AISA Melbourne CyberCon 2023 Round-Up and the Future of Cyber Security in Australia.

EPISODE - #53
Published on January 15, 2024

Episode Transcript

Josh Rubens

Good morning, good afternoon, wherever you are. Welcome to episode 53 of the leading IT podcast, hosted by Tom Leyden, the CIO at Longview. G’day, Tom.

Tom Leyden

G’day, Josh. Good to be back.

Josh Rubens

Yes, welcome back. And myself, Josh Rubens, CEO at Cloud Solutions Group. If you’re new to the podcast, welcome, and if you’re a returning listener, thank you for coming back. The purpose of our show is for IT leaders to discover unique and valuable insights into current trends from both sides of the vendor-client paradigm, and we tackle relevant and time-sensitive topics like cloud, AI, cyber security, infrastructure strategy and leadership, and how to deal with emerging IT threats and opportunities.

And in today’s session we’re going to give a bit of a sum-up of the recent AISA (the Australian Information Security Association) conference that was hosted in Melbourne, and we’re also going to talk about the future of cyber security in Australia with David Stevenson, who recently joined Cloud Solutions Group as our head of cyber security. So welcome, David.

David Stevenson

Thank you.

Josh Rubens

How have you been, Tom? What’s been happening in your world?

Tom Leyden

Hey mate, we’ve been very good. We had Optus on our mobile phones of course, so we got through that fun. Should we just start talking about Optus straight away and get that off our chest?

Josh Rubens

Is that where we should start, with the Optus bagging?

Tom Leyden

Well, it’s good to see someone else really stuff it up, right? It’s not me. I think every IT person goes, yeah, you know what, they should do a lot better, and if it was me in those shoes I’d be doing a lot better than that, right. I mean there’s so much to that story. Maybe I could talk about the communication bit, right? That’s the story: their communication during that outage was horrendous. So Josh, did you have customers on Optus?

Josh Rubens

Yeah, lots of customers and staff on Optus. Quite a few years ago I had two mobiles, one Optus and one Telstra, and I very quickly gave the Optus one to my dad and stayed with Telstra, even though it cost me twice as much, because the coverage and service was just so much better.

Tom Leyden

So yeah, look, the outage itself we’ll talk about in a second, but the communication, I think they just absolutely dropped the ball with a lack of communication, so much so that the Minister for Communications had to step in and just make stuff up, right. So I think she got more coverage than the actual CEO of Optus. I think we’ve all been taught how to communicate during a crisis: you have regular updates, you tell people what’s going on, you’re transparent about the process. Even if you haven’t got the solution, at least you tell people what you’re doing about it, and you give regular updates.

But Optus just completely failed to do that, so many people were just bumping around into each other going, what do we do, what’s going on, I don’t know, there’s no update, where’s the update? So that caused an enormous amount of frustration for a lot of people, I think.

Josh Rubens

Right, yeah. So they said it was about changes to routing information after a routine software upgrade that impacted 400,000 businesses and 10 million users. So what happened was the routing information changes propagated through multiple layers in the network and exceeded preset safety levels on key routers, which could not handle this. I’m just trying to get to the technical piece. So it means the Optus technicians had to physically reconnect or reboot the system. This is funny, so it meant that people had to physically go to the data center, right, go to each of the sites and...

Tom Leyden

Press buttons, pull wires out.

Josh Rubens

Yeah, and do a reboot. And they’ve made changes, and it said the compensation was they’ve given their customers an extra 200 gig of data. There you go.

Which my kids use up in about three minutes, thanks for that. I mean, what a classic. So you know, I think patch management, we’ve all been the victims of faulty patch management, right, but there’s a reason why we do patches the way we do: we have alternate patch processes, so half of you get the patch on one day and half of you get the patch the next. This is a good reminder as to why you do that. You also have pretty good rollback plans, right, Josh? Yeah. I’m sure you know these guys, I know people at Optus, they’re smart people, they know this stuff, right, so there must have been more to it than just that.

Josh Rubens

Eventually we’ll get the full story. David, do you have any comments on it, besides how deplorable it was?

David Stevenson

No, I think, you know, looking forward to seeing what comes out of the committee hearings over the next couple of days, what does get relayed back. And I think, kind of timely on it, the ACSC has released the continuity in a box that does cover off how to handle communications in a crisis, at least two days ago, and just very fitting after the Optus hack.

Tom Leyden

I’m sure Optus will be a case study on what not to do.

Josh Rubens

Did you say they were added to the SOCI or whatever? They were added to something.

David Stevenson

Yeah, so Security of Critical Infrastructure, it’s now being listed for telecommunications, which was sort of always on the road map that they would be, and they’re doing a phased rollout. But now it’s precedent that, you know, what happens when communication goes down in Australia, it affects millions of users.

Tom Leyden

Oh, and trains and hospitals and a whole bunch of other add-on services, downstream services.

Josh Rubens

So what do we think? So after the hack, and even Telstra talking, you know, the advertising is all about how secure they are, which is almost laughable, but maybe compared to, say... is this, you know, second strike, or what do we think the future is for Optus here?

Tom Leyden

Well, they need some good fortune, don’t they? They need a long period of time of good productivity, or high uptime, high availability. People move on, let’s face it, and the cost of transferring your Optus accounts to Telstra or whatever, there is an amount of pain around that, so some people, no doubt a lot of people, will probably just stay and get on with it and hope to God they don’t do it again. So they just move on, that’s what I suspect is gonna…

Josh Rubens

There was one other bit that I saw somewhere else, and it said that the issue came through from a peering network and propagated through their network, but it came out that that peering network was from Singtel, their parent company. So yeah, it’s embarrassing. All right, and Tom, do you want to do your news, or I’ve got mine. You got your other news, Tom?

Tom Leyden

You go, you go for yours.

Josh Rubens

Mine’s a controversial one, it’s going to upset some people. So this is an output of the SolarWinds 2020 incident, and the SEC is now taking action against SolarWinds and the CISO, particularly the CISO of SolarWinds, whose name is Timothy Brown. And the reason why this is interesting is this action could set a precedent for holding security officers personally liable for security incidents and consequences.

So yeah, they’re sort of alleging that he failed, that he essentially lied about the security posture of their environment. Really? Yeah, yeah. So it alleges that SolarWinds failed to disclose critical weaknesses that led to the breach of its network monitoring software Orion, ultimately leading to an estimated 18,000 SolarWinds customers unwittingly installing compromised software. They specifically called Timothy Brown out for his alleged role in fraud and control failures.

So it’s saying the company and Brown knew of the deficiencies in their cyber security practices, as well as elevated risk, for a long time, and that he acted negligently when he failed to resolve security issues or raise them to the right teams within the organisation. Yeah, so fair enough, I...

Tom Leyden

That was a brutal attack, right? That was a brutal and very clever attack, where I think everyone recalls that SolarWinds patch went out with malicious software in it and then went out to 18,000 customers, is that right? Yeah. And that caused havoc, absolute havoc and carnage. So as a customer you hope that these guys are doing their job. What you’re telling me is that guy didn’t do his job.

Josh Rubens

And he was... so the big reason why this has caused a big uproar is, you know, there’s concern that people who want to get into the security industry could now be concerned about, am I going to be held personally liable? And should you hold individuals personally liable? Are CEOs held liable, and is the CIO? And what if the CISO went up to the board and asked for money and was told no? You know, there’s a lot...

Tom Leyden

They’re not saying that though, right? They’re saying that he didn’t go and ask, he didn’t highlight the risks, which is his job, that’s his job, right, to do that. Yeah, for sure. So I don’t know if I have a problem with it, Josh. I’m not sure. I think it sounds like a good idea, as a recipient of this stuff, right. And I’m not a CISO either, by the way.

Josh Rubens

Well, so what does it mean? So let’s say you’re the CISO, or you’re the CIO and you don’t have a CISO, Tom, and your company gets hacked, but you went to the board a year ago and you put forward a whole bunch of budget things and they said no, and you warned them, and they got done. So yeah, what do you have to do?

Tom Leyden

I’ve done my job, yeah.

Josh Rubens

So you’ve done your job. Obviously you’ve got to make sure that you document everything. Yeah, you have to keep records, and if you get done, if someone comes for you, you can say, well, hang on, it’s the CEO, I told them.

Tom Leyden

Exactly, yeah. But I think what I’ve seen, where CISOs, even CIOs, will go, well, you know, things like audit reports or cyber security reports, they’ll go, yeah, we’ve done this, but maybe they don’t provide all the detail about what they’ve done, or maybe they’ve left something out, maybe by mistake, maybe on purpose, who knows. And that’s what the point of this thing is, right? Like if you’re going to say you’ve got these controls in place, you’d better make sure you’ve actually got them and you’ve tested them.

Josh Rubens

So David, as someone who does, you know, virtual CISO, what are your thoughts on this?

David Stevenson

Yeah, I think the interesting thing on this one is it is a fraud charge from the SEC, so it’s a little bit more than negligence. It is either paperwork towards the shareholders that has been fraudulent around the position that they’re currently in, or is it insurance fraud? You know, there’s the monetary aspect around the fraud that’s being claimed, especially if it’s coming from the SEC. So I think that’s sort of the element here: if you have deficits, call out the deficits, make sure it’s well and truly heard within the business, that it’s on the risk register, that it’s understood. And understandably you can’t tackle everything on your risk register at one time, but more so focusing on your impact risk assessments, focusing on where the company needs to go to secure that posture, and have that tracking along. And I think the big thing that I’m looking forward to seeing, how all of this plays out, is what did he do to raise that fraud case? Where are the SEC coming from, of, you know, fraudulent information being supplied with his name on it?

Tom Leyden

Yeah, it’s detail that we don’t have at this point that I’d like to see.

Josh Rubens

But yeah, I mean this whole concept of personal liability for these things, whether it’s a CIO or CISO... I mean CFOs, if you think about it, when they have to lodge financial reports to the stock exchange, if it’s here, they’re legal documents, so they are liable. Or a CEO when he says we’re going to do this or that. So is it a natural thing that this is now moving into IT?

Tom Leyden

I think so. I think it’s a badge of honor as well, people taking this job seriously. Yeah, if it’s not this guy’s responsibility, whose is it? Yeah, for sure. And...

David Stevenson

I think that’s the main point of it too: you do have an executive at that level who is encapsulating security as that service and domain for the company. Ultimately it does lie on their head to make sure that they’re doing their best efforts to manage that risk. And yeah, I think that’s sort of where that one is, and it’s good that the Australian government are starting to put that on directors of companies at the moment as well, that cyber incidents are related to the company, not to the individuals in position for those companies.

Josh Rubens

So we all have to get our big boy pants on.

Tom Leyden

And some personal liability insurance.

Josh Rubens

Yes, well, I think in your insurance you can get, like, executive... yeah. So when you’re negotiating your job you can maybe put that in your package, that they pay for your executive insurance.

Tom Leyden

Pretty standard, yeah.

Josh Rubens

You know a lot about this, Tom.

Tom Leyden

It’s good to just be prepared, I think.

Josh Rubens

No, it’s good, it’s good. Excellent. All right, Tom, back over to you. Just one more, because we want to speak to David, but...

Tom Leyden

We should just talk about the DP World hack as well, I think, that occurred last Friday. It took down ports; something like 40% of cargo through Australia went through DP World and had to be shut down, so three or four days of delays, no shipping at all, which in this country is a big deal, right. Now by contrast, in terms of communication, they were a bit slow on the update to the government, but once they did they were providing the government with two-hourly updates on how things were going, and as a result the government has turned around and said, yep, that’s what we expect, we’re not going to rake you over the coals here.

But there’s a lot of work to do to understand what happened with DP World as well, which I don’t have the detail on at this point.

Josh Rubens

Dave, have you got any...?

David Stevenson

Yeah, not so much. So I’ve kind of been following the high levels of it but haven’t really delved into it too much just yet, but I think they’ve shown a mature response. It wasn’t a threat within the Australian border, it was most definitely an overseas threat that they responded to, but to protect their network they chose to shut down certain systems that then impacted Australia. And as Tom mentioned, they were slow to initiate the comms, but got on to the comms quite well; from everything that I’ve read they did really well with that communication plan there as well. And I think realistically it just highlights the third-party risks associated within Australia and for companies just in general. And even touching upon SolarWinds as well, it’s not just protecting yourself, but it’s knowing your third parties and making sure that their security standards are in line, and I think in this case they had really good security standards.

Tom Leyden

Yeah, and I think that they brought in their cyber security experts straight away as well, from my understanding. I think that makes a big difference. As soon as you press that button to get the cyber security expert in, then your job, particularly as a CISO or CIO, becomes a lot easier; you’ve got that support behind you. All right, shall we get into the next part, Josh?

Josh Rubens

Yes, so now officially welcome, David Stevenson. So Dave, do you want to give us a bit about your background, tell everyone?

David Stevenson

Yeah, no worries. So I’ve been a cyber security strategist for the last 20 years, working with Australian companies across education, law and professional services, focused mainly on operational practices and bettering and improving security postures. These days I’m mostly focused on risk management, helping customers build out and implement security controls to mitigate cyber-related risk. Great.

Josh Rubens

And your new role?

David Stevenson

Yeah, so I joined Cloud Solutions Group as the cyber security practice lead.

Josh Rubens

And we’re enjoying having you around, so thank you. Enjoying being around. Certainly brought a level of maturity and competence, so it’s been fantastic, and a lot of our customers are already benefiting from it. Excellent. All right, so you went to the conference, the AISA conference, a few weeks ago. Do you want to, maybe as a starting point, talk about the highlights, or about the conference in general? Was it big, small, what was it like?

David Stevenson

Yeah, most definitely. So always a thank you to the Australian Information Security Association for putting it on each year. I think every year I’ve been, more and more attendees are coming, and it’s from all walks of life: your business admin into the C-level into the cyber security professionals, as well as the students that are coming along and trying to get into the industry. Always daunting, there are so many sessions on, it’s really hard to select which session you want to get into and visit. So for myself this year the track was very much around digital identity and machine learning; AI is very much a hot topic at the moment. So staying within that digital ID, IAM space and following through three days of 45-minute conferences and downloads of information. So it’s three, four weeks old now, but a few of the highlights were around digital identities in the era of cyber threat, a really good speech from the ANZ team over there; empowering security teams with generative AI, so again very much in that GPT space, very much a hot topic at the moment; and then going beyond MFA, so getting into the passwordless, phishing-resistant deployments and looking at what real-world examples are from Microsoft themselves. So they were the highlights. Of course walking around the vendor floor and getting bits of updates from the vendors and from the booths is always fun, never really enough time to get into depth about new features that they’re coming back with, but every day I’m receiving countless emails of quality information from them, so more to come on that front.

Josh Rubens

Excellent. So how many attendees do you think there were? Was it 5,000, 10, a couple?

David Stevenson

Look, I’d say 5 to 10,000. Wow. A lot more than I’m used to post-pandemic, that’s for sure. So quite a lot of people, packed halls, packed seminars. Again, fantastic to see. When you think of Australian cyber you kind of think there’s a few people here and there, but going into the conference you see that it is in the droves of thousands. That’s fantastic.

Tom Leyden

It’s a big deal, it’s a major industry now, so a lot of it is support for that. Yeah. So do you want to get into some of the detail? I think for us, understanding MFA, what’s going on with MFA, what’s next for MFA, it’s a very important piece of what we do in IT these days. So where’s it going?

David Stevenson

Most definitely. So I think realistically MFA was kind of the poster boy five years ago, very good around trying to get that uptake. A lot of companies moved towards enforcing SMS authentication, and I think realistically we found early on that SMS can be bypassed; SIM swapping became quite prevalent, especially in the crypto industry, that if you really wanted to get into someone’s MFA that’s protected with SMS, you would be able to bypass it. I think moving forward from that, moving over to authenticator-based, token-based authentication, that was fantastic for a time as well, but time and time again we’ve seen, with the Okta breach recently, that that can also be bypassed if the attacker is focused on bypassing it.

So we’re kind of moving into that phishing-resistance era now, going beyond MFA, and I think from that point we’re more looking at certificate-based authentication, we’re looking at FIDO2 security keys. Windows Hello for Business is the more seamless, easy-to-adopt technology at the moment, and then the big future moving forward from that is passkey authentication, so kind of mixing in the biometrics with the certificate-based and the device, so that’s really taking it a lot further. But I think a lot of what we’re seeing at the moment is it’s quite a journey to get into that phishing-resistance realm. And it’s been good, a lot of vendors are coming to the party now. Traditionally what we did find was a lot of vendors would give you the option for SAML or OpenID connections in their enterprise product; we are seeing the market swing a little bit towards, you know, the business-grade licensing is starting to get those features. I think

that’s the big thing for industry at the moment that really needs to occur, so we can move into these phishing-resistant technologies, we can get IAM solutions implemented, either through Okta, Duo or even Entra ID, to make sure that we can bring everything back down to your identity, your device, your posture, and come back to that attribute version of authentication, right.

Josh Rubens

So if you’re in the Microsoft world, so we’re talking Windows Hello for Business, we’re talking the Authenticator app, and so from a phishing-resistant MFA point of view, what are you recommending? Are we saying that’s for all accounts, or is it more for important admin-type accounts? What’s your...

David Stevenson

Look, from a user perspective I would say Windows Hello for Business is seamless, and I think that’s the big thing that I’d be looking to get to. And I think if we look at risky insiders, it’s not necessarily the admins that are the risky insiders. You can go, cool, it’s the CFO, they’re going to be the target, they’re going to be the whale. You also need to look at new members coming on board, new members who don’t quite know the policies and procedures just yet. You know, it’s quite easy that the CFO from a Gmail account has asked for 100 iTunes vouchers to be purchased on your personal credit card. They’re always targeting new people onboarding; when you update your LinkedIn profile, you then become that risky insider.

So as a general rule of thumb, you can move to a pure passwordless environment; that’s where you want to be. And Microsoft have done leaps and bounds with Windows Hello, with the one-time tokens and pass back, it’s getting to that, and noting it’s quite a journey to get there, but removing the password means there’s nothing to be phished.

Josh Rubens

Yeah, okay, so no more sticky notes with your password.

Tom Leyden

It’s the... Microsoft take you on a journey, so I think that’s great, I think that’s made a big difference to a lot of people. It’s more your legacy apps, isn’t it? The internal legacy apps, whatever they might be, externally focused, some sort of supply portal... Exactly. They’re the ones that are outside of the mainstream, they’re the ones that people find hard to wrap around. Any advice on how they might quickly control those beasts?

David Stevenson

Yeah, look, it’s always going to be a struggle and it’s always going to come back to that application as well. I don’t really want to single out the legal industry, but the legal industry does have a lot of legacy applications that are hard to move from.

Tom Leyden

Yeah, they need to secure those guys. I don’t know if they’ve looked at the news lately, but they need to secure.

David Stevenson

Yeah, exactly it. And I think this is where zero trust network architecture comes into play, having private access tied back to your passwordless authentication, your device attributes, your user attributes. You might not necessarily be able to replace the identity for the application, but you’re replacing the identity around accessing the application.

Tom Leyden

Yeah, right, that’s interesting. So you kind of put a layer before you get to the app. Yeah, it’s quite good, right. So I was going to say, this is the sort of stuff that we should be reporting up to the board through the risk frameworks as well, right? Exactly. Going back to the earlier conversation, if you’re not talking about the risks here, you’re not doing your job.

Josh Rubens

Exactly it, yeah. So David, so the process, sort of the steps would be MFA, and hopefully phishing-resistant MFA now, using Windows Hello or something, then SSO, right? Try to SSO as many as possible, or... like, what’s the...

David Stevenson

Not quite. So the issue comes into having that identity access management, and to go into the SSO journey, I’d actually probably put that before you go into the phishing-resistant authentication. So most definitely MFA everywhere, step one. I think realistically you want to start creating that password replacement offering, so depending on the type of applications and depending on your user personas, you might be able to do phishing resistance for some users but not for all users day one.

Where legacy apps are involved, realistically I’d be putting them on the risk register: we’re either looking to replace them in the years to come, or we’re looking at what alternatives we can have there. And there are still a lot of applications out there that are legacy applications that do have update paths; sometimes those update paths are payable, so you are waiting for the next refresh to get that approved and to upgrade those applications. But most definitely reducing user visibility of the password surface, so getting everything enrolled into SAML or OpenID, updating and removing legacy apps where applicable within the organisation, getting devices ready, so enrolling Windows Hello, getting the security posture in check. So if we are looking at the Microsoft landscape it’s getting Defender, it’s getting Intune, getting everything rolled out and secured at the device endpoint, then getting that credential registration and bootstrapping.

So what we look at is, when we onboard a new user, are we assigning a temporary pass to register that device, then for Windows Hello when that user first logs on? Right, once all that’s done and Windows Hello is done, we’re looking to drive education around user adoption, and then we start that transition to passwordless authentication.

Josh Rubens

Yeah, and with Microsoft then it’s the conditional access policies and all that sort of stuff, right, where you’re setting... Exactly, zero trust. Yeah, so that’s at the front end of it. Okay, no, it’s good. Yeah, the identities, right, as we’ve always said, that’s the beginning, that’s the foundation. Exactly. And you mentioned modern threats to digital ID was a big theme there; do you want to maybe expand on that a bit?

David Stevenson

It is. So taking that a little bit further, when we look at the modern threats we are looking at phishing, we are looking at malware, we’re looking at password attacks, insider threats, social engineering, and then lack of security awareness. So with three to four of those points we are talking about the digital identity. So what we’re finding is that we’ve had rapid growth of digitalisation, where in the past you’d have AD, you’d have your legacy apps, you may have authentication on those legacy apps, you might have ALD apps on those apps; realistically everything’s maintained within that AD on-prem environment. With the spread out into now SaaSifications for most modern applications, you are looking at having identities at each application, so bringing that back into a central repository, having that IAM solution, having everything tied back to that single source of truth for identity, that becomes more and more precedent. I think when we’re looking at digital identity we’re looking at that rapid growth; we’re also looking at identities that are now around the individual, the organisation and the devices, they’re no longer just the individuals. And I think that’s the challenge that we’re facing: you’ve now got that password protection sprawl, you’ve got multiple identities across, you’ve got passwords that are normally weak, we’re normally seeing users are reusing those passwords or a variation across multiple systems, we lack identity verification, we’ve got multi-factor authentication on some devices, and, coming back to not all SaaS platforms have these functionalities on their base-level platforms, you do need to look to enterprise to get certain features, and then just that user awareness of trying to combat shadow IT to a degree as well.

I think when we do look at real-world examples of identity security breaches, we are seeing people like SolarWinds, we are seeing people like Equifax and Marriott that are all leaking out that identity and that PII information, because we have these identities sitting within multiple realms now.

Josh Rubens

Yeah, right, a big risk. Yes, it’s a sprawl of identity.

David Stevenson

Exactly it. So I think the main things for us to look at are implementing an IAM solution, centralising those identities, controlling the access and authentication requests using MFA, and again coming back to trying to get to phishing-resistant identity and authentication where possible, but at least we can have that MFA policy applied and we can centralise what that policy looks like.

Tom Leyden

It’s a big deal. You’re talking about shadow IT, actually bringing in all those various apps into the central location; it’s a lot of work for a lot of people there, and that also often means upgrading licences, doesn’t it, to get into some sort of enterprise or business scale.

David Stevenson

Very much so, yeah.

Josh Rubens

Which is not fun for everyone. And so moving on to the next thing, a lot of organisations we’re working with, to help them move to Essential Eight, that seems to be the de facto. So what are the common challenges around Essential Eight? What are you seeing out there among our customers at the moment?

David Stevenson

Yeah, so I think Essential Eight’s a fantastic framework. If you can’t meet all of the controls within the Essential Eight, and noting that a lot of them are tailored around the Microsoft stack so it’s not always achievable for all organisations, most definitely get those alternative controls in place. Typically what I am seeing is, oh, we can’t do that with our current licensing, therefore we’ll focus on other areas. So most definitely coming in and building out that risk index across your Essential Eight audit and understanding the controls that you have and haven’t passed.

At the end of the day they’re all essential, but realistically we do find that a few of them hold a little bit more weight when it comes to a risk index. I think what we look at is certain strategies such as application whitelisting and patch management: they have quite a large administrative overhead, they’re quite a complex project to complete, and with a remote workforce the dispersement of getting those solutions deployed can also become quite challenging. But realistically they’re two of the larger impacts for organisations when we are looking at what happens when there’s a zero-day for Google Chrome or Adobe. If we don’t have patch management in place we can’t patch out that software. Again, if we come back to shadow IT, if we’ve got users who prefer to use Firefox but we don’t have in our insurance patch management for Firefox, we’re going to start missing those tools and applications that are installed that then create a risk surface for our users and company.

I think when we look at application whitelisting it's kind of a headache, a lot of companies find that the interruption to end users is going to be too much of a concern to sort of have that in place, but realistically with application whitelisting, patch management and a good EDR solution your endpoints are fairly secure.

when we look at the macro settings a good EDR is going to protect you from a lot of the common macro concerns, so it's one of those ones where having that sort of alternative control in place could be worthwhile, but we also find a lot of people will rip out Microsoft Defender and go down the track of using a different EDR solution, so even with that one sort of having that co-managed environment where we've got Microsoft Defender on there just to do the attack surface reduction.

so it's sort of those challenges that we see quite a lot with, and then of course it's that sort of budget constraint and time constraint that a lot of the organisations that we're dealing with, and seeing three, four engineers on site focusing on large security projects that are mostly just going to upset and interrupt users, yeah there's a bit of resistance, so they focus on other security projects or other projects within the organisation.

Tom Leyden

yeah it's a hard one, uh but I think this is why it's really important to have a risk framework so that the decision around what you should work on is actually not down to your sysadmin, it's actually a business level risk decision. So the business should be able to turn around and say "actually we get the risk and we're prepared to wear that because we want to push these other projects ahead", or "actually we're not comfortable with that risk, let's resource that project properly". That's really important, that's really important when IT leaders make that choice to actually bring it out of their own departments and put it in front of their risk people, even their COOs, CEOs, say "guys this is the framework we're working on". Um without that you know you actually end up in a fair bit of trouble.

Josh Rubens

yeah on on yeah I mean definitely Dave, as you said it's always application whitelisting and third-party patch management, it's not, 95% of people don't have it, but anyway we know someone who can help them, David, but um of course yeah right now the other big thing that's coming um is the updates to the privacy laws in 2024. A) I don't think people know about it and B) I don't think they realise the impact it's going to have on them, and uh you know and so Dave over to you, tell us please.

David Stevenson

yeah no worries so very much not a sexy topic that's for sure, but I guess in September this year the Australian government released the response to the Privacy Act Review report. In the response they've agreed to 38 proposals, they've agreed in principle to 68 of the proposals and they've kind of made note of 10 proposals within that report. And I think you know sort of taking a step back, the big thing that's coming in this report is how we handle private information and what our rights as citizens in Australia are to that private information that's being kept about us, yep.

so we've got the Privacy Act of 1988, yep, 1988 there wasn't a very big digital footprint, no. So over the last seven years we've seen the GDPR come into full effect and you know America have their version as well, Australia have quite realistically lagged behind on what we're doing around digital identity and how we're handling PII. So the new reform that's come in, it's not quite GDPR but does borrow a lot from what the GDPR looks like, and I think you know when we look at it there's quite a large number of changes that are going to be coming into effect in 2024, and quite a large number of changes that aren't going to affect just sort of the top end of town, the enterprise style clients, but actually the small businesses as well. And you know again it is for the Australian citizens, it's good, it's good that the government's treating it seriously, but with that businesses will also need to treat it seriously because there are quite large financial impacts if they don't moving forward.

Josh Rubens

so so what are the key elements in this, what do people need to prepare for?

David Stevenson

yeah yeah so I think you know one of the big ones is the small business exemption will be removed, so all businesses within Australia will have to comply with the Privacy Act moving forward. Yeah there's stricter consent requirements, so improved quality of consent by requiring it to be voluntary, informed, current, specific and unambiguous collection of data. I think we've already seen that, it's you go to a website, "do you accept or reject these cookies that we're tracking you", I don't think anyone reads it, everyone just says yes or they say reject, you sort of fall on the left or right of those buttons every time, but it's truly detailing to the end user what you're collecting, why you're collecting it and where it's going to be utilised. We gain the right to erasure, so any information that is being collected about us we can request to the entity that I would like my information to be deleted or masked, and I think you know that's a big thing, a lot of companies collect this data but that's it, they're collecting the data, they don't know where it is, they don't know how to mask or erase that data, but now as a citizen we have the right to request that it is removed.

Tom Leyden

yeah so this is a big deal, um so erasing data turns out to be a massive pain in the neck, particularly if you talk about backups, so going through and erasing data on your backups. A good, like a lot of modern backup services have got this in place, they've had to for Europe right, but yeah if you're still on old systems or you've got some weird funky backup system you think you're saving, you think you're doing a great job by saving money, you are in for a bit of a shock around this one I think.

David Stevenson

Very much so.

Josh Rubens

So what's the, so um let's hone in on the audience David, so audiences, heads of IT, you know which in here, what's the main, you know, big ticket items, what are they going to have to implement, what are they going to need to do to comply in the near future?

David Stevenson

yeah so I think outside of the consent requirements, so you know that's very much kind of within that DevOps space to make those changes in that side of things.

Josh Rubens

that’s more the marketing you know the marketing

David Stevenson

exactly yeah that's not IT, but I think you know realistically if you don't already have governance tools in place you're going to need governance tools, right. It's being able to identify where your data is and where it's stored and then being able to do that sort of e-discovery style features to be able to identify, you know, if we're looking at Tom I might know that sure I've got Tom in my CRM, but do users have information about Tom kept outside of that CRM and where does that lie?

so being able to audit the entire ecosystem and be able to identify that PII information, right, being able to label and determine where it is and the safe storage of that PII is all going to become very pressing moving forward with this, right.

I think the sort of other big change as well is we're going to receive the right to sue, so not only can we ask that data is not kept, we can ask that data is erased, we can also ask that data is sent over to us and collected, but if data is lost or stolen or we believe that the information hasn't been removed successfully, as an individual or as a class action we will now have the right to sort of sue an organisation. So if we do look at something like the Optus hack in the past, if we do look at the, is it Bupa or Medibank?

Josh Rubens

Medibank

David Stevenson

we are looking that you know that loss has caused damages suffered due to that loss, therefore we'd have the right to do a class action, yeah, so yeah there's now that financial implication of if you're not handling the data correctly there is more of the financial.

Josh Rubens

I did say it says there's the implementing civil penalties for mid-tier and low-tier, low level privacy interferences, so it's not just the big ones, and there's increased latitude on the courts to make orders once a penalty has been imposed, so it now doesn't just have to be a huge one, it's if someone wants to come to you. So what okay so what we're talking here David is, you know in our world we're talking Purview right, it's like Microsoft Purview, so focusing on the Microsoft stack it's Microsoft Purview right, or Varonis if you want to do more of a broader, so you can label your data, you can tag it, you can find all where your PII data is, you can put controls on it, you can do records management, you can you know delete things after you're holding them, because I assume you can only hold data for a period of time, you can automate sorts of things.

David Stevenson

it draws to the point of if you don't need the data post regulation period you shouldn't keep the data anymore, there's no point to have data on hand indefinitely if you're not using it for a purpose, and if you are using it for a purpose realistically masking out that data to only retain what you need, yeah.

Tom Leyden

the good news is that, as you said, they're following Europe's lead here and they've been doing that for the last three or four years now right, so exactly there's some mature solutions in place, like Microsoft have got this ready to go for example and the other vendors are the same, because this is not a brand new thing for the world – it's brand new for us.

David Stevenson

No, sort of the best thing for Australia is we're not trying to invent the wheel, the software vendors are not trying to invent the wheel, as we go and as sort of court cases appear we're now following suit, so it means we're in a good position to adopt.

Josh Rubens

yeah yeah yeah so there's stuff in there, I did have a read through that, where you know if other countries comply with GDPR so the sharing of information, and if they don't so there's other ways, but yeah I mean as we know you get Purview in your business pre, you get some of it in your Business Premium, some in your E3, there's add-ons, so there's definitely good solutions that are no longer, you know it's no longer a six figure project, you can get it done, there's a bit of user change, you can automate a lot of it now, um but um but yeah but a lot of, but you know what percentage of your customers have implemented it? Very very few.

Tom Leyden

very very few, it's just not a priority though for most people.

Josh Rubens

well that's what I'm saying, it's going to become a priority, when will be now, yeah yeah will be now, so I think that that's very important so that's yeah that's really good, that's really good info, thanks, you made me read the updates today David, I haven't been across it so thank you, and Tom, and I don't think Tom was either, so I'm assuming many many of our listeners or watchers will be as well. All right we've gone through time pretty quick, so what do you, you know Dave to you, you know last few minutes here, what do you see as the sort of the short, medium-term future of cyber in Australia over the next few years?

David Stevenson

yeah so I think you know when we look at the current ecosystem we're seeing a large sort of uptake in sophisticated cyber threats in Australia, where normally we've always been a victim to circumstance we're starting to see more and more attacks and breaches occur due to being targeted. So I think you know when we're looking at it ransomware attacks are on the rise, data breaches are on the rise and other cyber crimes that pose significant risk to Australian businesses and government entities are on the rise as well, and you know we only need to look at the SOCI Act to see that Australian government is taking that seriously. So I think realistically stricter regulation measures, the Privacy Act reform is going to be a part of that, the SOCI Act reform is a part of that, we're going to see stricter cyber insurance and you know ultimately that's every year

Tom Leyden

more expensive cyber insurance, I think.

David Stevenson

more expensive cyber insurance, more intrusive audits and forms to fill out to get that cyber insurance. I think you know artificial intelligence is going to play a large part on both sides of the fence, you know the business email compromises that we're seeing are a lot smarter than what they've ever been, the language is a lot more natural, when we're seeing ransom letters come through they're a lot more natural.

fighting that it comes down to introducing machine learning and introducing generative AI to do sentiment reading within emails, to be able to identify and collate emails that are coming through a lot smarter. I think we've already had a couple of technology players in the market that have been doing that for a few years, I think we're really going to see a boom in that, and you know ideally when we're looking at sort of that business email compromise we should start to see that actually ramp down a little bit.

we now do have QR phishing, which is you know artificial intelligence can't read a QR, so most definitely we are starting to see vendors being able to scan those QR codes and explode those links through QR, so fantastic to see. But realistically it's going to come down to the Australian government introducing new regulations, providing more and more content, sort of as I mentioned a bit earlier that we now have the, what do they call it sorry, it's the ACSC Business Continuity in a Box, and you know that's targeted small to medium businesses to have that continuity plan, "here's ours, run with it", so we're getting more and more information from the government to better support small to medium businesses.

That's only going to increase.

Josh Rubens

yeah and AI, what's your word on Security Copilot, what's your word?

David Stevenson

yeah look it's going to be fantastic, I think coming from a security background I can talk tech, I can talk security, I know so many other colleagues that are exactly the same, but when it comes to doing that sort of board level conversation, when it comes to sort of making that business case or explaining a breach, it's that natural language that people can struggle with, and sort of to get the point across they're not really talking in the right language when they're advertising what's happened.

so I think you know when we're looking at Security Copilot to be able to take in all of the analytical data and build out a natural language response to target it to an audience, and being able to present that a bit cleaner and more rapidly, I think you know it's only a positive uptake there, yeah.

Josh Rubens

and also I suppose using AI to combat the AI from the other side, right, both sides.

David Stevenson

very much required

Josh Rubens

yeah yeah yeah yeah so if they're getting smarter we're getting smarter.

Tom, any other questions for Dave?

Tom Leyden

No there's heaps, I think we're going to talk about this into next year as well, obviously those security changes coming through, that gets the obligations to people, to our audience right, that people have to drive these changes within their own firms, there's a lot of uh I guess shared learning we're gonna have to start talking about, right.

David Stevenson

very much so

Josh Rubens

great thanks David for joining us, you're welcome to the Cloud Solutions Group family, it's been a pleasure, how long now, it's been a few months now?

David Stevenson

uh yeah two to three months now.

Josh Rubens

yeah so it's been, and you're flat out which is great, very much so, been really good, now thank you, welcome, and uh thanks again Tom as well.

Tom Leyden

thank you, I think we'll all be up in the wee hours of the morning listening to the Microsoft Ignite conference, Josh.

Josh Rubens

yeah geez so there's going to be another bunch of releases about AI, so uh probably our next one will be, we'll be giving a rundown on Ignite, so that's their big customer one, they usually save quite a few announcements for that, so yeah that'll be the next.

and then um a lot of uh our customers will have seen um that yeah we're changing our name, ah rebranding to Empyrean, so EMPYREAN, which means above the clouds, because the market's changed, we're all going above the clouds. So um so yeah so we will be becoming Empyrean from the 5th of December, but you know it's the same team, it's the same business, there's no ownership change or legal entity change, so it's still Dennis and Andrew and David and myself, so it's still the same people behind it. But uh yeah thank you everyone for listening, uh I hope you enjoyed the episode. If you got any comments, queries or if you want to talk, get deep into cyber security to prepare yourself for the Privacy Act or Essential 8, or want to have a session with David here, more than happy to uh to engage, you can reach out to me at jrubens@CloudSolutionsGroup.com.au or David at dstevenson, and 'son' at the end is 'son' not 'sen', so you know feel free to reach out directly, and please subscribe to our podcast on iTunes, Spotify or wherever you listen, and uh thanks once again, thank you, thank you, see you all later.
