Cyber Security Risk Management with Brian Hay.

In this 45 minute conversation you will learn from the front line what it is like to fight Cyber Crime and how the people in your organisation really matter.

We are very excited to share this conversation with Brian to help raise the awareness and need of education around preparedness for Cyber Security incidents.

You can learn more about Brian Hay and his Cyber Security Services by going to his website www.culturalcybersecurity.com/brian-hay

Brian Hay spent decades in the Queensland Police Service fighting Cyber Crime as the Detective Superintendent. He now runs his own business called Cultural Cybersecurity, where he consults companies on the importance of people management in relation to Cyber Security.

 

Welcome Brian and thank you for having a chat with me about cyber security. I had a look at your website Cultural Cyber Security and I must say I’m intrigued.

First of all, you have a rare blend of cyber security skills and business attributes. You are long considered a thought leader in the world of cyber security and you have learned your craft not from the technical demands of cyber industry, but rather by focusing on the activities of organised crime and cyber criminals. So, you have a very colourful background police, Head of Security Team for – was it Dimension Data, and now you run your own business focusing on what I seem to understand the cultural or the people side of cyber security. So, please enlighten me.

What is your version of your bio?

BRIAN: My goodness and oh boy they’re just words to put together that someone introduce you to when you present at a conference or something, but I think what I’m trying to say is you know I’ve been always Chair of the ANZPAA’s – Australia New Zealand Police Advisory eCrime Working Group from inception for 5 years, I was on the National Cybercrime Working Group of the Federal Attorney-General’s Department for some years when it kicked off. I’ve seen the policy level and lot of the strategy development around cybercrime from a governmental perspective. Then of course as a Detective and the Operational Commander at the Fraud and Cybercrime Group I had the insights to financial crime and the consequential impact of cyber, and then the ever stronger emerging presence of cybercrime.

So a lot of that focuses on two echelons.  One is the victim, the victim entity, the victim person. The second of course is the offender themselves, and then you have what everyone typically thinks in the first instance about cyber security and that’s the technology. So, it’s given me a blend of course when I went to work with Dimension Data, and then to Unisys they gave me further insights into the whole mainstream digital economy from a cyber security technology perspective. And from all those things we were very much missing there on a couple of key components because whilst I was originally driven by services, and then response to communities, and then you go into the technology sphere and it’s driven by making money and profit which is completely normal and that we had all the standard criticism. But I think what has been forgot along the way are couple of things. One is that people should come first and that’s a great vulnerability we have, and the other thing that I think gets forgotten along the way is that strategy should be led by the business it should not be dictated by the technology. We forgot that technology is a tool it’s not a strategy, and I think a lot of companies feel a great sense of assurance if the technologies they’ve got in place or they’ve purchased sit in the top right quadroon Gartner rather than being actually you know what does it reduce risk, does it grow people, does it meet our company needs and there’s a little bit of a false assurance process in there.

One of the obvious things that we’ve never addressed, it doesn’t get addressed enough is ‘why’. Why do we need cyber security? How do you assess your risk? Who are the threats? Everyone talks about the threats being the technology the malware, the viruses, the worms, the Trojans, and the APTs they’re merely the tools.

And there are tools orchestrated, put together and exploited by people and the biggest threatening group is organised crime. The purpose of organised crime is to make money. That’s the ‘why’. And the other thing is the ‘what’, what that we’ll need to protect? Indeed most organisations don’t know really what their risk is. It’s all been driven by the banter of technology giants as opposed to a full and honest appraisal of their environment understanding first of all the ‘why’, then the ‘what, then the ‘where’, then the ‘when’, and the ‘how’. And then after all that’s said and done where do you start? And you know the problem is that too many strategies start with the technology they want to use because that gives them more assurance because of being rated high rather than doing a very honest account of their environment and looking where the vulnerabilities are and what do they want to protect.

And you know what everyone wants to protect their data, but what about the people at the end of the day that’s most important asset you’ve got. I think it’s got lost in the whole translation and that’s a whole bit longwinded speech about some of the fundamentals that you touched on before. But let’s get back to basics and the most important entity we need to protect is the people. You get the people onboard your data is going to be lot safer.

IVANKA: So, you talk about the ‘why’, the why side of the crime, and the why behind the reason for cybercrime. What is your ‘why’?  Why did you get so passionate about fighting cybercrime and cyber security?

BRIAN: Well, that goes back to my law enforcement days and it wasn’t a choice. I was sitting up as an investigator – Detective Inspector Heading up the Public Sector Corruption Team at the then it was called Crime and Misconduct Commission and I’d had enough – at that I’ve done five tours of duty fighting corruption in the history of Queensland and I needed a change and I got a phone call one day. I was so desperate to get out that I even applied for the Rural Stock Squad which meant you know you look at cattle doffing and all sort of stuff, and I had an Assistant Commissioner ring me up and he said, “Brian you didn’t get the Rural Stock Squad, but what on earth were you thinking?” I said, “I just got to get out.” He said, “We’d like you to come and take over the Fraud Squad,” which later became known as Fraud and Cybercrime Group.

I had never thought of it before, and once I got in there I realised that we need a paradigm shift in how law enforcement approaches these challenges of cybercrime and international financial crime. When I first joined the Queensland Police you can stand on the borders of the Queensland turn your back on the rest of the world and say, “This is my patch I’ve got to protect it.”

But with the advent of the internet there are no geographical borders.

You had law enforcement, legislation, politicians they still think and respond in terms of geographical boundaries. I don’t think the thinking is elevated you to the standard that needs to do to understand how we approach these things. And so, I took on a paradigm shift of focusing how do we actually – I remember presenting at an International FBI Conference. You know my Commissioner was sitting in the front line of the audience and I didn’t clear the statement with him first, but I said law enforcement needs to adopt of a willingness to contribute without expectation of return, and what I mean that is you got to pay it forward.

You got to work internationally collaboratively and we’ve got to give other countries intelligence to allow them to do their job. So, traditional response is if someone offends against a member of your community you do the investigation and you put in together a brief, and then you and go and – if that person is outside of your jurisdiction you look to extradite them back so you can prosecute them. Now one of the things we saw with cybercrime and the internet was that it went from a high-value, low-volume crime type to high-volume, low-value. So, no one is going to pursue an extradition process for $5,000, $2,000, $200. That would only get done once it gets into the millions where they actually notice it’s a very expensive exercise. But if you are able to share information with the agencies around the world well it gives them an insight what they need to do and they can pull all that information together to form a picture then take action.

For example, if we had 50 victims in Queensland, 20 victims in New South Wales all for $200 each, and then across the other States and territories that’s still going to assemble itself to several thousand dollars but not of significance. But what if they multiplying that by the factor of 500 all the other populations around the world, .and all that money was going back to say London. Now, do we have five to eight agencies in this country pursuing individual investigations or do we actually harnass synergy of intelligence and giving it to the agency in London that can centralize. Imagine every country did that then all of a sudden the people in the UK have a far greater picture of what’s going on. Now, the question gets asked will they pursue a prosecution, then an extradition, and flying witnesses from all over the world, and of course that’s not a cost effective exercise either. But you know what country like that is going to have wealth creation provisions it’s going to have proceeds of crime legislation, it’s going to have tax evasion offences, and it’s going to have money laundering offences. And let me give you an insight, you get done for a hack in this country you might be looking at 3 or 5 years as a top line that’s off the book which no one ever gets anyway, but money laundering carries 20 years.

And what’s the purpose of organised crime? To make money. What do they value most? Making money. So, if you can actually centralize it and have another country, because you work with and provide information, take more effective action using the tools at their disposal, and then enable them to be more effective against the criminal environment then you’re going to make a difference. 

IVANKA: No, but that has a really big assumption as well that countries work together towards a similar goal, whereas there are different jurisdiction, and like you say you started off with Queensland is separate from New South Wales is separate from Victoria so that’s a really big maturity journey to go from each do their own to we have to work together to make a difference, and to be able to fight this type of cybercrimes.

My question is how does that translate to the commercial sector, because my assumption is that with countries even though there maybe some reluctance, there’s still that overarching governance idea. But when you talk about commercial entities they could be competitors or they could be in the same industry, so how does that – because you’ve made a jump from the police force into the commercial sector, how does that approach to fighting cybercrime translate into the commercial sector?

BRIAN: Look, there are a number of issues, right? Commercial sector is there to make money, but also has a social responsibility, a corporate responsibility. I think that you’ve seen a lot more collaborations in cyber space in the commercial environment in the last decade. I think we had the Global Site Alliances and the Threat Intelligence and the most and in the main the private sector has been far more mature in the mind. I think that’s where a lot of collaboration. They’re doing more things at law enforcement the other nations can learn from.

IVANKA: Is that because there’s a direct financial impact, whereas with countries there’s more of a political clout around it all?

BRIAN: Absolutely, make no mistake. Bottom line it’s about getting your brand out there being positive and doing stuff, but it’s about doing things smarter, and being more effective, and then being more competitive. And they actually hold more of the data. Law enforcement is not at the front line it’s a response.

I always said if we have to arrest someone it means that crimes have already been committed. The purity of cyber security is that it’s crime prevention you know if I could say it actually wants to stop it. And there’s the other anomaly is that we don’t know – no one knows how much cybercrime occurs because most of it isn’t reported. So, the front line is the industry, and I always saw that the couple of things when I left the Queensland Police I straightaway was stripped off the border restrictions. There’s more innovation no doubt in the private sector than there is in the world of government, and so there are more opportunities and the thinking is more expensive, and sure this can be a selfish motivation to that thinking process but they are open to new ideas and thinking, so protection is a good thing. I remember there was a senior detective who was quite – which I find incredulous, we’re going to arrest our way to prevention, what a lot of nonsense but that was someone said that sort of I thought you got to be kidding me, and that is absolutely ridiculous. Prevention is the essence of successful policing, because you’re enabling the community to protect themselves, reduce the opportunities for criminal offenders, and therefore having less negative consequences on our communities.

IVANKA: Is that the reason why you focus so much on people first like it’s the whole – it is the education and awareness of people to be able to prevent cyber and being a victim of cybercrime or what’s the link there?

BRIAN: Well, there are several links. One is I’ve always been prevention focused in Police.  I think it’s tantamount to success. The other thing is I think – let me put – let’s be realistic, I wanted to start my own company with a purpose to be successful and that means making money, and I think there’s a vast opportunity because that’s where the gap is around the people.

It’s something that I’m passionate about and my business partner is passionate about, and how do we actually add value to companies and going there and make the organisations safer, because there are no scruples for the cyber criminals and if they – I’ve seen examples where they have targeted children of family members to get to an entity. So, there’s a lot of apathy that people think cyber security is only at work – we in this country have had the internet 25 years. We’ve only got our first piece of legislation in February this year that said you got to report your Mandatory Data Breach Compliance legislation. We’re 25 years behind the crooks, you know they’ve been exploiting virtually from day-1 and we’ve got a lot of catch up to do.

Unless I say there’s apathy that you got to be secure with home mates doesn’t matter. But where do you think the crooks are going to go to?. They are going to go to the house with the open window and if we’re not teaching our kids, our grandparents, our brothers, sisters, uncles, aunties how to protect themselves well who is going to? And so, one of the things we want to work for the company is not just to focus on the security or the behavior of the people at work, but we take that to their behaviors in the home because like I said, I have examples where crooks have targeted the home environment to get to the work environment and that will continue.

IVANKA: Yeah. And you’re not talking dark web or that’s it, so you’re talking day-to-day internet that people use on a daily basis to do their work, to do their school work as part of everyday living?

BRIAN: Absolutely. So, if I go into someone’s Facebook profile and they are a person that you know what the hell the manager of a certain – say Manager of Finance in the job title in the LinkedIn, so then I take from their LinkedIn profile and what they look like, there’s a photograph there, i know who they work for, whether they were educated, they passed from, resume and work history. So, I can now look at their Facebook page or start to look at who is who in the zoo, how many family members, how many kids.

I go there, there are photographs there embedded into those photographs, I’m moderately confident those people do not turn off the location setting on their phone when they take those photographs, so in the metadata is the GPS coordinates of exactly where they live. If I look further in photographs in the background I see there’s a ProHart painting on the wall, solid timber furniture, big screen TV.

And so on so on, and of course they’ve signed the fact that next week the whole family is going on a wonderful vacation on a cruise or in the South Pacific Islands, beautiful.

I know where you live, I know what furniture, you’ve financially profiled yourself, therefore I want to do a tangible crime that is real world as in you can touch it, well there is a potential of breaking in, and again I could tell you horrible stories that I don’t want to go into, but you can have far more damaging, physical damaging side effects as well. But now for example, if I know let me go a little bit left field of that, I know that you’re into quarter horse racing and it’s your passion. So, I’m sitting back as a cyber crook and I maybe it’s one of your children that were into quarter horses, and all of a sudden I introduce myself, I develop a fake profile, I’m saying I’m the Vice President of Wyoming Quarter Horse Association, I put a letter out there, put some photos, I reach out on Facebook, I see you’ve got a love of quarter horses do one the thing, socially engineering you, you say yes, we connect up, then I’ll to say have a look at my latest stallion just got in, really good, dah, dah, dah, great bloodlines. You click on the photo which are embedded as zero-day exploit and now own your machine, very simply. Now I own – say-  the child’s machine. Now a parent is going to be less vigilant about what they accept and download from their child are they not as opposed to if it was from a stranger, so now if I can own the child’s machine I send them a zero-day exploit to their parent who is my primary target to get into a certain organisation and you see how you can follow this and we’re not prepared for that.

And what it is all about? It’s about people. Giving ourselves – we teach our kids from the time they can walk we teach them how to cross the road safely, we teach them how to play in the same pit with other kids, we teach them how to share toys, we teach them to show the elders respect, we teach them how to use a knife and fork at the table but we throw them an i-Pad as a babysitting device and we’ve never been taught ourselves the fundamentals of how to be safe online and we got Buckley’s end up teaching that to our kids and we think our education system is going to solve life problems for us. Well, guess what the teachers haven’t been taught either, so we’re in this vacuum of 25 years. I often use the analogy of a motor vehicle, modern motorcar arguably started in 1886, worst consequence road death. It took in this country nearly 100 years to get the road tolls steadily declining and there are a lot of parallels and lessons to be learned in that process. But the big catch up where we can – if you look at the vulnerabilities ran statistically around organisations I think there are some that suggests 91% of most breaches occur through phishing emails. If you look at I think the first 63 reports on Mandatory Data Breach in the first 6 weeks of the legislation coming into effect I think was only 7% was attributed to technical failure the rest was people behaviour.

Let’s get back to the basics. Let’s focus on the most important asset we possess. It’s not the data, it’s not our systems or the tools it’s our people. So, when we talk of building…

IVANKA: it’s another way to get to the data. Isn’t the data the ultimate goal?

Of course yeah, but through our people. We think we got to put the systems in place that’s our first line of defence. It’s not our first line of defence it’s people. Giving them the tools to actually make it safer for themselves and they are becoming targets. You know I often say in front of audiences if you’re a director or manager or director and you’re an executive in your job description you’re bigger target. We’re all being profiled constantly.

IVANKA: Yeah. But how do you not get paranoid, I mean you’ve been in this industry for 35 years so you’ve seen the dark side of society probably way more than you ever wanted to see. So, how do you not get really paranoid about everything?

BRIAN: Somebody told me once when I was joining the police they said you become very old and cynical, and you know I’ve never had greater faith in humanity. I think our communities are fantastic and I think that 99% of people always try to do the right thing. We have a wonderful culture in Australia. We do actually look after people and each other pretty well, and when you hear these horrible stories of that not happening but in the main in does and I think it’s about – I used to say take a little pill called cynicism, and if you understand that you will be approached and if you know how to protect yourself or have a better idea you’re less likely to get caught. So it’s not about being cynical just being aware that okay look all the wonderful opportunities technology offers us today. You know the digitization, the social media and all that it’s brilliant. It’s not that we’re not using it, but no one ever said, “Okay. Let’s become aware of it.” You wouldn’t put your 15-year old son or daughter behind the wheel of the car for the first time and say, “Here you go, have a go driving.”

IVANKA: Yeah, have fun. Make good choices.

BRIAN: Exactly. So, it’s not about being cynical I’m actually all for the technology and they present it it’s about big way and that’s a big difference.

IVANKA: So, on the back of that what do you feel is the biggest myth about cyber security?

BRIAN: That you can have zero exploits and your risk tolerance is zero, you have zero risk tolerance for cyber security. As I say to people I’m sounding like, “Did you drive here today.” “Yes.” ‘You’re going to drive home, can you guarantee me you’re not going to have car accident?” And they say, “No, don’t be ridiculous.” So I’ll say, “Exactly. So, why you expect zero tolerance for cyber incidents? It’s not possible.” And so that is complete mythology. There’s no such thing as absolute protection.

So, you’re never going to be absolute it’s about how you manage. Cyber security is a risk management exercise. It’s about understanding the risks, being aware, and then managing the processes.

BRIAN: Yes. I think the biggest myth is that you can be protected. So, the other thing that people don’t correlate very well to is incident response component. I think that we only need that if something bad happens. Well, you know what the reality is there will be those accidents and there’s no research that shows that – just only the other day if you can actually find out within 30 days of a breach that’s occurred you can actually reduce your costs by up to a million dollars, and investment in preparedness is akin to most successful business.

IVANKA: Yeah. So, it’s really identifying your vulnerabilities, identifying the types of threats you might be open to, and have a preparedness program, a strategy to work on it if and when things happen?

BRIAN: Yeah, to a point. And it goes back to the very first thing you said that it was identifying the vulnerabilities, because vulnerability of people yes it’s the last thing that had been addressed. Why is that?

There are a couple of reasons for it. From a cultural perspective we’ve grown up on the dart of the technology companies telling us you got to have us we’re going to save you, and we’re trying to solve – we believe we can solve human behaviours through technical applications. Well, guess what to-date it hasn’t worked, and so most of the organisations actually don’t understand the vulnerabilities. They rely upon those technical conversations. From a technical IT perspective that yeah we’ve identified that technical breach we can solve with this technology. I think what about people factor? What about the human behaviours have you fixed those yet?

And you’ve got to have a human based approach to it. You’ve got to look at the culture and the culture is going to be I think a very big stepping – that’s going to fill lot of your gaps. And when I talk about what are your vulnerabilities? Well, that’s a really interesting thing. It’s like asking what data do you want to protect. I spoke to this gentleman one day and I said, “What data do you want to protect?” I asked him that question. He said, “Well, I want to protect my merger and acquisition information, the board papers, I want to protect resource stock listings, I want to do this, do this, do this.” I said, “Is that it?” ‘Yeah, that’s it.” I said, “You’re sure about that?” “Yeah, that’s it.” I said, “Okay. How many people do you employ?” He said, “Five thousand.” I said, “Okay.” I said, “And you’ve got HR files on them?” “Yes, yeah of course.” “With all their personal details, and all the next of kin personal details?” ‘Yeah, yeah.” And I said, “Well, and you pay them by electronic bank transfer?” ‘Yes.” “So, you got their bank account details.” ‘Yeah.” “And you’ve got all their tax file numbers?” ‘Yes.” I said, “And you’ve got their superannuation details?” “Yes, yes.” And I said, “No doubt there will be some automatic payment deductions from the payroll system goes into other providers that they have bank account or you know telephone, health insurance anything like that?” “Yeah.” “By those he could see where it’s going.” And I said, “Well.” I said, “If you gave me that profile,” I said, “It’s not a problem to make $30,000 to $50,000 that’ll breach your identity if you gave me all that information.” You know I said, “It’s not what data you think is important, but what data your adversary thinks is important because that makes you the target.”

 

It’s not what data you think is important, but what data your adversary thinks is important because that makes you the target.”

BRIAN: Okay and we keep thinking from the technology perspective. What motivates a criminal to do certain things? What actually would make a criminal look at you or your organisation as being the target, now starts the art of war: know your enemy. So, the more you put out about yourself the bigger you promote yourself online in your business title this sort of stuff and post it that way we just had a great win, won a lot or you just imagine we never thought is that we actually giving the crooks the reason to target us, and in fact understanding how they act? Why they will act? We can then better prepare ourselves.

IVANKA: Yeah. So, as a business you just mentioned we focus on technology, we focus oncorporate documentation, we focus on the business side and forget the fact that there are people involved as well. So what would be the biggest risk that we as business owners face at the moment and I am talking not just the large organisations, but also medium-to-small, small organisations from a cybercrime point of view?

Because it’s easy to think, oh you know a big organisation you know like Dimension Data because that’s where you came from. They have so much information, they have so many employees, there is so much data that can be extracted that is valuable in one way shape or form, I’m not even talking BHP Billiton because that’s even bigger, but what about a small-to-medium business owner with 10 to 20 staff that is really sort of flying under the radar most of the time and running their business. What is the biggest risk they face?

BRIAN: They face the biggest risk of all. 

They are not losing the terabytes of data, but they haven’t spent the millions of dollars to secure their systems and processes, and they haven’t invested in the cultural programs to actually protect the behaviour of their people. They’re the soft underbelly and worst is that SMEs being attacked every single day and it’s going to continue to occur in large quantities. What you’ve all got to understand too is when you look at the organised crime and cyber criminal environment fundamentally speaking you’re looking at pyramid and at the top of that pyramid are the smaller numbers of entities that can do highly skilled covert cybercrime operations. They are not massive and what they do this in their business model is they now perform services for other criminals and if you imagined say there were five…

IVANKA: Multi-level marketing for crooks.

Exactly what it is. Absolutely, and of course at your entry point at the lower level anyone can go in and just buy every aspect of cybercrime as a service or as a product or as a commodity. You don’t need to have any deep technical skills these days to get into cybercrime and make a lot of money, but what it means is you have the vast number of your cybercriminal players today are not targeting the massive enterprises.

They’re coming after SMEs because they’re softer, faster, smaller targets and they can hit more in one go. So, a ransomware attack you know is going from maybe on a higher entity it’s going to be a million dollars, but they’ve invested a lot of time in that to get there and it needs really high skills they’ve put it in, but most of your crooks are going to be operating at lower level say they’re going for the faster turnarounds and smaller target and something they convert to cash quickly. So, the SMEs are absolutely the soft underbelly and they often pay for it. And they are not prepared for it.

IVANKA: No. So, how can we help them be prepared for that? What can a business owner do to be prepared for that? Understand their risk.

BRIAN: Okay. You raise that question understand your risk.

Well, let’s go back to the fundamentals that cyber security is business responsibility it’s not an IT issue.

And then, we look at where is the business going, what is the purpose of the business, what’s your direction, your growth strategy, what do you want to be and what do you want to achieve, how are you going to deliver your business outcomes. Then conduct your risk assessment. Now from that purpose of how you’re going to operate, where you’re going to go, then you can look at okay how do we reduce risk, and then you make a determination around how much digitisation is involved, where do you keep your data, how do you keep your data? And then, we look at culture.

I always look for culture first, but business so I’m going to talk about business yeah comes first, and then to grow your people not only you know three elements to it be your cyber safety, high performance, and digital transform. So, change has a normative value in today’s digital technology world. So, then and only after you’ve looked at the business outcome, direction, risk, and people. Then say: right, what technologies do we need? So, everything to-date has been here is the technology. It’s the latest and greatest. It’ll solve all your problems, buy it, and patch it, and put it in and take it on. So, we’re turning upside down, so how does business going to make it successful. Let’s do a risk assessment with your people, and then give consideration to what technologies you need.

Now, the reality is we’re going to see more migration as we have seen over time to many security services on the basis of it’s such a sophisticated and complex environment and you just want a one that’s going to help you grow your business because why you know where you want to go and you’ve got to consult with your cyber security provider to make sure the solution you’re getting is not about the technology today but there’s a bit of a strategic sense about where the technology is going and therefore the attacks because the crooks – the first entities are reverse engineering new technologies.

There was a very interesting study with University of New South Wales and the graph that I saw, and when the technology comes out the first adopters are the criminals because they want to reverse engineer it, look for vulnerabilities, find ways to exploit it because they want to make money out of it. So, an SME is you don’t have to spend lots of money, understand your business, get a good sense of appreciation of your risks, protect your people that then protect you and straightaway you can reduce that risk landscape by 90% by having a skilled workforce who are cyber security aware and that’s not being technically aware that’s being just on the line.

All of a sudden your risk has gone way down because you’ve got people onboard with you, and they’re going to be –they’re your eyes and ears and giving you alerts.

And I was talking to someone this morning and I say you know there are 17 people in the office and they said we talk a lot, we share information, and so if one person sees an email that he’s suspicious about they don’t try to make the decision always by themselves they’ll chat about it and come in have a look at this that’s a community that’s supporting each other. Sadly there are too many SMEs out there or SMBs that think, “Oh, we’re too small to be bothered with. No crook is going to come at us.” That is the biggest mistake you could possibly make or a line of businesses that thinks, “Oh, we wouldn’t be of interest to cyber. We’re only a…” I saw something just recently on a plastic surgery business that got hacked and then extorted. Of course, that business will be out-of-date inside 6 months because of certain events that took place and what it chose to do or not to do and its reputation will absolutely get under toilet. 

I would come back where is your business going, what is your appetite for risk, grow your people and once you’ve got those three elements done say righto.. how do we get onboard with the right security partner, and I say partner not provider, not seller, not vendor, security partner. Now, I talk to people and I say, “Look I’m not interested in you selling your stuff one off. I am interested in being partner with you on a journey to help you grow and be successful tomorrow. I’m not transacting here today,” and that’s one of the biggest criticisms I see with the vendor community is its true transactional thinking, because I just hate things all about the sale, it’s not about the purpose, not about the why.

IVANKA: No, and ultimately it is a partnership issue. You go hand-in-hand to a shared common enemy?

BRIAN: Absolutely, and that’s it. You just nailed it. We’re all in this together, everybody’s responsibility. It’s just as much the CFO, the CRO, the CMO, the CEO, there’s a CIA to the CISO.

As it to the person and the dispatch doc that’s signed for the receipt of the – whatever comes in the loading bay. Absolutely everybody’s responsibility.

IVANKA: Yeah. So, how do you see this in the future? What trend do you see developing, I mean, we have the GDPR regulation going into effect next week Friday, I mean that’s a big thing. To me it’s a big thing. I’m not sure if it’s a big thing for everybody, but how do you see that moving forward like you said 25 years of internet in Australia, cybercrime is definitely picking up. It’s not just for big organisations. Small-to-medium enterprises and businesses need to be aware of that. What’s next, what’s the trend, what’s – how can we future proof our business?

BRIAN: Okay. So first of all, I think now that we have opened the door to our politicians to solve the cybercrime problems that door will never close. It’s one thing I know from working in government for all those years is that solution to all the problem is making new legislation, but we need regulations. I think as we have more high profile hacks get reported or data losses we will get something that will tickle the media’s fancy. They’ll make a big song and dance about it. Some politician who wants to get on another soapboxes is going to get a – they will make a statement, oh we will do this and we will hold them accountable, we’ll see the emergence of new legislation.

IVANKA: But like you said before that’s looking in the rearview mirror that’s not preventative.

BRIAN: But that’s history telling us what’s going to happen. You asked me where do I think things are going obviously going through it from the regulated environment and forced compliance on people. If you ask me from a cybercrime threat perspective how do I see it going that’s probably a little bit different. We will continue to see the migration of more tangible – why on earth would I go rob a 7/11 for $27.50 a pack of cigarettes and two cans of Red Bull risk going to jail for 7 years when I go online in 30 minutes make 5 grand as a cyber criminal extorting someone else.

So, we will see more migration of traditional street crime into the cyber environment, so it’s not going away any time soon. As you’ve touched on, we’re going to see more and more attention given to the SMEs and we’re going to see it into the individuals in the family. We’re going to see I think more personal extortions, I think we’ve had a situation where a lot of people have shared a lot of personal data out there online I think that’s going to come back and people will pay not to have that made public because it’s emotional. I think sadly when we see some cyber terrorism is something now it’s going to be on the horizon. It’s been put out there if you’re Iranian you say you’ve already been victim of cyber terrorism anyway with the Stuxnet attack on the nuclear facility. I think we’ll see sadly more significant events take place before…

I think we’re going to see stuff that gets everyone’s attention, seriously gets everyone’s attention. I remember doing a lecture on counter-terrorism course maybe about 10 years ago, and I said, “Well, you know in First World War whoever controlled and land and the sea won. The Second World War whoever controlled the air won? So does that mean next time we go to war whoever controls the internet wins?” And I don’t think we’re going to be far from that.

When you look at everything we see more and more IT overlay on the operating technologies, because it saves money and lot of efficiency is being gained but it carries risk.

What we’re seeing today is the inside what we’re going to see in the future. It’s going to – well sadly we have a lot of apathy until something tragic happens and it’s just going to be one of those things, and I am not professing to have a crystal ball or anything like that. But I can see – maybe I’ve just got a warped mind, but I can still see so many ways for a criminal to make money and when I see the apathy and issues like – I saw a report today that Australians have lost $350 million in the last 12 months to fraud and scams. Well, where are most of those scams happening today? They’re happening online. Why is it that our community still send hundreds and million dollars to crooks overseas and scams, to Nigeria, to Ghana and we think even then when you get education – this is the challenge with people, I think we’re pretty unique animals. I remember I did a lot of work on Nigerian scams and we had more arrests affected in Nigeria than I think any other country in the world but working with them and paying it forward, and sharing intelligence at that point in time, and I started looking into why is it that senior citizens in our communities who are now behind those keyboards so vulnerable to these sort of things. We think it’s because they’re more trusting and actually fact is there’s been a university in Iowa that did a lot of research into that, the part of the frontal cortex responsible for cynicism and doubt and as we get older that part of the brain starts to deteriorate. What they found doing these control studies which those that showed more marked deterioration that part of the frontal cortex was twice as likely to fall victim for a scam.

So, maybe the problem is not always the behaviour it’s actually physiological, and so our defences would have to change and that goes in a whole different path. It’s not simplistic and lot of technology companies would like you to think that you buy a technology you’re going to save the world, but we live in a thousand shades of grey and there are multitudes of colour but we got to come back to ourselves.

So, where are the criminals going to go? It’s going to get worse; they’re going to target more and more individuals.

They’re going to be more exploitive of our members and show you how nasty they can go. I know someone who received a photograph of a child and was saying, “Pay me $5,000 or I’ll ruin their online reputation for the rest of their life.” Okay, so what would you do? And it’s going to get more personal and it’s going to get ugly. And the amount of data that’s being stored out there by each and every one of us is quite alarming. It’s just time for a refresh.

The sky is not falling. World is a beautiful place and full of wonderful people, but it’s about knowing their enemy. Today their enemy has been pretty silent in many respects, and unknown and faceless. It doesn’t really matter what country they come from or what their first name is at this point in time. If we can actually take steps to keep them outside the locked door then that’s fantastic, but we just got to be told what their skill sets are as a starting point and when we do have that accident how do we respond more quickly?

IVANKA: And share that information so that our people know what’s going on.

BRIAN: Exactly, you know with too much the time the information is power, we’ll know information shared is benefit, and at the moment people don’t like to talk. We’ve been forced into silos, because we’re worried about the brand and reputation harmed comes as a consequence, and now we got legislations if you don’t report you’re going to get fined and you do report you’re going to be reviewed . So, look I think we’re privileged to be working in this part of an organisation, since I work in this part of an industry we can actually make a positive difference to people’s lives, and it’s actually even though you don’t join the police let me tell you for the money you do it because you’ve got a sense of service and working in the security industry you still have that wonderful sense of service that you can actually still contribute to make a positive difference in people’s lives and families and as long as you never lose sight of that I think we’ll be in a great place.

IVANKA: Fantastic. Well, thank you so much for sharing your views and I loved the way you focused on the people side of things and the culture in not just in organisations but in families and societies as a whole, because you know the time is behind us and we can put our head in the sand and just pretend it’s not happening because it’s all around us, it’s everywhere. And I love the fact that you’re focusing on the people side and not so much on the technology side. So, thank you so much for your time and sharing your knowledge.

BRIAN: Thank you very much and I know rabbit on a bit, so I do apologise for that, but I do get passionate about it.

If we can make a difference then it’s been a good day.

To find out more about Brian and his business, go to www.culturalcybersecurity.com/brian-hay  

or their Facebook page: www.facebook.com/CCStransformation/

His Twitter handle is @DetSuptBrianHay ? (although this hasn’t been active since 2015)

 

Categories: Articles