Closing the Cybersecurity Gap: Empowering Small Businesses in Australia with Peter Maynard

Posted on June 28, 2023 in Cyber Security

 

In episode 31 of REDD’s Business and Technology Podcast, hosts Jackson Barnes and Brad Ferris sit down with Peter Maynard from CyberMetrix to discuss the importance of cybersecurity and risk management for small and medium-sized businesses (SMBs). He emphasises that SMBs need guidance and support to effectively respond to and recover from cyber-attacks. Peter highlights the deficiency in current cybersecurity frameworks, which often focus on technical controls and fail to address the broader risk management aspects necessary for SMBs.  

To fill this gap, Peter and his team have created a cybersecurity standard and framework specifically designed for SMBs, called SMB 1001. This multi-tiered standard allows businesses to certify their cybersecurity maturity level based on their specific needs and capabilities. The goal is to provide SMBs with a clear roadmap for improving their cybersecurity posture and to encourage MSPs (Managed Service Providers) to grow into MSSPs (Managed Security Service Providers). 

Peter’s team has established Cybersecurity Certification Australia, an authority that manages and updates the SMB 1001 standard. They have also developed an online platform, Cyber Cert, where businesses can go to certify their cybersecurity level. The certification process involves working with IT providers to implement the necessary requirements outlined in the standard. 

The conversation also touches on the need for a broader risk management approach to cybersecurity, collaboration between industry stakeholders, the role of government in setting cybersecurity standards, and the importance of addressing third-party supply chain risks. 

Overall, the episode highlights the significance of cybersecurity for SMB’s and the efforts being made to provide accessible and effective cybersecurity frameworks and certifications tailored to their needs. 

 

00:00 – Opener 

00:20 – Intro 

00:41 – Peter Introduction 

00:53 – Peter’s career background 

01:56 – Peter’s company’s goal 

02:24 – Examples of 3rd party chains that attack businesses 

02:35 – Medibank attack 

04:03 – The psychology of the people that are conducting the attacks 

06:21 – Why do businesses need to consider cyber insurance from third-party? 

07:49 – What does CyberMetrix do in terms of helping businesses? 

09:31 – Cybersecurity Frameworks in Australia 

09:53 – The Essential 8 

12:50 – Gaps and problems identified 

14:30 – Solutions and certifications 

16:59 – Assessing a business’ MSP on their maturity level 

21:54 – Cybersecurity as insurance in the business 

24:31 – Cybersecurity budget 

26:06 – General Cyber Awareness 

27:42 – Invoice fraud 

28:18 – Existing standards of frameworks 

29:14 – Current improvements in cybersecurity frameworks 

31:35 – ISO 27001 for small-medium businesses 

33:21 – What is the standard? 

34:41 – Implementing that certification standard 

35:01 – Cyber Cert 

35:22 – Requirements of the standard certification 

36:53 – Cybersecurity partnerships 

37:46 – Australia as the safest country in Cybersecurity by 2030 

40:49 – Cyber risk management program 

41:36 – What’s next for CyberMetrix? 

43:17 – Outro 

 

Thanks for watching!  

 

 

About REDD  

REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.  

 

REDD is a leading provider of the following services  

 

  1. Digital Advisory Consulting 
  2. Managed Technology 
  3. Cloud Computing 
  4. Cyber Security 
  5. Connectivity 
  6. Unified Communications 

 

Our Vision  

We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward. 

 

Show Transcript  

(00:20): 

Hello and welcome to Red’s Business and Technology Podcast. I’m your host, Jackson Barnes. I’m your co-host Brad Ferris. Today we’re sitting down with Peter Maynard, who’s the founder and CEO of Cyber Metrics Australia. We’ll be talking about third party supply chain risks, the cybersecurity frameworks and how you can align how your business and what businesses should be aligning to those kind of frameworks and how you can mitigate third party supply chain. Peter, thanks for coming in. Looking forward to this episode. Thank you 

(00:42): 

For having me. It’s great to be with you guys. 

(00:44): 

No problems, mate. Do you want to start with your story and foundations, what you did before you started cyber metrics and your journey to get to getting there? Yeah, 

(00:52): 

Sure, sure. So I’ve been a tech entrepreneur for the better part of 20, 25 years and have always been self-employed and ultimately found myself getting into technology around about the late nineties, the start of the big.com bubble, so to say. Always found technology to be something that took my interest and was a real valuable tool that would allow me to do pretty much whatever I wanted. So we started off on the route of multimedia development, software development, and I’ve been doing that since 2000 and got into the MSP business early 2012 I think it was, where we were introducing some hybrid cloud services to some of our existing software customers. And it was from that experience there where we actually were starting to deliver some frontline technology services that we saw the need for some cybersecurity services in our own business. And that really led me down the pathway of creating cyber metrics. And our goal has been to find ways where we can improve the resilience of small to medium businesses using technology to do that. And that’s really brought us here today. 

(02:05): 

Awesome. Definitely cyber’s a big topic right now and this has probably come out in a week or so, but think yesterday got announced that Medibank, Medibank got breached again and PWC got hit by a vulnerability, so it’s crazy times. So looking forward to getting some insights in you around what’s going on in that space. Let’s start with examples of third party supply chain attacks to businesses just to set the scene. 

(02:28): 

Yeah, absolutely. So the recent Medibank attack that you mentioned actually is a third party attack. So one of the suppliers that Medibank uses were attacked yesterday, or one of the platforms that provider used was subjected to a breach and that’s led to some data leak. And it really does emphasize the point that not only the big organizations themselves are the targets, but very, very much so the smaller businesses that they work with on a regular basis. And if we look at what a supply chain or what a vendor market looks like for most businesses, most of that supply chain were made up of small to medium sized businesses and they typically don’t have the same level of cyber maturity that the bigger organizations do. So they’re quite a good target for the bad actors and for a number of reasons. So yeah, it’s, it’s going to become an increasing problem for a number of reasons, not just the one that they’re being targeted, but there’s going to be increased requirements for those suppliers to be able to demonstrate what cybersecurity measures they do have in place, not only protect themselves but also their partners and the digital assets that they look after for those partners. 

(03:41): 

Yeah. I want to hit to, this is off kind of the script here, but I want to hit you with a myth that I get on a day daily basis, which is we’re too small, they’re not going to attack us. What do you say back to that? 

(03:54): 

Yeah, it’s a sad myth and it’s unfortunately one that we hear more often than not. If we look at the psychology of the people that are conducting the attacks, they’re not out for perfection. They’re a business operation that has a clear business objective at the end of it. And the easier and the quicker that they can achieve that objective, the faster it will be for them and they’ll pursue that. So if getting hold of 30,000 employee records for Medibank, for example, I’m not saying this is the case, but let’s use any provider, any organization out there, if I want to get those records of that large organization, it’s likely going to be much easier for me to attack someone that’s likely to have those records as opposed to large organization themselves. The large org you see pretty well defended and they’ve got good processes in place, but when you move down the track, it’s pretty much the wild west out there and there’s not a lot in place to protect it. 

(04:57): 

So you’re absolutely right. That’s one of the real key myths that we do need to debunk and not just for the third party, third party’s sake, this is one of the real core reasons that got me into cybersecurity. And again, coming from small business myself, we typically have everything invested in our companies. We’re employers of people and they rely on us to be able to continue to employ them, look after their families and so forth. If a small business gets attacked, very difficult for them to recover and it could be a business ending event. I remember seeing a statistic a couple of years back that quoted around 66% of small businesses that sub to a substantial cyber attack and that includes ransomware attack would go out of business within six months. That’s a devastating outcome for large corporates. It might mean one or two people get fired and the business will go on. But for small business, that small business owner has lost their income, has lost probably one of their bigger assets. They may have a mortgage tied to that business as well at funding it. And the people that turned up for work every day have suffered a loss as well. So understanding that we’re too small is really something we have to move the dial on pretty quickly. 

(06:18): 

Definitely agree and that’s good advice. Why do you think businesses need to consider cyber risk from third parties? Let’s get back to that cause that’s kind of like the core thing that cyber metrics is doing currently. Why do businesses need to consider third party supply chains? 

(06:33): 

It’s going to be enforced on them without much control of their own. So the way federal government are approaching cybersecurity in general is very much from the top down. So by imposing regulation responsibilities on larger organizations, they’re able to trickle through requirements all the way down to small business. So for example, Australia has a regulation and act called the Security of Critical Infrastructure Act of 2018, and that’s designed to protect our critical infrastructure providers from cyber attack and to make sure that Australia can continue to run as a business part, an economy. Part of that act and that responsibility for those large organizations is that they have to incorporate a risk management program across their supply chain. So by those large orgs being required to do it from regulation, it’s now going to spill down into the small businesses who are part of their supply chain. 

(07:34): 

Yeah, that’s definitely true. And most of the small businesses I think are getting a little bit left behind in this kind of stuff. There’s Australian Cybersecurity has the essential aid and that kind of stuff, but not really much enforcement currently. But yeah, we’ll see what happens in that space in the future. What does solving metrics do in terms of helping businesses with third party supply chain risk and mitigating that 

(07:54): 

So directly? We don’t work with small business, but we look to provide capability for the larger consultants and the MSPs like Red who deal with the larger orgs that have that regulatory requirement to enforce supply chain assurance across their supply chain. Give them ways and capabilities to do that in an easy way for everyone involved. What we’ve seen happen is the small businesses and the suppliers currently are being asked to comply with standards and frameworks that are outside of their capability. So an easy one to go through go is ISO 27,001. It’s an internationally accepted standard. It’s a great standard and it provides a foundation necessary for a really good cyber risk management program. Unfortunately, the capabilities required to implement that standard in those programs are well and truly outside of the capabilities of most small to medium businesses. So if these businesses are having that standard imposed on them, it kind of does the job for the large org prescribing it, but it goes nowhere with the small business. So the outcome is really, there’s no real achievement in risk mitigation because it’s just too hard for ’em to implement. 

(09:12): 

Yeah. So 20, I said 27,001 is a massive effort to go and do looking at a bunch of controls and even to renew every year there is a massive amount of investment for a small business to do. That’s kind of the thing you’re trying your telemetrics is trying to combat for small businesses, but essentially through partners get that. What more broadly speaking is your opinion of the current cybersecurity frameworks in Australia? So there is 27,001, there’s the essential eight and there’s IRA and that kind of stuff. If you would’ve just the audience sake give an overview of what cybersecurity frameworks there are in the market in your opinion. 

(09:45): 

Yeah, sure. So ISO 27,001 is a standard and it’s a great framework. The essential eight are eight technical controls. They’re not technically a framework. So they represent eight requirements or activities or controls that you can put in place in your business to reduce the likelihood of an attack or an attack that causes a loss or damage to your business. Where we’ve seen those eight controls kind of fall behind modern risk management thinking is that they don’t allow for, let’s, let’s just talk in simple terms. If we look at cyber risk management from a business perspective, we’d break into three areas, your people, your processes, and your technology. So the essential eight cover off technology really well for businesses, but they don’t address the process or the people. Now when it comes to people, the awareness and the education, the understanding of what the threats are, they face, how they’re targeted, how they’re manipulated, what phishing is, what fishing is, what social engineering is, that’s really important information for employees and businesses to have. 

(11:03): 

Your people are your frontline, your people are actually who the bad actors are targeting. So the more that they can be informed, the better chance you have of actually responding to an attack and recovering from it. Australia’s not getting that guidance and that advice pushed on them. They’re largely being told that if you’ve got these eight controls in place, okay, yeah, well what happens when those eight controls aren’t enough in place? How do you respond and recover from the attack? So our focus really and my light bulb moment when I started that MSP and I could see by providing hybrid cloud services, we could bundle a lot of security, tech security into the stack that our clients could just consume. And that’s only gotten better and better and better over the last 10 years. But where the deficiency was around the people in the process and that’s the real maturity, that’s what an ISO 27,000 will give you or give you a broader risk management approach to cyber. And if we look at really a cyber attack is becoming an if event, not sorry, becoming a when event for a business, not an IF event. Yeah, my attempt to stop it has failed, what do I do to recover? And that’s where the processes come in. Having an incident response plan, being able to know who to call on, what to do in the event that something does go wrong 

(12:24): 

Makes perfect sense cause So what you’re saying, basically if I was to look at business continuity as an example, is essential eight looks at have an offsite backup with that, but more your frameworks and I said 20 2001 is have a business continuity or disaster recovery plan in place due disaster recovery testing and instant response plan, those kind of things in place looks more holistically to actually we mitigate cyber risks. 

(12:46): 

Exactly. So one of the things that we’ve focused on and one of the big gaps and the big problems that I’d identified was that there was nothing that it goes from when it comes to certification frameworks, standards, it goes from nothing all the way up to ISO 27,001 and that ISO 27,001 might be fit for purpose for 5% of our economy. So for 95% there was nothing. And then the other reality is not everyone needs the same level of security, so there’s not good or bad. So the approach that we took was to introduce a multi-tiered standard multi-tiered certification. So there was a very easy starting point where a business could get on board and they could put some basic controls in place that may get them 50 or 60% of the way there, very achievable, could be done in two or three months and then they’d have something to show for it. They could show a certification to a partner or to a client. We’ve taken these measures, but what we’ve also done is provided additional levels of maturity that they can move up all the way up to ISO 27,001. So our intent was to find a certification and standard solution that was fit for purpose for a small business was within their capabilities to deliver and that they could execute the majority of it with their existing IT provider. They’re the things that we have to work with. If there’s inputs required outside of that, it empirically fails. 

(14:21): 

Okay. I couple more questions but Brad did you want to weigh in on anything? 

(14:24): 

I think you’re going to get to it, but I’m definitely very curious to hear the solutions that you have put in place, the certifications and how you’re filling that gap between nothing to ISO 27,001. Cause I think it is relevant for us and relevant for a lot of our customers and our audience. 

(14:41): 

Yeah, absolutely. Look, we had to take a bold move and say that there’s a deficiency here in the market. There’s a new and emerging risk, which is cybersecurity do the way we manage standards and certifications in the past work for cyber. And our response was, no, we can’t wait six years for a standard to be updated or to be modified to address the current threats that businesses face. And it also doesn’t take into consideration the advancements in technology that we see. So we saw a real opportunity in the market to create a certification authority that focused on dynamic standards. Ones that could be reviewed and turnover on an annual or bi-annual basis that keeps the standard fresh and keeps it current and keeps it relevant. By doing that, we can also keep it super lean and that’s the intention. We’re not here to overburden businesses with more work. 

(15:49): 

We’re here to clearly identify what low hanging fruit is and what good looks like and at achievable levels. But we’re also providing a way for MSPs to grow into MSPs if we can demonstrate these are gaps in services that small businesses and medium sized businesses need and they’re coming to you as their expert. This effectively is the roadmap. So we’re trying to grow that ecosystem as well. If we can see every MSP in Australia become a really valid MSSP within the next five to 10 years, that’s actually how you’ll make Australia the most cybersecurity nation in by 20 20 30. 

(16:34): 

It’s interesting because yeah, we see on a daily basis, traditionally MSPs giving, to be honest with you, sometimes bad cyber security advice and focus on keeping the lights on and making sure users can access PCs and cyber security is the kind of thing on the side, not really focusing on it. So I’m interested that that’s interesting that essentially that’s the approach you are taking. So a question I’ve got following off from that is how does a business assess an MSP or a managed service provider or IT company to partner with on their maturity level? Apart from going through your kind of compliance like maturity level, is there another way of doing it? 

(17:12): 

That’s a really good question. I’m not sure there is. Okay. The IT provider has in recent years sort of fallen into that trusted advisor role of almost the accountant and the lawyer that allows the small business owner to go to sleep at night. And it’s not really based on anything a lot of the time is that, but I will say 99.5% of the time, the initial conversations that we will have with a business owner is that our IT guy has got our cybersecurity covered and then when you look underneath the sort of bonnet so to say, as to what services they’re getting, they are that traditional IT provider and that was their job. That is their job is to keep the lights on, to keep the computers going. They’ve now become the convenient point of stock for cybersecurity as well. And look, that’s not a bad thing. Small business owners need to have that person in place, but what we need to do is we need to be able to make sure that the business owner and the IT provider are essentially singing from the same hymn sheet. And that really is around broadening the solution capabilities of that MSP to start to go into areas where they typically wouldn’t have, I would’ve expected to see more accountants actually come to the table from a risk conversation and from an normal 

(18:47): 

Conversation. Well it is an accounting, a CFO kind of conversation. And this is what it comes down to is that if an organization gets breached, the person that’s wearing that cost, especially if there’s no cyber insurance in place, is the director of the business, not the msp. Yeah. Or the IT partner that’s engaged. And I guess that is, it is a bit of a gap in the market. I’m fully on board with essentially what you’re saying. I agree and see on a day to day basis that MSPs aren’t focusing on cyber and then give some somewhat advice on tech general technology hygiene. But some of they’re not even doing patching MFA for example. 

(19:19): 

It is a two way conversation. We’re on the front line of this. Obviously we have launched our security services, but in partnership because as you’d be well aware, security is broad, it’s deep, it requires expertise, it requires a lot of people looking at different things. So I dunno, I guess our experience if we put our MSP hat on is like we know we couldn’t do that all ourselves. We can’t provide a soc, we can’t provide a lot. We need to rely on partners. We’ve got a strong partner there. But one challenge, and we’ve talked about this on the show before, to your point in that businesses think, oh you’re my IT guy, you do everything. We would like to try and do everything, but there’s a cost involved and that is probably the needle’s moving for us now. Definitely with our more mature or I don’t know how I put ’em in a subset, but with some of our customers, definitely they’re getting it. They’re seeing everything in the news. It’s been front of mind. It used to be a bit of an, oh not in my backyard kind of thing situation, but now it is. And we have been using that language. It’s not a matter of if it’s a matter when, so the needle is moving, but we still get lots of resistance on cost. We mean we talked to one customer and around cybersecurity services and what did they say? Oh, it’s just a cash grab. And that’s 

(20:37): 

Very common, 

(20:40): 

Very common. Some common of the mindset that’s out there. And we have had clients that have had incidents, some small who we had have been having the conversation with and unfortunately once they’ve been through it, they’re like, they get 

(20:57): 

It. It’s not a cash grab anymore. 

(21:00): 

Yeah. So it’s an interesting time if you like. 

(21:03): 

It is Brad. And the certification is just as much there to help the MSPs in that situation as well. Yes. All of a sudden what looks good is neither the business owner’s decision or the MSP’s decision, it’s a standard. It’s something that industry has said at this level, this looks is what good would look like. We keep going up and improvement keeps coming. So if a business wants that certification, it’s now very clear, this is what you’ve been told to get and your MSP will help you get there. That’s the intention. But look very, it was very cold realization when I truly understood what cybersecurity was as a business. It’s essentially insurance. So any measure that one takes to improve the cybersecurity of their business is self-insurance in this space. And we typically know what small and medium sized businesses are like when it comes to insurance. It’s not really a super huge focus, especially if it’s not one that they’ve encountered before. The flip side to that is very few events will finish your business as quickly as a cyber threat will. So you literally are going to the casino if you don’t have 

(22:24): 

Anything in place. In fairness to my previous comments, it is hard to understand for people. I think 

(22:31): 

It can be to really 

(22:32): 

Comprehend the risk and to your point, a lot of people get told it is quite binary and it can be, I mean not every incident is going to be business ending. There’s correct, there’s different attacks and different breaches and some can be contained with standard tools or just might have an impact or quick restore from a backup we’ll fix it. But even that kind of thing, I think it’s hard. It’s hard for us to make the risk compelling and articulate the risk. And I think it is for the whole industry to 

(23:02): 

Be honest. You’re absolutely 

(23:03): 

Right. But I, I’d like to say, I dunno, you can comment on this. I mean I do believe it’s getting better 

(23:08): 

People. Yeah, I think it’s definitely people getting more cyber aware with the Australia anyway with the events that happened late last year and it continued to be, get a pretty rampant the first six months of this year. But it’s still a long way to 

(23:20): 

Go. It’s only the big ones you hear about in the news for every big one. Absolutely. There’s probably a hundred little ones. 

(23:24): 

Absolutely. At 

(23:24): 

Least. 

(23:25): 

And to the point of what people spend this was really telling. So o o cyber funded a program early 2021 I think it was, which assessed around about two or 300 small businesses in association with some universities. And the outcome from that was around 56% of SMBs would spend less than $500 per year on cybersecurity. And that’s telling, oh, and I mean we peak, we peaked out at a thousand and at 10,000 and I think that was less than probably five. Would that include insurance? I don’t dunno. Yeah, I don’t. But back then insurance was a little bit more affordable. So it could have, 

(24:09): 

Well, it’s a hard challenge, right? Because it was definitely 10 years ago, here’s my technology budget, but almost now you need a digital and innovation kind of part of that budget. You need an IT operations part of that budget and then cybersecurity’s another kind of budget you need. And I don’t think a lot of businesses are that at that maturity level yet. No, but it does need to get a bit more broken down like that in the future. 

(24:31): 

We’re still seeing largely security budget being pulled from IT budget and so cybersecurity sitting underneath it and it’s just not what it is it, it’s a business risk. So it’s a business risk that you, you’re putting on your IT people to manage and effectively govern themselves and that doesn’t work. So there needs to be a separation of who’s responsible for cyber risk in the organization and make sure they can work well with either the internal IT team or the external IT provider. Because 

(25:11): 

This is something we’ve battle with all the time and I like to get your insights in this because in typically internal IT to managers, internal IT teams, they’re dealing with dayto day basis with the employees coming back to them saying, Hey, this won’t work. I don’t have access to this, I need this. My laptop fixed, mine won’t work. They’re focused on keeping it operational. Correct. 99% of the time. So if they can invest in tools to save them time and keep the lights on more, they will do that usually over proper kind of cybersecurity. But if there is a breach, the IT manager, okay, got to work some overtime to get back online here all the financial risk is hitting the bottom line and usually the directors of the business. But the risk is, and the decisions with technology and cyber is with the IT team. So it’s a consistent battle. It’s probably getting worse and worse. That’s probably going the other way in terms of the general kind of cyber awareness from what I’m seeing. Are you noticing that as well and what are your thoughts? 

(26:06): 

Yeah, look, the one thing that I’ve really pushed for the last few years, and even in the recent round tables back to federal government around the 2330 strategy is can we please move the conversation away from eight technical controls to managing risk fundamental when a business makes that transition from, I’ve got to get eight IT controls in place and we’re cyber secure to this is a broad risk that impacts marketing, communications, brand reputation, even ability to go on financial loss a whole lot. You don’t really start to see the maturity. So how small businesses deal with that? Yeah, it’s an interesting one. Typically the owner of a small business is the one that’s going to be ultimately responsible for what happens. And if we can get away from those individuals thinking that my IT team is responsible for this to, I’m responsible for this, my IT team are going to be my white knights. 

(27:20): 

So to other people that can help from a marketing perspective or from a communications perspective, if something goes wrong, for example, one of the, we’re the only, the standard certification that we’ve created at C S C A U to my knowledge is the only one that exists that incorporates a policy around invoice fraud. Invoice fraud is one of the cyber related events that’s most likely to stop a business in its tracks. If you go and pay a $50,000 invoice to a supplier that wasn’t really your supplier and you’ve lost that money and you’re still left to pay the $50,000 to the supplier that really has owned it, that’s a massive loss for a small business to recover from. That’s what 

(28:08): 

Chris was talking about, the CFO from HOP Good. I think he put that as his number one. 

(28:12): 

Number one that really, and that really goes to show that existing standards and frameworks haven’t been written with the mind of a small business. They’ve come from cybersecurity experts down and that that’s okay, but when 95% of your economy isn’t that layer, something’s not right and you need to make it fit for purpose for the people that actually have to implement it and protect their business. So that comes in level two for us. That’s one of the very first policies that gets introduced before a cybersecurity policy or even an incident response plan. That’s a requirement at level two. 

(28:48): 

And your honor, I think that conversation will get driven towards the accounts payables and receivables team from a cfo, from a director of the business a lot better than from an i IT manager. Well, 

(28:59): 

That’s not their job really. Yeah, absolutely. 

(29:01): 

So I do agree with that. I want to get some of your insights and look, do you think cybersecurity frameworks are getting better from, so comparing to 2015, for example, to now, are they getting better? 

(29:14): 

I think it’s getting, there’s more of them, which is difficult. They’re potentially getting more segregated. The challenge really is though at the enterprise level for standards and frameworks. The ones that are getting bombarded with it, the SMBs are largely left out of that or occasionally are dragged in to comply with one of these standards. Hence why we’ve had do what we’ve done and hence why it’s had great traction with all parties, whether it be the small business, the MSP, or the large prime that has them as a client. It’s simple and digestible and doable for everyone involved. So yeah, look, I’m no expert. The other members of my team are the experts in standard. They’re actually stand sit on the editing committee for ISO 27,001 and represent multiple countries in doing so as well. Asnu number of other standards in Standards Australia. So definitely work that needs to be done in Australia to redirect it to where to really what the federal government messaging is to small and medium business and that needs to be moving away from IT controls only into broader risk management. 

(30:34): 

So can we unpack a little bit more what it is you’ve actually done? Yeah. So is that coming or can I jump? Yeah, here you go. Yeah, absolutely. Yeah. So you’ve created, you’ve worked, how does that work? So sure you’ve created a standard effectively and then does that need to be certified or how does that whole process 

(30:51): 

Work? Interesting process, Brad. So we’ve sort of gone out in trailblazing startup format and surprisingly have had good traction and it was needed, which is warmly welcomed, 

(31:08): 

Good traction with people who’s certified or good traction with businesses taking up the framework. 

(31:13): 

Mainly we’ve stayed away from potentially the competitors to start with, which the standard bodies themselves because what we’re doing is actually is very disruptive. 

(31:24): 

So you are filling that gap between zero to between 27,000 

(31:27): 

A month. That’s exactly right. 

(31:28): 

So yeah, curious to hear. Yeah, 

(31:30): 

Yeah. So that 

(31:30): 

What you’ve done, what the standard is, who it applies to. 

(31:34): 

Yeah, absolutely. So in 2021, myself and my co-founder, professor Ryan co co-authored a cybersecurity standard and framework specifically for small business labeled SMB 1 0 0 1. That standard was intended to bridge that gap between nothing to ISO 27,001 and specifically for the capabilities of a small and medium business. On top of that, we said, look, one standard isn’t sufficient. We need to create multiple tiers. This is a journey for a business and a florist doesn’t necessarily need to be as secure as an accounting firm, as secure as an msp. So let’s put it on a step scale. So we’ve created the standard, we’ve created the certification, and we’ve been running businesses through the certification process for the last two years manually, just to get a feel for how well it works. It’s been widely used across the Pacific nations, so we’ve used it in government agencies, but around fishery agencies that needed to uplift cybersecurity. 

(32:41): 

It’s been a very effective tool there. Previous to that, they were needing to use ISO 27,001, didn’t even know where to start. The analogy that I would compare it to, and it was similar to what I heard outside before. Were basically expecting grade one students who are learning to add up and to subtract, subjecting them to geometry and calculus. When we drop ISO on them, they’re learning how to read CAT and the hat, but we’re giving them more and peace so that you go nowhere. So that’s what we’re looking to fill that gap, and we’ve been able to do that successfully. So the standard itself has now evolved and we’ve created a standalone certification authority, so kind of a standards of Australia itself, known as cybersecurity certification Australia, and that certification body, that authority will take ownership of that standard and that will look after that standard moving forward. 

(33:44): 

We’ve established an industry steering committee that’s made up of key bodies around Australia that participate annually in making sure that standard is up to date and representative. And some of the bodies on that industry steering committee include McGraw Nickel, who really want Darren on there because Darren’s at the coal face every day of what businesses are encountering, what they’re experiencing from supply threat, supply chain threats. Our cyber are on there as a great conduit between commerce and the federal government and cobo, the Council of Small Businesses Association of Australia. They’re the real voice of Australian small businesses and understand what their capabilities are. And then a number of other organizations and that industry steering committee will continue to look after that standard. So we basically gave birth to it, created the associate, the organization to manage it and then put the things in place for it to continue to live on. 

(34:41): 

The next part is, okay, well how do we implement that certification, that standard so that businesses could actually access it? This is another area that we’ve been disruptive out of need to get scale. The standard is then passed across to a certification issuer, and that certification issue in this case is called Cyber Cert. And what Cyber Cert is, it’s an online platform that small business can go to where they can certify their business. Now, levels one, two, and three, the certification are based off a directors attestation. So we basically, well CERT provides a workbook and the requirements that the business needs to implement with their IT providers. So the first requirement of the standard and the certification is that you either have an internal IT department or you have an external MSP or IT provider. If you don’t have that number one requirement, you can’t proceed to certification. 

(35:39): 

So the intention is that the small business will go to cyber cert, they will nominate which certification level they want to certify their business to. They will get the workbook and the spreadsheet and the instructions that they need to work with their IT provider to implement those requirements in their business. We find most businesses have most of either level one or level two already in place. So they’re able to pretty much certify their business and be able to demonstrate immediately, this is our level of cybersecurity, but this is where we really wanted to grow the MSP market, is that by providing that workbook, MSPs will start to see as their clients say, look, we either need to get this certification, it’s a requirement of one of our partners, or they’re wanting to do it just to be better. They’re, they’re giving clear guidance to their IT providers, their MSPs, what they need to have done have put in place. 

(36:33): 

And we think that will happen pretty quickly. I think Red’s a perfect example of that MSP transitioning into the MSSP in a very short period of time and understanding what the landscape’s like. So congratulations to you guys for being trailblazers in that area. There’s a lot more of that needed and need strong partnerships. Absolutely. All across the board. This whole thing’s about partnerships, one of the things that surprised me the most with the cybersecurity community, the issues and the problems are that great. There’s no reason why we shouldn’t really all be supporting each other and helping each other to progress what their solutions are. If they make a difference and they provide value, 

(37:14): 

The danger is, I think from what we’ve seen is like MSPs or small operators not partnering and trying to do it all themself and putting tools in place, but not leveraging bigger companies to actually put in monitoring. Yeah, absolutely. The appliance checks and frameworks and that kind of stuff. So yeah, that’s good advice. I wanted to pivot a little bit, unless Brad, you want more follow up questions on that piece? No, you’re good. Clint or Neil wants Australia to become the most cybersecurity safe country by 2030. What do we need to do from your perspective, you know, are big in this space, what do you think this Australian cybersecurity industry needs to do to achieve that goal? 

(37:54): 

Look, I’ll, I’ll be the controversial participant. I think whatever applies to commercial Australian needs to apply to the government 

(38:05): 

And we need to find a way to make that happen. It’s okay to put a 50 million fine penalty on a large corporation. How do we do that with the federal government or a state government or local government? What are the levers and the mechanisms that we can do? Because until there is a level playing field, then there’s going to be, there’s just too much friction and it’s okay to wheel the stick and I get that. And at some point you do need to get out there and wield stick, but you can’t be the person wheeling the stick when you’ve got chaos behind your own door. So that would be, that’s a really, really big change and a tough one, but tough problems need to be thought about and not just put to the side. I commend Claire O’Neil for what she’s done. She’s absolutely came, come out and been an incredible champion for the importance of good cybersecurity and cyber resilience. 

(39:04): 

We’re going to go to the moon by seven by 1970 or whatever. Whenever JFK said that, that’s basically where this statement falls. It’s a big ask. I think another key component of getting to that level is around broadening the approach and the communication to the broader digital, broader economy in Australia. And I come back to that point around we need to move away from a conversation of eight controls to broader risk management. If eight controls only covers half of what we have to deal with and it doesn’t help us respond and recover, then there’s a deficiency in that model. And what it does when the federal government amplifies that is it tells every small business, if my IT provider says I’ve got the essential aid to the top four in place, I’m safe. Well then they go to bed thinking that at night. But the next day when they get hit, how do they know how to recover? 

(40:05): 

And they go to the IT provider, well we’re not actually your instant response provider, I’m sorry, we provide volume, we provide you technology, so we’ll do what we can to help you. But we don’t know how to communicate to your 2000 customers that you’ve just lost their data or whatever. That may be really where I think there’s some big change could occur. And we’re one of the, as far as I know, we’re the only country in the world that does this, relies on a IT controls as opposed to a risk management approach to a risk. 

(40:39): 

Yep. It’s a complex problem and not an easy one to solve 

(40:44): 

It. It can be complex, but the smaller your business, the easier it is for you to be goal class. So one of the key drivers for complex, how complex or costly does my cyber risk management program need to be? It’s almost directly relational to the number of employees you have. The sole operator can be locked down, rock solid, super secure, you move up to a hundred thousand employees and the technology infrastructure that you need to manage that becomes super complex. The 

(41:15): 

Change to put in 

(41:16): 

Place, absolutely, it’s giant, right? But that’s still 5% of our economy that the 95 that sits underneath that are really, you can do a lot with, but you can’t approach it. You’re the enterprise guys, they’re different. It’s completely different. Has to be fit for purpose, 

(41:35): 

For risk. Next for cyber metrics. 

(41:37): 

Cyber metrics at the moment is really getting behind our partners on the supply chain assurance program. So we’ve recently partnered with McGraw Nichol to start to engage with the next gen, third party cyber risk management program that has been developed and is based off certification. So that’s really our core priority at the moment for the next 12 to 24 months is to make sure that partners like McGrath, partners like Red are all supported properly and getting what they need to make sure that customers can understand the value of having good third party assurance in place. Outside of that, I dare say there will, there’ll be something that will pop up along that journey that another scalable solution can address. And that’s where my problem’s actually staying focused. And I’ve, I’ve managed to stay focused for a few years now, which has proved quite valuable. So I, I’m reluctant to sort of stretch that out. Yes, a morning playing golf can come up with five spinoffs and that’s not productive with that. Yeah, 

(42:51): 

I’m really glad to hear that you are big on, I think it seems like a common theme. Everyone in that cyber industry is big on partnership and working together. It’s essential to essentially help mitigate cyber for small businesses. So I pretty aligned in everything you’ve said today, Peter. Really appreciate you coming in and all the insights that you’ve shared. It’s been, you’re welcome. It’s been great speaking to you around that kind of third party supply chain risk, the frameworks and how we can end cyber risk in Australia. 

(43:14): 

Been a pleasure. Thanks for having me. 

 

Reach out!

If anything in this post interests you, or you'd like to have a chat with someone about your technology challenges, we would love to hear from you!