The Godfather of Cyber Pt 2: Darren Hopkins on Aus Cyber Strategy 2030 & Emerging Threats
The godfather of cyber security has returned to the REDD studio! Join us for episode 44 of REDD’s Business and Technology Podcast, with host Jackson Barnes and co-host Nigel Heyn in this discerning discussion with Darren Hopkins, who is the Cyber Partner at McGrathNicol with over 30 years of protecting and responding to cyber threats throughout Australia.
Darren Hopkins shares important insights on how businesses can protect themselves. He emphasises the value of using managed detection response (MDR) services instead of traditional antivirus approaches. These tools can detect unusual behaviours and are now more accessible through managed services, which makes them easier for businesses to use.
The discussion also covers the latest McGrathNicol annual report, which shows a decrease in cyber attacks this year. However, persistent threats like BlackCat and LockerGoga remain a concern. The report highlights the importance of cyber insurance, especially in making improvements after an incident.
When planning for the future, Darren suggests businesses focus on understanding baseline cyber security measures, identifying and addressing gaps, setting reasonable budgets, and achieving quick wins. He also recommends getting certified, following sensible frameworks, and regularly testing and training. By following these simple steps, businesses can significantly reduce their risk and protect their assets against cyber threats.
McGrathNicol Cyber Report 2023 – https://www.mcgrathnicol.com/insight/ransomware-a-cost-of-doing-business
Get up to speed with the 2023 – 2030 Aus Cyber Security Strategy here – https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy
Stay ahead in tech – Connect with us for cutting-edge cyber security solutions here – https://cyber.redd.com.au/book-now
#CyberSecurityInsights #MDRStrategies #McGrathNicol #CyberRiskMitigation #CyberThreats
00:00 – Opener
00:26 – Guest Introduction
17:08 – Standards and Professional Development
32:26 – Cyber Security Spending and Loss Discrepancy
34:51 – Essential Eight Framework Updates
37:41 – Shortening Dwell Times and Threat Actor Tactics
40:48 – Managed Detection and Response (MDR)
44:38 – Selecting Effective Cyber Security Tools
47:21 – McGrathNicol’s Annual Cyber Security Report Highlights
49:46 – Planning for Cyber Security in 2024
52:37 – Closing Thoughts and Remarks
52:51 – Outro
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below. https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/jacksonpbarnes/
https://www.linkedin.com/in/nheyn/
https://www.linkedin.com/in/darren-hopkins-5844469/
(00:20):
Hello and welcome to Redd’s Business Technology podcast. I’m your host, Jackson Barnes and I’m your co-host Nigel Heyn. Today we’re sitting down with our second ever returning guest. Should be quite exciting. You’ve probably seen the movie Godfather part two. This is our part two with Darren Hopkins, the godfather of cyber security from McGrathNicol. Mate, thanks for coming in.
(00:38):
Thanks for having me again.
(00:39):
Today we’ll be discussing a firm amount of cover’s, been a lot happening in the cyber security space. We’re looking forward to getting your insights. We’ll be discussing the Australian government released the 2023 to 2030 cybersecurity strategy, so get some feedback on that. The essential Eight had some changes and there’s been a whole range of breaches, so we’ve been looking forward to this one. Let’s start first with the Australian government releasing the cybersecurity strategy for 2030. And the shields really want to get your feedback, but just everyone listening, it’s essentially the strategy on how we get to be the most cybers safe country globally by 2030. And there’s cyber shields ranging from strong business and citizens, safe technology, world-class threat sharing and blocking protected critical infrastructure, sovereign capabilities, resilient region and global leadership. So there are the shields that Kerne has put forward as how we’re going to get there. Over to you mate, how it’s, what’s your feedbacks on the plan? I’m sure you’ve read through,
(01:37):
Look, I’ve tried to read through it a few times by now. Look, it’s something we’ve been waiting for a long time. The previous strategy set a pretty good goal for most businesses to try to actually focus on security, make it something that’s built into what you’re doing every day. Looking through the actual, what eventually became the new 2030 strategy with as the most cyber resilient country by 2030, which is an interesting ambition to have. I hope we get there. There’s a couple of things that have come out that we weren’t expecting in this particular, in the actual strategy that we’re a surprise. So if we have a look, you’ve already mentioned strong businesses and citizens. Yep. You’ve got to have that there. That’s how we as a business community do more to protect ourselves and the government’s got some incentives there to actually work with small business.
(02:25):
So there’s talk about actually having a survey available for businesses to go off and determine how healthy they are in this area with some guidance around what they should do. There’s talk about incident response support and guidance and training, all these things which are really important for businesses, especially smaller businesses to try to get more resilient, good to see, not a great deal of detail in relation to what we want you to do. We hope that there’s got to be more guidance in relation to what are the actual things you need to do and what as country do we expect you to do to get there. One of the things that’s been talked about is it’d be great for the country to agree on a standard. What are we going to do as a country? What’s the minimum look like for our businesses? If you have a look at the UK, Canada, New Zealand, they’ve all got a cyber essentials type framework which dictates what a business will do to meet the minimum of cyber and there’s a programme around every year going back and actually having a look to make sure that you’re achieving those things.
(03:28):
So minimum benchmarks would’ve been great, but I think this is a first step toward that. One of the things we weren’t expecting, and it comes through in the actual shields and they talk about it quite clearly, the government is worried about ransomware. It’s still highlighted in the actual plan is something we have to work on reducing. We have to avoid, we have to train for put mechanisms around preventing it or dealing with it. The government’s going to do more themselves to try to limit and actually play a part in responding and supporting. That’s great to see. The one thing we weren’t expecting was some mandatory reporting though in relation to a ransomware event. Previously there was a ransomware bill that was put out and there was discussions in that bill. Would we as a country ban the payments of ransoms? Would there be mandatory reporting?
(04:18):
What would happen? And that bill sort of stopped, didn’t go any further, and for a while it looked like we weren’t going to go back down there quite clearly. The vocalisation of our government during big breaches, big data breaches, telling everyone you shouldn’t be paying seemed to be working. If you have a look at the Optus and the Medibank and the latitudes and all of these big ones, there was this clear messaging by the government, by the federal police and others. We don’t endorse payment, you shouldn’t make a payment. You’ve got to go and work with
(04:49):
Us. From what you’ve seen Darren has that actually had a positive effect. Are people paying less ransoms since then?
(04:56):
Well, certainly the really large ransoms that sort of make the press and that we all hear about, they haven’t been paying so clearly that’s working there. But then what’s happened though is there’s still huge numbers of ransomware events happening behind the scenes in small and medium sized businesses and for the actual strategy to come out and say, we’re going to have some type of safe harbour approach to you, having to monetarily report your ransomware is an interesting one. As soon as someone has to do something that changes the way you’ll actually deal with it. So we released a ransomware survey and this is our third one about four weeks ago. So we’ve had a look at why do Australian businesses pay ransoms for a long time and each year we’ve sort of seen the stats evolve and having a look at this year’s stats. It was interesting, so of our survey number, which was more than 500 businesses from small, medium, larger enterprise, so we wanted to get a cross section of all businesses, not just one industry, one group, so to say.
(06:01):
It’s a broad sort of coverage of Australian businesses. 56% of the businesses that were surveyed also had experienced a ransomware event in the last five years. So more than half, that number’s pretty high. And every time we put these stats out, I’ve got colleagues and peers in different industries challenging us on these ones saying that’s not even close to what we see. I saw instantly recently a survey that looked at just over a hundred law firms and apparently 10% of them had admitted to paying. I’m going, well, gee, in my mind that’s high. That shouldn’t be so high. But what we also saw looking at the survey was some other stats. One was 73% of those businesses that had experienced the ransomware ended up paying. Now what we do know is that the big end of town larger businesses aren’t paying as much. That’s clear and that aligns to what we see as well, but a lot of smaller businesses are electing to make payments because it’s faster, it’s less expensive and in some cases they weren’t prepared
(07:13):
Probably that’s what I was going to say, less backup and business continuity and disaster recovery best practises with that in the small businesses. Right?
(07:19):
So that is their mechanism for recovering make a payment and the average payment in Australia’s just over a million dollars. I think it was 1.03 million this year was the average payment, but that doesn’t mean that everyone that gets ransomware has to pay a million dollars. I’ve seen $10,000 ransoms. Generally what’s going to happen is the payments got to align to what the business can afford and that’s just what happens. Another thing that changed this year, having a look at those stats was negotiations are up so people are now more likely to talk to and negotiate with a threat actor and it was 66%. Now that for me is quite interesting because what you’re electing to do is to start a negotiation, open up a conversation with usually an eastern block organised crime group. And when you say it that way, it’s not something that you probably do every day.
(08:09):
You’re thinking, what did you do? Well, I was talking to some Russians today and we’re just negotiating how much the extortion payment’s going to be to get my data back and to not out all of the issues that we’ve got and release all this data publicly. It’s almost becoming a little bit common that you’ll go through that process and I was trying to work out, well, why are we also willing to go off and talk to organised crime about something in these cases? I think partly good cybersecurity practises are a little bit to blame as well, to be honest. We’ve been doing tabletop exercises and board presentations and training with executives around how to prepare for an incident. How do you prepare for a ransomware? They want to know, okay, go through the hard stuff so that we can prepare ourselves for an event. Often that training that we do involves, well, let’s go off and pretend simulate to pay a not to pay situation.
(09:05):
So you as an executor or board will go right through the process of would you pay, would you not pay? Under what circumstances would you engage with the threat actor? Would you ask for a proof? Do you want a listing of what they took because give it to you and it almost normalises the process of going down that path. And there were some other stats that came out of it, which were quite interesting. It still looks like the reason we pay is on the side of good. We are choosing to pay a ransom because it’s going to minimise harm to others. So if we pay and don’t have that data and go public, it means that all those people won’t experience a very public embarrassing data breach of their personal information. So we’re stopping that and that’s a good thing to rationalise that you’ve done.
(09:49):
You’ve minimised the harm of your incident and the other reason is to protect your brand, your reputation, your business and your people. So you sort of look at the two reasons and you think, I get it, you’re not paying because you want to hide it. In most cases people still talk about it and announce it and report it. It’s just that they’re trying to go down that path. That’s the one thing that this cyber strategy, when you look at the ransomware piece is trying to stop. They don’t want us rationalising why we’re doing this. They just don’t want us to do it. Stop paying them a million dollars on average per event. I look at Australia, if I’m a cyber attacker and I do these things, more than 50% chance I’m going to get lucky and someone’s got a fall victim if I just go
(10:33):
Through makes this a target, right?
(10:35):
Yeah. And then three quarters of the time they going to pay and on average I’ve got to get a million
(10:38):
Dollars. It’s interesting, your feedback on smaller businesses are the ones actually paying as well because I’m not sure if you saw the stats on the notable data breach scheme from January to July, but 62% of the breaches were businesses with a hundred or fewer employees as well. So it seems to be the majority of the attacks are small businesses and they’re the ones that are paying, which is kind of I think different to 10 years ago where it was the bigger end of town being targeted. Now it seems to be the smaller, the ones that actually pay and have poor backup hygiene and have to pay that kind of stuff. So that’s a scary time. But what else is your feedback on the shields? Are you a supporter of the strategy as a whole or,
(11:14):
Oh look, I think the strategy is good. We need something to focus on safe technology, it makes a lot of sense. Let’s build security into the technology ecosystem. Make sure that if someone’s going to go off and offer a piece of software for a small business to use, it’s got multifactor and it’s appropriately built and it’s secured by design. They’re great things to have in place and to force that industry to get better. Makes sense. The threat sharing and blocking effectively, what we want to do is make sure that when attacks happen, we share that as quickly as we can because at 72 hours that information is really relevant to blocking others and by sharing and having blocking capability, the government can actually protect us from actually experiencing some of these things themselves. Critical infrastructure, we completely expected critical infrastructure to fall in there. Some interesting takeouts from that though, the call out managed service providers. Now you guys are managed service providers that what you do, but what they’re saying is that if you want to be in that place in that space and support critical infrastructure clients and that into town, there’s going to be an expectation that those service providers are at a higher level than they are at the moment. And so they’ve called out that there seems to be an industry where some players in this space aren’t taking security seriously enough.
(12:33):
No, it’s a good idea. I mean we do reviews, right? And I’ve seen some MSPs not to talk bad about other MSPs, but where they’ve be managing environment and they’d be backing that up to their house, for example, to a NASS instead of using a much more secure cloud-based environment or a private cloud or something, it’s literally backing up critical coal mine data to someone’s house. So I’ve seen some crazy about there, so that’s definitely a good thing, but what impact do you think that’s going to have to the managed service provider industry?
(13:05):
Look, you hope that there’s a bit of a shakeup in that they realise as the industry realises your responsibility is to provide services to others and they automatically assume that you’ve got their back and you’re doing everything you can to protect and ensure that their business is going to operate, and that’s just always been the expectation. I talk to clients, they’ve had breaches and said, I can’t understand how this happened. We outsourced this risk, we gave it to a service provider, and at no point did they ask that service provider, how do they look after you, their systems and what type of security do they have? It was just this sort of, well, they’re the smart people. They’re the ones that are offering the service they should know without any care. So it is going to force, I think, the industry to really think about how they manage the risk that they’re incurring for others.
(13:52):
Some things that I think will also change is I’ve seen a couple of instances where service providers are possibly partly to blame IE. They’re not doing what they’re supposed to do. If as an example in your contract to support a client, you say, we’ll keep your systems up to date with patching, so within 30 days we’ll make sure your patches are on and that you’re okay. We see vulnerabilities all the time coming up as a reason why something happens. There’s instances now where we’re seeing where that doesn’t happen and someone falls victim, they going to hold service provider accountable and you’ll start to see that forming more and more.
(14:31):
It’s probably a good and a scary thing though. One thing I’ve seen, which is almost the counterargument that is that IT service providers, including red have a bunch of different offerings like looking for vulnerabilities within environments and those kinds of things and different ways of managing applications and so on. But most businesses, definitely small businesses just see it as they’re in charge of our stuff and when they come back to them saying, Hey, you’ve got no MFA on VPN or something for example, or some kind of security gap, and they go, oh yeah, let’s put the roadmap into that next year. It’s quite hard. Or if there’s another service we want to try and introduce, they might say, look, we can’t afford that, but we so much to manage our technology. So that’s a bit of the grey area there is that it’s not like it’s either a yes or no for managing all parts of technology, especially when it comes to cyber because let’s say it’s a third party risk that comes in. Your managed service provider doesn’t really control what third party vendors your business deals with, right? So what do you do from business perspective?
(15:31):
Oh, it’s exactly to your point. I have actually spoken to clients and said of why aren’t you doing this that we couldn’t afford it or we only pay for so many hours or we don’t want the service provider to do that. We’ll think about it next year. And it’s not very often I talk to a service provider who hasn’t for years and years been telling their client, you really need to do these things. We’re calling this out as a major risk. Can you please invest? So that’s what we see often happening as well. I’m actually hoping that the strategy will do a couple of things. It’s going to tie in what does good practise look like? So what should every business be doing to meet their obligations under the strategy for strong businesses and citizens? So you need to do these things. We can help you do those things, but you’re going to have to enable us to do it. And at some point I think you’re going to start to find that those super high risk businesses, then in the past you’d probably go, okay, well we’ll do the IT piece and you accept the risk. It’s got to get a little bit too hard to accept that risk because anyone that’s in our industry realises when someone has an incident, it doesn’t matter what someone signed and what they’ve accepted in an email, you’re all drawn into it and you’re all at some point have a brand that’s connected.
(16:39):
It’s quite a hard one though because I’ve spoken to it’s let’s say a business who is looking at assessing which managed service provider to go with, and if you go with, we want all of these things in place, which is probably solid best practise. They’ll look at let’s say us versus a different kind of provider and go, oh, these guys are half the cost but doing a lot less services and this is best hygiene, but we’re go these guys because they’re much cheaper. But to a non-technical small business, they don’t really understand the difference. So it’s quite a hard thing of the cyber shields. Anything else you would add to it? I
(17:09):
Think it would’ve been nice to enhance some of the shields a little bit more strong businesses and citizens. Let’s actually call it out. What does good look like? And actually put a bare minimum in there. Actually tell people that if you’ve got accounts that are connected to the internet that someone could have access to, they will have multifactor. I mean just start to lock in some bare basics and force people to do the minimum rather than suggest that would’ve been nice that we’re not there yet. Some of the other components were interesting, how we as a global player, how we’re going to perform and how we’re going to support the other nations around the world that have got these instances. Great. And that’s actually how it’s going to work.
(17:51):
Years ago might’ve been a bit of a cynic saying, well, yeah, you report it to the police if you need to for insurance, but there’s probably not much going to happen if you have a cyber event. That was the case we had a matter would be 18 months ago, a Melbourne client who had been through a ransomware event and did the right things and reported it to the police and the police, Victorian police in this case had done quite a bit of work on that particular matter, supported it on the way through, and it was only about a month ago, I was talking to the same police officer on a different matter for a completely different reason and he turned around and said, oh, by the way, we’ve locked that guy up. I’m going locked two up. He goes, the ransomware operator from
(18:32):
A local one,
(18:32):
The job? No, it was from another country. And I said, well, how the hell do we lock a ransomware operator up? These guys are all operating in countries that we can’t touch and no one knows who they are. They’ve got cool names. What he ended up saying is that they had enough information to work out who it was and our five eyes capabilities with the other countries that we support had good intel on who it was. And during the start of the Russian crisis with the Ukraine, this was a Ukrainian hacker
(19:01):
Left the Ukraine to escape and moved his way into Europe. As soon as he left that haven all of a sudden was tracked and then moved into a country that they had access to and they actually executed warrants and actually caught the guy. Wow. So it’s not very often that someone responsible for attacking an Australian business in a ransomware event in one of those eastern block countries gets caught. But did, and it really makes me realise when we see a strategy here, which is on how we work with other countries and we share intelligence and we work together and we report these things, it is for a reason because eventually when there’s enough pressure, we are going to start to break down those groups and start stopping things. Other things that I would’ve liked to have seen, look, there’s good stuff in there, sovereign capability, build out our own capabilities in this country, grow the cybersecurity specialists that are out there to actually help us all positive things. It is never enough, but good start.
(20:03):
One thing I wanted to ask and pick your brain on is there’s a piece in here around providing cyber best practise to small businesses and doing reviews essentially. It was a bit vague on the wording around what was going to be a web form, whether it’s going to be an actual person doing a review, how is that possibly going to happen with the amount of limited cyber professionals in Australia?
(20:25):
That was a cyber health check. I think they’re talking about offering. Yeah, look, it’s been done before. I think ASIC just recently ran a cyber survey, if you want to call it that, trying to understand what Australian businesses are doing in respect to this that was done so they can get a view as to how resilient the country is from a regulator’s perspective. If you have a look at what they’re suggesting here, it’ll likely be what does a small business assessment look like? And the, sorry, the Australian Cybersecurity Centre, A CSC has had guidance out there for a while on what small businesses should do. So I think it’s going to be taking some of that guidance, taking some of the material that’s out there, putting it into something that a business can online, fill out, run through, and then it’ll come back and give them some, I guess baseline where you’re at, what you could do and then connect that guidance to their answers. It’s a useful thing as long as at the back of that process someone knows what to do to fix it.
(21:24):
And I guess even has the technical know how to fill it in for some small businesses, did they get the MSP to fill it in? Yeah, it’s a bit of an interesting space. I had a lot of questions to ask Darren, but Naja, do you want to jump in?
(21:38):
Look, it’s interesting just listening in terms of your experience, Darren with DP Worlds and everything else that’s been happening late in the news since you last came in for Godfather part one, what trends have you seen? Is there anything that’s becoming more and more apparent? You touched on before service providers and look, I’ve been in this industry 29 years. I actually like the fact that there’s a certain standard now that’s approaching, appearing because there’s so many cowboys that we’ve come up against time and time again, to Jackson’s point, they’re selling a service that’s substandard half the price. We will lose a suspect to that, but then eventually they come back and talk to us. But yeah. Is there any trends emerging? Obviously I know I think dp, well equipment, everyone was something along the lines of a Citrix hack. What are you seeing?
(22:21):
Look, there is some trends and to your point about cowboys, one of the things in this was also instant responders are going to be held accountable for the way that they provide support as well. So I think the whole industry is being asked to step up. Sometimes there’s responders out there that think it’s okay to start work within a couple of days, maybe a week. If you are not answering that call in a couple of hours and actually on the ground, you’re probably not doing your job well enough. Still big businesses falling victim one after the other and they still seem to be falling victim to the things that don’t make any sense to me. So vulnerabilities in software like Citrix, there’s been a few this year vulnerabilities that have come out and emergency patching and all those things. How will any business at this point can’t take that seriously is beyond me.
(23:10):
If a business comes out and says, the technology you use to enable people to come into your business has a flaw and you need to fix it, why are you waiting? Because time and time again we see that’s the way someone gets in. So there’s been this constant issue of the hygiene around patching still isn’t up to date and that’s why the essential eight has two of the eight are basically patches operating systems and applications effectively. All that’s saying is at some point you might fall victim to a zero day. You can’t fix that, you can’t stop that. That’s the one risk that we all worry about. It doesn’t matter how much risk mitigation we put in it, if there’s a flaw that you cannot change and you happen to get found to have it, then you’re going to have an incident at that point.
(23:58):
You are now your ability to respond and recover and that’s why we sort of focus on that. But these big businesses still are coming out saying, oh, we hadn’t done that. We hadn’t gotten around to fixing that yet. And then sort of force the whole country to have to deal with the issues. The a CCC had to put out another update saying you really all need to patch your Citrix and it’s not picking on a brand like all of the big brands. At some point, Microsoft included, have a look at Patch Tuesdays. Now they’re not all updates of new technology and updates. Often it’s fixing vulnerabilities and that’s just sort of part of our ecosystem. Threat actors are getting way more brazen in the last two months. It’s something I’ve seen a trend in.
(24:42):
Can you share any examples or
(24:44):
Anything? Yeah, we’ve got some examples now where everything is on the phone. I mean they’re just ringing people and phone calls from Russian sounding people and not just ringing CEOs and others, but I mean ringing broader groups. Some email engagements where they’ve actually sent through a table saying, here’s all the people we know you work in your business. Here’s their roles, here’s their mobile phone numbers, here’s their next to kin. We’ve had instances where people have had their family called, I mean this high pressure extortion type ability where they’re talking to you, they’re basically threatening you, is a new change that we haven’t seen a lot of
(25:24):
And predominantly from Russia or from anywhere really
(25:28):
Pretty much we tend to say eastern block countries all through that region tend to be what we see because that’s where that organised crime groups tend to be. But it depends on the type of scam you’re dealing with. And business email compromise still huge, still a real issue. I’ve seen more loss of money to business email compromise than I have to ransomware recently because we are talking about frauds that happen very quickly and are very difficult to recover from. Whereas a ransomware you have to elect to pay if they want to make money, you have to elect to make that payment. That’s their business model. Do everything they can to make you fall over the line of I’ll pay. It’ll be easier. Whereas a good old business email compromise, a lot of ’em are just frauds. You’ve accidentally paid and you’ve accidentally paid a lot of money because you thought you were doing something genuine and it’s a different type of attack.
(26:21):
There’s more social engineering, you are more connected to the business. We’re seeing criminals now spend more time trying to think about what’s in a mailbox and how can I use that to attack someone. And it’s interesting, we’re seeing them connect applications to Office 3, 6 5 as a way of getting around us removing them. So our playbooks for doing a business email compromise now include check for apps that have been connected. It’s not this change the password, reset all the tokens, check for other accounts that might be compromised. We’ve seen it where they’ve gone off and added a small app in the background that after doing all those things, they’re still in their reading your email, so they’re getting more sophisticated. We’re starting to hear now that AI is going to have a real impact on how the bad guys will work through. Imagine taking someone’s mailbox and grabbing all of the data out of the mailbox, feeding it into a chatGPT and say, find me the best course of committing a fraud considering all of the data that’s in
(27:23):
There and word it like I usually would in this thing and
(27:26):
Then come up with a way of doing it. I need a scenario. Of course, it’s not going to be chatGPT, it’ll be chaos, GPT or it’ll be Worm
(27:33):
Gt,
(27:34):
But they’re the things that we’re starting to worry about a little bit more.
(27:39):
I want to pivot a little bit. There’s been a lot of managed service providers that have been breached in the last 12 months, and I want to pick your brain on that in a second. There was also a case recently of a Rockhampton managed service provider actually over the weekend pleaded guilty to computer hacking where it was a customer manufacturing business, didn’t pay an invoice, jumped in, removed access, was causing $150,000 a day worth of downtime, and that business owner actually pleaded guilty to that and is now going to face some pretty serious consequences, but it’s separate to that with a bunch of MSPs being breached. What questions do you ask? Let’s say you’re a business owner and you are looking at changing to a manager. Hes provider for whatever reason. What questions do you ask them to make sure that not only are they keeping you safe, but they’re keeping you safe from them?
(28:29):
Yeah, look, third party risk is something that all of our businesses should be really worried about right now. So not just your MSPs, I mean you as a business, you think about, okay, who are the third parties I rely upon to help me deliver services for me? Have a system run my it, and am I sure that they’re all doing the right things in relation to cyber so they don’t cause me risk? Managed service providers are one of those interesting ones because all of the things that you’re worried about losing or being accessed or attacked are the things that they manage on your behalf. So it increases the level of risk. Again, and clearly MSPs are a good target and the reason they’re a target is if they’re not built and set up correctly, you’ve only got to breach one business to potentially get access to hundreds.
(29:18):
You’ve seen a lot recently,
(29:20):
We’ve certainly seen some service providers who have been unfortunately targeted themselves, and then if they fall victim and a threat actor gets into their systems and is able to then find other clients. So you’ve got two choices. You could just go off and encrypt and send an extortion to the service provider, or you could identify the individual businesses that rely on them and extort each of them. So that’s one thing that we’ve seen, and you’re increasing your chances of payment because it’s not one attack, it’s now 10, 15, 20 attacks that happened through one successful incident. So that alone increases the likelihood of payment, therefore is going to be more interesting for somebody to actually run that one.
(30:02):
If 60% of paying or whatever and you go through an MSP and you get 10, you’re pretty likely to get something out of it, unfortunately, a good chance of a payday. Yeah. Yep.
(30:11):
The other thing, it’s a really tough one. So what are you going to ask your managed service provider to go back and confirm? And it should be no different to any other business that you’re engaging with. You want to know that they’ve got the right systems in place. So the frameworks that we use to assess ourselves that business, so that managed service writer should be using a similar framework themselves to assess themselves. So you ask the questions, do you follow any frameworks? Have you assessed yourself? Do you rate yourself against nist, ISO 27,001? Have you looked at the essential eight? These things that were out there talking about our own business, you ask them are they doing the same things and how do they rate and can they share those ratings? Have they had pen tests? Can you share me a copy of those pen tests so I know that that independent piece is getting done?
(30:59):
Do a scan. You don’t have to do a full pen test on your service provider, but there are ways of going off and saying, well, is there any real logical external vulnerabilities that I can just find by using commercially available or free software? These are the things I’m seeing come into play. And then you ask those questions, bigger end of town, what we’re now seeing is there are whole services that sit around that third party risk where you subscribe to a third party who does all that for you. They will give the third party or the MSPA score, they’ll have done the checking. They’ll note if they’ve been breached in the past, they’ll do some threat intelligence. They’ll go off and scan their whole network to see if there’s vulnerabilities and they’ll give you a view as to how much risk they present. And that seems to be a fairly normal way of approaching it now as well. And that’s what a threat actor would do. Can I see a hole? Is there something I can exploit? Is there any credentials for sale on the dark web that I should be aware of? That type of thing. And you apply that to the business.
(31:59):
I think it’s a good idea. I think it’s coming already as part of the cyber strategy and I think definitely needed. Like knowledge said, we’ve seen some cowboys in the industry where they’re not using best practise on MSPs, their stuff internally backing up to houses and just crazy stuff. So there needs to be more protection for small businesses through managed service providers getting checked.
(32:22):
I think you’re right. You live what you sell and look, it’s got to be a value proposition for any managed service provider be able to demonstrate how secure they are. If you take it seriously and you’re doing all the right things, we’ve got our own shop in order and we take what we live then to your clients. That’s got to be a good thing. I’ve seen where I’ve spoken to a service provider and I’ve said, hang on, it was an admin account in use. And they said, yeah, we don’t put MFA on admin accounts. It’s too hard to share. I go, but you tell all your clients that they have to have MFA. He goes, oh, it’s really important for them, but it’s a pain for us. And I said that attitude is a thing that has to change.
(32:57):
Yeah, you’ve got to drink your own champagne unfortunately.
(33:00):
Drink your own Kool-Aid. Probably a scary time night as well for a Majesty service provider with all this kind of stuff coming around. How do you look at this and the changes?
(33:09):
Yeah, look, I think it’s timely. We’ve been in the business of providing services and it’s an essential part of life, right? Technology is oxygen. You cut off technology. Most businesses can’t function, right? So I think I use the analogy, you want to make sure your oxygen supply is reliable, it’s clean and we can count on it when you need it. So we invest heavily into red. It’s hard to run a very, very successful business to run it profitably because you have to put a lot of thoughts and process. That’s why we partner with GRA Niel. We regard Darren and his team is the best. We’ve worked through several incidents and we’re seen good and we’ve seen not good. But I think for me, I really look to what you are doing, Darren, what the cyber plan, everything that Claire o’ Neil, I do think there needs to be standards, and this is the challenge. We do run an industry that there’s no continual professional development. What Darren said before, you’ve got to have a certain standard that you’ve got to adhere to be able to show your customers, look, we are putting the best protections in place as independent audits. We’ve got the shields. That’s the only way you can really differentiate yourselves and naturally that comes at a premium. But at the end of the day, when you’re in a car accident, you want to call upon the right people to support you. And that’s what we try to do.
(34:20):
It should almost be its own kind of framework for MSPs these days, like the PCI compliance, if you have a hold card information, you have to get that kind of compliance and look at service providers and the crucial role they have in Australia. There almost should be like a framework just for IT service providers where you get audited and scored on and have to have these certain things in place, but maybe that’ll come out of one of the shields that Claire’s put forward. Let’s pick your brain down a little bit on the Austral Cybersecurity essential aid to just release some updates to the framework. What were the updates, Alex? I haven’t looked into it in much detail yet. And what’s your feedback on the updates?
(34:55):
That’s the one thing I didn’t bring with me. It’s funny, I just finished a report which I delivered today using the version from two weeks ago,
(35:05):
Right?
(35:06):
And we had a change last week. Look, a lot of the changes have come through. There wasn’t changes to every single one of the eight, I think it was seven had changes come through. Some of the changes that we’ve seen come through do make a lot of sense. It’s effectively shortening the time we’ve got to do things. So in some cases halving how long we’ve got to patch or to do certain things and bringing through and reducing that time between being responsible for a fix or an update or a change and reducing the chance that a threat actor can actually leverage that because you are a few weeks off doing something. There was a couple of other really interesting changes that they put in which no one saw coming. So there’s a change in a few of them in relation to some mandatory reporting. So if you want to comply against the essential eight, there is no reason anyone has to comply.
(36:01):
A lot of businesses use the essential eight as guidance to have good controls in place to mitigate and lower the risk of a cyber incident. That’s what they’re there for, and they do that very well, but there’s no organisation saying, send me your scores. I need to know that. So often what you do is you self assess or have a third party assess yourself, and when someone asks what frameworks do you use? You say, oh look, we build against the essential eight and here’s some scores that we can share with you that have been independently looked at. If you want to say you comply against it. Now one of those is mandatory reporting of an incident to the A SD. How
(36:33):
Does that work there? Because you don’t really get a certificate for ticking maturity level two in the essential eight. So if there’s a breach and you say, oh no, don’t mind, we weren’t not really level two, we were just one. Therefore don’t have to report it. It’s not like 27,001 or anything where you’re like, no, we have a little badge you put on everything. How do you enforce that?
(36:53):
You really can’t unless you, it is a standard framework that the government built to help secure themselves and as a government agency or a department, then yes, if you are compliant against it, then you may need to do these things because that’s part of your framework. But as a small business or a medium sized business or just some cyber advisor like me said, Hey, you should look at the essential aid. It’s really good. It minimises the chance. They’ve got really no obligation whatsoever to do anything about it. What it’s a saying is that that’s what you should do.
(37:27):
One of your colleague, Jesse actually mentioned a stat earlier this week I found really interesting around the dwell time. So the time that th actors in the environment before they actually launch an attack has seen some really short kind of time spans recently. Is that the case and what are you seeing?
(37:45):
Yeah, look, it used to be months used to be the time they used to talk about threat active was in your system for months and months before they finally did something. Then I would’ve said last year, weeks was normal, 2, 3, 4 weeks maybe while they first come in and they do some work. Some of that was a little bit because of the way that the whole threat actor landscape works. Sometimes there’s a broker that gets in first, they get in, they find credentials, they find the back door, they test it, they come in and out, they make sure it’s okay, and then they onsell that to someone else in the ecosystem. So it might be a ransomware operator. You then have another person come in again on those credentials. Often we were probably mistaking the two events as being one long event and thinking, oh, the threat actor was in there for that long.
(38:31):
What we’ve started to see, and I mean some recently where it’s eight hours or it’s 16 hours, I mean not long at all. The first time someone comes in and we see them come in on a firewall and they’re so well prepared, now it’s come in, run a script. That script deploys all their tools and does all their scanning and grabs the password hashes, exports ’em out, they do some stuff in the background, then they’re back in again with another account, and then literally we see an exfiltration of data almost happen immediately. Accounts are being built in whatever service they want to use a mega or something else, and they run a script and they start copying at what point when they think they’ve got enough data, they execute their malware and I mean it’s just bang, bang, bang. There’s no waiting, no dawling, just we’re in and we’re out.
(39:20):
It’s like smash and grab. And when you have a look at that, I think part of that’s because we are getting better at detection and response. So it’s minimising the chance that they are going to get caught and not succeed. I can think of nothing worse for an operator who’s been in there watching for all this time, getting prepared, putting beacons in place so they can come and go with the, okay, well next thing we’ll do is we’ll steal the data and then we’ll go off and blow it up. And then that’s when they get caught and then they get exited and it’s all of that time for nothing. So they are reduced in the likelihood of a successful attack.
(39:53):
Interesting. Also scary by the way, some stats I saw from our security partner article Wolf actually saying that the amount of spend on cyber tools last year was up 11%, but the amount of money lost to cybercrime globally was up 48%, which means that yeah, there’s better detection response and more tools down the market, but it’s still not really keeping up. There’s a lot more talk around businesses having separate, we’re talking the managed detection response for MDR R sector when you, because that’s the only way you can really catch it in a sooner time period. I think historically you’d have an antivirus and you’re standard Corona 3, 6, 5 tools in place to catch and then hopefully they would catch that the threat are going around it. But probably from what you are saying is that the time being shorter, you need someone to catch it quicker, otherwise they’re going to be taking your stuff, sending it away and then locking you down in a lot shorter time period. So the only way to stop that is having faster detection response. What advice would you have for a business who’s potentially evaluating like a managed detection response offering?
(40:53):
That’s a good question. I think the days of antivirus being a tool that’s effective are slowly, slowly becoming less. So many attacks. I see the first thing they do is, okay, what is the antivirus tool? It’s X brand, run a script, remove, delete, disable, and just disable that piece. And a lot of that older technology detects when something’s happened. So you’re trying to run a piece of malware, you’re trying to run a piece of software. Look if that’s when you’re stopping them. And here we are just been talking all of the things that happened before that last stage, I mean the last thing they do is blow you up. Everything else is finished. Now the best thing that happens is they stop you getting encrypted, but they still stole all your data and they’ve still got all these other things. You’ve still got an incident.
(41:39):
And what we’re seeing is threat actors are using tools that are built into your operating system. So a lot of the things they do aren’t going to get flagged through sort of standard antivirus and tools as malicious. It’s PowerShell. It’s built into every computer. It’s a range of tools that are built in. They’ll use them. It’s just right at the end that they’ll sort of take over. So what you want is something that isn’t waiting for something to happen, something that is looking for unusual behaviours, things that are not normal, things that aligned to what a threat actor would be doing. So it’s sort of, and you look at E-D-R-M-D-R-X-D-R, picking an R,
(42:16):
It gets confusing.
(42:18):
A lot of what they’re trying to do is predict the behaviour of something bad happening and stop it and block it and detect it before it actually eventuates in the bad. And that happens right at the start of the attack as well. So someone coming in on A VPN that you’ve lost access to, that’s bad. That’s how a lot of these things start. But then if that activity, the first thing that the threat actor does is it goes off and remote connects to another server like a user going to a server that they would never do. That is unusual behaviour that should be flagged. And that’s what the good managed detection response tools are out there doing, looking for weird behaviours. And even better, don’t rely on the engine to detect what is normal. Have people still sitting around it with experience who can look and check alerts and check these things going through and actually make a call in real time.
(43:11):
And that’s where a lot of us should be moving. Used to be very expensive. And this is what I’ve seen so many reports I wrote, we said, you need better detection capabilities. You could have stopped this if you’d detected it way before. So you sort of encourage people, but in the past it was you need a seam and you need a SOC and you have to pay all of this data costs and then you have to pay this big security team to oversee it. And that was actually outside the grasp of most businesses. Now what we’ve got is security tools that are coming in and they will do an automated process very similar to that. They will collect their own logs rather than having a seam. They may not cover everything, but they cover 90% of what you really need and there’ll be a team around it. And that’s something that’s now more available. So that’s why you see the spend going up to the point about more money lost. I’ve had an instance where I’ve had a client pay 7 million US in ransomware, so paid a lot of money. And then remember being at board meetings, trying to fight for them to get a couple million dollars in protection for three years. I think, gee, we’re more than happy to give out 10 and we’re only going to spend two to protect ourselves over the next three years. We’ve got no chance.
(44:22):
Yeah, it’s a bit confusing. I appreciate your feedback on that. Let’s say you are running an IT function and go to Google MDR and everyone says they’re M-D-R-X-D-R and all these other things. How do you cut through that noise? What questions would you ask? The potential managed security services or outsourced security operation or managed SIEM or whatever you want to call it vendors, what questions would you ask them?
(44:48):
That’s a pretty tough one. First thing, do you cover everything? So a lot of tools will just cover the computer in front of you. That’s like old school antivirus and they won’t cover your network. And some of the other devices there, they may not cover your cloud services like your office 3, 6, 5. So if you’ve got gaps in what they’re able to actually see and alert on, there’s a problem there. So you want to make sure they encompass everything. Even more important these days with a lot of businesses using Office 3, 6, 5 for a lot of their core business, that’s where their identity sits, that’s there their user account and their MFA and all those things. That’s where their mail is, their SharePoint, their OneDrive. So a lot of critical data, if you are not getting the logs and audits from that system fed into your tooling in some way, you don’t get all the alerts and the data that has there as well.
(45:39):
Your network devices, old schools just on endpoints, your VPN in a lot of cases is coming through your firewall. So if you’re not getting your VPN data through your firewall fed into this, you’re not seeing that third party come in from another country. That just is weird. So you want to cover those things and then of course the endpoint. So you want something that covers all of those things. Something that is managed. So I mean not just a tool that automates, I mean has people hopefully around it, has a team, has experience. And most importantly, when something happens and there’s an alert, something you don’t know, you want someone to pick up the phone because if someone doesn’t wake you up at two in the morning on a Saturday and doesn’t find a team member, it’s tragic because you’ve got this. Yep, we found a great ransomware and we’re just watching it play out. We couldn’t get onto someone. If you can’t do that automation, I’m going to remove all of the unsafe things from your network and we’ll talk about it later. That’s the other things you want. So I haven’t seen the old antivirus tools that there’s a virus and I’ve just disconnected your computer. It’s now taken off the network, it’s now safe. It can’t cause any other problems. You want that type of capability. Yep,
(46:50):
That’s good advice. I think it’s definitely a space which has got a lot of ambiguity at the moment, but needs to be, how do I say this, cut down and just made sense and put into buckets. I think there’s a lot of things out there that are agent base that claim to everything and a lot of providers out there that do just endpoint for example, that do try and do it across every surface. And then from even a cyber insurance perspective, it’s network detection tech, yes or no. And then it’s EDR tool, yes or no. So it’s such a grey area, but I appreciate your thoughts on that. Darren, back to the annual report that McGraw Nickel released. Anything other good insights you’ve changed this year from the report? We’ll link that as well in the show notes, but anything else interesting from that report you weren’t expecting to happen?
(47:34):
Look, actually there was a reduction in the amount of attacks this year, which is a good thing here we are thinking doom and gloom, but I think you go back 12 months and it was even worse, more people falling victim and more payments going out. So there has been less people impacted, less pain. I mean the stats are all dropping. So what we’re doing is working probably just not quick enough. We had some interesting stats that we pulled out just trying to get who attacked us the most. It was black cat, they love us. So they were the number one and lock bit and some others sort of jumped in there as our favourite attackers. We asked some questions around insurance, cyber insurance, and the vast majority of people see real value in having cyber insurance. And we thought, okay, that’s good. And also those that had fallen victim we’re able to say that no, we were actually able to go off and get reinsured.
(48:28):
There’s this view that if I have an incident, that’s it, I’m out. I can’t get insurance. Again, that’s not the fact In a lot of cases, the effort that goes into fixing an issue post remediation, I mean you’ve had an incident and you fix all of these things, then you improve your business so much. That’s actually a good thing to take to an insurer and they’ll accept and recognise that you’re actually a better risk now than you were before. So that came through on the survey as well. And then we were just trying to understand how did these things happen? And once again, we’ve got phishing emails and people clicking on things and falling victim. All those basics are still up there as the reasons why we do this. So the human behind the keyboard, and I’ve always said my start of my life in it doing service desk work and I said the only one thing I wanted to fix was between the chair and the keyboard. And if I could fix that, I’d never have a problem.
(49:20):
Good luck. We’ll all be out of business then. Yeah, yeah, we need them. What are we doing? The last question I got for you, six hundreds of time is a lot of people right now who are responsible in businesses for cybersecurity might be trying to plan for next year and what things to do, the market as a whole and the different kind of solutions out there around cybersecurity have, I say a lot have popped up this year in particular. What’s your advice for that kind of internal cyber stakeholder planning for 2024?
(49:51):
So where do I start? Understand what your business’s baseline is. So everyone’s trying to build plans and actually hasn’t actually thought about what are we currently doing and what aren’t we doing enough of. So if you haven’t done it in the past or you haven’t done it for a while, set yourself a new baseline. What are our gaps from that? Then start to think, okay, well what strategy and plan am I going to put around those gaps? So what am I going to do about that? And then be realistic. We all talk about budgets and there’s not enough money in the pot. Build a plan that actually caters for that. It might be 18 months before we get everything done. I am going to go for bang for buck the quick wins. Add those things in, get that movement as quick as you can, set some mandatories in your plan and we will have MFA on every single user account without exception by this day and time.
(50:38):
We can’t accept that risk and do that for quite a few things. And if you have to go off and ask for more budget and more support then that’s what you have to do. Have a look at sensible frameworks to actually build security. So just don’t make it up and don’t go and Google a solution or chatGPT, how do I do my cyber? It might get it right if you give it the right question, but in Australia, the NIST is a great medium and upsize framework for managing security. It’s just been revised. It’s revised actually. 2.0 comes out in 2024, very early this year. So there’ll be a new framework. iso, if you’re big into town, you’ve been investing for a while, great. Get certified. Demonstrate to your supply chain that you are cybersecurity and you’ve got a certification to show that. If you’re an SME, consider one of the new frameworks.
(51:30):
So the C-S-C-A-U Cybersecurity Certification Australia have just released a new framework for SS ME businesses in this country. Five tiers of cybersecurity framework from mom and dad business. I mean just there’s two or three of you who have a business, but I need to show someone I’m doing something right through to a level five where you’re doing your essential eight, doing a whole lot of other good things. Have a look at frameworks that tell you what you should do to reduce the risk and follow through and actually achieve something on them. So that’s what we would definitely be suggesting people do. And then test and train. Make sure your people are trained and they’re up to date. Test your systems. Don’t just assume it’s all working. If you’ve got backups, ask someone to test them. If you’ve got an MSP, ask ’em the hard questions. How do you look after my security? What are you doing? Can you go off and show those things? A good MSP is going to love you asking that question because they’re ready for it. They’ll come back and say, absolutely, thank you for asking. This is how we do it, and we would love you to do something similar. And if you got to do those things, that’s where you got to position yourself to get better next year.
(52:37):
Awesome. Thanks Darren. Pretty appreciate your time. Shed a lot of knowledge, as usual, as kind of expected. Always great to catch up. Move to another one in six months time. Thanks for coming in.
(52:45):
How many movies do we get to make?
(52:47):
How many parts are there in the Godfather? I don’t know. I look forward to Godfather part three. So thanks, Darren.
(52:51):
Thanks Darren. Thanks guys.
If anything in this post interests you, or you'd like to have a chat with someone about your technology challenges, we would love to hear from you!