The Voice of Cyber®

KBKAST
Episode 307 Deep Dive: Simon Hodgkinson | Current Affairs Of State-Sponsored Cyber Attacks And Their Evolving Tactics
First Aired: May 09, 2025

In this episode, we sit down with Simon Hodgkinson, Strategic Advisor at Semperis, as he shares his insights on the persistent and evolving tactics of state sponsored cyber actors targeting Australian organizations. Simon explores motivations behind these attacks, emphasizing that their primary drivers are often espionage and the prepositioning of access in critical infrastructure rather than financial gain. He discusses the persistent targeting of Australia due to its geopolitical alliances, the growing desensitization to data breaches, and the rising threats to sectors like healthcare. Simon also highlights the dual-edged role of AI in both defending against and enabling sophisticated cyberattacks, the importance of speed in responding to incidents, and the necessity of robust foundational controls to manage growing risks.

Simon Hodgkinson, Strategic Advisor at Semperis

Simon Hodgkinson is the former Chief Information Security Officer (CISO) at bp. He was responsible for cybersecurity including strategy, governance, architecture, education, counter threat operations, and incident response. He joined bp in 2002 and has held several senior IT leadership roles.

Prior to becoming CISO, he was the VP for Infrastructure & Integration Services at bp. During this time, he drove a significant improvement in IT operational integrity, led a transformation program and spearheaded the commitment to improve employees’ IT experience. He led the CISO function in bp Supply & Trading, where he delivered a program to improve cyber-controls, many of which have been implemented across the bp group. Before joining bp, Simon worked in IT for a dotcom, an investment bank, and commercial software companies.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Simon Hodgkinson [00:00:00]:
So if you think now about AI, the amount of people that talk about they just want to deploy AI, and they let a, you know, an AI engine loose over their their data internally to try and find things like ability to standardize, optimize processes, reduce cost, etcetera, all good intents, but, actually, they often don’t understand the data.

KB [00:00:37]:
Joining me back on the show is Simon Hodgkinson, strategic advisor at Semperis. And today, we’re discussing current affairs of state sponsored cyberattacks and their evolving tactics. So, Simon, welcome back.

Simon Hodgkinson [00:00:55]:
Thanks, KB. It’s a it’s a pleasure to to talk to you again.

Karissa Breen [00:00:58]:
Okay. So, Simon, let’s give a bit of a snapshot from you on how you are seeing state sponsored cyber actors continually target Australian organizations. So maybe walk us through it and how that looks in your eyes.

Simon Hodgkinson [00:01:10]:
Thanks, KB. I think first, I’ll say that I’ve just pulled down the Australian Signals Directorate report, their annual cyber threat report from 2023 to 2024. And they very specifically call out state sponsored cyber actors persistently is the term they use target Australian government’s critical infrastructure and businesses using evolving trade craft. The ASD saw a 12% increase over the previous year in terms of cyber attacks reported. So this is very real. It’s very real to Australia. State sponsored attacks are typically advanced persistent threats. So nation state actors typically don’t have constraints.

Simon Hodgkinson [00:01:58]:
So they don’t have time constraints. They don’t have financial constraints. So they typically operate where they infiltrate networks. They would try to remain undetected for extended periods of time, sort of gathering intelligence, and at some point, potentially, exfiltrating data and disrupting systems. Typically, they’re in it for a few reasons. It could be espionage. So cyber espionage is a common tactic, so stealing sensitive information. It could be around critical infrastructure attacks.

Simon Hodgkinson [00:02:31]:
So we’ve seen, obviously, nation state sponsored attacks in Ukraine around things like the power grid. Disinformation campaigns are fairly common within state sponsored attacks. And, again, we’ve seen lots of disinformation campaigns including allegedly activity around US elections in 2036. And then, obviously, there is cyber warfare, but that’s at the sort of extreme end. So Australian organizations are subject to all of those types of attacks as are most Western organizations, actually. And like I said, it’s critical people recognize that if a nation state comes after an organization, whether it’s public or private, they only need to be successful once to get in, where the defenders need to be successful kind of a % of the time. And because they don’t have any constraints in terms of time and resources, they can constantly be trying to breach your defenses. So it’s absolutely critical organizations focus not only on trying to prevent or withstand those attacks, but they also focus on their ability to recover from them as well.

KB [00:03:41]:
Okay. So there’s a couple of things in there which is interesting. So going back to the top of the interview, I sort of said, you know, state sponsored cyber actors are continually targeting Australian organizations. So quick question. Our GDP here in Australia is significantly lower to other places like The United States, even United Kingdom, for example. So what sort of would you say the reasoning behind that?

Simon Hodgkinson [00:04:01]:
Well, a lot of the cyberattacks are not to do with from nation states are not financially motivated. It’s more about espionage, stealing secrets, sensitive information. It’s also potentially actually attacking critical national infrastructure, not necessarily deploying an attacks to disrupt, but actually prepositioning, putting putting essentially essentially either malicious software or leaving backdoors in environments which they could exploit in future should should they require it. So if you think about people like China, if the geopolitical tension increases with Taiwan and ends up resulting in in some kind of some kind of warfare, you know, the Chinese would be prepositioning activity to potentially disrupt critical national infrastructure should those things occur. So, typically, it’s not financially motivated with nation states. There are some nation states, and I’ve personally seen when sanctions increase on certain certain jurisdictions. So Iran and North Korea spring to mind. When sanctions increase on those those countries, I’ve seen cyber activity increase as a mechanism to actually get revenue for the organization, the lost revenue that they have as a result of trade sanctions.

Simon Hodgkinson [00:05:22]:
But, typically, that’s not the motivation of nation states.

Karissa Breen [00:05:25]:
But maybe just to build on that a little bit more. So if you look at, like, The US in terms of critical infrastructure, there’s a lot more options than, like, Australia, for example. So what would sort of be more of the motivation to sort of target, like, in Australia versus like, even our population’s pretty small. We’ve got quite a large country, etcetera. But is there any sort of thing there even if it’s, you know, maybe in tandem to the GDP, but more so just, hey. Like, if people are gonna focus their efforts, wouldn’t they try to focus it on on bigger targets like The US even though they are doing that? But what’s sort of your reasoning as to why, like, Australia sort of comes up as, like, a continual focus?

Simon Hodgkinson [00:06:01]:
Well, I think Australia is part of kind of the Five Eyes organizations. They’re very interlinked with most Western countries from a defense perspective. So if you think about AUKUS, etcetera, that those are and and we were at the AUKUS event, which is the last time we had an interview. But, you know, so there is a very tight connection between Australia and the rest of the world. So should an event occur, Australia likely would be involved alongside The US and European countries. So therefore, they would just be and New Zealand, and and therefore, they would be another interested party to those nation states. And and, equally, there’s a lot of sensitive information that will be shared between the Australian government and other governments across the world as well. So from an SBNR’s perspective, if they were able to breach Australia’s defenses, is they may get information about that’s being shared with with other countries as well.

Simon Hodgkinson [00:06:56]:
So I think Australia’s as interesting to nation states as as any other organization. Again, not related to a financial motivation.

Karissa Breen [00:07:05]:
Yeah. That’s interesting. So would you say this is I wanna get into this a little bit more because would you say from your experience, perhaps people in Australia, like, lose sight of that. So people will say, oh, yeah. But, Simon, like, our GDP’s smaller, so therefore we don’t have to worry about it as much. Or, oh, but our population’s smaller. Like, do you think sometimes people may lose the the mindset that, hey. We are part of the Five Eyes.

Karissa Breen [00:07:26]:
And to your point, perhaps part of their plan would be, yes. Okay. US is big target, but what we can do is, like, weaken their allies like Australia and New Zealand and friends. Right? So do you think people maybe forget about that a little bit?

Simon Hodgkinson [00:07:39]:
I think they probably do. And it’s a little bit surprising actually to me in Australia because there’s been so many, not nation necessarily nation states attacks, but there’s been so many cyberattacks in Australia over the the past few years where probably every individual in in the country has had their sensitive information leaked through through one of those breaches, presumably alerted to the fact. And and therefore, I would have thought cyber would be fairly high up on their on their radar. That said, you know, lots of people don’t necessarily then think through through the sort of state implications of cyberattacks. Obviously, we do. As being part of the whole industry, it’s very natural to us, but I guess most people are just focused on their own personal cyber hygiene.

Karissa Breen [00:08:28]:
The only thing that’s come in my interviews as well from people like yourself sort of saying, like, just us being geographically, like, so far away. It’s kind of, like, you know, out of sight, out of mind a little bit. So do you think that that could play into it a little bit in terms of like, oh, Australia is so far away. Despite being part of an allied Five Eyes, you know, conglomerate, we just seem to forget about Australia a lot. I I often just hear that a lot in my interviews.

Simon Hodgkinson [00:08:51]:
It’s interesting because that that may be the, perspective of people in Australia. Actually, I think that’s not the perspective of certainly myself and and people in the in The UK. I mean, Australia seems like a very tightly integrated nation alongside many of the other Western allies. So so, yeah, it it that’s an interesting perspective. I’d not thought of of how Australia view Australian citizens view themselves so much as, you know, actually how intertwined Australia is in terms of sort of the geopolitical landscape. So, yeah, interesting.

Karissa Breen [00:09:27]:
And I think another point I would sort of add to that as well is because we’re surrounded by water. Right? So I think that’s another thing that people think that we’ve got this moat around us, that people think that we may or may not be invincible. Right? So I think that is something that I’ve often heard on the show as well in terms of just the general sort of perception in terms of Australia that we’re, quote, unquote, safer.

Simon Hodgkinson [00:09:48]:
Well, so is The UK. We’re we’re surrounded by water, and and and, clearly, we we aren’t we’re in the same position. Actually, potentially a worse position in terms of the the level of cyber activity against UK critical infrastructure. But, yeah, I I guess that could be a a perspective. But, you know, I would imagine most people now recognize that the world’s kind of flat from a from a digital perspective. I mean, most in most people will be using some form of social media. They’ll be using their banking apps. If they happen to travel across the world, of course, all of that is accessible.

Simon Hodgkinson [00:10:25]:
So you would start to think that people would recognize that, actually, they’re part of this global interconnected digital ecosystem now that, you know, something that’s happening in in in The US or or Europe is likely to impact, Australia as any other as any other country. It was interesting. I think I actually think there is a little bit of desensitization globally going around cyberattacks, certainly around data breaches. I think everybody now recognizes that data in some form has been breached through some form of attack. And, you know, if you think back to 2017 when NotPetya occurred and WannaCry occurred, cyber was right in the public domain. It was you know, the NHS was impacted. So for people in UK, you know, that’s something they they know and love. So so people really got engaged with the whole cyber messaging.

Simon Hodgkinson [00:11:20]:
NotPetya was another in in organizations that really woke up the executives and leadership teams and boards to the fact that cyber could they could be collateral damage for that. You know, if you look at the likes of Maersk and Merck, etcetera, they were just collateral damage from from a nation state attack. So maybe that one of the things is we haven’t necessarily had one of those massive cyber events in the last couple of years that have continually bring that to people’s attention. I I don’t want one, by the way, but maybe that is part of the thing that is just, you know, data breaches as an everyday event, and and people see it, and they just move on.

Karissa Breen [00:12:00]:
Yeah. That’s an interesting observation because I have asked people on the show, in the industry, etcetera, like, hey. Do you think people are becoming desensitized to breaches? I’ll give you an example. So when I’m doing, like, certain interviews, I’ll go out and do some recon, even look at, like, what people are commenting online, etcetera. And a lot of, like, everyday Australians have said, like, oh, well, who cares? I was caught up in the Optus breach, the Medibank breach. Like, who cares now? But how does that that doesn’t really help, like, the security industry sort of cause, right, if people are becoming desensitized. So do you have any sort of thoughts on that, on how do we sort of overcome that?

Simon Hodgkinson [00:12:34]:
Well, I do have some thoughts, and they’re not necessarily based on facts. But, you know, one of the things that I’ve seen of massive increase in is attacks on health care. And I wonder whether there’s any not, again, not necessarily nation state attacks, but this is, you know, from a criminal motivation perspective. I wonder if there’s a couple of reasons for that. One might be that, actually, that’s one area where people would get particularly perturbed by losing things like sensitive medical data, whereas, actually, people now recognize that, you know, your email address, telephone number, potentially home address, all of that, potentially passport information, all of that is is out there in in somewhere in the ether through the variety of different, like, data breaches and, you know, hundreds, if not thousands, of different data breaches that have happened over the last couple of years. And people are less concerned about that, but, actually, you know, there’s been a direct increase in a huge increase in attacks on on health care organizations. And I wonder if that may that part of the reason for that is, actually, they’re more likely to try and prevent that data from being leaked to the dark web and therefore potentially more likely to pay the ransom. So, you know, I think overcoming the problem is gonna be difficult because because, you know, most people’s personal information is out there already, and and I think, yeah, a lot of people are in that place.

Simon Hodgkinson [00:13:59]:
Oh, it’s another data breach. There’s nothing particularly concerning about this one. But if it was medical records, I think that would be different.

Karissa Breen [00:14:07]:
So I mentioned before that, you know, there are evolving tactics from the state sponsored cyber actors, for example. Is there anything you can sort of elaborate on on, like, what this looks like?

Simon Hodgkinson [00:14:17]:
Sure. Well, first thing to say, KB, is actually nation states will launch very sophisticated attacks. As I said, they tend to be advanced persistent threats, so they tend to be low and slow. They’ll get into an organization and just sit there. You know, they’re not as I said, they’re not necessarily constrained by having to do something in a particular time frame. But what I would say is a lot of the initial compromise is through kinda tried and tested mechanisms credential theft. So phishing’s still part of it. Spear phishing is still part of it.

Simon Hodgkinson [00:14:52]:
Exploiting Internet-facing vulnerabilities, still, that’s how people get their foothold into into organizations. And if you think about Australia but also most countries, the critical national infrastructure is made up of public and private organizations. It’s not one organization we’re trying to defend here. All of them have different security postures, and despite enormous amounts of regulation, often those organizations are still way behind on their security posture with huge amounts of technical debt. And even fundamental things like multifactor authentication are still not consistently deployed across critical national infrastructure. So, therefore, you know, getting into the organization doesn’t necessarily need any form of sophistication. But so I thought I’d raise that first because those foundational controls and getting those foundational, as some people call them basic, nothing in security is basic, but I would call them foundational controls in place are absolutely critical.

Simon Hodgkinson [00:15:55]:
But when a nation state is actually in your organization, typically, they use a technique called living off the land. So this is where they use widely used tools, legitimate tools that people running their organizations all the time, and they use those tools to effectively deploy whatever capability they want. So if you think about it, in a Windows environment, there’s things like PowerShell, the Windows Management Instrumentation that’s known as WMI, remote desktop protocols. They’re all standard things that people running organizations, and the nation states will leverage those because, actually, they’re much more difficult to detect malicious activity versus normal activity. They don’t typically put malware out there because when you put something like malware in environment, you know, people would detect those kind of things. So they’re trying to lay low and and just use normal activity that won’t get spotted by your traditional security technology. So that that’s that’s one way. Obviously, they still do things like exploit vulnerabilities, so exploit zero-day vulnerabilities in software.

Simon Hodgkinson [00:17:10]:
If you go back to one of the most high profile attacks, that was Stuxnet back in the day. That was the attack on the Iranian nuclear facility. But, also, there was a more recent one where Cisco firewalls were attacked, and that was a a nation state campaign to leverage those firewalls and to leverage leverage vulnerabilities in those firewalls from an espionage perspective. So, you know, that’s another typical attack. Supply chain, you know, software is there’s always a supply chain in software. You know, there’s typically, say, open source libraries. There’s commercial off the shelf products that’s used. Nation states will potentially attack that supply chain.

Simon Hodgkinson [00:17:52]:
If you think back to NotPetya, that was an attack on a Ukrainian tax system that then spread globally. You think about SolarWinds. That was another nation state attack that was attributed to Russia. I talked about at the start, you know, we got disinformation campaigns as well. That’s a fairly standard approach for nation states. So, you know, manipulating things like social media, deepfakes, propaganda websites. You can see that with with Russia at the moment and disseminating misleading information in order to further their cause with the, Ukrainian crisis. So there’s a variety of techniques they use.

Simon Hodgkinson [00:18:32]:
I’ll come back to, though, that initial compromise typically is following a tried and tested path to get into the organization. And from there, they go low and slow and therefore are very difficult to detect.

Karissa Breen [00:18:44]:
So in terms of the the rise of AI, I’ve spoken to a lot of people on the show around, you know, cybercriminals leveraging AI, which then increases, like, the velocity, the agility to get into these organizations. So in terms of going back to the evolving tactics, how do you sort of see this piece now fitting into everything that you just discussed? And what does that sort of look like now as we sort of traverse forward into somewhat uncharted uncharted territories for people, but anything you can sort of share?

Simon Hodgkinson [00:19:10]:
Well, I think I think first, AI is both a positive and a negative from a cybersecurity perspective. I mean, on the positive side, obviously, it improves our ability to detect threats, our ability to automate response. As you as you’re well aware in a cyber context, speed is everything. So if you can if you can see something quickly and automate your response quickly, then you’re you’re likely to to limit the the blast radius if you have an attack internally. And, of course, you know, every organization, be it public or private, always has constraints from a financial perspective, and therefore, AI can help us with that sort of efficiency in terms of our security operations and therefore cost. But on the other side of that is the negative side. So I think you’re just gonna see more and more sophistication in things like phishing attacks, deepfakes, and, also, you’ll see software now evolving malicious software now effectively being deployed, but actually learning about the environment which is deployed and evolving to avoid detection. And the final thing would be organizations are obviously deploying AI themselves to either commercial upside or operational efficiency or to get, you know, much more insight into their own organizations again, be it public or private.

Simon Hodgkinson [00:20:38]:
And what I think you’ll see is that, you know, nation state attackers will try to influence those models by what they call poisoning the data. So, you know, if you can feed the model misinformation or disinformation that actually affects the model in a way that changes the the prescribed outcomes, then AI can can be very successful. From a deepfake perspective, I think there was a fairly high profile attack in 2024. I don’t think actually the company was ever ever fully disclosed, but, you know, there was a deepfake AI that impersonated the CFO of an organization through a video conference call, and the finance person in that organization transferred 25,000,000 to a fraudulent account because they were absolutely convinced that the person on the other end of the call was was the CFO. So deepfakes are incredibly, incredibly good now. I personally worry for us as individuals around the deepfake. If I think about my my elderly mother, she turns 90 in a few weeks. If she thought my son was calling and needed help by transferring money, she, you know, she could be easily convinced if, if if it sounded like one of my sons asking for that.

Simon Hodgkinson [00:21:59]:
And, you know, I have to remind her all the time, if something doesn’t appear right, check. Call me and check. And I think us as individuals will have to become very, very sensitive to what’s gonna happen in the world of deepfakes. It only takes a couple of seconds of a a recording of a voice in order to be able to create a deepfake audio and, you know, and not a lot more to to create video as well. So I think you’ll see a lot more activity around deepfakes as well. So I’m I’m really concerned about that because I think this is the next scammer’s paradise.

Karissa Breen [00:22:34]:
So speaking of scammer’s paradise, as you know now, like, you can just there are certain sort of in the cybercriminal supply chain, you can if you don’t know how to do something, you can get someone to do it. You can buy a tool, etcetera, as you would know. So overall, like, back in the day, you had to be somewhat technically sophisticated. Nowadays, you don’t. Right? So any sort of Joe Blow could sort of start getting into cybercrime despite not necessarily knowing everything like you had to historically. So now that sort of the bar for entry is lower, do you see this now being an added problem to the already the problems we already have, or what are your thoughts on that?

Simon Hodgkinson [00:23:11]:
I absolutely do. I think, you know, if you describe it, cybercrime is very low cost of entry, low sophistication in terms of, you know, the knowledge you need to do it. The rewards tend to be pretty high, and the risk of being apprehended is virtually zero. So if you’d if you would look at that in a traditional business, low cost of entry, very low risk, high reward, people would be piling into it. And, you know, I’m afraid, afraid we’ve seen that from a cybercrime perspective. Add to that across the world with the geopolitical instability, rising inflation, rising cost of living challenges, then I’m sure more and more people will be attracted to that, you know, potential cybercrime as a mechanism to fund their lifestyles. 99.99% of people are good and honest, so, you know, I don’t think we’re gonna see the whole world move to it. But you could see, you know, an increase in number of people trying to leverage that of way of making money and affording to live.

Karissa Breen [00:24:12]:
So before you said speed, so I wanna go into this a bit more. So recently, one of my interviews, I was interviewing, someone, and they were talking around, like, businesses need to make faster decisions. Faster decisions meaning when, obviously, responding to a breach, but then also when we’re procuring technology because things are just moving so much quicker than they ever have before. So in terms of, like, responding to a breach, etcetera, like, obviously, people talk a lot about, you know, get a plan and all the basic stuff we’ve all heard, etcetera, practice your IRP, etcetera. But in terms of speed now, in terms of companies making decisions and look at you know, I’m ex, you know, a big bank. Like, things just weren’t happening quickly. But now we’re sort of seeing a shift that businesses have to make decisions with speed behind them because if they don’t, they’re gonna get left behind. So what is your sort of view then on that now as we’re sort of getting into this sort of territory of, hey.

Karissa Breen [00:25:11]:
We can’t sit around for ages and make a decision. We just need to make a decision and perhaps time box those decisions in order to move forward.

Simon Hodgkinson [00:25:18]:
Two things there. I think that is absolutely true. That that commercial imperative is absolutely critical to organizations because if you’re not quick enough, somebody else will take the the market. So so I think speed is is really important for businesses to evolve and adapt and and be successful. So that’s a that’s a good thing. That’s what they should be doing. I think one of the challenges now is with the democratization of digital is it used to be that they would go to the digital organization to go and procure whatever technology they wanted to deploy in order to deliver that strategic outcome for the business. Now they can do it themselves.

Simon Hodgkinson [00:25:57]:
And one of my biggest challenges in my previous employer, the the core of our technology landscape, we were really good at at securing that. It was all the things that go around the edges. So businesses spinning up their own solutions, not necessarily coming to IT to do it because IT had been traditionally quite slow. So I think the IT organizations need to speed up as well and recognize that, you know, we we have to be able to solution things much faster in order to to enable the business to to be successful, but still make sure that you put those foundational controls in place. So if you think now about AI, the amount of people that talk about they just want to deploy AI, and they let a, you know, an AI engine loose over their their data internally to try and find things like ability to standardize, optimize processes, reduce cost, etcetera, all good intents. But, actually, they often don’t understand the data. They don’t understand the sensitivity of the data. It’s not classified in any way.

Simon Hodgkinson [00:27:02]:
It’s not necessarily invented in the right way that is meaningful. So if you do that, you’re essentially then if you essentially then if you go fast and you don’t put those foundational controls in place, you don’t put the things like asset discovery and inventory to understand what you’re dealing with. What you’re doing is actually expanding your attack surface, amplifying it by an order of magnitude, frankly, when you think about what AI can can do with that data. So you have to you know, whenever you’re going through that, you can still do it quickly, but you still have to make sure that whenever you bring technology in, and every business now is a digital business. So anything a business is doing is fundamentally gonna be underpinned by digital. You need to make sure that those foundational controls are in place. It’s so much more expensive to retrofit cybersecurity than getting it right first time. But, you know, the speed point is really well made, but, you know, and IT organizations within their organizations need to recognize that we, you know, we need to evolve and make sure that we are much faster at delivering what the business require.

Karissa Breen [00:28:08]:
So that being said, would you say, Simon, that people generally are afraid is not the right word, but perhaps are apprehensive about making those decisions because it’s like, oh, well, I don’t have a lot of time because back in the day, we’d have to run it through risk and tech risk and business risk and all this sort of stuff just to procure, for example, a product. Now it’s like, well, we don’t have that time on our hand anymore. This is something that I’m seeing coming up a lot of my conversations now. So do you think that as a result, people are gonna be more worried about making these decisions because it’s really on their head then? Or what do you what’s your view on that?

Simon Hodgkinson [00:28:39]:
Digital technology is now so easy to procure a cloud service, a SaaS service. Anybody can do it. Right? And I’ve seen lots of examples where people are using SaaS applications, and they log in with their credentials. They’re at joeblogs.comorganization, and they assume that’s part of their company at that point. And and it isn’t because they’re not federated in terms of the identity down to those digital solutions. And therefore, you’ve got orphan data in in a SaaS environment. You can’t let that happen. You need enough process.

Simon Hodgkinson [00:29:16]:
You can still do it quickly, but you need enough process in an organization so that you can make sure those foundational controls are in place. So speed is important, but you can imagine the cost. You’ve seen the cost of data breaches. I think the average is in the millions now. In large scale events, it’s in the hundreds of millions. And, therefore, you know, there is a massive cost of getting it wrong as well. So we’ve got to find a nice balance between, you know, helping the business procure that technology, but putting those foundational controls in place so that you don’t leave yourself in a world where you’ve got a whole bunch of orphan data in SaaS environments because you haven’t put the right controls around identity in place. And then there are lots of examples.

Simon Hodgkinson [00:30:06]:
It’s not just identity, but, you know, speed is great, but you also need to make sure you do it right. And, of course, the other thing, KB, is the regulators now, especially when we get to things like critical national infrastructure. There are huge implications of getting those decisions wrong and having either disruptive ransomware or data breaches in those environments. So, you know, people have gotta be thoughtful about their regulatory commitments as well.

Karissa Breen [00:30:34]:
So where do you think people are at the moment? Do you think they’re scrambling, or what are you sort of hearing? Because there’s all this, you know, like you said, the regulators and the Psaki, and then there’s the AI component, and there’s, you know, there’s an election coming up, so people get nervous around that in Australia. Where do you think, though, people are, where’s their head at, generally speaking?

Simon Hodgkinson [00:30:53]:
So, certainly, all of the organizations that I speak to, there’s a spectrum. You know, you’ve got people that are very much in the control side of things. So things are still fairly slow to deliver capability, and you’ve got the other end of the spectrum where people are just throwing technology at the problem. So I don’t think there is a standard thought on, you know, things like AI adoption. I mean, everywhere you’ll read, you’ll read the demand of the business to make sure they can adopt AI. But I actually think there’s lots of organizations putting a lot of good work into making sure that they have the right frameworks in place to make sure every AI they deploy is secure, but it also has good ethical boundaries in place within that AI engine as well. So I think people are massively keen to adopt it to see the benefits for their businesses, but I do think there’s almost like a bell curve, I guess. There’s those that are very, very slow at the adoption curve, probably won’t do it for many years.

Simon Hodgkinson [00:31:57]:
There’s those at the other end which are throwing the AI at it, and then you’ve got a good bunch of people in the middle, the 80%, which are doing the right things around making sure that you’ve got good controls in place and whatever AI you’re deploying or whatever technology that you’re deploying isn’t gonna leave your organization vulnerable.

Karissa Breen [00:32:17]:
And where do you think we sort of go as an industry from here now with everything that we’ve sort of discussed today, what you’re seeing, etcetera? I know that’s a big question, but people are curious to know.

Simon Hodgkinson [00:32:29]:
What a question. If I think back to just generally in the cyber world, it’s kind of an asymmetric war. Right? I mean, it’s nation states and, to a degree, some of the more sophisticated criminal gangs, they have significantly better resource and no constraints in order to achieve their objective. So for organizations, they have to focus on resilience. For a long time, we have been focused on trying to withstand through good protective and detective controls, and I think we need to rebalance that now. Every organization should have an assumed breach mentality, and they need to really rebalance their resources, working hard to withstand attacks where they can, but really focusing on that capability to recover. And that’s a really complex thing to do. Right? So if you have a major ransomware attack, you can’t recover everything all at the same time.

Simon Hodgkinson [00:33:33]:
So it takes real work between the business and the technology organization to really understand what are those business activities that have to be restored first. You know, there’s this concept of minimum viable business, public sector as much as private sector. But in order to recover your minimum viable business, to get your business back up and running, is really important. And in order to do that, you then need to map your strategic outcomes to your business processes. And from your business processes, then map that down to the technology landscape. And interestingly, as one goes through that exercise, every organization will realize there are a few core capabilities that they have to really recover quickly. And identity, I’ve mentioned identity a couple of times through this. Identity is the lifeblood of the digital ecosystem.

Simon Hodgkinson [00:34:29]:
So in order to recover anything, you have to have your identity platform back. So people need to really focus on, you know, how do we protect where we can, withstand those attacks. But when the bad things happen, how can you recover quickly from those events? So I think there’s gonna be a rebalancing in the kind of thought process, and I’ve even seen, I think, Gartner have produced something on it recently about this need to rebalance where we’re spending our time, money, people resources on focusing on, actually, let’s assume breach. Let’s assume something really bad is gonna happen at some point. It’s inevitable, and therefore, let’s figure out how we’re gonna recover quickly from that event should it occur.

Karissa Breen [00:35:13]:
So, Simon, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Simon Hodgkinson [00:35:18]:
Well, yes. So there are a couple of things, really. I think I talked about recovery. And, as I said, I’m strategic adviser with Semperis. You know, one of the things that Semperis does is make sure you’ve got people, process and technology to actually recover should you have that big event occur. God forbid it happens to people. But if it does occur, you can recover your identity system. That’s the first system you’ve gotta recover.

Simon Hodgkinson [00:35:45]:
But there’s a key thing you have to think about, and you’ve gotta recover with integrity. We talked at the very early stage about, you know, the nation states and this notion of persistent threats. They leave backdoors in the environment such that once you think you’ve recovered from a destructive attack, they can breach you again. And I would encourage people to pull down Semperis’s ransomware report because in there, there was a massively substantial number of organizations that, if they’d been ransomed once, would be ransomed two, three, four times within the same twelve months, and that’s typically because backdoors have been left. And when they’ve recovered, they’ve recovered that either malicious software or that capability in their environment. That’s really, really important. It’s also really important that you’ve got technology deployed that can look for anomalous behavior. They’re very difficult to spot, but, actually, the thing that the attackers want to do is own your identity system, own your domain.

Simon Hodgkinson [00:36:51]:
Because once they’ve got domain admin capability in that environment, they can pretty much go anywhere, do anything within your digital ecosystem. And therefore, you know, you’ve got to deploy sophisticated technology in order to spot those anomalies. And, again, that’s where kind of Semperis provide the security capability as well as the recovery capability to help you spot that activity in your identity system, but critically automate the response to that as well. So if they see something bad happening, we can back that out immediately. So I wanna leave people with: rebalance your resources, not only on the ability to withstand, but also, you know, focus a lot on your ability to recover. And it’s critical that, you know, we deploy the right technology that makes sure that when we do recover from one of those events, we’ve got integrity in the system. The last thing I’d say is that Semperis produced two ransomware reports last year. I’d encourage people to go to their website and read both of those.

Simon Hodgkinson [00:37:55]:
They’re kind of a fascinating read, pretty scary read, actually. And there’s a report coming out in the next few days, hopefully, where they surveyed about 350 utility organizations, so water treatment and electricity operators in the US and the UK. And that report really highlights, you know, real crucial lessons for public or private organizations in the critical national infrastructure area. And, you know, I’ll just share a couple of stats. 62% said their organizations have been targeted by threat actors in the past twelve months, and 80% of those were attacked multiple times. I would hazard a guess that, you know, it’s bigger numbers than that. It’s just people don’t necessarily have visibility of those attacks. But 59% confirmed that nation state sponsored cybercriminals were behind the attack.

Simon Hodgkinson [00:38:50]:
So that comes back to the Australian Signals Directorate report. You know, Australia, along with all Western organizations, are a target for nation states. So you’ve got to think about that ability not only to withstand, but your ability to recover from those sort of attacks as well.

Podcast Voice-over [00:39:12]:
This is KBKast, the voice of cyber.