You're listening to KBKast, the cyber security podcast for all security executives, cutting through the jargon and hype. Do you understand the landscape where risk and technology meet? Now, here's your host, Karissa Breen.
Joining me today is Dane Meah, CEO and co-founder of MyCISO, and today we're discussing Dane's thoughts on the recent Australian breaches. So Dane, thanks for joining. I know there have definitely been quite a few in the last few weeks in particular, so I'm keen to get your thoughts. So maybe you start with that: what are your thoughts on all these Australian breaches happening at the moment?
Dane Meah (00:51)
Great, thanks for having me, KB. Yeah, it's certainly been very busy, hasn't it? But realistically, you know, we're hearing about a lot more of the breaches in recent times, but we have to bear in mind breaches occur on a regular basis. And what you're hearing and seeing about is really only the tip of the iceberg, but certainly not to be downplayed at all, and something we should take heed of and take any learnings from, from my perspective. Having analysed some of the publicly known breaches, the likes of Optus, Medibank, Woolworths, etc., one of the interesting observations is that none of those breaches were particularly indefensible or amazingly sophisticated. So you have to ask, why are these breaches occurring? Particularly with businesses that are, in this case, quite large, quite often sophisticated in the defences that they have, with the resources and the smarts to have the best of the best. So you kind of have to go back and ask why the breaches are occurring. Again, looking at the breaches, they're not particularly sophisticated or part of an attack that was not preventable. So I've certainly drawn some conclusions from that and, you know, I'm forming an opinion as more and more information comes out about what happened.
It's so interesting because, like, all of a sudden it was like Optus, and then there was like Woolworths, and then Telstra, and then, like, Medibank. It almost feels like it was organised, like all the criminals got together and said, okay, who's going to attack this company? This one and this one? I've never personally seen it like this in the Australian market. We're hearing about...
Dane Meah (02:44)
A lot more breaches, and it certainly has put boards and the government on high alert. And it's not to be downplayed. As I said earlier, having analysed the breaches, quite often there was a lapsed defence at a stage of the attack chain. Be that, in the case of Optus, we've read a lot about the exposed APIs and how that was accessible through unauthenticated communication. That's really 101 for many organisations and would have been part of the process that I dare say would have existed for Optus, just to call out a specific example. So it's not a lack of process necessarily that caused that breach to occur. My observation is that these breaches usually occur not due to a lack of process or smart capability. It's often a person or a function of the business sidestepping process or a piece of technology, and then you have to analyse why somebody would do that. It boils down to, in my opinion, culture in the organisation: do you prioritise speed of doing business, bringing new features into your application, or sharing information, or using apps that appear to be more effective for the use case? There are many reasons why you might take a shortcut in the security process, but it boils down to culture.
Dane Meah (04:22)
Culture across your supply chain, end users, your development functions; the culture of really caring and being bought into the need for everybody in the business and the supply chain to make decisions that are going to ensure the protection of data and of those critical assets, the personally identifiable information or credit card numbers, etc. So that, at a high level, is my summary of what's occurred. And of course, culture is not an easy fix. There have been many books written about creating culture and I'm sure there will be many more written, and in my opinion it comes down to leadership values in the business and also getting buy-in to the programme, whether it's driven from cyber security or, ideally, driven from the business leadership itself. And I think that's probably one of the positive things we've seen from the recent rise in breaches: business leaders, CISOs and the executive teams are now aware of the cyber risk, and everybody is taking it upon themselves to make sure that it's not their department, and not a failure of leadership, that results in those breaches.
Yeah, great point. So there's a couple of things that were coming to mind as you were speaking. You raised a point about boards being on high alert. Is there anything that you're hearing in your network, or perhaps from customers that you work with, that people are saying to you, that may be a bit of a theme that you're seeing?
Dane Meah (06:05)
Yes, definitely. So my business, MyCISO, speaks with a lot of CISOs, chief information security officers, about what they are hearing and how it has impacted their business in recent times. What I've seen as a trend is a request from boards to have an update on where the business is at from a cyber security perspective. And these are important questions boards should be asking of the business and of CISOs. So that's one question, and then of course being able to answer that question comprehensively. It really boils down to: how are you measuring your security posture, what ways are you testing the strength of those defences, how can you provide assurance that your environment is secure from cyber attack? Those are often the conversations that we get drawn into, to help an organisation perform assessments of their security posture aligned to frameworks like ISO 27001, NIST, Essential Eight and so on. So those are the sort of recommendations that we make, but generally we're hearing CISOs now, kind of not necessarily scrambling, but those that maybe don't have a good handle on exactly where they're at, they're looking to perform assessments to identify the critical controls.
Dane Meah (07:38)
Things like MFA, obviously, strong passwords, security training for end users, making sure these types of controls are in place and activated on all the systems that could house critical data.
Yeah, that is interesting, because it just seems all of a sudden the board sort of turns to their CISO or head of security or whoever, saying, like, are we covered? So do you think that the recent breaches are a catalyst for people checking up on their security?
Dane Meah (08:07)
Yeah, absolutely. But the practicality of answering that question comprehensively, for a lot of businesses: are you ever covered? Can you say for certain that you're going to be able to stop a cyber attack? And the reality is no. So really, it's about doing the basics well. Over the past decade, I've met hundreds and hundreds of businesses, and in some cases we've seen businesses that have every well known, top end, tier one vendor known to man in their stack. They've got all of the SIEM technologies, all of the edge technologies, all of the data protection technologies. But really good security maturity boils down to more than just having the tech; it boils down to also having process, technology and a management structure that's going to manage and support that whole environment continuously. So that's why it boils down to more than just having the tech in place. And the likes of ISO 27001 are really critical to seeing where you're at on a holistic basis. And of course, there are other, more comprehensive frameworks as well, but that's kind of what we've recommended for businesses, and not just for providing board assurance. One of the biggest challenges at the moment is cyber insurance.
Dane Meah (09:42)
You know, the cyber insurance market has grown enormously over the past decade, but today many businesses are finding out, to their surprise, that they're uninsurable. And why is that? Well, cyber insurance is also affected by the rising breaches, because those underwriters are now having to make huge payouts to businesses for breaches. So the cyber insurance providers are standing back and saying, well, we need to see a level of maturity that makes us comfortable that you're not going to have a breach. And again, what does that boil down to? It boils down to having a maturity assessment more or less aligned to a commonly known framework like NIST or ISO 27001. And not to bang the drum too much, but those kinds of maturity frameworks are really where we need to all get very comfortable with the vernacular, and what the critical components of those are, and then gradually mature our environment aligned to a structured framework like that. So in terms of cyber insurance, though, it is an evolving market. And what I've been hearing from cyber insurers that we've spoken to in recent times is that businesses are broadly aligned into two key categories.
Dane Meah (11:07)
You have on the one side businesses that test their security posture aligned to a proper framework; they assess and manage their risk and they can demonstrate an improvement plan. That may mean they're not perfect, but they're improving over time. That's the good bucket. Those are the companies that insurers want to insure. But even so, what we're hearing is that even those will see an increase of between ten and 50% in their current premiums. But then the other bucket: the businesses that are not running a very tight ship in terms of security management, maybe they don't operate to a framework and they don't test their cyber risk on a regular basis, or they can't demonstrate an improvement plan. What we're hearing is increases of between 300 and 500%, or in one third of cases they won't be insured, is what we're hearing. That paints a pretty dire picture for organisations who have held the view that, well, we have cyber insurance for that. And a couple of years ago I was hearing that more and more, where we might not have the best defences, but we have cyber insurance. I think those organisations are going to have a bit of a rude awakening when they have neither strong defences nor cyber insurance pretty soon.
Okay, I want to get into the cyber insurance because this is interesting and I really want to hear your thoughts, but before we do that, I want to go back a step. Now, you're absolutely right, it's hard to answer, like, are we covered? It's not so binary, like yes or no. But what would be the response from a board if a CISO or head of security said, actually, no, we're in a really bad place? Would that rattle a board a little bit? Because everyone wants to hear, like, yes, we're covered, or we're somewhat covered, the best that we can be. But what if someone said, no, actually, we're not? Maybe this is your time now to start listening to what I, as a security person, have to say. Have you ever heard of cases like that in your experience so far?
Dane Meah (13:15)
That would be the majority of cases, surprisingly, and in the case of organisations that are taking cyber seriously, it's actually the organisations that are running cyber well that are the ones communicating that message. And it's really for two reasons. One, as I said earlier, we can't be in a position where we believe we're in a position of complete defence and safety when it comes to cyber. That's the first point. So you would be presenting the wrong impression if you said we're good, but conversely, because of that, you would want to really flag where you are weak and what the risks are. I think the boards are asking questions not because they necessarily want to feel good; they want to understand where the risks are. So I can think of two examples recently where we've had this conversation and the feedback to the board was: this is what we've got, but we're by no means secure, and the risks are X, Y and Z. And what that allows us to do is make a decision about whether we want to invest, and how much we want to invest, to address the gaps that have been presented to us.
Dane Meah (14:39)
The organisations that are saying we're good, I think that's a false sense of security, and that wouldn't be the majority of cases. So I'm hearing more businesses actually want to communicate the risks, and ultimately the old saying, never let a good crisis go to waste, is probably true in this case as well. But look, we've had a shot across the bow, where the number of incidents is occurring at an increasing rate. Let's jump ahead and get ahead of the curve before it happens to us. That's the message that should be going to the boards, in most cases, I would say. Yeah.
And I absolutely think that that's why they're triple checking their bases and really asking those hard questions, because no one wants to be next. I really want to get into this cyber insurance now. You've probably seen people on the internet for and against. Where do you sit on the cyber insurance side of things? Now, I know it's sort of evolved over the last few years, but I'm really keen to hear your thoughts.
Dane Meah (15:44)
Well, it's like any insurance is written: cyber is a risk, whether it's being a victim of crime, or someone breaking into a building and causing damage or stealing assets. It's exactly the same for cyber. For the past several years, as I just mentioned, there were some concerns that it was being used in lieu of having strong defences, kind of like having an insurance policy for your car but then driving recklessly or leaving the car unlocked in dodgy neighbourhoods. No one would recommend doing that. It's only going to hurt you in the long term. So my view on cyber insurance is that, to avoid some catastrophic impact on your business in terms of cost, downtime, ability to manage or handle a response, insurance is absolutely necessary, but it should be coupled with a strong cadence in terms of measuring where you're at in terms of security maturity, because that's what the insurers want to know, but also demonstrating an improvement plan that you can potentially share with the cyber insurer. That's going to give them the comfort that you're in the good bucket, so to speak, and you're one of the clients they want to insure, and it will come through in lower insurance premiums. And I've been speaking to some cyber insurers directly recently who are interested in the MyCISO application for their clients.
Dane Meah (17:32)
But speaking to them, the money that you save on your premiums alone would go a long way towards paying for the security uplift in your environment. So, you know, cyber insurance isn't cheap: anything from a few thousand dollars up to as big as you like, hundreds of thousands of dollars for an organisation, and more. That money can easily be offset by the reduced number of breaches or incidents that might occur. But also the money you'll save in reduced premiums can be demonstrated through improving your posture so that you become more insurable, if that makes sense.
Yeah, sure. No, that makes perfect sense. Why do you think people in the industry, though, are pretty against it? Like I said, I've heard both sides. There are definitely practitioners out there that are just really against it.
Dane Meah (18:20)
Yeah, maybe there's some aversion to people profiting from an emerging problem, I don't know. But certainly I've not come across that. During the formative years of cyber insurance, perhaps there was a view of how good was the cover; there were some rogue policies out there that wouldn't pay if there was an incident. And really, that kind of boils down to ensuring you understand your risk. Start with understanding your risk, understand what types of incidents would have the greatest impact on your business, and then go and ask those questions of your insurer. And then you're not in a situation where you pay for something and you feel like you haven't received the benefit when you needed it. But going back to your question, why do people dislike cyber insurance? I don't know. I've not heard that one myself.
Yes, well, I guess you're not Nostradamus. You don't have all the answers to these questions. Okay, I'm really curious now that you've made a comment: are we adequately addressing cyber? Now, I probably know the answer to this, but I'm keen to get your thoughts on how we adequately address cyber in the market.
Dane Meah (19:35)
Yeah, sure. It's the million dollar question, of course, so I won't claim to have the answer for that one either. But breaking it down, whether you make widgets or provide services or whatever, that's first and foremost what you have to do. So cyber has to fit into that. It has to be a supporting player, a supporting role. You're doing business. So whether you have a critical system on your factory floor which, if it goes down, could cause major problems, or whether your business is online, you have to kind of build your defences around (a) what you can afford, but (b) where your key risks are. So my kind of suggestion for any IT leader is, first of all, understand where they're at in terms of security. Once you've understood your maturity, understand your risk, identify the improvements that are going to have the greatest impact. That means that you're focusing less of your budget on things that don't really have an impact. So that's my kind of key thing: how do you identify which of those critical controls are going to have the best impact on mitigating risk in your business? And look, there are several ways that you can do that, but that's how we address cyber.
Dane Meah (21:02)
It's not necessarily going to guarantee to stop a breach, but if we focus on the basics, we focus on things like the Essential Eight first, and even before the Essential Eight, looking at what your critical assets, critical devices and your crown jewels are, and building your defences around those first. I think that's kind of what I want in terms of security. And of course, with any improvement plan, it's making sure you've got the basics right first. If you're just starting out in your security journey, don't go and think, right, we need to implement a SOC or a SIEM. There's going to be a tonne of work that you can do, probably within technology that you've already got, like your firewalls, like your Microsoft stack, etc. It doesn't have to be super, super expensive. In many cases, it's getting the basics done really well and then incrementally improving based on what's going to have the greatest impact.
Do you think people do the basics well? Because, again, I mean, I've spoken about this on the show before, like, patch management seems easy in theory, but still people struggle with that, whatever the reason is. So I'm curious to know, you mentioned before, like, you don't have to go out and think about, oh, we've got to leverage a SOC or build our own SOC, or whatever it is. How do people get to that stage, like going quite far into the future, when they haven't got the basics right? Is it that perhaps they're seeing stuff online, they're influenced by service providers or vendors or whoever it is? How do people think so far ahead when it's like, hey, you've actually got to think about doing the basics, as you've just said?
Dane Meah (22:42)
Yeah, like I've mentioned already, there are some fundamentals of security, things like enabling multifactor authentication on all externally accessible systems, these kinds of fundamentals. And you'd be surprised how frequently we learn that that's not been deployed. So doing the basics doesn't necessarily cost a lot of money. Clearly, on occasion there's a reason for that not occurring, or complexity, users or geographic locations that prevent those controls being deployed. But as a general rule of thumb, getting the basics in place is critical. I mean, to answer your question, why wouldn't an organisation do that? In many cases, businesses are a complex beast. They have, in many cases, a bringing together of different environments, different businesses, maybe a merger or acquisition. These kinds of constantly changing, evolving landscapes; and also the threat landscape is constantly evolving. So not to downplay how hard or how easy it is to deploy the controls, which is why focusing on fewer technologies and getting the basics in place is really key.
Yeah, there's more curiosity from people, like perhaps jumping the gun: let's do all these amazing, like, fully intense things. It's like, okay, let's start, like I said, with the basics. It's more a curiosity as to why people would be so eager to jump the gun when it's like, well, hey, what's that old saying, you've got to crawl before you can run, so to speak. People are trying to run pretty quickly, and I'm just curious to know where that's being influenced from.
Dane Meah (24:43)
Doing the basics isn't necessarily the exciting project, right? So going back and reviewing all of your firewalls, making sure that things are locked down, doing that on a consistent basis, doing all of those behaviours, that part of cyber security isn't necessarily the exciting part of the job. Whereas rolling out new tech: security managers and CISOs were often top technologists who came from the tech side of the business, so that can be a reason why people would rather focus on the project style and implementing new shiny things versus the cadence and operational side, which potentially can be where the gap emerges. But what we see in larger businesses and more mature businesses is that separation between project and run, or operations, for that very reason. And then overlaid with governance, kind of policing and making sure that the systems maintain a standard that has been set by the governance function.
Yeah, no, that makes sense, and I appreciate you sharing that, because again, it's so easy to say the basics are easy to do, but in reality a lot of people still don't get them right. So it's always a question I like to ask people and hear their thoughts on. Now I want to get your view on... we've touched at a very high level on all the breaches that are happening in Australia. But I'm just keen to know, really from your perspective, Dane, what can people learn? And I think it's illuminated that boards are going to take it seriously, people are checking their security, they're going out, they're getting cyber insurance. Is there anything else that you'd like to add, perhaps learnings that you're seeing in the market from your perspective?
Dane Meah (26:47)
Number one, getting the basics right; we've covered that already. Whether that be implementing MFA, which we've seen was the cause of one of those breaches, or ensuring you don't leave your APIs open to use, is another. These are relatively basic security controls to have in place. Number two, I would say, is your culture. Do we have a culture of us versus them, i.e. security versus software development, or security versus business development? In many cases inside a business, that culture is what drives the behaviour of people to sidestep security or sidestep a process that's keeping the business safe. So those conversations need to happen at a leadership level to make sure that right from the top it's very clear and evident that cyber is a critical component in the business. And I think these are the conversations that are being had right now across boards, across ELTs, around the country: purely, how do we make sure we're not the next business in the headlines? And then the other is more of a Zero Trust architecture and approach across the architecture and supply chain, which would be advantageous. So, you know, really authenticate and really assume nothing is, kind of, simplifying it.
Dane Meah (28:28)
Assume that there are no trusted communications and all access is potentially malicious. If you look across the breaches that have occurred, to take that view, whether that be to ask for step-up authentication on every login for critical systems, or having some authentication for your API, those kinds of principles are good things to take away as learnings. The other is to regularly assess your security maturity. We're not talking weekly or monthly, but do you know where you're at? You know, roughly speaking, what your security maturity would be aligned to a proper framework; or if you don't, then you're probably winging it. You're watching problems emerge in the business, be that a breach, for instance, and you're patching, you're implementing better email security rules or you're making better firewalls. But actually the better approach is to step back, take a holistic view and build a multi-year improvement roadmap that's not just looking at incidents and putting out the fire that's burning the brightest. Those are probably three or four of my observations and the learnings that I've taken away.
Sure. You said people that are winging it. Do you think most people are winging it, or do you think they're sort of, like, crossing their fingers, closing their eyes and just hoping? Do you think there's a lot of that in there, or is it less of that? What's your barometer on that?
Dane Meah (30:10)
I think to a degree, many organisations, businesses, are doing their best to stay secure. But probably ten years ago you'd walk into most businesses and a CISO or security manager didn't exist. So winging it is, we haven't had a choice. I think there are businesses... the amount of infrastructure managers that I've met that were transitioned to security manager overnight. Now, they didn't undergo rigorous training to do that. So, you know, winging it sounds harsh, but it's true. I think it's basically a necessity to stand up and do the best that we can under the circumstances. But I think that what's changing is that doing our best now requires using the tools at our disposal. And a greater amount of rigour is one of those tools, through maturity frameworks, like I've said many times, ISO and others. And that's no longer becoming an edge case, kind of, oh, you're taking it really seriously then, using the framework. Now it's become the mainstay. And if you look at the government's response to the recent breaches, we've seen an immediate response, which was to increase the penalties relating to serious or repeated breaches, rising from a fairly modest 2.2 million, which wouldn't be nice if you were receiving that penalty, but equally is probably a rounding error for some businesses, to 50 million.
Dane Meah (32:07)
Does it go far enough? Well, it certainly would sting for most, if not all, businesses to receive that penalty, but compared to penalties under other legislation like GDPR, where it's significantly higher, this is still relatively low. But yes, certainly a step in the right direction.
Yes, you're right. I definitely think there will be a few penalties issued this year in Australia. So in addition to the government stuff that you just touched on, in terms of the increase in the penalties, is there anything else that you expect we can see moving forward for Australian businesses? Is there anything that you can hypothesise that you think will happen as we traverse into this period after all these breaches, that you expect should happen, whether it's now or even in 2023?
Dane Meah (33:02)
For example, we saw in the press recently that Coles have doubled their cyber security budget. So any IT leader should be preparing a board briefing and sending that to the board to really say, this is the state of the current cyber landscape in Australia; to respond to that, we should be looking to double down and improve our security posture to make sure we're not exposed, or one of the next unfortunate victims of cybercrime. So there's going to be an increase in expenditure and focus on cyber that's going to have a flow-on impact on the skills shortage as more and more businesses look to hire security personnel. But then also an opportunity as well for MSPs and consulting firms to build out more security capabilities to augment whatever other services, whether that be managed IT or otherwise; that's the opportunity that exists. If any of your listeners are in that space and they're not in security, or they're not able to offer a comprehensive engagement to their clients, that's a huge opportunity that they're probably missing out on at the moment. And I've seen that directly myself, where we've been asked in by a business that has a managed service provider in place.
Dane Meah (34:38)
The MSP really doesn't have the skill set to comprehensively address it. If you're a managed service provider, go and skill up and make sure that you have security in your stack in a comprehensive way. The old days of your security package being firewall, endpoint protection, email security and a bit of awareness training, obviously those days are behind us. Terms like the frameworks I've mentioned, risk management, are going to become more mainstream and less exclusively for the few, and those that have regulatory requirements to adhere to a certain standard or framework.
Yeah, great points. Great tangible points as well for people to take away. In terms of any final thoughts or closing comments, or anything quickly, Dane, you'd like to leave our audience with today?
Dane Meah (35:37)
This rising breach and threat vector has obviously put a lot of businesses on edge. I've created a few assets, and I'll include the link in the comments of this blog: a board briefing, which really is a summary of all of the breaches we've seen over the past couple of months and some of the observations. So I'll be happy to share that with your audience. And outside of that, I'm always happy to help anybody that needs to assess their security posture. Check out MyCISO and we'd be happy to take you through how that may be able to help you.
Awesome. Wonderful. Now, I appreciate your thoughts and your insights, and I guess, like, you know, some of the questions I ask, they don't have an easy answer. So I appreciate you taking the time today to come on the show.
Dane Meah (36:30)
You're more than welcome. Thank you. It's been a pleasure. Thank you.
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes.
This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today.
If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of Cyber.