Cyber security and technology innovation in retail with Rhian Greenway CIO City Beach

Posted on March 22, 2023 in Cyber Security

In Episode 022 of REDD’s Business and Technology Podcast, our host Jackson Barnes (Head of Business Development – REDD) interviews Rhian Greenway, who is the CIO of City Beach.

We discuss how Rhian, waking up at 2am one Saturday morning, could have saved City Beach a world of pain as he went through any CIO’s worst fear, twice, in one weekend! We go through what Rhian learnt from the breaches, before, during and after the event.

After this we discuss how Rhian and City Beach contemplated being in the metaverse in 2010! Plus where technology in retail is heading and what’s next for City Beach.

If you are looking to keep your business safe from cyber threats, contact REDD here!

Recorded Tuesday the 7th of March 2023.

00:00 – Start

00:21 – Intro

00:57 – Rhian’s background in IT

03:29 – How was IT from 14 years ago

04:33 – IT support team in City Beach

05:19 – Cyber breach in City Beach 3 years ago

07:45 – City Beach ransomware attack

10:06 – How was the mentality of the whole IT team when the attack happened?

11:34 – The witching hour

12:10 – How the incident changed Rhian’s perspective on cyber risk

14:22 – Main learnings going through the breach attack

14:46 – Retail’s PCI DSS semi-enforced compliance standard

15:34 – Importance of cybersecurity in the retail business

17:44 – Advice for those who still haven’t experienced cyber attacks

19:51 – Frameworks to align to

20:39 – Importance of technology in the retail industry

23:10 – City Beach going into Metaverse

24:27 – Future innovation for City Beach

26:16 – Importance of RFID tags on clothes

28:40 – Rhian’s take for cyber insurance

32:00 – End

If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website or through any of the links below.

https://redd.com.au

https://www.linkedin.com/company/redd-digital/

https://www.linkedin.com/in/jacksonpbarnes/

https://www.linkedin.com/in/rhian-greenway/

Thanks for watching!

About REDD

REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.

REDD is a leading provider of the following services

  1. Digital Advisory Consulting
  2. Managed Technology
  3. Cloud Computing
  4. Cyber Security
  5. Connectivity
  6. Unified Communications

Our Vision

We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward.

 

You can read the full transcript below:

Hello and welcome to REDD’s Business and Technology Podcast. I’m your host Jackson Barnes, and today we’re sitting down with Rhian Greenway, who’s the CIO of City Beach Group and he’s been doing that for 13, 14 years. Looking forward to getting some insights out of Rhian on cybersecurity. There was a breach they went through some years ago and what learnings from back then, and technology in retail and future thoughts about, I guess, the metaverse and cyber insurance and some other things. So look, Rhian, really appreciate you coming in. Thanks for your time.
(00:49):
Thanks for having me mate.
(00:50):
Mate, let’s start off with your background way back. How far back in IT? Okay, so after studying where to
(00:57):
Go look Studyings an interesting, I put that on hold for eight or nine years before I moved up to Queensland from Victoria looped back with what we called an industry placement at the time, which was a little bit sketchy in terms of working somewhere that did it and then using that to get through last two units. So got through that I think back in, I can’t remember, maybe oh eight, yep. Years just before my credits expired and then actually found it really hard to break into IT roles in Queensland.
(01:28):
Why was that?
(01:29):
I’m like, where should I start with that story? I ended up, so for a long time I had a retail computer business down in South Tweed. So we serviced the small medium business, dental surgeries, all kinds of stuff with whatever they needed as well as the local community. And so I got to the point where I was kind of fed up with that. Being a 50 year old man behind the PC counter didn’t really appeal to me too much. It actually went recently to Ms Y at New Rendale and it was flashbacks to yellow painted walls and boxes and all kinds of horrible stuff. So after leaving that, I got into Cisco networking for a little bit, probably not a startup at the time company called Silver Telecom down in Varsity Lakes. They ran all the fiber through back in the day and after leaving there I was like, oh, corporate seems like a great idea. And every interview was like, do you know how to use Active Directory? And I was like, ah, it’s pretty easy. They’re like, yeah, yeah, but unless you have three years experience resetting passwords, we can’t possibly give you a job.
(02:27):
I was like, are you sure? That’s pretty easy stuff. And they’re like, no, yeah, no, you need three years. So I bounced around through few different bits and pieces and eventually landed at City Beach.
(02:36):
Right. No doubt. That’s probably different now having any IT experience and wanting a job in IT. I think most businesses are screaming for people. It wouldn’t have been need three years of AD experience before we hire you. I’d say
(02:48):
No. Look, we take a lot of store-based staff now, so a lot of our good success stories in the department at City Beach, my infrastructure guy started as a, was he as a stockroom controller? I think Yeah. Awesome. At Garden City years ago. And so he came across, he’s now got more degrees than he knows what to do with, but he’s deep in the space. We’ve recently had a young guy come over from WA to join the team. So in the support desk we try to rotate that through and grow those internal resources.
(03:14):
Yeah, that’s really cool. So staying from retail, so they got experience with the brand already and what the stores do then starting it or whatever, they just come into your team. Yeah, exactly. Really cool. So what was City Beach IT 14 years ago when you first started?
(03:29):
Old is the best way to put it. I remember when we had the little retail store, we had our own PC systems. The company that owned it previously did a lot of work on Cora Drive back in the day doing remediation works. And so they’d built this whole suite of point of sale e-commerce, the whole lot. And so I left that and ended up at City Beach where we had a DOS-based inventory management system and a quirky Delphi 7 POS system. And I hadn’t worked in a lot of other retails at that point in time, but I knew that that wasn’t kind of modern tech and we ran that for a long time. To be fair, City Beach adopted early technology but probably ran that a little bit too long, got to the point where it was just too hard to plug things in. People care about realtime stock levels, realtime interactions between systems and we’re just at a point where we couldn’t do anything. The three week body of work would take eight months.
(04:22):
Right. So then you obviously went in and tried to fix that problem. And then was it a full internal IT support team when you started at City Beach?
(04:31):
Yeah, look, we had three people in the IT support team and two and a half developers at the time when I started.
(04:37):
Yeah. Right. Okay. And then today, how big is the IT team? Closer
(04:40):
To 15 I think. Yeah,
(04:41):
Right. Support
(04:43):
Team has grown a little bit, but we’ve now got data analytics. We’ve got a functional consultant in our ERP space, we’ve got developers, you name it, we’ve kind of got one of everything. I swore we wouldn’t have developers ever again, but I landed a really good guy that’s been a godsend for us over the past 12
(04:59):
Months. Well that’s a hard thing, right? Finding a good developer and then documenting properly. We won’t go down there. Look, let’s let, let’s pivot to, I know you said you were comfortable with sharing this cyber breach that happened at City Beach three years ago. Do you want to explain for the audience what happened back then? Got I have some follow up questions after that. Yeah,
(05:17):
For sure. Unlucky series of events is probably the best way to put it, right. So we suffered two incidents within a 24 hour period unrelated, which is the strangest part I guess. So Office 365 email breach, fairly well crafted email for a rental agency. I think it was one of our younger team members was looking for a house and thought it was an application form for the real estate agent. Popped it up, Office 365 login box and next thing you know we’re in a bit of hot water. So we didn’t think too much of that at the time. I mean the kind of issues that popped off the back of that fairly quickly within half an hour, an hour didn’t seem anything overly suspicious at the time. Reset passwords, all the normal stuff. But nothing really seemed too far out of line, obviously was.
(06:09):
Yeah, so it’s
(06:11):
What
(06:11):
Happened. So the emails got compromised and then how bad did it get? Was it like a full lockdown ransomware or was it just hold some of your data ransom or what happened?
(06:23):
Exactly, yeah, so look for that one, it kind of wrapped itself up a little bit and that was on the Friday afternoon. And so 2:00 AM Saturday morning, whole collection of automated alerts that should come through for different processing overnight just didn’t arrive. So spidey senses, kind of weird things. Started to log in and check everything and that’s when we found the second Easter egg, which was a ransomware attack. Lucky that I woke up would be the overarching thing. Is
(06:51):
That, so you woke up at 2:00 AM Yeah. Wow. Just spidey senses tingling. Yeah.
(06:55):
Yeah. The old software we had used to fail a lot at night and literally took a game and was kind of the witching hour. And so in a routine from 10 years of that. Wow. So yeah, didn’t feel right. Got up, had a look. We were missing the emails we expected. Checked those core applications and they seemed to be humming along, couldn’t get to the mail server, couldn’t get to a few other things, found a few things that freaked us out a little bit and pulled a pin on everything, shut it all down remotely that we could and then rallied the troops and all arrived at the office maybe an hour later
(07:28):
At 3:00 AM Yep. Wow.
(07:30):
Well we actually hard unplugged
(07:32):
Things
(07:33):
And shut everything else down and then called the boys in from GaN at the time is our legal team and very soon after that had the MACRA Nichol guys onsite for the forensic side of things. But yeah, there’s nothing quite like logging into a server that’s been fully ransomwared and wondering if the first part is really, nah, that can’t be right. And then you’re logging into something else you’re like, oh hang on, this doesn’t look right. And then you realize that you’ve got a problem that you need to address.
(08:01):
Yeah. Cause at that point you’d been looking after City Beach IT for over a decade already before that breach, right? Yeah. So you, you’d been so used to logging in there and seeing things working for so many years. So was that was the first breach
(08:15):
So they both occurred at the same time. So we had the
(08:17):
Emails
(08:18):
Breach
(08:18):
On the Friday
(08:19):
And the unrelated ransomware on the Saturday morning, I think it was Star Wars weekend, like May the fourth, 2020, yep.
(08:27):
Right. So 2020. So that would’ve been like COVID time as well. So probably the financial constraints of COVID for retail stores at that time would’ve also had a play. And you, I guess managing would’ve going, oh, what’s next Ron? Well
(08:39):
You just dunno how far it’s gone. And so the first thing is we know we’ve got 60 plus stores, what impact is there? We can see quickly from the head office state is and isn’t working, it’s like how far could that get out? And in the background at that point we kind of just pushed the email thing to the side that couldn’t be a problem. And through that investigation piece we actually found out that the email was probably a larger problem in terms of being a compromised mailbox that had a lot of personal identifiable information in it. Right, okay. And so, you know, can look us up on the list of people that have been popped in the past couple of years. Very good response though from the legal team on that. And I think the quickest at the time case had been wrapped up externally for the governing body.
(09:22):
So how fast did it get wrapped up?
(09:23):
I think we wrapped that up within four weeks. Once you know what you’re looking for, it’s pretty easy
(09:30):
Shout out to the guys over at Grant Nickel and with Gamon, we’ve had both of them on the show are two members from Hoor Gamon and then we’ve had Rob Mcg on the call already. So shout out to those guys doing their job very well. So
(09:43):
It’s still disturbing when they call. Yeah, we chat and we catch up but whenever the phone rings. Oh
(09:48):
Right.
(09:49):
But the first thing that is like, oh no no we must be good. Yeah, yeah,
(09:53):
Yeah. Please don’t me wants to chat. So when that event happened on the Saturday morning and when the rest of the City Beach team woke up, what was the mentality with staff at that time?
(10:07):
Look from the IT team, it was really just all hands on deck. So we kind of sent the bat signal out. Everyone up, everyone came in obviously nervous and kind of drip fed in over the days. They were relevant to what we’re trying to do. And I think we had the rest of the leadership team onsite by 8:00 AM as well. Yep.
(10:25):
And what were they saying out of curiosity?
(10:27):
Look, we all just bunkered down in the boardroom, turned into a little bit mini war room. Everyone was super supportive. Everyone had known the challenges of the environment over the years and it was just a matter of trying to work out what next. So this is where we are, how do we make sure that we can trade? Is there any impact to trade? And if there is, how do we handle that?
(10:45):
Did it lock down the POS systems completely? Is it all stores come down?
(10:48):
No, we were separate actually. Very lucky. Like I said, if I hadn’t pulled the plug we could have been in a whole different scenario. So I think we lost maybe two or three terminals out of 200 and something. Wow. Unplugged them, sent them back. A lot of artifacts scattered around that were annoying and they freak you out a little bit. But no major impact to that. And the e-com site was hosted externally. So real bullet dodged on that one.
(11:16):
Yeah, that’s really lucky that your spidey senses were tingling. 2:00 AM in the morning, you went and checked because usually the dwell time of threats and environments in Australia is like 200 days stuff. Sit there until it becomes a problem. It’s
(11:25):
Super interesting. I remember reading a lot of stuff at the time because you know, kind of get deep in this rabbit hole of who else has been impacted by the same group, what could I learn? What do I need to know? And that witching hour of Friday night, Saturday morning, yeah it’s like your favorite because so many people don’t look at anything until Monday. And by Monday you’re totally cooked.
(11:44):
Internal IT teams, they’re off camping or doing their own stuff weekend and then they’ll alert on the phone. Less importance is during business hour and unfortunately they’re high amount of threats from China and Russia and that’s when they’re awake. Prime time when Australians are sleeping or just kind of winding down. So that’s not a good thing. So how did that incident change your management team’s perspective on cyber risk?
(12:11):
Look, I think from the leadership team. So everyone already appreciated what the risks were. We’re kind of seeing things pop up in the news and it’ll never be us kind of mentality from an ownership level probably pivoted that significantly. So I look back at the historical implementation of the legacy ERP, antivirus disabled because it slowed it down.
(12:33):
No, you’d turn it on, the developer would turn it off, well let him go it, it’ll be fine. And that kind of mentality creeps a little bit as well. So every person that finds that they can’t do something will find some way to work around it. And so you assume you’ve got a fairly safe estate, but there’s always someone out there that’s ahead of you. And so every time we come for renewal it’s like do we really need this? Do I need to spend this money on this antivirus thing? And you would tell hilarious stories, well do you like the money in your bank account because everyone’s out there trying to get it from you. But it wasn’t until this event where it was like, you know what, what’s it going to take to make sure that we are safe and secure? We don’t want to be in the news, we don’t want to shut down.
(13:13):
We need to make sure that we’ve got all of our bases covered. And that’s like we jumped the maturity level so quickly in that space from having what we thought was a good antivirus platform at the time was kind of excluding the legacy, turning it on and off. Cause by that time we got rid of that software, but the guys that got us, they knew how to uninstall that in a way that bypassed all the tamper protection. And so, you know, think you’re protected but you never really are. And the layered approach now is becoming more popular and commonplace. Right? So you plug each individual gap with, I guess, an industry leading tool to try and cover all your bases and then there’s still something new in the news next week that you know should buy or turn
(13:52):
On. Yeah, we had Chris Pkn who was the head of security from Swift Exxon a few weeks ago and we asked him what cybersecurity was like 15 years ago cause he just did cyber for 20 plus years and he said it was a long password and an antivirus tool and that was cybersecurity industry 15 years ago. And you look at it now and there’s so much to it, it’s gone well past firewalls and the email spam filter, there’s so much to it. So look, the next question I got is what was your main learning from going through the breach?
(14:24):
I probably should have pushed a lot more on the security agenda previously. I thought we did a good job of pushing it forward. We moved a lot of stuff off-prem to try and protect against risk, but it could wind back. I think really just being more equipped with knowledge of what was happening in the industry and trying to make sure that everything you could possibly think of was covered. Retail’s interesting in that PCI DSS is the only kind of semi-forced compliance when really there should be something like NIST. The Essential Eight’s a bit weak in terms of what it wants to do, but there should be something out that kind of says as a business you must have these 10 things or eight things in the government sense enabled to protect yourself. And, you know, antivirus is one of those, but there’s just so much more to it. And again, we thought secure passwords, all those things were the winning ticket but just not enough at the end
(15:17):
Of the day. Well now you think LastPass you were secure and then here we are. They had the massive large scale breach. So sounds like there’s definitely some learnings that you had from that time. And the business takes look, cybersecurity risk really seriously. Now compared to before,
(15:34):
I would say we do, don’t get me wrong, it’s not like it’s off the agenda, but you go through cycles. So for the first couple of years it’s like yep, great, excellent. Sign it off, put it in, do it. You get to year three and all the renewals start coming through. You usually do multi-year deals to
(15:50):
The expensive mules. Yeah, yeah.
(15:52):
And so everyone is lined up with what do we need that? And so you kind of have to go through that again sales pitch again of like, alright, you remember what happened? Oh yeah, but that won’t happen again. Yeah, that’s because we’ve got all these things.
(16:03):
Yep. Oh
(16:04):
Do you really need them? It’s like yes.
(16:07):
Yeah. And has your security budget gone up over the years? Obviously when the incident went down three years ago it would’ve been just get us back online, tell us when you’d be secure. Did it drop off in the next year or does it keep going up or what’s, what
(16:20):
Happens for you? We’re interesting that we’re privately owned so we don’t really have budgets so to speak, if it’s a good idea to make sense business case and go to the owners. And so for us at the moment, we’re adding a few things to the stack, which we’re going through that process again, we’re swapping a few things in and out. It’s a more open discussion now. They appreciate the risk and I think it’s helped that in the past three years so many people have been hit that are bigger than us. So if Optus can’t secure themselves and Medibank yeah, what
(16:49):
Do you do? Right? It’s kind unfortunate. But a good thing for internal heads of IT that there’s all this publicity around the recent breaches, the two you just mentioned, but also Black and White Cabs in Brisbane got hit a couple weeks ago and QUT had a scare and oh yeah, breach. Oh that’s a great one in December. Yeah, there’s so much going on which is not good that it’s happening but from an IT decision maker in a business, trying to get budget for cyber stuff and makes things a bit easier as for sure
(17:15):
It does. And that’s a frustrating thing. Speaking to people over the past couple of years, they’re like, what’s the trigger point? It’s like, well it’s a breach until you actually have something that impacts the business. It’s just a hard sell.
(17:27):
What advice would you have for a CIO or head of IT at an internal business who hasn’t had a breach before but really wants to get across the line? The full security operations, MDR or getting vulnerability management or whatever cyber mitigation tool it is in place? None
(17:44):
One depends on the size of your team. So if you’ve got a large team with good resources in house, you can do things a little bit differently, a little bit cheaper. At the time we didn’t, so we had to outsource a lot of stuff. But I think having a really well prepared story, it’s not an argument, it’s a journey. You need to take the board, the owners, whoever it is, you need to take them from where you are to need to be. The Essential Eight’s interesting. That’s a very simplified view on all of that. So you can talk anyone through it. It’s like okay, this one is an antivirus kind of thing, have we got one of those? Yes. Tick is it a good one? Oh we don’t know. We’ll find someone to chat to. But going in with a story that you can talk them through and walk them through and industry specific examples of other breaches is useful too.
(18:28):
Not necessarily through the publicity but really the impact of business. And one of the interesting things I think was a guy from Michael Hill’s security team was talking about in an event recently, the people in the business can also be impacted by the breach. So not from oh my password got leaked, but what did you do necessarily to make sure that you have the right processes in your area of the business as well. And so whether that’s as simple as calling one another to make sure bank details are up to date. So hey Rhian, is this really your bank account?
(18:59):
Did you just change or Yeah,
(19:00):
Not, well it seems odd that it’s in Hawaii, how do you want to handle your money? But I think engaging some of the other business leaders as well, what are you doing in your area to protect against risk and how does that tie back into cyber? Because at the end of the day it’s all kind of cyber risk now, right? Yeah. It’s all kind of bundled together.
(19:18):
It’s what we do here for businesses that trust us with their technology is we put it back to the likelihood and the impact if there is a breach. But you’re right, I think two things you said there, just to recap, we’re aligning to a framework which I think really helps business owners or non-technical people go, ah, that’s the framework. It’s not something that, this one dude told me, this is the
(19:39):
Framework
(19:40):
Of things we should have the organization like the Australian Cyber Security Centre created. So even though that’s targeted small businesses, but what’s your advice on frameworks to align to,
(19:52):
We’re trying to align to both Essential Eight and NIST. So essentially, like I said, it just ticks all the boxes really quickly and it gives you broad coverage. So everything is kind of covered in there, but we have been doing a NIST assessment, I think we are due for the next one. But trying to maintain that level of maturity. So where we were pre is obviously very bad. Where were we post, we came in with a fairly decent score given the work we’d done so quickly. But it’s a more complex view on what you should be doing to maintain your business security levels. So yeah, we dabble with the two one’s very easy and one requires a bit more effort.
(20:28):
So let’s pivot it a little bit out of cyber into just generally technology in retail. How important is technology and how is it going to change the retail industry?
(20:39):
I’ve got mixed opinions. I mean I’m probably not the target demographic for most retail stores. I shop a bit, but I tend to online purchase what I want and maybe hunt down a bargain somewhere.
(20:51):
Still retail.
(20:52):
It is, but I guess you separate the two. So you’ve got your bricks and mortar side of things and then you’ve got your e-commerce. I don’t think anyone’s doing e-commerce with the view that we thought you would 10 years ago. So hyper-personalized digital malls. I look at the original project plan for phase two of our e-comm site and we had some dreams, City Beach TV, our own version of the iTunes store, right? Shopping in some weird Xbox mall that I don’t think exists to this day, but we were going to be the first shop in there.
(21:22):
Wow. And how many years ago was that?
(21:25):
Just over 10. Wow.
(21:27):
Yeah, there you go.
(21:28):
Might be a little bit longer now, but all these crazy ideas and you look around and none of that’s really happening. So YouTube’s kind of stole that content space from anyone. Even if you’re making your own content, that’s where you’re housing, it might be linking it back. So maintain your own infrastructure for that. Like lofty dreams, people, PacSun over in the US are doing some interesting things. We find them relevant cause they’re in our space. They’re a youth fashion retailer over
(21:51):
There. What are they doing exactly?
(21:52):
They’re dabbling in the metaverse a lot, right? Heavily backed by venture capital though. So any idea is a good idea. If it works. NFTs, Roblox or Minecraft, they’ve got a store where you can buy different bits and pieces for your avatar. I don’t know how successful any of that is. Probably not that successful, but it’s interesting, right? Yeah. People buy their skins in all of the games, whether it’s Call of Duty, Fortnite, people are engaging in that online avatar, consumer behavior. So it’s just an extendable step of that. Buy a makes sense, lucid gear and run around in Fortnite. Maybe that’s the next step.
(22:31):
Yeah, we had Ben, the director of technology from Prison Boys college on the podcast a few weeks ago and he was speaking about now when you, you’re selecting your extracurricular activities at high school, you go netball or cricket and then video games you can select and now have coaches that come in and coach you on that game and really run tournaments as well versus other schools. Yeah, it’s a full on thing. So I can see how that would tie back into if there’s a City Beach branded stuff in there that could buy and you can sponsor team. Can we started on those? So how far away is City Beach from going to the metaverse?
(23:10):
Oh God, I think we’re a long way. Okay. I haven’t seen anyone else really do it. I mean a number of the larger brands have done some odd things in that kind of Roblox space as well. I think Tommy Hilfiger’s done a range that you can buy and not dissimilar again to the skins and the other games are trying to capture different age brackets. I don’t think we’re anywhere near that but it, it’ll pop up at some point in the next couple of years. As soon as someone gets some traction in that space and there’s tangible revenue from it, everyone will be clamoring to get in there. Yeah,
(23:38):
I think about 12 to 18 months ago everyone was hopping, everyone was talking about their metaverse and it was kind of like, oh, all these shops are going to go in there. And I think, did Nike do one? I think Nike did one, right?
(23:49):
Yeah, I think so. I think a couple of the big brands have doubled down. Snoop bought all that land in the metaverse. Yeah. But it’s kind of waned and I don’t know whether that’s through NFTs kind of losing their shine because you don’t hear anyone talk about bored apes anymore,
(24:02):
Right? Waves because crypto tanked big time and then here we are, the economy after that is not in a great space. So people having extra funds to spend on City Beach NFT shirts and things or skins for the people.
(24:19):
More great news from the RBA today.
(24:20):
Yeah, yeah, yeah. Good times. So what future innovation is the team at City Beach working on?
(24:27):
Look, there’s a huge focus on e-com. So yep, we are launched in the US and New Zealand direct for the first time last year. So growing that US channel is high on the agenda in terms of how we do that. The team’s kind of kicking around ideas. We’ve got a bit of a bag of things that we put on hold late last year. So we kind of got through peak. They’re all bubbling back to the surface. I wouldn’t say necessarily a lot of them are super innovative, but additional lines of business. So whether that’s ship from store, we’re trialing click and collect, we’ve got RFID-ing, there’s a whole collection of things that makes sense. But you’ve got to see tangible results again. And RFID’s a fantastic technology. It’s really high price to get in the game, particularly with the product ranges broad as ours. So looking at some of the global players doing it makes sense. Like Zara, fully RFID enabled from supply chain all the way through to retail shop floor.
(25:20):
So when you say expensive, what are we talking here to get after? A tag on clothes is expensive. Yeah,
(25:27):
Yeah. You’re looking at, so we’re tagging locally at the moment. So I’ve got three pilot stores we tag out of our DC. It’s from memory about 8 cents per tag. And so 20,000, 30,000 cycling
(25:43):
8 cents adds up pretty quick.
(25:44):
It does. And it takes the source tag, which is great. So all your vertical product to get it tagged in China, it’s a lot cheaper or wherever you’re getting your goods manufactured. But you need to really commit to the concept of RFID. Cause if you’re going to do it at the supply chain, you need to get all your branded suppliers on board as well. But everything from finding goods in store, accurate inventory, there’s no other kind of guaranteed way to deliver that result.
(26:06):
And what’s the advantage of RFID clothes? Is it that exactly? Which one? When someone was online, is it the theft side in store or what is what’s Yeah
(26:16):
Advantage? Two key things that come to mind for me. So one is a stocktake cycle can be a lot quicker. You can stocktake a store once a week in a couple of hours as opposed to maybe once every six months with physically scanning everything. You can wander the store quite quick. Oh right. Cool. So that identifies your theft a lot quicker. You missed opportunity for products that aren’t in store that customers might want. The other one is finding products. So if you’re doing one hour click and collect and you can just walk around with a Geiger counter until you find that t-shirt or the shoes or whatever it is, you can turn those around a lot quicker as well. So you’ve got a real time inventory in store, you can integrate it into your security system if you want to get that fancy. They do that. I’m trying to think where I was. Uniqlo, they’ve got the RFID checkout, we just drop everything into the basket
(27:02):
And it just goes $32 or whatever for the stuff. And then yeah,
(27:06):
Unless you juggle your clothes around a lot, it doesn’t pick them all up. And then you have this embarrassing moment at the front door where they’re like, Hey, there’s a pair of shorts in your bag that we don’t think you’ve paid for. Oh, I put them in the thing. They’re like, yeah, no, it doesn’t work like that.
(27:19):
Yeah. Yeah.
(27:20):
There’s quirks to it, but there’s so many opportunities in that space and not that you would get rid of all your counter staff, but if you could have six tills manned by two people as opposed to six tills manned by six people, that could be four people on the floor giving customer service
(27:33):
And customer experience. Right, exactly. And then I guess the customer experience of just dropping clothes in a basket versus going, waiting in a line, scanning everything and then checking out technology I think for customer experiences is where it’s at. Most people look at just automatic processes, but customer experience is a big thing. Yeah, it is. But I think it sounds like we say at where we want to stay on the cutting edge, not the bleeding edge of technology. And I feel like that is the bleeding edge. So right now
(27:57):
You just described. Yeah. Yeah. Look it is. I mean all the retailers doing RFID and all those add-ons really well, all fully vertical. And so everything they make is their own. They’re tagging everything. It all comes through tagged. It’s a very different journey to ours, but we still see value for it in our market.
(28:15):
One question which is back on the cyber front also I wanted to get your insights on is cyber insurance. A lot of businesses that we speak to that are similar to your size are actually opting to self-insure and not get cyber insurance where others are just going don’t understand technology, just throw a yes. Cyber insurance at it and others not getting it because there’s multiple questions. What’s your thoughts and advice on cyber insurance? Now
(28:40):
We are insured. Yep. Post, so we had a portion of coverage previously, which was a drop in the ocean with what we could have been up for. We didn’t pay any ransom as a thing. But there’s coverage for that now, right? So certain insurers will actually cover you paying 10 million to some random Bitcoin address in wherever. I think there’s value to it, but you really need to know what you’re getting for your money. We’re seasonal. And so this spike in retail sales, we have to cater for that as opposed to if you’ve got a flat line business where revenue is kind of the same or you might opt to insure it differently, but you also want to make sure that if you are going to claim that you’ve done all that homework. So back to selling to the board, all the things that you need in place, whether it’s internal pen testing, external pen testing, independent reviews, business continuity planning, all those things need to be in place. And they’re all tick boxes on that insurance form every year. Do you have this tested this? And I would hate to be in a position where you’ve taken cyber insurance and you claim it and okay great. Where’s the pen test results? Yeah. Oh yeah. Or can we have a look at what you had turned on enabled and talk us through it and you’re missing three things out of your Essential
(29:51):
Eight at that point. You just say it was in the data got encrypted. I can’t get it for you.
(29:55):
It’s all gone.
(29:56):
Yeah, everything you just said, no, you’re right. That is a big problem. And I spoke to a business last week actually and who had some gaps in this cyber cruise act and no cyber insurance and they actually got declined. Yeah, okay. ’Cause they were like, oh yeah, well they have MFA on everything they had on one application and there’s just so many gaps that the cyber insurance just turn ’em away, I think. Yeah. So where do you start with that? Right. But I think right now all the cybersecurity things that you mentioned become so expensive, but the impact for someone like Mitch to get hit, which you’ll probably curly aware of now is very large. So it’s worth investing all these tools, but it’ll get to a point where all the cybersecurity tools in the world, we get to a price where it’s same as just paying the ransom once a year.
(30:40):
Hopefully. Hopefully. No, that could be terrible. Yeah. I mean there’s so much overlap in the tools as well though. And so we went very heavy on E5 Microsoft post and that instantly just solved all the gaps we had at the time. But three years on, it’s not a bad product, but it’s not really targeted at doing anything properly. Right. Yeah. You’ve got a good antivirus component, which they call an MDR now. You’ve got,
(31:04):
Everything’s a DR of some kind now. Ah,
(31:06):
Exactly right. You’ve kind of got a secure email gateway, but not really. Mimecast is still making a fortune, selling a barrier at the front, right? And so as a small business, probably not a bad investment, but there’s so much stuff in marketing to make sure that you’re really plugging the right gap with the right tool. We’re in the process of ripping out one tool, putting a new one in. We see benefit in that and we’ve managed to break even on the licensing cost. But you could very quickly get in a position where you’ve got 30 things plugged in. They all do the wrong thing. They all conflict with one another. Yeah. And I mean create your own security hole, right?
(31:40):
Yeah, we definitely recommend for really small businesses to get business premium and leverage as much as possible. ’Cause the cost benefit is actually pretty damn good for small businesses. I know it doesn’t really stack up when you get to the depth of cyber protection at City Beach would require. But small businesses have been particular like’s. What it does for the 30 bucks a month per person is pretty damn good. Look, mate, really appreciate you coming in and sharing insights around cyber and retail and where it’s going and what City Beach is doing. Anything else you want to share before we close out?
(32:07):
No, that’s it mate. Thanks

Posted By
Nigel Heyn
Founder & Executive Director
Nigel Heyn is a passionate, business and technology centric entrepreneur. With a natural instinct drawn towards technology, Nigel, under the guidance of his father, successfully built his first desktop computer at the age of 8. This started a journey of research, innovation and technology exploration that continues today. Nigel has successfully built several companies, all underpinned by the desire to leverage technology smarts in order to positively influence business models and realise stakeholder dreams. Leveraging a vast network of global contacts established over many years, Nigel thrives on learning what best practices exist in order to provide digital excellence for his clients'​ successes. In order to achieve true success, Nigel understands the importance of building a team of the best talent available and thus welcomes the opportunity for those sharing similar dreams to reach out and be a part of the vision. In the words of Walt Disney, “If you can dream it, you can do it”!