Building Cyber Resilience Through Education with Craig Ford
Interested in discovering the most powerful way to shield your team from phishing attacks? Craig Ford, Co-Founder and Executive Director of Cyber Unicorns and a cybersecurity veteran, joins us on Redd’s Business and Technology Podcast with host Jackson Barnes to discuss bridging the gap through cyber education. With six books authored and a thriving online platform, Craig advocates a proactive strategy. His suggestion? Tailored training sessions that focus on the specific vulnerabilities of different departments within organisations, such as the often-targeted marketing teams. Through regular simulation tests and customised workshops, Craig assists businesses in recognising and addressing potential risks.
Craig started his mission to simplify cybersecurity with easy-to-understand language and practical advice. His new online platform provides affordable cyber education for everyone, from individuals to entire teams. Craig’s goal goes beyond making money; he wants to help seniors and small businesses learn essential cyber skills. Join Craig in strengthening your digital defences. Stay informed, stay secure, and empower your workforce against evolving cyber threats.
#CyberAwareness #CyberEducation #DigitalSecurity #InfoSec #CyberRiskManagement
00:00 – Start
00:24 – Guest Introduction
00:55 – Cyber Unicorns Launch
05:18 – Mission Behind Cyber Unicorns
10:22 – Overview of the Sixth Book
13:00 – Evolving Cybersecurity Priorities
15:02 – Industry Confusion with Acronyms
21:40 – The CIO’s Role and Value Over Time
25:30 – Cybersecurity Frameworks and Compliance
27:04 – Cybersecurity Awareness
29:26 – Importance of Regular Training
32:14 – Phishing Simulations and Targeted Training
35:25 – Writing Process for Cybersecurity Books
38:26 – Growth Plans for Cyber Education and Consulting
40:18 – Launching an Online Education Platform
41:59 – Closing Thoughts
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below. https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/jacksonpbarnes/
https://www.linkedin.com/in/craig-ford-cybersecurity/
(00:20):
Hello and welcome to Redd’s Business and Technology Podcast. I’m your host Jackson Barnes, and today we’re sitting down with our third ever returning guest, Craig Ford. Craig Ford is a veteran in the cybersecurity industry, just released his sixth novel slash book, director of Cyber Unicorns. A lot’s happened in the cybersecurity industry since 12 months ago when you were first on the show. So keen on unpacking your journey over the past year or so and finding out what’s been happening. So man, thanks for coming in.
(00:48):
Thank you. It’s definitely a pleasure being here again.
(00:51):
Alright, so maybe let’s start straight into Cyber Unicorns’ launch and journey. I believe it’s been 11 months. Next month will be the first year breaking out from what you’re doing with Baidam and obviously the book journey to launching a small business effectively, which is no doubt a scary time. So just maybe if you can elaborate on maybe why you started Cyber Unicorns and how the first 11 months has gone.
(01:15):
Yep. No, definitely. I think probably the easiest way is to start right at the start, where probably our last conversation, I think we even included that in some of that conversation, around my passion in that cyber awareness and cyber education space, particularly I think the lack of it in the general public, your mums and dads, your seniors, your kids, and I sort of started it with the kids’ education book, which I sort of talked about in the last one, The Shadow World I did with Katie Randall. Basically, I kind of was talking about it then and I was sort of thinking over it and thinking over it and I was like, I just keep talking about it. I’m not actually solving the problem, and I’m a big person that I like to, if you see a problem, figure out how to solve it, which is the reason why I created the first few of my books.
(01:54):
So stepped out of my reasonably comfortable CTO role with Baidam. I still work with ’em a bit. I still think they’re great people, but decided I’m going to make the plunge and created Cyber Unicorns very specifically for that cyber education space. So what I’m doing is Cyber Unicorns itself is a cybersecurity consultancy like most of the others, but with a bit of a difference. So essentially what I do is I do vCISO, so virtual Chief Information Security Officer services, with a couple of regular clients. I can name them: Wesley Mission, PCYC and Ipswich Council. And I’ve done a bit with Hungry Jack’s as well while they’re doing their interim head of security sort of recruitment. But essentially what that does is that helps me fund the passion side of the project, of why I created Cyber Unicorns. So I’ve built a full online cyber education platform aimed very specifically at the mums and dads, your seniors, your kids, and that sort of general public space.
(02:48):
So at the moment there’s a full online backend web training portal inside the Cyber Unicorns website. And then what I do is I’ve created, with quite a substantial investment for myself, an actual mobile app, which is going to be launched in I think about three or four weeks. Awesome. All fingers crossed, everything goes smoothly. But essentially what it’ll do is extend that capability. So beyond just video training, it’ll have interviews like this one, sort of where I’ve been on sort of podcasts. It’ll have YouTube clips where I’ve been on and done interviews, and then it’s got those video training access to whatever subscription they sign up to. And then I’ll have how-to guides of the basic how to turn MFA on for social media and all of those little things that we kind of need to teach all the general public and how that
(03:32):
Towards general public or the
(03:33):
General
(03:34):
Public. Yeah, right, okay. So you’re doing essentially cybersecurity consulting to businesses to therefore fund back to individuals,
(03:42):
Educate everyone, individuals. Because my sort of approach is, I think we’re doing a little bit better in that cyber education space for corporates. We’re actually improving that space. We’re making people a little bit more engaged, but if you’re not in one of those big corporates, you don’t get access to that kind of awareness training. It’s pretty minimal. I think the government’s doing a little bit more now with some of their Act Now Stay Safe, I think their campaign is, so they kind of just started that halfway through when I was building mine, which was going, oh, hopefully. But they’ll do all of it, but that’s okay. But essentially I think if you’re not in one of those large corporates, you’re not really getting access to that training. So I really, as a bit of a passion, I want to push that education out to more of that general public, and particularly targeted to the senior groups, talking about your phone scams and things like that, and kids, expanding beyond that first kids’ education book, but giving them a bit more collateral and a bit more information and a bit more of a hands-on kind of guide from someone that’s been in it for a while.
(04:38):
So
(04:39):
That’s a good initiative and something I’ve heard from some businesses who may get cyber awareness programmes for the business and password managers and stuff as well. And sometimes they let the employees actually use that stuff for their personal accounts as well. It gets some different licences and whatever else. That’s great actually that it goes back to the individuals as well because yeah, not a fun time for people being attacked separate to businesses being attacked, which is something on this show we don’t really talk about a whole lot to be honest with you. Most of that cyber world is targeted to businesses and their information and how to protect that, not on the poor individuals out there. So that’s awesome. Kind of a unique proposition, so you got started on it, but maybe the mission behind Cyber Unicorns is the long-term mission around that personal education. I
(05:26):
Think probably around that sort of personal and maybe that small business space where I think we’re not really covering that obviously. I think I’ll, at least for the next three or four years, I think I’ll be doing the consulting and the vCISO kind of role to keep funding and pushing that along. I think my dream would be to go out to schools, go out to seniors’ groups and literally provide some of those workshop education sessions and use the platform as a companion kind of tool to sort of continue that education after the initial workshops and sort of push education as much as I could. It’s quite a big passion project of mine, not the easiest way I don’t think to make an income out of, I think it’s certainly easier consulting, but you’ve got to take a bit of a risk and a bit of a dive for some stuff you’re passionate about I think.
(06:12):
Yeah. How was that launch of the business and the break out from a comfortable CTO salary to starting your own business? No doubt you had the book stuff you were doing as well, so it wasn’t like you were just a fresh jump kind of thing, but still no doubt would’ve been some agonising long nights and a bit of a hurdle to get started. What was that process like?
(06:35):
I was a little bit lucky I think with my exit out of the Baidam team. I’d been sort of talking about it for a couple of months and there was just, I think it was more luck than anything else. I had one of the vCISO clients potentially come in and saying we’d like someone to come in to help, to assist, and I’m like, I could probably do that maybe as part of my exit, and we were already having that kind of conversation. So I think it was kind of an easy jump to give me a little bit of a safety net. But yeah, definitely a bit of a scary jump and a scary conversation with my wife initially of going, I want to leave the nice comfortable job to follow my passion project, which is not always the easiest conversation. But yeah, she’s been quite supportive. She’s my other co-founder, so my wife and I co-founded Cyber Unicorns. So I think once we started talking about why I wanted to do it, and we have two kids ourselves and having that conversation around what the education is and why we wanted to push it, she was like, it’s a no-brainer.
(07:30):
It’s not to dive into the personal life, but is your wife in the cybersecurity industry as well or is she just more passionate about the education first?
(07:37):
Passionate about helping, particularly in the kid space as our kids are growing up in the space, and I do have one kid, I won’t go into too much around the ages, but in that early primary space, and they’re using iPads and things like that already in school and we’re like, we need to help with that education. And the book sort of started that with that sort of primary school age book, but I think we need to go beyond that.
(07:57):
Yeah, there’s definitely a lot to be done. My son, even on YouTube Kids sometimes he’s like, some ads come up and you’re like, whoa, hang on. It’s meant to be YouTube Kids and it’s meant to be locked down so they can only see certain things or whatever. So there’s a lot of room to be done, but probably also lucky to businesses that vCISO kind of role you are fulfilling. There’s also a gap there. The amount of security professionals in Australia is quite low compared to the work that needs to be done, as I’m sure you are aware. So you kind of are able to help out in both areas, which is awesome. So I was going to touch on, to be honest, your unique lens of Cyber Unicorns, but I feel like you’ve kind of touched on that already, which is mixing your passion project in with a commercial cyber consulting business. So that’s quite unique.
(08:41):
Probably the only extra part we could probably talk about there around maybe the vCISO side. I very much, I guess along with my passion side, I very much aim most of my effort towards the, I guess you’d say, organisations that are aligned passion-wise. So your Wesley Mission and your PCYC, they’re doing that sort of not-for-profit space, they’re in there doing some nice things. I usually, and they’re the sort of organisations I think I’ll probably long-term be focusing on, is the ones that need the help but don’t have the huge amount of funding or the demand to have that full-time CISO kind of person there. And I think a lot of them probably need the help more than some of the larger commercial organisations. They don’t have that prep. They need to really focus down on those basics and get those right. They don’t have the money to spend on some of the nicer, flashier kind of tools that can sort of help pull that back a little bit if their maturity is a little bit off. But
(09:36):
Yeah, I mean we work with some non-profits as well and I definitely see what you mean. Just the commercial running of a not-for-profit, right? Most businesses don’t have a separate cybersecurity budget to a tech budget; they’ve got your technology budget and then there’s maybe some risk for insurances and stuff. There’s not a separate dedicated cybersecurity budget, and then non-profits are years away from that to be honest. So they definitely need all the help they can get around that advice piece. I know with some of the legislation changes around what directors on non-profit boards are being held liable for and so on, that it’s even harder for people who sit on boards and they want to take it seriously, but they also just don’t have the funds to do it. So that makes a lot of sense. Let’s pivot towards the book. Your sixth book you launched two weeks ago. Funnily enough, I think when you were in here the last time it was the week after, remember, the week you launched? Was it your fourth book by that time? Would’ve been, yep, the fourth book. Yep. Yeah, so maybe elaborate if you can on what the sixth book is about?
(10:35):
So book number six, and I’m pretty sure it was book two in that sort of novel series, I think it was the cyberpunk hacker fantasy series, the Foresight series, which was when I was in here last time, I think it was almost 12 months ago. I think it was pretty close. Yeah, essentially Vulcan is sort of the third instalment to that sort of series. If anyone that’s listening and watching has had my book series, basically in the first two books of that series, I sort of had the lead female character Sam in the first book, teenage female hacker, first person in her mind, sort of following a real hacker’s journey, and having a bit of a pen tester, ethical hacker background kind of helps build out that skill set and sort of make it based in reality, I guess you would say, is probably the right way to put it, with a bit of Hollywood flair of course. And then in book two, the one that was just before I was on last time, Shadow, actually switched to the bad guy’s perspective, Shadow
(11:26):
And
(11:27):
Got into his mind and sort of followed his journey, and then they sort of mingled across and a bit of a spider web weave across their two stories, and then it continued along, and then I’ve switched back to Sam’s character, which I think she’ll definitely always be the primary character, but I’ve sort of switched back to her in that sort of last book and continued the journey. But I’m told this one is the best one of all. So from a few of the readers that have done it, which is quite nice to hear really, it means I’m sort of growing as the writer and really building out that story, which is nice.
(11:55):
Awesome. And how has the second book been? It’s been out now for must be about 12 months. How’d that go? How many copies sold and things did you end up getting for the second one?
(12:04):
I think overall, I think for the series, I think we’re around that sort of, I think it’s about 5,000 copies between the first two roughly. My most successful is probably the kids’ book. I think we’re up to retail sales of that, I think The Shadow World was, I think it’s hit 5,000 copies in the first couple of weeks, which was quite nice. So it’s an Australian bestseller once you break over that 5,000. It’s an Australian bestseller in that first run, so awesome. But I’ve actually donated six and a half thousand of them myself to schools since we last talked. So it’s quite good. It doesn’t help the bank balance, but we won’t get into that
(12:40):
A bit of a passion project and a bit of commercial at the same time, by the sounds of it, and honestly a great initiative for educating people in schools and so on. It can’t be all reading Pokémon books and then just study stuff. A bit of cyber education these days is super, super important. So let’s speak holistically around the cybersecurity industry in the last 12 months. What do you think’s changed? What have you seen?
(13:04):
I think the conversation, I think there’s a lot more conversation around it, particularly in that sort of board level and the C-suite level that you were talking about before. I think because of some of the mandates that have come from the government and some of their push to, I guess, improve cyber maturity across, I’m having a lot more conversations on that higher level than I probably would’ve before, or at least, maybe not more, but at least more grounded conversations where they really want to make a bit of a difference. Before it was yes, let’s talk about it, not sure if it’s something we’re going to really push as the highest value agenda, but they seem to have the right approach to it now. So I think they’re paying more attention, I guess is the right way to put it, probably a little bit to do with it’s more going to be their responsibility and come back to them a little bit more than it used to be. But I think the conversations are definitely there and people are wanting to make that maturity uplift and really push it as an agenda. Particularly your big corporates, they were always kind of moving down that path and they were trying to at least appear they were doing good in that sort of space. But even that mid-enterprise market I find is really starting to mature in that space, or at least start to have more of those conversations, which is nice. But
(14:10):
Yeah, I’m feeling, I’m hearing a lot of businesses wanting to talk about it more, and things like awareness and such getting more common practice, and people transitioning from just antivirus is not good enough to you need something a bit more. I’d say one problem that I’m seeing in the industry, and I’d like to get your feedback on this, is the almost level of confusion when someone, even like an internal CIO for example, goes out for a security service or some detection and response capability, all the acronyms, and we try and educate people, we speak to our customers around the difference between EDR, MDR and XDR and all these other kind of acronyms in that industry. It gets quite confusing to be honest and it almost means just throw it all in the bin and start again. But all these marketing companies, not to name individuals but certain brands, say there are other things and it must be so confusing for someone on the buying side of security services. What advice would you have for someone like that?
(15:13):
I think you’re 100% spot on with it, particularly with the acronyms. There are so many of them and you hear it from all the conversations, they’re going, half of them don’t know what they mean and they’re like, what do we actually need? And a lot of the time, particularly on the vendor side, and I won’t name any either, but you see a lot of ’em where they sell those flashy blinky-light solutions going, oh, this is the newest thing, you need to get it. And they’ve probably been doing a similar thing for the last two years anyway. They’ve just named it something new and put a new pretty little bow on it, which doesn’t help anyone if you ask me. But I find usually what I do is I ground it in whatever the problem is. So forget all the solutions, forget whatever they’re trying to sell in the next marketing push, just go, what are the problems you actually have, and let’s go, how do we solve this?
(15:58):
What is the real solution to solve this? What is the right way to go down, and sort of take out all the acronyms and the noise and everything else and go, do we have problems with passwords being leaked out? Do we have a lot of a password issue? Let’s talk about password managers or something that will solve whatever that problem is, but forget whatever the latest marketing spin is or AI or whatever you want to, which is machine learning most of the time, but we won’t get into that either. But literally just try and ignore the buzz and go, what are the foundation things here? What are our problems? Let’s figure out whatever the whats are and let’s talk about the whats and go, how can we solve those?
(16:34):
Let’s speak to maybe the security services piece more holistically. Let’s say you identify the gap, we’ve got no detection and response capability at all on endpoints, infrastructure, network, cloud, anything. And you said okay, we need to get a solution for that. Or maybe you had someone like yourself coming in, in a CISO capability, around you need some detection and response capability. What would you ask the vendors you meet with or the potential partners or businesses you’re looking at transacting with around security services? What questions would you ask
(17:09):
Particularly around that mid to smaller enterprise, usually particularly around that incident response capability space, sort of your MDR, managed detection and response, or something. It usually comes back to around helping you educate the small team you have, to make you prepared for some of this stuff. So make sure it’s not just a one-way, here’s your alerts, there’s the answer, we’ve solved it. How about we actually talk about this? What happened? Where was the chain that sort of went through, and help educate your team, whether they’re going to be incident responders or not. You need your team to understand where these sort of risks are and where the vulnerabilities are and what they’re doing to solve them, so that when we’re talking about it and when we’re looking to improve some of the maturity overall, you can come back and go, if that vendor or the provider or whoever the solution provider is in the services space, if they’re not, I’ve seen a few where they’re sort of one-sided. They very much, I get your alerts, I take the feed, I fix it, there we go, we’re
(18:03):
Done. Here’s a tool, here’s a report letter
(18:04):
And don’t really sort of go into it, but you need one that will be a bit more proactive with training. Training is not exactly the right word, but sort of
(18:12):
Uplifting your enabling, enabling internal team. It’s good advice
(18:17):
I think even though technically it kind of feels probably to the vendor that they’re kind of taking a little bit of their own work out of it. But I think overall they’ll actually get a stickier customer, because you are teaching them and you’re helping them and you’re improving their skill set inside their team, so that you’ll probably get less alert fatigue from your side. You’re not pulling in, but you’re still getting the same service, helping them, and they’re sort of bouncing off you and you’re bouncing off them, and I think it actually creates a stickier kind of client. But they don’t always agree when you have that kind of conversation. I dunno, we just provide the service to the report, and I’m like, no, no, no, that’s not what we need. We need a little bit more
(18:52):
Your security partner and someone who’s going to enable and empower the internal IT team or business, the people responsible for technology and that data and so on, to better respond and do something with the information that comes back. That’s great advice and I think it likens to what Steve Jobs used to say about product development at Apple: you need to cannibalise your own product every 12 months. So you need to be almost like, what problems are you solving and then what problems are going to come in the future and how do you solve those? So the last model is almost obsolete compared to the next one.
(19:23):
That’s our job literally as security people and vendors; we’re supposed to be solving the problem. I think that’s part of our industry issue at the moment, from what I see, is we are kind of on this loop. We keep going around and round and round, sort of spinning the wheels but not solving a lot of the overall major problems. So I think we need to figure out how to fix the foundation stuff a little bit better and then slowly improve the maturity from there. But we’re not even really mastering the basic stuff a lot of the time, I don’t think, which is sad because that’s what we need to fix.
(19:54):
And also almost like dumbing down the acronyms and things like we touched on before for small business, either CFOs or an IT manager in a small business or something, so they can get the cyber industry and kind of go, right, I’ve got these gaps, I need to fill these gaps with these things, without going to market and just a million acronyms and different ways of tackling all these problems. But I mean, who would you be vCISO for if there were none of these challenges? It’s
(20:23):
Technically appointed. I almost got to do myself out of a job, and I think that is strangely kind of what we need to do as the vCISO or a CISO or whatever it is. Your job is literally to kind of get the organisation to a point where they don’t really need you anymore, and that is literally our job, to make sure that they can understand and they can keep continuing on that journey and then call me whenever they need me. Other than that I’m out the door kind of thing. I’m just sitting there as they need it. And sadly I think that is kind of mostly my job, is to sort of push that direction, in a weird kind of way do myself out of the job. But it’s like the Steve Jobs thing, isn’t it? You’ve got to keep solving your own problems and fixing whatever the next line of problems is. The
(21:03):
Good ones do, and I work with a lot of CIOs and I kind of tell them that, most CIOs, the brutal truth is that after three years the value they provide back to the business is a lot less than it was when they first started, because usually a CIO comes in and evaluates everything, gets into the team, builds a team, fills in gaps, gets a plan, executes it over three years, then after that is really just doing incremental changes. It’s not like a new CIO coming in and making huge improvements. So you almost need to change it every three years as a CIO these days. So let’s flip it back to, let’s say, a small business owner or a CFO in charge of IT or a general manager or so on, and you don’t know where the gaps are in your current cybersecurity, or with cybersecurity holistically for your business, where the gaps are with your systems or wherever they are. Where should they start?
(21:53):
Usually what I do in any of those, where are we at kind of conversations, in those sort of initial ones, usually I say, do you know what you even have to start with? Have that sort of asset conversation, and this includes software as a service kind of systems: what software do you have, what computers do you have, what phones do you have, what tools do you have and who uses them? Once you can lay that all out and actually understand, particularly in the small business space, they sporadically probably add staff, remove staff, what tools do they have, what phones do they have, where are things connected and who has access to what. They kind of need to know all of that first before they can figure out what to do, if anything, next. So I think usually what I do is I go, let’s figure out what you’ve got exactly.
(22:36):
So exactly the systems, the data, the software, where things sit, and then go, now where are your crown jewels? Where is your biggest amount of data? What is your biggest risk? And sometimes that could be your CRM or something like that, but just figure out whatever it is or wherever it is, the data that you need to protect, and create that as your first point. If you can help tighten that down, restrict who has access to it, remove data. Sometimes I think a lot of businesses just collect dates of birth, licence numbers. They feel like they might need it one day, but if you don’t need it, don’t have it. Validate, check the ID when you first get ’em, sign it off, don’t keep it. Easier said than done.
(23:14):
Talk about
(23:14):
That one for a while.
(23:15):
Telling the marketing team to delete that list? They won’t do that, it’s not happening.
(23:20):
But yeah, literally crunch down on that, exactly what they’ve got, what is the valuable part, and focus on that specifically. Put your money in there, put your time in there and just narrow that down and secure that as best as possible. And because particularly when you’re talking about that small business space, or even that mid-sized business space of 50 or less staff probably, a lot of ’em don’t have unlimited sort of funds to put into some of this tech space. So I think, yeah, just narrowing it down and knowing where your biggest risk is and then looking at how to protect that. And usually someone like a vCISO or your IT company or provider can come in and help you understand some of that. And it doesn’t have to be overly complicated, it can be nice and simple, put it in a spreadsheet if that’s the easiest way they can do it. Just figure out where it is, what you’ve got, simple steps, and make sure with backups, they never have backups and they never test them.
(24:09):
And it’s one of my little irks, I’ve been talking about it for about five years. It’s like, make sure they are, make sure they’re there, make sure you test that you can actually restore things from it. Usually where they get caught up, particularly with ransomware, which is still a problem, is not doing that testing, and they aren’t sort of segregating it, so that when the ransomware infection comes, bye-bye for their backup, which is quite a painful spot to be in. But yes, I think crown jewels, know where they are, know exactly what you’ve got. You can’t protect what you dunno you’ve got. Particularly when you’re talking an IoT kind of space. You’ve got people bringing smart fridges in, and I think there was a casino a few years ago, from the thermometer in their fish tank, that they were actually done for that through their wifi network. So it’s
(24:47):
The thermometer in the fish tank, I’ve heard.
(24:49):
So basically they had an IoT thermometer in the fish tank, got into their network back through it. It was connected on the same wifi network as the corporate network, they got through, in a casino, US I think it was. But yeah, so IoT, particularly those smart devices like your smart speakers and things like that, when they are literally connecting ’em on the same corporate wifi network and they’re not telling anyone. But if you don’t know they’re there, you can’t protect from it. So create a separate guest wifi, connect those kind of devices on the guest wifi, not on the corporate.
(25:18):
Yeah, but I mean, as you know, small businesses usually aren’t getting done by IoT from fish tanks. It’s mostly the boring stuff, right? Patching and MFA and backups and the basic stuff. What advice do you have for businesses around, or what’s changed more in the last 12 months since you were last here, around cyber frameworks?
(25:36):
I think there’s been a lot more focus towards the Essential Eight, which I think is a good start. I think usually my sort of direction is, let’s go down the ISO 27001 kind of path, but sort of couple it with the Essential Eight. So you’ve got your controls on one side and your framework on one side, so you’ve got good policies, your foundation stuff, and then you get your controls in place on the other side. So sort of combining them together a little bit, but I think they’re coming up more in conversation. I dunno if it’s from the government push a little bit. They’re trying to move that direction and become a little bit more compliant. I love the fact around those sort of compliance conversations now, they’re not using it as a tick box as much. It’s more, we actually want to uplift
(26:15):
The maturity a bit. Oh, we’re secure. Yeah. So
(26:17):
The way it’s approached now has changed a little bit. Instead of just, I want to tick the box to say I am now compliant and I’m just going to step away and that’s us done, they actually want to have the conversation and really move that needle, I guess you should say, in the maturity, which I find quite good. It’s quite nice,
(26:31):
But all these news horror stories and it’s enough
(26:34):
To scare everyone, right?
(26:35):
Yeah, people in black hoodies on Nine News and stuff is great for scaring people, I guess, sadly. But yeah, there are some stories as well. There was a transport business that had been in business for 30 years, got hit at the start of this year with ransomware, had no way to recover and actually had to fully close its doors after 30 years in business. And there are all the big massive news stories you hear. So it is definitely a scary thing, even though we mock it a little bit, but it is pretty crippling for businesses. What is your advice around maybe best practice for small to medium sized businesses around cyber awareness? That’s a big passion you’ve got, for businesses and personal users. For a business, let’s say a hundred people in the business and they have one in IT and an outsourced provider, but the actual education piece, is it just have a monthly thing go out from the SharePoint form? How often should you do a phishing attack, and what does best practice look like for security matters?
(27:35):
I think from my perspective, from what I’ve seen, generally most corporates do that: you’ll get your video once a month or even once a fortnight depending on the organisation. And some of them are funny and some of them really bring people in and engage, but I don’t think that on its own is enough. I think what we need to do is probably, once every six months or once every 12 months, bring in someone to actually do a conversation or a workshop and interact more directly, and not necessarily go over the same kind of stuff. That would be boring; they’ll zone out. But maybe tell them a few stories and break down how things would really happen in the real world and engage them a bit more, get them to have some of the conversations around what they’ve seen. It’s a little hard to get them to open up, but I find, yes, given the standard basic kind of awareness, MFA’s on, what are you doing with passwords, can you spot these kinds of scam emails? Yes, they’re all great and we need to keep drumming that in until they actually remember it, which for someone that’s not technical, a lot of that stuff takes a while to settle in. That’s not their normal space. And I think two things probably: we’re not reinforcing it with some more interactive kinds of conversations like the workshop style, and then I think we need to do a bit more targeting, because those sort of videos and that training are just very generic,
(28:50):
Generic.
(28:51):
So I would say if it’s an accounting firm, make sure that you do some of those workshops and target it around the wording and how they would say things, and more specifically around how they do business, and approach it so that it’s still in their standard flow of work and what they would actually recognise in their day-to-day. Make a scenario where they would go, this is what I would do in my day job. And then make it a story where someone gets caught out somewhere in that process, so it goes, oh hang on, this could really actually happen to me. So you need to get that personal buy-in somehow, not just the generic look,
(29:21):
But how do you do that though these days? Because most of the platforms you can get, they’re all pretty generic, and sometimes you can customise it for the accounts team and those other things. There are solutions out there, but the majority is fairly cookie cutter, so you can do it at mass and keep it up to date, because phishing and so on, scams are evolving in the way they target and so on. If it’s tailored as well, I mean, who’s going to create all this kind of content? How do you make it tailored? I think
(29:49):
It’s the two things. You have to have probably someone come out. So you would have your standard sort of awareness, you would get your monthly feeds, have that content come out. Some of them do a little bit of customisation depending on the industry, which is great, but keep that process going, keep that on. But once every six months or 12 months, get somebody out, that can actually be from the security team that works with and helps your team, and get them to do a workshop or do a scenario, and make sure it is in as little jargon as possible. Which is not too easy sometimes when you’re actually talking about security people coming and doing these things, but you need someone that understands the process and what will happen, but someone that can actually speak the right language to translate a little bit, make it a bit more friendly, but make it that interactive style, but make it in person, bring them in.
(30:39):
I find it’s better if they’re not too large groups; they’ll open up a little bit more. But depending on the size of your organisation, that makes it a bit harder and you might need the larger size groups. But yeah, definitely a combination of both: in person, actually physically get someone to come out and have that kind of conversation. Depending on the organisation, it’s going to cost a few thousand dollars probably to get someone to come out if it’s from an external place. But I think with the investment and crossover, you’ll actually get more buy-in and you’ll get more interaction, particularly if they understand that personal risk to them. And I think that’s one thing I always encourage, because in the general training and awareness that you do, it’s always essentially focused around the business, which it needs to be, around your day-to-day business operations.
(31:21):
But in, say, some of those workshops and some of those other training interactions, if you can give them a connection to help them in their own lives, it’ll give them more of a buy-in on why they need to understand the awareness education and the risks and what’s happening. If you can make them safer at home, you are making them safer at work. So it’s a kind of win-win situation where you can invest a little bit in helping them understand how to be safer at home but also safer in the business. So it’s trying to find that right balance in the middle.
(31:50):
So your advice is at least annual if not six-monthly, ideally small groups, have that in-person kind of training, focus a little bit on the personal side, not just the business side, and then still do the regular cyber awareness email out: this is what a phishing email is, this is what a master domain is. On that side, what are your thoughts in 2024 around the simulated phishing attacks? How frequently should you do those?
(32:17):
I definitely think they’re a good idea. They kind of set a benchmark. I hate how I’ve heard a few organisations use them as a bit of a stick kind of thing when people click on things. I don’t like that approach. I think it’s more around understanding where your risks are a little bit as an organisation, so you know where your vulnerable groups are so you can do a bit more of a targeted training to suit those. But I would say at least every year, probably every quarter at least, do some sort of simulation testing and send it out and see the statistics, where your groups are, which different departments are a little bit more susceptible. I always find marketing, not to pick on marketing, but they always seem to click a bit more, but it’s because they get more stuff too.
(32:58):
So they’re used to getting a lot of volume usually of random reach-outs and things like that. So I found sometimes they will click a little bit more than others, but if you can find the right balance and help them see the cues, they’ll be some of the ones that quickly learn. So they’ll reduce that number quite fast. But yeah, target down on which individual departments, find what they’re susceptible to, tailor a little bit more to target and see how they respond to certain things. And then you can do those custom workshop kind of things on that particular department and go, don’t name anyone, don’t shame anyone, but go, hey, here’s a new type of scam coming out and we are going to teach you how to react to this and how to spot them, and just tailor it more specifically to the things they’re susceptible to and do a little bit more of a personal approach.
(33:46):
Yeah, that’s great advice. Every business can tailor it to individuals, but the more you can do, the better. But I think the key is just putting something in place for your employees to get a little bit cyber conscious. Something we’ve seen is the frequency we hear of attempts of phishing attacks trying to get in, and a lot more around third party supply chain risk. A company they work with, one of the suppliers or something, gets compromised and they get an email back and then it kind of goes from there. It’s a
(34:15):
Vicious circle, isn’t it?
(34:16):
Yeah, the chain kind of goes around. It’s pretty crazy. So you need to stay pretty alert, and even if it isn’t a trusted source, you’re still going to be wary of what links you click on, that kind of stuff these days.
(34:28):
Particularly around that AI. If you’re talking about the advancement in the AI functionality, a lot of the time, particularly with phishing kind of emails, we would show the points you would normally pick out: the bad grammar, the way things are formatted. With the malicious actors’ capability with some of that AI tooling now, even so, there are some theories that they deliberately made them to drop the low hanging fruit, they made them in that bad sense, but I think it was just not their first language. I think a lot of the time it was just the way it was. But now with some of those tools, they’re making them a lot more like the real ones; the functionality and the grammar is almost perfect. So I think they’re going to be a lot harder for us to spot. So I think, yeah, we’re definitely going to have to adapt a little
(35:08):
Bit. Yeah, got to improve in that space, which is good. There’s companies like Cyber Unicorns, right. True segue. Let’s pivot back to the book writing process now. You’ve written six books now. Maybe just elaborate on the process that you go through when writing a book and how it’s evolved over the years. Obviously your first one would’ve been different to writing the one that just got released two weeks ago.
(35:28):
Yeah, very different. Particularly the first one I wrote. The Hacker I Am series, the first two books, were self-published. So what I created, I think it was 50 topics in each, and they were just around specific cyber topics, just because I hated cybersecurity books, so I literally wanted to remove all that jargon we were talking about before and make it more approachable. So they were, I guess you would say, easy for me to write because they were my natural topics, my natural way to write things. And I’d been doing cybersecurity articles for a little while once I started that first book. So it was a natural one. But when I decided to do the first novel, the hacker novel, I think I was quite nervous. I wasn’t sure how I was going to go, particularly around the memory of trying to push everything in and the spider web I had a plan to kind of make, and I’m going, I’ve got to try and remember all this and make sure it all lines up. But I was a little nervous, but literally I wrote Foresight, the first one, in three months in my daily train commutes. Really? Yeah, literally the place I’ve written probably the most of my books is my daily train commute from the north side down to the city. It was literally, I could write a chapter basically from getting on to getting off. It was basically a draft. I would just sit down,
(36:40):
You just, headphones on, laptop on, and just whack out a chapter.
(36:45):
And literally when I started the book, the process, what I do is, I think they call it, there’s three different types of writers. I think there’s a pantser, one that does no planning at all, and then there’s one in the middle, I don’t know what they call it. But then there was one that particularly maps out every single detail before they start to write. So I’m in the middle. So what I do is literally I would write the first sort of 20 chapters, I would write probably a sentence on each of what I wanted out of that first half of the book in those first chapters. So it was like, roughly I want this to come out of each of these chapters, and then literally I would write, and then once I got to that, I guess you would say, halfway point of the chapters where I form, this is roughly where the story would get to by here.
(37:26):
And then I go by gut and write how I feel and how I feel the story is forming and coming together, which sounds a great idea and it actually flows quite well, but it’s a bit of an interesting way to do it. And I’ve talked to a few other writers and they go, oh, that’s an interesting way to do it. I don’t know how you do that. But literally that’s how I write. And apparently I’m told that writing in current time, in first person, in the mind of the person that the book is about, is one of the hardest ways to write, which I didn’t know until after I wrote it that way.
(37:56):
Okay, right. There
(37:58):
You go. It was a little funny. But yeah, literally I was writing them, basically those first two or three months each, approximately. Wow. And literally, it’s interesting, 12 months for the editing process. So the editing process takes longer than the
(38:09):
Actual. 12 months for the editing process, 12
(38:10):
Months to do it, to turn around until it’s published.
(38:12):
It’s a long time, honestly, writing any cybersecurity book. Things change so quickly; editing a year long, that’s crazy. So we’re almost at time. I wanted to start to wrap up, but maybe next, what’s the plan long-term with Cyber Unicorns? Is it just yourself, and you mentioned your partner, have you got other people as part of the team already? Do you want to build it up to be a fully staffed consultancy with 20 employees in a year’s time? Or are you planning on staying small, doing your passion project on the side, back to educating personal people? What’s the plan?
(38:45):
I think probably there’s two of us at the moment. We have two contractors that do a bit of work for us as well, on an ad hoc basis. But I think short term, probably over the next 12 to 24 months, it’ll stay reasonably small. I want to do a bit of a push for that cyber education spike. So that’s the focus, I guess, to start with. But I think the consulting side I’ll grow a little bit, just probably sticking to that vCISO, more helping those smaller, not-for-profit space. But I don’t think my plan is ever to be 20 or 50 strong. I think I’d like to stay that sort of smaller organisation. Maybe if the education side goes really well, maybe grow that space, do a lot more education, because particularly around schools and the small business space, I would love to do more in that and help uplift that maturity. I’ve just got to get my online platform to fund that and that’d be nice. Yeah, yeah,
(39:37):
Yeah. That’s exciting. And you said that was getting released, how far away was that?
(39:41):
So the online platform itself, like the web portal site, it’s now available. It’s basically 9.99 a month for mum or dad to sign up, seniors to sign up, for a month, or 99 for a year. And the mobile app version of it, which I think will make it a lot better, I think the functionality and the capability and just the fact that you can take it with you anywhere you want and do some education. I think the mobile app is about three to four weeks away, as long as there’s no holdups in the publishing side with Apple and with Google; that process isn’t always easy to get through. Yeah,
(40:13):
Yeah. How are you incentivising people? Big thing in business, right, it’s trying to get people to actually do the cyber awareness training. How are you going to get individuals to get buy-in to do trainings, to engage in the platform and do all the modules and so on? What’s your strategy for that?
(40:29):
I think generally it’s probably doing some of those workshops. I’d like to get involved in some of your Rotary and things like that and try and get out there and provide some of those initial workshops on cyber education and go, here, to extend your lessons and continue learning, here’s a subscription, maybe even discounts and stuff like that, to try and bring them in. But I think, although it sounds slightly weird, I’m not that concerned if I don’t make a lot of money from the education platform, as long as it’s covering itself and I can keep continuing to grow that education space. I think as long as I can keep putting food on the table and it keeps covering itself, I think that’s more my mission, and pushing it out into those groups that really need it. Particularly that senior space and your mums and dads, they sort of don’t know a lot.
(41:12):
They don’t really know what they don’t know, I guess, at this point. So I’d like to really push that as much as possible. And I think the workshops is how I’m going to do that. Try and get in with Rotary and a few others like that to try and help spread some of that knowledge and that education. But I think my other general plan is I’m going to join up with a few not-for-profits and help provide licences through to some of the vulnerable groups and stuff like that. But I think I’ve got to build up the consulting side to fund some of that. But that’s more my philanthropic kind of side thing. I’d like to help push some of that licencing and use the platform to push that passion agenda, I guess you would say.
(41:49):
Yep. Awesome. Well, we’ll have to get you in in another maybe six or 12 months and see how it’s all gone with the launch of the app as well and the platform.
(41:58):
Fingers crossed it goes well,
(42:00):
People listening, he’s crossing both fingers, so we’ll have to get you back in and see how it’s all gone, and then maybe we’ll be on book seven or eight by then, we’ll see how we
(42:08):
Go. I’m writing number seven now, so you’ll see, and I’m already starting to put the thoughts together to do a teenage version of my primary school age kids’ education one. So I’d like to cover that slightly older market group as well.
(42:21):
Yep. Awesome. Craig, thanks for coming in. Appreciate it. Good to catch up.
(42:24):
Thank you. It’s great chatting.