But do Boards and Company Directors really understand the importance of being cyber aware, and the controls they should have in place to combat risks in their business?
In this episode Matthew Green, Partner and Controls Assurance Specialist, and Chris Watson, Partner and previously a Detective in the Computer Crime Unit of the City of London Police, discuss why Boards and Directors should be interested in cyber security now more than ever, whether these criminals are ever prosecuted, and new technologies that companies should have on their radar to mitigate cyber-related crimes in the future.
Available on Apple Podcasts, Spotify or within your browser.
Rebecca Archer
Welcome to Navigating the New Normal, Grant Thornton’s podcast exploring trends in business and the marketplace. I'm Rebecca Archer, and today I am joined by Matthew Green, Partner and Controls Assurance Specialist, and Chris Watson, Partner and previously a Detective in the Computer Crime Unit of the City of London Police.
With cyber security being the number one issue for Australian Directors and businesses and given recent cyber-attacks that we've all heard about in the news, the issue of cyber security and data protection has never been more prevalent.
Welcome, Matthew and Chris, and thank you for your time today.
Chris Watson
Thank you very much for having us on.
Matthew Green
Thanks Rebecca.
Rebecca Archer
So much has happened since our last podcast on cybersecurity. What's new? What's the latest? What can you tell me about updates in this space?
Matthew Green
I don't think there's anything new going on, and I think I could probably speak for Chris in that regard as well, because this feels a lot like what we're used to. It's just now I think we've got some really high-profile incidents; they've hit the mainstream media, and they've hit the mainstream media in a big way. So, visibility has really changed. And that's the main change here, I think. Yes, the crims are doing things a bit differently, a little more sophistication, a little more business savvy to their service, but in reality, this has been going on forever and a day, we're just hearing more about it. And I think as individuals we're feeling more of it more directly.
Chris Watson
I'm always reminded of – I don't know if it's a saying or a song lyric – but it's, “the more things change, the more they stay the same.” It is one of those frustrations, where, you know, it's reported widely saying, you know, that you know, the emerging cybercrime… it's not! You know, WannaCry was back in 2017, Petya was 2017, NotPetya was 2018. Right, you know, these things, you know, and even they weren't necessarily that new, right, you know. So, it's been with us for quite some time, I think, to pick up on Matt’s point, I think, actually, you know, where it's really changed in the last few years is that, you know, if you want to call it the “Dark Web”, or the, you know, cybercrime – however you want to sort of romantically refer to these people – is, they have actually become over the last probably sort of five to ten years very much more business-oriented, far more organised.
And there's the, you know, there really is that when it talks about sort of the dark web economy, which again has been spoken about for absolutely years, but, you know, we're seeing now that really being quite an efficient set-up behind the scenes. There are things where we have to be, you know, somewhat careful when talking about ransomware, as if you pay the ransom, that's the end of it, because you know, these gangs, they know that they can make a lot of money from washing your data a number of different ways. One is through ransom, and one is through selling our data, and money through selling the exploit that they used to get into systems in the first place. So, look you know, “the more things change, the more they stay the same” – it’s sort of new wine in old bottles.
Rebecca Archer
Would you say that state sponsored cyber-attacks are on the rise? Or is it just, as Matt pointed out, it's more visible, there's more attention from the media being paid to this issue?
Chris Watson
It's incredibly tough, if you're not in the security services, to gauge accurately. Certainly, it's being reported more in the media; I think there's certainly more attention. Sometimes I feel it's a useful headline to have, you know, from both politics and to call out state sponsored. But I think, again, what we have to remember is that, you know, attacks, you can be a spotty youth in your basement, and you can go into whichever dark corner of the web, and you can download a pre-prepared hacking kit. They're not sophisticated, and half the problems with the ransomware attacks are that these are launched by people who don't know what they're doing, using tools that have not really been tested, and you can't decrypt the data.
And there's a real scale of attackers out there, or threat actors or however you want to describe them, you know, we still have those so-called “script kiddies”, you know, people who just go out and sort of get a package off the internet because they want to have a go at sort of digital vandalism, through to state sponsored, without a shadow of a doubt, but it goes on. I think it's really hard to say that it's increased. Again, I think it's something that has gone on since time immemorial. But it's certainly something that is far more topical, given what's going on in the world, whether it be, you know, Ukraine or whether it be tensions with China, whether it be sort of ongoing tensions with Russia, you know, it's definitely something that is out there and has its peaks and troughs.
Matthew Green
Yeah, there's a notion that the state sponsored activity may well be increased due to sanctions that exist at the moment, and that's their way of obtaining cryptocurrency, which they then convert to US dollars and fund their activities. The notion of things like your Medibanks and your Optus-es being hacked by the large hacking groups, there is some suggestion that they are state sponsored or supported or, you know, allowed to operate with impunity in and amongst their environment. So, there's an element of it, but there's a very sophisticated set of individuals within government and private practice that have access to that sort of information. So, what we necessarily read in the paper may not be reflective of what's really going on or who's really doing the work, so to speak.
Chris Watson
I think sometimes what's more worrying about it is actually the true scale is unknown, because there's so many organisations that are compromised and don't even know it.
Rebecca Archer
Has the rise of cryptocurrency and other digital currencies made it easier for these attacks to occur or what role I suppose do digital currencies play in these cyber-attacks?
Matthew Green
It's the medium of payment – they’re not accepting cash; they're not accepting credit card – they do want the transaction paid for in some form of cryptocurrency. The default go-to in the early days was send us Bitcoin. It still is requested, but sometimes they're now asking for some of the more obscure privacy coins, which are much more anonymous in their use. But that sort of is the main currency, if you like, of ransomware, even though you'll read in the paper that, you know, the Medibank ransom was, you know, $15 million, or thereabouts. It's whatever the going rate, daily rate equivalent is in the cryptocurrency of request.
Chris Watson
An attractiveness, of course, of cryptocurrencies is the anonymity that it provides. So that's why it is favoured in and of itself as the means for criminals. That's the great thing about crypto, blockchain and cryptocurrencies, obviously, and it is also the worst thing about it from a law enforcement investigative point of view.
Rebecca Archer
And so why should businesses in particular Boards and Directors be interested in cybersecurity right now more so than ever?
Matthew Green
It’s visibility for me, in that if you want a great sort of textbook learning experience, something we think is going to end up in the education curriculums in the coming years is the response that's required for a significant cyber event. The people that are up in lights are not the Chief Information Security Officers, they're not the CIOs, they're not the IT managers or the Chief Risk Officers. It's the Chairman of the Board, it's the CEO, and they're up there making the statements announcing to the market the impact or the event occurring. There are clear indications of Boards’ good governance requirements.
You look at Medibank, as the most recent example of an impact on share price, the change in risk profile that comes with having to now clean up from their event. And there's some literature that's come out in the last couple of days, which suggests costs of somewhere in the order of $700 million, potentially up to near a billion depending on how class actions go. So, we're talking some, again, extreme end of the scale, but extraordinary numbers, extraordinary impact to the organisation, and the shareholders. So, the Boards, those charged with governance, really need to be across this issue. And they need to be across it more than ever because activity is increasing. So, the correlation is that the likelihood of experiencing events is growing as well. So, the risk management needs to be more active, more prudent, if you like.
Chris Watson
Yeah. And I think also, you know, there's more regulatory pressure coming down as well. But also, there's a bit of a circular thing to this, which is that Boards need to care because these incidents that are occurring are now getting the public scrutiny, and I still haven't quite put my finger on why it is now that it's sort of caught the, you know, the public consciousness, if you like, why this is. I'm glad it has, of course, but you know, public opinion, and shareholders are just not going to stand for, as Matt said, poor governance or, you know, that – frankly complacency – of Boards around what data they have, where it’s stored, did they even really need it. I think Matt was telling me a story the other day, I can't quite remember what it was that you were signing up for, or applying for, but you know, they asked for date of birth where they just didn't need to.
So, organisations have really got to take a long hard look at what data they're collecting, why they need to collect it, because guess what, cyberattacks are on the rise, you're very likely, you know, you could be, if not already, a victim of this thing. And then there's not only the regulatory sort of pressure, but then the public opinion and shareholder you know, and public confidence. I get frustrated because it's one of those things you know – they should have always cared.
One of my sort of other rants on this, as you know, with the Medibank hack or compromise, you know, there's a couple of things to it. You know, one is the organisations always say that attacks are sophisticated, right? And undoubtedly, some are, but more often than not, they're really simple attacks. You know, compromise of credentials through phishing is not a sophisticated attack, right? You know, it just isn't, and I kind of understand some of the logic behind describing this as a “dog act” and sort of making it out to be this sort of, you know, even in cyber games, it's the worst of the worst; it's just not true. You know, it just simply isn't true.
As you mentioned, you know, we could do a whole podcast just listing out organisations that have been compromised. So, it's not anything new, you know, there aren't sort of targets that are off limits because of what they do. These gangs, criminals, whether they be at the “hacktivist” end of the scale, whether they be sort of the organised crime, you know, a lot of focus is put on state sponsored, and I get that and understand that, but you know, there's a lot of activity that goes on in organised crime, because it's a really great way of making money anonymously. They know that they can make a lot of money, not only from doing the ransom, but selling the information to other gangs.
You know, so, Medibank is not, you know, an aberrant attack; it is exactly the kind of thing that gangs will go for, because it’s data rich; it's got the information that they want; they know they can make a lot of money out of it. So, Boards need to shave that complacency out.
Rebecca Archer
And I imagine businesses, of course, would understandably have less confidence in their company's approach to IT strategy, and IT risk mitigation. So how should they approach risk mitigation in the cyber world?
Matthew Green
It's a really complex topic, you know. We've seen that through the recent spate of hacks that simple things can be the undoing, and significant undoing, of organisations. So, they need to – businesses – need to adopt a multipronged strategy: you need to do some prevention, you need to do some detection, you need to do a great deal of education. And Chris and I often talk in the context of security is people first; it is absolutely a cultural issue, and once you get the culture right, because you can look at your base of employees and look at them and say, we've got, you know, 1200 risks, or we've got 1200 defensive implements available to us in terms of avoiding the phishing email, of not giving away credentials, of not sharing something inadvertently, because they've had the training, the awareness, so that cyber aware culture is paramount. Then we need to look at the elements of process and looking at it and saying, well, what are our business processes, and how is cyber and protection of data and information built into those.
Then we can look at technology. And you know, that's about buying tools and implementing tools for management, monitoring visibility – all really key components. The challenge there is there are so many organisations that will offer you up so many tools to purchase to solve the security problem, none of which will solve the problem. And many of which, that, you know, Chris, and I would go into say an incident investigation, and we'll see that they own three of the same type of tool and none of them are turned on. So, we've got challenges like that in the technology side of things. And then we have probably one of the bigger challenges, but also one of the big benefits is the third-party ecosystem. And that's because we're outsourcing so much of our technology.
So, we've got to bring the suppliers into our tent. And we really have to manage the ecosystem, in a collaborative team-based way to make sure that we know what our suppliers are doing that may impact on our security, either positively or negatively. So, it really is – it’s that people, process, technology and suppliers – those four elements are really key to addressing the broader issue of cyber risk and cybersecurity.
Chris Watson
100%. And I think, you know, one of the many issues and messages is, you know, there's a lot going on in there, right, but we really, really strong on the need the Boards’ have got to have better people around the table. Much like from a financial perspective, you know, with your CFO, who is, that's what they do; they understand the finances, and they can come and explain that to the Board. And they can explain why if you, you know, allocate money to this particular area, or if you know, if you do R&D, you know, these are the benefits or here's what we miss out if we don't do that. We need to have that at Board level, and we see more and more silos appear, which is great, but that needs to be the person and it needs to be directed to CEO or Director but you can't you know, shouldn't report to a CIO or CTO because it's that important. It needs direct access to the Board to help the Board understand the questions that they need to ask and the answers that they're getting in the context of the overall business.
All too often, as was mentioned around sort of third and fourth party, you know, the response from a Board level is, “Well, we outsource our IT, you know, they deal with the, you know, they look after the security.” There's almost an abrogation of responsibility towards security and an assumption that it is being looked after. Now, my old chestnut of an analogy with this is that it's a bit like your GP. Well, you go to your local GP because you have some generic, you know, sort of symptoms, and the GP is a “general practitioner”, and they will fact find and go, “Okay, you need to go and see a heart specialist or a back specialist.” It's exactly the same for the, you know, the cyber world. Third party IT companies do a fantastic job, but they're not specialists in any one particular area. They're there to sort of give you the, the infrastructure to keep the lights on, to get your emails, to do work on the go.
And provide, you know, yes, a modicum of security, that you need those specialists in there to do exactly as Matt has said. What are the people doing? What are the processes doing? What, you know, what does the technology do? Because, again, you know, the other issue we come up against, “No, we’re okay, we've got a firewall.” You know, one particular client says, “No, we've got a firewall – all these things are segregated.” It was like Swiss cheese. I mean, the rules that were applied to the firewall, well, were just almost nonexistent. So, there's so much sort of the technology will save us, you know, the, you know, the box will save us. But again, it comes back to the people that implement this stuff; the people that manage this and the culture that surrounds it.
Rebecca Archer
And so just on that, any organisations that are feeling maybe a bit overwhelmed at the thought of where do you start, where do you start? Is an audit the best place to sort of get things checked?
Matthew Green
Visibility is a key component here, and it's – cyber is one of those issues where if you, if you can't measure it, you can't manage it. So, a baseline, an audit, a health check is an absolutely important activity. But if you were to Google that, the myriad of responses you get, and the options would be vast and different. The challenge is sifting through all the noise, I think. For an organisation, you know, midsize business, the sector of the economy that propels the broader country along, they don't necessarily have the resources available to them to be able to sift through the noise. So, they need to try and ascertain well, do I follow a framework? Do I ask my IT provider?
As Chris has mentioned, and maybe that's a bit of, you know, fox and henhouse going on there, one of the spots they can start is looking to the Australian Cyber Security Centre, or the ACSC. It's a Government Department, reasonably well funded, that puts a lot of good information out there, and one of their key artefacts or frameworks is called the Essential Eight. And it's eight mitigation strategies for dealing with the, I guess, the most typical aspects of a cyber-attack around sort of prevention, detection and recovery. If any organisation were to take those eight strategies and adopt those, and then work their way through the maturity levels, they would find themselves with a much-improved posture for dealing with cyber risk. So, if there's one thing any listener to this podcast does, it is go out, Google Essential Eight and start the journey on the framework, which does start with an audit and a baseline. They will be setting themselves on a path to better cybersecurity.
Chris Watson
Whatever you do, and this is the same for any area of risk, right. But whatever you do, it's not a one-off exercise. It is something which has to be reviewed regularly, you know. If you have, you know, elements of it. If you talk about BCP, we have a lot of clients coming to us talking about revisiting their BCP in light of ransomware, because the last time their BCP, their Business Continuity Plan, the last time that was written was before ransomware became this sort of big, huge thing, and their organisation doesn't have any way of dealing with it. So, you know, don't just leave these things on a shelf to gather dust, they've got to be revisited.
Cyber is, you know, I think more than almost any other part of the business, the most dynamic, ever changing, you know. Just think about how many times you're getting updates to your iPhone or your Android device. Think about how many, sort of, new pieces of technology. Cyber does not stand still; it changes. And so therefore, you know, the opportunities for vulnerability and the opportunity to attack change. Whatever you do, whether it be education, whether it be testing, whether it be, you know, the sort of controls of your audit process, it has to be a part of the regular program, not just once off.
Matthew Green
There's this notion of a “once-a-year pen test” is sufficient, and we see lots of organisations say, “Oh, we get a pen test done once a year.” The way their risk posture has changed; the exposure that's changed across that 12-month period. It's simply not enough, and it gives many organisations, I think, a false sense of security. And that's one of the things, as practitioners, we’re trying to avoid here around Boards particularly, thinking the annual pen test is enough and getting the false sense of security that comes through that one time activity.
Rebecca Archer
And you mentioned the Australian Cybersecurity Centre earlier. Obviously, they've said that you should understand and practice good cyber security to combat threats, but what exactly comprises good cyber security? I'm thinking on a very practical level, what sorts of things maybe are employees doing that they don't even realise could potentially compromise the broader organisation? And then, can we maybe have a look at some of the external threats that people just need to be really aware of?
Matthew Green
I reckon Chris has got a really good hobbyhorse in this area with regards to employees and that's passwords. Chris and I often discuss, and he laments, the use of passwords and how poorly they are used these days. And Chris, you said in your investigative practices as well.
Chris Watson
Look, yes, absolutely right. You know, I think there's, there's a lot of finger pointing that goes on with cybersecurity. Now, it's the government's fault, or is that, you know, it's the bank's fault. But actually, there's an element of personal responsibility, like any other sort of aspects of life. So, probably the single most sensible thing that any one person can do is employ a robust password, whether it's through a password manager, you know, or you know, passphrases, as opposed to using a password.
But in 30, over 30 years of doing, you know, cyber investigations and cybersecurity, the fact that “password” is still the most, if not the most common password out there, is just mind boggling. And taking a step back, passwords absolutely from an individual perspective, and this is something obviously that, again, Matt and I spoke about at length I think the last time we came together and spoke about cybersecurity, in terms of with the whole working from home, and you know that flexible working arrangements, that there'll be many CIOs or CEOs pulling their hair out, because they've gone from a nice little neat perimeter around their building to, you know, 1600 employees dotted all over the country with their own little vulnerable networks. But, everybody, whether as an individual or as an organisation, the first step is to accept you are potentially vulnerable to an attack. I have yet to meet someone who hasn't had some kind of tech scam or some other business email compromise scam, you know. So, we've got to get rid of this notion that it happens to somebody else, that's the first step. It is out there, it's happening, and it can, if it hasn't already, happen to me.
Matthew Green
And the element of security frustration, as I call it, is a big one, and that's things like multi-factor authentication, logging in and having to put in the one-time password that comes through to text message and things like that. And it's becoming more common, more frequent. Lots more, you know, websites and apps are requiring it, and I think there's a bit of apathy towards it. But it is probably one of the most valuable security controls in the arsenal that we all have, whether that is, you know, for our own logins to our work systems, or whether that's logging into our personal banking app, or even our, you know, mobile phone account these days to get help from your mobile phone provider. That is a really important control to keep adopting, to deal with the frustration of, because there are many of them, but it will most certainly contribute to stopping an incident in its tracks should you be affected by one of these large events. And we're seeing it, you know, SMS scams in this country are going through the roof, largely because of the way the providers manage SMS systems in this country. So, there's a, there's an element there where the providers need to level up on their game to help the individuals, and there's an element there where the individuals need to accept the five or 10 seconds of frustration, because it's good for you.
Chris Watson
Australia is the fifth highest country for scams, you know, for these sorts of tech scams, and we've lost over $300 million this year alone just to the scams. I mean, I was just sort of thinking about, you know, if there were three questions I'd want the Board to ask, you know, if they listen to this podcast, they would be, you know: as a Board, have we read and understood the Essential Eight? When's the last time we tested our systems? And how are we educating our people? I think they’d be three really good starting points.
Rebecca Archer
And I'm getting the impression from the two of you that the question as to whether these cyber criminals have become more sophisticated or whether businesses have become more complacent, it's kind of, the short answer to that is well, yes to both really. But I wonder, is it ever the case that cyber criminals get caught, and then punished for their crime?
Matthew Green
The ones that are not very good do. Yeah, because they don't necessarily know how to hide their tracks well enough, perhaps, or you know, might be a bit greedy, you know, criminals and greed, often the undoing. But the reality is on the internet, it is very easy to mask who you are and where you are, and whilst the very sophisticated criminals have tradecraft that is indicative, when we see the events occur, that particular patterns, particular approaches make it look like ransomware gang X or Y. I think the reality is the ability to track these individuals down, or even if you can track them down, to then track them down to a, you know, maybe a country where we have extradition rights or Interpol type agreements, things of that nature, is very, very difficult.
So, they do operate with a sense of safety in anonymity and technology that helps with that anonymity, and they are very, very sophisticated and very, very professional. So, the gang might be sort of selling their wares, as Chris mentioned earlier, and that will come with a full suite of helpdesk, it will come with the sort of the 1300 number equivalent of ring up and get some help with how to run your ransomware campaign and how to hide your own identity as the perpetrator and things like that. So, they've tested it all, they've sort of worked through the model, and they're probably going to be the last ones to get caught.
Chris Watson
I think the biggest, you know, one of the single biggest issues on this is, Matt’s already mentioned, is the jurisdiction one. If we accept that, you know, these gangs, as they are reported, are from Russia, or Eastern Europe or China, there's just no jurisdictional or political willpower to do anything, you know, to go after these people. So, you do stand more chance of, I think there was a young chap recently called in Sydney for sort of selling data, right. So, because they're not particularly smart, they're not the people who actually carry out these attacks.
So it's unlikely, it's cold comfort, but I think it's just unlikely, you know, again, you know, I think it's only sort of a bit obtuse to say, but you know, rather than being that sort of security chestnut of, you know, the house in the street, you know, rather than being the house in the street that has the open windows and the household goods on show, you know, the front door open, that is an attractive target, be the house that has the CCTV, the guard dog, the locked windows – put them off, move them on. I wouldn't say that hackers or cybercriminals are lazy, but they're certainly looking for the quick win. And if you provide a modicum of defence in depth, they're gonna move on to the next target.
Rebecca Archer
And just finally, are there any new technologies or trends that businesses should have on their radar to maybe mitigate cyber-related crimes?
Matthew Green
I think for many organisations, particularly I referred to midsize business earlier, there's technologies that need to be on their agenda that are well proven, and you know, tried and tested that they just haven't yet implemented. And to, you know, what may be a surprise to many is that multi-factor authentication is not being used by everyone, everywhere – and it needs to be used by everyone, everywhere. There are lots of, sort of, what we refer to as AI technologies that are analysing networks to see patterns of network behaviour and filter out the bad stuff, defend against the hackers trying to get in sort of thing, and that will continue to evolve.
It's generally very expensive technology, so some of the more basic technologies such as online training, as basic as that sounds, and when I say online training, I'm not suggesting we get all of our teams to sit through 40-minute, hour-long training sessions, you know, the new way of doing it, if you like, is sort of the five-minute bite-size, watch it in the elevator sort of thing – that actually makes a difference, and that's sort of that culture building aspect. But as we move to Internet of Everything, Web3, Web4, Internet of Things, you know, people are bringing things to the workplace, people are installing CCTV, as Chris mentioned. These are all technologies which change your security footprint, whether it's your personal security footprint or your work security footprint. So having an awareness of what you're buying, maybe where you're buying it from.
The cheap CCTV system on Alibaba is probably not the greatest choice and might come with a few more holes than you would hope. So some, some of those sorts of technologies are really changing things in terms of people opening up risk, but not necessarily knowing about it. So, there's big change there. Obviously, lots of organisations are adopting cloud in a big way, moving more things to the cloud. So, understanding what that means from a security and risk perspective, making sure that you're buying good providers, turning on all the features that you're buying. And so, it's not necessarily about new technologies. I think for a lot of organisations, it's actually just using the ones they've got better.
Chris Watson
Yeah, that's exactly what I was gonna say mate, is that, you know, there, of course, will be and will always continue to be new and bright and shiny things that will claim to do and actually do some good things. But you know what, just use the stuff that you've already got well, implemented properly, you know, look at the rules, implement that properly. MFA, as Matt says, if it’s there, switch it on, you know. I mean, we've been to clients where they say, “Well, but you know, it will, it will put some of our Senior Executives out if we switch MFA on, you know, while we change over.” You go, “What's more important, irritating the CEO for 10 minutes or, you know, stopping yourself from being compromised?”
I think the other element to it as well, as individuals we work; companies aren't this sort of abstract thing that exist outside of regular life and us as individuals, and more needs to be done. I firmly believe more needs to be done in high school education, for starters, around cybersecurity, you know. There's a lot done around cyber safety for young kids going on the Internet, and that's fabulous; it's really important. But I think there needs to be also additional or a bit more emphasis on what is cyber security? How, you know, again, the password thing, you know, what is a strong password? What are the perils of sharing your password with your friends to play on Xbox, right, which, incidentally, is connected to your home network, which is, incidentally, probably somewhere that you're connecting to your corporate network, right? So, you know, I think the more that we can get that education in will help people to embed this sense of security around our day-to-day life, which will then, we can carry on into our work life so that we're not, we're not falling prey to the tech scams or the email scams, or we are considering what password to use more properly. And I think that will obviously flow into how organisations improve their cybersecurity posture as well.
Rebecca Archer
Matt and Chris, thank you so much for being so generous with your time today. It's been so interesting and informative to speak with you. Now if people are listening to this podcast, and they'd like to hear more or get in touch with you even to learn more specifically about what you do and how you might be able to help them, what's the best way for them to find you?
Matthew Green
Head to the Grant Thornton website; Chris and I are both profiled on there. There's a lot of information about the services we can support our clients with, whether it's an Essential Eight Audit, whether it's, you know, technical penetration testing, incident investigation, whatever the case may be, you'll find our details on there. We'd really like to hear from you.
Chris Watson
Absolutely. We're on LinkedIn so you know if that's your preferred medium of choice, search us up on there.
Rebecca Archer
Thanks for listening to our latest episode. If you liked this podcast and would like to hear more, you can find and subscribe to Grant Thornton Australia on Apple podcasts or Spotify.