Are Australian businesses prepared to face the growing cyber threat?
In 2024, RSM found that Australian businesses are woefully behind their UK and EU counterparts in terms of cybersecurity measures.
With an Australian business being impacted by cybercrime every six minutes, this lack of preparation is becoming a serious problem.
In this episode of talkBIG, host Andrew Sykes sat down with one of the report’s authors and National Head of Cyber Security at RSM Australia, Darren Booth, to discuss the critical issue of cybersecurity in Australia.
They take a close look at how ready Australian companies really are to tackle cybersecurity threats, dig into the main attack methods that cybercriminals use and discuss why it’s so important for companies to understand their vulnerabilities before they can be exploited.
Key takeaways:
- Understand the insidious nature of social engineering tactics, which exploit human psychology to breach your systems
- Discover how relationships with third-party vendors can bring additional cyber risks
- Learn what’s new in cyber regulations
- Learn about white hat hackers and how bug bounties work
- Find out how a strong cyber culture offers the best cyber protection
Andrew Sykes:
Have you ever been fooled by a scammer? You've received a text message that came from maybe the right number, or maybe the timing was right. And then you attempted to click on a link, or maybe it's a phone call you've received about internet problems just after an outage. And this can lead you to being scammed.
It happens every day.
In fact, every six minutes, that's how often an Australian business is hit by a cyber attack. All it takes is one mistake, and it could cost your business millions.
Hello, my name's Andrew Sykes, and I'm a partner with RSM in our Business Advisory division. I talk about business, money and the economy to help you get ahead. Welcome to talkBIG. Today we're going to have a bit of a talk about cyber security.
Now it is a massive problem in Australia. RSM has recently published a study on cyber security. And one of the things we discovered is that Australia is well behind places like the US or the UK when it comes to being prepared for a cyber attack.
Joining me today, I have one of the report's authors and National Head of Cyber Security at RSM Australia, Darren Booth. How are you going, Darren?
Darren Booth:
Well, good thanks, yourself?
Andrew Sykes:
Good, mate, good, good. So I understand you have authored this report, and you enjoy translating cybersecurity risks into business language. And you're gonna talk us through a little bit about this today.
Darren Booth:
Yeah, definitely. Cyber's full of lots of jargon and acronyms, and what can seem like technically sophisticated things. But a lot of it actually boils down to basic common sense and doing the right things. But if you put the context of what cybersecurity looks like today in Australia, you touched on it. There are 94,000 cybercrime reports each year to the Australian government. Now, those aren't all business-related; there are personal reports in there as well, but it does sort of show you the size of the problem that affects both people and organisations. When an organisation is impacted, it can have like a paralysis to them. There's the impact of the actual attack itself, but then there's actually dealing with that in relation to some of the financial impact, some of the operational side of things in relation to ransomware that might then take out your systems and mean that you then actually can't operate some of your day-to-day business operations. And then you get into some of the penalties if you're in like a regulated industry, the various impacts ongoing for months or years after that, as you sort of deal with the fallout. So it's something that everyone has to deal with.
It really comes down to being prepared to prevent that attack. If it does happen, then being prepared to respond to that attack.
Darren Booth:
And yeah, we published this report and surveyed a number of organisations, really just to try to get a bit of the lay of the land for Australian organisations, particularly in the small to medium-sized organisations. And what it came out with, sort of as the headline, was that 31% of businesses were unprepared to respond to an attack, which is really quite scary, given it can really have a fundamental impact on how they do day-to-day operations.
Andrew Sykes:
So that's one in three businesses.
Darren Booth:
It is. And that's everything from a small 5-10 person organisation all the way up to a couple of hundred people. Where we really started seeing the change was when an organisation had sort of maybe plus 200 employees. We started seeing that the investment had increased and there was more work being done in the larger organisations. But really, in that sort of small to medium-sized organisation, there's a lot of work that needs to be done.
Andrew Sykes:
So generally a lot of small businesses aren't really that prepared for an attack. Does that mean the smaller the business, the more vulnerable they are?
Darren Booth:
Look, that's always a hard question. How vulnerable is your business? When you look at the statistics, there are definitely certain industries that are attacked more than other industries. They have maybe more money or more data. So if you're in the health sector or the financial services, obviously they're probably more prime for an attack.
But what we do find as well is that a lot of attacks are probably not aiming at any particular company. They're just trying to get someone to bite or trying to find some vulnerability in some system. So a lot of the time, when they're doing the attacks, they actually don't even know who they're attacking. So they're sending out these attacks or sending out emails. And once someone clicks through or once the payload gets a foothold in the organisation, that's actually where they start figuring out, who've we actually got here? What type of information do they have? What size company is it? So when that happens, every organisation in Australia is on a level playing field in relation to whether they're on that hit list or not.
Andrew Sykes:
Yeah, so yeah, there are some really interesting points you've raised. Probably split that into two different areas for today, what are the main attack vectors? So where are the vulnerabilities? And then, if you are attacked, what's the response? So generally, where do the attacks come from and what are those main vulnerabilities that you see in businesses?
Darren Booth:
Yeah, look, and today, it's still business email compromise that is prevalent. So business email compromise is essentially when someone has been able to get a foothold in a person's email account. And once they're in there, they then start using that to then sort of launch other attacks. So that could be either an invoice scam where they pretend to be someone because they've got access to that email.
And they are then sending out false invoices or requesting people within the organisation to make payments because they see it from a trusted source. That still is a high proportion of attacks, and the reason is that it's actually quite low cost from an attack perspective and low risk as well. So the attackers are able to get into the accounts and go around without much detection because, provided they're not doing anything too risky, they're not setting off any alarms, or they can do things very covertly without anyone knowing. The second one, which has definitely been the attack of choice increasingly over the past five years has been around ransomware where an organisation gets some sort of a payload that could be through someone clicking an attachment in an email or going onto a website that has something that if you click on it, then sort of automatically downloads it. It could be, you know, something that got in through a vulnerability in your systems. But once the attackers sort of got in there, what they typically do is they'll hunt around and sort of try to find out what data they can get, what information they can get.
Once they've got some of that information and extracted it from the organisation, they'll then launch their ransomware. And what that basically does is it then locks down your systems. And it's really evolved over the past couple of years to be this two-pronged attack. One is that the attackers now have your data. And then secondly, they've compromised your system so you actually can't use them. So they're actually looking for payment twice. Once to release
Andrew Sykes:
Mm.
Darren Booth:
Or unencrypt your system so that you can use them again. And then another time to then get back your data. So it's a more time-consuming attack, but it's a higher payment a lot of the time because they get two bites of the cherry in relation to payments from you, which is why it's become really one of the main ones over the past couple of years.
Andrew Sykes:
Yeah, so that's what's really interesting in that is so you're saying that you have the email scams that come through and that can be a payload that's ransomware, or they can get some sort of that opens up some sort of gateway into the system that allows them to look around.
Andrew Sykes:
The common thing there in those two methods is that somebody has to click on a link. Is that correct?
Darren Booth:
Not always. It's definitely probably the easiest way for an attacker again. People are, a lot of the time, the easiest, weakest link in an organisation. It's human nature. People do things that might not be following a particular script or a particular thing, so they can be manipulated to do things.
IT systems can be more complicated because they have certain rules built into them and certain controls built into them that if there's no vulnerability in them, then they're hard to exploit. Obviously, if there's a known vulnerability, that can be where the attack can come in. People are still, in a lot of organisations, the weakest link. So that could be getting them to, like I said, through an email. It could be on a website.
We do tests where we essentially are testing a company's defenses. One of the tests we do is we call up a person and pretend to be the IT help desk and we direct the individual and see whether or not they'll click on something on our behalf. Or we'll try to access a system and say, can you just read out to us the code that's come through on your phone?
So that's really all around manipulating the person to then sort of take the person's weaknesses in order to bypass some of the system strengths.
Andrew Sykes:
Yeah, so that's using that broader category of what we would call social engineering to get around the inbuilt security measures.
Andrew Sykes:
So when you look at that sort of vulnerability or penetration testing, how do you start? What do you do?
Darren Booth:
Yeah, there's a couple of different things we'll do depending on the maturity of the organisation. The social engineering one is definitely a useful attack to understand the people risks. Some of that is we'll create a dummy website and try and get people to click on that through an email, through a telephone call. The other type of attacks we'll do is then we'll actually scan the system.
There's different types of attacks that can be done in relation to that. One is where we essentially are just a member of the public. Just like anyone could access without any credentials, we scan the environment and see whether or not we can find any holes or any vulnerabilities that could be exploited. That's probably the scariest one because if we find a vulnerability there, it means that anyone could access that vulnerability.
Because anyone over the internet could access that. Once we're sort of comfortable in relation to that sort of external scan, we then start looking at the internal side of things. So we take that worst case scenario to say, okay, if someone's managed to get into your system, whether that's maybe an employee who is disgruntled or it's an attacker,
who's managed to get credentials and managed to get into the system. What can they do now? What are those layers of defence that you've got now the perimeter has been breached? What are the layers of defence to either stop or prevent or reduce or slow down an attack? So that's called an internal assessment. And that's really trying to look through and to say, right, well, worst-case scenario, if they got in there, what could they then do now?
So it's really trying to build up.
Andrew Sykes:
So that would be really good things like not having the same passwords for different types of servers and separating systems so you can't cross between them. Is that the kind of thing you look at?
Darren Booth:
Yeah, definitely. So, you know, there's a brute force attack that can be done where, you know, essentially if you use a password on one website, maybe a shopping website, that particular month you are trying to use the same password everywhere, including on your own organisation's computers. If that password got breached on that website, what essentially happens is an attacker can download a database of usernames and passwords and they'll just fire that at an organisation and hope that one of them sticks or one of them is successful.
Andrew Sykes:
Yeah, so when you talk about that Darren, this is one of the things in researching with this podcast I found staggering as a business person, I probably didn't understand the size of these attacks. So when you say download, they're not just downloading like a few thousand, they're throwing millions of password combinations. So what kind of size are you looking at there?
Darren Booth:
Like you said, it's millions of users and passwords. Now, if they know who they're attacking, they'll be able to filter that down. So for example, if it was RSM, they would look for the RSM email address and then use those combinations. But essentially, there are databases out there with millions and millions of usernames and passwords that have been collected through thousands of breaches over many years. And you essentially just buy access to that list through the dark web and get access to that. And you push a button and it just sends off the attacks. So a lot of the attacks these days aren't sophisticated from a technology perspective because you as an attacker go to a marketplace and you buy a particular type of attack and you buy a certain number of usernames and passwords and you load them in and it just does it as a payload. So you actually don't need to be technically advanced yourself to launch these attacks. There are obviously people out there that are more advanced, but this is the...where it's a commoditised attack now in relation to some of these more basic type of attacks that are really aiming at trying to get as much penetration from an attack with as cheap a cost of each attack from the organisation's point of view.
Andrew Sykes:
Yeah, so that could be as simple as if I wanted to attack an organisation or somebody did want to attack an organisation, they could research them on LinkedIn, get a bunch of their user names or email addresses, and then just go and source a couple of hundred million passwords and give it a go.
Darren Booth:
Yeah, exactly. Yeah. So that's called open source intelligence where it's public information that you can access and you build up a profile of the organisation, a profile of the people working in the organisation and using that small bit of information, you then start targeting things and making things a bit more specific. You know, in the email example, you then start pretending to be a particular person in the organisation.
You may find an email, so you know what their signature footer looks like. So you start to craft that and you build up these things to try to make the attacks look more authentic. Because again, that's playing on the people side of things.
Andrew Sykes:
Yeah, always the, or generally the weakest part of the system. So given this and given how easy it is now and accessible. So as you mentioned, there's a marketplace, so readily available if you wanna buy a pre-packaged cyber attack, you just go out and do it. How many companies do you see getting tested for this, penetration testing to make sure that they're not vulnerable?
Darren Booth:
Yeah, so our survey identified that about 40% will be conducting annual testing. And again, that's probably, it is definitely more in the larger organisations compared to the smaller and that's expected. Testing costs money, but also there's a knowledge gap there. And then some of the tests can be run quite cheaply, but knowing that that task is there, it's available.
Knowing the results come out of it. What we do find is once an organisation starts doing vulnerability tests and penetration tests, they seem to value it and they keep doing it year after year or every two years. So we would love to see in Australia that number increasing just because it then sort of shows that testing is happening and the visibility around the security is there. But it then gets into again, that confidence level of how confident are you as an organisation and therefore, how do you feel about doing these type of tests? The survey found that about 50% had a medium to high confidence in their technology and in their staff's ability to manage a cyber risk. Where if you compare that to the US and the UK, they were about 84%. So there's a 34% difference there in relation to that confidence level.
Andrew Sykes:
Mm.
Darren Booth:
And that then feeds into downstream how much testing is being done, and how much work is being done in relation to training and things to manage those risks better.
Andrew Sykes:
Yeah, so you talk about that, talk about your vulnerabilities. Can I ask you about Wi-Fi? How vulnerable is that?
Darren Booth:
Yeah, look, for a lot of organisations, they'll treat their Wi-Fi as part of their internal network. So, you know, Wi-Fi has come a long way in the past 10, 15 years. It used to be the weakest source and the easiest source to get in.
Andrew Sykes:
I remember when you used to buy your router and it would be username admin, password admin, and that was a default that got set. Is that still the case?
Darren Booth:
Things have evolved. So there are actually now standards that are in place in relation to when you sell a router to someone. It can't be using a password admin and admin or if it is, it then has to get changed on the first use of that. So you then have to set up your own one. So there are now standards in Australia that help with that. Where we find weaknesses in organisations is an organisation will try to help people and they'll set up a guest account and then they'll set up an account for their internal employees. If those two Wi-Fi accounts aren't appropriately segmented or separated, what you can do as part of an attack is you can log in to the guest and then jump from the guest into the corporate. And that's one of the tests that we do is try to sort of see where that's possible.
So a standard attack now using an admin, using a password, I haven't seen that succeed for a while, but I do still see success in jumping from one to the other just because it hasn't been configured and set up in the right manner.
Andrew Sykes:
Yeah, so that configuration, and we'll go into a bit of that. I'll just ask you one more question around vulnerability. Updates. So we seem to be constantly updating our software. How important is that and how big a vulnerability does that leave us if we have out-of-date software?
Darren Booth:
Yeah, it's definitely one of the key focus areas for an organisation, and the Australian government has sort of released their top eight mitigating controls to prevent a cyber attack, and patching, as it's called, is up there in those top eight controls. So there's probably two sides to this. One is the nature of software development over the past 20 years has meant that whenever software has been developed, it hasn't always been built in the right way and hasn't always been built with the right secure codes, which has then resulted in vulnerabilities being implemented with the code at the same time. That's why what happens is a developer will then release these patches to say, look, we've messed up.
We've identified that this vulnerability is there. If you implement this patch, it fixes that vulnerability. But what you end up finding is that there's a constant chasing your tail where every month there's a new patch that gets released or every couple of months. Some of those are what we determined to be critical patches. So when it's a critical patch, it's a vulnerability that has a high impact and it's already been exploited by attackers to get into an organisation or to get into systems. And for those types of critical patches, the faster you can get that patch, the more secure you are. We would typically be saying, if you can, 72 hours is what you're in to try to do. There's an impact there from a technology point of view that might mean you might need to bring down a system for an hour and reset it. You need someone with the technical ability to do that, to implement that patch.
Andrew Sykes:
Mm.
Darren Booth:
But it is a key area that is something that's constant. It's not a just set and forget. You've got to keep on keeping up-to-date on the patching because unfortunately, vulnerabilities are getting found every day. Patches are therefore getting released every month. And you as an organisation have to try to keep up with that race to keep yourself protected.
Andrew Sykes:
Mm.
Yeah, so you've got that threat of the brute force attack or somebody in other ways accessing your system and then they're aware of what they should be looking for in terms of out-of-date software and understanding vulnerabilities.
Andrew Sykes:
So once they do that, or maybe now is a good time to ask, so if there's such a high risk of somebody accessing your system, what can you actually do to protect yourself?
Darren Booth:
Yeah, definitely there are key controls that we look at in an organisation. So we do these gap assessments where essentially we'll go in and very quickly try to assess whether or not the key mitigating controls have been put in place. So from a people side of things, it's multi-factor authentication. So have you enabled multi-factor authentication so that if someone tries with a brute force. So they've got a username and they've got a password. If you've got MFA enabled, that will reduce 99.98% of all attacks that are brute force trying to use a username and password. If you have systems that are externally facing, so you've got a website and you've got customers accessing information through that website.
The patching side of things is one of the key ones. So have you got it patched? Have you got it up-to-date? Have you actually put in some basic hardening of that environment, realising that if it's an external system that's being able to be accessed over the internet, that from a risk profile is a higher risk profile compared to a system that's internal within your network. And therefore there are certain configurations that we would look to have enabled.
And you know, it's basically a checklist that we can go through and say, right, well, you know, these things have been turned off and these things have been turned on, right, therefore it's been hardened in relation to that risk profile of where that system sits in your environment. Yes, we do do penetration testing, and that's probably a good one to sort of get that lay of the land, but it's part of a package.
Andrew Sykes:
Mm.
Darren Booth:
Penetration testing can sometimes be seen as the be-all and end-all and it's not, it's a one-time test that looks at some of those key things to say, what's the worst case scenario? What we like to see is that you don't even need to get that worst case scenario because you have some of these perimeter preventative controls in place to protect your environment. So yeah, definitely the key things are around prevention upfront. The last thing that we'll then look at is
Andrew Sykes:
Mm.
Hmm.
Darren Booth:
Should an attack happen, how prepared are you to respond and recover? So do you actually have backups? Do you actually know who to call, whether it's your insurance company from a cyber insurance perspective, or do you have a run book that says these are the steps I'm going to take to prevent the attack from getting worse once I find it? So again, those sort of things are good to understand should that worst case now happen.
Andrew Sykes:
Yes, so generally you're a small business person, you're running your business, you might have left your patching on your server, get out of date, you've got a ransomware attack. What do you do?
Darren Booth:
Yeah, so if you do find that you've got that ransomware attack, probably one of the first things to do is try to isolate it and restrict it. You know, try not to plug other systems into it, or if you've got the ability to turn off certain applications or certain systems, that can reduce the spread. Once you've done that, really, your best protocol is to reach out to someone from an investigation point of view.
If you're lucky enough to have cyber insurance, about 40% of medium-sized firms we find have some sort of cyber insurance.
Andrew Sykes:
What is that, Darren? What's cyber insurance and what does it cover?
Darren Booth:
Yeah, there's probably two key things that we see it for. One is access to resources. So should an attack happen, you have access to professionals who can come in and recover your systems, can clean up your systems and get you back up and running again. So there's the access to that.
But then there's the financial side of things. So the insurance then covers some loss of earnings or loss of costs of that type of resources. The insurance, it's there essentially to protect you should the worst happen, both from that ability to get up and running as quickly as possible, and then covering some of the costs and expenses that you'll be facing as part of that recovery exercise.
So the insurance will cover loss of earnings potentially, cover paying for the responders to come in and recover your systems. And, you know, potentially depending on the type of insurance and the type of incident you've got, might then protect you should someone have had personally identifiable information stolen from you. It then can protect you in relation to some of the costs from...a third party trying to essentially claim that back from you in relation to a breach of their privacy.
Andrew Sykes:
Yeah, so you mentioned third parties there. How can they impact, like say your suppliers and third parties that they deal, that you deal with, how can they impact on your cyber security processes and hygiene?
Darren Booth:
Yeah, there's probably two key ways of it. One is, you know, there's this standard supply chain. You know, businesses by their very nature have a lot of other relationships from a B2B point of view. So you'll have key suppliers and key customers. And if someone in that chain is unable to support other businesses in the chain, then there's an overall impact on the operations.
That supply chain in relation to whether it's providing a service from one to the other or providing a good from one to the other, that can have a knock-on effect throughout that whole chain. The other part is then where maybe a third party is actually supporting your business from a technical point of view, where you've actually got technical service providers. And as part of being a technical service provider, they'll probably have elevated access inside your environment to support your technology and support your systems. If they have a breach, that might mean that then...the attacker can then get into your systems and then sort of impact what you're doing. There's two sides to that sort of third party side of things. One of these is supply chain, but the second one is then sort of how you're getting others to support your technology stack. Are they bringing in some risks as part of that?
Andrew Sykes:
Yeah, yeah. And a lot of those, so you might have a third party supplier that has access to your system. Requirements around 2FA can really reduce those risks there, can't they?
Darren Booth:
Yeah, exactly. You know, access controls are great, regardless of who that access control applies to. So whether it's your employee, whether it's a third party, you know, that basic hygiene around access and authentication is critical.
Andrew Sykes:
Yeah, so we are looking, you did mention, and we're just talking about flow on risks of businesses dealing with other businesses. So generally we get more regulation happening. You mentioned before the fines for certain organisations if they get a breach, but we also have the upcoming CPS 230 operational risk management standard being released by APRA. What does that mean?
Darren Booth:
Yeah, so that's for financial services organisations and APRA-regulated financial services organisations. What that basically requires those regulated entities to do is have a knowledge around their end-to-end operational risk. So it means, you know, how do they as a business, how are they resilient to keep their services and products operating?
In a nutshell, that seems simplistic because it sort of says, well, you know, they understand what they're doing. They can get themselves up and running again. The complexity comes in relation to that supply chain of third parties and fourth party and fifth party suppliers. So, you know, if you're a financial services organisation and you've got a banking platform, well,
That banking platform is then supported by one organisation. That organisation then relies on another organisation to then provide some of the technology stack. That organisation then relies on another organisation in relation to supporting the data center. So it has an end-to-end impact that previously the regulations applied to only the regulated entity. What CPS 230 has is it requires that regulated entity to go down through its supply chain and understand how anyone in that supply chain could impact their risks and impact their operations. So it really does have that knock-on effect to the suppliers of regulated entities as opposed to just the regulated entities themselves. So we're finding a lot of organisations now looking at their resilience to support their customers from a business-to-business point of view.
As well as just sort of looking at themselves as to how they sort of do their day-to-day operations.
Andrew Sykes:
So Darren, cyber security is filled with buzzwords. Can you tell us the difference between black hat and white hat hackers and what are bug bounties?
Darren Booth:
Yeah, definitely. And you're right, buzzwords galore in cybersecurity. So a white hacker or a white hat is someone who is ethically trying to hack your system. So they're essentially paid by you to try to find those vulnerabilities. So they're the good guys. They're working on your behalf to identify vulnerabilities that allow you to then fix them.
Black hats are essentially the attackers or the hackers. They're not the nice people. They're essentially out there to do bad things to you. Bug bounties are an interesting one because bug bounties are a way for you to set up a reward system for people to try to find vulnerabilities in your environment. So there's different ways to reward people or pay for a vulnerability assessment. One is you engage an organisation and they go and test your systems and find things. The other one is to set up a reward. And you say, if you can find a vulnerability or if you can find an exploit, we will reward you with a payment. So it's almost like saying, well, if we're secure, we don't have to pay anything.
Andrew Sykes:
Hmm.
Darren Booth:
But if we do have something, then we're going to give a reward and thank you for finding that, and here's the bounty for that. So the bug bounty is something that you can set up and run over multiple years, and you can just have it there. Depending on the type of vulnerability that's found, that will determine how much you actually pay as part of that bounty.
Andrew Sykes:
Yeah, so if you were an organisation that had gone through and done your planning and secured your environment, one way of making sure that stays secure on an ongoing basis might be to encourage white hat hacks and then pay for outcomes. It's an ongoing maintenance programme.
Darren Booth:
Yeah, exactly. So it's the type of thing where you can set it up, particularly if you're the type of organisation that is releasing code on a regular basis. Instead of having each particular release tested through some sort of penetration test, you can get it out there knowing that people will be testing you constantly to try to find things.
The thing that we find with that is that it opens up the attack to multiple different people. So your bug bounty means you've got different people trying to attack you from different vectors, with different methods. So it can be a highly useful way to do it. Probably one of the key things, though, is to make sure you're secure, or you think you're secure, to start with. If you send out a system that you haven't tested yourself, you'll find you very quickly start paying out lots of bounties, and it becomes a very expensive way to secure your systems.
Andrew Sykes:
Yeah, so get secure first and make sure that you are very secure before you do that.
So what are some of the common pitfalls businesses face when they decide that they should try and improve their cybersecurity measures, and how can they avoid these to be better prepared for future threats?
Darren Booth:
Yeah, so I think some organisations try to overthink it and go too technical too soon. So for us, the key thing is to make sure your basics are working properly. So make sure you have the fundamental controls in place, and having those fundamentals then gives you the foundation to build off. Security is around strength and depth. So the idea being that you've protected your perimeter, you've protected internally, you've got the right people doing the right things, you've got the right processes working. So it's around that depth in what you're doing. Yes, some of that is technical controls, but some of it is not technical. So some of it doesn't necessarily have to cost a huge amount of money. It can be around implementing slightly different practices, doing things that maybe just mean you're more secure over time. And probably that maturity is important. So we're always looking to try to increase the maturity in a sustainable and cost-effective way, realising that attacks evolve, and there are new threats like AI that are slowly changing the threat landscape.
Andrew Sykes:
Mm.
Darren Booth:
And organisations, whilst trying not to be too scared about it, just need to be aware of what's happening and stay with or ahead of the vulnerabilities.
Andrew Sykes:
Yeah, because I will say that I've seen throughout my client base, there are clients that have lost significant amounts, in excess of a quarter of a million, to scams. One that comes to mind was an invoice received from a builder, but there was a new bank account on there and the client just paid based on what was on the invoice. When I look back at things like that, it's not an expensive process within your accounts payable to say, well, you have an authorisation process for clients or suppliers to change their bank account, so that you're actually ringing up and confirming details rather than just paying it off. Are there any other really simple things businesses can do like that, rather than implementing new software, just processes and procedures?
Darren Booth:
Yeah. It's a really important one, because like I said, it's a very cheap thing to do, but a very important one to do from a process point of view. There are other things out there that can help you understand if you're potentially at risk. So there's a website called Have I Been Pwned? And that's essentially where someone has captured the databases of usernames and passwords and is using them for good. Instead of trying to sell it to hackers, it's a publicly available website that you can go on yourself. You can check whether any of your employees' details have been captured as part of a breach in another organisation. And it's a proactive thing: if you find something on there, or you get an alert that something's just been found on there, you can then get that person to reset their password, just to make sure it's not a password that's aligned with the password that's been found somewhere else. So that's a quick and easy thing. Again, it's something that's set and forget. Once you register, it'll notify you if any of your employees are found. So those sorts of things are, I think, again, not technically challenging, not expensive, but really that hygiene around trying to make sure that your processes and your knowledge are up there, aligned with some of the people who are trying to attack you.
Andrew Sykes:
Yeah, and we'll finish the questions by asking, have you been involved in any really interesting cyber security breaches?
Darren Booth:
Yeah, look, we do get involved from an incident response side of things. I think some of the really interesting ones are probably on the healthcare side of things, where for me, these are high-risk systems that have an impact on people's lives. So if a hospital is impacted and their medical records are unavailable, that has a direct impact on what a hospital can do. So being involved in some of those and seeing the resilience of people to work around the technology limitations that they're facing is probably one of the more interesting things I find. It always surprises me how resilient people can be, to move from a computer system onto pen and paper and do things that, yes, are not perfect, but mean they can get by and do things without a technology system for a couple of days to maintain their operations. Those sorts of attacks, some of them are really basic. A vulnerability has got in because someone has clicked on an email. So some people think, oh, that's something that happened 10 years ago. It doesn't happen today. It still does happen today, where it's a simple email. Someone's clicked on a payload. It's got through the system's protections and has then resulted in a very large organisation like a hospital going down and not being able to use any of their IT systems.
Andrew Sykes:
Yeah, because look, I've seen them come through even on an individual level, emails and texts that look like they come from a genuine supplier, but then you have a look and you go through and, well, it's not what they'd be asking me, the wording's not right. Yeah, it might be a wrong email address, but you can see it'd be very easy, without education, to click on it.
How important is that education across the workforce when you're in business?
Darren Booth:
Yeah, I think it's critical. We talk about a culture around occupational health and safety, a culture around financial awareness and, you know, expense management. There is a culture around cybersecurity, and organisations that have a culture around cybersecurity definitely perform better than organisations that don't. Their employees are more prepared to speak up about something and say, this email doesn't look quite right, can you just validate whether or not I should be clicking on this? They have that culture of awareness and the culture of scepticism, and the realisation that if they do click on something, the culture is, as quickly as possible, tell who you can to try to prevent any further damage. So yeah.
The culture around cybersecurity is as critical for us as the culture around other things. It should just now be in the organisation's ethos in relation to how it does day-to-day business.
Andrew Sykes:
Yeah, that's great.
Well, thank you very much, Darren. Now, if we want to get a copy of your report, where do we get that from?
Darren Booth:
Yeah, you can download our free report called Cyber Storm Rising, and that's available at rsm.com.au. Alternatively, drop me an email at [email protected], or up on your screen there should be a QR code.
Andrew Sykes:
So thank you for your time today, Darren. And thank you to everyone listening to our podcast. So a few key takeaways for me: multi-factor authentication. I thought that was fascinating, Darren, where you said that stops 99% of cybersecurity risks. Learn and educate your team, because people are probably your biggest vulnerability. And get a plan together.
Do something about cybersecurity, including understanding how you're going to act, how you're going to respond if you do get breached. So prevent, and then plan how you're going to act. I encourage you to download the free report from the RSM website. It's a great read. Thank you very much for your time today. It would be great if you could leave a review of our podcast on your favourite podcast platform. We'll talk to you soon. This has been talkBIG.
Do you have a question for our talkBIG hosts?
GET IN TOUCH