Alex Loizou [00:00:00]:
Everyone is working hard, but you need a central coordinator that perhaps extends beyond, that is capable of extending beyond traditional incident coordination. So now what you’re actually doing is you’re personality shopping. You’re looking for an individual, someone with the right set of behaviors, someone who’s able to ensure commitments are met during the incident, is able to produce real time reports on progress and able to pull simplicity from the complexity. And of course they have to have the right demeanor, someone who stays calm under pressure.
Karissa Breen [00:00:49]:
Joining me now is Alex Loizou, Managing Director at Intrinsic Security. And today we’re discussing the human impact of a cyber incident. Alex, thanks for joining and welcome.
Alex Loizou [00:00:59]:
Thank you, Karissa.
Karissa Breen [00:01:00]:
So, Alex, for those perhaps who don’t know, you are the former CISO of Medibank, which was unfortunately breached in 2022. So I wanted to bring you, Alex, on the show today to walk through the incident from where it sat. And also, for full transparency, Alex won’t be able to talk about certain things due to the sensitivity of the incident, but we did feel the need to bring Alex on to share who has lived through these stories that we all hear about. So on that note, Alex, can you take us back to the moment you first got the alert or the call about the breach?
Alex Loizou [00:01:37]:
Absolutely. So that takes us to the evening of the. Effectively, the call that no CISO wants to receive. Although at that point we didn’t quite understand the significance of what we were seeing. It didn’t start as a fire alarm, but rather, you know, just a detection of unusual behavior by the team. For anyone who has run a large environment, unusual behavior isn’t something that is, dare I say it, that unusual. Usually it is something benign or someone has misconfigured something. In this instance, however, we kicked off our playbooks. We investigated it thoroughly, as we always do, and then through the 12th of October, you know, as our investigation expanded, we started to bring in external specialists.
Alex Loizou [00:02:20]:
We were able to confirm that no, the unusual behavior was in fact a breach. And then that takes us onwards to the 13th of October when we made our first public statement.
Karissa Breen [00:02:29]:
So I really want to get inside your mind on when you get a call or you get informed about what’s happening. How do you feel in that moment?
Alex Loizou [00:02:40]:
It’s a sense of, I guess, curiosity combined with possibilities of what could be. On one hand, you do need to keep an open and a curious mind because when you see an identified unusual behavior, you don’t quite know what it is just yet, hence the need to investigate. But of course, you do need to keep an open mind to the fact that it could be nothing more than a false alarm or to the other extreme, which unfortunately, we experienced, it could be a significant incident.
Karissa Breen [00:03:08]:
Yeah, you’re right. And you’re also sort of thinking and hoping, I hope it’s not the extreme. And it was. But then how do you sort of, how do you handle that? I think it’s important because we are really talking about the impact on a human being. Right. And sometimes it’s easy for people even like myself, to sit there and write these articles and do all of that, but then we’re actually trying to hear your side of the story about, you’re a human being at the end of the day, you know, you’re a husband, you’re a father, you’re a friend, you know, you’re potentially a sibling, et cetera. So I think that’s the part that maybe people are divorced from in this reality of how you’re feeling.
Karissa Breen [00:03:41]:
So when you figured out, okay, it was the other end of the spectrum, like how, how do you gather your thoughts and how do you know, I’ve got to go into, you know, into a specific mode to, to deal with this incident. So I have to just really think, very focused, and know that any potential thing could be the wrong decision. How do you deal with that?
Alex Loizou [00:04:02]:
Yeah, so the feelings develop over time. I think that to work in the, in the cyberspace, particularly in the operational space, it’s a field that attracts a certain personality, people that really come to life in an incident. And you do need that. You, you need to have individuals who are calm under pressure, able to think clearly when it otherwise seems that, you know, there are problems left and right. So in that initial moment, there’s a very, very strong focus on what do we do now in order to minimize the impact to our customers, to our peers, to our organization. And in a way, you almost end up deferring the emotional weight of, of what’s waiting for you afterwards is when it really, really comes together. And I guess I’ll provide a bit of context regarding some of what we saw in the team and then even speak to my own experiences there. I would start by setting a bit of context.
Alex Loizou [00:04:57]:
So if you’re a large enterprise that experiences a significant cyber incident, first and foremost your customers, they’re actually the victims of a crime. There’s a potential, given where your organisation might sit, that Australia itself could be the victim of a crime. But then the thing that you can often forget yourself is that your business and your staff are also victims of that same crime. We just all have slightly different roles to play in responding to it. So we definitely saw the mood in the team take a hit. You know, there was a feeling among the team broadly, not just within security, but broadly within the organization. It was like everyone’s house had been broken into.
Alex Loizou [00:05:37]:
Within the security team itself, there was a lot of what I like to call time traveling, people going back and asking, what if I’d done this, what if I’d done that? When in reality, there’s never any one individual who, you know, could have done one thing to stop a major incident. These things are a coalescence of a number of factors. In my own case, the emotional hit was really, really there. This is your mission to try and prevent, you know, any kind of an incident in an organization. And when something like that happens, your role changes immediately. The focus now is how do you recover, how do you respond to it, how do you do everything possible in that time to minimize what has now happened to the organization. But with a combination of sleeplessness, combination of extraordinarily long hours, and really the world changing around you, it is quite impactful.
Karissa Breen [00:06:33]:
Gosh, yeah, I know. I’m hearing it in your voice, and I’m trying to think through just as you’re speaking, I’m trying to imagine it. My mind. Do you. Would you say as well, was there a moment with yourself or anyone in your team yet? You know, when people, when people go through something traumatic like this, because like you said, it does feel like everyone’s house being broken into and you, you know, you feel like you failed the mission, Right. How do you deal? Or was it times when there was that fight, flight, freeze sort of moment when you’re dealing with something super stressful.
Alex Loizou [00:07:05]:
So for myself personally, no, I can’t speak to my team more broadly there because we definitely saw the, the myriad of responses within the team. Those who really come to life and need to fight the situation in front of them. You know, those who felt the need to really just step back and get out of the way, you know, those who froze, you definitely get a bit of a combination. The reason why I said I myself didn’t experience it, and maybe I’m. Maybe I’m miscategorizing. Maybe my response was simply fight. But the mission simply changes. Up until the point that an incident occurs, your role is to do everything possible to prevent that incident.
Alex Loizou [00:07:45]:
And then that’s what you put your, your time, your focus, your energies into. The minute it occurs, though, you still have that responsibility, because there being a threat actor in your environment doesn’t mean that there aren’t copycat threat actors and others who might take advantage of. But your mission now is to do everything you can to deal with that incident in front of you, to make sure that the environment can be returned to safety as quickly as possible. And I think that it’s. That moving goalpost, in a way, doesn’t give you the opportunity to pause and consider. Rather, it just gives you a very crystal clear goal, and that’s what you shoot for.
Karissa Breen [00:08:23]:
Okay, so there’s so many things I want to ask you. This is really, really important to definitely hear your side and to get behind perhaps some of these feelings and what was actually happening at the coal face that people aren’t aware of. So I really appreciate you coming forward a lot, and I. I know the audience will as well. One thing that I’m curious to understand from you, Alex, would be recently on Netflix, there was the Osama bin Laden documentary. I started watching it. I haven’t watched all of it, but one thing which was interesting was when the first plane hit the tower, instantly, you know, the CIA and the US Government started to go, okay, well, what about the next thing? Did that happen then for you? Like this has happened, while other things could start happening now too? Did that start to go in your mind around what else could be coming down the pipe?
Alex Loizou [00:09:13]:
For me, absolutely. So part of the way to deal with that was directly in front of us being, I guess, the things that have been publicly reported against the threat actor. Getting into the environment, accessing data. We did absolutely focus on, you know, what would copycat behavior look like? As there’s more and more reporting, will we see, you know, curious individuals, in inverted commas, security researchers, start to try and shake the environment? So we absolutely started down that route, doing things to protect the organization more broadly and just put awareness out there that now that this has occurred, be ready for an increase in phishing. You know, be ready for an increase in external scans of our environment, which we absolutely did see. We saw an uptake in both, you know, phishing behavior and, you know, external interest in our environment, an increase in dark web chatter regarding the environment. So you do see those things happen, and you have to prepare for them.
Alex Loizou [00:10:13]:
At the same time, of course, those things are competing for attention and resource with the incident itself. So part of that response is to increase the size of the team, bring in incident response partners, and really virtually balloon the scope and the scale of the cyber team. And then of course, Medibank is a regulated organization. There are still other BAU things that absolutely must carry on. So while you’ve got this big incident that people are responding to, you still need to make sure that there’s enough capacity in, in the team to make sure that all of the ordinary standard BAU stuff happens and, and, and continues on in, in an uninterrupted manner.
Karissa Breen [00:10:57]:
Yeah. Wow. Okay, that’s a lot going on. So I want to take a 2 millimeter step. I’m aware. And I want you to talk through perhaps the impact and how Medibank as a business lessened the impact. So what does that look? So we’ve spoken now about Medibank’s response, but there was obviously some things to prevent sort of the intensity and the size and the scale. So I’m keen to walk through that with you.
Alex Loizou [00:11:26]:
Yep, absolutely. So, personally, I think the first thing that we did as an organization is we really approached the incident with the perspective of radical transparency. So we made every effort to provide very real time and very, very accurate, you know, external reporting on what was happening to the organization. But then if I actually zoom into the incident itself, so we approached the incident with, I guess, some unusual approaches that really helped, probably the first and foremost being using multiple incident response partners in parallel. So we ended up using multiple separate IR partners and each one of them had a different methodology that they were working to. So effectively, the way I like to visualize it, it’s like having multiple people looking at a criminal’s behavior, which is what they effectively did. But each one is taking a completely different approach to documenting it.
Alex Loizou [00:12:28]:
And the benefit of doing that, of course, is that you’ve got multiple parties independently documenting what happened and taking different approaches to get there. Yet if they manage to land on the same set of facts, the same scope of the compromise, then you actually can have a very high level of confidence that the incident is well understood. And that’s one of the things that we did that was, I guess, a bit different.
Karissa Breen [00:12:52]:
Got it. Okay, so I want to get into this. So you said you’ve had multiple partners with the intent to make sure you’re covering all bases, different methodologies, perhaps things are overlooked. I mean, people do that a lot in penetration testing, as you would know. So did you find that there was a lot of commonalities between these three partners? Did it. Did you give a sense, give you a sense check of confidence as well as fidelity on what you were dealing with?
Alex Loizou [00:13:14]:
Absolutely. The benefit to an organization using multiple IR partners, especially with different methodologies in use, is that you build a very comprehensive picture of what actually happened. You can go back to your organization with a high level of confidence that you know exactly what occurred and you know what the scope of the incident is. This approach also gives further benefits. Take the post incident recovery phase, for example. By having that high level of confidence that you know exactly what the scope of the incident is and what the threat actor did, you have the benefit of being able to be much more managed and thoughtful in your recovery. Unfortunately, without that confidence, the recovery can often be as damaging as the incident. The old adage that the treatment can be worse than the cure.
Alex Loizou [00:14:06]:
Of course the opposite is also true. If you use multiple IR partners, you could get different reports that tell you different things. That’s still beneficial information though, because what it does is it’s highlighting blind spots for you. It’s giving you a more comprehensive view. So whether you do get the happy path or not, either way you’re still getting a very, very clear picture. It’s still useful data.
Karissa Breen [00:14:31]:
And would you say from your experience now that’s probably a better way to go to make sure that the people haven’t missed anything, would you say, and maybe you don’t know the answer to this I’m just curious to understand is do you think people aren’t using multiple partners to make sure they’re getting that holistic sort of approach to make sure nothing’s missing? Or do they just go with the one or what do you. Do you know anything about that?
Alex Loizou [00:14:53]:
Absolutely. I have some opinions which I’ll happily share, but I’ll also expand that with a bit of the problems that that same approach created and what we had to do next. So to answer the question directly, it is a horses for courses kind of a situation. For the scale of Medibank, for the, you know, the importance of what the organization does, bringing in multiple partners was absolutely the right approach. It wouldn’t necessarily be the right approach for everyone, depending on the nature of the incident, the nature of what has been impacted. But I guess the problematic element to that is it does mean that you have a lot of third parties that you need to manage in addition to your own, you know, incident response, you know, any crisis, teamwork, internal reporting. So it ends up ballooning the amount of effort required to manage the incident. I like to think of it as, you know, adding more cats to the cat herding.
Alex Loizou [00:15:48]:
The difficulty. Any organization considering multiple IR partners effectively, what they need to consider is that yes, you do get that high degree of confidence, you have a great understanding, a great accounting of what actually happened. But of course, it’s not all happy days. The complexity of your incident explodes. So now you have multiple IR partners, perhaps your business has a government regulator, critical customers, internal stakeholders. And what you’re trying to do is you’re trying to sync all of this up in near real time and it becomes very challenging. Of course, there are always ways to address these things. You know, for every challenge, there’s a cure.
Alex Loizou [00:16:30]:
And perhaps we’ve got some further learning for anyone looking to replicate what worked. So with the number of moving parts a major incident brings, compounded with the further burden of using multiple IR partners, effectively, your underlying challenge is trying to keep everything synced up. And incident response, the way I look at it, it starts to look like a major project that’s sitting there in crisis mode. Everyone is working hard, but you need a central coordinator that perhaps extends beyond, that is capable of extending beyond traditional incident coordination. So now what you’re actually doing is you’re personality shopping. You’re looking for an individual, someone with the right set of behaviors, someone who’s able to ensure commitments are met during the incident, is able to produce real time reports on progress and able to pull simplicity from the complexity. And of course, they have to have the right demeanor, someone who stays calm under pressure. In my own case, I guess I was very, very fortunate I found that person in my head of security delivery.
Alex Loizou [00:17:34]:
And to many it sounds like an odd mix, bringing a delivery head into an incident, but it actually worked very well. Normally you would never bring delivery and an incident together, but in this instance, that actually almost ended up being one of the, one of the best decisions we could possibly have made.
Karissa Breen [00:17:51]:
I want to talk about the operative word, prepared. Now, there’s a lot of people in the industry that I interview out online talking about being prepared for a cyber breach. Do you think, given your experience, and this is real world experiences and theories, do you think you can get to the point in your cybersecurity career that you can say, yes, hand on my heart, I’m prepared?
Alex Loizou [00:18:13]:
So I’m almost going to throw a question out. They’ll respond it at the same time. And that is, what does anyone mean by the word prepared? And the reason I say that is, unfortunately, most enterprises that have a requirement to be prepared for an incident, they’ll typically have something like an annual desktop activity where people sit around a room and they discuss in an incident, what would you do? And provide responses and, you know, tick it off, we’ve met our obligations. It doesn’t cut it and I don’t think it cuts it at all. The unfortunate reality is an incident won’t be scheduled as a meeting in advance. You won’t know that it’s coming. You don’t get to say a few words, you know, wave a wand and things will change. So I do think that we’ve got a, I guess a little bit of a challenge at the moment that the nature of an incident doesn’t necessarily gel with reality when it comes to the way that we, corporate Australia, often prepare for them.
Alex Loizou [00:19:15]:
Now, that being said, I don’t necessarily think we could try and take an organization through all of the time that an incident would consume. You would effectively lose a lot of your cyber and management capacity for an extended time frame. I do think that there is a bit of a delta there at the moment. We were quite fortunate in our own case that only a short while before the incident, the cyber security team had actually gone through practical exercises at Cyber Gym. For those in the audience that aren’t aware, Cyber Gym is a facility that allows you to simulate a real world environment and then actually respond to a, yes, simulated, but in, in effect real incident in an environment that won’t impact your technology environment. And then they’re even able to an extent replicate what your production environments look like. So we were fortunate that muscle memory was there for the team to leverage.
Alex Loizou [00:20:13]:
But at the same time, I’d argue that even having gone through one major incident, you know, yes, I, as well as, you know, my colleagues from Medibank, some of the few people who’ve been through a recent major incident, no two incidents are alike. So it doesn’t necessarily mean that you know exactly what will happen in the next one. Instead, I almost feel that what you need to train for is effectively aptitudes. Do you have the right kind of people who can think on their feet, who can, like we needed to do with multiple IR partners, with bringing delivery into the incident response, people who can see a problem, visualize a solution and then execute it in real time? Even though there isn’t text that says this is the way it’s been done in the past. I almost feel that in an abstract sense that’s the challenge in front of us, is creating more people who can do that.
Karissa Breen [00:21:08]:
Yeah, this is interesting and I think that is a great question because often people say you got to get prepared. But yeah, what does that mean? And I think, what was that famous quote, Mike Tyson? Like, everyone has a plan until they get punched in the face.
Alex Loizou [00:21:19]:
Yes.
Karissa Breen [00:21:19]:
So I feel like we can all plan all day, but then something’s just going to hit us. Nothing’s going to your point, you’re going to be blindsided. We’re not going to know what’s coming, you know, good point around the aptitude. One of the things that was cut my mind is, and let’s use this as an example, when I worked for a very large retailer here in Australia, we had a security manager come in, tell us about, we have these toolbox things. So he’d say, okay, this is an incident. What do we sort of do? How do you respond? Every day there was an incident and it wasn’t the same. There was no blueprint. However, the DNA was there on how do we respond? We get on the radio, we talk to one another in our codes, we do our thing.
Karissa Breen [00:21:53]:
So there was that. That is engendered into you. But it’s not like, oh, this specific incident that we’re going to talk about that may occur, may not. But the whole perception of how to respond and deal with it as a group was there, but not the specificity of what gets carried out.
Alex Loizou [00:22:11]:
Absolutely. And in fact, I would take it one step further, which is that repeated exposure to various different forms of incidents would give you very, very good muscle memory for staying calm while dealing with one, for knowing what kind of responses you might have. And that makes it actually easier to see where you might have a gap if something unique comes your way. But it also, I think helps with the connective tissue within the organization, understanding who it is that you need to work with, who it is that you need to respond to. If we sort of, I guess, zoom in one step further with where I think we have a bit of a gap in preparedness. The major one that always strikes me is the time element of it. And what, when I say that, what I mean is if you’re dealing with an incident, there is a very, very good likelihood that the threat actor is doing, doing something outside of your hours of operation. So first things first, it’s not going to happen during your business day.
Alex Loizou [00:23:11]:
We now know through the AFP’s work and use publishing on it, we now know that the threat actor was, you know, Russian based. We could actually identify who the individual was. So we know that they were simply working in their own time zone. Hence a lot of what we saw happened when it was nighttime. If I think back to another organization I’d worked for previously, you know, we were constantly being targeted by a certain threat actor. We understood that they were from an area that wasn’t too far outside of our time zone, yet they would consistently try and target our environment at night, typically on a Friday night. And we believe that was strategic to try and exhaust the team by making sure people didn’t have weekends.
Alex Loizou [00:23:53]:
So that, that exhaustion element, I think, is the, is the first thing a lot of the traditional ways that we train and we approach it don’t really handle for. The other challenge is actually the time frames that you’ll be working on. Again, desktop exercises, they typically occur over the course of a day or a couple of hours. But in reality an actual incident, you measure it in weeks.
Karissa Breen [00:24:15]:
You said something really interesting, repeated exposure. I want to get into this because again, like I said, I got a lot of people coming on, be prepared and all of that. But we’ve sort of one thing that’s clear here today, Alex, is there’s no blueprint. Nothing’s going to be the same. You’re not going to know what’s coming for you. You’re going to get hit in the back of the head and it’s going to hurt. So how do you get to the point or where companies do this repeated exposure? Where they’re, yes, okay, the incident may not be the same or not what we prepared for in inverted commas, but you know, it’s sort of, it’s in the same family. We can deal with it a bit better than perhaps not having the repeated exposure.
Karissa Breen [00:24:51]:
Did you say before the Cyber Gym, would you say that’s sort of a good way to approach this?
Alex Loizou [00:24:55]:
Absolutely. And I best feel I need to clarify, I’m not being sponsored by Cyber Gym. They’re simply a service that I’ve used and was quite happy with. But yes, I think that those kind of real, simulated, you know, environments make an absolute difference, you know, red teaming within your environment, you know, if you’re able to support that. But even those desktop activities, I guess I have a concern with the idea of running them only once and only annually. You know, running them frequently absolutely helps because you do need to understand it’s not just a cyber problem. How does my incident response tie in with risk? How does it tie in with crisis management? How do we all work together collectively? So the more repetition the better. Of course, the other obvious thing is the IR partners themselves. In our businesses, unless you’re in the incident response, you know, world, this isn’t something that you will deal with on a day to day basis. You know, absolutely.
Alex Loizou [00:25:54]:
Hand on heart, hope there aren’t organizations that are dealing with this on a day to day basis if they’re not an incident responder. But that’s why you need to have the right partners as well. You should be partnering with organizations that have that muscle memory, that deal with these things day to day, because that is their 9 to 5. And I’ll always remember one of the senior management from one of our incident response partners saying that to me, he said, this is your worst day. But for me, this is just my nine to five. So it is critical to make sure that you’ve got those skills that you’re able to effectively buy in on demand when they’re needed.
Karissa Breen [00:26:31]:
Now, as you know, any incident breach, something happens, there’s always someone, there’s always one that’s an ambulance chaser. So now I want to flick over to the other side around, what do you think didn’t work. Now, it can be internally, but also externally as well. Right. I really want to. It is important because again, like, you’re a human being at the end of the day and yes, we have to have empathy and yes, you know, Medibank’s being held accountable and all that. Things are happening right. Justice is being served.
Karissa Breen [00:26:57]:
And for full transparency, I am a Medibank customer. So this isn’t me trying to, you know, trying to play devil’s advocate. Like I, I was personally impacted as well. So I’m curious to understand, what do you think the industry, the market, from how you, you know, how you were seeing Alex out there, what do you think? Sort of wasn’t good on how things were being handled.
Alex Loizou [00:27:21]:
So it is a cliched term, ambulance chaser, but wow. I have never had my email, my phone, my LinkedIn. I’ve never had these things explode quite the way that we did during the incident. Now, in fairness, you know, there was, there was an enormous amount of reach out from the security industry, broadly from, from, you know, friends and colleagues. And that actually, you know, kept me feeling, I guess, loved in a time that was quite dark. That’s not what I’m referring to here. And in fact, I would argue that the way the cyber industry bands together is one of our greatest strengths. It’s what I love about this industry and it’s, it’s what makes me excited about it.
Alex Loizou [00:28:02]:
The concern was organizations that we’ve never, ever worked with, that we don’t have a partnering relationship with, suddenly jumping in and spamming everyone’s inboxes with, you know, products that will solve all of our problems and, you know, solutions that will fix everything. Yes, that was utterly unhelpful and it created a lot of noise, you know, to the extent that if anyone who’s listening to this has rung my phone, or at least my Medibank phone, which is no longer with me, and hit my voicemail, you would know that it says up front, please don’t leave, you know, a voicemail if it’s unsolicited sales. I had to do that because I was running out of voicemail space on a constant basis. It was, it was really quite crazy. If I was to pivot back to other incident learnings, then I absolutely have to talk about human impact. As I’m sure anyone can appreciate, assuming the choice is still within your control, you can’t just stop the entire organization in order to deal with an impact, with an incident. There are still BAU things that need to keep happening, especially if you happen to operate in a regulated environment or you are simply a listed entity.
Alex Loizou [00:29:11]:
Now, the natural process here is to assign people. Some are inside the incident dealing with that and some are outside the incident focused on BAU, keeping the lights on, if you will, effectively making sure the organisation continues to function even though there’s a crisis taking place within that same organisation. This model, if done well, means you have clear separation and focus. There’s no blurred lines, there’s no gray areas in the middle. But it’s not without pitfalls, and problems effectively become evident later. You now have two teams. One who feels they were inside the tent dealing with the incident and one who feels they were outside the tent. The team who was outside the tent, the BAU team, they will end up feeling a sense of isolation.
Alex Loizou [00:29:59]:
And the problem is that it’s very clear cut to recognize the contributions of the incident response team, the team that was inside the tent. The whole business will typically understand their contribution. But the BAU team, they’ve also been working long hours. They’ve also been working through a form of trauma. They have the added difficulty that it may take time for the people around them to recognize this, and B, depending on the nature of the incident, they may never be let into the tent. The other thing that really, really jumps to my mind, and it’s funny because I’m saying this on a podcast, but it’s actually the media and the incident reporting itself. As I mentioned earlier, we made absolutely every effort as an organization to be as real time as possible. The problem that we identified though, is that the language of an incident is not compatible with the way that you would typically report things in media.
Alex Loizou [00:30:52]:
An incident is all about evidence based reporting. At this point in time, we know this, and it’s quite black and white, it’s almost a bit robotic. The problem is that what that meant and I actually had looked up some articles prior to us jumping on to really refresh my mind. But we had early reporting where we’d stated as an organization we’ve seen unusual activity, but that we in the early days, because we didn’t, we had no evidence of customer data compromise. That’s not to say it didn’t occur, but again, an incident is evidence based reporting. At that point we had no evidence. When we saw evidence, we actually reported immediately. The problem is that what we then saw was, you know, headlines saying that we changed the story. And in reality that wasn’t the case.
Alex Loizou [00:31:41]:
It was evidence based incident reporting where we were very, very clear of what we know and don’t know. And then when that situation changed, we updated what we know and don’t know. So I think that was another key learning was a little bit more sensitivity to the fact that the way things might get interpreted and more importantly the way there might be an inclination to read between the lines, that’s I guess a tricky pitfall to be careful of. And the evidence based incident reporting style does not quite gel with that.
Karissa Breen [00:32:15]:
Okay, this is interesting. So in terms of going back to. So some of the verbiage that was being said in the, I’m assuming more mainstream media and I’m also under the assumption, Alex, there’s a massive disconnect in what was being said versus what was being done. And then obviously people believing that buying the story, which then perpetuated the viewpoint that, you know, Medibank didn’t do this or they didn’t do that based on what people were reading. Was that something that you saw a lot of now when you sort of look back retrospectively.
Alex Loizou [00:32:46]:
So I guess that what I’m sort of focused in on is that interpretation, that reading between the lines. So when we gave our earliest reporting, as I said, we simply stated what we had evidence of and what we didn’t have evidence of. But it got reported as a very, very clear statement. This has not occurred. And that’s not the statement that we’d made because at that point in time, it was at the absolute earliest point in the investigation. I recognized that for many organizations that might be why they try to keep as much of a lid as possible on an incident, try and hide it as long as possible before they need to report. As I said, we made a commitment to try and be as transparent and as real time as possible. I still stand by that.
Alex Loizou [00:33:33]:
I actually think that I take, I guess, a pragmatic approach to these things. I know that at some point some other service provider that I use will be hit with an incident. It’s the very unfortunate reality of our digital connected world. But I would just hope that they are transparent as real time as possible. So I think that objective is a good one. It’s just that there’s a little bit more work to consider. How do we make sure that doesn’t get, I guess, misreported with a bit of reading between the lines? Of course the other challenge there as well is, you know, perhaps again you’re in the security media space so you’ve got a different understanding. But outside of the security world, even outside of the technology world, how do we also better educate more of the mainstream media? So.
Alex Loizou [00:34:20]:
So when they are dealing with an incident or reporting against one, they understand how to interpret the language of an incident. You know, I think that we were fortunate at Medibank that we’ve got a pretty exceptional media team or comms team that they are able to identify what was going on and quickly course correct. But another organization may not be so fortunate and I would hate to see a scenario where them trying to be transparent actually backfires on them because all it will do is discourage the next organization from being transparent.
Karissa Breen [00:34:56]:
Very interesting points. So in terms of what you’ve just discussed, what advice then would you have to ensure other organizations that are perhaps, you know, a little bit outside the security arena and you know, some of the languages can be quite complicated if you don’t know it, and complex. What would you say to ensure that companies are not misreporting what is being said, particularly through a very sensitive time like a breach?
Alex Loizou [00:35:23]:
Yep. If I had a, you know, I guess a set of key advice, there’d be a few things. The first is to recognize that incident reporting is extraordinarily fact based and very, very focused on what is known. I’ve always taken the approach that if you know that something can be a problem, it’s easier to be cautious of it. So the first is simply be cautious for that, creating a potential for misreporting. The second is that while I still stand by our approach of aggressive transparency and this very, very real time reporting rhythm, if I had a magic wand and could do it again, I would probably push for a bit more of a steady rhythm. For argument’s sake, we will always report on a Wednesday and a Friday or something like that. It means that there’s a clear set of expectations.
Alex Loizou [00:36:10]:
But, but it also means that you’ve got perhaps a little bit of time to make sure that we understand how this could be interpreted. Now that, of course is with the enormous caveat that I’m not a media and comms expert and media and comms experts would probably hear this and say, stay in your lane, buddy. That’s not how we do it. And I think that’s, if I was to say it, that’s actually the next critical thing. If you’re in an organization, you know, running the cyber team or part of the cyber team, and you don’t have a relationship with your external comms team or your media team or whoever there is that works in that capacity, that’s a gap. Fix that. Take that person out for a coffee, meet with them. Make sure you actually have a, an understanding and a working relationship upfront.
Alex Loizou [00:36:55]:
Don’t wait until you need to build that common understanding in the middle of an incident. And again, I think that was, you know, one of our areas where we were quite fortunate. The cyber team had very strong relationships with our comms teams prior to the incident and those relationships carried on through the incident. That trust allows you to work together more effectively.
Karissa Breen [00:37:18]:
So, Alex, I’m keen to. Now, maybe if you had a look forward, what do you, what are you optimistic about now given everything that you’ve discussed, and I wish I had another hour to talk you through this more. It’s just so exciting and it’s the first time really this has been being shared, so. But I want to sort of end this interview on a positive note. So given what you’ve been through, what you’ve learned, all of the battle scars you have now, what do you wake up for? Makes you really positive about being in the industry.
Alex Loizou [00:37:45]:
So the first thing, and I’m repeating something I’d said beforehand, it is actually the strong sense of collaboration that the security industry has. It’s a funny world because in many other areas I recognize that something happening to a competitor might be viewed as a competitive edge. That’s not the way the cyber teams across industry work. We were in communication with our competitive organizations, they were in communication with us through this because there’s a real sense that this isn’t an advantage, this is a problem that impacts the whole industry, but it’s also a problem that real humans are being impacted by. I know from my work previously in the banking space, it’s a very, very similar environment there where no bank sees it as a competitive advantage for another bank to be, you know, targeted or hit by a threat actor. And they will work together and share knowledge and share information to try and prevent those outcomes. So that’s the first thing that makes me extraordinarily excited about the cyber landscape. The fact that we are, I guess, an industry that is first and foremost around protection, be it our customers, be it our organizations.
Alex Loizou [00:39:01]:
And that mission focus, I think is what gets people up in the morning. The other thing that I’m excited about is, and it’s unfortunate because it did come off the back of I guess the three incidents in quick succession, Optus, Medibank and Latitude. But off the back of that, suddenly the government focus swung as well. And a lot of the facilities that are made available for organizations to report, a lot of the support that is available from the federal government that has really, really moved. And that’s exciting to see because this is a problem that impacts the entire nation. And you know, I’d be upfront to say that we tried through our incident to provide as much real time reporting to government, the ACSC, to the AFP as we possibly could because there was a recognition that this impacts more than just a single organization. But seeing a lot of those kinds of efforts being, you know, formalized or codified now that makes me quite excited too because as I said, the unfortunate reality is this is part of the world we’re in today. We will see more incidents, we will see other organizations get targeted.
Alex Loizou [00:40:14]:
My genuine hope is that each and every one of those helps to make us stronger and effectively makes Australia less of a target over time.