The cyber world: where are we now?

Rebecca Archer 

Welcome to Navigating the New Normal, Grant Thornton’s podcast exploring trends in business and the marketplace. I'm Rebecca Archer, and today I am joined by Matthew Green, Partner and Controls Assurance Specialist, and Chris Watson, Partner and previously a Detective in the Computer Crime Unit City of London Police.

With cyber security being the number one issue for Australian Directors and businesses and given recent cyber-attacks that we've all heard about in the news, the issue of cyber security and data protection has never been more prevalent.

Welcome, Matthew and Chris, and thank you for your time today.

Chris Watson

Thank you very much for having us on.

Matthew Green

Thanks Rebecca.

Rebecca Archer 

So much has happened since our last podcast on cybersecurity. What's new? What's the latest? What can you tell me about updates in this space?

Matthew Green

I don't think there's anything new going on, and I think I could probably speak for Chris in that regard as well, because this feels a lot like what we're used to. It's just now I think we've got some really high-profile incidents; they've hit the mainstream media, and they've hit the mainstream media in a big way. So, visibility has really changed. And that's the main change here, I think. Yes, the crims are doing things a bit differently, a little more sophistication, a little more business savvy to their service, but in reality, this has been going on for forever, in a day, we're just hearing more about it. And I think as individuals feeling more of it more directly.

Chris Watson

I'm always reminded of – I don't know if it's a saying or a song lyric – but it's, “the more things change, the more they stay the same.” It is one of those frustrations, where, you know, it's reported widely saying, you know, that you know, the emerging cybercrime… it's not! You know, WannaCry was back in 2017, Petya was 2017, non-Petya was 2018. Right, you know, these things, you know, and even they weren't necessarily that new, right, you know. So, it's been with us for quite some time, I think, to pick up on Matt’s point, I think, actually, you know, where it's really changed in the last few years is that, you know, if you want to call it the “Dark Web”, or the, you know, Cybercrime – however you want to sort of romantically refer to these people is, they have actually become over the last probably sort of five to ten years very much more business-oriented, far more organised.

And there's the you know, there really is that when it talks about sort of the dark web economy, which again, has been saying has been spoken about for absolutely years, but, you know, we're seeing now that really, really being quite an efficient to set up behind the scenes are things where we have to be, you know, somewhat careful when talking about ransomware, as if you pay the ransom, that's the end of it, because you know, these gangs are, they know that they can make a lot of money from washing your data a number of different ways. One is through ransom, and one is through selling our data and money through selling the exploit that I used to get into systems in the first place. So, look you know, “the more things change, the more they stay the same” – it’s sort of new wine on bottles.

Rebecca Archer 

Would you say that state sponsored cyber-attacks are on the rise? Or is it just, as Matt pointed out, it's more visible, there's more attention from the media being paid to this issue?

Chris Watson

It's incredibly tough. If you're not in the security services to gauge accurately, certainly, it's being reported more in the media, I think there's certainly more attention. Sometimes I feel it's a useful headline to have, you know, from both politics and to call out state sponsored. But I think, again, more you've got, what we have to remember is, is that, you know, attacks, you can be a spotter youth in your basement, and you can go into whichever dark corner of the web, and you can download a pre-prepared hacking kit. They're not sophisticated and half the problems with the ransomware attacks are that these are launched by people who don't know what they're doing, using tools that have not really been tested, and you can't decrypt the data.

And there's a real scale of attackers out there or threat actors or however you want to describe them, you know, we still have those so called “script kiddies”, you know, people just go out and, and sort of get a package off the internet because they want to have a go and sort of digital vandalism through to state sponsored without a shout out, but it goes on, I think it's really hard to say that it's increased. Again, I think it's something that has gone on since time in a mooring. But it's certainly something that is far more topical, given what's going on in the world, whether it be you know, Ukraine or whether it be tensions with China, whether it be sort of ongoing tensions with Russia, you know, it's it's definitely something that is out there and has its peaks and troughs.

Matthew Green

Yeah, there's a notion that the state sponsored activity may well be increased due to sanctions that exist at the moment, and that's their way of obtaining a cryptocurrency, which they then convert to US dollars and fund their activities. The notion of things like your Medibanks and your Optus-es being hacked by the large hacking groups, there is some suggestion that they are state sponsored or supported or you know, allowed to operate with impunity in and amongst their environment. So, there's an element of it, but there's a very sophisticated set of individuals within government and private practice that have access to that sort of information. So, what we necessarily read in the paper may not be reflective of what's really going on or who's really doing the work, so to speak.

Chris Watson

I think sometimes what's more worrying about it is actually the true scale is unknown, because there's so many organisations that are compromised and don't even know it.

Rebecca Archer 

Has the rise of cryptocurrency and other digital currencies made it easier for these attacks to occur or what role I suppose do digital currencies play in these cyber-attacks?

Matthew Green

It's the medium of payment – they’re not accepting cash; they're not accepting credit card – they do want the transaction paid for in in some form of cryptocurrency. The default go-to in the early days was send us Bitcoin. It still is requested, but sometimes they're now asking for some of the more obscure privacy coins, which are much more anonymous in their use. But that sort of is the main currency, if you like, of ransomware, even though you'll read in the paper that, you know, the Medibank ransom was, you know, $15 million, or there or there abouts. It's whatever the going rate, daily rate equivalent is in the crypto currency of request.

Chris Watson

An attractiveness, of course, of crypto currencies is the anonymity that it provides. So that's why it is favoured in of itself as the means for criminals that the great thing about crypto, blockchain and crypto currencies, obviously, and it is also the worst thing about it from a from a law enforcement investigative point of view.

Rebecca Archer 

And so why should businesses in particular Boards and Directors be interested in cybersecurity right now more so than ever?

Matthew Green

It’s visibility for me, in that if you want to a great sort of textbook, learning experience, something we think there's going to end up in the education curriculums in the in the coming years is the response that's required for a significant cyber event. The people that are up in lights are not the Chief Information Security Officers, they're not the CIOs, they're not the IT managers or the Chief Risk Officers. It's the Chairman of the Board, it's the CEO, and they're up there making the statements announcing to the market, the impact or the event occurring. There are clear indications of Boards’ good governance requirements.

You look at Medibank, as the most recent example of an impact on share price, the change in risk profile that comes with having to now clean up from their event. And there's some literature that's come out in the last couple of days, which suggests costs of somewhere in the order of $700 million, potentially up to near a billion depending on how class actions go. So, we're talking some, again, extreme end of the scale, but extraordinary numbers, extraordinary impact to the organisation, and the shareholders. So, the board's those charged with governance really need to be across this issue. And they need to be across it more than ever because activity is increasing. So, the correlation is that the likelihood of experiencing events is growing as well. So, the risk management needs to be more active, more prudent, if you like.

Chris Watson

Yeah. And I think also, you know, there's more regulatory pressure coming down as well. But also, there's a bit of a circular thing to this, which is that Boards need to care because these incidents that are occurring are now getting the public scrutiny, and I still haven't quite put my finger on why it is now that it's sort of caught the, you know, the public consciousness, if you like, why this is. I'm glad it has, of course, but you know, public opinion, and shareholders are just not going to stand for, as Matt said, poor governance or, you know, that – frankly complacency – of Boards around what data they have, where it’s stored, did they even really need it. I think Matt was telling me a story the other day, I can't quite remember what it was that you were signing up for, or applying for, but you know, they asked for date of birth where they just didn't need to.

So, organisations have really got to take a long hard look at what data they're collecting, why they need to collect it, because guess what, cyberattacks are on the rise, you're very likely, you know, you could be, if not already, a victim of this thing. And then there's not only the regulatory sort of pressure, but then the public opinion and shareholder you know, and public confidence. I get frustrated because it's one of those things you know – they should have always cared.

One of my sort of other rants on this as you know, with the Medibank hack or compromise you know, there's a couple of things to it you know, one is the organisation's always say that attacks are sophisticated, right? And undoubtedly, some are but very often than not, they're really simple attacks. You know, compromise of credentials through phishing is not a sophisticated attack, right? You know, it's just, it just isn't and, and I kind of understand some of the logic behind describing this as a “dog act” and sort of making it out to be this sort of, you know, even in Cyber Games, it's the worst of the worst, it's just not true. You know, it just simply isn't true.

As you mentioned, you know, we could do a whole podcast just listing out organisations that have been compromised. So, it's not, it's not anything new, you know, there aren't sort of targets that are off limits, because of what they do. These gangs, criminals, whether they be a “hactivist” end of the scale, whether they be sort of the organised crime, you know, a lot of focus is put on state sponsored, and I get that and understand that, but you know, there's a lot of activity that goes on in organised crime, because it's a really great way of making money anonymously. They know that they can make a lot of money, not only from doing the ransom, but selling the information to other gangs.

You know, so, it's not, you know, Medibank, you know, an aberrant attack, it is exactly the kind of thing that gangs will go for, because it’s data rich; it's got the information that they want; they know they can make a lot of money out of it. So, Boards need to shave that complacency out.

Rebecca Archer 

And I imagine businesses, of course, would understandably have less confidence in their company's approach to IT strategy, and IT risk mitigation. So how should they approach risk mitigation in the cyber world?

Matthew Green

It's a really complex topic, you know. We've seen that through the recent spate of hacks that simple things can be the undoing, and significant undoing, of organisations. So, they need to – businesses – need to adopt a strategy of multipronged – you need to do some prevention, you need to do some detection, you need to do a great deal of education. And Chris and I often talk in the context of security is people first; it is absolutely a cultural issue, and once you get the culture right, because you can look at your base of employees and look at them and say, we've got, you know, 1200 risks, or we've got 1200 defensive implements available to us in terms of avoiding the phishing email, of not giving away credentials, of not sharing something inadvertently, because they've had the training, the awareness, so that, that cyber aware culture is paramount. Then we need to look at the elements of process and looking at it and saying, well, what are our business processes, and how is cyber and protection of data and information built into those.

Then we can look at technology. And you know, that's about buying tools and implementing tools for management, monitoring visibility – all really key components. The challenge there is there are so many organisations that will offer you up so many tools to purchase to solve the security problem, none of which will solve the problem. And many of which, that, you know, Chris, and I would go into say an incident investigation, and we'll see that they own three of the same type of tool and none of them are turned on. So, we've got challenges like that in the technology side of things. And then we have probably one of the bigger challenges, but also one of the big benefits is the third-party ecosystem. And that's because we're outsourcing so much of our technology.

So, we've got to bring the suppliers into our tent. And we really have to manage the ecosystem, in a collaborative team-based way to make sure that we know what our suppliers are doing that may impact on our security, either positively or negatively. So, it really is – it’s that people, process, technology and suppliers – those four elements are really key to addressing the broader issue of cyber risk and cybersecurity.

Chris Watson

100%. And I think, you know, one of the many issues and messages is, you know, there's a lot going on in there, right, but we really, really strong on the need the Boards’ have got to have better people around the table. Much like from a financial perspective, you know, with your CFO, who is, that's what they do; they understand the finances, and they can come and explain that to the Board. And they can explain why if you, you know, allocate money to this particular area, or if you know, if you do R&D, you know, these are the benefits or here's what we miss out if we don't do that. We need to have that at Board level, and we see more and more silos appear, which is great, but that needs to be the person and it needs to be directed to CEO or Director but you can't you know, shouldn't report to a CIO or CTO because it's that important. It needs direct access to the Board to help the Board understand the questions that they need to ask and the answers that they're getting in the context of the overall business.

All too often it was mentioned around sort of third and fourth party, you know, the response from a Board level is what we outsource our IT, you know, they deal with the you know, they look after the security there's almost an abrogation of responsibility towards security and an assumption that is being looked after. Now, my old chestnut of an analogy with this is that it's a bit like your GP. Well, you go to your local GP because you have some generic, you know, sort of symptoms, and the GP is a “general practitioner”, and they will fact find and go, “Okay, you need to go and see a heart specialist or an or a back specialist.” It's exactly the same for the, you know, the cyber world, third party IT companies do a fantastic job, but they're not specialists in any one particular area. They're there to sort of give you the, the infrastructure to keep the lights on, to get your emails to do work on the go.

 And provide, you know, yes, a modicum of security, that you need those specialists in there to do exactly as Matt has said. What are the people doing? What are the processes doing? What, you know, what does the technology do? Because, again, you know, the other issue we come up against, “No, we’re okay, we've got a firewall.” You know, one particular client says, “No, we've got a firewall – all these things are segregated.” It was like Swiss cheese. I mean, the rules that were applied to the firewall, well, were just almost nonexistent. So, there's so much sort of the technology will save us, you know, the, you know, the box will save us. But again, it comes back to the people that implement this stuff; the people that manage this and the culture that surrounds it.

Rebecca Archer 

And so just on that, any organisations that are feeling maybe a bit overwhelmed at the thought of where do you start, where do you start? Is an audit the best place to sort of get things checked?

Matthew Green

Visibility is a key component here, and it's – cyber is one of those issues where if you, if you can't measure it, you can't manage it. So, a baseline, an audit, a health check is an absolutely important activity. But if you were to Google that, the myriad of responses you get, and the options would be vast and different. The challenge is sifting through all the noise, I think. For an organisation, you know, midsize business, the sector of the economy that propels the broader country along, they don't necessarily have the resources available to them to be able to sift through the noise. So, they need to try and ascertain well, do I follow a framework? Do I ask my IT provider?

As Chris has mentioned, and maybe that's a bit of, you know, fox and henhouse going on there, one of the spots they can start is looking to the Australian Cyber Security Centre, or the ACSC. It's a Government Department reasonably well funded, puts a lot of good information out there, and one of their key artefacts or frameworks is called the Essential Eight. And it's eight mitigation strategies for dealing with the, I guess, the most typical aspects of a cyber-attack around sort of prevention, detection and recovery. If any organisation were to take those eight strategies and adopt those, and then work their way through the maturity level, they would find themselves with a much-improved posture for dealing with cyber risk. So, if that's, if there's one thing any listener to this podcast does is goes out, Googles Essential Eight and starts the journey on the framework, which does start with an audit and a baseline. They will be setting themselves on a path to better cybersecurity.

Chris Watson

Whatever you do, and this is the same for any area of risk, right. But whatever you do, it's not a one off exercise. It is something which has to be reviewed regularly, you know. If you have, you know, elements of it. if you talk about BCP, we have a lot of clients coming to us talking about revisiting their BCP in light of ransomware, because the last time their BCP, their Business Continuity Plan, the last time that was written was before ransomware became this sort of big, huge thing, and their organisation doesn't have any way of doing it. So, you know, don't just leave these things on a shelf to gather dust, they've got to be revisited.

Cyber is, you know, I think more than almost any other part of the business, the most dynamic, ever changing, you know. Just think about how many times you're getting updates to your iPhone or your Android device. Think about how many, sort of, new pieces of technology. Cyber does not stand still; it changes. And so therefore, you know, the opportunities for vulnerability and the opportunity to attack change. Whatever you do, whether it be education, whether it be testing, whether it be, you know, the sort of controls of your audit process, it has to be a part of the regular program, not just once off.

Matthew Green

There's this notion of a “once-a-year pen test” is sufficient, and we see lots of organisations say, “Oh, we get a pen test done once a year.” The way their risk posture has changed; the exposure that's changed across that 12-month period. It's simply not enough, and it gives many organisations, I think, a false sense of security. And that's one of the things, as practitioners, we’re trying to avoid here around Boards particularly, thinking the annual pen test is enough and getting the false sense of security that comes through that one time activity.

Rebecca Archer 

And you mentioned the Australian Cybersecurity Centre earlier. Obviously, they've said that you should understand and practice good cyber security to combat threats, but what exactly comprises good cyber security? I'm thinking on a very practical level, what sorts of things maybe are employees doing that they don't even realise could potentially compromise the broader organisation? And then, can we maybe have a look at some of the external threats that people just need to be really aware of?

Matthew Green

I reckon Chris has got a really good hobbyhorse in this area with regards to employees and that's passwords. Chris and I often discuss, and he laments, the use of passwords and how poorly they are used these days. And Chris, you said in your investigative practices as well.

Chris Watson

Look, yes, absolutely right. You know, I think there's, there's a lot of finger pointing that goes on with cybersecurity. Now, it's the government's fault, or is that, you know, it's the bank's fault. But actually, there's an element of personal responsibility, like any other sort of aspects of life. So, probably the single most sensible thing that any one person can do is employ a robust password, whether it's through a password manager, you know, or you know, passphrases, as opposed to using a password.

But in 30, over 30 years of doing, you know, cyber investigations and cybersecurity, the fact that “password” is still the most if not the most common password out there, is just mind boggling. And taking a step back, passwords absolutely from an individual perspective, and this is something obviously that, again, Matt and I spoke about at length I think the last time we came together and spoke about cybersecurity in terms of with the whole working from home, and you know that flexible working arrangements that there'll be many CIOs or CEOs were pulling their hair out, because they've gone from a nice little neat perimeter around their building to, you know, 1600 employees are dotted all over the country with their own little vulnerable networks. But, everybody whether as an individual and as an organisation, the first step is to accept you are potentially vulnerable to an attack. I have yet to meet someone who hasn't had some kind of tech scam or some other business email compromised scam, you know. So, we've got to get rid of this notion that it happens to somebody else, that's the first step. It is out, it's happening, and it can, if not, already happen to me.

Matthew Green

And the element of security frustration, as I call it, is a big one, and that's things like multi-factor authentication, logging in and having to put in the onetime password that comes through to text message and things like that. And it's becoming more common, more frequent. Lots more, you know, websites and apps are requiring it, and I think there's a bit of apathy towards it. But it is probably one of the most valuable security controls in the arsenal that we all have, whether that is, you know, for our own logins to our work systems, or whether that's logging into our personal banking app, or even our, you know, mobile phone account these days to get help from your mobile phone provider. That is a really important control, to keep adopting, to deal with the frustration of, because there are many of them, but it will most certainly contribute to stopping an incident in its tracks should you be affected by one of these large events. And we're seeing it you know, SMS scams in this country are going through the roof, largely because of the way the providers manage SMS systems in this country. So, there's a, there's an element there where the providers need to level up on their game to help the individuals, and there's an element there where the individuals need to accept the five or 10 seconds of frustration, because it's good for you.

Chris Watson

Australia is the fifth highest country for scams, you know for for these sort of tech scams, and we've lost over $300 million this year alone just to the scams. I mean, I was just sort of thinking about, you know, if there were three questions, I'd want the Board to ask, you know, if they listen to this podcast would be, you know, as a Board, have we read and understood the Essential Eight? When's the last time we tested our systems? And how are we educating our people? I think they’d be three really good starting points.

Rebecca Archer 

And I'm getting the impression from the two of you that the question as to whether these cyber criminals have become more sophisticated or whether businesses have become more complacent, it's kind of, the short answer to that is well, yes to both really. But I wonder, is it ever the case that cyber criminals get caught, and then punished for their crime?

Matthew Green

The ones that are not very good do. Yeah, because they don't necessarily know how to hide their tracks well enough, perhaps or you know, might be a bit greedy, you know, criminals and greed, often the undoing. But the reality is on the internet, it is very easy to mask who you are and where you are, and whilst the very sophisticated criminals have tradecraft that that is indicative when we see the events occur that particular patterns, particular approaches make it look like ransomware gang X or Y. I think the reality is the ability to track these individuals down or even if you can track them down to then track them down to a, you know, maybe a country where we have extradition rights or Interpol type agreements, things of that nature is very, very difficult.

So, they do operate with a sense of safety in anonymity and technology that helps with that anonymity, and they are very, very sophisticated and very, very professional. So, the gang might be sort of selling their wares, as Chris mentioned earlier, and that will come with a full suite of helpdesk, it will come with the sort of the 1300 Number equivalent of ring up and get some help with how to run your ransomware campaign and how to hide your own identity as the perpetrator and things like that. So, they've tested it all, they've sort of worked through the model, and they're probably going to be the last ones to get caught.

Chris Watson

I think the biggest you know, one of the single biggest issues on this is, Matt’s already mentioned, is the jurisdiction one. If we accept that, you know, these gangs, as they are reported from Russia, or Eastern Europe or China, there's just no jurisdictional or political willpower to do anything, you know, to go after these people. So, you do stand more chance of I think there was there wasn't any young chap recently called in Sydney for sort of selling data, right. So, because they're not particularly smart, they're not the people actually carry out these attacks.

So it's unlikely, it's cold comfort, but I think it's just unlikely, you know, again, you know, I think it's only sort of bit obtuse to say, but you know, rather than being that sort of security, chestnut of, you know, the house in the street, you know, rather than being the house in the street that has the open windows and the household goods on show, we know the front door open, that is an attractive target, be the house that has the CCTV, the guard dog, the locked windows – put them off, move them on. I wouldn't say that hackers or cybercriminals are lazy, but it's certainly looking for the quick win. And if you provide a modicum of defense in depth, they're gonna move on to the next target.

Rebecca Archer 

And just finally, are there any new technologies or trends that businesses should have on their radar to maybe mitigate cyber-related crimes?

Matthew Green

I think for many organisations, particularly I referred to midsize business earlier, there's technologies that need to be on their agenda that are well proven, and you know, tried and tested that they just haven't yet implemented. And to, you know, what may be a surprise to many is that multi-factor authentication is not being used by everyone, everywhere – and it needs to be used by everyone, everywhere. There are lots of, sort of, what we refer to as AI technologies that are analysing networks to see patterns of network behaviour and filter out the bad stuff, defend against the hackers trying to get in sort of thing, and that will continue to evolve.

It's generally very expensive technology, so some of the more basic technologies such as online training, as basic as that sounds, and when I say online training, I'm not suggesting we get all of our teams to sit through 40 minute, hour long training sessions, you know, the new way of doing it, if you like, is sort of the five minute bite size, watch it in the elevator sort of thing – that actually makes a difference, and that's sort of that culture building aspect. But as we move to Internet of Everything, Web3, Web4, Internet of Things, you know, people are bringing things to the workplace, people are installing CCTV, as Chris mentioned. These are all technologies, which change your security footprint, whether it's your personal security footprint or your work security footprint. So having an awareness of what you're buying, maybe where you're buying it from.

The cheap CCTV system on Alibaba is probably not the greatest choice and might come with a few more holes than you would hope. So some, some of those sorts of technologies are really changing things in terms of people opening up risk, but not necessarily knowing about it. So, there's big change there. Obviously, lots of organisations are adopting cloud in a big way, moving more things to the cloud. So, understanding what that means from a security and risk perspective, making sure that you're buying good providers, turning on all the features that you're buying. And so, it's not necessarily about new technologies. I think for a lot of organisations, it's actually just using the ones they've got better.

Chris Watson

Yeah, that's exactly what I was gonna say mate, is that you know, that they're, of course, will be and will always continue to be new and bright and shiny things that will claim to do and actually do some good things. But you know, what, just use the stuff that you've already got well, implemented properly, you know, look at the rules, implement that properly. MFA as Matt says, if it’s there, switch it on, you know, I mean, we've been to clients where they sit well, but you know, it will, it will put some of our Senior Executives out if we switch MFA on you know, while we change over. You go, “What's more important, irritating the CEO for 10 minutes or you know, stopping yourself from being compromised”?

I think the other element to it as well, as individuals we work; companies aren't this sort of abstract thing that exist outside of regular life and us as individuals, and more needs to be done. I firmly believe more needs to be done in high school education, for starters, around cybersecurity, you know. There's a lot less done around cyber safety for young kids going on the Internet, and that's fabulous; it's really important. But I think there needs to be also additional or a bit more emphasis on what is cyber security? How, you know, again, the password thing, you know, what is a strong password? What are the perils of sharing your password with your friends to play on Xbox, right, which is, incidentally, is connected to your home network, which is, incidentally, probably somewhere that you're connecting to your corporate network, right? So, you know, I think the more that we can get that education in will help people to embed this sense of security around our day-to-day life, which will then, we can carry on into our work life so that we're not, we're not falling prey to the tech scams or the email scams or we are considering what password to use more properly. And I think that will obviously flow into how organisations improve their cybersecurity posture as well.

Rebecca Archer 

Matt and Chris, thank you so much for being so generous with your time today. It's been so interesting and informative to speak with you. Now if people are listening to this podcast, and they'd like to hear more or get in touch with you even to learn more specifically about what you do and how you might be able to help them, what's the best way for them to find you?

Matthew Green

Head to the Grant Thornton website; Chris and I both profiled on there. There's a lot of information about the services we can support our clients with, whether it's an Essential Eight Audit, whether it's you know, technical penetration testing, incident investigation, whatever the case may be, you'll find our details on there. We'd really like to hear from you.

Chris Watson

Absolutely. We're on LinkedIn so you know if that's your preferred medium of choice, search us up on there.

Rebecca Archer 

Thanks for listening to our latest episode. If you liked this podcast and would like to hear more, you can find and subscribe to Grant Thornton Australia on Apple podcasts or Spotify.