Ivanka: Welcome to the “Art of Service Series” around cyber security risk management. My name is Ivanka Menken, and today’s conversation is with Mr. Peter Maynard. Is that how you pronounce it? Maynard?
Peter: Yeah, that’s correct. Very well done. It’s good to be here, Ivanka, thank you.
Ivanka: Thank you! You’re the founder of the cyber security firm “Cybermetrix”.
Ivanka: And your focus is on helping individuals and organizations of all sizes to improve their cyber resilience through better education, awareness and understanding.
So if you like Peter’s approach to cyber security as part of this discussion and would like to reach out to him, his website is “cybermetrix.com.au” and I will also post that in the notes. So, I hope you enjoy this conversation! Welcome, Peter!
Peter: Terrific. Thank you very much, good to be here.
Ivanka: Lovely, lovely. So tell me, what has been the most significant moment in your professional career in relation to cyber security? Because you’ve devoted your life to it, by the looks of it.
Peter: It’s been a good chunk of my life, especially in the last few years it seems to, to never go to bed. But look, you summed it up, really, in what our mission statement is there. And for me it was really an identification of the power of really… identifying cyber as business risks and the value that education awareness brings to improving your organization’s cyber resilience. And it’s probably been the missing component and will be the biggest challenge moving forward in the short term, is just about getting people’s understanding of what cyber risk looks like, and how it relates to them. So, that was probably one of the most significant points I made when the light bulbs switched on. And that it wasn’t just about technical controls and “this is a job for I.T.”. That definitely brought home the fact that this wasn’t going to go away in any great hurry and if we’re going to make any great inroads to it, we needed to get behind this a whole of business and not just push it to one department.
That was probably one of the most significant moments but, having moved forward from there, I would definitely say that my involvement with my mentors has been critical to my path to where I am today. They are absolutely an essential piece of the puzzle, and they’ve served me tremendously well.
Ivanka: Ok. So can you elaborate on that a little bit more because I love mentor stories. *chuckles*
Peter: Yeah definitely, definitely. There’s a lot of push to improve collaboration in cyber security and that’s one way that we will see a fairly good uplift across the sect of resilience, is if we can collaborate. Getting along to conferences, exposing yourself and identifying people that really know what they’re talking about. It can even be in really fine areas. It doesn’t always have to be someone who can answer every question for you. But I’ve been blessed to have really solid mentors that understand the technical area of cyber security very well, all the way through to risk experts that understand business risks and understand some of the challenges that cyber risk brings to the table. And then add on the fringes, the people on the front line that are dealing with social engineering and security awareness training; delivering to small companies or to some of the biggest companies in the world it really has been a critical component of understanding cyber risk in a broader context, being valued when you speak to boards and when you speak to small businesses about what they may need to do.
I would encourage people to seek mentors out at every level of business. Whether it be a small business looking to their accounts as a mentor in cyber security or size as big firms constantly looking for different people with different skill sets that can to the greater value.
Ivanka: So, would it be fair to say that cyber security risk management is not just a big people game, it’s not just a big company game?
Peter: Not at all, not at all. Really some of the biggest risks lie in smaller businesses. But the good thing there, too, is it’s not all doom and gloom. What may be approaches or methods of managing cyber risk in big firms could be very difficult to orchestrate and difficult to execute and results may be varied, they can be some of the easiest projects to implement and deliver some of the biggest results for some of the lowest costs. That understanding of cyber risk and how it affects me and my business is really critical, and I would encourage any small business owner too really to seek to have an understanding of how it affects them.
Ivanka: With which is interesting because I talk to a lot of small business owners and cyber security risk management is not on the agenda that much. It’s almost like “Oh that’s not… nobody’s interested in us because we’re only small business. We only have five, ten or twenty employees. We only turn over a couple of million, who would come for us? Surely they go for the big financial institutions or the big healthcare institutions”. So what is it in small businesses that makes us so vulnerable?
Peter: You’re absolutely right on a number of fronts there, Ivanka. So, firstly, small businesses have an awful lot to deal with on a day to day basis. Cyber security is just another. Very few businesses do it harder and do it with less resources than small businesses do. Their time is limited, their resources are limited. That misconception, that myth, that a small business has nothing to lose or has nothing to offer a cyber-criminal is probably the most important thing for them to get out of their mind as soon as possible.
Also, to back that up to say, once you’ve got that out of your mind and you understand that this is something that absolutely has to be on your radar, help is available and it doesn’t have to be the end of the world to get there. Let’s just look at two situations specifically with small business. If you have a look at some of the bigger publicized attacks, they’re coming in through small business. Small business is the attack vector of choice for cyber criminals for the exact reason you mentioned that started our question. They don’t perceive to have a problem that’s talking around bigger objectives. So, using small businesses to get to bigger fish is a very easy thing to do. Let’s ask a small business this: how well can they go on if they can’t access their accounting package for a month? If they can’t do billing for a month, would that have an impact on their business? If they couldn’t access their email for a day, or even worse if they lost all of their email archive, what impact would that have on their business? Or to a graphic design firm, if we can’t get to the files that they’re working on for a week and we’ve got five deadlines coming up, does that have impact on my business? And absolutely, the answer is absolutely yes.
Peter: So understanding the threat that cyber risk represents to small business is critical. I understand totally how difficult it is to quantify intangibles, and that’s what we do largely in cyber security. We’re dealing with things that we can’t see.
Peter: But disruption has a very noticeable footprint. And be it disruption from cyber-attack or be it disruption from hardware failure or whatever it may be, being prepared in that situation and knowing how to respond can very well be the difference between “you go out of business” or whether you go on.
Ivanka: Yeah, exactly.
Peter: So, it absolutely is critical. It has been difficult for small businesses to get access to actionable, understandable information, but those times are about to change.
Ivanka: Yeah. So, while I’m listening to you, and you know my background is in I.T. service management so I’ve been talking to customers and teaching in the classroom for twenty years now. *chuckles*
Ivanka: About availability management and business continuity management, identifying vital business functions and identifying your vulnerabilities and your threats and your responses and all that sort of stuff. Listening to you, that doesn’t really sound that much different than your approach. It’s just a different type of threat, a different style of vulnerability. Or am I completely missing the point here?
Peter: No, Ivanka, you’re spot on. And really, we do it with our health. One of the first things we do, when we perceive there’s a problem or there’s a risk, we go and do an evaluation. We get an assessment from a doctor, that doctor may refer us onto specialists that may be specialists in that particular area or on imaging to get deeper understanding of what the problem or risk may be. And then from there we make informed decisions and we move forward. This is no different than what you have been doing for the last twenty years in continuity management, and it…
Ivanka: Don’t say it so loud that it’s been twenty years, it ages me! *chuckles*
Peter: *chuckles* Oh, I’m sorry! No, it doesn’t. It makes you a valuable commodity in today’s market, that wisdom and knowledge. And it applies to cyber security, it’s no different. If you’re making investments, in something like cyber security, it’s not a productivity based outcome. So if we don’t do it 100% right, sure we may not see 100% efficiency from our investment. Cyber security is very different. If we’re not making the right investments in cyber security, we may have no defense.
Peter: Even though we’re making the investments there could be a wrong way or we’re defending the wrong assets. So understanding that risk, and understanding what it is we have to lose and what we need to protect ourselves from… Let’s not forget this, Ivanka. Small businesses are made up of people that have their house invested in what they do every day. They are some of the people that have the most to lose every day they go to work, yet they’re choosing not to look at one of the biggest problems that’s staring them down the barrel. And that’s a scary situation but, like I said, the times are changing and help might be too far away where it will be accessible through trusted advisors like accountants. Greater insight from I.T. providers that their offerings need to be more than just technology that we can supplement out our offerings with just trainings and audits and assessments and compliance and just doing the basics really well. That’s the secret sauce: doing the basics really well.
Ivanka: Yeah. Yeah because there’s a really easy case of “what you don’t know can’t hurt you”.
Peter: Absolutely! And it’s not going to go away by you ignoring it. It will only amplify you as a target to a criminal. There’s no other way to look at it than that. Criminals are always opportunistic and they’ll always attack the weakest point. They’re lazy, they just need to get a job done and all it is, is 95% of our corporate sector, the same sectors that’s saying “it’s nothing. We represent no threat to or we have no value to an attacker”, that’s the golden days to be a criminal.
Ivanka: Yeah, exactly. *chuckles* Happy days. So if we distil that the one biggest risk that these businesses face right now, and how business owners can prepare for that, what would that be? What is the one thing? You know, if you set a goal for this quarter or for the next quarter, the one initiative that’s going to make the biggest impact for the business in cyber security, what would that be?
Peter: Yeah, fantastic question. Look, there’s lots but, what I’m in the business of doing is “what can we do the quickest that will get the quickest result for the most amount of people?” My advice would be to go back to their accountant and say “Can you help us manage cyber risk?”
Peter: Go to their accountant… almost every business that will be listening to this will have some engagement with an accountant, whether it’s to lodge a tax return, a quarterly or a much deeper engagement. Go and ask their accountant “can you help us manage cyber risk?”
Ivanka: Yeah so that’s an interesting question because how educated are accountants?
Peter: They’re in the business of looking at risk. They’re in the business of auditing. They’re one step up. They’re a broader view across your business than what an I.T. function may be. They’re closer to being able to put methodologies and execute methodology or risk management at a small digestible manner for SMEs than probably any other professionalism environment. Let’s just try and keep I.T. and what I.T. do. I.T. have a very important job of enabling technologies for businesses to be successful and profitable. Let’s not bother I.T. with purely its security role, security is very different than information technology. So let’s first of all have an understanding. If security is over here, who am I going to put in charge of that risk center of security if I’m a one person or three person, five person or ten person business? Probably the best access to a trust advisor I have that understands this space would be the accountant.
Ivanka: Yeah, yeah absolutely. So how do you…because immediately in the back of my mind is sort of my mind is my accountant, which I have and I love and have been with the same accountant for almost twenty years now…
So how do I know that I made the right decision to stay with that accountant?
What kind of questions should I ask my accountant, or my solicitor from a legal point of view, what kind of questions should I ask to assess whether or not they were the right fit for me going forward? They were the right fit for me for the past twenty years with the business risks and all the accounting stuff that was happening, but moving forward into the future. Because you’re sort of painting a different picture of the accountant being more of a business advisory role to business owners and more of a trusted advisor for business owners and beyond just doing the tax forms.
Peter: Absolutely. That’s a great question and it will take a degree of evolution for accountants to become proficient in delivering cyber security expertise at this needed level. Look at the Big Four. The Big Four are your go-to organizations if you’re a large business or government, and you’re looking for advice around cyber security and how you manage that risk path right. So look, that’s a great question. You always need to do your due diligence around who your trusted advisors are going to be, as you would with a surgeon. If you’re not confident that your current accountant may have the skill set or the interest or the desire to help you manage cyber risk, look at some others and see who’s available and who’s interested in this particular space. Talk to other business colleagues about how they’re managing cyber risk and see if they’re having these sort of conversations at this advisor level. Lawyers are another great example. They’re essential when it comes to having the clear guidance around “am I doing these things proper from a legal and compliance perspective?”
That is part of cyber security, as you’re aware, the notifiable data breach scheme that’s now become mandatory, will impact on a lot of small businesses in this country. So, compliance there is a part. These people all sit at a table and cyber security isn’t just one person in charge.
It’s going to be the owner of the business first. If the owner of the business doesn’t value this as a risk, and something that they need to mitigate, everyone under him or her will operate at a less level of efficiency because he doesn’t have the same buy in as the boss does. So the boss needs to be there and the boss needs to surround themselves with the people that can help execute this. For a small business, it could literally be the owner of the company, their trusted advisor and their I.T. provider. Between the three of these people, maybe this manager if they’re slightly bigger and have a human resources component to manage. The very essence makes up a digital trusting. That digital trusting may be very different than a large organization on an enterprise level, and they may not even be able to even execute at that digital trusting methodology level. But a small business absolutely can. That’s one of the strategic advantages the small business has in managing cyber security. It all comes from understanding and knowledge and that has to be the first part. If the business owner doesn’t know this needs to be the pathway for them, they can’t start on the journey.
Ivanka: Yeah. So, which part of the business, would you say, is most vulnerable? Would it be financial data? Would it be employee data? Would it be contracts? Would it be just taking over a computer so you can get to somewhere else? What would that be?
Peter: Probably the thing that’s got the most attention with small business would be disruption attacks, like “ransom-ware”. It’s a very obvious attack, it’s very tangible. They can clearly see something has gone wrong. They can clearly experience pain. You know, “We haven’t been able to access our server now for a day or two days, we’re being held to ransom for X amount of dollars and it’s affecting X amount of computers” has an immediate business disruption effect. That will get the attention. That’s when this business cyber security seriously. Then there’s a whole range of attacks underneath that, that they probably never will even know has happened, until they hear from a third party that they’ve been breached or are receiving emails under your domain name or whatever the situation may be. So it’s just really important that this visibility is there and that the understanding is there; that they do have things of value be it their time or be it their money.
Ivanka: So, again, listening to you when you talk about cyber security, you’re not talking about I.T. service security are you? Or I.T. security in itself, it goes way beyond that. Because when you talk about ransomware, you can have all the I.T. security processes in place, it’s only a person opening an email or a phishing attack or something like that to make you vulnerable to that.
Peter: You’re absolutely right, you’re absolutely right. And that’s where it kind of breaks away, the cyber security component as opposed to the information security problem. This is where it comes back, Ivanka, and this was the lightbulb moment for me, this business risk issue. No matter how much money I delegate my CFO to pay my CIO’s, my I.T. provider, to put the defenses up; no matter how much I invest in that particular area of mitigation, that’s not where I’m being attacked. I’m being attacked through my people and I’m being attacked through age old techniques of leveraging people’s desire to be helpful or trustworthy or assistive. The curiosity, that’s a very, very difficult thing to defend against. And for me my value proposition as a cyber security professional changed when I understood that clearly. The best thing that I can help an organization with is to help them reduce the time that they are impacted by cyber-attack. To be able to stand in front of a customer and say “I can protect you from cyber threats”, I don’t believe that…if there’s an organization on earth that can do that, you can count them on one hand. Therefore where is my best valued proposition that I can be to your business? It’s being able to help you implement the culture that supports people that make mistakes, and knowingly very targeted anyone can do it the boss is probably just as susceptible to it as the front line worker is. Put a culture in place that says “If something goes wrong, cyber security is such a threat and a risk to us, these are things we need to be aware of, this is how they’re attacking us.” If this happens to you, best thing you can do for the organization is let us know straight away and not fear your job or fear incrimination for having made a mistake that we can all do. That allows an immediate response that technology can’t do.
Ivanka: Yeah. It’s really empowering your people to make the right decisions and empowering them to ask for help or ask for input.
Ivanka: It’s really an education and training issue, then, rather than a technology issue.
Peter: For a small business, investment and education in training will deliver, if not the same amount, better value than investment in antivirus and a firewall. There’s things that we have to have in place today. If you don’t have a router and antivirus on your computer, then you’re doing nothing right. You haven’t even started considering cyber security. So let’s just say that all you listeners out there have got a router that their internet is coming through and they have antivirus installed, be it free or paid subscription. From there, what are some of the best things I can do moving forward? One of the best things you can do is make sure the people that work for you understand cyber security and the threats and how they relate to them; as a human being, as a member of a family, how it relates to them at home, and that those same threats exist in the work place. But instead of us losing our photos at home of our family vacation for the last twenty years, at work we could lose all of our records. Really, your role in helping making sure that if something does come in or something’s gone wrong, is that you let us know. That is the very best position you can put this company in when it relates to cyber security.
Peter: And that’s really achievable for a small business. For a business with a hundred people or less to be able to get that culture up and running and to get that awareness training out there, is really doable. For large organizations it’s much harder. But for some that early kill chain investment of knowledge and awareness, pays massive dividends.
Ivanka: Yeah. Yeah I can totally see that. So for a larger organization you mention it’s much harder, but it still comes down to culture, it still comes down to awareness and training.
Ivanka: Let’s say up to one hundred employees is fairly easy to do. But if you have a business with one hundred and fifty employees or one thousand employees, what’s the different approach there?
Peter: Well, we just expect that you have greater access to resources; be it financial, access to human resources. Your capabilities are greater, you should be able to do more. So, implementing schemes across your organization like mandating two-factor authentication for example, across all email and across all remote access devices. If we’re connecting to servers remotely, they all must have two-factor authentication on them. For an organization to hide, to put intellectual property or business property being a username and password today, it just blows my mind. These measures are near no cost to implement two-factor. But they do take—they’ve taken awareness campaign within larger organizations, there’s a little bit more friction to roll out, but the dividends they pay are enormous. Increasing your ability to detect whether you have been intruded and not just disrupted. They’re things that organizations can do. And we’ve worked with some, and work alongside some vendors at the moment that are doing some really incredible things to simplify the cyber security landscape from a hardware management perspective, to give much greater visibility across an organization’s threat vectors, and to make it much easier for them to join systems to be able to get much better intelligence so that machines can start to do a lot of the interpretation work and there not be a reliance on humans to do it. So the market is moving forward. When I first really became involved in cyber, there was a gaping wound around people and the identification around people as a main threat vector. That, now, is really improving. Everyone’s really understanding that people are a big risk to us. The vendor market needs to catch up still and the security training needs to catch up, the curriculum needs to catch up. This will all take time, but it’s actually happening. And now we’re looking at some of the other issues, some of the bigger issues that are facing the larger businesses and the governments. 
And it’s their supply chain. Who makes up their supply chain? The small businesses do. It’s a whole ecosystem where big business, large business, can absolutely be helping small business to make cyber a business enabling activity, it doesn’t have to be negative. And more often than not, the treatment for small business, is education and awareness.
Peter: It’s not dipping into my pocket and going and paying $100,000 for a new piece of kit. It’s more about understanding “what am I at risk of? What do I have to protect?” and “what do I need to do?”
Ivanka: Yeah. Yeah. And no business is an island, is it? We’re all working together…
Peter: We absolutely are.
Ivanka: …and we’re all in the same supply chain.
Peter: If we email each other, we have a digital interaction together.
Ivanka: So where does cloud computing fit in, from your experience? Like, is that a good development? Or is that a dangerous development or indifferent? Where do you sit?
Peter: Look, I think cloud computing is an essential part of the mix being able to move forward and to move security, and the securing of infrastructure to enterprises that have the capacity, the capability and the resources to provide that service.
For organizations to think that they can do this internally moving forward, they’re literally swimming upstream.
Organizations need to start to consider moving up the stack in terms of what they can stream in information technology. And streaming services that are already pre-hardened. There’s a number of the main service providers now that, if you used their cloud based services, and you activate security controls that come with that particular service, from a technical perspective, you’re almost done. You’re almost finished. The rest is up to the business around the people, understanding how we’re going to be attacked, understanding what we do if we are attacked, how do we recover, and being on top of that; people having a game plan to go to. I absolutely think cloud services integral to moving forward in commerce and moving security away from something an organization has to look after themselves.
Ivanka: Yeah because that could be a really good approach for small businesses. If you don’t have the budget to put technical measures in place to protect you from cyber security or cyber-attacks, then move your data to a cloud provider that does have that kind of capabilities.
Peter: Absolutely, Ivanka. And it’s not even just the case of if you don’t have the money to do it internally. Chances are you won’t be able to access the people that know how to secure it properly to even buy. They’re being consumed by government and large business in its entirety. I remember going to a recruitment session with a really prominent and strange federal government department a couple of years back. And they were recruiting for cyber security experts and they were looking for 357, or around that number.
Peter: To fill their current requirements. They themselves admitted “There’s probably only a thousand of you in Australia.” So immediately there’s one organization consuming one third (1/3) of the capacity of people able to do that job in this country. The skill shortage is enormous! I know the heads of governments have been working really hard to start to improve the curriculums that are being developed, university courses that are being offered to students because it’s something that is vitally needed. Where I still see a large gap is there’s very little focus around the development of courses around the soft skills, around the social engineering, around security awareness training. They’re still mainly technical degrees that we’re seeing coming out.
Peter: The honey hole is that general awareness training that everyone can be subjected to and I think should be part of school curriculum, myself.
Ivanka: Yeah. Starting at high school, actually.
Peter: I’d start in primary school, personally. When we start to teach our kids about their own identity, I think it’s also a really important time to start introducing the concept of digital identity. Because before they know it they’re involved in social communities that have wider impacts. So to understand in this world now that you can share yourself like you’ve never been able to before in the history of mankind, is a really important concept and one I think our kids need to know.
Ivanka: Yeah, yeah. Just to protect themselves.
Peter: Absolutely! And the rest of their family!
Ivanka: So moving forward, I mean, I really like that point of starting the education at primary level because that really future-proofs them from a personal point of view. Have that awareness of, you know, “don’t post certain photos online”, “don’t post on Facebook that you’re asking for house sitters because you’re going on holiday from the first of April to the 30th of April.”
Ivanka: *chuckles* Just for the next generation to understand that it’s not ok and that whatever photos you put online will always be online and you cannot get rid of them. So don’t ruin your entire future, your career, your image, your everything.
Peter: For what would have ordinarily been another silly mistake done in the privacy and security of your own family. That would’ve been addressed by someone that trusted you and loved you, that only had the right intentions for you. But now with the click of a button, a kid can disseminate a photo, that’s illegal, that the rest of the world can see within the space of a very short period of time, without even having any understanding of the severity of what they’ve just done.
Peter: And then be persecuted for that forever. That mechanism, that control, that ability to control the environment that our kids live in until they truly understand what they need to know, that’s shifting away from us. And when social media platforms are available to children from the age of thirteen, Ivanka I ask you, would we give our kids alcohol at thirteen? Would we let them go out and drink at thirteen? Would we encourage them to smoke? No, we don’t. Because we’ve seen the tangible effects of what happens if they do that. This is no different.
Peter: And being able to share to a level that probably isn’t healthy before you have a mature mind could be a dangerous thing.
Ivanka; Yeah. I must admit, I have a seventeen year old son and his school is really good with these sort of topics. They spend a lot of time and effort in building the awareness in, starts from grade seven, I think. Really building the awareness of cyber, protecting yourself and being safe with cyber safety, for lack of a better word. They put a lot of effort and a lot of speakers come in and they have programs and curriculums as part of their schooling. But, yeah, it can always be done better because I also see the photos that some of his peers put up online and I go like “yeah, not a good idea.”
Peter: Yeah, absolutely. And look, I have nothing but good words to say for the schools. They’re just like small business. They’re time poor, they’re resource poor and they’re just constantly being asked to perform things and do things that are outside of their core responsibility. But they do out of the sheer need and necessity for kids to understand these concepts. They do it and they do it really well. We had a great experience with a primary school here in Brisbane a week or two ago. Fantastic involvement from the parents, fantastic involvement from the principal just looking to want to understand “how can we do this better?” And it all comes back to knowledge and understanding. And it all comes back to that basic security awareness training that we all need to start consuming. Theres no point in us teaching it in a work place and expect someone to listen to it. The reality is it has to be made relevant in my own personal life before I can even bring those lessons into a work place.
Ivanka: Yeah, yeah. So moving on from that, well it basically triggered me, talking about the future. You know, these kids are the future. The teenagers of today are the business owners of ten years from now. They’ve grown up in a digital environment, they’ve grown up with all this knowledge. What’s it going to be like? What’s the future going to be like for business owners, be it small, medium or large business owners, in relation to cyber security? What trends do you see at the moment?
Peter: There’s so much on how it rises, it’s not funny. The artificial intelligence, machine learning, big data, they’re all things that we’re hearing about a lot now. Robotics, where one of our offices are we’ve got a robotics lab next to us. And to see the progress that they’re making, it’s astounding. I remember hearing, I’m thinking about 2013, our futurists saying that by 2019 we’ll be carrying around a digital environment with us and it’ll be part of who we are. Sure enough, what does our phone represent to us now? We do everything digitally through our phone now. And that’s coming ahead of time.
So, what does 2025 look like? What does 2030 look like? It’s scary but super exciting to see what’s going to unroll. Look, I’m no futurist and I won’t put predictions out because I’m absolutely consumed with dealing with the now, but all I can say is we can expect, I’m sure we can expect more and more small business. More people with a single business with a laptop running really successful businesses. Leveraging different skill sets from all around the world, working at truly global capacity. Maybe less of that centralized coming into a work place.
All of this decentralization is just more challenges for the digital environment and for the cyber security environment. But that’s the nature of the world we live in. We live in a progressive world. Don’t get me wrong, I am one of the biggest fans of technology. It has enabled me to do more things in my life than I would have ever considered possible. It’s an essential part of where we’re going forward. It’s just around that need to understand “when we use these tools, what are we actually doing?” and around valuing our data.
The share price of Facebook tells a really sad story. Have a look at the share price of Facebook from when everything blew up a short period of time ago, and how quickly it’s responded back. How much do people really care about the substantial nature of what’s happened? It’s really difficult if you can’t see it, and if you haven’t had your identity stolen, and if you haven’t had your life disrupted or your photos stolen or work shut down. But at some point you have to say “look, we now take smoking as giving you cancer. You need to accept that cyber is something you just need to learn a little bit more about.”
Peter: And implement some principle. But I was really encouraged by what I saw at the school. And this younger generation that are coming through the school that do have a greater appreciation of a digital environment. I think things will only get better.
Ivanka: The other side of the coin is that the criminals themselves are getting smarter and smarter. And it’s getting harder to stay in front of—well I don’t think we are in front of them, but. I think it’s a myth that we can catch up to them. But it’s a matter of how do we manage the risk that we’re faced with?
Peter: Let me add one little component to that. What other criminal has such low chances of being caught and going to jail as a cyber-criminal does?
Peter: That in itself is an alarm built to say to business “this is not going anywhere. I need to make sure that I’m harder to get into and harder to disrupt than the person next to me.” Because I said in the start, criminals are opportunistic. They’re looking for the quickest, easiest wins. They’re not out to prove a point to every security operation control system that “we’re smarter than you with our attack and here we got through to you.” That’s not their gain. They’re financially motivated or they’re ideologically motivated. To try and even stay up or have that you will stay up with the cyber attackers and the hackers is not one worth even considering. But what you do want to consider is doing everything that is in your capability, and in the interest of your business, to protect yourself from that.
Peter: Just like you would not go home at night and not only leave the front door unlocked to your business, but leave it wedged open so it’s clear to the world that you can walk straight in.
Ivanka: Yeah *chuckles*
Peter: Just as you wouldn’t do that, for physical crime and physical information security, someone coming in and stealing all your work papers physically, it’s even easier for them to do that through a cyber channel. So you need to get on top of it and fast.
Ivanka: Excellent. Well we need to wrap it up because I don’t want to take too much of your time.
Peter: Am I talking too much? *chuckles*
Ivanka: No, no I love it! I love listening to your experiences and your stories. I learn so much from these talks I have with people.
Ivanka: It’s amazing.
Ivanka: So one final word of advice to I.T. professionals, as well as business owners, in relation to cyber?
Peter: If I can give on to I.T. professionals, what a fantastic job they’ve done and they continue to do. A very, very difficult task that I.T. professionals are tasked with today toward so many security. And let’s be honest, they’ve done such a fantastic job, criminals being who they are, it’s harder to go through technical boundaries and fortifications than it is to go through people that have had no investment whatsoever. So to all the I.T. community, which I’ve been a part of, fantastic job and keep doing an excellent job. To business owners, do your best to engage with a trusted advisor that can help you on this pathway. It doesn’t have to be hard, and your wins can be quick.
Ivanka: Yeah. Well, thank you so much for those wise words and again your website is Cybermetrix.com.au. Is that the easiest way they can get in touch with you?
Peter: Yeah. That’d be the best way. Absolutely. If I can be of any assistance, I’m happy to help out. Thank you for the opportunity, Ivanka, it was great to speak with you today.
Ivanka: Not a problem. Lovely to talk to you too, and enjoy the rest of your day!