From where and how to spend your money on security to how to prepare for the inevitable security incident, here are five essential learnings for every Australian business.
Cyber Daily was recently lucky enough to sit down with one of the veterans of Australia’s cyber security industry – Tim Redhead, founder and chief executive of DotSec. The conversation covered a wide range of topics and is well worth watching, but if you want to get to the essence of the piece – the essential five points, if you will – we have got you covered.
1. Help is out there – don’t be afraid to use it
If you’re unsure where to start, there are a lot of standards out there that are good frameworks to follow and that will set up your business from the ground up.
According to Tim, ASIC has a very good, very straightforward document called “Cyber resilience good practices”, which is a great place to start. It features advice on governance and risk management, information sharing, asset management, detection systems, and more.
2. Understand your risk appetite
Every business should ask itself, “What really matters?” What can the business do without, what is essential, and what are the costs if those essentials are suddenly compromised or unavailable?
“So think about those assets, the kind of damage they can sustain, the cost to the business in terms of a range of things,” Tim said. “These could be short-term operational costs, loss of revenue, long-term repair and recovery costs, increase in insurance premiums, and so forth, possible fines, and so on.”
Once you know what you need to protect, that’s where you start.
3. Follow what’s happening overseas and prepare for regulations to change
In a lot of ways, Australia is playing catch-up with the rest of the world when it comes to its regulatory response to data breaches and similar cyber incidents. Tim believes that if you want to see where things could be going here in the future, look at what’s happening overseas.
“Follow the class action bandwagon that’s been going in the US for quite some time now, surrounding breaches, and loss of sensitive information,” Tim said. “I think we’re just starting to see the first part of that train coming into Australia – I don’t see any reason why that’s not going to continue.”
4. Consider the right cyber insurance for you
When it comes to risk, insurance is all about transferring the risk you may face as a business to a third party – the insurer.
According to Tim, insurers are starting to become much more cyber savvy, and they will ask you hard questions about your resilience and readiness. However, this is where the first point comes back into play because if you’re following an established playbook, your cyber maturity journey is already well underway, and you should have the answers to those hard questions.
“Did you implement multifactor authentication? Do you have endpoint management? Do you have a way of managing and monitoring what goes on in your organisation? And so forth? If you’ve got those in place, you’ll probably get paid out,” Tim said. “But if you don’t, then I guess you’re at the mercy of the insurer at that point. And that answers your question: what they would pay and what they won’t? It’ll depend on what the causes are.”
5. Understand who the bad guys are and the scale of their operations
Modern cyber criminals are not some kid sitting in a basement wearing a hoodie – they are well-organised, highly skilled, and often very well-resourced.
“It’s proper organised crime,” according to Tim, complete with support desks to help their victims navigate paying a ransom, and often with a range of affiliate organisations backing them up.
“There are hacking groups that create and sell tools and software for a profit,” Tim told Cyber Daily. “So they’re basically … attack-as-a-service. And if I’m not very smart, but I do want to get into some phishing and business email compromise, and I can go to these, pay some money – it’s not so expensive, a couple of $1,000, usually first – and you get a good starter kit.”
These points are just the tip of the iceberg of what we discussed with Tim, and if you did miss the live stream, you can still watch it right here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.