The Godfather of Cyber Pt 3: Darren Hopkins on Business Security & Cyber Resilience
Kicking off the first podcast for 2025, host Nigel Heyn sits down with The Godfather of Cyber Security and a Partner at McGrathNicol, Darren Hopkins, for a deep dive into cyber resilience.
From emerging threats to strengthening your organisation’s defences, Darren shares critical insights every business leader needs to hear. You’ll gain practical strategies for safeguarding your data, navigating compliance challenges, and building a strong cyber-aware culture.
Whether you’re an IT professional or a business owner looking to enhance security, this episode is packed with valuable takeaways. Don’t wait for a breach to take action—learn from an industry leader and protect your business today.
How are you strengthening your cyber resilience? Watch the full episode now.
#CyberSecurity #RiskManagement #CyberResilience
00:00 – Start
00:30 – Welcome to REDD’s 2025 Podcast
00:52 – Cybersecurity: Are We Winning or Losing?
02:00 – The Battle Between Security and Convenience
03:09 – The Cost of Complacency: A Ransomware Reality Check
05:45 – The Growing Threat: Attackers Are Adapting
07:38 – Ransomware Payments: A Rising Crisis
09:36 – Preparedness Matters: Incident Response and Planning
11:11 – Legislation Changes & Mandatory Ransomware Reporting
11:37 – Brand Damage & Negotiating Ransom Payments
14:18 – Cybercrime Trends & AI-Driven Threats
18:19 – Supply Chain Risks & Real-World Cyber Attacks
22:11 – Evolving Cyber Threats & Attack Methods
26:35 – Regulatory Changes & Government Involvement
28:08 – The Need for Cybersecurity Standards
33:18 – Cyber Security in 2025
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below. https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/nheyn/
https://www.linkedin.com/in/darren-hopkins-5844469/
00:00:21:21 – 00:00:35:17
Speaker 2
Welcome to REDD’s Business and Technology podcast. The first one for 2025. And I’ve got a very, very welcome old friend to the business of REDD, Darren Hopkins, here. The Godfather of Cyber. Darren, thank you so much for being our first guest for this year.
00:00:35:22 – 00:00:43:10
Speaker 1
Very happy to be back. And I think this is now the trilogy. That’s right. You’ve done this a couple times before. Always love coming in and having this conversation.
00:00:43:21 – 00:00:59:38
Speaker 2
Oh. Look, Darren. Love everything you do. You know, you’re genuinely passionate about helping businesses of all sizes be protected by, you know, something that’s ever increasing. And, you know, this is the Godfather series, part three. I’d like to say godfather of cyber, Darren Hopkins. So don’t look. Now I need to introduce you to. Everyone knows that you’re, you know, the best in the business.
00:00:59:38 – 00:01:10:13
Speaker 2
But tell us, what are you seeing? What’s. Since we last caught up with the world going in cyber? Are we winning the battle? Losing the battle? Like, just share what you’ve been saying.
00:01:10:15 – 00:01:29:51
Speaker 1
Look, I don’t think we’re going backwards. That’s a good thing. I had to think about what the last 12 months have looked like since we’ve done the last one of these. What’s changed? What have we seen? I tend to normally go and think about what incidents have I done, because incidents quite often tell me what a business is doing to protect themselves.
00:01:29:51 – 00:01:54:09
Speaker 1
And where are we falling victim and what are we not doing enough of? And we had plenty of interesting incidents come through last year into the business. The thing I like about an incident and, you know, people think we’re crazy because we deal in that world of crisis, is you get lessons learned that you would never, ever get without actually being through the crisis and actually coming out the other end and then having an opportunity to think about, okay, what happened, what had happened, and how do we fix it?
00:01:54:14 – 00:02:15:36
Speaker 1
So if you can start to take some of those lessons and then bring them forward. Last year I saw a lot of good movement in the things that we’ve been talking about in the various conversations. How did you know? In our previous podcast, we talked about, you know, what are the things that businesses need to actually start to do and implement and change to reduce the likelihood of these things happening?
00:02:15:36 – 00:02:43:06
Speaker 1
I’m seeing that, which is great. Awesome. I’m also seeing the, you know, the people we’re protecting ourselves from taking some lessons learned, adapting their own businesses and their business models and being better at attacking us. And that’s not great. I’d love to say that I saw this huge shift in good cybersecurity across the spectrum. We didn’t. We saw a lot of good movement, but there’s still a lot to be done.
00:02:43:21 – 00:02:57:39
Speaker 1
And we’re still seeing, even right up until the end of the year, the basics are still there and not being sort of focussed on yet. We’ve still got this little conversation that seems to pop up, which is security versus convenience. I don’t want to do something because it’s not convenient.
00:02:57:48 – 00:02:58:25
Speaker 2
Yeah.
00:02:58:30 – 00:03:19:58
Speaker 1
And we’re still looking at, you know, some businesses and some organisations struggling to see the value in spending on security. And it’s a hard one. If you go off and invest in some security products or support or some work in that space and you get through a year and nothing happened, you should basically see huge amounts of, you know, events happen.
00:03:20:00 – 00:03:37:50
Speaker 1
That’s great. It’s just working as opposed to what we’ve quite often seen, which is, well, nothing really happened. I mean, do we need to spend that money? There’s this assumption that you just dodged a bullet, and, I even heard a story this week, which was quite scary as a business. Had a ransomware event last year.
00:03:37:55 – 00:03:56:55
Speaker 1
Quite bad. Went through it all, were insured. Great. So they actually had an insurer and a range of other experts helping them through. Have read some statistics that say, you know, if it’s your time, you know, it’s usually one on a ten year event. So they didn’t renew their insurance. We’ve had our event. Where? Okay, now we’ll save some money.
00:03:57:00 – 00:04:18:54
Speaker 1
And they got hit again about three months after not renewing that policy and had to do it themselves this time. So you get a little bit of everything. We always are looking to try to capture information about what’s actually happening. For a number of years, we’ve been recording information about ransomware in the country, something we’re quite passionate about.
00:04:18:59 – 00:04:43:41
Speaker 1
I think I’ve spoken about this in a previous podcast where we sort of say, well, why did we do it? And it all started with, you know, experiencing businesses, having to find huge sums of money to pay organised crime. Yep. And with a form of background in law enforcement that really bugs me. I mean, if we are basically paying organised crime and building an ecosystem to harm us, it doesn’t make any sense.
00:04:43:46 – 00:05:02:40
Speaker 1
So we were tracking that data and we’ve done our research again, and we do the research with YouGov. This year we went out to more than 500 businesses in Australia of deliberately different sizes. The research is often criticised, interestingly enough, by my peers in the market. I’ve seen some interesting.
00:05:02:51 – 00:05:03:18
Speaker 2
Of course.
00:05:03:18 – 00:05:24:11
Speaker 1
Feedback on that. It’s not what we see. And I expect that to be the case. We’ve deliberately tried to do a piece of research that looks at small businesses, medium businesses, large and enterprise. Most of my peers, including our firms, sometimes tend to only see maybe large businesses falling victim, those that can afford big insurance policies.
00:05:24:16 – 00:05:41:09
Speaker 1
You know, someone that can have an incident response team on demand. So our view is skewed. We don’t see small business. We don’t get an opportunity to help not-for-profits all the time, as much as we would like, in a country where 90% or more than 90% of our businesses are small. We were never seeing that.
00:05:41:09 – 00:06:00:18
Speaker 1
So we deliberately wanted to see what is the real focus across the country of this issue. And that’s why our stats seem almost alarmist when you start to look at them. And I brought some copies with me today. So this year we saw an increase in our stats from previous years. So for a while it was going down, which is great.
00:06:00:23 – 00:06:18:45
Speaker 1
You know, fewer people falling victim, fewer people paying. What we’ve gone back to this year, we’re back up to about 69% of the businesses that were surveyed have actually had a ransomware attack in the last five years. That’s way too high. More importantly, what we’ve sort of pulled out of this one, when you have a look at it, is more than 80% of them decided to pay a ransom.
00:06:18:50 – 00:06:25:39
Speaker 1
And that’s the stat that you don’t want to see. So if you fell victim, there was a good chance that that was going to pay. And that’s going up.
00:06:25:44 – 00:06:32:42
Speaker 2
And usually they’re paying that ransom because they’ve got no other choice. Right? They don’t have the backups. It didn’t have the hygiene. Like literally that’s the only way they’re going to survive.
00:06:32:47 – 00:06:53:19
Speaker 1
Yeah. And we’ve asked the question why? I mean, that’s really important. You know, connecting that to that point. You know, previously last year we were making payments to, I mean, because we Australian business and Australians have generally got this great culture of wanting to help people. That’s what we’re known for. So I was about, well, if I pay this, I’m going to minimise harm to others.
00:06:53:24 – 00:07:08:31
Speaker 1
I’m going to I’m not going to make it any worse. I’m not going to see that data get leaked onto the dark web. I’m not going to have this guy by incident causing further harm, and all I’m being asked to do is pay money to reduce that likelihood. So there was a lot of decision making at boards and executives around.
00:07:08:36 – 00:07:25:13
Speaker 1
That seems like the right thing to do. And funny enough, our insurer has got to cover the payment that sort of legitimises that a little bit. And at the same time, it feels like, you know, something that we need to do to remediate this. And as long as it’s legal and we can do it and we’re told it is, there’s nothing wrong with it.
00:07:25:13 – 00:07:44:49
Speaker 1
That would be the play this year. It changed a bit. Disruption was one of the reasons we’re paying. And to your point, we are seeing these groups getting really good. And when they get into your systems causing lots of damage, taking out your backups, being able to come back in over and over again. Yeah. So you might start to fix it.
00:07:44:49 – 00:08:02:28
Speaker 1
And then someone would come back in and unwind all that work and actually going through and shutting your business down. That interruption is real every day. You can’t try it every day. There’s no system, there’s a cost. And we’ve even seen, this year, some businesses, you know, who were not able to get on top of the attacking a continued.
00:08:02:33 – 00:08:11:25
Speaker 1
So not just one they’re in and they’re out. And then you have to make a choice that were coming in day after day and to the point where we’ve just got to stop it.
00:08:11:25 – 00:08:12:13
Speaker 2
Cripple this.
00:08:12:18 – 00:08:14:58
Speaker 1
Yeah. So we can pay and we’ll stop.
00:08:15:09 – 00:08:21:37
Speaker 2
Yeah. Wow. So that’s interesting sentence that really warrants that, which I would like to drill on a bit further. So 88% have paid ransom last year.
00:08:21:39 – 00:08:25:33
Speaker 1
84% of businesses that suffered ransomware, in the past five years paid it.
00:08:25:33 – 00:08:27:07
Speaker 2
Wow. That’s scary.
00:08:27:12 – 00:08:32:28
Speaker 1
And we’re up to 1.35 is the average payment now.
00:08:32:32 – 00:08:33:34
Speaker 2
1.35 million.
00:08:33:43 – 00:08:49:41
Speaker 1
Yearly? Yeah. So significant. When we have a look at the underlying stats, there are some small payments. I mean, you’re not going to get a small business asked to pay $1 million. They can’t find that money. The payment amount will be something that’s reasonable that someone can get. But if you’re a bigger business, they go to hospital millions.
00:08:49:46 – 00:09:06:37
Speaker 1
And the stats actually showed some significantly large payments that were made that sort of pushes that stat up. We asked businesses, what would you be willing to pay? I mean, that’s a different question. So if you said this, the scheme, you haven’t had an incident and you fell victim and that was there, what would you as a business be willing to pay?
00:09:06:37 – 00:09:27:59
Speaker 1
It was 1.4 million. They’re willing to pay more than the actual average. And that sort of goes a little bit to the sort of thought process around why. And we run tabletop simulations and exercises over time to give businesses an opportunity to practice incident response. Yeah. Don’t make your first incident response the real one. Yeah. Go in simulated.
00:09:27:59 – 00:09:34:17
Speaker 1
Try it. Make sure your plans are working. Make sure your technical teams know what they’re doing. Does disaster recovery work on your backups? You know, so that’s great.
00:09:34:17 – 00:09:40:49
Speaker 2
Well, not like that. Just know who to call. I’ll go. I send that to people. If the systems are hacked in your phone. Sit down. Do you know the phone number of. Who are you going to call?
00:09:40:49 – 00:09:57:54
Speaker 1
Yeah, and there’s a big team you need to call. Yeah, you need a service provider. You need your. I tell you teams I need to be on because I’ll be working around the clock. You need some incident responders. You might need comms and legal. All of those things come together. So you have to do that. When we’re having a look at some of the stats that were sitting around the actual.
00:09:57:59 – 00:10:19:25
Speaker 1
Yeah. What are you going to do and how quickly? There were some stats. They say that, well, we’ll pay quicker now. We will absolutely negotiate with threat actors. That was a very common thing. There’s a lot of reasons why. And those simulations we do, most of them we get to the point where even I can justify that negotiating with the threat actors is probably a good thing.
00:10:19:30 – 00:10:39:45
Speaker 1
Yeah, there’s a lot to be gained. They want you to pay, but certainly sometimes there’s definitely benefits in doing that. And I think we’ve gone to this spot now where it’s a little bit too easy. I’ve been talking to various law enforcement groups. And, you know, they’re sort of asking questions as well, you know, why are we so willing to do this?
00:10:39:45 – 00:10:58:26
Speaker 1
And, how do we better engage with organisations that need the help for that is there for them? And how do we remind, organisations that, you know, there are mechanisms to make a phone call? We you might have the federal police come in to do what we want them to do, which is actually investigate who’s responsible and shut them down.
00:10:58:26 – 00:11:00:24
Speaker 1
And we’re not seeing enough of that either.
00:11:00:28 – 00:11:04:04
Speaker 2
We’ll talk about legislation changes. What other findings have you got from your update?
00:11:04:13 – 00:11:25:35
Speaker 1
Well, one interesting thing that came out of it is, we were thinking leading up to this, there was all this talk about this new ransomware bill that was coming out, which was, it’s a cybersecurity bill which actually had mandatory reporting of ransom payments. So you now, if you make a payment, a ransom payment, and you, within the grounds of that, that new act.
00:11:25:39 – 00:11:43:48
Speaker 1
So you’re a business of the right size, you have to tell the government if you pay. So that’s a new law. So great. The expectation, I think, was that that’s going to stop people paying. If you have to tell someone that you’re doing it, you can’t hide it. That’s not a great thing. We asked the question. Majority of people thought that you should pay.
00:11:43:48 – 00:12:06:01
Speaker 1
You should be telling them anyway. So there was no issue with telling anyone. And you know, we had 79% of the business. They did say it should be mandatory to report ransomware. So we already had the majority of businesses happy to tell. So that legislation of reporting probably won’t shift the dollars much. I already know some businesses that have already paid, and when we said, well, you know, you have to you know, there’s an obligation to now.
00:12:06:01 – 00:12:26:27
Speaker 1
So that’s fine. We will do that. What else do we have in here? We had, certainly, an acknowledgement of the brand damage that occurs. And that’s also one of the things that, you know, we’re trying to do. If you can get off and deal with this quickly, you can minimise brand damage. 65% of the businesses that actually paid negotiated.
00:12:26:40 – 00:12:33:01
Speaker 1
That’s a weird stat. Actually, I’d be suggesting if you’ve got to pay, 100% of you should negotiate. Yeah. I mean, don’t pay more then.
00:12:33:01 – 00:12:38:15
Speaker 2
Negotiate with the threat actors. Maybe that’s a new business. You know, I’m I’m a tab. I’m a threat actor broker as well.
00:12:38:15 – 00:12:59:00
Speaker 1
Is, there’s discounts to be had. In a lot of the negotiations we’ve watched and seen run through, you will get a discount if you’re looking to pay. Yeah. Hire a negotiator. They’re out there. That’s what they do. And they will often get you a 40% discount, you know? So it’s no different to going to JB Hi-Fi.
00:12:59:04 – 00:13:02:12
Speaker 1
Don’t pay what’s on the ticket. Don’t talk to.
00:13:02:16 – 00:13:02:51
Speaker 2
- Do.
00:13:03:00 – 00:13:12:50
Speaker 1
So yeah. That’s what you. Yeah. But yeah. So there was those things and a lot of the payments were done quickly too, you know. Quite often this whole process was played out in 48 hours.
00:13:13:03 – 00:13:22:49
Speaker 2
And the insurance companies that they were reducing the, you know, I guess if they to willing to pay the, the ransom, wander out of saying no or is it just status quo, all of them are still able to do it.
00:13:23:00 – 00:13:29:04
Speaker 1
There’s always been restrictions in whether or not they’ll refund you. So an insurer won’t pay your ransom.
00:13:29:09 – 00:13:29:16
Speaker 2
And.
00:13:29:31 – 00:13:50:20
Speaker 1
They’ll refund you. There’s always been fine print that they will not touch a sanctioned entity. So if they’re a terrorist organisation or on a sanctions list, no, you can’t. And actually, when you’re talking about legalities, you can’t go off and, you know, pay terrorists. You can’t pay a sanctioned entity. That is actually against the law. So you’ve still got to make sure you’re allowed to do these things.
00:13:50:20 – 00:14:04:34
Speaker 1
Then when you sort of step back into, okay, well, I can make a payment. There’s a whole lot of sort of ways of determining how that’s going to happen. And you’ve got to get a negotiator in who will do that for you. Or you’ve got to do it yourself.
00:14:04:39 – 00:14:18:29
Speaker 2
Do you have stats on the percentage of various countries that, doing more of these attacks was on? Know when we lost, you know, caught up there was a fair bit from the Eastern Bloc. Is it tend to be there or is it shifting around the world to, to different, you know, resource centres or.
00:14:18:34 – 00:14:34:03
Speaker 1
We still see, oh, last year a lot of the groups changed. So we are seeing a lot of new groups coming through, some of the older ones disappearing. Law enforcement was very successful in disrupting quite a lot of groups last year. So you see the traditional ones that you used to start to disappear a little bit.
00:14:34:03 – 00:14:53:30
Speaker 1
LockBit was an example of one of the bigger groups that was heavily disrupted. It still seems to be, you know, certain countries through that part of Europe that are responsible for a lot of them. Yeah. We, yeah, you tend to not see a nation state attacking a business or doing that for the purpose of making money.
00:14:53:34 – 00:15:16:52
Speaker 1
Quite different reasons for those types of things. We would have anyone that was watching the US elections, you know, playing through. I’ve seen some press around Salt Typhoon, which was effectively allegations that Chinese, you know, hacking teams were actually attacking various parts of the US to try to get information to influence, you know, the actual elections over there.
00:15:16:57 – 00:15:42:19
Speaker 1
That’s a normal thing. Yep. A lot of the information coming out of countries like North Korea indicate that, yes, they’ve got great teams doing these things for two reasons. One is to make money and the other one is to have an offensive capability in this space as well. What we did see change, though, was at the lower end of what used to be something that most businesses may have seen, which is a business email compromise, where you lose your email account and that fraud is facilitated.
00:15:42:19 – 00:16:03:22
Speaker 1
Through that, you either pay something, you shorten, or someone tries to change bank accounts, or at some point someone loses money. We saw those attacks getting better, much better. So we started to see AI coming into the mix now. And I mean used to help create documents that look real or make sure the language in the email communications is better.
00:16:03:27 – 00:16:07:36
Speaker 2
And even deep fakes to, you know, call someone to validate it. But that’s actually. Yeah.
00:16:07:39 – 00:16:27:24
Speaker 1
Right. Yeah. And there’s great tech. Yeah. Voices, video. All those things are good and we’ll see more of that. I think we haven’t seen a huge amount of it, but it’s certainly there. There was some news. It was in the Courier Mail not too long ago. And it was in a lot of the other news groups as well in relation to a case.
00:16:27:25 – 00:16:46:04
Speaker 1
It’s gone through the court on one of these business email compromises where a business has lost their email account, and the threat actor has gotten into that and then tried to defraud somebody else. The business that were trying to defraud fell victim to it. So they tried to do some good things. I tried to make phone calls to validate bank accounts.
00:16:46:04 – 00:17:15:21
Speaker 1
I couldn’t get through anything. They made the payment and they lost that money. Yeah, that’s gone all the way through the courts. Yeah. The business that lost the email account that had someone in it, no doubt they’ve lost control of the email that the person that was using that account was a threat actor from somewhere else. They’re the ones that have sent all of the, you know, the fake emails and managed to process the business that paid has now been through the courts said, I’m sorry that’s on you, even though they had been hacked.
00:17:15:21 – 00:17:40:12
Speaker 1
And yes, that other businesses accounts should have been secured. And, you know, that’s what’s happened. It’s on you to actually control your side of that equation. So it’s your responsibility to make sure you don’t pay. And that was not something we were expecting. If someone’s clearly had their account taken over and someone’s using it to attack you and it’s a real account, so you can’t stop that email coming through because it’s a real email, your system won’t detect it as being fake because it’s not as real.
00:17:40:17 – 00:18:05:12
Speaker 1
And as long as the language and everything else is good, it’s really hard for people to know that’s not real, because that’s what they rely upon. It’s still on you to make sure that you do everything to make sure that you don’t make that payment. So it’s just something for all of us, where you have those relationships with clients, where it’s very familiar and you’ve been working with them for years, and you may get to that part where I’ve got a regular payment going through and you’re not too worried.
00:18:05:16 – 00:18:08:38
Speaker 1
You still need to challenge almost every time, just to make sure you check.
00:18:08:42 – 00:18:30:46
Speaker 2
Yeah. We’ve spoken about supply chain risk. You know, like we’ve seen this, I think, you know, probably than the last six months. And so most of the, impacts that we’ve had to be involved in remediation have all come from some sort of, supply chain risk, you know, down the chain has caused an issue that, you know, and there’s just you said use a well familiar polarity, like people just, you know, take things for granted, you know.
00:18:30:46 – 00:18:46:09
Speaker 2
So can you give an example, I guess, to the people here listening? Most of the people that, you know, listen and watch are business owners or business leaders and desensitised. What’s one of the worst, you know, examples that you’ve seen that could have been mitigated?
00:18:46:13 – 00:19:04:52
Speaker 1
Oh, there’s so many. I’ll pull together safely a story which is quite recent. So many aspects of one of our attacks could have probably been stopped. And then the business has to think about it. They’re already making changes. So we saw an attack that started with something as simple as someone looking for a job.
00:19:04:57 – 00:19:30:27
Speaker 1
So an email comes through saying, hey, I’m looking for a job. I live, you know, 4 or 5 hours north of where you are. I’m moving into the city. I’d love to have an opportunity to work for you. I’ve seen what you do. Right. Sends an email through. In the email, it might suggest I’ve been told that a good way to actually get a job is to have a website with my CV on it to show you that I’ve got some tech skills and I’m serious about this.
00:19:30:27 – 00:19:35:35
Speaker 1
I’ve done that. I’d really appreciate if you’d have a look at my CV and if there’s any opportunities, let me know.
00:19:35:40 – 00:19:38:00
Speaker 2
Actually, I get those emails probably once a week.
00:19:38:05 – 00:20:00:00
Speaker 1
I don’t go get a great someone is proactive, pushing through, went to the right person, went to somebody who’s in talent acquisition or great. So then what we then see is the next step is, you can’t click on the link in the email because deliberately what they’ve done is I don’t want Microsoft to scan it as a link, so someone can copy and paste it into Google.
00:20:00:12 – 00:20:21:21
Speaker 1
It’s the and it’ll actually find the website and the website’s a genuine CV. It looks great. And there’s a click on my CV to download it. That’s the scary thing because then immediately then that was actually, what looked like a CV, eventually display a CV, but in between actually puts the malware onto a machine. So, you know, first lesson.
00:20:21:21 – 00:20:21:46
Speaker 2
To make.
00:20:21:46 – 00:20:43:05
Speaker 1
It. Yeah. Don’t just, you know, we always say don’t click on things and don’t just I think just don’t assume that something’s correct. There’s obviously some controls around being able to run things you couldn’t. And then moving forward, there was a whole lot of things that came through. So from a supply chain perspective, lots of vendors coming in to support the business, lots of ways to get into the business there more than one way to come in.
00:20:43:10 – 00:21:04:10
Speaker 1
And a lot of those ways of coming into the business, the threat actor worked out how to get in and effectively gave themselves 6 or 7 ways to keep coming back in. Then what we have is, you know, traditional things around administrators. When you have too many and too many people have got access, big problem.
00:21:04:10 – 00:21:09:53
Speaker 1
You start to lose control. All those things, all of the good work you do around security can get unwound. And that was a factor there.
00:21:10:01 – 00:21:14:19
Speaker 2
But industry can ask was this? Or if you can’t say, it’s probably not fair, not.
00:21:14:24 – 00:21:35:33
Speaker 1
The fairly large organisation. Okay. Yeah. And then, you know, moving forward, you start to have a look at other things which are, you know, business continuity and can you recover quickly and those things and it’s not until you go through a crisis you get to see those things. On the fraud side, we still are seeing, instances where businesses have a process in play.
00:21:35:38 – 00:21:53:15
Speaker 1
You know, if you want to change your bank account, if you want to be a new vendor, you want to do these things. You follow a process. We still see instances where people just get relaxed and do one of three things, not the three. Go. And you know, anything that said designed to actually give you that safety net you shouldn’t bypass.
00:21:53:15 – 00:21:54:46
Speaker 1
And it still happens all the time.
00:21:54:46 – 00:22:01:00
Speaker 2
Now that episode of Air Crash Investigations, there’s something and the plane crash in you just start I see it.
00:22:01:04 – 00:22:16:55
Speaker 1
Yeah. So we saw a lot of just different types of attacks last year that were just interesting and different. The threat actors, as we call them, they’re getting really skilled, I mean, really skilled at being in a network and finding vulnerabilities and finding ways out.
00:22:17:00 – 00:22:31:21
Speaker 2
Those are the challenge, right? So, you know, you well, I say as a consultant, you need to be one step ahead of your customer. Right. But as a threat actor, you need to be one step ahead of, you know, your customer, which is, you know, trying and talking to business. And then you’ve got, you know, like what both our businesses do, trying to help defend.
00:22:31:21 – 00:22:55:48
Speaker 2
And then we put in third party products and solutions, and we leverage everything to try and protect the business. But everyone’s got to think they’re going to be hacked at some stage. It’s, you know, to your point, those table talks, which you guys do, I’m seven to many of them absolutely brilliant. Right. So people that listening or watching and haven’t done that 100%, you need to be doing them and do them consistently because, you know, I know if you know, someone said, don’t call my daughter like I don’t know a number of by heart, I’ve got it saved in here.
00:22:55:48 – 00:23:12:41
Speaker 2
And if I lose my phone, I’ve got to go trudging through, you know, paperwork to do that. But I know things that way. I’ll ask her about the government in a minute, because I know that you are driving a lot of change through, you know, SMB and DSI and all that. But what what are we fundamentally failing at as a business?
00:23:12:41 – 00:23:24:37
Speaker 2
I know that, you know, you can have a primary, secondary, tertiary, multiple backups. Like, you know, every business is digital. You got the digital, you got the oxygen. How do people stop this from happening? Like, oh, let me rephrase. How do you mitigate this from happening?
00:23:24:46 – 00:23:30:14
Speaker 1
If we had the silver bullet, I guess we’d both be on a beach having this podcast right now. Still.
00:23:30:14 – 00:23:30:40
Speaker 2
We’re doing it.
00:23:30:41 – 00:23:45:52
Speaker 1
It’s doing as we say. There’s some fundamental, simple things you need to do that reduce the likelihood of it. And I think we’re still in the world of it’s not if it’s going to happen, but when. So you need to assume that something’s going to happen and be ready for it. So if that’s the assumption, yeah.
00:23:45:54 – 00:24:05:33
Speaker 1
Firstly, deal with your identity in your system. So if you give everyone an account to come in, make sure that that account is safe. Only they can use it. I mean that goes to password hygiene and multifactor and all of those things and make sure that account can only do what you want it to do so you don’t over privilege it.
00:24:05:38 – 00:24:24:48
Speaker 1
That’s a great start because that’s minimising what you should do. Then we look at segmentation in our IT systems. So if everything doesn’t need to see everything, don’t let it. So if a system should only need to see its own little group of things, then segment it and protect it, so you can’t keep jumping from system to system.
00:24:24:48 – 00:24:43:34
Speaker 1
And we see that threat actors get in once and they can see everything, then they go off and move through, because ultimately what they’re trying to do is steal information to extort you. Yeah. And then blow up your system so they can disrupt you. So that’s the standard approach they use. And you can actually minimise the damage on those things.
00:24:43:39 – 00:25:07:16
Speaker 1
The other thing is being able to have enough technology to detect it. One thing that was consistent, I saw through the last 12 months is in a lot of the cases we investigated, we saw alerts to show that the threat actors were in. We saw alerts sitting in log files. We saw alerts sitting in antivirus programs or endpoint detection programs, that your technology had worked and it had seen something.
00:25:07:21 – 00:25:08:04
Speaker 2
But no one was and.
00:25:08:04 – 00:25:27:18
Speaker 1
No one was looking and no one was actioning those things. And that was just a straight up mess. Yeah, because if you actioned it when those alerts had popped up, it was often weeks before the incident. And then. Yeah, we, we write so many reports where we say, look, it’s you got to have the technology and the controls.
00:25:27:18 – 00:25:45:05
Speaker 1
Yes. And you’ve got to make sure that you are looking at all the information that’s got to tell you something’s going wrong and know what to look for. But more importantly, you’ve got to action. Now on spending. Well, not a lot of businesses are taking that last little investment, which is put a team around it. Look, all the time.
00:25:45:05 – 00:25:56:40
Speaker 1
It’s not a business issue either. I would love it if product is only made us have to work Monday and Friday, but it’s normally, you know, I think my team starts to get stressed at about 3:00 on a Friday.
00:25:56:40 – 00:26:15:18
Speaker 2
Yeah, that’s why we’re doing the podcast today, because otherwise I would never catch it anyway. So it’s interesting, right? This is probably a common theme in, you know, part three of this. But you know, challenges basically drive change, right? So when a business is challenged and drives change, once you’ve been through an impact or cyber hack, that’s when you actually become, you know, the CFO signing everything wants to put everything in place.
00:26:15:18 – 00:26:35:40
Speaker 2
But, you know, governments try and hard. And I know you’ve been really at the forefront of advising and being on panels and all of that, like talk to us a bit about what’s happening in that space and how businesses, because I know, you know, we’ve been pushing cyber certain, you know, people are interested. But I also feel that there’s a bit of a lethargy with owners and going, oh, look, it won’t happen to me.
00:26:35:40 – 00:26:48:57
Speaker 2
And we still get frustrated. He’s the reason why we do this podcast and get, you know, VIP’s like you. And it’s not because we’re actually, you know, know we’re doing this for the sake of it. We need to help isn’t it’s because we’ve seen so many good little businesses that have died because I just don’t understand. It’s an education process.
00:26:48:57 – 00:26:52:31
Speaker 2
But yeah, share with me where the government’s going and what you’ve been able to influence here.
00:26:52:36 – 00:27:14:30
Speaker 1
I try not to get myself in trouble here because government is my friends across. So it’s interesting if we look at federal government, let’s look at the, the, the group that’s supposed to protect our country and does a really good job of that. Our interactions with a lot of those groups. Excellent. And there is so much being done to try to protect businesses and protect our country.
00:27:14:34 – 00:27:33:09
Speaker 1
Home Affairs, Strength Signals Directorate, ICAC, Australian Federal Police, these groups are proactively out there trying to support us. Quite often, we won’t reach out, we won’t get support, we won’t tell them or talk to them because we think that that’s not the right thing to do. Their job is to actually protect our country and to help us. So there needs to be more engagement there.
00:27:33:14 – 00:27:56:17
Speaker 1
And every time I’ve done a large matter or even a small matter where we’ve had those engagements, excellent. They’re also the groups that are helping build good legislation that should try to help the problem and minimise the risks. So we talked about a cyber security bill. There’s some great changes coming through there, like putting rigour around issues such as doxing.
00:27:56:22 – 00:28:13:15
Speaker 1
They did put in the mandatory reporting on a ransom payment. Didn’t say we can’t pay. There was no banning of payments, but we need to be more open about talking about that. And then there’s all of the, you know, the help support that comes from those things if you engage with them. So that’s at a federal level.
00:28:13:15 – 00:28:36:10
Speaker 1
Excellent. Then there’s the regulators. You know, if I look at, you know, we’ve got a Privacy Act, and we’ve got our other regulators, they have rules in relation to how we manage and deal with these issues. You know, the Privacy Act basically says it’s about protecting individuals’ private information, incredibly important. That’s what we’re protecting.
00:28:36:10 – 00:28:57:37
Speaker 1
And that’s what people are trying to steal. There’s certainly a lot of effort going into enforcement of that act and probably won’t lay around too much. But, you know, have a look at what’s happened with Medibank and others and maybe the fines that are being alleged. And the approach that’s going through in the investigations, that’s what happens when it goes wrong.
00:28:57:37 – 00:29:16:52
Speaker 1
And that’s the big stick approach. Yep. And maybe not getting the same traction. And often what I see is during an incident, during a time when you want someone to engage in work, they are so worried about the enforceable piece that a regulator might put in place. They will go into a shell and they’ll get their lawyers and they’ll protect themselves.
00:29:16:57 – 00:29:46:49
Speaker 1
Human nature. At a state government level, each of the states does it for different things. Yeah. We’re in Queensland. State government here, huge amount of investment, great teams proactively looking to do different things to support all of their remit. So that’s local government, state government docs, anyone that can do that. A lot of what they do is also supporting businesses as well, because the programs put in place are designed to actually help anyone who’s in this state, and the other states have got good programs as well.
00:29:46:49 – 00:30:15:07
Speaker 1
There has been, you know, some of these changes come through in legislation that force different things to occur, and we have to refactor. At the moment, there is still no standard in this country for what good cybersecurity looks like. There’s great advice. We have these access or ISDs essentially, and you’ll find most cyber practitioners are an advocate of the Essential Eight, eight really effective controls.
00:30:15:12 – 00:30:34:46
Speaker 1
But there’s no governance. So there’s no risk management. It’s just controls that minimise the risk. If you’re having an incident, you should do those things. But it’s not enough. So we do need our governments, state, federal, local, to start to call out what good looks like and actually give guidance on, hey, we want you to do this, but here’s ten things and.
00:30:34:51 – 00:30:36:01
Speaker 2
You’re working on that, right?
00:30:36:07 – 00:30:59:52
Speaker 1
Well, absolutely. So, one of the ways you do it is through standards and frameworks. So one of the, I’m lucky enough to work with and support an Australian Standard, which has now become an international standard. It was originally SMB 1001, being an Australian standard. At the end of last year, it’s been updated to Dynamic Standards International, still SMB 1001, but it is now a stand.
00:30:59:52 – 00:31:16:01
Speaker 1
It’s been picked up by other countries as an effective cyber security standard at multiple levels to support small and medium sized businesses. And to be honest, it’s effective for larger businesses as well. It’s a great stepping stone to an international standard like ISO.
00:31:16:08 – 00:31:16:44
Speaker 2
Fantastic.
00:31:16:44 – 00:31:43:16
Speaker 1
Every year it gets updated. Every year a whole bunch of professionals, including government, experts, advisers, we’ve got, you know, advice from lawyers, get advice from the industry on what does good look like in cyber security and we change it. Had a great debate recently. When we’re talking about what does good password hygiene look like, two years ago, we’re saying, you know, change your password often.
00:31:43:21 – 00:32:01:54
Speaker 1
I make it complicated, make it long and change it often. We go, well, no, maybe don’t change it often. Just have a really strong, long, hard password and only change it when you know it needs changing. So don’t for someone to have a bad habit of choosing the simple thing to remember, because I’ve got to do it so often.
00:32:01:58 – 00:32:26:04
Speaker 1
We just got to stay ahead of those things. The standard itself is a certification, and that’s the other thing that we’re seeing supply chains probably going to benefit from. So I look at our own business, anyone that’s sort of doing work for us, we will want to assess whether or not they introduce any cyber risk. If I’m going to share information with them, I really need to know that they’ll, you know, take that seriously and be safe.
00:32:26:04 – 00:32:47:54
Speaker 1
And I’ve got the right systems in place. Traditionally, you’ll ask questions, you’ll send out surveys, you’ll maybe do some testing. If someone’s not honest or truthful in that response or they miss something, you might miss it. Certification is a way of saying, look, if you can just tell me that you are certified against that level, I’m really comfortable with that level and we’ll move on.
00:32:48:07 – 00:33:00:09
Speaker 1
That’s better than answering a big spreadsheet, because you know that for them to attest to something as a director, they’re not going to do that unless they’re genuinely able to do it.
00:33:00:09 – 00:33:16:13
Speaker 2
Absolutely. Yeah. And in terms of, I guess, moving forward, I’m conscious of time as well. Where do you see things for this year in particular? Like, I’m not going to ask you to crystal ball too far, but, you know, pretty much every time we’ve asked you, you know, where you see things going, it ends up being true.
00:33:16:13 – 00:33:36:51
Speaker 2
I think, you know, if we really wanted the last podcast, you did say that there’s, you know, new, legislation coming in on you. You’re working on that standard saying that’s been fantastic, but where do you see things in a it’s an ever evolving pace up. Industry in place. But it’s also very slow in that, you know, business owners don’t really understand until they’ve been impacted.
00:33:36:55 – 00:33:46:39
Speaker 2
Legislation isn’t driven until there’s a proper standard. There’s lots of slow things that are happening. But where do you see, you know, 2025 and maybe even a little bit into 26?
00:33:46:44 – 00:34:04:55
Speaker 1
There’s a few things that we’re focusing on ourselves. And I think that most businesses will want to do the same. Data governance is something that none of us have, really. I mean, large businesses will have focussed on it at some point. A lot of the rest of us are now realising, okay, we’ve got to deal with this.
00:34:04:55 – 00:34:23:18
Speaker 1
So all the privacy reforms are all trying to force us to manage information better and protect it. It’s really hard to protect and manage something we don’t know where it is. And you can’t identify what you see in your platforms, in your systems, in your software. You don’t know who owns it. And you’re certainly not sure how it’s being managed.
00:34:23:18 – 00:34:46:37
Speaker 1
So we’ve got to get better at those things. Yeah. And that can start with having a view of, where’s the most important information I keep in my business? What of that information is PII, personal, that I have, you know, under law, a right to, an obligation to maintain and secure, who owns it and who can access it and how it should be used.
00:34:46:37 – 00:35:06:24
Speaker 1
And can I do those things? So there’s a lot of work around just understanding those things. Because if you know those things, you can start to do things like protect them, backups. If you knew that of all my backups, there’s two that absolutely have the keys to all of the most important assets I have, then you make sure that they’re going to be protected properly.
00:35:06:28 – 00:35:23:08
Speaker 1
So there’s a lot of work that I it’s good to have a fairly big impact this year on cyber security. I’m seeing it roll out now, for the benefit of all of us is one great thing. Some of the best technologies out there, you’ll start to see them embedding AI in ways that actually make them better and faster and more accurate.
00:35:23:13 – 00:35:45:34
Speaker 1
Especially in the world of endpoint detection response. You know, we’re talking about someone watching the data and how quickly can they see things. You’ll start to see AI pick up and improve on that. Because at the moment, a lot of that is based on people, you know, having people who can interpret and then action things. When you’ve got something that can do that in real time and in that type of world, it’s got to be a game changer.
00:35:45:39 – 00:36:05:04
Speaker 1
At the same time, the bad guys are doing the same thing. They’re trying to leverage that same technology to be faster at attacking us, faster to find a weakness, faster to execute on that. So it’ll be this shift to letting our technology really defend us, and you’ll just have to be investing in the right tech to do that. And other things.
00:36:05:09 – 00:36:26:34
Speaker 1
You know, you’re going to have to make sure that you’re doing those fundamentals and you have a focus around governance and risk management around it. If something goes wrong, you should expect that someone’s going to ask questions and want to have a look at what you’ve done in the past. And if someone does an investigation into, well, were you prepared and what were you doing?
00:36:26:34 – 00:36:38:40
Speaker 1
Enough. And you weren’t. That’s when you start to see some of these penalties start to come through. As you know, you knew that there was an expectation, you decided to risk not doing it, and there’s a consequence.
00:36:38:40 – 00:37:03:23
Speaker 2
Yeah. Fantastic. Darren, look, I’m probably going to have to cut this one now because, you know, we keep the series going. You know, part four I reckon will be everyone that keeps asking Darren to come back on. So thank you so much for sharing the insights. And you know, Darren, the Chronicle has been a huge supporter of, you know, all businesses and yeah, very, very much admire, you know, what you give to businesses and, you know, supporter of, you know, everything to do with cyber.
00:37:03:23 – 00:37:05:33
Speaker 2
So Darren really, really appreciate it. Thank you.
00:37:05:38 – 00:37:07:46
Speaker 1
Not thanks taking I don’t love coming in doing this.
00:37:07:51 – 00:37:20:15
Speaker 2
For for the platform. Thanks for.