – 00;03;36;19
Speaker 4
It’s going to get cheaper and easier.
00;03;36;21 – 00;03;46;12
Speaker 2
All you are is you’re a data point within money. Right. As you say. So you can be targeted in an instant. And you have these AI and bots that can run, you know, million instances in an in a minute.
00;03;46;16 – 00;04;00;23
Speaker 3
So yeah, when these things can literally code for you based on natural language input, you don’t need to know how to code anymore. I’ve made some pretty cool stuff and I’ve got no idea how to code. You just tell it what you want it to do and it spits something out and you know, that’s not quite right. Can you do this instead?
00;04;00;23 – 00;04;02;06
Speaker 3
And it’ll go. Sure. I’ll do that.
00;04;02;09 – 00;04;20;16
Speaker 2
Yeah. Another point to consider is potentially for a smaller company is if you are targeted successfully. Well, you know, ten K, 20 K, whatever might be, you know, is is a large proportion potentially of your, your revenue, your income, your cash flow, whatever it is compared to potentially larger companies where you know, they’re paying the vendor same thing, but it could be a drop in the ocean.
00;04;20;19 – 00;04;23;17
Speaker 2
So actually the smaller companies should potentially be even more aware.
00;04;23;20 – 00;04;41;25
Speaker 3
Yeah. And look for smaller businesses. That’s potentially an extinction event right. Like you can’t recover from that. It could be a business operation or it could be financial impact. But either way, it’s much harder for smaller organisations to recover from that as opposed to much larger ones that have, you know, big insurance policies and, you know, large sums of, cash reserves.
00;04;41;25 – 00;04;47;12
Speaker 3
And often they self-insure a lot of these things. You don’t really have that option too much when you’re a smaller organisation.
00;04;47;14 – 00;04;59;22
Speaker 2
Yeah. It also, I mean, if it doesn’t extinguish you from a financial perspective, even a larger companies, it would certainly have a reputational damage. I mean, would you sign up for a health provider that’s been data breached?
00;04;59;23 – 00;05;02;12
Speaker 3
No, in fact, I moved from, for that exact reason.
00;05;02;14 – 00;05;19;09
Speaker 2
Yeah, exactly. You know, we’ve seen it recently enough without giving names. There has been one. They’ve been data breached. The pirates, let’s call them, been reaching out to their clients. And the company didn’t even know. And then all the data was deleted, so they didn’t know who they reached out to. They don’t know who was affected. They didn’t know who could potentially abscond.
00;05;19;11 – 00;05;33;14
Speaker 2
So you know super important. Cool. Let’s move on to lie number two. Our IT provider has it covered. So you know a provider handles it, whether internal IT or we have somebody who looks at it.
00;05;33;17 – 00;05;54;23
Speaker 4
Look it’s quite a broad statement right. You know I think a provider does a lot of different things and different IT providers have different sculptured coverage. Right. But one of the things that usually isn’t included is making sure you’ve got someone thinking about the risk holistically and strategically. And assuming that your IT provider is doing that is naive.
00;05;54;26 – 00;06;15;18
Speaker 4
Really. If they’re not having that conversation with you, with your board, with the key people understand how your business is working, you have to assume that they’re not having that conversation. They’re not applying that lens. Because they can’t they know technical risk areas. We know where likely sources of, you know, attacks may come from common attack vectors.
00;06;15;21 – 00;06;45;17
Speaker 4
We don’t necessarily know how your business runs and how your business operates. So the non-technical risk factors will be a blind spot. It’s also often things they can’t control. Some of the internal processes around how you handle particular workflows. Yeah, that’s in your business to secure and understand and then articulate to your IT provider. So while your IT provider might have good coverage of the elements that they are within their SLA to manage, that might be a fraction of the attack surface.
00;06;45;19 – 00;07;06;13
Speaker 4
So I think passing the buck, so to speak, in that instance is a naive and a bit of a negligent approach to your cyber security risk. You should be involved in those conversations. Especially if you hold the director or an officer role. Yeah. Corporations Act, you need to you need to act in that manner. You need to keep yourself informed.
00;07;06;13 – 00;07;13;20
Speaker 4
You need to manage your risk. And you could be potentially liable for, for that negligence. Yeah.
00;07;13;22 – 00;07;23;29
Speaker 2
Chris, you have you found potentially that it’s a fear of the unknown? You know, if I’m not having the conversation, I mean, there’s not a problem. And I don’t want to dive into it because then it’s becomes uncomfortable, and I need to do something about it. Yeah.
00;07;23;29 – 00;07;40;20
Speaker 3
It’s like, you know, credit card debt. If you just ignore the statement that it’s not really that or is it? It’s just kind of something that sits in the background and you don’t have to worry about it. But, yeah, 100%. I think people are often afraid of what they don’t know, and it’s easier to just to ignore it than to kind of address it front on.
00;07;40;23 – 00;08;01;01
Speaker 3
I think the other factor, too, is that a lot of managed services providers, and to Bryan’s point around the scope of services that they necessarily provide, are reactive in nature in a lot of cases. So particularly if you’ve got a smaller one man band or an MSP that you pay, you know, a monthly fee to to answer the call, answer the email when you’ve got a problem.
00;08;01;01 – 00;08;25;00
Speaker 3
They’re not necessarily spending all the extra time that they don’t necessarily have because they’re busy as well, looking after their other customers, sitting on your network all day, looking at potential ways that they can prevent you from from being breached. So they are not by nature reactive? Not to say that it’s every provider. Like there’s there’s many there’s many ways you can you can structure your, your managed services or your, you know, your support arrangements.
00;08;25;00 – 00;08;32;16
Speaker 3
But generally speaking, a traditional IT support arrangement will not be that security nature proactive in nature anyway.
00;08;32;22 – 00;08;53;11
Speaker 2
Yeah. Vernon. Thank you. Let’s move on to lie number three. We have backups. We’re safe. Right. Backups create a false sense of comfort because usually you have the pre event where you haven’t been attacked, the event where you’ve been attacked and the post event. And that’s where backups potentially come in, at the post event. But you know you’ve been attacked at that stage.
00;08;53;13 – 00;08;57;02
Speaker 2
And yeah if you’re attacked it doesn’t mean that your backups aren’t attacked.
00;08;57;05 – 00;09;14;21
Speaker 3
Yeah, that’s a very good point. The backups should be your last line of defence. They should not be your only line of defence. And to your point, a lot of the pre event work that happens in in that space is you know and we’ve seen this before often you know a threat actor will get into a network and they’ll sit dormant for 6 or 7 months at a time.
00;09;14;24 – 00;09;33;18
Speaker 3
Just seeing where everything is, what data is where, seeing if they can get lateral movement to the backup environment. You know, traditionally, you know, backups sit in the same flat network if you like, that same layer. So rather than having to go through multiple locked doors and, and, you know, pin code access and whatever else to get to the backup data.
00;09;33;25 – 00;09;54;05
Speaker 3
Often it’s just sitting on another network drive somewhere that they can reach. So if they can get into the network first, understand where your critical data is and then lock out or encrypt your backup data, and then do the attack and then and then take the data. By that stage it’s too late and you can have terabytes of backup data that is now completely useless.
00;09;54;12 – 00;10;01;20
Speaker 2
Yeah. You’re basically to be in a in a hostage scenario, right? Sites we own you and unless you pay up or do something, then tough.
00;10;01;23 – 00;10;12;21
Speaker 4
Yeah, like these attackers aren’t dumb, right? They know that you’re going to be thinking, oh, so what? We won’t pay them. We have backups. They will find your backups first. And getting this first job is.
00;10;12;22 – 00;10;13;20
Speaker 3
Often the first place they.
00;10;13;20 – 00;10;22;14
Speaker 4
Look. How can I remove your mitigation options? And when I hit you with the ransom, you don’t have them anymore. So there’s a concept of immutable backups.
00;10;22;15 – 00;10;22;23
Speaker 2
Yeah.
00;10;22;28 – 00;10;39;29
Speaker 4
Where you set your backups in such a way that they cannot be deleted or tampered with, even if you wanted to. Yeah. So you say, you know, we take the backup for that month. It is in an immutable state, and it gets stored somewhere separate, that an attacker getting into our environment can’t access. And that’s two levels of protection.
00;10;40;02 – 00;10;56;17
Speaker 4
Yeah. Got the immutability. That means even if they do somehow manage to get to it, or they’re air gapped or stored offsite, they can’t do anything, they can’t delete it, can’t get rid of it. That’s kind of the more secure way to manage those backups. But not all that many people do that. Yeah. It comes at an additional cost.
00;10;56;17 – 00;11;04;02
Speaker 4
And sometimes that cost doesn’t make sense when you’re looking at oh I can I backup so I can have these other backups on the backups. I’ll take the cheaper one.
00;11;04;05 – 00;11;04;23
Speaker 2
Yeah.
00;11;04;25 – 00;11;23;29
Speaker 3
So yeah. And further to that point, even if you do have all the right backup data and it is air gapped, meaning it can’t be can’t be reached from within the network directly, what’s the time for you to recover that data? What’s the time it takes in the business impact while you get all those, you know, hydrated and back in and everything kind of restored?
00;11;24;03 – 00;11;36;04
Speaker 3
Do you have enough space in your environment to restore it? Often people run pretty lean, and to restore the backups requires buying additional storage, because if they were to try and restore it over on their existing network, they don’t have enough room.
00;11;36;09 – 00;11;38;07
Speaker 2
Yeah. And you’re still being attacked and.
00;11;38;09 – 00;11;54;26
Speaker 3
Yeah. Exactly. Yeah. At that point, your business is still impacted. You’re still potentially offline. Yeah. You’re now up for CapEx to try and buy more stuff. So you can you can restore from that backup. And even then, depending on what kind of business, right. Like if you’re an architecture firm and you’ve got terabytes and terabytes of data, that can take a long time to restore.
00;11;54;27 – 00;11;56;08
Speaker 3
Yeah.
00;11;56;10 – 00;11;59;25
Speaker 2
And directors are legally liable now, right? Correct.
00;11;59;27 – 00;12;16;16
Speaker 3
If you can’t prove that, or show that you’ve taken appropriate steps to secure the data of your customers data we run. We’ve we’ve not taken the advice of professionals in, into in such a way to prevent that or to at least position yourself the best way possible. Yeah, absolutely.
00;12;16;18 – 00;12;33;21
Speaker 4
Yeah. And I think there’s one big assumption that we’re kind of glancing over here on the backup front, and it’s that their backup works. Yeah, yeah. No, you’d be shocked at how many backups are untested. And obviously it doesn’t make sense to test every backup, be taking a backup every four hours. You’re not going to test every backup every four hours.
00;12;33;21 – 00;12;57;02
Speaker 4
But you should have a cadence and a rhythm of testing your backups, you know, quarterly or at the very least annually to say, let’s pick some backups that are actually critical. Let’s not take the easy low hanging fruit backups. Yeah, test some critical backups and make sure that they are working. Yeah. Ideally, you know, there are tools in the market now that I’m sure your IT provider can talk to you about that have automated testing in them that give a level of assurance.
00;12;57;02 – 00;13;08;23
Speaker 4
And you can see that they’re being regularly tested by the tools themselves and will restore when you need them. But it’s a big assumption that when you come to crunch time and you need that backup, it doesn’t work. Yeah.
00;13;08;25 – 00;13;28;17
Speaker 3
Yeah. And I think one other point too, is your IT company that looks after your internal like, hey guys, they might not necessarily know what they should be backing up. So we regularly talk to customers about it’s their responsibility to understand what should be in their backup. Yeah, yeah. It’s one thing to talk about servers and you know, and bits and pieces that operate the network.
00;13;28;17 – 00;13;48;00
Speaker 3
But they could be a, you know, a storage device or an asset sitting in a corner somewhere that has really critical archival data that if they lost, that would be in a lot of trouble. Yeah. If you’re on tape, people don’t necessarily know that. So it’s important to understand your data, understand your risks and make sure that you’re communicating that with with whoever’s looking after your backups.
00;13;48;08 – 00;13;59;21
Speaker 2
Vernon. Thank you. Lie number four. We’re compliant, so we’re secure, right? That means we’ve done minimum. And, you know, we check the box. Therefore, we’re completely safe.
00;13;59;27 – 00;14;21;04
Speaker 4
Yeah, the paperwork’s all in order. That’s awesome. But the attackers don’t really care about the paperwork. And you’ve signed the box saying, yeah, we do that. We do our cybersecurity training. But are people actually taking it on board? Right. It’s all well and good to have people training with them. The largest one of the largest risk factors for your organisation.
00;14;21;06 – 00;14;33;11
Speaker 4
Are you people actually taking that training on board? I like living it, you know. Do they take cybersecurity seriously? If it’s never going to tell you that, you can be compliant on paper, but that huge attack doors right open.
00;14;33;14 – 00;14;58;18
Speaker 3
Yeah. Compliance for compliance’ sake can be dangerous because it’s very easy to show sample data or sample examples of where you do satisfy criteria, but it could be, you know, many, many others where you are not. So it’s very easy to, like it says, pass the audits or or tick the box. But can you confidently say that that’s the case for every aspect, every piece of data, every system?
00;14;58;21 – 00;15;03;19
Speaker 3
Can you confidently say that your other systems that you rely on, third parties, are equally compliant?
00;15;03;27 – 00;15;08;23
Speaker 4
To the goal that might be lie number four. It’s still a great statement to be able to make.
00;15;09;00 – 00;15;09;19
Speaker 2
Yeah.
00;15;09;21 – 00;15;22;22
Speaker 4
As an organisation, and if you’re making it and you mean it, then that means you’ve taken the time to say we’ve looked at what we should be compliant with. We believe we have the the processes, the checks, the balances, the technical controls in place to be compliant.
00;15;22;25 – 00;15;23;03
Speaker 2
Yeah.
00;15;23;04 – 00;15;42;11
Speaker 4
And that’s fantastic. What we’re talking about here is more has it been tested and need to make sure that your compliance with your paperwork is backed by people actually living those processes? Yeah. That’s all it takes is for one out of the 100 iterations of that process to be incorrect and someone to not follow it to lead to one of those breaches.
00;15;42;15 – 00;15;43;09
Speaker 3
Yeah.
00;15;43;12 – 00;16;03;12
Speaker 2
Yeah. And I was speaking to somebody an insurer, as a matter of fact, who specialises in the cyber security last week. And we’re seeing that in their case, cybersecurity insurance is now an add on. Did you insurance you’re not automatically covered for it. I don’t want a company saying I am compliant does not satisfy that insurance level.
00;16;03;14 – 00;16;03;28
Speaker 3
That’s not.
00;16;04;04 – 00;16;23;26
Speaker 2
So. There needs to be checks. There needs to be testing, needs to be this this rigorous way of talking about it. And the I mean, the insurance companies, if you do have insurance, you know, they’re open to talk to you in terms of what you need to do. But you’re saying, you know, I’m compliant. So if I’m attacked, they’ll pay me my money back or whatever it is, or they’ll deal with the cyber doctor to negotiate on my behalf.
00;16;23;26 – 00;16;26;04
Speaker 2
Well, that’s that’s false.
00;16;26;07 – 00;16;36;15
Speaker 4
So there are dedicated insurance companies, showing that that conversation last, last week, which, if I recall correctly, was like a wine slash insurance conversation.
00;16;36;18 – 00;16;42;29
Speaker 2
Yeah, it was cybersecurity wine pairing, which is strange, common, enjoyable, but not a wine pairing that I’ve had before. Yeah.
00;16;42;29 – 00;16;44;18
Speaker 4
Nice. Nice nice. Yeah.
00;16;44;20 – 00;16;46;24
Speaker 2
So it was over a Chardonnay, this one.
00;16;46;26 – 00;17;04;20
Speaker 4
So, so there are dedicated companies that do the cyber insurance side because it’s becoming so much more complex than just, you know, training. It’s like, here’s an outfit with a couple extra questions. Sometimes it’s almost like doing another audit. Yeah. Like it is quite in-depth. Some of those questions I ask and some of the proof they ask for.
00;17;04;27 – 00;17;21;01
Speaker 4
But in my view, I think that’s moving in the correct direction. And then if they can see the correct controls are in place and that organisations have done what they say they’re doing and are as compliant as they think they are backed by technical controls, that should be reflected in cheaper premiums.
00;17;21;01 – 00;17;21;26
Speaker 2
Yep, absolutely.
00;17;22;00 – 00;17;31;21
Speaker 4
It should be easier for them to quantify what that risk is for them, because they understand that industry that risk landscape. And, I think that’s I think it’s a benefit for everybody.
00;17;31;23 – 00;17;38;02
Speaker 2
Brilliant. Let’s move to our last lie. Lie number five. We’ll deal with it when it happens. You will.
00;17;38;05 – 00;17;39;04
Speaker 4
Yeah. You’ll have to.
00;17;39;09 – 00;17;41;07
Speaker 3
Yeah. Do you have a choice?
00;17;41;10 – 00;18;05;18
Speaker 4
But that doesn’t mean there’s lots you can do in advance. You know, they go left of boom. Yeah. Boom. Being the, the incident itself, the explosion. Everything you can do in advance of that around understanding the risk, having the conversations, mitigating that risk, putting in place your technical controls around backups, testing of those backups, compliance training, testing of that compliance training.
00;18;05;22 – 00;18;37;27
Speaker 4
Yeah. Is all within your control and is required of directors and officers in the organisation to say that they have taken the steps a reasonable person would take to secure the company against cyber risk. Yeah. Burying your head in the sand doesn’t cut the mustard. And ignoring the information that you have is even worse. If the courts find out that you were given that advice, or you saw those risk metrics, or it was on a report somewhere and you chose, no, we’re not going to do that, they will fine you because of that.
00;18;37;27 – 00;18;45;28
Speaker 4
Yeah. And that’s within your control. So you still have to deal with it when it happens. It might also be dealing with it after it happens for longer. Yeah. In other ways.
00;18;46;02 – 00;19;00;26
Speaker 2
Absolutely. And I mean, Chris, we’ve seen the first fine be an issue close to $2 million because, I mean and directors liable as well because there was information there or they didn’t take the steps they needed to secure it.
00;19;00;29 – 00;19;19;03
Speaker 3
Yeah, absolutely. And this is this is more of a warning example shot like this is only going to ramp up. And this was the first one they’ve chosen to prosecute the way they have. The there will be ample more in the future. And there’s a bunch in the past that didn’t get. But they’re taking it seriously now.
00;19;19;05 – 00;19;25;01
Speaker 3
Yes. It’s when it starts to affect every day, you know, all these. It’s that’s when it gets real. Yeah.
00;19;25;04 – 00;19;53;04
Speaker 4
And it’s putting my memory on the spot a little bit. But it might have even been closer to like five and a half, 6 million for that particular one. Yeah. And that was actually prosecuted under an older version of the act that defines what the penalties could be. And they took a slightly softer approach. But I think now there’s three potentially three metrics that they can use to determine what they will fine you.
00;19;53;09 – 00;20;19;16
Speaker 4
It’s up to whichever is the maximum of those three. And the first one is just a flat $50 million. They could choose choose up to that if that’s the maximum amount. The other again, sorry, testing my memory a little bit. The other is 30% of your turnover during the period of the breach. And the third is three times the benefit or savings that you got by not acting or acting in the way that you did.
00;20;19;16 – 00;20;37;02
Speaker 4
So for example, if you had a proposal in front of you, for application whitelisting and threat protection, and it was going to cost you $1 million and you said, no, I don’t do that. It’s too expensive. I could charge up to 3 million under that particular line item to say, that’s the penalty because you’ve got a saving of X.
00;20;37;02 – 00;20;38;02
Speaker 2
Yeah, I know that is.
00;20;38;02 – 00;20;38;23
Speaker 4
Like the highest.
00;20;38;23 – 00;20;41;00
Speaker 2
Yeah. And that is the penalty alone. That is not.
00;20;41;00 – 00;21;06;27
Speaker 3
Just a penalty. And that’s a really good segue to the point I was going to make next is that that’s all, you know the fines and and the punishment if you like. But on the flip side of that, there’s this the chaos that it causes for the, for the business, like when it happens, unless you have a like bullet-proof playbook for how you’re going to approach, an incident like this, you know, who who has what roles in the organisation.
00;21;06;29 – 00;21;34;03
Speaker 3
What what is your plan? What is your what is your disaster recovery plan? What is your breach plan? What is your what is your action plan effectively for? How are you going to navigate through that? Because I can tell you right now, having witnessed it for for other organisations, if you don’t have that clear tested, regularly tested as in like you run tabletop exercises where you run through that process, it will be pure chaos when it happens because everyone’s running around trying to figure out what to do next.
00;21;34;03 – 00;21;41;10
Speaker 3
Who’s responsible for what. Yeah. And that will have a massive impact on the business day to day as well as, you know, financially.
00;21;41;10 – 00;21;55;07
Speaker 2
Yeah, absolutely. So you’ve been you’ve been attacked. It’s hard to potentially pay ransom or you’re still under attack. You get your court order, you have to attend those. You have to prepare your case. You have to pay your lawyers. You have to pay your fine. I mean, first few businesses would survive that, wouldn’t they?
00;21;55;09 – 00;22;21;14
Speaker 3
Yeah. Exactly. Right. And, you know, and then there’s the the like you mentioned earlier, I’m on the other ones, the reputational fallout from that, you got to get ahead of that. And quite often, you know, you’re going to have to, take on the services of PR agencies in certain cases to really control the narrative as to how how you’re approaching it and what you’re going to do about it and how it affects your, your customers, you know, and then next time your your name’s at the top of a tender response and you’re very publicly, been.
00;22;21;14 – 00;22;22;16
Speaker 2
Breached. Good luck.
00;22;22;16 – 00;22;23;21
Speaker 3
Good luck. Exactly.
00;22;23;27 – 00;22;30;15
Speaker 2
Exactly right. Yeah. And, I mean, you’re gonna have to do this anyway. Afterwards. You’re just waiting. Just waiting to be hit. Then just do what you should have done in the first place.
00;22;30;17 – 00;22;38;11
Speaker 3
The classic line is it’s just a matter of when, not if, and all you can do is reduce your, you know, your risk surface and and how it affects you.
00;22;38;15 – 00;22;56;06
Speaker 2
Yeah. So moving on from these lies, it sounds complicated, right? It sounds like putting all these things in place can be difficult. It can be complicated, can be time exhaustive. It can be expensive. The truth is it doesn’t have to be. And the longer you leave it, potentially, the more complicated it gets. But you don’t have to do this on your own, right?
00;22;56;06 – 00;23;07;03
Speaker 2
There are specialist companies that can do this. There are people who can support it, and you can’t do it on your own, on your own pay consultancy service to help. But it doesn’t have to be that complicated, right? It can be simple enough.
00;23;07;07 – 00;23;23;11
Speaker 3
Yeah, absolutely. And no, really, should you take it on your own? Just much like I wouldn’t represent myself in court if I needed to do so, I would hire, you know, the appropriate lawyer or whatever it might be to, to represent me. In that case, I don’t take myself out of the backyard with a set of scalpels. If I’ve got a medical issue like this.
00;23;23;11 – 00;23;35;27
Speaker 3
There are professionals in every industry for a reason. Yeah. They’re trained, they do this day to day. It’s their bread and butter. So not taking advice from people who live and breathe this every day is a risk in itself.
00;23;35;29 – 00;23;40;03
Speaker 2
Yeah. And going to that expense, it can actually be cheaper, right?
00;23;40;03 – 00;23;50;27
Speaker 3
Then it’s just... the cheapest is the cheapest way. Yeah, like preparation is the cheapest insurance. I was about to say, failure to prepare will ultimately end up way more expensive.
00;23;51;00 – 00;24;01;07
Speaker 2
Absolutely. And there are solutions in place that, you know, if you use them, they will give you a warranty. You know, if you are breached, then we have a warranty, no questions asked: here’s whatever amount of million dollars.
00;24;01;09 – 00;24;22;09
Speaker 4
So yeah, look, it’s about taking the time as an executive leadership team or board to assess those three key sections: what can we do in advance of an incident? What are we going to do when there is an incident? And what are we going to do after that incident? And then finding the right specialists at each of those points to make that easier for you.
00;24;22;09 – 00;24;39;12
Speaker 4
You don’t want to be making decisions in the heat of the moment, at a point in time where there is an event. You want something like your insurance already has in it: a plan for when there’s an incident or suspected incident. You let us know, we bring in the incident response team, they are specialised in managing that.
00;24;39;12 – 00;25;12;17
Speaker 4
You then just support them to do what they need to do. Your legal team manage the pieces after, and you have the technology teams manage the pieces before, and then you make sensible, risk-oriented decisions around what you want to put in place now, in advance of something like this happening, that fit your business. Not everybody needs to spend a whole lot of money on the top-end security systems and security guards and attack dogs and everything wandering around the building, but there is going to be a level that works for you and your business, because that marketplace is just growing now. There are plenty of tools out there, and if you
00;25;12;17 – 00;25;22;10
Speaker 4
get the right people to have the conversations with you to identify what the right-size tool is, some of them are very cost-effective, super cost-effective, really, shockingly cost-effective, some of those, and do loads of things.
00;25;22;11 – 00;25;25;15
Speaker 2
Save you money. Yeah. And it will, as a matter of fact, save you money.
00;25;25;15 – 00;25;26;13
Speaker 3
Yeah. Yeah. I’m like.
00;25;26;15 – 00;25;26;23
Speaker 4
Yeah.
00;25;27;01 – 00;25;43;06
Speaker 2
Great. And listen, you know the point, which is, if you’re not doing this and you’re dedicating, you know, 5% of your time looking at it as a chequebook exercise, you can’t compete with the bad guys who are dedicating 100% of their time to staying on top of trends and the technology. You just have to do it.
00;25;43;12 – 00;26;02;21
Speaker 3
I think something that needs to be really clear in everyone’s mind is that these are sophisticated criminal organisations. They are not kids at home playing on their computer or drinking Mountain Dew or something. These are guys who are doing this as a business, and they make a lot of money doing it. So to think that they’re not prepared is naive.
00;26;02;23 – 00;26;13;17
Speaker 3
I mean, on the simpler end it’s naive; on the worse end, it’s just stupid, if I’m frank. You have to be really, really, really clear that these guys know what they’re doing and they don’t care how it affects you. Yeah.
00;26;13;20 – 00;26;26;12
Speaker 2
And how easy is data scraping these days, right? I mean, anyone can do Google data scraping, and you can scrape a website, right? How easy is it to build an AI agent these days? You need no coding experience. You just need to be able to type on a keyboard.
00;26;26;18 – 00;26;32;16
Speaker 4
And convince it that it should be building that, around its guardrails, which, yeah, it’s not that difficult then.
00;26;32;17 – 00;26;32;23
Speaker 2
No.
00;26;32;23 – 00;26;48;02
Speaker 3
Yes, that’s a good point. You know, there are a lot of publicly accessible tools that have guardrails built into them. But you can run your own models that don’t care about the guardrails and let you do whatever you want. That’s what they’re using, ultimately. Yeah.
00;26;48;05 – 00;27;08;09
Speaker 2
So listen, let’s talk about it. You need to get into a position where you’re comfortable being uncomfortable for a little bit. You can have those conversations with your provider, whoever it is, and really look at your picture. And if everything looks high risk, be grateful, because you caught it before anybody else did and you can do something about it.
00;27;08;11 – 00;27;17;27
Speaker 3
Yeah, exactly right. Not knowing about it is far worse than knowing it’s not good, because then you can do something.
00;27;18;00 – 00;27;30;07
Speaker 2
Okay, fantastic. So four things every leadership team should demand, right? Potentially: quality backup testing, access auditing, plain-English risk reporting. That’s a good one.
00;27;30;07 – 00;27;48;17
Speaker 3
It must be plain English, because if you go into a room full of middle-aged white guys and try and speak tech to them, you’ll lose them. Yeah, and they won’t understand the risk. You need to be able to clearly explain that risk, almost like you’re talking to a child, because if they can’t clearly understand it in their head and they can’t frame it, it doesn’t become serious enough.
00;27;48;20 – 00;27;49;15
Speaker 3
Yeah.
00;27;49;17 – 00;27;54;10
Speaker 2
And the last one is an action plan, as you said. So, a critical response plan.
00;27;54;13 – 00;28;16;11
Speaker 3
Internal incident response plans do not have to be too long and complicated, like a, you know, a 30-page report that says, you know, step one, do this. It should be: who am I calling, who’s got what actions, and how we’re approaching this. Because the more complicated you make something like that, in those moments when it is chaos, the less likely you are to succeed in executing that incident response plan.
00;28;16;14 – 00;28;18;25
Speaker 2
Brilliant. Well, listen, thank you very much, Chris.
00;28;18;28 – 00;28;19;13
Speaker 3
You’re welcome.
00;28;19;16 – 00;28;20;16
Speaker 2
Thanks very much, Bryan.
00;28;20;19 – 00;28;21;23
Speaker 4
No problem.
00;28;21;26 – 00;28;31;04
Speaker 2
Next time we’ll be looking at: when somebody says nothing is broken, it’s probably the first step towards failure. Welcome back to the REDD podcast, and a delight speaking to you both.