The Canberra Business Podcast

The Hackers Are Coming Every Six Minutes – Is Your Business Prepared?

Canberra Business Chamber Season 3 Episode 16

"Every six minutes, an Australian business is hacked. Is yours next?"

Roy Borekar, founder of Solution Tech and a 20-year cybersecurity veteran, shatters the dangerous myth that small businesses are too insignificant to attract hackers. In this eye-opening conversation with Greg Harford, Roy reveals why smaller operations are actually prime targets for cybercriminals who recognize these businesses lack the resources to properly defend themselves or recover from attacks.

Roy challenges the common assumption that cloud services automatically keep your data secure: "Just because it's in the cloud doesn't mean it's secure." In fact, cloud-based systems can sometimes make businesses more vulnerable by providing hackers with a 24/7 online target. Without proper protection, your business information becomes easier to access than when it was stored on physical servers.

The most practical advice? "Prepare your business like you know for sure you're going to get hacked tomorrow." This means not only implementing security measures but developing comprehensive incident response plans. Could your business survive being offline for three days? What's your strategy if ransomware locks up all your customer data?

Solution Tech offers free initial cybersecurity audits to help businesses identify vulnerabilities before hackers do. Visit solutiontech.com.au or stop by their Braddon office to learn how to protect your business in an environment where digital threats are no longer a matter of if, but when.

This episode is supported by CareSuper

Speaker 1:

Hello and welcome to the Canberra Business Podcast. I'm Greg Harford, your host from the Canberra Business Chamber, and today I'm joined by Roy Borekar from Solution Tech, a Canberra-based cybersecurity firm. Roy, great to have you here. Thanks for joining me.

Speaker 2:

Yeah, thanks for having me.

Speaker 1:

Now let's start at the beginning. You've got a really interesting background, a 20-year career in IT. I guess things have changed a lot over that time. How did you get started in technology?

Speaker 2:

So technology I was always in technology since I was 18 years old, probably earlier than that. I was building computers back then and that's how it sparked my interest in IT and started doing courses and ended up doing a master's degree in cybersecurity in 2003, when cyber wasn't a big thing. But at that age and during that 2003 and 2004, it just sparked my interest and since then I've always been in cybersecurity. It's only the last five, six years we're actually hearing the cyber the buzzword quite a bit, but we've been doing it for 20 years.

Speaker 1:

So you were ahead of the trend, perhaps, but what was it back then that sparked your interest in it?

Speaker 2:

Because I actually started my career as a little bit of coding and the hardware and software. How do you talk to a hardware using a software? That was the trend coming up 25 years ago and that time I was curious, saying, hey, if somebody can control a hardware writing a piece of code, how would you protect yourself? That was my initial thought 25 years ago nearly, and that's how I got started.

Speaker 1:

After that, so how long have you been in Canberra and how did the business start?

Speaker 2:

So I've been in Canberra for eight years. So I actually started the business in WA in 2015. And we moved in Canberra about eight years ago just expanding in the government sector, looking at government work and mostly cybersecurity work within the government itself, because we've been doing small businesses since 2015.

Speaker 1:

So here we are now 10 years later, in 2025. What services are you delivering?

Speaker 2:

So we actually started as an IT managed service, so IT provider, so we're doing IT support. And then we added more features and functionalities and services like cyber security, obviously, so we offer 24-hour SOC, SOC as a service. We offer IT support as a service, as a managed service. We, when we look at the small business, it's more like we're looking after everything from your internet, your phones, your backup, your email, your hardware, so that you don't have to ring up 10 different vendors to have these services. With us, you just get it as a combined deal all in one solution. And, yeah, being cyber on top of everything, we look after all aspects of cyber within the IT industry.

Speaker 1:

Now you mentioned your SOC, which I think is your 24-7 security operations center. That sounds quite high-tech and exciting. Is this a giant room somewhere with walls that roll back to reveal exciting displays and things? What does it actually look like? How big is it and where is it?

Speaker 2:

Yeah, so it pretty much looks like that, but we shrink it down to two or three monitors. It used to be like seven or ten. But technology has changed. Before it was one dashboard for one service. Now we can have combined dashboards, so you don't need that many monitors and because we are still looking after small businesses and the clientele is still small, so we don't need 50 monitors, but we do have about four rows of monitors that we look at all the dashboard and we're based in Braddon, right in the middle of the city in Canberra.

Speaker 1:

Okay, and you've got a team on site literally 24-7?

Speaker 2:

Yeah, correct. So we have two teams, one in WA, one in ACT, so we share and the time zone actually helps in our favor because there's a three-hour or two-hour time gap during the daylight saving. So we work together with our WA and ACT team.

Speaker 1:

So how big is your team overall?

Speaker 2:

So we are currently eight of us total and we also have a lot of contractors on the books, as we've needed when the work goes up and down, so we can hire them contractors as well.

Speaker 1:

So who are your customers? Who are you targeting? Is it small business or are you really aiming to build into that government space as well?

Speaker 2:

So, as I said when I started the business 2015, we were only doing small business and we're still doing small businesses as well, but, being in Canberra, we're getting into more government side as well. So current business model is 50% private sector and 50% government sector, but from the revenue point of view it's 50-50 split, but from the number of customer point of view we have a lot more small businesses than the government agencies.

Speaker 1:

Has it been easy to build and start the business?

Speaker 2:

Not that easy. Every business has its challenges. We went through a lot of up and downs, but I followed the lean model and I kept it only hire when we need it and when there's absolute need for it. So every employee in the business is pretty much doing two jobs at the same time, because we are still a small business but also considered as a start-up, so we really have that start-up mindset as well.

Speaker 1:

And a start-up sort of getting into government. 50% of your revenue now coming from government sources, that's quite an achievement. I mean, what lessons have you learned along the way and how did you manage to secure that government work?

Speaker 2:

So government has a lot of challenges, one of the biggest challenges being on those panels. So getting on those panels to be able to apply for that tender or that RFQ and security clearance has been one of the key challenges. But it was worked out a little bit in favour of us or in me is because I do Army Reserve. I'm a cyber officer within the Army Reserve, so I already had an NV1 clearance before even I started my company, so I was slightly ahead of the curve and that's how we managed to get our first contract in Canberra while I was in WA, and the first contract was 12 months. So I moved here for 12 months just to try it out. And then since then we never left.

Speaker 1:

So a cyber officer within Army Reserve? That sounds kind of interesting as well. How does that work and how are you fitting it in with you running the business?

Speaker 2:

Yeah, so it is time consuming. Obviously it has a time commitment. Um, the being cyber officer is only something we start. The defense only started recently. So I've been in defense as a reservist for 15 years. I was a sig. I was doing it satellite communication, not so much cyber. So even within the defense force, cyber has just really picked up in last four or five years and that's our transition from being a signaler to a cyber officer.

Speaker 1:

Excellent, and how big is that time commitment to be in the reserves?

Speaker 2:

It really depends on what role, what unit, you're in, but it's a minimum commitment. We're looking at anywhere between 20 days a year as a bare minimum, and then on top of that you have your courses and activities and exercises that you have to do.

Speaker 1:

So potentially that's quite challenging when you're trying to run a business at the same time. How are you personally juggling those things?

Speaker 2:

Yeah, it is challenging. The time is the biggest commitment and also, yes, running a business, managing family on top and having two young kids. It does get challenging. But the defence part is what I do is for my passion. That is more that sometimes it's like a hobby, you can call it. I do need something on the side to take my mind off, and it's stress relief or sort of thing, something slightly different. But I ended up doing both side, on both sides anyway.

Speaker 1:

Excellent. Well, look, let's jump back to your business, and I guess the business has been going for a decade or so. You're still in startup mode, but what lessons have you learned along the way?

Speaker 2:

Right. Okay, a lot of the lessons actually. The first is never be too comfortable with just because you have one contract or one customer. A lot of things changes in IT. Where it could be a tender, could be a government regulation, could be a cancellation of your contract. That happens as well. And the staff. So over the five, six, seven years we had a lot of staff come and go and obviously you can't keep every staff that you've once started. Luckily, we still have some staff who have been with us for two, three years. But a lot of changes happen to staff from customer point of view as well. Some customer decides to move, take a different route than we originally discussed or originally agreed on. And cash flow. So cash flow in the business is probably the key. So you have to, between all of that up and down, you have to make sure your cash flow is strong.

Speaker 1:

Cash flow is obviously king for any business. Do you find your customers are good payers? Do they pay on time?

Speaker 2:

Most of them. Most of them they do, but most of them are now on 30-day net term. So we can at least predict our revenue month by month. But we do have some ad hoc as well.

Speaker 1:

Yeah, and that's really important and in terms of your people, I mean, you know, relatively small team still, but it's certainly challenging to retain and indeed recruit here in the Canberra market. Have you got any tips or tricks for keeping your people engaged and then finding good new engaged people as you need to?

Speaker 2:

Yes, absolutely so, multiple ways. I do this. So initially, when we started, I was just putting an advertisement on SEEK to find a staff. But we changed that approach. We hardly post on SEEK. We do some occasion.

Speaker 2:

But what we've done is we've set up an agreement with the University of Canberra and other universities and we get interns from their courses, who's finished their master degree, and we run that internship in-house. And the selection process is very tough within just to get to the internship, because we don't want every person coming in. We need to know yes, you've done the qualification, that's your fundamental, but we also need what else have you done? Have you done any industry certification? Have you worked anywhere? All of that combined we then have that selection criteria. We run them through an internship, 12 weeks internship program. If they pass that internship program and if you have a role available, we offer that to them.

Speaker 2:

So instead of going via SEEK in that route, we try to go with this route because during the internship we can then train them the way that we wanted the product that we use, the services we offer. And now we actually hire three university staff from university, students from University of Canberra. So that's one of the approach. And the second is I'm heavy on industry certification. So the technology that we use once you come on board as an employee, we have a minimum standard that you must complete this certification during this period 12 months or six month period. So that helps not just us but the candidate itself, because that person is actually doing upskilling his technical skill and that is very crucial in IT and cyber industry. So even if they decide to leave two months later or six months or 12 months later, they have actually been a better position when before, when they started with us, because they got more qualification, they got more skill set and they're more attractive to other companies as well.

Speaker 1:

So the internships are really interesting because I talk to a lot of people who are interested in using interns. Often there's a bit of concern, maybe, about how much input is going to be required, how much management commitment is required to look after those interns. Does it work well from your point of view?

Speaker 2:

Initially we had some ups and downs because a lot of the time commitment was on my part. But because we've been doing it for three years, we've set up a process in place now where the first employee who came as an internship program sort of becomes the team leader and now he's passing on that knowledge and he's managing those teams and that way we can test our processes to see if it's actually working.

Speaker 1:

So you've really systemised the internship process and I guess that's a win for your business, but it's also a win for the students who are coming through right because they're getting that practical experience and potentially a pathway into a role.

Speaker 2:

Yes, that's correct.

Speaker 1:

Fantastic, so you're providing managed IT services or the full suite of IT services, but cybersecurity obviously is a real passion for you. Let's talk a little bit more about that. What advice have you got for Canberra business people about keeping their data safe, keeping their systems safe?

Speaker 2:

A lot of the basics. So we still see in the market a lot of people are not doing the basic stuff, the basic thing like MFA for example. A lot of people still don't have MFA enabled on a lot of the application they use. Just because it's in cloud doesn't mean it's secure. You still need to enable that MFA function. So some of the product they might be using may have the MFA, but the users have not taken that extra step to go and enable that MFA. So that's one of the first ones, sorry.

Speaker 1:

MFA, multi-factor authentication, yes.

Speaker 2:

And other simple things like passwords. People are still using their pet's name, their date of birth and all of those usual suspects and the other part is the backup. So people don't think the misconception is I'm too small or my business is too small. Hackers are not interested in my business. But the reality is the smaller the business, the bigger the target you are, because hackers have figured it out very common. This is a common theme. If they go after a bigger company, they will have their IT, they will have their cyber, they have the resources, money to handle that situation. Small businesses don't and that's why they are the highest, biggest target.

Speaker 2:

Because now in the industry, in the hacker industry, there's tools. You can just go online and buy hacking tools and a 16 to 17 year old can sit in the bedroom and start, can hack you using that free tool. Yes, they're not as sophisticated, but they're learning. They want to get into that hacking industry and you know the unethical side of things and that's you become target, easy target for them. So they may have spent 400 to buy this tool and few hours of learning it, how to hack it, and your business might be small, five users or 10 users and you have not done those basic, you become the first target Because they just go after the low-hanging fruit as well.

Speaker 1:

And the bad guys you reckon are often just teenagers sitting in a bedroom. We're not talking about the Russian mafia or anything like that?

Speaker 2:

Both. So the hackers, one is the sophisticated, where they're funded, well-funded, and all of that. They go after the bigger piece. But then all of these, now the rise of ChatGPT, and there's something called the evil twin of ChatGPT is called the WormGPT or the hack GPT. All of those are actually designing the codes for people to go and hack these things. So this is, yes, they are the mafia, but they are all the young kids that want to make quick money or you know unethical way of having the quick buck. So those sort of hackers are out there as well.

Speaker 1:

It's a scary world, isn't it really.

You know, if you're a small business perhaps you're a plumber or a hairdresser you're using cloud-based services to book jobs, to invoice your customers and so forth. Is it not enough to assume that your cloud services are looking after you and keeping your data secure?

Speaker 2:

I would say yes and no to that because, yes, most of them are secure. But again, going back to that multi-factor authentication, if you haven't secured your online provider with the MFA and have the password protected or complex password, they can easily hack into it. So there are tools the password hacking tools that they can run it and they can crack your password in 15 minutes. So what you've done is you actually made it a lot easier for the hacker by using that cloud service, because now they don't have to attack your device, they just have to attack that provider online, which is 24/7 available. All they have to do is crack your password and MFA. So you just actually made it easier for them.

Speaker 2:

Before the traditional it was everything was on premises, you had, you were running servers and all that. Yes, it was costly, but it was in a way, it was slightly secure than running in the cloud. But the other side of that is, just because the data is sitting there, what happens if that company gets hacked? Yes, they have the backup and all that in process. They can recover it, restore it in maybe two days or three days, but can you afford to be offline for three days, especially if you're a plumber or electrician or something. If you can't invoice your customer, you can't book any jobs, you can't do any of the admin stuff. Can you still survive after that?

Speaker 2:

So all of that factor you need to be factoring when you're thinking of cloud and also asking your cloud provider how are you securing? What are your measures? Are you certified? What cybersecurity certification or the compliance that you have? And every industry has their own cybersecurity compliance, like we obviously heard, Essential Eight that applies to everyone. Then there's ISO standard. Then legal industry has their own, financial industry has their own. So at least you need to be aware of what industry you are in and what cyber compliance applies to your industry, so at least you can have you're prepared to ask those better questions.

Speaker 1:

And the bad guys who are out there. What are they looking for? Are they looking for your data to sell? Are they looking to lock your machines up or your data up and get a ransom out of you? What's the most common sort of thing that you're seeing?

Speaker 2:

So both. So first thing, if you're a bigger company and doing anything sensitive, like confidential or medical or all that, so they're after your data because then they can sell that data and make more money. But if you're small, like plumber, electrician and things like that, they're just after ransom. They want to lock you out of your system and say pay us a quick ransom and then we'll give you the key. But there's no guarantee, first, that they're going to give you the key and, second, that they're not going to hack you again. And if you haven't learned from that experience, haven't tightened your security, most likely you're going to be hacked again. So it's a bit of both.

Speaker 1:

So we talked a little bit about some of the basics making sure that you've got backups, that you've got your password sorted, that you've got multi-factor authentication turned on. Are there other sort of key things that you'd be advising small businesses to be thinking about?

Speaker 2:

Yes, absolutely. So get an advice. I would probably say, like we offer free advice as well. So get an audit to basically at least get an audit where you know where you stand, and then that audit will clearly say you're missing these five things. For example, if you implement these, your chances of getting hacked is a lot lower.

Speaker 2:

And also backup, as I mentioned, backup is good thing, but if you never tested your backup, how do you know the backup is actually working and when you do need to restore from a backup? And if it fails and it has happened to a lot of customers before they never tested the backup and when they try to recover, there's nothing to recover because either the backup is corrupt or the backup is old, or they didn't even know the backup stopped all of a sudden. So those monitoring it's not just once that you have implemented this service and yes, I say I'm all good you need to be constantly doing that and monitoring those things and be better prepared.

So what, the way I like to say is prepare your business um like as you think that you're going to get hacked tomorrow. You know for 100% sure you're going to get hacked tomorrow. And if this happens, what are your chances and also what processes and things you have put in place to mitigate that. So we call it incident response plan. So if X happened, how would you recover? What do you do? If Y happens, how would you do it? What's your strategy? What's your backup and resource strategy and your business continuity strategy? How would you continue to business? Let's say, if you're offline for three days?

Speaker 1:

Now there'll be people out there listening to this who think, yes, I know that's right, but I'm just a small business. But your message is that actually this can happen to you.

Speaker 2:

This actually happens more to small businesses than to the bigger business. So, as the ASD and ACSC has pointed out, every seven minutes and I think it's gone down to every six minutes now that one business is getting hacked. So while we're sitting here, somebody's already probably got hacked.

Speaker 1:

That's a terrifying thought really and lots to think about there, so it's great to know you offer some free advice and some auditing work. How do people get in touch with you through your website?

Speaker 2:

Yeah, with our website, solutiontech.com.au, or just ring us our phone number, send us an email to support at solutiontech.com.au. We're based in Canberra. We're based in Braddon, just in the Midnight Hotel in Commercial Floor, ground floor. Come and see us. It's a five star hotel. To come have a coffee with us.

Speaker 1:

Sounds good. We'll take you up on that. Lots to think about there, Roy. Thanks so much for joining me.

Speaker 2:

My pleasure. Thanks for having me.

Speaker 1:

Now I'm Greg Harford from the Canberra Business Chamber and I've been talking to Roy Borekar from Solution Tech, solutiontech.com.au. And just a reminder that this episode of the Canberra Business Podcast has been brought to you by the Business Chamber with the support of CareSuper, an industry super fund with competitive fees, returns, an exceptional service and a focus on real care. You can learn more at caresuper.com.au and don't forget to follow us on your favourite podcast platform for future episodes of the Canberra Business Podcast. We'll catch you next time.