The Small Biz Fix

Episode 4: Cybersecurity 101: What’s really important for a busy business owner?

Inside Small Business

In this episode, Mia chats to Fil Strati, Owner of TechSeek about how small business owners can tackle cybersecurity on a budget. Later in the episode, Nick Mann, founder/principal of Polaris Lawyers joins to give first hand insights into keeping your small business cyber secure. 

Mia:

You might not think that your small business is worth a hacker's time, but the reality is being small doesn't necessarily make you safe from a cyber attack. In Australia, 43% of all cyber attacks happen to small businesses and the average small business victim loses a staggering $46,000 in an attack.

Cybercriminals like small businesses because they assume you don't have the time or money for proper cybersecurity. And in a lot of cases, they are unfortunately not wrong. If you're a business owner, you've probably had to compromise on cybersecurity to some degree, if you've had time to think about it at all. So if you're in this position, how do you get on top of your cybersecurity and keep yourself safe from those costly attacks?

Our expert guest today makes a living helping small business owners tackle cybersecurity on a tight budget. Fil Strati owns the small business IT consultancy, TechSeek, and he's here to unpack cybersecurity from a small business angle. Later on, we're also gonna talk to a small business owner who experienced a cyber attack firsthand and discuss how they've since shored up their protection. But first, thank you for joining us, Fil.

Fil:

Thank you for having me.

Mia:

It's a pleasure to have you on the show. So Fil, you work with small business owners every day. Where are you seeing the biggest mistakes when it comes to preventing cyber attacks?

Fil:

Well, we look at both cyber attacks and data breaches when it comes to assessing risks. I mean, it can be things like a staff member managing the company's IT and that relationship goes sour. We've had business partnerships, even when there's maybe husband and wife in the business or just a platonic partnership where somebody leaves the business, but they've essentially got all the keys to the castle. So the partner never really took an interest in the IT side of things. And it can be quite hard to try and take ownership of some of those accounts. Even things like your phone system, like receiving calls and whatnot, your business can pretty much fall apart overnight. There is not taking cyber security seriously. So no 2FA, no endpoint security like your basic antivirus, no encryption of devices, meaning that if someone steals your device or you lose your device, that data is easily accessible.

There's no safeguards like standard operating procedures on how people should adhere to compliance requirements when it comes to IT. There's no planning about it, there's no discussions about it. People are just too trusting with employees. And that's great and it's great for culture, but the issues that we're seeing is things like everybody has access to the same public drive or staff are given things like admin access to everything because it's just too hard to granularise the access levels. People will share the same passwords for the sake of convenience. And your things, and I mean, the ones that are common, you guys will see, you walk up to a client's desk and there's a post-it note with their password stuck at the bottom of the screen. That's probably the most common one. The other one as well is we're hearing, I clicked on a link and I don't think I should have done that, but I've done it now. What do we do? So then there's no sort of, you know, going, there's no sort of any vigilance when it comes to that stuff saying, you know, maybe I should check this with my tech company, my superior, whatever the case, there's a lot of just, you know, acting before you think.

Mia:

So it sounds like a sort of laissez-faire attitude, not taking cyber security seriously, that seems to be where the most people are going wrong from what you've seen, kind of on the ground.

Fil:

It's a very lax, it's a lax sort of thing and that can happen with backup as well. People don't worry about it until it happens to them.

Mia:

Mm. Mm. Mm, yeah. And we're gonna talk a lot about backup later in the episode. But first, Fil and I had a chat before recording for those listening, and Fil said that most cybersecurity breaches could be traced back to human error. So Fil, if you're a small business owner, how can you actually manage the humans in your business, including yourself, to avoid risks?

Fil:

The main one, and you're seeing a lot of this cybersecurity awareness training and you're seeing a lot of cyber insurance companies also trying to enforce this as a requirement or at least a recommendation. But essentially it's helping people determine the legitimacy of an actual email. So knowing things like, you know, is it really from that person? Was I expecting that email? Is it normal to have these sort of attachments? Because I mean, that's something we do just when we're in the thick of it, we just click it and do it and we don't really care.

You know, even paying suppliers that you are not even your suppliers or paying bills that are not even related to you just because you're busy and you've got to get stuff sorted. There's devices as well. Like, you know, you want to limit access to work approved devices on what they can and can't do. So there's the issue of, you know, when you're a small business, you want to kind of have everyone with BYO devices and that has its pros and cons. But if they're going to do that, maybe, you know, there's a certain amount of programs that should or shouldn't run on there or they must have antivirus or they must have encryption or two factor or whatever the case is to try and reduce that risk.

Restricting like we said, restricting access to things that they don't actually need access to. So not just opening the sort of floodgates for this is everything you need. And then, you know, there's even cutting corners, which I see a lot in terms of licensing. So Microsoft's getting a little bit tougher with it now, but you know, you could, you know, once upon a time and still can if you're, if you're buying an office license for home, can share it with five devices. 

But people were sharing that five devices with five users at work. So the CEO is writing a termination letter and everyone's seeing it in their recent documents. So it becomes a bit of a massive breach. And that's not even hack related. That's because just, yeah, trying to save money and cut corners.

Mia:

Now we've sort of covered the risks that people in your business can bring. Let's talk about the sort of day-to-day processes that could make or break your cybersecurity. How do you build these sort of everyday business processes to actually protect your cybersecurity?

Fil:

Look, the SOPs or the standard operating procedures are great. We need to sort of have that sort of awareness or some sort of a procedure to say if you do this, if you're going to bring a device in, do this, if you're going to get a new phone, do this, whatever it is, right? So they're important to discuss. We do go in and talk to clients when we're doing their audits and we'll say, you know, do you have two factor? Do you have this? Do you have that? We'll have a bit of a checklist. We'll give them a checklist. And once we do onboard, then we will talk about things like these are our recommendations, you know, password complexity, encryption, blah, blah, blah. But it's up to them and also we have to be aware of the fact that not all businesses we look after have the same level of budgets and so we try and help them navigate if you're going to go for something, let's start with this first.

So having unique passwords, having the multi-factor authentication, they don't cost you any money. Password vaults, there are subscriptions, but if we have password vaults, we're less likely to start using the same password one for everything or you know, your pet's name or you know, your date of birth and all those common ones people love to use. Encrypting the devices, like I said, pro version of Windows, you don't have to pay anything extra. It's just there, but we're just not using it. Payment identification processes, the procedures. So like, for example, we save our suppliers in our banking and we make sure we just use those. But sometimes instead of doing that, we're like, oh, I can quickly pay this myself and do it on my phone.

An email comes through saying the bank details have been updated. We don't bother to look at it. We just take it at face value and there's that sort of breach and stuff as well. Yeah, like those invoice scams, we're seeing a lot of those at the moment, very, very common. What they tend to do is they will get in usually with a token attack. So someone's clicked on a link to sign into some perceived file that's been given to them. They've surrendered their details over. They'll usually try and get into an account email or finance type email and then wait for conversations about payments coming up and will send a follow-up email to say by the way we've also changed our banking details.

So it's very, very common. And because we're so busy, you know, your bookkeeper may not reconcile those accounts or you might not catch up on payments. And then by the time you realise that both of you haven't really received money, one of you has actually paid into a fraudulent account. So that regular communication, you know, yeah, like I said, payments are a big one and verifying those details. I mean, you see what happened with PECSA and things like that. So those are a must.

We've had a new like we've had a staff member that just started and they got an email saying, it's the boss here. His name is, let's say we'll call him Darren. Darren's the boss. I want you to keep a secret for me. I want to buy some Apple vouchers for all the staff. It's a surprise. So please don't tell anyone. And she's gone and bought the cards. Now that's because as the business grows, there's a bit of a disconnect between you can't just walk up to the manager and say, Hey, great idea, I've got some questions. She was just emailing back and forward. So she then started buying the, we can't protect that. So that's down to, you know, training the actual staff members about what's, you know, what's, what's right and what's wrong.

Mia:

I think when people think cybersecurity, they often think about software, big expensive programs, you know big investments in people that really know computers and having that permanent person. But I imagine for a lot of business owners, these are often out of reach, particularly if you're a micro business or a sole trader. And, you know, maybe you're not included in that typical business plan. We'd love to know what kinds of software you think are worth the investment for small businesses with fewer resources.

Fil:

It all depends on the sensitivity of the data. I mean, I get some people that will say to me, hey, I just went to the seminar on cyber security and we should do penetration testing and we should do this and we should do that. And it's 20 grand for this and it's 10 grand and that's great. But the thing is that same person doesn't have password complexity. That's the same person that's got everyone using the same password because it's just easier. So you need to find that balance between convenience and security. 

I mean, we don't want to have 200 locks on our front door to stop anyone getting in, but then it takes us, you know, four hours to get out of the door. So we have to find that balance and same with small business owners. You've got to find that balance plus the balance. You've got to take into account the cost. So types of software that might be, you know, good for that sort of stuff is, you know, your endpoint protection. It's a must. I mean, you can, it can cost anywhere from like, even $10 a month per device, if not less, depending on that there are bells and whistles that may or may not benefit you. There are things now where there are providers now vendors now that have what's called a SOC. So a security operations center, which will be based in the US or whoever, wherever the vendor's from, and they will monitor the telemetry that comes from the agent that's been installed on your computer and act on it accordingly. So if at two in the morning, I'm asleep and you have a breach on your computer, they can shut that down at that point.

We don't have to wait for, “Hey, while you're asleep your customers' data all got encrypted.” It's just a quickly shut down as quickly as possible and that's getting to the point now where it's so accessible because every other vendor was offering it that you know a couple of dollars device it's a no-brainer. The other one is that the data encryption like I said if you've got a pro version of Windows it takes five minutes to enable it so again people are forgetting about the fact that yes I don't want to get hacked but if someone breaks into my house and picks up my computer all those passports, drivers license, all the stuff that I've been that's even my own personal like I'm going on a trip in July and I've got scans of my passport and my you know everything my itinerary all that sort of stuff like that's just sitting on my desktop I know that if I lose it mid trip or now or whatever it's they can't read the data. It's gonna be a long key that they need to enter in so must must have don't know why you haven't done it yet, but people just don't know right the endpoint security must have.

There's even solutions now and this is what I like doing in my sort of role in the business is going what's out there, what's out there, what's out there. Are we doing enough? Can we do enough? Is it affordable for our client base? Blah, blah, blah. So there's another product now that actually connects into the back end of Office 365 and it will basically monitor all the audit logs that Microsoft provides about anything and everything that's happening in the back end, which we'd have to even if we had a full time analyst in our business, you're not going to sit there and be able to read 200 to 300 logs at once. 

So this thing will pick information that's relevant. So somebody at some time in the morning is downloading a whole heap of files off SharePoint. It'll flag it and you can either set it to flag or you can get it to basically even just shut that account right down. So there's like a detect and there's a response option and each client is different. So we start reading these logs, but people jumping in and changing your email rules. That's a common one. 

They get in and they will start putting in rules that say if anyone mentions spam virus something something to warn you put that email in the bin or put it in a folder where they can't find it and they'll usually create a folder with just a full stop so it just flies under the radar so we're trying to warn you hey you've been breached you're trying to share this dodgy attachment but you're not telling anyone but they're not actually receiving these emails either so all that sort of little things that are happening or somebody like we had a company that was sharing a lot of files externally and they that was part of their procedure and that's why we need to ask the questions but they were all anonymous links so anyone can have access as long as they have the link.

And again, we're saying, well, you need to make it more like registered mail where we actually name the actual email address we're sharing it with so that, you know, if the sense, if the data is sensitive, we don't want anyone just jumping on and reading it. And so these programs allow us to have more eyes on what's happening in that Office 365 ecosystem because everything's living on there now as opposed to on your computer.

Fil:

All that stuff is very cost effective and there's no reason you shouldn't be implementing it even as a small business owner.

Mia:

And where do you Fil go when you're kind of researching these new potential programs for clients, these cost effective programs?

Fil:

So we look online, I mean, there are things like Reddit, there are lots of tech sites. There are forums designed specifically for MSPs.

Mia:

So aside from what we've already discussed, so we've talked about staff training, your standard operating procedures, software, et cetera. What are some other protective measures that you can take to safeguard your business?

Fil:

Look, cyber insurance security or cyber insurance policy, it's not a protective measure in the sense that it's going to stop people hacking your systems, right? But there is a, I mean, again, having these meetings with these guys as well, there's a PR side of things. You know, because reputations can get really damaged severely from this. There's a business interruption side of things. There's cover for mitigation of those sort of infections and things like that. So, cyber insurance is getting cheaper and cheaper and it's still very obtainable for small businesses. 

Mia:

All right, well, you can try and prevent cyber attacks as much as you can, but if your business does get breached, what do you do? I mean, like, who is your first point of contact and what are some steps that you can take if you're in that situation?

Fil:

Look, the first thing I sort of say in terms of, um, you know, getting yourself ready for a cyber attack or, or I guess is to, usually say to my clients, look, just imagine you've walked in and nothing's on, nothing's turning on. What do you do? Who do you call? That's when you can at least start having some sort of a disaster recovery plan to say, first point of call is let the tech company know what's their number, who's, is there account manager? Who do I speak to? Blah, blah, blah.

Then it’s like, right then it's like okay it's um you know if it's a ransomware related and the extent is enormous and like we spoke in that last article if they're over three million, I think it was they need to report within 72 hours so they need to reach out to their cyber insurance provider ASAP and then obviously the tech company if they are using stuff like the programs we talked about where they're doing audit logs on what's happening in 365 or they're using an endpoint detection and response software there are logs being created on what's happening. So at least you can tell these people, hey, I can see that they accessed these files on this day and this is the sort of damage that was done. But usually a cyber insurance provider will provide, as part of the policy. So if you invoke a policy, they will provide their own forensics teams to legally advise what the actual extent of the damage is. The last thing you want to do is go on a sort of advice of your tech provider.

I mean, they can give you lots of information, but from a legal standpoint, the insurance provider needs to provide their own forensics team to actually say, coast is clear because especially when you're dealing with passports, driver's license, all that sort of stuff, you want to make sure that your clients are, you know, they're in the green when it comes to whether their data has been affected. Discuss who and who, you know, who and how you'll inform when the breach comes to your clients as well, because until we know what's been breached, we're not going to say, everyone within breached. You know, quick, quick, you run away, leave us. The best thing to do is to say, we're aware of a breach. This is what happened. Be transparent. And this is how we've contained the breach.

Mia:

Obviously having solid backups of your data is really important to get things back on track as quickly as possible. How should small business owners be backing up their information before an attack?

Fil:

The first thing I need to stress is learn how to actually check the backups are working. So don't leave. The biggest mistake I see is people, I'll go into an audit and I'll say, okay, so what exactly are you backing up? I'm not sure. Do you know when you're backing up? Do you back up to the cloud? Do you back up to a drive? I don't know. The IT guys have got it sorted.

Have that conversation with your IT. I've often had to write an email on behalf of the client, you know, using their email because we don't want to create any sort of tension and whatnot and saying, Hey, can you please answer these questions for me? When am I backing up? What backup software am I using? How often does it happen? Because we are, we are changing programs and the way we do things, especially with small business owners, when we grow our systems break and then we put a new system on, we never go back to the IT company and go, I actually started using stuff on Dropbox now. I don't use that program anymore. Should we back this up as well?

That's conversations not being had. So everyone just assumes that everyone is backing up this stuff. And the other thing as well is like, you know, do you actually need all the data to be backed up? Is it just my SharePoint sites? It's just my, the CFO and the CEO's email. Is it just these documents? You know, sometimes you can spend, you know, six, $700 backing up this server and having images and stuff. And really you have a conversation with them and they say, you know what, we don't really want to use this server moving forward. It's just here, but we just need the files. Well, okay. There's a better alternative that's going to cost us $150 a year to back this up every night because I don't have to take a snapshot of the whole server. It's asking those questions about what really needs to be backed up. Don't assume that Dropbox and OneDrive and Google Drive are storage locations. I mean, they're not backup locations. They're online storage, not online backup.

So looking you know, can I back up my SharePoint to an external provider? How often does it happen? Can I check whether those backups are accessible? All that sort of stuff. 

Mia:

You were quite a proponent of physical backups, like having a hard drive and disconnecting that from the computer. Is that the best way to typically do a backup? Because I know a lot of people do it in the cloud now.

Fil:

Most of our clients, maybe 90%, are all in the cloud. The other thing to ask as well with your IT providers is my data being backed up in the US or here or a different country because some, I think it's medical and I believe dental is the same. Child care would probably be the same, but there are some governing laws that dictate that you can't have your data stored in a server that's outside of Australia. We made sure that whatever was backing up those SharePoint files was in Sydney or Melbourne. So that's another question to ask as well. If you're gonna have an external hard drive, it's just something physical to keep somewhere. Is that drive encrypted so that if someone steals that it can be accessed? Is that drive just connected to your PC where if you get any ransomware and all the files get encrypted, it can jump over to that external hard drive. One of the crazy ones I hear is like, they're using their backup drive to store movies on so they can plug it into their TV. And I'm like, the risk of that corrupting it, it's just, it's like, you know, it's so cheap to buy a hard drive. Just please just buy one specifically for the business.

Mia:

All right, well thank you so much for coming on Fil. I think your insights have been really, really valuable and I hope that we've saved a few businesses from worrisome cyber security practices over the course of these last 35 minutes. So thank you so much.

Mia: 

So talking to an IT professional, seems like there can be a lot for a business owner to think about when it comes to cybersecurity. So how on earth does all this actually fit into a small business's operations day to day? I'm now going to chat to a small business owner who has been through a bit of a journey when it comes to cybersecurity. Nick Mann is the founder of personal injury law firm Polaris Lawyers, and he's upgraded his cyber defenses from literally non-existent to strong and secure. He also experienced a cybersecurity breach along the way, which we'll hear about in a second. But first, Nick, thanks for coming on the show. 

Nick:

Thanks so much for having me, Mia.

Mia:

Awesome to have you. So Nick, your business hasn't always been as cyber secure as it is now. In the past, what were the kinds of things that held you back from upgrading your cyber security?

Nick:

So when I started Polaris, I really had absolutely no idea about cybersecurity. I had a practice management system that I was assured would keep my clients data secure, which was great. But at that stage, I didn't have any clients either. I started from literally from ground zero. And so at a very small scale, that is at one level very easy because cyber security starts and finishes with whatever's on your laptop. 

In the early days, I have this distinct recollection of trying to get through very simple sort of IT or cyber security issues with one of the two staff that came on board in the early days and having people say to us, just contact your support, your IT support team. They can help you handle this. And we were too embarrassed to admit we didn't have any cyber security or tech support at that stage. It was just us trying to muddle through. And so one of the key questions for us was as we grew, what protections should we put in place? What protections could we afford to put in place? And then what was appropriate for not just the size and scale of the business at that given time, but also where we wanted to be in 12 or 18 months. 

Mia:

And was there anything in particular that made you start taking cyber security more seriously or was it just something that you kind of knew in the back of your mind that you should be doing better but you didn't really have say the knowledge or the money or you know the scale to do that yet?

Nick:

Yeah, I think we had a good awareness of the need from an early stage. The how of it was trickier for us because we understand we're dealing with, in personal injuries work, we're dealing with client sensitive information all the time. So on any given day we're looking through clients' medical records, tax returns, it's deeply personal for the clients and the information they're providing us is sort of backed by a leap of faith that they make to hand over all of this information about their lives to a lawyer. And so I think the why of it for us always resonated.

Mia:

Yeah, with that kind of customer base. Yeah.

Nick:

Yeah exactly right and I know that there's a bit of a perception that law firms are low-hanging fruit because of their sort of low tech savvy but also because they're dealing with financial personal information that is ripe for the picking we recognised that from the outset and we took some steps in the early stages to do things like cyber security audits and the like but it probably wasn't until COVID came around when we had more people working from home that we really and a larger organisation so even at the start of COVID sort of eight to ten staff at that stage thinking well how is this information secure or with folks working hybrid, you know, they're connected to the wifi at a cafe. The screen is there in public view. How do we secure this information for our clients?

Mia:

I mean, speaking with Fil in the first half of this episode, we learnt that cybersecurity breaches pretty much always come down to a human mistake. And you know, this can happen to everyone. I'm not being accusatory here. And I'm interested to know, Nick, how you manage the humans in your business to stay cyber secure.

Nick:

Yeah, absolutely. I think a large part of that starts with the onboarding. And we've also put in place quite a bit as we go to stress test our systems and our people, you know, and put in place some backups and supports training, but also some white hat testing to test our staff. We can have all of the tech systems and redundancies in the world.

But if our staff aren't appropriately trained and we don't have the systems in place that mean that they're picking up potential risk, then the job is only halfway done.

Mia:

And I understand that you actually experienced a cybersecurity breach in your business last year. Can you tell us a bit about what happened with that?

Nick:

We had an issue with some of our onboarding that meant that staff who were trying to get online very quickly, like we doubled the size of our business in two years from 15 staff to 30. And part of that meant, you know, bringing people online very quickly. And some of our folks were very eager to respond to any email that was asking for their credentials that got them online. And unfortunately, one of the things that we had was that some of those new staff, as we look to sort of unsilo information and our authorisations, some of those staff had higher levels of authority than we really needed in terms of access to the systems. And had someone into our system because they were credentialed in. A huge learning for us in terms of who has access to what information and authorisations, but also another sort of stress test for us in terms of onboarding new staff and how we can do that in a way that can help scale the business quickly but carefully, safely. We were very lucky in hindsight. There was some good luck, some good management. So because of the systems we had in place, the breach meant that no Polaris or client money was changed hands. And that was the principal purpose of the breach.

Mia:

Do you mind maybe at a more top level to protect your own cyber security explaining what it was that actually stopped that cyber breach from going further?

Nick:

It was actually someone within our company who flagged an unusual request. And we then dug back into that and saw that another unusual request had come through. And at that stage, you know, it was a small business. We can pack it down pretty quickly. So, everyone's passwords were changed, we were able to go in and really look at the historical and what had been going on there and really quarantine any potential further risk. 

We had, for a long time, talked about getting cyber insurance and it had been on our to-do list and to her eternal credit our ops director before she went on parental leave said this is something we absolutely need to cover off on before I go. We did and that was a matter of months before we had our breach so we had access to cyber insurance and I don't know what we would have done without it.

Nick:

So to a granular level, a slightly frightening level, they're able to establish exactly what movement is going on in our system. And so, yeah, that really gave us some comfort around exactly what had gone on, where the breach had occurred, the fact that it was limited to these particular occurrences.

And you know also to give you a sense that this had been on our mind and something we'd been working towards prior to you know prior to the attempt we had a cyber audit with Annie Hager who is you know sort of a giant of this space I think and she'd given us a report and made recommendations which we took up and which ultimately I think led to us being way better positioned to respond and to protect ourselves and our clients. Well, helping to broker cyber insurance was among them and also some recommendations about changes to our systems, which I think made us more robust in the face of what is going to occur in the life of any small to medium sized business, particularly knowing that hackers are targeting law firms because we have a lot of clients' money and we're moving it a lot and we also have access to a lot of data.

Mia:

And who was your first port of call after you noticed that this happened?

Nick:

Our first port of call was TechSeek, so Fil and the team. And my inclination was to shut the entire firm down for 48 hours until we got to the bottom of it. We worked through a series of steps that we could take immediately with Fil and the team and they were brilliant. And then I called Annie to let her know. And then we got onto our cyber insurance people who are really brilliant in connecting us with a forensic IT team and a set of lawyers who could help sort of make the appropriate declarations to any affected clients. It was surprising to me, I mean, the amount of information that was accessed for clients was relatively low in the end because that wasn't the purpose. They weren't seeking to download large swathes of information about our clients. And a lot of that's protected by a practice management system.

It was sort of incredible to- I said to clients, call me directly. I'll talk you through it. And I think I received one call, one call. People now are sort of inert to the fact that this might be something that occurs in their online transactions and their dealings with people. But I don't think that means that we should be blasé about it either.

I don't think the client response, or the general perception that, yeah, this is going to happen from time to time should mean that we take our foot off the accelerator when we think about cyber security.

Mia:

Yeah, absolutely. And it sounds like you had access to quite a few resources, especially around the responding to the attack part of this. We'd love to quickly talk about the software and services that you have bought for your business. Because I know this is the sort of thing that can really rack up in cost, especially for a small business. What kind of programs has your business invested in to stay cyber secure that you think have really been worth it in terms of software?

Nick:

Yeah, so we've got a couple of things that we've implemented. One in relation to phishing testing. So our team is now routinely pinged with suspicious emails that they can report as phishing and those are basically add-ons and a couple of products that Fil and the team have recommended at fairly low cost to us. And the other big...

There are two other pieces there. We also have KnowBe4 training for our staff. So that's new and existing original staff all get a requirement to go through that training periodically so that we're up to date. But the other thing that's been really integral, I think, and we're rolling this out at the moment with Fil, is real-time reporting. So not I come into the office and I see that someone has been trying to access our system from overseas, but that in the middle of the night, the system detects that someone from an unexpected location is trying to access our system and shuts off that access immediately.

So that real-time response and reporting is something that Fil and I have worked on and he's been strongly recommending so we're rolling that out which I think is going to give him so much peace of mind. When another breach is attempted could we take the response from into immediate, you know, an immediate sort of prophylactic response to shut that person out of the system. And some of that is about limiting any potential damage, preventing a breach at all. But a big part of it is my peace of mind, the peace of mind of our staff and our clients that at two in the morning when the office is shut, we're not wondering about whether someone's trying to breach our system.

Mia:

Well Nick, thank you so much for talking to me about your cyber security profile in your business and especially about the cyber breach. I'm so glad that you know, the worst didn't happen for that and yeah it was fantastic having you on the show so thank you.

Nick Mann:

Thanks so much for having me there. It's great to chat with you.