Voicemail from Cyber Criminals & More with the Godfather of Cyber, Darren Hopkins

Posted on March 29, 2023 in Cloud

In Episode 023 of REDD’s Business and Technology Podcast, our hosts Jackson Barnes (Head of Business Development – REDD), Brad Ferris (CEO – REDD) and Nigel Heyn (Founder – REDD) interview Darren Hopkins, Cyber Partner at McGrathNicol, who has over 30 years of experience protecting against and responding to cyber threats throughout Australia.

We gain valuable insights from Darren’s experience in cyber security, covering a range of topics: the evolution of cyber security, threat actors, whether internal IT teams can cope, what questions you should ask to know if you are safe, and how to keep your business safe in 2023.

If you are looking to keep your business safe from cyber threats, contact REDD here!

Recorded Wednesday, the 22nd of March 2023 


00:00:00 – Start 

00:00:21 – Intro 

00:00:40 – Darren Hopkins’ career background

00:02:40 – What is a day like for Darren? 

00:02:54 – Incident response practice 

00:03:52 – Ransomware Event 

00:04:31 – Threat actors getting upset for the lack of response 

00:06:47 – The goal of threat actors in these attacks 

00:08:18 – How often do threat actors reach out?

00:08:47 – Ransomware using a darknet site

00:09:47 – Considering paying the ransom in ransomware attacks

00:11:07 – Ransomware attacks business model 

00:12:23 – REvil group

00:14:20 – How many of these cyber criminals actually get caught? 

00:16:56 – Involvement of the police in these cyber attacks 

00:18:02 – The biggest threat to businesses in Southeast Queensland 

00:19:32 – Importance of MFA 

00:20:46 – How do small IT teams keep up with cybersecurity? 

00:22:50 – How do businesses approach cyber security? 

00:24:10 – In 2023, what size of business should separate cyber security from the IT team?

00:25:48 – Common root causes of these cyber attacks

00:27:05 – Executives and boards don’t really understand the risks

00:27:42 – What should boards and management be asking? 

00:30:48 – How often do you think businesses should get a third-party review? 

00:33:38 – Good and bad sides of cyber insurance 

00:39:14 – What does a good cyber insurance policy look like compared to a bad one? 

00:42:46 – The longer you are down, the bigger your brand takes a hit. 

00:44:06 – When you detect an incident, the threat actor is still there. 

00:46:28 – What’s the average time frame between a breach happening and the business resuming operations?

00:47:19 – Good disaster recovery and business continuity practices 

00:50:25 – Making sure backups are protected and not at risk

00:53:16 – How sophisticated are the threat actors now compared to 20 years ago? 

00:54:38 – Evolution of the way criminals make money

01:00:20 – Privacy Act 

01:00:45 – What will the future of cyber security legislation and compliance look like in a year or so?

01:03:13 – Government’s involvement in these breaches 

01:03:30 – Australian Cyber Security Centre 

01:05:17 – Three things everyone should start doing to get fit and ready for cyber

01:06:48 – Finish 


If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below. https://redd.com.au  


https://www.linkedin.com/company/redd-digital/  

https://www.linkedin.com/in/jacksonpbarnes/  

https://www.linkedin.com/in/bradley-ferris/  

https://www.linkedin.com/in/nheyn/  

https://www.linkedin.com/in/darren-hopkins-5844469/  


Thanks for watching!  


About REDD  


REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between. 

REDD is a leading provider of the following services:

  1. Digital Advisory Consulting 
  2. Managed Technology 
  3. Cloud Computing 
  4. Cyber Security 
  5. Connectivity 
  6. Unified Communications 


Our Vision  

We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward. 


You can read the full transcript below:

Hello and welcome to REDD’s Business and Technology Podcast. I’m your host, Jackson Barnes. I’m your co-host Brad Ferris, and I’m your other co-host Nigel Heyn. And today we’re sitting down with the godfather of cybersecurity in Southeast Queensland, Darren Hopkins, who’s a partner of technology and cyber at McGrathNicol. Been looking forward to this episode. Darren, let’s start with your background and how you got to what you’re doing now.

(00:00:40):

Okay, thanks Jackson. Godfather’s a little bit, I guess, indicative of how long I’ve been doing this, but if I go back and have a think about my career from day one: IT degree, so I actually did IT at school and came out of university, did what most people would want to do, which is not work and travel. I promised my mother I’d apply for one job. Unfortunately I got that job, which was in Queensland Police, and actually it was in an IT role running a network. So I started with real IT and six months in got drafted into what was the forensic computer examination unit, so the computer crime unit for the Queensland Police, and had a good five and a bit years of just doing that. And it was really at the start of when computer crime and computers were being used by criminals to start to facilitate what they were doing.

(00:01:27):

So of course not something I planned. Tremendously exciting. Did all the things that I shouldn’t have done because I didn’t get the proper training. So that’s an interesting piece. And then I got an opportunity moving to a big four accounting firm to start a forensic technology team for them, seven and a half years with that firm. And apparently last week triggered 17 years with McGrathNicol, and I’m currently the technology and cyber partner that sort of leads our country’s practice. And it has been a very different journey for me because, as you saw, forensic was where I started, which is a lot of work for courts. And then that evolved into more technology, and then I think, what is it, seven to 10 years ago we all started using the word cyber because it was cool, but it was the same, but let’s just use it anyway. So we started to build out a cyber practice as well. And now I’ve got a business which is one third forensic, one third cyber GRC, and one third cyber incident response.

(00:02:28):

So do you want to paint a picture of what you do on a day-to-day basis and explain, I guess, what you do, and then if you wanted to roll into the example you’ve got of a recent interesting piece of feedback you got from a threat

(00:02:40):

Can do. So, look, it is random, and that’s the thing about consulting. You can definitely not expect the same day to follow from where you were last week. But in our incident response practice, and that’s the area that I get most focused on at the moment, it’s just basically supporting clients who’ve actually had that worst case scenario happen. So some type of breach or incident that has left them exposed; they need help. And we often get called in either directly by the client because they know us, they’ve heard of us or they need some help there. Or if they’re lucky enough to have cyber insurance, an insurer may pull together a team for them and we would sometimes get pulled in as one of those teams to support them. So I tend to live in the world of crisis. It’s not good for my blood pressure.

(00:03:23):

I get to live everyone else’s pain on a regular basis, and my whole team doesn’t generally get to understand what a five day working week looks like. It rolls from five days to seven days, to midnight, whenever it is. But yeah, what I brought along today, which I can play you, is something I managed to keep through one of our jobs. It’s an interesting, I guess, indicator of what we’re really dealing with these days, and what it was was a ransomware event. Now for me, I say just a ransomware event; we get to do a lot of ’em. So for me it’s not too exciting, but this one was different. This was a business that didn’t want to engage or talk to the threat actors, the hackers, in any way. They were very much: the criminals, we’re not interested, we’ll just go about getting things working back the way they were.

(00:04:15):

So that’s a little bit unusual, because quite often you’re curious, you want to find out who it is that’s attacked us, what do they want, is there a ransom, how much is it? You don’t know these things without engaging. This client, no interest whatsoever. And you could tell that that was upsetting the threat actor, to the point that the threat actor stopped sending emails and actually found the phone number for the CEO and rang them up, and the CEO saw it come up on his phone as a Russian phone number, freaked out, let it go through to voicemail. We grabbed a copy of the message and it’s actually quite an interesting, I guess, indicator of who we’re dealing with as people. Now the one thing I like about this message is, quite clearly, threat actors are there to help us and they’re nice people. So I’ll play this and we can have a talk about what it is. Hopefully it’ll work nicely.

(00:05:11):

Brett, hi, my name is Melissa. I’m calling you from Quantum Group. If I understand you right, now you or your management are trying to figure out what happened with your infrastructure. I’ll explain that for now. 45 servers are encrypted and 4,000, sorry, 464 work computers are also encrypted, and more than 500 kilobytes of private and internal data of your company has been stolen. So my recommendation is to come for a negotiation, and you should do this at the nearest time; you have so little time to come for negotiation. On the encrypted computers or laptops you’ll find the information on how to get in our chat room. So we are waiting for your management. So please take this message and inform, because as I see now, no one’s phone is working on your website. So as I understand, right now you have big problems and the best way to resolve this issue is to come for negotiation. We are waiting. Thank you.

(00:06:36):

Very nice of them, looking to help them. Lovely.

(00:06:38):

So Melissa’s really good.

(00:06:40):

Yep.

(00:06:41):

She wants to help. As you can hear, the first thing: you’ve just got to negotiate with us. That’s exactly what these hackers want you to do. They need you to engage, to talk, to negotiate.

(00:06:52):

That’s how they get paid, that’s how they get their money back.

(00:06:54):

And look, in every incident that we see, people say, why do they do this? It’s clear, look, it’s financially motivated. Someone wants to make money through this, and this is generally an organised crime group who are behind these things. This is how they make their money. And in this instance, no one had contacted them. The chance of getting paid was looking slim. So let’s just reach out. And from their view, no one’s helping them. You’ve got very little time, can you please reach out and engage and come to our chat room? Yeah.

(00:07:28):

Was that a paid actor, you think, or someone from the company that just five the

(00:07:32):

Oh no, that’s definitely someone from within the company. Oh really? Yeah, yeah. So yeah, Melissa’s Russian accent gives it away a little bit. I think when they’re not using a person local, quite often they’ll use voice actors and other things, and if they’re trying to scam you in some way, it’s going to be a different type of voice. And that came out of a phone number that was registered as a Russian number as well, which is interesting. Normally you try to block that type of thing. Yeah.

(00:08:03):

So how old was that example? Is that years, months?

(00:08:07):

18 months.

(00:08:08):

Okay. And given your history in the industry, is that kind of normal or was it a new phase? When did they start being so proactive?

(00:08:18):

Most people actually in some way reach out, and this is it. It’s a bit different now. In the early days of ransomware, you’d have this desktop wallpaper get changed and then your screen is bright red with a countdown timer ticking, and it’ll say you’ve got to pay us this many Bitcoin and you’ve got this long, in your face, here’s how you make a payment. And that’s what it is. That doesn’t happen anymore. So what you now have is there’ll be a note left on the desktop or in the folders that are impacted. It’ll just give you a link to a darknet site where you can go off and visit, and that’ll be your personal page. So you’re quite privileged, there’s a page for you. You don’t want that page, because that page is basically saying, what have we done? What have we got? There’ll be examples of some of the screenshots to show they’ve been in your system, and then literally there will be a chat box. And it’s just like if you go to a website and then someone down the bottom pops up, can I help you? That will be there for you to start to type and engage with them. And then you can have a conversation. And the first question would be, okay, what’s it going to cost me? And it is a negotiation, not, it’s X or nothing. They all say, well, we think it starts at 10 Bitcoin,

(00:09:31):

So you probably don’t recommend this. It’s like the we don’t negotiate with terrorists kind of thing. But if you did negotiate and you did decide to pay because you didn’t have backups or whatever, in your experience, do they then honour their word, so to speak, and give you back your data? Have there been instances where you have paid the ransom and it’s worked out favourably?

(00:09:51):

I’m on the don’t pay camp. That’s my law enforcement background coming out in me. Yeah, they’re criminals, but it’s not necessarily illegal to pay. There are reasons why sometimes you can’t, like if they’re a sanctioned entity, if they are a terrorist organisation, that’s it. You don’t have to worry about making a call, you’re not allowed to. Oh yeah,

(00:10:07):

Right.

(00:10:08):

Yeah. But where it does go is there are going to be circumstances where a payment is a prudent thing to consider. And I’ve actually seen instances where businesses could go insolvent if they didn’t pay. They’ve lost their backups, everything else is encrypted, they don’t know where to restart. Their managed service provider can’t help them at this point because they’ve lost control as well. So you’re at that point where, well, if I want to get my business back up and running, I need these files restored, so they’re the only ones that can help me. So to your point about honesty, it’s a good one, because in one way they need to be honest. That’s their business model. If you’re going to pay, you’re going to get your stuff back. They want to make sure they don’t share your files publicly. You get your keys to unlock all those files.

(00:10:54):

I’ve even seen them give a report as to how they got in. Here’s a little bit of free network security for you. Oh really? Yep. Yeah, we’ve got reports saying what ports they’ve come in on and how they’ve exploited us. Wow. And that’s their business model. So they do want you to believe that they’ll be honest. We have seen instances, though, where they’re not always honest. We’ve seen instances where people get extorted three months down the track after it’s all over: oh, we found another backup. Do you want to pay us a little bit more money for that backup, because we’re thinking we might just auction it. And when we go through these processes of negotiation, you quite often will have statistics. So if we’re dealing with a known criminal group, LockBit or somebody else who’s out there, you’ll get stats: in the last hundred negotiations that a group has done, they have never not given you the keys. They’ve assisted where they can, they haven’t extorted and they haven’t published your data if they said they wouldn’t. So they’re a hundred percent honest criminal organisation,

(00:12:02):

Crazy how professional they are. Now they sell themselves as these professionals, give you advice back and polite phone calls. It’s a business to business transaction where they’re actually criminals. Well, the big lost

(00:12:13):

Look, but you said, Darren, it was a billion dollar enterprise, isn’t it?

(00:12:17):

Well, they’re getting there. Yeah. So early days, some of these groups wanted to be billion dollar enterprises. I think REvil was one of the big first ones when I first started doing a lot of ransomware; we saw a lot of REvil coming out there. You know, you can tell they’re computer nerds. It was based on the Resident Evil franchise. So they must have liked the series, so they called themselves that. But one of the things that they had done is that they were very professional. So one of the first groups that really thought about how do we build a network of affiliates that will work for us, and we’ll be at the top of that tree providing software support, R&D, payment processing gateways, all of these things that they provide to their affiliate groups. And then the affiliate groups will go off and do a lot of the work.

(00:13:05):

Sometimes you used to have REvil being the actual threat actor themselves. I’ve done a few where it was REvil and not an affiliate. Quite exciting for our team, we’re up there against the big guys. And we’ve seen some instances where they were very successful, they were very good at what they did. We’ve also seen some instances where they tried some new things that didn’t work. So they are still a team of people trying to pull this off. One thing that they’ve got, though, is budget and funding. I remember one matter we had where in the end a decision to pay was made, and it was about 7 million US. So a significant amount of funds paid. Wow. And we got to track some of that crypto because it was paid in Bitcoin. So we could follow the wallets and we could see all of the money split off, and you could see the smaller group getting individual wallet payments. And then we saw some of the money sort of filter back down into the darknet and eventually sort of move right across the chain into the big sort of wallets that were for REvil. And the aggregated amounts coming through on some of these days was hundreds of thousands of dollars to millions of dollars every transaction, multiple per day. So you could see how much money they are making.

(00:14:19):

So from your background, how many of these cyber criminals actually get caught? Is it none? Is it a very, very small amount?

(00:14:27):

Hardly any. Yeah, you’ve seen some of the local examples get caught, usually insiders though. Yeah. Yeah. So it’s not necessarily the big threat actor. We saw that young person have a go at scamming after the Optus issue, downloaded some of the data that was leaked and then tried to extort, got caught. You’re not going to do it locally and you’re not going to do it without trying to block your phone number. That was crazy. Big groups: REvil was the one classic example of a group that did get brought down, but they got brought down not because they were caught, it’s because there was political pressure put on the group. So Biden basically asked Putin to end it, to bring the group down. They had evidence to suggest that they were involved in a lot of activity in the US. And soon after, we saw a number of the group that were the Ukrainian side of REvil, because it was an interesting group, REvil. It was Ukrainian and Russian people working together, and there were arrests made in the Ukraine. Then later on the Russians made arrests as well. And that actually disbanded that group, and there’s plenty of press on that. Interestingly enough, the Russians recorded them breaking in and bringing the gang down, so you can watch the video of it coming out. Wow. I find it entertaining, and you see big American guys in SWAT jackets and guns and everything running through the door and taking out nerds.

(00:15:55):

Yeah, yeah.

(00:15:56):

And they’re not big buff guys. They’ve been sitting in front of a keyboard their whole life. So at least little guys getting taken out by big Russian guys was quite an entertaining piece. But that was one big group that got brought down. There’s been internal discussion of other groups taking out other groups for a little while. Some smaller players got in and thought that ransomware is the way to go, but rather than being the honest hacker, they’d get the money and do nothing. They wouldn’t give the keys back, they’d resell the data. They just didn’t care. They just wanted a payday. And then you hear evidence of the bigger groups going, don’t do this. You’re ruining it for the rest of us.

(00:16:33):

Giving it a bad name, no one’s going to pay the ransom.

(00:16:35):

We’ve got a model here. And then they get shut down.

(00:16:38):

Yeah, you’re right. I mean, if people don’t trust that you’ll do what you say you’ll do, then it’s like, well, I’m screwed whether I pay or not, so at least I can keep my money.

(00:16:46):

Exactly. Why is there not more police enforcement across this kind of stuff? And I had a question in front of our clients when we were discussing cybersecurity: oh, why doesn’t the police get involved and sort this out for us?

(00:16:56):

It’s just jurisdiction. The people responsible aren’t here. They’re not in Queensland, so Queensland Police can’t really help; not in Australia, so the Federal Police can’t help. I guess we have ASIO and the Australian Signals Directorate, but a lot of those functions are there to protect the country. So they’re there to actually make sure that we as a country are defended; it’s not their job to go off and chase somebody for a local issue. So you rely on international cooperation to do these things. And look, there’s examples of when that works, and the Federal Police have had task forces out there as well. But it’s really difficult, because the countries they’re in, there’s no extradition treaty, there’s no rightful way for them to go in and actually do this. So they’re sort of beyond the law.

(00:17:40):

So protection is the name of the game

(00:17:42):

Prevention. So with that, I guess businesses in Southeast Queensland are getting more and more cyber conscious with all the big breaches that have happened, QUT last year, and there was Optus and Medibank last year. It’s gone pretty rampant from what we’ve seen on the technology side in Southeast Queensland. With all the recent attacks that have happened, what do you think is the biggest threat to businesses in Southeast Queensland?

(00:18:05):

Well, look, yeah, it’s countrywide, isn’t it? And those examples in Queensland, I think they always come home when you think, oh hang on, that’s a big organisation which probably has a pretty big budget to deal with these things and I know they’ve got a big IT team, so how did it happen to them? And that’s the same with those other examples. What shocked most of us is how big those organisations were, and what chance have we got if someone of that size can’t get this right. What we tend to see, though, and the threats that sort of present themselves most of the time, it is the basics that are getting exploited. It’s not super sophisticated hacking attempts that no one can sort of defend against. It’s always someone hasn’t done something, has made a decision to not invest in something.

(00:18:48):

Wasn’t it Optus who said it was a sophisticated attack and then got ripped to shreds basically because it wasn’t? Was it Optus?

(00:18:54):

Highly sophisticated threat actor and attack. Then the minister came out and she clearly said it wasn’t that sophisticated; you left the back door open. And in most cases that’s what happened. Look, we would normally see it’s someone makes a mistake, someone doesn’t do change properly, or they’ve elected to not take advice, and that’s a big one.

(00:19:18):

MFA.

(00:19:19):

Yeah.

(00:19:19):

Yeah. There’s plenty of these silver bullets, to be honest. And we joke about it in our industry, because we’ve known for a long time how important these solutions are, and they used to be a lot harder to implement than they are now. They’re literally built in. MFA: five years ago MFA on 365 was hard. Now it’s on every single Office 365 license, MFA’s included. It’s just there. And even if you paid for the smallest version of that licensing, you can turn on the security basics and it’s there and it’s on. Yeah. So it’s really hard now to justify when you don’t do things, when a lot of it’s just available. You just got to ask someone to turn it on and make sure it works, right? Yeah, it’s

(00:20:04):

Included in the licensing, but you’ve got to pay, I don’t know, an implementation fee potentially if you don’t have the skills internally.

(00:20:11):

Or you can pay to make it better. That’s the other thing too. A lot of these things,

(00:20:15):

Yeah, there are a lot of businesses out there still that don’t have MFA on, which is a problem, but it’s very surprising. I’m sure you see it, right? Businesses who don’t have MFA on that get breached, no doubt. So to get our insights out of you: so you’ve got an internal IT team with two or three people. One thing we noticed recently is because technology’s so broad, it’s hard to get a specialist to work for managing endpoints and applications and infrastructure and cloud and cybersecurity. Say you’ve got a two-person internal IT team, how do they keep up with cyber security?

(00:20:48):

I tend not to, where you see the couple of people in-house who are employed to support IT. Their role should be to make sure that the users, they understand what the business needs so they know what IT support they need and what technology and innovation the business wants, and they’re the champions of that. They should be managing an external provider or cloud providers or others who are helping them, because they can’t do it all themselves. We’re kidding ourselves if we think that cloud systems actually made life easier and there was less work to do; it’s just we have to now manage others and ensure that they’re doing it right. And security, look, it’s different to technology. If you go off and have a look at either people going through university now or people going through the various certification programs, you choose one or the other. It’s not IT and security; you go down a path of technology and you learn how to be a technologist or a sysadmin or something else, or you go down a path of security, and it’s quite different skillsets. And normally to think you can do both is wrong.

(00:21:59):

I think an interesting point too: we had a CFO on the show a couple of episodes back, from Hogan actually, Chris Lowes, and I think also from a business director, corporate level, finance level, not only are there different roles, but they probably sit in different areas of the budget and you have to budget accordingly. Because it is definitely an issue we have, and I would like to get your thoughts on this after, where it’s not budgeted for. Probably up until this point it’s still sitting in that IT bucket, and then they kind of get to a crossroads and, well, how are we going to pay for this?

(00:22:35):

I think when we have a cyber security conversation with a business, a lot of the time they go, oh, speak to our IT manager, speak to our CIO, that kind of thing. Is that not what they should be saying internally as a business?

(00:22:47):

It’s common, and the size of the business is going to determine how they actually approach security. So small to medium size business, it’ll be all bundled together and they probably don’t have formal roles in their businesses to own these risks. So it is what it is. But when you get to a certain size, when you’ve got a CFO and you might have a CIO, you know, where does that risk sit within the organisation? And the one thing security is supposed to do is keep IT honest. One of the things that they’re there to do is actually to make sure that things haven’t been missed accidentally, things are getting done the way they’re supposed to, are the accounts being provisioned correctly? So they’re there to be that auditor

(00:23:25):

Internal audit

(00:23:26):

And also be that specialist group to advise that team on how to do things better, so they work together and at the same time support each other differently. When you get bigger, though, you’ll start to see the security piece stand on its own. Chief security officers, chief information security officers will sit next to a CIO with different roles, and quite often security won’t report to IT at all. Security may report either to risk or to a CEO directly, quite clearly separating out those roles.

(00:23:57):

That’s definitely where it’s going. But right now in 2023, what kind of size business do you think should try and separate their cyber team from the general IT team? A hundred users, 200 users, a thousand users? What are your thoughts, Darren? Oh

(00:24:10):

Look, it’s based on the size and maturity of the business. It’s not a small business, though, that makes that type of investment; cyber resources aren’t cheap, especially if you want senior resources, because with senior resources should come a team. You know, just go off and appoint a chief security officer, you go, here’s my chief information security officer, I’ve got that person and that role; if they don’t have a team under them, they’re not doing very much at all. So you need to make that huge investment. It’s not until businesses are at hundreds of millions of dollars turnover that they really can start to think about that. You’re better off otherwise focusing on your technology needs and outsourcing or bringing in those skills where you need them. Because generally, early days, you probably don’t have enough work to fill two roles.

(00:25:00):

Yeah. So you mentioned earlier one of the reasons people get breached is they don’t take advice. So I’m curious, in your IR role, when obviously you go through a lot of these, and no doubt there’s a debrief after, or when you’re concluding, how did we get here? Why did this happen? Obviously there’s generally a technology reason, or they’ve gotten in somehow, but when you kind of wind it back a little bit before and you start looking at the decisions that maybe got the business to that point, I imagine, maybe or maybe not, they’ve had advice and they haven’t acted on that advice. Is there a common theme as to why? Is it around the cost? Is it around misunderstanding? Is there a theme?

(00:25:48):

Yeah, look, there absolutely is. So what you’re talking to is one of our jobs is root cause: how did it happen? Yep. Because we’ve got to be able to fix the issue before we go too far. And then that lessons learned piece at the end, you sort of sit down and say okay, what have we learned here? What do we need to change going forward? What are the recommendations or observations that we can share with that client? And that always tends to happen. And we do ask the questions: was there a reason why this wasn’t turned on or why things weren’t done? And sometimes it’s a budget, and you might think that they’re not giving money to security. It’s often not that; it’s that people want to spend the money elsewhere, they want more shinies that do more things, and security’s okay, but I’d rather spend budget in other operational areas. Or they haven’t actually asked.

(00:26:37):

I’ve seen a lot of instances where the IT teams aren’t actually pushing for security; their boards or their management teams aren’t really asking much about that. They’ll say, look, are we okay with security? And they’ll get the, yeah, I think we’re fine and there’s no problem. We’ve got great antivirus and we’re in the cloud so yeah, we’re fine, and therefore the conversation doesn’t happen. And often executives and boards don’t actually really understand the risks that exist, dunno what questions to ask and they’re not actually getting the right information from their teams. So I’ve seen a lot of instances where post an event it’s gone, we get a struggle here, you’ve made all these recommendations and the board comes back and says finally someone’s actually going off and putting a reasonable plan in front of us to alleviate the risk that we as directors have and answer the questions we’ve had.

(00:27:33):

Which is, we ask you, are we doing everything we need to do? We usually get the yes. What should you be asking then? But there’s no detail. And that’s a good question. So what should boards and management be asking? Well, ultimately there’s an education piece there as well. But if we just start with the basics. So to your point, what are the top five things I’ve seen that cause a breach? And IT hygiene is all five. What I would almost consider basic things that we can do. So are you doing your patch management right? Are you keeping up to date with all of your software? One, because if you don’t, you’re eventually going to get caught out in a vulnerability. Have you turned on multifactor on the external ways you get into your system, email, remote desktops, whatever it is? Three, do you manage your administrator privileges correctly, those gods that live in your networks?

(00:28:28):

And the reason they’re so important is because the first thing a threat actor wants to do is get an admin account. Absolutely. Because with that admin account, they’ll undo all the good work you’ve done. And we see that all the time. You put on all these great systems and processes and you’ve got this great technology and then the threat actor comes in and says, find me admin, there’s one, great, uninstall, turn off whatever they need to do because they’re a god in that network. They can do those things. So managing those things is really key. And then you start to go through just some other things. Keep up with your investments. In the past it used to be, well I’ve bought Microsoft Office, we’ll let it run for 10 years. I know that there’s a new version, I don’t want to have to buy another operating system.

(00:29:13):

Windows 7’s still nice, we can use it and it still works. So why do we need to do that? And we won’t fix it until it breaks. That mentality in security is going to absolutely bring you down. And we see that all the time where legacy, the things that are old and not up to date, are the absolute root cause. And at some point I’ve seen someone say, hey, we can replace all these servers. And management will say, well how long will they run if we don’t? Now I’ve seen IT teams stupidly go, well I can actually get an extended gold license for a bit more warranty and it’ll take it out for another three years. And they go, oh great, we’ll do that, without saying no it’s not. Can we keep it alive? It needed to be put down three years ago, so let’s just all get over it and go get a new puppy.

(00:29:59):

It’s an interesting one, understanding your risk for your business and, you know, you dunno what you don’t know, but boards can’t just go, oh well I didn’t know, my management team didn’t tell me; their job is to understand the risks. And probably another thing that we would encourage but don’t see people take up as much, it might depend on the size of the organization, but getting a third party review to flush out those things that you’ve said for that organization, at least I think that’s things boards should be looking at. I mean yes, you’ve obviously got to work with your management team, et cetera, but you need that independent assessment I think to really understand that risk. Because I don’t think ignorance of technology or ignorance of security is really, it’s not an excuse under the eyes of the law. So

(00:30:45):

Question on that then. How often do you think businesses should get a third party review and what types of reviews would you recommend for those businesses?

(00:30:51):

Good question. On your board piece, I don’t think there’s any board member at the moment that wouldn’t have a view that they are definitely responsible for good IT security, information security. It’s been made very clear by ASIC. It’s been made very clear by organizations like the Australian Institute of Company Directors. So there’s so much out there at the moment, and ASIC has even pursued businesses now and their boards for not doing enough in this space. So when we’re talking about reviews, most businesses haven’t done one. It’s a perfect way to say, okay, let’s just work out our current state. What are the gaps at the moment? So what should we be focusing on first? What are the things we haven’t done in the past? What are the recommendations against something that is good practice? It doesn’t have to be so difficult that it’s impossible to deal with.

(00:31:40):

You just choose good practice and you do a review, and that will then give you, generally you can choose something that gives you a score. Scores are nice because scores then let you go off and see how you’re progressing, and you can sort of go off and actually have a look at, oh, I’m going to build a two year plan and it’s going to be every six months I’m going to rerate myself or check against that. Am I improving? And also, if you do one of those reviews, you should land with something that’s usable. So a bit of a roadmap. Something that lets you actually make decisions, where you can take a piece of work or a program of work or even a strategy to a board and executive saying, look, we are here. It’s not great. We want to get to here. We want to do it in two stages.

(00:32:23):

We’re going to need some help. And when you start to do that and actually outline it, what a review will tell you will be the individual things you need to do. So start with this, just do this project. It’s foundational, it’ll give you some insights, it’ll make it safer. That will let you then do these three things here. All of a sudden that’s what management and boards are used to seeing. They see it from finance teams all the time. They see it from their HR teams all the time. Now you’re talking the same language as the rest of the business does when it talks about risk. So we’re just not doing enough of that. One thing I am told by boards all the time is every time IT turns up they’ve just got their hand out for money and they want to buy something. There’s never any discussion around why they should buy it, how it benefits the business, how it minimizes risk, how it actually enables them to do something. It’s always just come in and I really need this. And they tend to trust them and they get their budgets, but security falls away because of that.

(00:33:19):

That could be a number of things. So Darren, just on the security side, something we haven’t touched on is insurance. So one thing that comes up in our conversations with clients and prospects is, look, they see cybersecurity and cyber insurance as the paracetamol to their problems, but it’s far from that. Can you talk a bit about, I guess, the good and bad and everything that’s insurance?

(00:33:40):

Look, years ago I’d almost agree with that comment. You could get cyber insurance so easy. It was so cheap. It was one of the things, well hang on, you get to cover a couple of hundred thousand dollars worth of loss for $50. Yeah, I’ll take that every day. It’s not that now; it’s difficult to get cyber insurance to start with. The expectation from an insurer is that you’ve actually got your house in order and you’re doing things the right way anyway. So they’re not protecting you from being bad at this, they’re protecting you from a risk that may occur. And that’s obviously when they’re looking at you, they’re sort of weighing you up as how much risk do you bring to them? And the other part is what do I as a business need by way of insurance? We do a lot of insurance work, so I can attest to the value of a good policy and I’ve seen instances where insurers have covered tens of millions of dollars worth of loss through cyber events.

(00:34:34):

So it’s not just the cost of dealing with the event, it’s obviously that protection of your income through that process, that disruption, that’s covered. So it is covering a whole lot of issues that sort of pop up, but right now I’d be suggesting it’s hard to get good insurance. Policies have changed, the market’s got hit really hard over the last two or three years because of the big breaches, and these big breaches cost so much money that it just makes it even harder for the rest of us to either get it or hold it. Yeah, I’ve heard of stories recently where clients have turned down a policy for $6,000 that would’ve had more than a hundred thousand dollars worth of coverage. And you think it seems like a no-brainer when you start to realize what an incident costs, and you’re not going to get out of an incident for very much, like a business email compromise.

(00:35:29):

Someone loses access to their mailbox. If it is just as simple as you lost their mailbox, thankfully there was no private information in it, no PII, that sort of links you to the Privacy Act and some obligations, just working through how it happened, securing it, doing an investigation. So should someone find out and ask you questions, you can answer them. And dealing with your privacy issues to make sure you don’t have an obligation to report can cost you anywhere from seven to $10,000. And that’s just for someone losing access to a mailbox for even minutes. But when you talk about big data breaches, it depends if you have a privacy issue. So if you lose access to information that has private information attached to either your people, your employees or your clients, you’ve got a whole lot more obligations and your teams are massive.

(00:36:22):

You’ve got legal teams trying to help you out with those issues. You’ve got forensic teams and cyber teams trying to help you recover IT resources. They don’t stop 24 hours a day. All of a sudden your managed service providers are being asked to bring teams around that will not stop until you’re back up and running, comms, media, all of these things come into play that cost you money, and that’s what your insurance is covering. And if you haven’t got those people, that’s what your insurance is giving you. So I’m a big advocate of good insurance, but what I try to tell clients is don’t think it’s going to solve your problem. Because if you’ve got a whole lot of issues that you’re just covering up and your IT and security is pretty average, your policy will be very expensive and your premiums will be crazy. Or if you’re not quite honest when it goes through the process of getting your insurance and an event happens and the insurer goes back and has a look and says, hang on, you told ’em you had MFA and you told ’em you had this and you told me you had that, your coverage may not actually work.

(00:37:27):

Have you seen any of that happening? Yeah, I’ve seen denied. Yeah. Right. Yep. Well, part denials for sure. Yep. Yeah, someone has said that a particular system is fully protected and then the reality was that it wasn’t at all. And if you’ve lied on your policy statement to get that, you know, you shouldn’t expect that your insurer has to turn around and say, oh no. Yeah, next time, next time. Be honest and we might increase your premium. Yeah, yeah.

(00:37:55):

Hey Darren, you’ve seen also, correct me if I’m wrong, one was underinsured, right? They ran out of insurance, 40 million on a massive breach that had to get remediated.

(00:38:04):

Look, I think the big breaches, a lot of the time they’d run out of insurance, and I’ve seen that happen quite often. That’s really hard. How do you value how much you’d need? And that’s actually in itself a skill to go off and do a proper evaluation. In the event that I have a major cyber incident, what coverage do I think I would need? Yeah, because it’s interruption costs, it’s IT costs, it’s legal costs, and to build that all up and think about a premium is hard. And then look at your coverage, and insurers won’t cover unlimited, so you’ll hit a cap and then you’ve got to go off and have a few other insurers come in and back up if you need a bit more. And we are talking big end of town here, where 20 million is not enough but 10 million’s hard to get.

(00:38:52):

I’d say a lot of businesses, business owners wouldn’t know how much to cover for cyber insurance because they don’t understand; the non-technical ones of course don’t understand the process that has to happen when you get hit with ransomware or a business email compromise. So it’d be very hard to ask, or even to know what to ask for, I would imagine. You mentioned before good and bad cyber insurance policies. With your experience, what does a good cyber insurance policy look like compared to a bad one?

(00:39:17):

A good policy’s going to cover you for pretty much any type of event. The areas that I think get a bit muddy is when it comes into fraud, and is it a cyber related fraud or is it just a socially engineered fraud? And if it’s a socially engineered fraud where someone sent you an email and you click on a link and pay it, well it’s not really a cyber attack really. You just didn’t do something you should have done. Good policies will cover firstly a team, and a good team, and multiple teams to come in and help you. And you go back and have a look at, okay, well talk to your insurer about who’s on their panels and who are the types of people that might get rolled in in the event that something happens, and make sure you’ve heard of them and that they’ve got some credentials.

(00:40:01):

And also check, if you’ve got a preferred supplier, if you’ve got a team that you’ve known for years, talk to the insurer about, well, can I sub in my own people? I don’t want to use yours. Good insurers will say yes. Yeah, that’s going to be something they’ll do. Also have a look at the fine print around coverage. So the payment of a ransom’s been something that’s always talked about, is it covered or not? Will they cover me actually saying yes to that? A lot of policies still do. So if you elect through a process to make a payment of a ransom, some policies cover that, so that’s something to have a look at. Some policies will cover half of it, co-payment, you pay half and they’ll pay half. You’re both in it together. Some just won’t touch it. There’s fine print to look for as well. Some policies will say that if it’s a nation state attack, you’ve got no coverage. So you want to know that’s the case. And certainly if it’s a sanctioned entity, no one’s going to touch it, so you won’t be able to get a payment, but you’ll still get support. So it’s just understanding what’s covered and what’s not. And then weighing all those things up. Your big insurers in the market all have good policies. That’s what we see.

(00:41:13):

Yeah, it’s interesting, the IR comment you made, because we’ve been through, we’ve got experience with a few of these incidents, and probably that business downtime and what that could mean for your customers, like the type of business you do, sometimes getting money after the fact’s not really going to help that you were down for a week, two weeks. And we’ve seen with different IR teams, some of ’em can be really slow to get going and that’s been dictated by the insurance provider. So I thought that was a good point to consider and probably something you might want to talk to with your wider technology team when you’re making that decision, if someone’s got any opinions on that. Because getting back up online, if you want to get that done as quickly as possible, and if that’s delayed by a week or two, that could be the difference between surviving this situation or not.

(00:42:00):

We’ve got a client at the moment, so they’ve just got insurance and what they’re doing at the moment is selecting their preferred and putting retainers in place with those preferred, so that we’ll actually pick up the phone when they call us because we’ve got a retainer that says that we will. That doesn’t cost anything. It just basically outlines the fact that we are going to be the ones to help them respond to an incident. Through that process is also this knowledge sharing, learning piece where we actually come together to actually understand what the environments look like. What’s your technology stack? Who are your people, what’s your incident response plan, so that if something did happen, we’re not all guessing, we actually know what to do and how to do it quickly and get in there fast. That seems to be something that the more mature groups are starting to think about.

(00:42:44):

To your point about disruption, the longer you are down, the bigger your brand takes a hit. And that’s the thing you’re trying to actually reduce. How much is my brand and reputation going to suffer through this thing? Because the longer and longer you’re not back up and running, what’s now happening is you’re impacting all of the third parties around you and all your clients and all your service providers. It becomes a problem for them. So when it becomes a problem for everyone else that you deal with, your problem gets worse. So when you’re in there quickly and you contain something quickly and you get that advisory piece out and you’re talking to people, you’ll tend to find that those third parties that you deal with and your clients will be more likely to just sort of come on that journey with you and say, Jim, you are not us, but thank you for the updates and keep us in the loop. But when you’re two weeks in and you’re still trying to say that we’re hoping to get something up and running soon, they just lose faith in you and the trust is gone.

(00:43:41):

So Darren, timeframes. So one thing we get is people say, oh, I’m fine, I’ve got insurance, I’ve got backups, you’ve got backups. You know, I’ll do a claim, switch the backups back on. But just talk us through a timeline of the events, because we’ve seen weeks pass before an organization’s functional.

(00:43:55):

Yeah, no, days, hours. What really happens in these, and you would’ve seen this with some of your clients who may have experienced this before, when you detect an incident, the threat actor is still there. So the bad guys are still in the network, so they’re still copying data, they’re still setting up beacons so they can come back in later. They are still active in holding you to ransom effectively. So the more you delay, the more you delay getting started and doing things, the more damage is getting done. And quite often the bigger the problem’s getting. So as soon as you get in there and detect, the faster you contain it, the better. And I mean, hours is preferable, and sometimes it might be just a decision where we all come together and say, okay, well we’re pretty sure that this is who it is. We know what their motives are, we know the way they operate, so they’re going to have beacons in and they’ll be able to come in and out, and we’ve looked at your firewall and we can see that.

(00:44:55):

So let’s make a call, or we’ve got to pull the plug on the internet right now and get them out. Now if you do that in an hour, all of those other issues disappear. You can make a call and you say, okay, we’ve got them out. Let’s start to make some decisions around how we get them out of the network and eradicate them and then get the business back up and running. And then what should happen is those tasks happen together. So you want to be restoring and recovering at the same time your forensics and your IR guys are doing their thing. If you’ve got the situation where it’s just, need to wait for these guys to do their job, everyone’s frustrated. And actually it’s worse, because I’ve seen instances where we’ve been pulled in and we’ve pulled the plug just to contain something. And what we found is that the data was still getting copied, and by killing that copy, they were trying to transfer a massive 7-Zip file. So the bad guys had come in and 7-Zipped all the data they wanted to steal. They started transferring that, we pulled the pin halfway through it, they get nothing. They get half a broken 7-Zip file because the rest of it didn’t come out. Whereas when you’re sitting on your hands, if that had finished, that would’ve been their whole file server transferred overseas. And the next thing, that’s got to sit on a darknet for sale if you don’t pay your ransom.

(00:46:14):

So what is the average time you see for businesses going through that return to operations piece? Say they have a backup and then you’ve got to go in and do the incident response, the forensics, get the MSP or internal IT team to bring the backup back online. What’s the average kind of timeframe you see?

(00:46:28):

Well, it depends on how complex and big they are. You’d like to think that within a week you’ve got good restoration of core services. That’s good practice that minimizes that damage and that harm. And it also means that they’re working quickly. I have seen it go as long as months.

(00:46:46):

So in that situation where you’re getting someone back online, so you mentioned before about when you’re working with insurers and you are the IR team on retainer, you’re kind of preparing for an incident, you get to know the company’s network. Is that the kind of situation where they’re back online in a week, when they’ve kind of, in their disaster recovery plan if you like, they have already, they know who their IR responder will be, their IR responders are familiar with the business, the technology teams, everyone’s prepared? Is that the kind of one week scenario?

(00:47:19):

And the main things that I see speeding that up are just good disaster recovery and business continuity practices. So they’ve actually thought about it properly. Okay, let’s assume we have the incident. Are the backups safe? And are those backups going to get us back up and running quickly? And have we thought about how we’re going to run them up, just in case, if I can’t use the bare metal hardware I would normally do, what’s my alternative solution? And does my MSP have maybe a data center or something that they can run up for me? You’ve already thought about all those things and it’s already been planned for. And in that worst case scenario, there’s a path. You just need someone to make the call.

(00:47:55):

And probably one hot tip on the data is you’re going to need twice the data in this situation because you’ve got to restore those backups somewhere. So that’s a little

(00:48:02):

Hot tip. And we make life harder for everyone because we say, don’t delete anything, because at some point we are going to have to do an investigation for you to make sure that, okay, do you have a notifiable data breach obligation? And if you do, you’re going to have to have a very, very strong report that outlines what happened, how it happened, what was impacted, and how you dealt with it, and have you fixed all those problems. Because if the OAIC and the Privacy Commissioner actually want to ask questions about what happened, you need to be able to answer those questions and demonstrate that you’ve done all those things. And that’s what that process does. So we’ll say, hey, don’t delete it,

(00:48:36):

And then we’ve got to restore somewhere.

(00:48:37):

And then the other team says, well, okay, we won’t put it off to the side. We’ll give a copy, but at the same time we have a solution ready to go to actually make sure the environment’s coming back up. And it might be, down the track, a little bit of a pain when you resettle things down and move things back. But the business doesn’t have to get interrupted through that. That’s just the process that you

(00:48:56):

Go through. Darren, how many times have you seen in your experience where the backups have been corrupted and there’s no recourse? Is it 50% of the time or less than that?

(00:49:05):

Oh, thankfully less.

(00:49:06):

Yeah,

(00:49:09):

But it’s probably 10%. Okay. Right. For a long time, threat actors were always going for the backups. Yeah. It makes no sense for them not to. If I look at that evolution of ransomware, the way it started, it was always, I’m just going to encrypt all your files and you’re going to pay me a ransom because it’s so painful to try to restore. You’ve got bad backups, you’re not backing up. And so they were quite successful with that. Then we got really good at backups. I mean, it started pushing backups. Risk realized that it’s important. Everyone in the world said, without great backups, you’re going to have. So we put in great backup systems, but we are still a bit lazy. You didn’t have offsites. So threat actors then said, okay, the first thing I’ve got to do is get an account and jump into whatever your backup solution is and get rid of your backups.

(00:49:59):

And I’ve seen them going into NAS and storage groups and just wiping all the backups, removing all the volumes, saying, great, they’ve got no backups. I’ve seen them going into tape libraries and wiping all the tapes in the library, assuming you’ve still got backups somewhere, but knowing that they’re putting you back quite a way in that life cycle and making it harder. So that was a really common thing to do. And now I think we are getting to that point where our backups are protected, they’re not at risk. So we’re not worried about do we have a backup? We’re now saying, okay, well the thing is, how quickly can we use it? Yeah,

(00:50:34):

Right.

(00:50:35):

But for a while we were seeing it fairly regularly. Yeah. Oh, and I’ve actually just last year had a client who said, no, it’s all good. And I went in to the big tape libraries and then realized that there were like nine drives that were dead in one SAN that they were using. And then, wow. One of their tape backup drives had been writing dud tapes for two years and no one had tested. But every month someone printed out the report saying backup successful.

(00:51:04):

That’s another thing that is good advice, is to get your backups tested once a year. And here’s all good saying backup has gone there, successful, tick, but you can actually test it. Right. I wanted to pivot back onto the topic of listening to advice. I know there’s a case you went through which was really interesting, the RI Advice case. I think your team worked on that. Yeah.

(00:51:22):

So that was a case that ASIC brought forward in relation to RI Advice Group, just to question whether or not they were doing everything they should do in relation to their obligations around technology.

(00:51:35):

Are you able to share, or are you allowed to share, about that case? What happened?

(00:51:38):

Well, we were the experts for ASIC, so we can’t say a great deal about the details. We won, I can say that. Okay, well ASIC won. But ultimately what it was is that particular matter was dealing with entities that have an AFSL, they’re AFSL holders. So that was the avenue by which ASIC could ask the questions and actually sort of probe through this process. So not every business falls within this particular regime, but ultimately what it was, was a view as to, is the business doing enough to manage security appropriately, and in the event of incidents, are they doing enough to remediate quickly? And the speed of remediation was something that would come up in that quite often. So it’s all well and good to say, I’ve had an incident, we are going to make some changes and we will make some investments.

(00:52:27):

But if you don’t do that in a timely way, then if you have a look at the findings, at the end of the day what ASIC was actually saying is that wasn’t appropriate. That’s one of those things. Do it quickly as a board and as an executive. If you are going to make some changes and you are going to improve and build some resilience, it’s not just agreeing to do it and then we’ll find a budget one day. You actually need to commit resources and actually start that journey and actually demonstrate that it’s at a speed that makes sense for the business. So you don’t want to leave the risk for too long.

(00:52:59):

One question I wanted to flip by you was around the evolution of threat actors and cyber criminals now compared to way back when you were working for the police force. Looking at that, how sophisticated are they now compared to 20 years ago or so?

(00:53:16):

Oh, when I was in the police, it was locals. We were dealing with real people that we could see and go off and execute a warrant on. So a lot of that crime that we were dealing with was local. Here I am showing my age, the internet was there, it’s okay, it was a thing,

(00:53:34):

But so was ICQ and so was mIRC. So ICQ, and I did use a modem, so a lot of people, and 9,600 was fast for a while for me. So that shows my age again, and back then, you know, we didn’t have this interconnectivity of the world that we have now and we didn’t have these groups sort of coming together and sort of dealing with each other. So it was generally localized. It was in the country and it was something you could do. So move forward to the whole world is just now connected. And even worse, we’ve got the darknet that exists underneath, where you’ve got Tor networks and you’ve got the ability to move in an underground completely anonymously and connect with anybody or anything in a way that is untraceable, the most difficult thing for law enforcement to deal with.

(00:54:24):

And that’s what happens. Most criminal groups realize that that’s there and that’s how they’ve started to communicate and move and talk. What we also started to see was an evolution of the way criminals made money. So drugs for a long time were the way that most organized crime made their money. It’s been years and years since drugs were the primary way of making money. So it was probably five years ago that cybercrime took over as the number one way of making money in organized crime, and it continues to evolve and grow. Yes, there’s still drugs. Yes, there probably always will be drugs, but as far as how quickly can you make money, well you think about trying to make a million dollars in drugs, you’ve got to go off and create it or grow a product and refine it. You’ve then got to get it to the state where it’s in a saleable format. You’ve then got to get a supply chain and move it, and then at some point you’ve got to get a sales force to sell it, and at some point everyone needs to make some money and your cash has to move. Every one of those instances has got people, and people are going to make mistakes. And if you get caught anywhere through that, someone goes to jail.

(00:55:35):

Looking at the music industry versus the move into streaming.

(00:55:39):

So what do you do? You just go off and commit one online fraud in another country and you’re done. Or you make 10 million on a ransom in a way that there’s no extradition treaty, no one’s even really looking for you, and it takes maybe five to seven days of effort as opposed to years the other way. And then you see law enforcement getting quite good at disrupting the drugs, because what they’ll do is they’ll wait right to the end, and you’ll see all of these great drug busts where there’s photos of cash and piles of drugs and money, and look, that’s not accidental. If you’ve got to disrupt a supply chain, you disrupt it right at the end. Because the criminal organization has spent all that money and all that investment to get right to the very end, and then you deny them the payday. So it was all the cost, and don’t give them that.

(00:56:29):

Whereas in the world of IT, they’ve got some guys that are coding, they’ve got some computers, and that’s pretty much their investment. You do see underground investment in things like buying credentials and brokering those activities. But even that you look at as an underground activity: $50,000 can get you access with administrative credentials that work to some pretty large organizations. So as a head start, it’s literally like saying, I’ve got a key to the vault for this bank, guaranteed to work, and you can take whatever money’s in that vault; you just have to actually do the crime now. That’s what cyber criminals get.

(00:57:15):

And then there’s also the malware as a service now, where they actually do support and a help desk for you running the ransoms. Right?

(00:57:21):

Well, especially on the less sophisticated side, the spam, the phishing emails that we all get. We all hate phishing emails. You tell people, don’t click on links. A lot of these things are trying to facilitate some type of fraud. It’s a couple thousand dollars investment to get your toolkit, get your first 200,000 email addresses to attack. They will even do the Bitcoin payment gateway stuff for you. And there are help desks and support and forums to work you through. I still laugh at the one I did where an African group had bought a ransom, oh sorry, bought their phishing kit, was having zero success, three phishing campaigns, not one phish caught. And they were pretty angry and looking for a refund, and on the forum they were asking, well, what are we doing wrong? And they were asked to put a couple of their emails up that they’d sent, and there was advice going through: look, there’s some spelling mistakes and obviously the grammar’s not great, you need to improve that for sure.

(00:58:19):

And they were making some other comments about thinking about targeting at the right time of year: if you’re going to do a package delivery one, do it near Christmas. And then one group said, look, if you really want to get this quickly, throw some social engineering into this. So don’t just rely on the email. If someone clicks on the link and they’ve clicked on the link and they’re going through, pick up the phone, contact them, start to actually engage, encourage them to go through to actually do what you want ’em to do, which is to pay something. And the guys on the forum said, we can barely speak English. I know you’ve had a guy at us writing English, but we’re not going to be able to speak it, so how do we do it? And the forum came back with a list of voice actors. They said, don’t do it yourself; if you’re attacking someone over in the US, pick someone who’s got the US accent who can do the phone call for you. And he said, oh, we’re attacking Australians. And I was laughing. He said, oh, okay, well, you can use a New Zealander or an Australian or a South African because they all sound the same. And they had a list of voice actors that would just read a script and do that for you. Wow.

(00:59:21):

Yeah, it’s almost too easy.

(00:59:23):

Darren, can I ask a question? Changing gears slightly: associations, clubs, not-for-profits. With all the legislation changes, I don’t think people appreciate that that’s quite a highly risky environment to be in without cyber protection. Can you talk a bit about that?

(00:59:38):

Yeah, look, the not-for-profit sector generally isn’t targeted per se, but it’s one of those areas where I think any organization that is mission based tends to want to make sure that as much of the money that they make or they collect or is donated goes back to their mission. And that’s one of the things that you want them to do. Absolutely. That’s why they’re there. They often haven’t got enough to make the investments in security that others do. And that’s something we’ve seen. They often have a lot of volunteers coming through, so there’s this churn of people, so education’s harder as well. And I know that with some of the changes that are suggested and may come through in the Privacy Act and others, there may be some removal of exemptions that were there in the past that might have protected some organizations like that. So no difference in the way you’re supposed to treat and manage the risk. Just a much harder environment to do it, I’d say. Okay.

(01:00:37):

What is the future of legislation and compliance from a cyber security point of view in Australia going to look like in the next 12 months?

(01:00:45):

A lovely 300 page review was released about three weeks ago for the Privacy Act. So what will the Privacy Act review sort of do and change, and how does that impact us? That is one area. The first change to the Privacy Act happened actually in December, at the end of the year, and that was on the back of those big breaches that we’d mentioned, the attorney general and the minister all coming out saying we’ve had enough. And the first change was penalties in the act. So Australia went from having the most relaxed set of penalties for doing the wrong thing, it was hundreds of thousands to maybe just in the millions if you’re a big group for having a breach, to effectively a minimum of 50 million if you have a significant issue, or a calculation, which is about one third of your revenue if you are bigger. So yeah, you know, when 50 million feels small, don’t worry, we’ll hit you for a third of your revenue and that will hurt.

(01:01:40):

So there’s this penalty piece that’s come through, and then there’s a whole lot of other changes suggested, from shortening the time that you’ve got to deal with an incident. At the moment we’ve got 30 days to determine whether or not our incident is notifiable and to start going through that process. 72 hours is likely where it will end up in the end. There’ll be other changes in relation to the 72 hours. So it’s 72 hours to you notifying, okay, individuals, not to have fully assessed it per se. You’ll never finish in that time, but you’ll be on a road to actually engaging with the privacy commissioner and talking and trying to notify individuals who could be subject to harm. They’re trying to reduce the chance that you get told five months later, at which time your credit card, all your identity, could have been used multiple times.

(01:02:28):

And there’s one scary change in there, which is some talk that the act will have a provision where an individual can sue another for loss of their private information. There hasn’t been an opportunity where you can just sue somebody for losing my private information. So when we hear of class actions coming to bear in relation to these, they will latch onto that as an opportunity to take someone to court in the event that they believe they’ve been harmed that way. So that’s that. And then in the last couple of weeks we’ve also got the Australian government releasing the Australian cybersecurity strategy for 2023 to 2030. So what are we going to do as a nation, and what are those changes? Another thing to expect is maybe the government having more say or input or involvement in breaches, being able to come in and say, we’re not happy with the way this is going, we’ve got to take over. That is something that some are worried would happen. I think cooperation is of benefit. The Australian Cyber Security Centre have got a lot of fantastic resources. We’ve worked with them in the past. The teams have been really good. They don’t have enough people to actually really get on the ground and help you, though.

(01:03:41):

That’s what I was going to say. Is it realistic for the Australian Cyber Security Centre to help with all the criminal activity around cyber? All of them.

(01:03:48):

They want you to share information with them, they want you to share information that you have about what’s happened to help them and the rest of the country, but it’s not reasonable to think they’re going to come in and get their hands dirty and roll up their sleeves and do it for you.

(01:03:59):

What are your thoughts, Darren, on the fines being increased for directors? Is it going to work? Is it a good idea?

(01:04:04):

It’s scary. I think 50 million, no one can afford to lose 50 million for a significant event like that. And one thing that’s in the back of my mind is that you’re still a victim. Yes. It’s not as if you’ve done the wrong thing. You are the victim of a cyber attack. So it feels wrong if somebody has genuinely made some mistakes in your business that were just accidental, and all of these things lead to a significant event, and you probably couldn’t have fixed those things because humans are humans, and then all of a sudden you get smacked with the stick on top of the fact that you’ve dealt with this massive incident and have probably lost a lot of money and suffered brand and reputation damage.

(01:04:44):

We could obviously talk for hours, but I’m conscious of time. Any last questions, Brad? Nigel?

(01:04:49):

No, I’m good. I think it was a good chat, and the more we can put out there and educate people around the risks and how to mitigate them, the better I feel and the better I sleep at night.

(01:04:58):

Yeah, definitely. Probably my last question to you, Darren, is this. Our federal minister did one; Australia’s BHAG was to be the most secure country from a cyber point of view by 2030, I think. What was the tagline? Like, for listeners on this podcast, and most of the people that listen are business owners or leaders, if you were to say three things that everyone should really start doing to get fit and ready for cyber, what would those three things be?

(01:05:22):

That’s a good question. It’s actually an achievable goal. Funny enough, Australia is one of the most technologically advanced nations out there. We’ve got access to all of the tech, we love our iPhones, our iPads, our tech, so there’s no restriction in getting there. I think I come back to what I sort of said: take advice from the people that are there to help you, and do the things that you just know you need to do. So the inconvenient things, stop thinking that they’re inconvenient and realize that they’re there to protect you. And I’m talking MFA and all of those other sort of security mechanisms that slow you down. Just accept the fact that you need to do that.

(01:06:03):

Turning on those things in your Microsoft

(01:06:05):

Licenses, and giving thought and budget to security. It is something different. It needs to be budgeted differently. And if you get it right, it makes your IT better and it actually secures your business. And then the other one is assume something will happen. So at some point you may fall victim, so get ready to protect yourself. So be ready with your disaster recovery, your backups, your business continuity, and your insurance. So those three things are what I think would get most of us there. Yep.

(01:06:35):

Perfect. Great advice. Great advice. Yep. Darren, thanks for coming in and sharing your knowledge. I was going to say, look, one thing I would like to say publicly is, look, thank you. We want to be the best, Darren, and you’ve been a big supporter of REDD for the last couple of years, and thank you for all your advice and helping us be the best and continue to evolve. So without your knowledge as the Godfather, we wouldn’t be heading up there. So thanks.

(01:06:54):

No, no. Look, I love the fact that there are technology firms like you guys who are actually realizing that, okay, if we don’t get this right, we aren’t doing the right thing for our clients. And it is different, and it is a bit of a change from what you used to do, but you’ve built a business that absolutely does this the right way. So that’s good. Thanks. Thanks guys.

Posted By
Nigel Heyn
Founder & Executive Director
Nigel Heyn is a passionate, business and technology centric entrepreneur. With a natural instinct drawn towards technology, Nigel, under the guidance of his father, successfully built his first desktop computer at the age of 8. This started a journey of research, innovation and technology exploration that continues today. Nigel has successfully built several companies, all underpinned by the desire to leverage technology smarts in order to positively influence business models and realise stakeholder dreams. Leveraging a vast network of global contacts established over many years, Nigel thrives on learning what best practices exist in order to provide digital excellence for his clients' successes. In order to achieve true success, Nigel understands the importance of building a team of the best talent available and thus welcomes the opportunity for those sharing similar dreams to reach out and be a part of the vision. In the words of Walt Disney, “If you can dream it, you can do it”!