
The Canberra Business Podcast
A podcast about all things Canberra Business.
Cybersecurity Strategies for Small Businesses and NFPs
We discuss key strategies to safeguard your small business from the world of cyber threats in our latest episode featuring cybersecurity expert Roger Smith from Care Managed IT. With cyberattacks on the rise, especially ransomware, small businesses and non-profits are more vulnerable than ever. Roger offers invaluable insights into the Essential 8 strategy, emphasizing the importance of multi-factor authentication and other protective measures that can make all the difference. Listen as we uncover the profound impact of cyber threats, which can cripple operations and challenge compliance, while laying out a blueprint to bolster your digital defenses.
This episode is supported by CareSuper.
Hello and welcome to the Canberra Business Podcast. I'm Greg Harford, your host from the Canberra Business Chamber, and today we're talking cyber security with Roger Smith from Care MIT. Roger, welcome to the podcast.
Speaker 2:Thank you, Greg.
Speaker 1:Look, it's great having you here, and cybersecurity is one of those issues that people are often thinking about, perhaps thinking it's something for other people to worry about, though, and thinking it's something that can be put off till tomorrow. Do you want to tell us? Is that right?
Speaker 2:No, definitely not. One of the biggest problems we've got in our industry is actually convincing people that cyber security is an ongoing problem that we really have to address as much as possible. One of the biggest areas of, I suppose, kickback is the fact that small business, not-for-profit organisations have a lack of resources, so they lack money, they lack expertise, they lack time, and that then becomes something that just gets bigger and bigger and bigger, because they look at the problem and go, well, we didn't have the time or the effort to do that two weeks ago. We still haven't got it, so we've left it another two weeks and another two weeks and another two weeks.
Speaker 1:Why does it matter?
Speaker 2:Two reasons. One is the bad guys are always out there, as in cyber criminals, nation states. They're all after your money, even the cluey 14-year-old who, you know, he's got lots of time on his hands. He's quite willing to learn things that we are never going to learn in business, or never going to have a requirement to be able to address. The other point is the fact that everything is changing all the time. Everything that we do, the technology we use now, they're always finding ways of breaking it, and what happens is those vulnerabilities that are being caused by the breaks in that technology or the software or whatever this is are being targeted. We need to have things like updates to allow us to patch the system so that that vulnerability is no longer in that software.
Speaker 1:Now there'll be some people listening to this who think well, I'm only a really small business, I've only got one or two employees. Perhaps I'm an electrician working in people's houses who is going to bother trying to hack me?
Speaker 2:It's not a case of who's going to target you. It's a case of the automatic systems that are on the internet. If you've got a system that is connected to the internet, you can be targeted directly, and that then becomes a huge problem. When it comes to it, it doesn't matter the size of the organisation. All of the organisations, it doesn't matter who you are, it doesn't matter what you're doing. I can guarantee you have an email address, which is a connection to the internet. I can guarantee that you have an accounting system, which, in most cases, is a connection to the internet. So those are two areas where you can accidentally get targeted. It doesn't matter how big you are. One of the things that we endorse is a system called the Essential 8. And one of the components of the Essential 8 is multi-factor authentication, so that's the username, password and something you own. If you don't put that in place, it means that anybody can target whatever you're connecting to.
Speaker 1:And what's the consequence of being targeted?
Speaker 2:It can be fourfold. Reputational-wise, if people find out that you are not protecting their data, then your reputation goes out the window. It can be actually now a compliance and governance thing. Since the Cyber Security Act 2024, small business have got the same requirements as larger businesses, and that means that we have to have security in place that makes it harder for the bad guys to get into. When it comes to losing data, things like phishing attacks, that type of thing, allow someone to gain access to your device, and from there they can then use your device to target other people. So again, there's lots of things that can happen just by having a breach in your systems.
Speaker 1:And what about ransomware? Is that still a thing you used to hear about that being quite common in some business circles?
Speaker 2:Yes, it's still a big problem. Ransomware can be two problems. One is it locks the computer, which means that you can't do anything, and I'll talk about that in a second. The other is it can lock your data itself, and prior to them locking the data, because in most cases ransomware will remain in the system, let's say, two or three weeks before they lock the data, and that gives them the opportunity to steal all the data off the system so they can on-sell it to brokers and everything else. Now, when it comes to locking down a computer, if you are a manufacturer, for instance, and you're making something, but you've got a computerised system that does cutting or bending or anything along those lines at an industrial level, and that system gets compromised, then your machine on your factory floor stops working. So you've got a twofold problem: data outside on the internet, no work being able to be done in total.
Speaker 1:So that's a really interesting point, because often when we think about ransomware, it's about people not being able to get into their laptops or perhaps even their point of sale system or their customer database. But actually you're saying it can grind your operations to a halt as well if you're a manufacturer?
Speaker 2:Yeah, it can. It can totally stop you manufacturing. In most cases, when you're talking about a factory floor, the actual process within the organisation will be there'll be a CAD system or a system that does all the designing, which feeds information onto the factory floor, where the cutting and pasting and everything else is done. If those two get interrupted in any way, you're going to lose the business itself because you won't be able to produce the product that you normally produce, and the moment that happens, I can guarantee your competition is literally rubbing their hands together, going, thank you very much, because on top of that, it's going to take two to three weeks to get back to business as normal if you haven't taken an attack into account.
Speaker 1:So what do businesses need to be doing to be planning for it? There's obviously some preventative steps, but is planning for an attack a good idea?
Speaker 2:Yes, planning for an attack. We work on the principle it doesn't matter how much security you put around an organisation, there is always the chance that something is going to happen. So you need an incident response plan in some way, one that's going to deliver a capability to your business so that, if something happens, you can literally pull out the incident response plan and go, this is what we have to do right now. This is where we've got to contain the attack. We've got to work out what happened. We've got to make sure that it's not spreading around the organisation. The moment you start putting that type of thing in place, then you are already in a better place because you've thought about it.
Speaker 2:When we're talking to our clients, we have what is called the what-if process: what happens if this happens? By doing that, you can end up with, let's say, 10 scenarios that will cover probably another 90 other scenarios, because you can pick and choose from those 10 that you've already thought about. If this happens, what are we going to do? How are we going to do it? Why do we react that way and how fast can we get back to business?
Speaker 1:Now, of course, over the last decade or so, we've seen businesses move from having all their data being stored on a server in their office or their workrooms and seeing data being put into the cloud. Are those systems inherently more secure and therefore more protected from ransomware or hacking attacks?
Speaker 2:Yes and no. Again, it goes back to that three-point protective strategy that you need to have in place username, password and some sort of multi-factor authentication. When it comes to a terrestrial system, people have to target the people inside the organisation and then they have to be able to get into the system. Now, to do that is relatively complex, and especially if you're not using something like phishing or malware or that type of thing, it's a very complex process. When it comes to the cloud.
Speaker 2:This is one of the reasons why you need to have more security around the cloud. Most cloud environments have a security package that comes with them, so you can actually lock it down. It also means that the underlying structure or the infrastructure is always going to be managed by the people who are giving you the cloud. To be able to do so, part of the security components have already been taken care of, but when it comes to accessing that data, that's where you've got to be very aware of it, because instead of being just one IP address on the internet, you are a domain name that you need to go to. So Xero, for instance: to get to Xero, you still need username, password and multi-factor authentication. But anybody on the planet with a connection to the internet can target that. If they don't know where you are, as a terrestrial system, it's a lot more secure, but it still has its vulnerabilities.
Speaker 1:And obviously not quite as convenient from a business cost point of view or an efficiency point of view.
Speaker 2:This is very true. But then again we are seeing a return to terrestrial systems. There's a large number of organisations that would rather have a terrestrial system with a decent firewall, with a VPN into that system, so they can actually control their systems. If something happens to the internet, then your system is going to break, whether that's your connection. And it's also a case of working out single points of failure. You don't want to have a single point like a single ISP connection. You need to have two of them, load balanced. One goes down, the other one takes over, and they have to be isolated. So Telstra and Optus or Telstra and APT, anything along those lines. It makes your business a lot more robust.
Speaker 1:So there's obviously some risks with the world being interconnected globally around the internet and indeed, I guess, in other ways. But at a practical level, do you think we're better off in the internet connected world than we were in the terrestrial world?
Speaker 2:Yes and no. Again, the convenience of having a cloud-based system is great because, as I said, you can be anywhere in the world and you can do whatever you need to do. Things like email or an accounting package: you can be sitting on the beach in Bali and be able to actually do your work.
Speaker 1:I wish.
Speaker 2:Yes, so do I. But if you think about it, the terrestrial system is still a viable product, and you've just got to work out what's best for the business is probably the best way of looking at it.
Speaker 1:Now there's plenty of businesses around Canberra, and indeed business people at home will have increasing numbers of other devices that are attached to the internet, whether that's fridges, washing machines, dryers, televisions. Do businesses need to be concerned about the viability of those devices as well?
Speaker 2:Yes, we have what is called an asset management system. When it comes to that, and we're not talking about the valuable assets that you have, we're talking about the digital assets. So digital assets are your applications that you use, the people who use it. What is the role your CEO has in the business? What happens if he leaves, that type of thing. As an asset, it is very important that you know what those assets can do and why they do what they do. When you're talking about adding more assets to a system that really have no functionality in the business, then you need to address it properly.
Speaker 2:Internet of Things, refrigerators that connect to the Wi-Fi, all of these things are really part of the way we manage an interconnection itself, and to do that we need to be able to look at them and go, does it need to have access to data? And if it doesn't need access to data, put it on a different network so it can do whatever it needs to do, but there's no reason for it to have access to the real data that's available. In addition to that, look at the information that it needs to connect to. So, going back to your fridge, if it needs to connect to an outside source, then you need to know what information is going backwards and forwards, so you need to have that understanding.
Speaker 2:The other thing about Internet of Things is most of them are small devices and they've been constructed so that they have minimal processing power. They do what they need to do, so they're a single function or a couple of functions, and there's usually very, very minimal security around them. So if you're putting those sorts of devices onto your network, you're reducing the security of your network. So put it onto another network. It's on its own, it's doing its thing. If something needs to happen, it'll work.
Speaker 1:So for the non-technical listeners to this podcast, how does it work? You've got a fridge on a Wi-Fi network in an office. That office has got a bunch of laptops on it that is accessing cloud-based services. How can the fridge create a vulnerability that impacts the rest of the business?
Speaker 2:In my younger days, one of the main targets of the people who like to hack into things was printers, and printers are notoriously vulnerable for the simple fact that most people don't change their passwords. So you've already got a password problem, because you can look on the internet and get the default password for this printer and it'll tell you. Once I've got onto that printer, it's connected to the network. I can use the printer's capability to look at the rest of the network and work out what the next attack is.
Speaker 2:When it comes to the bad guys and just normal hackers, their process is to find a vulnerability they can leverage to get other vulnerabilities, and if you have an easy vulnerability from the start, then it makes it just a lot easier for them to get in. When it comes to Internet of Things, that's one of the reasons why I said keep it on a separate network. If something gets compromised, then the rest of the network of the Internet of Things, yes, you've got a problem with them, but they're not going to get onto the main network, and you're protecting your data and your systems and your business.
Speaker 1:It's a scary world out there. Oh yeah, so how did you get into all of this, Roger? How did care managed IT come about?
Speaker 2:Well, I've been in the IT industry since 1989. We had computers the size of this room and we had hard drives the size of Mini Minor wheels. It was just incredible. I've seen the changes.
Speaker 2:In 2014, I had the experience of being targeted, literally targeted, and that gave me the insight into thinking, well, if I can be targeted, and I've been in the industry X amount of time, what is happening with people who haven't been in the industry, don't understand this stuff, that don't understand what the bad guys are capable of. So that gave me the idea, and the conversation in 2018 literally turned Care into what it is. We literally sat down and said, what do we want to do? How do we want to help Canberra? This is the way we do it.
Speaker 2:We have a lot of standing arguments with our accountant, because there are things we want to do that we don't want to charge people for, so that becomes a problem. As you can understand, we're a business, but also our target market, which is small business and not-for-profit organisations, they need all the help they can get, and if we're not helping them, then there's a very good chance that they are going to be the next statistic in the race for the bottom.
Speaker 1:So how big is the business?
Speaker 2:We're not huge. We're only five people at the moment. We are looking to expand significantly over the next 12 months. Last year was a bad year, not only for the actual, I suppose, the environment of what was happening in the world, but we had a lot of personal issues. We had cancer, we had deaths in the family, we had a few other things on both sides of the partners. So literally last year we stood back and went OK, we'll just let it take away and do what it needs to be. This year we're going to go where everything's better. Let's go out and see what's going on.
Speaker 1:Excellent. Well, it's good that things have moved on and you're on the up, because it sounds like it was a challenging and difficult year last year.
Speaker 2:It was a frigging horrible year.
Speaker 1:So what's the plan? You're based here in Canberra. You're servicing Canberra customers. Do you go further afield and work in New South Wales as well?
Speaker 2:Yes, yeah, we're working. Just at the moment we're implementing an organisation in Temora, we've got clients down in Cooma, we've got clients in Batemans Bay, so we do, literally, we work on 200 kilometres from Canberra. Anywhere in that space is fair game for us, but, as I said, we're not the most expensive, but we're not the most cheap either. We believe in implementing the Essential 8 as much as possible, and implementing the Essential 8 does require technology and capabilities that most small business baulk at, and that's also something that we have to find a way of getting people to realise.
Speaker 1:This is a big problem and you need to do something about it. And is there a way of making it easy for a small business?
Speaker 2:You can implement the Essential 8 on your own. You don't need any help. It's just eight basic requirements that will reduce the chance of you being hacked, and basically it's things like patch applications. Patch your operating systems. Reduce the number of administrators on your system. This includes cloud as well. So if you've got five or six administrators on your cloud account and they have no need to be there, reduce them as much as possible.
Speaker 2:Multi-factor authentication. There are two others that aren't part of the Essential 8 but are really basic things. One is use complex passwords, unique passwords, and make sure they're more than 12 characters long. And the other one is use an antivirus. Even in my space there's an argument that people reckon that antivirus is useless. But when we talk about antivirus, one of the reasons why we do what we do is if you've got an antivirus, it's going to catch 90 percent of the bad guys' stuff, because they're using old technology or capabilities which the antivirus is designed to pick up. So it'll catch it, put it where it needs to be, and you're relatively safe. That other 10 percent, that's a problem, and that's why you need the Essential 8 in place.
Speaker 1:12-digit passwords sound like a disaster for anyone with a slightly faulty memory. Do you advise, and Roger, you're putting your hand up there, and I think both of us in this room perhaps are not so good at the long passwords, but do you advise people to use a password keeper, perhaps Apple Keychain or something like that?
Speaker 2:Yeah, we recommend a password manager, but also one of the things that we do recommend is don't use passwords. Use a passphrase. Okay, rubberducky21, for instance. Okay, you've already got a length of system, and if you really want to, it'll be rubberducky21 and maybe it's the bank, ANZ. Okay, you've got a password, you can play around with it. You can do whatever you like, something that sticks in your mind as well, which means that you're never going to forget it, but you know roughly what you're going to do.
Speaker 1:Challenging to recall, though, for some people, but good advice, I think, nonetheless. Roger Smith from Care Managed IT, it's been great having you on the podcast today. Thank you so much for joining us. If we were going to just get you to offer us one last piece of advice for small business owners, what would that be?
Speaker 2:Cyber's not going to go away and, as we've seen, AI, we've got machine learning, we've got all this stuff coming through. Embrace it, but also protect yourself against it.
Speaker 1:Some good advice there. Roger, thank you so much for joining us here on the podcast.
Speaker 2:Thank you, Greg. Much appreciated.
Speaker 1:And just a reminder that this episode of the Canberra Business Podcast has been brought to you by the Canberra Business Chamber with the support of CareSuper, an industry super fund with competitive fees and returns, exceptional service and a focus on real care. You can learn more at caresuper.com.au, and don't forget to follow us on your favourite podcast platform for future episodes of the Canberra Business Podcast. Catch you next time.