Ivanka: Hello and welcome to The Art of Services video series on cybersecurity risk management. My name is Ivanka Menken and today I have with me three experts from Pitcher Partner, an accountancy and I.T. advisory firm in Brisbane, Australia. I have with me Teresa, Lenny and Guru.
Teresa Hooper is the partner and founder of pitcher partners. She’s basically focusing on the I.T. consultancy services off the firm. She’s both an accountant and a technologist who is able to provide advice on financial and management systems, data analytics and software support. Throughout this experience, Teresa has a strong understanding of business risk and governance. I’m so excited to have her on this interview because the business risk and governance piece, I’m sure we can talk about a lot of that in relation to cyber security.
Then we have Lenny Tuiatua . He’s the director of I.T. Lenny brings over 15 years of I.T. service management and technical experience to pitcher partners. He is a consultant and as a consultant, he has extensive awareness and understanding of market trends, business and I.T. Solutions including it security. He’s particularly experienced in service management and frameworks like ISO and ITIL. He’s also implemented the I.T. security standard of ISO 27,001.
Then we have Guru Baht. He’s the engine room techie slash programmer slash mad scientists. So a true I.T. guru. He’s been integral in the building and brains behind the number of software related tools and he has strong understanding of I.T. operations and technical aspects of I.T. security. Welcome. That was quite a mouthful.
So glad you could make it today. So like we discussed before we started the recording, because it’s the four of us, it’s going to be a bit more of an informal discussion. But the one question I really, really would like to ask is, what made you focus on cyber security? What significant event in your career has happened that you said, “okay, the rest of my career path, I just can’t avoid cybersecurity, security management, risk management. That’s what I’m going to focus on.” So fight who wants to answer the question.
Lenny: I guess, for me many years ago, just providing I.T. support, I was involved in a bit of an outbreak of a virus that crippled the business. At that point we’ll disconnect from the internet and go through everyone’s computers and machines and it had a huge impact both the business. But from there, I could see that we needed a good crisis service in place and that sort of got me on a path of service management title and also understanding what are ways to prevent these sort of things happening in the first place.
That was about 15 years ago and I haven’t looked back since. Since then it’s all I.T. security, cyber security and service management.
Ivanka: And what about you, Teresa? Cause you come at it from a slightly different angle?
Teresa: Yeah, my background is actually in the health industry. So you have to understand that the information that businesses are keeping are highly confidential and highly personal. And I have come across a number of clients have had cyber-attacks, and I have to help them out in relation to whether we can trade the data or it’s gone forever. But it’s just a face, cybersecurity these days. It’s something that every business must actually attempt to take notice off. And it’s just something that we come across every day in the everyday business now. That’s why it’s of interest.
Ivanka: So it’s part and parcel of doing business for you. How about you, Guru?
Guru: It’s similar along the lines of what Lenny just mentioned about his experience. Back in 2005, straight out of Uni, I was working as a junior systems engineer. I encountered, the first time we were hacked anyway, one of our unique server farms was broken into as. As a junior on call, I did everything I could, but the damage had already happened. The aftermath was very interesting. The impact was severe, but I then had the opportunity to work with a couple of security experts. And you know, lessons were learned. From there on it was just inventing the best practice and pretty much everything from a technology point of view. These days I design software, but that one event has had a lot of impact on me and everything we do these days. You know, the design criteria is mostly around security. So yeah, that one event has had a huge impact on the way I work these days. So, we pretty much think like hackers when we’re designing software and so that has helped me enormously.
Ivanka: Following on from that, I mean you’re…all three of you are involved with the I.T. consultancy branch of Pitcher Partners, and obviously have, with your clients a lot of focus on I.T. security. So in your world, what is the difference between I.T. security and cyber security? Where does one stop and the other start?
Lenny: Cybersecurity is defending from cyberspace or from the internet. It’s really the external wide web. That’s what we’re protecting ourselves from. I.T. security or information security is the actual information that we’ve got housed in our business or our homes. That’s what we’re protecting. And these days, all businesses are pretty much connected to the Internet. So, if you bring the two together, we’re protecting that information, those assets, from any cyber-attacks that are going to be coming from the Internet.
Ivanka: Yeah. So internal attacks like the internal threats, that’s dealt with through I.T. security. When it’s an external threat coming through an external network, Internet, you mentioned it as cyber security crime. Yeah.
Lenny: Correct.
Ivanka: Just wanted to have the definition. So definition’s clear. The other thing that I’ve noticed in the discussions I’ve had with other experts is the importance of including your advisors in cybersecurity risk management. So can you give me some examples of what kind of examples can you give in your experiences of talking and helping your clients or talking with your clients and helping your clients in relation to cybersecurity risk management? I think Teresa, they’re all looking at you.
Teresa: We’ll work with clients to come up with an IT strategy for their business. And that’s not just software or what hardware I put on a disk. But, where do they see themselves in the next five years and what do they need down to that. But part of that I.T. strategy is always covered off on the cyber security as well as the data breaches that have happened just normally through staff and/or externally through, as I’ve said, cyber security. So that’s really how we’re working with our clients to ensure that that is covered off when they do an I.T. strategy. It’s not something, I say, is something you can do in isolation. It actually has to be part of the total view you’re trying to achieve.
Ivanka: Yeah, and in your view, where can business owners… I mean, you know… I’m a business owner. How can we as business owners improve our focus on cyber security and where can we reach out for help? Because we probably don’t know what we don’t know.
Teresa: That’s true. I mean, one of the things you have to do is, well actually understand what it is you’re trying to protect within your business in terms of cyber security. Because sometimes, I think, clients look at their data and they don’t actually identify every piece of data that they need to be protecting. So that’s one of the things I have to do. Go look at where you are now, where do you want to be in the next 12 months? What do I have to do about that? How do I get there? And of course I always stickler, they have to measure everything that you put in place. You have to measure it to see that it’s effective. So it’s, you know, in 12 months from, did you get there, did you achieve everything? Part of this comes around, identifying all the risks in your business. And part of what we do in an I.T. strategy is come up with a risk register to understand what things do we say as directors, owners, stake holders, that has to be protected. And then you know, you’ve really got to think about, then, how do you keep the momentum going as a business owner? Because this is not a one off process, this is a continuing process. It has to be monitored. Because you know, unfortunately, the cyber criminals are getting smarter and they’re getting smarter than us. Find something that you have to keep looking at them, the person.
Ivanka: And then from a really practical point of view, because you mentioned you need to identify what you want to protect, you need to identify what data you need to protect. Can you give me some examples of the types of data that really need protecting but that people completely forget about it?
Teresa: Okay. So for instance, if you have a business that maybe directs debits to your customers, that’s their bank account details. You have to protect that data with all your mind, really. As far as watch from our client’s perspective or customer perspective, personal details such as date of birth, tax file numbers, ABN numbers, or whatever they call it, they’re valuable on the Internet. But is that sort of data, you’ve got to actually identify those pieces and look at what is harmful if it got out there into the wider world and how it could harm other people outside of your organization.
Lenny: Health Records.
Teresa: Health records is a good one.
Lenny: I think that that awareness is becoming quite prevalent because of different frameworks around the world. And Australia, we’ve just recently kicked off notifiable data breach and that’s kind of helping organizations to understand what information are they needing to protect from vulnerabilities or from cyber-attacks.
Teresa: Even internally. As owners we all have our staff and payroll details these days so, we have to be diligent that doesn’t get out there in the wider world as well. So it’s internal and its defacing data.
Ivanka: So with the notifiable data breach, that only came into effect in February this year. What took us so long? Because the US started in 2002 or something with a similar regulation.
Lenny: They put out a draft of the program back in, well, I think it was mid-2017. And it went out to anyone to contribute to. I don’t know the timelines before that, but I know there are a lot of organizations that were given the opportunity to review that. Then in time they got to a point where I felt like they could release it. You know, it’s good for us to have these sort of standards in place because it helps us to be, I guess, more accountable, to comply with standards that protect people’s identity and information.
Ivanka: And how can firms like Pitcher Partner help spread the word of this regulation? Because to be honest, before I started doing these interviews, I’d never heard of it.
Lenny: We need to make sure that, through our own clientele, through opportunities of euphemisms to our clients, it hasn’t been a sure job either from many other sources till late 2017. There was a lot of information to spread about it. There’s a lot of changes in the financial industry, we’ve got other things that have happened as well. So the challenge I think really is trying to say, “Hey, look at this one. This is important, so is this, so is an Australian single touch payroll.” There’s so many out there. I think it’s really just trying to help our clients take note on something like the data breach so that can actually execute on it and make some changes that they need to do.
Ivanka: Yeah, maybe it’s a matter of information overload because there’s so much going. You know, you get emails from an ATO, you get emails from the account and you get emails from smart business. There’s so much going on. It’s almost like you can’t see the forest through the trees anymore. Guru, question for you, what is the biggest myth around cyber security from your technical standpoint?
There’s a few, but I’ll touch on one. You know, often people believe that antivirus will protect us from everything. As you know, if you asked me the same question back in the nineties, I would’ve said yes, antivirus can protect us. These days, the effects are very sophisticated and with billions of devices connected to the internet, that’s no longer the case. That’s one of the myths. For small businesses say “we don’t have anything worthy of stealing.” That’s another mindset. The nature of the hacks we have these days, any information personal or otherwise can be very valuable. If it goes into the hands of a hacker. So no one’s safe. We just have to take measures. With a bit of homework and procedures in house, these things can be avoided. And everything from personal data to data Teresa just mentioned are of very high values to these attackers. You know, back in the days it was only big banks and financial institutions or big organizations. But these days, every organization is as vulnerable as any other. So other than that, any other myths?
Lenny: I think Teresa and I can probably think of one more each. One I can think of is prevention is better than a cure. A lot of these organizations may not have these barriers and face to put things in the first place because they might think, you know, “if anything happens that’s ok. I’ll just restore from backups and it’ll be fine.” But we know that because that happens often, loss of productivity, loss of revenue or even loss of business, we may not recover from it. So that’s another myth.
Teresa: I think the other thing is that people think they’re small business, that they’re not a target. I would actually strongly argue that that’s not correct. I actually think that small business is an easy target unfortunately. I was reading an article a couple of weeks ago where it says that Forbes thinks that this business of cyber security will net $6,000,000,000,000,will be a cost of $6 trillion dollars to business by 2021. So, I have personally been involved in a couple of sites that were attacked and they actually, they paid the money. It was easier to pay the money then to actually try and retrieve and recover from the attack, from a reputation point of view and a time point of view. Because obviously to retrieve your data from a backup and central, takes a lot of time. It was much easier. And in reality the cyber criminals actually excited to pay me the money and I’ll release the data. And they’re normally generous. Because they’ve got their own reputation, believe it or not, to protect.
Ivanka: True. So, from your experience, it’s the ransom attacks that are most prevalent at the moment?
Teresa: That’s the ones we hear about the most. But I wouldn’t say they’re most prevalent. You know, like we all went through Facebook a couple months ago.
Guru: Every now and then, you know, like in the past 10 to 15 years, there has been one network hack that catches everyone’s attention. Recently, it’s the ransomware and the variants of those ransomware. But also just simple things like breaking into a large database such as Sony network or even, the dating website, Ashley Madison. So the aftermath of that would, it was so much personal data that was stolen. The people’s personal data was available from the Dark Net for save. That included everything from their addresses, to phone number and credit card, you know, all of those things. So there are different types of threats. It’s just, you know, being mindful and taking some measures personally, and both from an organization’s point of view. So yeah, this is always a catch up quickly. The protectors and the attackers. So it’s a, it’s a never ending game.
Ivanka: So I’m just trying to gather my thoughts. So its prevention is better than fixing it afterwards. And you also said there’s a couple of things you can do to be prepared. What are the top three really simple things we can do to be less vulnerable to attack? And “we” is workers out there in the big bad world.
Lenny: From our I.T. background and an easier way to look at it would be people process and technology. Why don’t I just touch on people? And the reason I’ll touch on people is because this is one thing that we experience all the time, you know, offices that we’re in and offices that we go to. And it’s really just that whole education awareness because despite all the things that you can do with technology, people don’t understand, I.T. security. They then begin to leave important documents lying around on the printer. The printer is a real easy place to go to. You will find things that have been printed out for payroll or personal information and you know, who picks that up could be a third party, could be someone who isn’t authorized to look at that. Now the people side I think is one that is going to be an ongoing challenge. It’s a big job, but it’s a big part of the puzzle because you can go into a lot of different and other areas, but it might just take a simple mistake, as in an usb left somewhere or something said that’s not protected.
Teresa: I guess if you want to future-proof yourself, it’s a little of that. You have to have some sort of protection and response strategy as well. Because I do have a belief it’s not if, it’s probably when you’re going to be attacked because I don’t really think they can stop it totally 100%. And like you said, people have to understand that they have to have clear roles if an attack happens. So what’s their role in that process? What are they responsible to do? Who do they talk to or how quickly do they report to? And what do just general staff do? You know, tell them not to click on links that they think did not come in on our server. Guru can probably talk about software that’s available that helps businesses put in place. I know that we have it here and it helps us…probably cuts down on 99.99% of attacks. So .01% one day may get through. You might want to talk about the fact that, you know, you need to keep the systems up to date with patches and stuff like that, technical is not my area. And just genuinely have a risk management strategy, about how are you going to… one, what do you want the staff to do to avoid the attacks or your clients to avoid? But then what do you do in response and then how do you tie up after that?
Guru: As Teresa said, there are things that we can put in place to control these threats, not necessarily work 100%. Its simple things like antivirus. Yes, antiviruses will not protect all of the threats, but something is better than nothing. And it’s part of a whole software strategy. You have to have. Antivirus that is up to date all the time, and antimalware. Take a layered approach with the firewalls, email filtering, that kind of thing. For small businesses, you can look at, like Teresa said, we call this unified threat management. These are very sophisticated piece of software that work even before it gets to people, it’s stopped. So a combination of these things can actually avoid a lot of these threats. But once again, like Teresa said, nothing is 100%.
Lenny: I think Teresa made a good point too around the response side. Because certainly if you looked at the Notifiable Data Breach Scheme, that’s really designed more around when rather than if. So it’s taking this approach, that no matter what you do, it’s going to be easy for someone to make a mistake. For protection that you have in place to exploit vulnerability. So, it’s more of a when and so when it happens, you have to respond in the way that, that you’re talking about too, the rule is mitigate the risk of some of these things will despite all of your efforts. So you’ve got to have things in place to try and minimize the damage and also recover as quickly as possible.
Guru: Another thing I want to mention is the web browser. These days, web browsers are one of the most widely used piece of software on our desktops. So the attackers exploit several on regular days on the web browser. So it’s really important to keep our web browsers up to date and with all the security patches and everything. There are certain browsers that are not as safe as the other. Not going to go into those details. But having a good browser, keeping it up to date, all of the time is extremely important.
Ivanka: Can you give me a color? So basically what I’m hearing you say it’s people process, strategy. So it’s really a business issue, isn’t it? Yes, there’s a technical component, but it’s a business issue.
Teresa: It is. And it really starts from the top. So you know small business, like yourself, you’re a single liner so it would start with you. If you are a medium size or a high level company, it starts at the board. It is a board responsibility to ensure that they’re caught up on this risk for the company. And then it’s about them having it implemented downward, so to speak. But it’s not something a director can get away with and say, “Well we talked about it at a meeting 12 months ago. So we thought that was the end of it.” It actually doesn’t stop there. To be prominent at the board level is that you constantly have it on their agenda and you know you trained it and effectively putting in actions too…whatever action is necessary and time and making sure all the staff underneath understand.
Ivanka: Yeah. And then with the measurement, I mean the ultimate is to have lead indicators rather than just leg indicators. The leg indicator is, “hey, we got hacked.” or “There’s an attack.” So, what lead indicators have you been using with clients that have been really successful so far?
Teresa: Well, I know from one client I’ve worked with, one of the things that we’ve looked at, they actually do monitor how often they’re being attacked because their software will tell them that. So the one thing is we’ve had no attacks, that’s what we like to see on a board paper. Two then is, if you know that you’ve had 2,000 plus tried attempts in the last month and they haven’t been successful, that does give you a little bit of confidence, I guess, that the processes and the software particularly that you’ve put in place is working to its best advantage. I guess the other indicators from a technical point of view, I’m betting Guru could probably talk about this a bit more, is it’s about having, you know, your patches or monitoring that. So you can talk to more about that. That’s more at a hardware software level more so than governance. But what you would look at…
Lenny: Yeah that’s, what Guru talked about earlier, making sure that on a monthly basis, there’s a regular cycle or patch management. That your virus definitions are up to date, that there is a regular backup, there is a backup strategy, there is also a restore strategy, a D.R. strategy and business continuity. So, if you have all those things in place then if anything happens, first of all hope that you stopped it, but if it does get through and you have an issue and once again you can recover.
Ivanka: Yeah. And then from the people side, because you’re talking about the processes of disaster recovery strategy or a business continuity management. You talked about the technology side of things with patch management and making sure you do all your browser security patches. But then from the people side, what type of training do people need in 2018?
Lenny: It’s a good question. Like we’ve mentioned earlier, sometimes it’s information overload, but ideally you’ve really got to start with the core team. Because your core team are going to be your change agents, you know, there’ll be others around some of these processes that look out for your I.T. security process and procedures and you’ve got to get them on board. You’ve got to have, I guess, you’ve got to practice in the event of something happening. Who does what? Clear roles and responsibilities. Outside of the core team, now you want to try and get the message out to everyone what this is all about, some of the behavioral changes. In terms of an organization, they do have the opportunity, when you take on your staff, to take them through orientation and teach them and educate them on things such as you know passwords and locking your computer or leaving things on the printer, you can take them through your I.T. policy. Organizations need to find a way to repeat that because you can’t tell it to a new person once and expect them to remember everything first when they hear it. So, you know, depending on how big you are, on how small you are…Here at our firm on a regular basis, We get these privacy or training reminders to do certain things that keep us on top of these sort of important topics. So organizations need to find a way, not to do it once but, to do it on a regular basis.
Ivanka: Do organizations provide like test scenarios? You know, with disaster recovery, you have all these drills and these unannounced disaster recovery “plays”. Do you do something similar like that with your clients in relation to cyber security? Or is it old banged up into the one big test?
Speaker 4: There’s minor tests you can do all the time, really. There’s, I shouldn’t say this, but you can do what I call “false phishing” that emails to your staff. So it’s really testing whether your staff understand your policy. So you might send an email that looks like a ransomware or something, something that looks totally, and we’ve all probably saved it, is the simple one of Australia post. “You have a parcel sitting at the post office waiting for you”, and you can test whether your staff will actually click on that link. And, it has no harm to the business, but it actually does produce some testing and some training opportunities with your staff. Because just as Lenny said, you can’t just do this once with your staff, they’re not going to remember. It’s something you have to constantly reiterate to them so that they are just aware all the time that this stuff can happen. So, there’s those sorts of tests that you can do randomly, without them even knowing, other than doing a big test. It’s like anything. When you have a policy in place and you have a strategy, you do have to put it through, at least once a year, through the testing process to make sure that everybody knows and understands what they need to do if a situation occurs.
Lenny: But there’s also a lot of resources online from trusted sources such as governments. The Australian government’s a great one. They have a number of government partners that provide resources, such as assessments. Some of the assessments, in a way, are there to provoke scenarios where ” if you do have some sort of security breach, what would you? Do you have the right processes in place?” I also think some of the resources I have that would be useful to businesses is a whole set of loop systems. So when they come across or they’re aware of a new strain of virus that’s causing havoc across other places, you know, that’s fit to notice it as well. So these resources are available obviously, as you say, outside of government, there are trusted advisors, you can go to who specialize in providing those sort of resources to customers as well.
Ivanka: Yeah. And as trusted advisors, I would think that would be your accounting firm. It could be legal advisors. Who else should be on your trusted advisory board in relation to cyber security? So that’s a new acronym for CAB. So it’s not the change advisory board, it’s the cyber advisory board.
Teresa: You would certainly try…for us, for instance, we use an external I.T. provider to give us advice on what software et cetera that we have, so I would rely on them to actually keep us abreast of what’s happening in that area at least once a month and they do that quite well.
Lenny: And subscriptions to third parties, such as in Australia you can subscribe to cert.gov.au They give you a lot of resources, even though its third party, you can still interact with them as well. And also, you know, you may want a third party’s say. For us, we have another services provider. But, from time to time, we will need some gadget third party, just to make sure, just like an order I guess, to make sure that from an organization standing outside, everything on the inside is working well. You can also just include some of the key vendors who provide services to you. It’s good to have relationships with those who provide core services. So if you’re a big hardware type business with a lot of infrastructure, you would want them on board at some point as well.
Ivanka: Excellent. Thank you so much. And then looking into the future because cybercrime is really on the increase and like Teresa said earlier, the criminals are getting smarter and smarter and we can think we can catch up on them, but we probably won’t. So how can we as business owners or business executives, how can we future proof our business?
Guru: I guess from a technology point, some things Teresa has already touched on. Making sure that there is a strategy to manage the data. That is why people need the organization. Having your backup and disaster recovery plan in place, raising awareness within the organization; just simple things like password management, having a password policy, expiry of the password, simple things like that. And possibly educating the users on things which I think Lenny and Teresa has already mentioned; what you do and what not to do. And just to give an anecdote, there was one incident where a hacker actually left a USB key at the gates of an organization. Someone walking into the premises just picked up a nice flashy, 64G USB key and that was it. Now, in a normal circumstance, the vector that was in the USB, a virus or some sort of malware would not have been able to would not have gotten into the network. Now this is the kind of sophistication and you know, simple delivery mechanism hackers come up with. So, it’s all about awareness and making sure employees know what to do and what not to do. Simple things like that can go a long way.
Teresa: I just thought of something else that businesses can do. You can actually have companies come in and do what they call “penetration testing”. It’s something large organizations should do. Because really, what they are doing is they’re the good guys and they’re actually just testing whether they can or cannot get into your system very easily and that’s where you would use the results of something like that and work with your cyber team and make sure that you’ve covered up on anything that they discover, and or what they don’t discover. Ethical hackers.
Ivanka: Excellent.
New Speaker: I want to add too, this is why you’re talking to us, I guess Ivanka. I think for businesses, don’t try and do it alone. Businesses have a core function of what they’re trying to do whether they’re retailers or transport or whatever, when it comes to this side of things there are resources, you have trusted advisors, there are suppliers out there, there is product, there is software. They can use that to future proof the business. If I get back to what Teresa state, start with a plan. Start with risk mitigation, a risk plan, start with the end of line. “What is it that you’re protecting?” and work your way backwards. And Guru said it, it may not be perfect but having something in place is better than nothing. So you know, get some help, there’s good resources and there’s advisors in numbers.
Ivanka: Wonderful. Well, I think on that note, that’s a really good point to end. Thank you so much for your time. Thank you so much for your insights and your experiences. If people want to, not if, when people want to reach out to you, they can reach you via the website, PitcherPartners.com?
Teresa: PitcherPartners.com yeah.
Ivanka: Yeah. Excellent. So I’ll put that in the description as well. Any last words from you guys?
Lenny: Look, if they have any questions, send us an email. We’ll gladly assist you in any way we can.
Guru: Be safe with your passwords!
Teresa: Don’t hand them out!
Ivanka: Excellent. Thank you.