Cyber Risk Management for CFOs with Chris Lowndes – Group CFO HopgoodGanim
In Episode 019 of REDD’s Business and Technology Podcast, our hosts Jackson Barnes (Head of Business Development – REDD) and Brad Ferris (CEO – REDD) interview Group CFO of HopgoodGanim – Chris Lowndes. Chris has a wealth of experience managing budgets & risk.
We discuss risk management, the importance of technology and cyber security in law firms, cyber insurance and how Chris looks at methods to mitigate cyber risk. Cyber risk mitigation is definitely not what it was 20 years ago and, with recent large-scale breaches in Australia, boards and management teams need to take this risk seriously.
If your business is looking to enhance its level of cyber protection or know where you stand, check out some helpful information from REDD here:
Cyber essentials booklet – https://redd.com.au/cybersecurity-essentials-booklet/
Microsoft Secure Score and what it really means blog – https://redd.com.au/microsoft-secure-score-and-what-it-really-means/
Recorded Thursday, 23rd of February 2023
00:00 – Start
00:48 – Chris’ career background
02:53 – Cyber risk management from law firms
03:53 – Concerns from law firms regarding security breaches
04:43 – Articulating risks from a law firm’s cyber security
06:07 – How big is the cyber security risk for a law firm?
07:24 – Importance of IT in law firms
08:48 – Advice to other finance businesses
11:15 – Cyber insurance companies
12:32 – Getting cyber insurance for businesses
13:30 – Importance of Cybersecurity in business/companies
14:07 – Understanding the risk of cyber threats from the CFO’s perspective
16:29 – Separating technology and insurance related spends in the budget
20:51 – Importance of technology to businesses
21:58 – Strategy and process of a CFO in risk management
24:08 – CIOs in small businesses
25:54 – Managed Services
28:59 – Frequent cyber attacks
31:00 – Senior managers as the weakest link
33:39 – Enforcing cyber risk awareness in the team
35:25 – 2017 attack on a global legal firm
38:08 – Ransomware attacks
40:08 – Wrap up
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below. https://redd.com.au
Thanks for watching!
REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.
REDD is a leading provider of the following services:
- Digital Advisory Consulting
- Managed Technology
- Cloud Computing
- Cyber Security
- Unified Communications
We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward.
You can read the full transcript below:
– Hello, and welcome to REDD’s Business and Technology Podcast. I’m your host, Jackson Barnes.
– I’m your co-host, Brad Ferris.
– And today we’re sitting down with Chris Lowndes, who’s the CFO of HopgoodGanim. You might be familiar with the name. We had Steven Hunwicks from Chris’s team in earlier, late last year, actually. Today, we’ll be covering off cyber risk, but also, technology from a CFO’s point of view in a law firm. Chris, thanks for coming in. Really appreciate it.
– No problem.
– Did you want to touch on, mate, your background, what you did before you started HopgoodGanim?
– Yeah. Well, I’ve been around for a little while. I know that I can’t speak for too much too long on that. But essentially, I’m a chartered accountant. I had the opportunity to do a bit of consulting work after being chartered. So that gave me a bit of an insight into, you know, project management and managing people, the softer skills. And then I came back into accounting again, and I’ve been working as a CFO in multiple different industries for probably the last 20 years. And spent the last six years at HopgoodGanim as their CFO. So it’s been a pretty big ride for a simple chartered accountant.
– So, yeah, awesome. So do you want to update us on HopgoodGanim? What they’ve got, you know, going on in the last three or four months?
– Yeah, so HopgoodGanim is a full-service law firm. So we’ve got… I guess Brisbane is our home base, so that’s where we’ve got the most staff, most practitioners, we’ve got a smaller branch over in Perth. But yeah, it’s been a tough last couple of months, I think all the professional services firms have found, you know, that post-COVID period, a little bit tougher. You know, COVID itself was a lot less impactful than we had ever expected. A lot better than the modeling suggested. You know, we thought there was going to be complete disaster coming our way, but it didn’t actually turn out that way. But the last couple of months for most professional services firms and legal firms have probably been a little bit tougher than we would’ve expected. So, and HopgoodGanim is seeing that as well. So, a little bit tighter in terms of our fee expectations.
– Hmm. Okay. So look, this episode, we really want to get your insights on the cyber risk side from someone who, you know, I guess controls the budget of a big law firm and has controlled the budgets for a long time. Let’s start with… Obviously, there’s been a lot of cyber breaches, large scale that have happened late last year in Australia, like Optus, Medibank, all those, and even all-around Queensland, there’s a university here recently and on the school, that kind of thing. How… Really want to get your point of view on this, how do management teams of law firms look at cyber risk now compared to 12 months ago?
– Significantly differently. I think what we’ve found is that… Professional services firms and the legal industry have probably been behind a lot of other industries in just technology, and using technology and implementing technology. So I think we’re slowly starting to pick up speed on that particular area, but cyber security is something that I think most law firms are now seriously looking at because of some of the impacts that we’ve seen on other law firms and how impactful a cyber breach, a data breach on privileged information for clients can be for a law firm. You know, you talk about reputational damage and financial damage, but yeah, significant. So I think law firms are really taking things quite seriously. And HopgoodGanim are obviously taking things quite seriously too.
– In comparison to 12 months ago, I mean, law firms have always held personal information. Do you think just since the breaches recently, you’ve noticed in your firm that it’s even more serious than before?
– Absolutely. And one of the things that we’re finding is that we’re actually being pressed by clients and panels that we’re looking to get onto, to improve our standards and the quality of the… You know, I guess the cyber protection and security that we have in place. So, and not only is it us striving for better, but our clients are saying, “Well, hang on, if we want to deal with you, we want to make sure that we’re dealing with a firm that’s got the quality standards and the security measures in place to protect the data and the information that we’re providing.” And there’s pressure on a law firm from all angles to make sure that we’re… Not only compliant, but we’re providing, you know, some security over a client’s information.
– That’s interesting. How are you articulating that risk back to maybe a panel you are trying to get on or a client when they question you on your cybersecurity? How are you articulating that back to them?
– Yeah, well, they will actually lay out, you know. Some of the bigger banks if we want to get on the panel. They’ll be very specific about what they require. You know, ISO standards.
– They’ll actually talk about, and there’ll be questionnaires and information that we need to provide back to them, which give them some information about what we’re doing and the standard that we have. And if we’re not at that standard, then there’s an investment decision that the firm might need to take. You know, is the likely fees that we might get from being on the panel and having this particular client in line with the cost and the risk that we’re going to have to take on to get us up to that particular level. So, you know, there’s decisions that we have to make as to how far we want to go with some of these… Some of these standards and requirements. Is it fit for our business or is it fit for a law firm that’s four, five, six times the size of us, that particular account. So we need to do that quite a bit, and we’ve changed a lot because of some of those requirements.
– It’s interesting. So, there’s a real commercial driver to be up to a certain par, if you like, around cybersecurity.
– Absolutely, yeah, yeah.
– We know as well, I think we’re doing some work for a business with the head office in Queensland and uplifting their cyber security and they said they’re actually going to put on their proposals that they’re, you know, backed by this kind of technology, and this level of cybersecurity. So it’s strange how that’s changing from, you know, just the burden into potentially in-
– Commercial opportunity.
– Yeah, commercial opportunity coming out of it. So for law firms in particular, what is the risk? Why are law firms such a big risk from cybersecurity?
– Yeah, well, I’ve just mentioned the privileged client information that we have. You know, one of the things that I was actually going to mention was from my perspective and I’ve read a little bit about, you know, the different types of cyber threats that are there. There’s really, in my mind, there’s really two. One is more important for me and my team than probably the main one that everyone thinks about. So there’s the cyber-attack, which comes through your systems. Someone hacks in, drops malware on and takes your systems down. But there’s also the other side of a cyber attack, which is a criminal, or an organization, uses technology to get into your systems and they use it as a tool. So what am I talking about? I’m talking about emails, you know, fraudulent emails, malicious actors which pretend to be someone that they’re not, you know, your boss, so that’s sort of-
– Kind of the social engineering.
– Or business email compromise.
– Yeah. And from my perspective as a CFO of the organization and in my team, you know, law firms do, you know, we’ve got large trust accounts, we have a lot of funds that we have to manage. We take direction from our clients as to how to use that and we’ve got regulations that we need to follow. So we need to be really careful. There’s a lot of funds that are moved around within a law firm. So, you know, what keeps me up at night is probably less… We’ve got IT people that know their stuff at HopgoodGanim. They have some plans and we’ll probably talk a little bit about that anyway. But from my perspective, it’s the weak link in the organization that lets an email through or clicks on a link or accepts, you know, a fraudulent invoice, which has been intercepted along the way and the banking details changed, and we inadvertently pay a large sum of money to someone that we shouldn’t have been paying it to. You know, that’s a risk that we… And we’ve got controls obviously around that, which hopefully I’ll be able to give you some comfort around ’cause we do that well. But that’s the sort of stuff that I think about, you know, ’cause it’s my team that are processing, my team that are looking at the internal controls. And my job to make sure that the organization understands and is aware that this is pretty important and I need to get it right.
– Let’s unpack that a little bit. So I do agree that like phishing emails and business email compromise, the language used now compared to five years ago is so much better than anything. So much more sophisticated, where it was pretty broken English like five years ago, for example. What’s your team doing, what policies? Is it just the call, if there’s any change in banking details sent through, or what are the kind of things that you would advise other businesses or people who run the finance arm to put in place?
– Yeah, it’s interesting, you talked about the terminology, and that was probably one thing that reduced how, you know, senior management boards and directors, how seriously they took cyber threats and cybersecurity. You know, ’cause the terminology was just, you know, something people just didn’t understand. You know, it was changing on a regular basis. So when you want awareness and you want people to really take notice and take some action, you know, they have, you know, information and technology and descriptions, which no one really understands. We’ll probably talk about that in due course as well. It’s hard to get your head around it if you’re not an IT person and then to take it seriously, that’s another level altogether. So we… Probably a couple of years ago, a lot of the internal controls that I’ve driven and we’ve implemented throughout the firm, actually came from our insurers. So our insurers drive a lot of this themselves because they know, and they see the risks that happen in other firms in the area. So they’ll often talk about the standards that they require of us as their client, a client that’s taken cover, they’ll actually come to us and say, “Look, we expect there’s a certain standard or quality of control that we expect you as our covered party need to have within your organization. And we expect you to have that as part of, you know, the overall plan.” So, you know, they came in and gave all of our staff training. So all of our staff go on regular training that’s put on by our insurer, Lexon.
– Really? Put on cybersecurity training?
– Yeah, absolutely. So they’ll talk about password controls, they’ll talk about when you get an email, what to look for in an email, how can you tell that an email is not, you know, is a phishing email as opposed to a real email. So there’s really practical stuff. And I tell you what, when you leave one of those sessions, you’re looking at your emails. So there’s things you can look out for.
– So is that a structured program, or they’ll come in quarterly, something like that?
– It’s very structured.
– So everyone in the firm will sign off to say that they’ve done the training. As I said it’s the weakest link. It’s the person,
– Yeah, the…
– the organization that gets the email doesn’t realize that it’s not from someone in the organization or from one of our clients, or a supplier. Opens the email, clicks on a link… You know and can open us up for some exposure.
– Yeah, 75% of threats in Australia last year were led in by someone clicking a link or, you know, forwarding an email or paying something they shouldn’t have. So that’s definitely the weakest link. That’s interesting though, because we recommend cyber awareness programs and training for our clients, and typically internal IT teams do recommend that as well. So that’s a different angle. I’ve heard that before actually.
– I haven’t heard that before.
– The story of the insurance company doing your training.
– Is that built into your premium or is that an add-on?
– No, it’s just an add-on. What it helps the insurer do is reduce the retention for the client.
– Yeah. So if we can be doing our best to ensure that we’re addressing threat and risk, then it reduces the potential for them to… And we work together on, so that’s just around the cybersecurity, but we also work from a professional perspective to ensure that our indemnity cover is being managed by the way our practitioners work with their clients. So there’s checklists that they provide and, you know, as a law firm, we need to make sure everyone’s working at a particular standard not only to deliver the service and the advice that the client wants, but also to make sure that reputational and from an insurance perspective, we’re doing everything we can to ensure that the firm’s protected as well.
– So cyber insurance, I’d like to get your thoughts on cyber insurance. Not just HopgoodGanim, but for other businesses as a CFO, ’cause obviously that helps mitigate risk really, is what it does.
– Would you advise all businesses take cyber insurance and what scenario would you not advise?
– Yeah, it’s an interesting question. We talked a little bit beforehand. You know, 20 years ago cyber insurance was just something. I remember being at one of the previous companies I worked at 15 years ago, and as a board and having directors that really didn’t have an IT background at all. As soon as the discussion around cybersecurity came up, it didn’t last very long. It was just outrageously expensive. No one really understood the risk properly. And it was dismissed really quickly. You know, and our IT department at the time couldn’t translate the level of risk that was involved and, you know, it was just dismissed and probably the client that Brad knows as well from way back. So yeah, it’s changed dramatically because what people have seen is the impact that a threat and an attack can actually have on an organization. It’s taken a lot more seriously now.
– [Jackson] So you think today it’s getting received pretty well, amongst boards and management teams?
– Oh, absolutely.
– With the cyber insurance.
– Yeah, yeah, we talked about, you know, possibly talked about ASX listed companies and the boards and the responsibility that directors have. You know, cyber security is now up there as one of those key risks that directors need to be aware of, and ask enough questions to cover off their duty of care as directors. And you can’t use the old, “Well, I didn’t understand it and I just relied on my IT manager to tell me what needed to be done.” As a director, you’ve got to do a little bit more than that. You’ve actually got to ask the questions you need to ask so that you can understand the ramifications, and the, you know, potential issues that might come to the company.
– So what helped you understand the cyber risk or the threat over the years? What do you think really helped you?
– Yeah, what I tend to do is, I’ve, or normally have a pretty good relationship with the IT team in particular, the CIO or the IT. So having a… And I’m not an IT professional, but I can sit down, and I can ask the questions of my IT manager, IT director, and get some comfort from them, that one, they’ve got a handle on it. You know, they’re using the right sort of consultants to help them. You know, if they don’t know everything, they’ve got consultants that do. You know, and the responses that they can provide, give me some comfort that when something happens, we are going to be okay, or they’ve actually considered it. It’s an area that is constantly changing and our systems and network are constantly changing. And there’s exposure whenever you implement a new system, a new application, new module, is there another avenue that someone can come in from externally and be able to get into the system. So I like to hear that my IT guys are on our big projects. If we’re implementing a new system, they’ve seen before we even start and we start opening up our systems to uploads and downloads and new applications. They’ve actually thought through the implications for firewalls and our networks. So they’ve asked the right questions.
– It’s similar to tax service, right? If you get into something else new in place. That’s something that we see as internal IT teams, especially in smaller businesses, maybe not so much with HopgoodGanim, really do struggle with having cyber security in their wheelhouse because, you know, if you’ve got just an IT manager and one or two offsites, it’s quite hard to have someone who’s an expert in networking, you know, PCs, Microsoft 365, or any cloud applications or infrastructure as well as cyber security. It’s just a lot. So I’m glad you mentioned to definitely seek external advice if you haven’t got that skillset internally, make sure that your IT team has got the right advice. On that same kind of rung, something we’ve seen is technology and cybersecurity from a budgeting point of view are getting really separate, you know, there’s all the hardware and there’s the basic cyber security things you need, like firewalls and antivirus and those kind of things. And you’ve got your cyber insurance policy if, you know, it gets to become a problem, you can enact that to help mitigate risk. But in between that is the more operational piece, people actually looking at your data and/or hiring security analysts internally. Or what’s called a SOC, Security Operations Center. That’s really evolving recently. What are your thoughts on having a different technology budget to a different cyber budget?
– I think it comes back to two key points. One is accountability for the cost and responsibility for the cost. And the second thing is, I guess the level of cost associated with it and how much risk management is key to the organization. And I say the three because they’re important in the way that your budgeting is set up. The way our budgeting is set is that we have that cost spread across a lot of different cost centers because we’ve got an IT manager that will cover penetration testing, the cost associated with getting advisors and consultants in to test the system. He will also have all the systems on his budget. He will have a CapEx budget. We’ll have the insurance component for cybersecurity, which will be on our COO’s budget because that’s what he manages and looks after. You know, I’ll have a component of some of the IT capacity on my budget. We’ll have the learning and training on our learning and development project budget. So we… That’s normally the way budgets are set, so that you’ve got someone who’s got the responsibility for that spend actually managing the cost and managing the way that it moves forward and can say, have a hand in controlling the spend as well. As an organization moves forward and the bigger it gets, if you have something like a chief risk officer, sometimes what you’ll find is that all of those elements will be bundled in together and will be under the chief risk officer’s responsibility because they’re responsible for the risk and managing the risk. So they’ll have the insurance component, they’ll also do the testing on different areas of risk, they’ll manage a risk register, so it becomes their responsibility and it’s their budget component. And we are not at that level yet, but we’re moving rapidly towards having a dedicated risk manager. And our budget system will probably change to reflect that.
– Have you personally increased your budget or spread it across multiple arms, by the sounds of it, you know, some to the IT manager, some to the risk manager? Have you increased your cyber budget in the last few years with everything going on?
– Yeah. And one of the things that… You know, we don’t have directors. Our owners are our equity partners and then we’ve got specific committees that would do the same sort of thing as a board would do. One of the things that is really easy to get your head around is this idea about penetration testing. To have someone come in externally and actually test your system, and see whether it would withstand some external pressure coming towards it. And it’s not just the IT often sending emails to each other and checking the firewall. There’s also practical things, like, you know, having someone come into the reception area and ask if they can use… You know, I’m a client, I would just want to use your meeting room, you know, and someone allowing them to go into a meeting room, where you’ve got laptops and you’ve got other IT equipment, you know, or dropping a, you know, crazy scenario, dropping a USB stick in the lift as you’re coming up and wondering, seeing whether there’s a HopgoodGanim staff member who’s going to pick up the USB stick and stick it into a laptop. All those practical things you don’t think about, but they’re things that you need to take fairly seriously, that physical side of the cyber threat as well, you have to take into account. So it’s interesting to sit down and talk about that. And that budget seems to be something everyone gets… It’s a practical thing. People can say, “Oh, good, someone’s going to test it, and make sure that what our IT guys have been doing and the consultants is actually going to work.”
– So that tangible piece is… Is that an easier, I don’t know, what’s a good term? Like is that an easier sell to the executive, to the leadership team?
– Yeah. It’s pretty, you can talk about that. I can talk about that. I could sell that.
– Yeah. Look and that’s interesting-
– And it makes sense.
– Yeah. So, and some of the preamble, because again, HopgoodGanim, different structure, bigger business if you like, law firm, different risks, you know, and something we’ve talked about outside of this forum is around smaller businesses. And again, not micro businesses, but SMEs, handful of directors, generally, owner directors. Lots of competing information, lots of competing ways to spend your money. What is the best way to understand the real risks of cyber? And that’s an interesting point that you mentioned about the tangible aspect ’cause it is a journey for them to understand, to make it tangible, something so intangible to make it tangible. So I think that’s a good tip.
– For boards nowadays, technology is so important to your business now, it runs through so many different areas of your business. It comes up in so many decisions that boards need to make. You know, the larger companies will quite often have a director that’s got specific IT skills and technical skills, so if something comes up, they’ve got someone around the table, they can actually talk the talk and understand what consultants are saying, you know, so the smaller businesses possibly don’t have the ability to do that and they’ve… Generally got people that understand the industry or understand their business around the table. So when things like cybersecurity and cyber threats come up, it’s really difficult for them to process and understand, and have the awareness that this is why it’s important, this is why we need to spend some money to get there.
– You know, your experience, you’ve been a CFO and responsible for finance for a long time. Risk management being a big part of that. And I know you are big on risk management. What’s your strategy internally on how you look at risks? Let’s say, you have an internal IT team who comes to you and says, “Hey, we want this new tool ’cause it’s going to help mitigate our cyber risk.” By whatever percent, for example. What’s the process you go through internally to decide whether you’re going to invest XYZ dollars on XYZ solution?
– Yeah. Well, depending on the size of the spend, and the nature of the spend, we have business cases. I want a business case prepared. So, you know, if it’s a large spend, then we’re not going to spend anything until we understand what the need is. Why is it a need, how much is it going to cost? Have you gone out to the market to compare, you know, that same particular product with other suppliers? How long’s it going to take to implement? And what’s the benefit that we’re going to get from implementing it? So there’s a whole lot of questions that we will run through and most organizations will, before they actually put pen to paper and actually agree to sign off, and it’s normally up to the person putting the business case together to actually ensure that they answer those questions. And if they don’t, it goes back and they have to come back again with the updated business case. So there’s, you know, depending on the size of the investment, there’ll be a lot of other, you know, preparatory requirements before any approval’s provided on that. And that’s, you know, I’ll have my section of the business case that I’ll ask for information and they’ll ask me to provide information about. You know, how we’re going to fund it and how long the funding’s going to be, and what’s the benefit that we’re going to get.
– So when you do that, you’ve got a CIO at HopgoodGanim.
– Who you basically pushed back on, saying, “Go get me a business case for this.”
– Yeah, he helped me with all the IT stuff, ’cause I’ve got no idea about the jargon.
– Yeah, yeah, yeah.
– I’ll help you with the finance side, together, we’ll put together a business case. But I’ve also got to understand from him, why do we need to invest? So he’s got to get that across the line with me first and then we’ll work together to put together the business case and present it to the owners.
– I think one of the real problems in the, like, right now, is that some CFOs don’t have someone internally they can go to that, you know, is the CIO or IT manager or has any expertise-
– Technical translator.
– Yeah. It’s quite hard. Some CFOs are just like, I’m also responsible for technology, and I see it in businesses that have 60 employees. You know, the CFO’s still the person who has to have the IT knowledge. And then go back to a board meeting or a management meeting and go, “Oh, well, these are the options we’ve got to help them get this risk.”
– It’s a big problem at the moment. It’s a really big problem, right? Like, cyber needs to be seen as an existential risk for businesses. However, smaller businesses that don’t have the CIO, that don’t have that internal translator are relying on third party advice. And there’s always an always… Generally, there’s an element of distrust for whatever reason with a third party. And that’s when you, okay, you might get multiple advice, but again, if you’re paying for advice, this kind of advice from three people, that’s three times the cost. So you’re kind of in this catch situation. So I look… We don’t have the… We don’t know what it is. Like this is a kind of a new frontier. Not a new frontier, but a newish frontier where lots of people are facing increasing risk, increasing challenges, threat actors are more sophisticated. Cyber is out there, it is happening. What we’re seeing, you know, from the technical side, I almost want to say it’s a question of when not if you’re going to deal with something, and if you don’t have the right controls and solution in place, then look out, this could be, you know, business ending kind of stuff. So communicating that to business owners when they don’t have that person internally, it’s really a big issue at the moment. And I guess that’s the struggle we have really at REDD even, is really translating that to business owners, is that you need to take this seriously.
– You almost need an intermediary. In the middle that can translate it for you.
– So what would you do, Chris, if you didn’t have a CIO, but you were… You knew there was a big gap, whether it was, you know, or the way that your team does authentication or that does backup for example, and you need to get advice for it, but you didn’t have a CIO. What would you do?
– I’d be coming to you guys and saying I need a managed service. Because things change so quickly. Even if you’re a CIO in an organization, it’s really difficult to keep up. You know, I know, our CIO, he relies quite a bit on third party consultants to help him and give him some advice, help him with strategy. You know, they can pick up the phone and bounce questions off of. You know, it’s like a CFO, you know, it’s trying to keep up with, you know, legal tax changes. You know, I rely on accountants and my advisors tax and accounting advisors to help me with my job on a regular basis. I just can’t keep in touch with everything. It’s probably triple fold for a CIO, trying to keep in in touch. Quite often larger organizations, it actually works the opposite way. Senior management find it difficult to be able to get things across the line without having a consultant say “Yes, I agree with them.” So it works the other way too. So, you know, we’ve heard from Chris. Yeah. He’s already presented a couple of business cases. Does he really know what’s going on? And I’ll bring in a consultant with me, or an advisor and we both present. It makes a big impact.
– And, you know, look, even with us. You know, I have this conversation often with businesses, and we don’t know it all either. We’re a 50-odd team and, as you said, technology changes so much and there’s so many different facets and there’s so many different configurations and there’s so many different technologies and pieces of hardware, and they all interconnect and interoperate. And that’s why we’ve gone the way we’ve gone, like our security services are with a partner as well, because they have thousands of people, they have thousands of customers they look at. They see all the vulnerabilities across the world, and they can distill that knowledge down to all their clients, because you just… You cannot keep on top of this. And I think this is what people don’t understand: there are a lot of people out there, in a lot of countries in the world, who just want to take what you’ve got and shut your business down and take your money. And it is a lot of work to stay ahead of them, and you’re just not going to be able to do it on your own, so.
– Some stats out there say that last year 59% of businesses experienced some kind of cyber threat, whether it was just a business email compromise or a full ransomware attack, which is quite scary. And just to extrapolate your point, Brad, I think, yeah, you’re dead right that, you know, our partner in the managed cybersecurity space, they look at so many different environments, and as a managed services provider or technology success partner, we see a lot of environments. I think it’d be really hard these days for an internal IT team, which is managing one environment with, you know, a handful of guys, to be fully across the changes that are happening with cyber security.
– Oh, look. I dunno how you would do it. I’m the least technical in this business, and when the guys actually open up and show me all the knocks on the door, if you like, at the perimeter, that are actually happening every day, you know, thankfully 99.9% of them don’t get through. But geez, there’s a lot of knocks. Like, there is a lot of knocks on the door.
– A sobering discussion to have is to sit down with your CIO and say, “Last weekend, how many attacks came in and were stopped at the network?” It’s fascinating. It’s scary, it’s fascinating ’cause, you know, it also shows that we’re doing something right. You know, these attacks aren’t getting through, but the number of attacks which come in is just surprising. The number of emails I get on a daily basis. That if I pushed a button to launch something, I’m sure a skull and crossbones would come up before- You know, and HopgoodGanim.
– Yeah, yeah, yeah.
– They love CFOs.
– Yeah, they do.
– They target and they-
– They like money.
– Keys to the cars.
– Yeah, well, they… I’ve had specific emails come through that have been purportedly from my boss. Asking for payments to be made. And they’ve got the right project that we’re working on at the moment. They’ve got my boss’s name.
– They’ve got… ’cause they come in and they, well, as far as I know, I’m not an IT person, but they’ll come in, and they won’t go… They’ll come in and they’ll see, and they’ll track history, they’ll track the way things are done. They’ll track who you liaise with, and they’ll probably see, so they’re sitting there, they don’t act. So they look for trends.
– They do the homework.
– And the way things are, and then they send this beautifully crafted email talking about a project which is actually going on, where payments are being made. They’ll use your boss, they’ll use some of the language that he’d use. And it was only… I remember it came through when I was out, I was out shopping I think, and I saw it come through and I thought, “That’s strange.” There’s no way my boss would ask for a payment like this. He’s as stingy as… Not my current boss, all right.
– Do I need to cut that?
– You can leave it. He’s probably three or four businesses ago, anyway. I remember thinking that’s quite odd that he’s done that. And I called him, fortunately, I called him. And he said, “No, I haven’t done that.” And I just realized how sophisticated, you know, this could be since then. So I’m always attentive, and I’m getting emails on a regular basis. People just trying to get something out of you. So if I’m getting them, and the rest of the team… I think they say that the weakest link is sometimes the senior managers, who are the ones that should know better. They’re the ones that’ll cut corners, do things a little bit differently to get the job done. But they should know better. It’s possibly not the junior people, it’s more the senior people.
– Or, you know, flip side: under pressure, under stress, meaning to get things done. Lapses of judgment.
– Better pay that $4 million cheque in.
– Yeah. Trouble.
– Yeah, I think gone are the days of the broken-English, you know, phishing attack where, you know, it’s just, “Please pay this invoice, I have changed bank detail.” No more of that. It’s really very sophisticated now.
– Very sophisticated now. Absolutely.
– Which is quite scary. What are some of the things as a CFO that help you sleep at night?
– A good discussion with my CIO, I’d say. And him answering some of my questions, that’s pretty helpful.
– I really, I think the training which Lexon has on a, you know, semi-regular basis is excellent. I think having a culture whereby the organization understands the risk, and is aware of the risk, is important. Internal controls that actually do the job. So we’ve got internal controls that my team look at. It took a little while for us to get the organization to step up to that, you know, verbal checking of bank accounts, you know, so that if we’re paying out dollars over a particular value, we actually pick the phone up and we say, “Just want to check the bank account that you’ve given us is the right one.”
– So that’s on a threshold, or on a sample basis, or?
– There’s a threshold that we have there, and we’ll do it. And the whole organization is aware of it now. When we first pushed it out, it was quite difficult for people: “Do you want us to do that every time we make a payment over X dollars?” Yes, we do. Because I don’t want you coming back to me and saying, “You paid it, you’ve got the problem.” So there’s a lot of reliance on people doing their job, and my people doing their job too.
– Yeah, it’s definitely good advice to enforce a cyber security culture. So some of the ways that you, I guess, create that cyber-conscious culture, is that through the cyber awareness training, or the methods that you use to help get everyone more aware?
– We communicate, there’s the specific training that we have, and we’ll talk to practitioners as well. We’ll go around and talk to ’em about a new internal control or a new form that we’ve got, and talk to ’em about the reasons for that, and then hold them accountable. So we just won’t process a payment unless it’s been done correctly. But it’s really important to make sure they understand the reason behind that, because it’s an impost that we put on our practitioners to get it right. But once they understand, and they’ve got some idea or some of the examples where things haven’t gone wrong, they generally step up.
– So you create policies, and then you actually go and speak one-on-one to, you know, prepare everyone on your finance team about enforcing those policies, so they actually happen, to make sure you’re protected.
– Well, absolutely. Everyone in my team has to be aware of them and has to make sure that they’re done. You know, if we get a payment request through, we want to see certain things have been completed on the request form before we process it. Once we process it, we’re the last one to touch it. We’re the winger on the football team that’s got to score the try. We’re normally the last in the line, so if we get it wrong, big trouble.
– Hmm, definitely. Brad, you have any other questions you have for Chris before we close out?
– Oh, look, we could talk for ages, but look, I think we’d like to talk to your CIO as well. Just validate some of this stuff.
– Or the whole HopgoodGanim team on soon if we keep going.
– all this.
– Well, not a couple of this.
– Is it relevant for this podcast? But, you know, just out of curiosity, so obviously you do have, you know, we’ve talked to Steven, you do have, you know, probably a different level of insight into what’s going on in the world due to the nature of some of the work you do. Have there been any examples of, “Hey, we just saw this… We might want to think about this… We just saw this out in the market, we might want to think about this internally”? I’d say, I guess, what am I saying? Maybe knowledge sharing. Obviously there’s privacy et cetera, but, yeah. Are there things that you see happening, kind of, out in the market that you guys will then bring internally to implement?
– Yeah, yeah. We, you know, each of the, I guess, the back-office managers, we have our own little areas of expertise and people that we talk to at other firms. And you also get some good learnings as well from some of the other firms that have been breached or attacked. And, you know, unfortunately for them, others will use their story as an example of what not to do and how to, you know… Just before the podcast we talked about some examples, and, you know, back in, as early as 2017, there was a global legal firm that, you know, just simple stuff. You know, had a payroll and, you know, they’ve got offices all over the world. They had a payroll system being implemented, and some malware was uploaded with the upgrade, and, you know, they didn’t have their firewalls set up. They’d been told about firewalls. And their MS Office upgrade, or their patch, hadn’t been loaded for some time. They knew that it had to be loaded. And, you know, this malware got in, and within 90 minutes it had infiltrated every office around the globe. They had to go out to all their clients very quickly and say you can’t contact us via email or landline, we just can’t do it, we’ve shut down our systems. And that same firm, even today. That’s 2017, they’re still working through some of the issues that were impacted by that scenario. So just some pretty simple things there. It’s not too involved.
– I think that was a very good example of take it very seriously because it can happen, and if it does happen, it’s not fun.
– Why do you think businesses don’t take that advice when they know stuff’s not patched, firewalls aren’t configured properly? There is a cyber risk there. Sure, they have an internal IT team or a managed IT partner who’s, like, telling ’em this, right. Why do you think that they’re not fixing these issues?
– Sometimes they dunno it’s a risk. Sometimes they don’t know they’ve got a weakness in a particular area, you know. That’s why that penetration testing, and having someone external looking at your system and getting a report from them to say, “Hey, we’ve found these weaknesses and these are the areas that you need to plug.” There’s weaknesses coming up all the time. People are doing, you know… The criminals are doing different things to try and get around, finding loopholes every day, every week. There’s something new that’s coming up. So, you know, there’s the old saying, “You don’t know what you don’t know.” That’s why having third parties coming in and helping us with finding the holes and plugging the gaps is so important.
– Yep. So you get like annual penetration testing.
– Yeah, absolutely, yeah. It’s something that gives us some comfort. You know, we’re never told when the email comes out that it’s going to be the one, but it’s important to know that people are recognizing that’s a problem email, and someone’s doing something about it in a controlled way.
– No, I think that’s a really good takeaway, actually. Just that independent review, audit assessment, penetration testing, whatever you want to call it, focusing on cyber security making it tangible, making it real, clearly articulating the risks, and giving you kind of an action/remediation plan to implement, you know… I think at a minimum these days, any business, small, medium, or large, needs to go through that exercise to just understand the risks, at least. Whether you action or not, that’s up to you, but at least you know, and you understand.
– Well, you know, when it happens, as we were talking about earlier, it’s one of the worst things, again for a small business. If you’re attacked and you’ve got ransomware, it can take your business out.
– Yeah, even if you have cyber insurance, right. There’s still the reputation hit-
– Yeah, that’s right.
– You can’t really recover from, or it takes a while to recover from. I think definitely, even if you have a CIO or don’t have a CIO, you should definitely get penetration testing or some kind of annual review done by a third party. Someone who’s not going to be, you know, biased by what their knowledge is internally, which I guess is the big gap right now, is that, you know, CFOs, internal teams, there’s always going to be gaps in
– And you know, on the example that Chris mentioned, you know, the artifacts can stay in the data. You might not potentially ever fully cleanse your data from the artifacts. So, you know, take it seriously upfront because it’s… It can be bad, and I guess we’re all talking from experience here, so.
– Yeah. And I don’t think we hear nearly half as many of the cyber attacks that are really going on. You know, a company or an organization needs to make a call whether they make it public as well. There’s some laws that require you to make things public, if the impact of that data breach is significant. You know, ASX listed companies, Brad’s probably aware of, they’ve got continuous disclosure requirements, you know. If you know something’s material, you’ve got to do more than just tell your clients, you’ll actually have to go to the market and make an announcement, and talk about potential impacts on your share price and values. There’s some… Boards have got some pretty big calls to make if it does happen. And they can’t stop it from happening, but they can certainly ensure that they’ve got strategies and mitigation plans in place to minimize the impact if it does.
– Yeah, I think finally… Well, it’s a good thing that there’s fines in place now, but it’s good from an awareness point of view that since the large breaches last year the penalties are getting, I guess, larger on directors, just so there is that awareness. Hopefully they don’t get enforced and crush individual people like directors of businesses. But it is good that it helps with awareness, I guess, as well, so. Right, Chris, thanks for coming in. Appreciate your time.
– Really appreciate your insights. It was really good to hear a CFO’s point of view on how the cyber risk landscape has changed over the years. So I really appreciate it.
– No problems at all. Good to talk to you guys.