Tech Insights with Alisha Christian

The True Cost of a Cyber Breach | Chris Haigh

Mercury IT Season 1 Episode 1

What is the true cost of a cyber breach? Today, we uncover the financial and emotional tolls that ransomware attacks can inflict on businesses. Join cybersecurity expert Chris Haigh as he shares compelling real-life examples, like the Robin Hood ransomware attack, and clears up common misconceptions about cyber insurance. Chris also provides practical, immediately actionable cybersecurity measures to protect both personal and business interests.

Navigating the nuances of cybersecurity vulnerabilities and ransomware attacks can be overwhelming. Chris shares invaluable insights into the challenges of timely software patching and recounts a cautionary tale of a business breached despite being patched—a stark reminder of the complexity of cyber threats. The discussion also explores the decision-making process around involving insurance, the extensive time commitments, and costs of managing a ransomware incident, making it clear why assessing the full impact before taking action is crucial.

Effective communication is pivotal during a cyber crisis. Learn from Chris Haigh why having a well-prepared and practiced communication strategy can save your business from chaos. Understand the importance of cyber resilience through regular practice and the implementation of cybersecurity frameworks like the Essential Eight. Don’t miss out on these critical insights—connect with Chris on LinkedIn to continue the conversation and safeguard your business from evolving cyber threats.

Alisha Christian:

Today I had the pleasure of welcoming Chris Haigh to the podcast. Chris and I had a great chat about what it would cost if your business was to suffer a cyber breach. We talked about some real-life examples, some a little bit scary, and Chris also offered up some actionable tips for our listeners, both personally and for their business, that can be implemented straight away. Enjoy the episode. Welcome to Tech Insights, Chris. Thank you. So we've worked together for quite some time now, probably about five years.

Chris Haigh:

I would say so yeah.

Alisha Christian:

So I do know a little bit about your background, but how about you share with the listeners what got you into cybersecurity and why you're so passionate about it?

Chris Haigh:

Yeah, sure. So originally South African and back there, I was interested in tech as a young kid and then kind of moved from there. I went into, I think it was, sales firstly, in computers, and then got more interested in the technical side. So I kind of just started studying the technical side and then eventually moved into that side of things and ended up in training, weirdly enough. So I was actually a technical trainer for many years, firstly within Microsoft. Then the A-plus series came out and I was busy doing that, so like hardware and software and things like that, and then eventually Cisco. But even back then, so this is probably 98, I was already teaching security subjects. So there was a particular security course I used to teach under the Microsoft side of things, training engineers how to break into a system, the idea being that you then know how to secure it. So that was the concept.

Alisha Christian:

Wow, that's pretty cool. I didn't know that you did that.

Chris Haigh:

Yeah, so way, way back then it was not quite pen testing, penetration testing, but kind of similar, and it was very Microsoft focused at that point. And then I moved to the UK. I was there for 11 years and started my own business there as a Microsoft Gold Partner with a few partners, and then it was pretty much focused on security, so lots of firewall configurations and that kind of stuff, and then eventually moved to Australia.

Alisha Christian:

Yeah, Well, you've had quite a diverse background in technology then.

Chris Haigh:

Moved around a bit.

Alisha Christian:

Yes, I definitely didn't know half of that, so that's, yeah, really interesting. Well, today you're here to talk to us about the true cost of a cyber breach, so I think I mean, the listeners would love to hear about, yeah, what exactly it costs and what happens.

Chris Haigh:

Yeah, absolutely. The reason why I came up with this particular topic is, you know, we often do a lot of education, so my main passion is still education, because I came from that trainer background. So education around people running business and cyber security within that, because I always felt that people didn't quite understand where that fit in, which is understandable. It's kind of like going okay, well, I run a business doing X, right, I don't need to know about the technical side of things, you know, because you shouldn't have to. You should know about your business and what you're doing. That's the expert, right, you're the expert in X. So then it was a case of going, you know, always educating people around that. And what I found is, when I moved to Australia, I kind of felt like there was definitely a she'll be all right, as in, I'm not going to worry about cybersecurity until I have to worry about it.

Alisha Christian:

That sounds about right.

Chris Haigh:

Yeah, and I just saw a lot of businesses getting hit like really badly, like so they're not aware of the actual impact that can happen and it does take a toll on a lot of people. And then the last breach that we dealt with as a business, it just reinforced all of that and there's a lot of emotion around it. It's quite hard for a business owner to see how much impact it's having on them the stress levels, staff. It's pretty insane. The last one we dealt with was the Robin Hood ransomware gang and one staff member was telling me at some point they said you know, I was watching TV with my kids and this thing popped up and it was about Robin Hood. And she said I literally had a, I could feel it in my body, so that and I was like, okay, you know what I mean. So it's quite a visceral impact for everyone.

Alisha Christian:

Oh, definitely.

Chris Haigh:

And when you start getting down to the costs to the business, of not just your psychological costs but then actual costs. And that's where, even where you have businesses going oh, we've got cyber insurance, they'll cover it and mostly, or not at all.

Alisha Christian:

Yeah, well, that is a scary side of it, I guess, is that people think they're covered and then all of a sudden something happens and not so much.

Chris Haigh:

You might not be, so unfortunately you've got to be answering the questions correctly in the insurance documents and if you make a mistake, right, the insurance doesn't care. It's a case of going, you said you do training with staff. We can see you don't. Therefore we're not paying. So we had a customer, must've been about five or six years ago now, where the criminal gang broke in through a remote desktop service and then from that machine they moved to the accounting system.

Chris Haigh:

Oh, that's scary, the payroll system right, and then from the payroll system they changed everyone's bank accounts to theirs. This was on, I think, a Sunday night and then the payroll ran Tuesday morning and then they got their first request Wednesday morning going hey, I don't have my pay-in account. They started looking and it was a bunch of staff. It was about $80,000 for the weekly pay run that they were out. They immediately contacted their bank. The bank managed to retrieve about 40, so put stops and et cetera on, so they retrieved 40. And the other 40,000, they did actually have cyber insurance, which is great, because back then not a lot of businesses did you know four or five years ago, and they were denied because they hadn't done cybersecurity training with their staff.

Alisha Christian:

Oh, that would just be devastating.

Chris Haigh:

Again, the box was ticked when they filled in the forms. So there's those sort of costs and it's trying to make sure people have a good understanding of what the actual threat is, and so forth. And the other problem is, I think, because you're not an expert in it, you are potentially worrying about the wrong thing. So an example here, the last one we dealt with, the company was more concerned about the financial side of things, so that the criminals would get into, for instance, trust accounts and could manipulate funds there, and that's not what the target was. The target was the personal identifiable information of their clients.

Alisha Christian:

Because? So, once they get a hold of that, what do they generally use that for?

Chris Haigh:

Yeah, it's an interesting one. So ransomware, so a type of malware that encrypts your data so you don't have access to it. So quite often it brings a business to a grinding halt. All of a sudden, I can't look up a client's file, I can't print, I can't do this. Basically you can't work, right. So it locks up that entire business.

Chris Haigh:

So the idea was then the criminal gang would contact them, go hey, we've locked up all your files, pay us X amount of money and we will unlock it. So this is just through an encryption, unencryption, but we'll basically unlock it and then you can carry on working. And that's how it was for years and the payments were relatively low. So it might've been right down to 200 bucks, 250 bucks somewhere around there, right? So most often businesses would just pay, get their stuff unlocked and they could carry on working. But then people started getting clever, right? So as a business like ours, we've got backups of customer data. So they'd be like, oh, we've locked up all your data and we were like, don't worry about it, we just restore it and you've got all your data back and you can carry on working, maybe within a few hours Great.

Alisha Christian:

Easy.

Chris Haigh:

So obviously the ransomware gangs had to move on. They were like, okay, how do we get paid then, if this is happening, right? So the first thing they did is look for the backups, so they'll encrypt your data. And they'll find the backups and they'll encrypt that as well. So that's where we had to start getting clever about where the backups were kept and how do you keep that safe off the network so it can't get access to it, all those kinds of things. But again they move one step further. What about if we take a copy of the data, then lock it up and go pay? We'll unlock it. If you don't, we're going to sell the data on the dark web. So then you're going to have public damage, right? It's a publicity issue now, because your customers are going to see that you've not secured your networks properly, you haven't cared for the data you hold on us. So, and that's now that ransom part is. That's where it's moved to.

Alisha Christian:

Well, it's really escalated.

Chris Haigh:

Yeah, no, it's absolutely escalated and you can imagine if the customer was someone that does collect a lot of personal identifiable information. So you'll see this as PI data or PII data. So personal identifiable information, passports, you know, et cetera, et cetera, et cetera, driver's licenses and so forth and you think of the businesses that keep that kind of stuff. First one in my mind that pops up is real estate.

Chris Haigh:

They collect a lot of that information, so real estate, and the other one, of course, is legal. Next one, probably financial, so independent financial advisors, legal, et cetera, where there's other records, probably more medical. So then it starts getting into dentists, hospitals et cetera. They've got that kind of data as well. So in this case, yes, the personal identifiable information is what the target was, and it was exactly that. We will sell this data unless you pay, and it was it's passports, driver's licenses, medicare numbers, a lot of data.

Alisha Christian:

As a business owner, to get a message like that must be just so terrifying.

Chris Haigh:

It absolutely is, and that's where I wanted to have that conversation with people and educate them. Okay, what is this going to look like and what can you do? Because the main thing is not to panic. Right, it's happened. So what are the correct steps? That you can resolve the matter as quickly and as cheaply as possible, right?

Alisha Christian:

Well, I guess that's a hard thing too because, like you say, there'd be so much emotion wrapped up in why me, why was I targeted. You'd have to step aside, let the emotions go and, like you say, follow the steps to rectify the situation.

Chris Haigh:

And there's a couple of things around this, and firstly, we'll just talk about dispelling the myth of why me, which is it's never about you. No, you weren't targeted.

Chris Haigh:

So quite often, the majority of the attacks that we see, especially for small and medium business, is you're just going to get wrapped up in a kind of a spray attack, so they're going to just target anyone and everyone that they can and whoever bites that they can get in.

Chris Haigh:

Great, and that's essentially what's going to happen. If you're a different business, so let's say you were a contractor for the government or you were a university, then yes, you're going to be targeted because you're known to have potential, very valuable information, so you will be targeted and your cybersecurity has got to be on a different level, absolutely. But for the majority of small, medium businesses, again, if they're not contractors to the government and all those kinds of things, or sitting within a supply chain to any kind of critical infrastructure, so you're not dealing with electricity, water, airports, et cetera. And then, yeah, they're not after you, but you do need enough cyber security controls in place so that you can actually deal with it.

Alisha Christian:

So yeah, yeah, I think it would be hard to not take it personally. But yeah, obviously it's kind of a bit of a numbers game, isn't it? They're just casting the net and seeing what they can catch.

Chris Haigh:

Absolutely, and whether that's through a phishing attack or there's a hole in your network because of a vulnerability and the last one we dealt with was exactly that there was a particular vulnerability and unfortunately you start getting down to because people go like, okay, but you just patch right, you update the software and that fixes the vulnerability, and it's like yes and no.

Chris Haigh:

There's a lag time between when the vulnerability is live and potentially not known about in the public space but known about in the criminal gangs, to when the vendor knows about it and patches the software. So it's that the lag time becomes an issue. In this particular case that we were talking about, the government's actually issued a warning around this particular vulnerability on this particular device and that was in July, early July, and we double checked that everything was patched and it was. And we were like great, that customer still got done by the criminal gang and when we did the forensics check they had actually been in the system three months prior. So you're talking about an alert coming out from the government going you need to patch this and it's too late.

Alisha Christian:

Well, that's scary in itself, isn't it?

Chris Haigh:

It is. And just to be clear, when I say we did the forensics, we, as in Mercury, didn't do the forensics. Forensics were done by a third party forensics company, and that's something I wanted to talk about as well is, you know, there's a number of parties that are involved in a ransomware attack and dealing with the aftermath of that. So you kind of need to decide whether you're going to go down that path or you're going to kind of deal with it yourself, and that's the choice for the business. So it's: am I going to involve insurance? Like, I'm paying for it, so should I? Versus, I can deal with this myself. And that is a conversation you do need to have. A lot of people go, well, obviously you'd use the insurance, and I go.

Chris Haigh:

Go well, no, let's say, yeah, you've got insurance on your car. Right, you've got excess. Take my excess. I'm talking about this because my car got pranged last week, right, in a parking lot. So park the car. Somebody pulls out wide, scrapes the side of the... Lovely, I've got a thousand dollar excess on my car. So I was like, okay, and it was this man and he actually drove off.

Alisha Christian:

You did tell me this story and I still can't believe that he just drove off.

Chris Haigh:

I've got a photo of his number plates and so forth, right, and I'd lodged the claim and I had a mate look at it and go, they'll just buff out, like just get some cut and polish, and it's not dented, it's just. And I was like, oh yeah, like I didn't even think about it. I was like, oh, I'll just pay the thousand bucks. Like I've got a thousand bucks lying around, right, like everyone.

Chris Haigh:

So I was like no, actually no. So I called the insurance company back and I cancelled the claim and they were like, oh, why are you cancelling it? And I was like, because I don't want to pay $1,000. Thank you. Well, that's it, and that's the point. So you do need to decide whether you're going to bring.

Alisha Christian:

Lay out the cost. Yeah, because it depends how big the impact is and what you're actually going to be dealing with and I'm guessing that you know your premium will go up and yeah, presumably would, I think in most cases.

Chris Haigh:

I mean, I'll run you through the example in this scenario, where they called their insurance and went okay, there's been this massive hack into our system, they've broken into the system, and they get the wheels turning in, you know, assigning a, like an incident response manager, and then they get a number of people involved. And this is the start of what I wanted to educate people about: you need to be aware of how much time this is going to take, because immediately, they want to have meetings with the customer, with us as the managed service provider of the systems, because we might have to provide evidence and et cetera. So they're calling you into a meeting, right? The first meeting we jumped on, there were 15 people in this meeting across four different businesses. Right.

Alisha Christian:

I mean, that's a cost alone, isn't it? Exactly. Just to have that many people there?

Chris Haigh:

So we've got from the customer. You've got the owner of the business plus two other staff members that are going to need to help, and there were more staff that had to be involved as well eventually. But so you've got three people on that side that are all being paid X amount of money right to now sit on a call that's maybe an hour long and you having a call. I think within the first week we were doing one, if not two, calls per day talking about various things. So it's getting everybody together and it's the forensics team, it's that incident response manager, it's the legal side of things, and so forth.

Alisha Christian:

That sounds expensive.

Chris Haigh:

Yeah, it is, at the end of the day, and it's expensive as well just in time, right, because you keep getting pulled into the room and you have to talk and provide this and provide that and answer questions about this and that and et cetera, and there's a lot of time for the owner of that business, so the business itself and staff, as well as then the managed service provider that's involved and everybody else.

Alisha Christian:

Yeah.

Chris Haigh:

And just because people will often go like, okay, I don't know, why are there so many people involved? And I go okay, well, the insurance company has got a vested interest in what's going on, right, because?

Alisha Christian:

obviously they don't want to pay out, right?

Chris Haigh:

You have an incident manager that's coordinating, right, what happens next. Who do we get involved, coordinating the meetings, et cetera. You have a forensics team get involved because they need to know, right, how did they get in, when did they get in, what did they touch, what data was touched. Then, once they have that information, then you've got specialists that are then combing through the data, looking for personal identifiable information. So there's almost like a data categorization specialist going through that part and we're talking thousands of dollars to do this, right, investigation. So they're running through what that looks like. There's legal to give you advice around the law, right, because you've got a Notifiable Data Breach scheme, right, under the Privacy Act that most businesses are caught under. So, and again, a lot of businesses don't understand that they are caught under this, there is a legal obligation. If there's personal identifiable information involved in a breach and there's a potential for harm, whether it's physical harm, financial harm, you know, psychological harm, there's various harms, then you are going to have to notify the information commissioner. So there's a duty there.

Alisha Christian:

So what happens if you are breached and that information is stolen, but you don't notify?

Chris Haigh:

Look, technically you could get away with it because, who knows? So it might be a case of that data gets sold onto the dark web, becomes public knowledge. You might have clients that have noted their data out there, right, or they might actually be attacked themselves through phishing, and that because their data is out there, and then they go back to you as the business going hey, you've lost my data. So technically they could raise a claim. They could go to the information commissioner and go hey, my data was leaked.

Alisha Christian:

If they know, of course there's got to be some sort of yeah there's got to be, yeah, that's it.

Chris Haigh:

It'd be very hard, I imagine for someone to prove that that's what the information came from yeah.

Alisha Christian:

And if they do get caught, is there some sort of fine or?

Chris Haigh:

Potentially, yeah, so far there's been no fines. So you know that law came in, I think it was 2018. So February 2018, we had the Notifiable Data Breach Scheme come in and the fine at the time, I think, was just over 2 million, 2.2, somewhere around there.

Alisha Christian:

Well, that's a hefty fine, isn't it?

Chris Haigh:

It is a hefty fine and they actually threatened directors as well with a fine. So a personal fine of, I think it was around 420,000, somewhere around there. They do it in units. It's a weird measurement. Yeah, so the idea is like 400,000 you've got to have lying around as a director because you could be taken to court, and then, of course, 2.2 million for the business. You've got to have that lying around somewhere. Does insurance, maybe? Maybe your insurance covers it? It's something to certainly think about. But recently, in the last year, I think, somewhere around there, they increased that fine to potentially $50 million or above.

Alisha Christian:

That seems a substantial increase.

Chris Haigh:

It's a massive increase, but they're bringing it in line with GDPR laws in Europe, right. So their laws are substantially stronger around privacy and protecting privacy, where ours were maybe a little bit lacking, and they still are. They're adjusting them as we go and we expect that they will line up to something like GDPR laws, or the Californian privacy laws are also very strict. So, yeah, it could potentially be more than $50 million because it now goes on turnover of business, which is similar to the GDPR laws. So it could be massive. But, again, no fines yet. Medibank would be an interesting one, because now we're seeing what's happening with that.

Alisha Christian:

Yes, that's a good case to watch. Yeah, see what happens there.

Chris Haigh:

Exactly.

Alisha Christian:

But yeah, I think, like a lot of businesses, probably small to medium, aren't that aware of you, know all these things behind the scenes if you are breached.

Chris Haigh:

No, absolutely. And you know, just kind of coming back to the people that are involved and what that looks like, because quite often you'll have customers go okay, so they want to charge me, let's say, $10,000. Why don't I just pay it and I'll get the data back? There's a couple of things there that I do want to caution against. Number one, it's generally not $10,000 anymore, it's probably closer to half a million is where often we'll start. That will hurt, or more. So you've got to be careful with that as an actual cost. But the other thing is looking at the legal ramifications around that as well, because the idea here is you're going like, okay, I'll pay, I'll get the data back and off I go, right? You're negotiating with the criminal.

Chris Haigh:

I was thinking that so it's kind of like oh yeah, no, we're honest criminals. You pay us, we will absolutely delete your data. I'm like hmm.

Alisha Christian:

Yes, it sounds very suspicious, right.

Chris Haigh:

And the thing is, there have been criminal gangs taken apart by one of the three-letter agencies, whether it was FBI, CIA, I can't remember, but they found infrastructure, so servers et cetera, that were used in ransomware attacks and the data was all on those devices.

Chris Haigh:

So you could be paying up and still, I'm not saying they were used, but the data certainly was there on the systems where they've gone back and looked, oh, it was this business, right, because they can see the data, right, so they go, oh, it's this business. Oh, they paid the ransomware and they said they'd delete it and it was sitting there. Now, were they going to on-sell that? So secondary black market somewhere, potentially? You don't know, right, but again you're talking to a criminal.

Alisha Christian:

I know you can't expect a criminal to be honest.

Chris Haigh:

Exactly, and I'll tell you what, you've got insurance companies that have, so now here's another group, another party that's involved. You have professional negotiators for ransomware. So these people have experience in actually talking to these ransomware gangs to basically lower the costs, right. And what happens is they actually get to know the ransomware gangs and which ones are, quote, unquote, honest, as in, ah, this particular gang would normally reduce the cost of what they've asked by half straight away. They know that, so they don't muck around. They get on there and go hey, hey, yeah, it's you again. Like, can we go from a million bucks to half a million? Yes. Awesome, I'll go back to my client, that kind of thing. And then they know generally if they pay that data is not going to be sold.

Chris Haigh:

That's certainly a different career.

Alisha Christian:

It's very interesting. Ransomware.

Chris Haigh:

Negotiator.

Alisha Christian:

Negotiator.

Chris Haigh:

Is literally what it is. And then beyond that, it gets very interesting as well. And then this is another party that gets involved, which is, let's say, you choose to pay the ransom, okay, is the group that you're paying it to, right, sanctioned by Australia? As in, is the group sanctioned, or is an individual in the gang sanctioned by Australia? Because if they are, you're now committing a felony by paying. So what happens is there's actually an investigation around sanctions and who's involved and trying to identify who the criminal gang actually is before you make the payment. And then they're quite smart around it as well, because the insurance company has got to have arm's length from a legal perspective in case they've made a mistake. So the business, so, let's say, it gets negotiated down to half a million. So you want to pay it because you don't want the data going onto the dark web.

Alisha Christian:

Yeah, enough.

Chris Haigh:

Okay, so you've decided, okay, we're going to pay it. We're still going to have to notify everyone. We can do all the right things, but we're going to pay to try and get it not onto the dark web, and that's a decision for the business. I've got more to say about that, but I'll come back to that. So they investigate. No, there shouldn't be sanctions. So the company itself would have to find the half a million dollars and they're not going to get the money from, so the insurance company is not going to pay, right? What has to happen is the business has to pay because now, legally, they made the payment. So if it is sanctioned, it's on that business, and then the insurance company will reimburse it.

Alisha Christian:

So you've got to find yourself half a million dollars.

Chris Haigh:

Or a million dollars or 20 million or whatever they're asking for, and then hope that the insurance company is going to reimburse you down the track, and who knows how long down the track. Yeah, I don't know.

Alisha Christian:

We should invite an insurance person on.

Chris Haigh:

We should do that and we can have a conversation, exactly Because I think it would be quite interesting to understand the background of that.

Alisha Christian:

Well, especially with other insurances like sometimes there's, you know, long lead time, and I mean that's a long time if you've had to borrow that half a million or a million dollars to cover it.

Chris Haigh:

Exactly. Yeah, that's a scary thought, so yeah. So technically you want to avoid jail time. I think we don't like to avoid jail time. Yeah, so that's there as well, so you can see, like, the number of parties that are involved is pretty, pretty insane.

Alisha Christian:

Well, I think that is one thing that people don't realize, just after the fact, how much goes on behind the scenes to get that business back up and running.

Chris Haigh:

Yeah, absolutely. Well, let's take this particular example right. So the breach was detected, you know. Luckily they did have a kind of a quicker warning system. So we saw the breach occur on Sunday morning and we had their systems restored and back up and running by around lunchtime about 90% up and operational by lunchtime, monday morning or Monday afternoon. So that is pretty quick to be back. So they were running again, right, so full running.

Chris Haigh:

But now we get insurance involved, all these parties, and now you've got the owner of the business and various other people involved. We sort all those things out over X number of weeks going forward, lots of time, and then there's more time involved and that more time is actually the notification. So you've got to notify the information commissioner and they'll come back to you and go, they might go, we need a list of all the people. Now.

Chris Haigh:

Remember, they've paid a party to do the PII search to identify everyone that's caught up in this particular breach. Because you have to notify every single person, right? So you're not just notifying the government that there's been this breach, you have to go to every single person that's been involved in that breach and explain to them briefly what happened, what data was involved, what they can do to protect themselves, and then offer potentially more help if they need to call. So immediately, what you have now is, in this case, there was probably about three staff full time for about two weeks calling all these people.

Alisha Christian:

Oh, I feel like that would be an awful job.

Chris Haigh:

It is. It's absolutely a terrible job because you might potentially have irate customers, et cetera. Having said that, what I will say, because I did get some feedback, is most customers were very empathetic to the business and said oh really? Sorry that's happened to you, it must be awful, and so forth. So I think people are starting to understand where this fits in and its impact.

Alisha Christian:

Do you think it's because people are becoming more conditioned to hearing about data breaches and their information being taken, whereas maybe 10 years ago, maybe?

Chris Haigh:

Medibank, Optus, et cetera. Yeah, it's becoming more of a norm. Unfortunately, it doesn't mean it's right or you have to accept it. And for me, there's a couple of things. There is educational business. What do you need to be doing to protect yourself or at least reduce the risk? Right? That's the main thing. When you're talking about cybersecurity, you could throw so much money at it and you're still not going to be 100% safe. You never 100% de-risk the situation, so it is a risk strategy. So how much do I invest to reduce the risk to an acceptable level to run my business? And that does take some thought.

Chris Haigh:

I would put it out there to anyone that owns a business. I'd be like right, what personal identifiable information do you hold on your customers? Right? So think about what you collect, dates of birth, et cetera. Think about what you collect. Then the next question is where is it stored in your business? Right? Because I could tell you what most people I ask is. Number one, they're not 100% sure of what personal identifiable information they do collect. So they've got to go and ask, like the business owner would be like oh, go ask the business manager here, the sales, what are you collecting, right? So there's a bunch of stuff there. Then where is it kept? And it's like, oh, okay, that gets interesting. I'd be like do customers email you stuff? Oh, yeah, all the time. Not good. So you've got driver's licenses sitting in people's emails, various emails, actually, right. Plus, then they store that to the central, you know, repository or whatever, and then they go.

Chris Haigh:

What about when clients come in and they scan their passport to do the hundred point ID check? They're like, yeah, okay. So is that sitting on the machine that the scanner is attached to? Probably. Do you copy it somewhere? Yeah. Is that then copied into the case? Okay, so it's sitting in three different places, right? Okay, then I'll be like who has access to it? Oh, no, well, the client files are locked down to only these particular people can see it. You know, let's say it's lawyers, as an example, only these attorneys can see that. I'd be like, okay, but what about the scanning machine? Who's got access to that? Oh, anyone. Okay, so anyone's got access to all the data. Great. So there's, if you start digging, and I suggest you do, that's where you need to start tightening up.

Alisha Christian:

Well, cause you don't even think about those things, do you? Like even you go and you know, hire a car, what do they do? They take a photocopy of your license. And where does that end up? Yeah, I know. Do they shred it later or does that just sit in? I?

Chris Haigh:

absolutely hate that. Yeah, they'll be filling in a form and it's like they've written down your driver's license number, your, you know, your address, where you are, and then they make a mistake, right, and they put a pen to it and they tear it in half and throw it in their waste paper basket. I'm like, um, sorry, could you just take that back and pop it through the shredder that's sitting next to it?

Alisha Christian:

But see, most people wouldn't even think, no, to suggest that. I mean, since working with you for over five years, I've definitely become a lot more paranoid, in a good way, but most people wouldn't even think to say can you please shred that, no, absolutely, or where is that going? Where is that going to be?

Chris Haigh:

It really does come to a bit of paranoia around here. It's probably not a bad idea, right? So protecting your own data is important, but again, as a business owner and a business, what data are you collecting? Where is it stored? So, is it stored appropriately? Who has access to it?

Chris Haigh:

And the question that you quite often should start with is a data cleansing as well. So it's a case of going like well, I've held, so yeah, there'll be client files, let's say and this could be an estate agent, it could be like so many different places, right. And it's like okay, they've got files that are 15 years old. I'd be like, why do you still have it? I mean, that's a long time, exactly. So, from a legal perspective, yes, there might be certain legal things, like keeping stuff for seven years or 10 years, or, in medical, it might be up until the person gets to 18. There's lots of different rules, right, but do not keep information that you do not need because it is literally a target, right. That is a potential for more cost to your business when that data gets breached right and see people just wouldn't really think about it.

Alisha Christian:

They just have it probably stored away and they don't, no. Data cleansing, you almost make it sound relaxing, yeah.

Chris Haigh:

Well, the other thing is why you're collecting the data in the first place, because the other one, like a common one, is collecting dates of birth. I'd be like, please don't. They'd be like, no, but we like to hand out birthday gifts. That's right, I always lie anyway.

Chris Haigh:

I'd be like well, that's a good strategy. Always younger from, uh, but I often just do like birthday month. Then please, like, you don't need to know, um, even if you take the year away, so it can be the day, and, but you need to be careful on that one as well, because if I can get that data as a criminal and I know the day and month, then I look at your Facebook and people wish you happy birthday or whatever, and then I look back through your phone and there's an old graduation photo. I can quite often work it out, and so can a criminal. So you do have to be careful with the data.

Alisha Christian:

I've definitely been a bit more mindful about the social media aspect. It's a big one Since starting at Mercury.

Chris Haigh:

It's another one. I love to go into businesses and not necessarily talk to business owners at that point, but actually talk to staff, and quite often, when I'm talking about securing a business, right, you start with personal. It's about what people do on an individual basis. So what does their cybersecurity hygiene look like? What do they do on a day-to-day basis? Do they use a password manager or not? Do they store all their passwords in their browser? Bad idea, by the way. Don't use a password manager and I'll go through why. So why shouldn't I store it in a browser? Why should I use a password manager? You know, why should I use different passwords on all the? How am I going to remember all of them? Back to the password manager and so forth.

Chris Haigh:

You know you run through and social media is a huge one, absolutely massive. You know there's quite a few things online where you could see people posting on social media. Started my new job today and they've got photos with their new team and they've got their badge on and it's got their staff ID on, and you know criminals will zoom up, get the staff ID, et cetera. Make a call, pretend to be from the IT going, hey, Alisha, just want to, I'm from IT. It's Chris, by the way. Congrats on the new job. And yeah, you're pretty much at ease at that point, like I just want to confirm, just to make sure that I am speaking to the right person. So they turn this around and go, your staff ID is da da, da, da, da da and you go.

Alisha Christian:

Oh, yeah, it just that's so simple. And if you don't stop and think about it and question it. It's yeah, boom, you're done, unfortunately, and I think that is one thing with um, obviously we have our own internal training is just really reinforcing to stop. Take a minute, think about what you're clicking on. Check the email address. It's, and it is something that you know.

Chris Haigh:

Life's so busy, everyone's busy, busy, that you just click, click, click, get it done. Yes, exactly.

Alisha Christian:

So I think the yeah, the training has certainly helped slow down the team to make sure that we're not obviously putting the business or ourselves at risk?

Chris Haigh:

Yeah, and it happens all the time. I was telling you this morning, I was going backwards and forwards with a scammer yesterday.

Alisha Christian:

I got an email.

Chris Haigh:

It pretended to be one of the owners of Mercury, AJ, and it was like oh, are you busy right now?

Chris Haigh:

And it was to my personal address. So they've obviously cleaned that off LinkedIn, right? They've worked out in Mercury that AJ is one of the bosses. So now I'm pretending to be AJ and of course I like to play along with this sort of stuff because I use it in my training so I've got a nice email trail of exactly what they ask, how they ask, so I can then present that back to people going. Here is a real life example of them trying to get me to go and buy gift cards.

Alisha Christian:

Well, they were certainly targeting the wrong person, weren't they? They didn't do their full research.

Chris Haigh:

No, it was a little bit quick maybe, but to be fair, they were targeting about four to six people yesterday in our business. So you know it's for us to see that we put an alert out globally across teams going hey, just be aware this is what's happening.

Alisha Christian:

But you know there's pretty much no one in Mercury that's going to fall for that because of the training, and you know we speak about this sort of stuff all the time. Well, I guess that's kind of what you're talking about earlier too, is that you can only, um, put so much in place, but then it also comes down to your staff and human error.

Chris Haigh:

Yeah, absolutely. And then if mistakes get made, and they will, what is your resilience plan? And that is absolutely critical and again, kind of part of this talk going, well, what's the true cost? So there's a couple of things here that we've spoken about: the number of parties involved, the time involved is huge. And then if we look at the financial costs, just to put it in perspective, this particular breach was in around 1, 1.2 million as a total cost. So when insurance got all those different parties to do the investigation, that cost you 24 grand to check that it's not sanctioned. It's about, you know, $40,000 to run the PII checks, it's $15,000 for legal advice. It all adds up, right.

Alisha Christian:

I mean, that's a staggering amount of money.

Chris Haigh:

It is. And then think about it. If your insurance, and this is common, I can't remember with this particular case, but your insurance, you might be insured for half a million. Well, now you have to come up with $500,000 to $700,000, right, to cover the shortfall.

Alisha Christian:

Which for a small to medium business.

Chris Haigh:

It's going to be hard. Yes, so in this particular breach, as an example, just to give you an idea of the size and the type of business, we've already said there was a lot of PII involved in the business. So you kind of understand, I guess. So it's probably a professional services type business or real estate or something like that, and it was about 40 staff. So that gives you a size and yeah, so 1.2 million as an overall cost, and then that doesn't take into account staff time cost.

Alisha Christian:

Yes, that's it.

Chris Haigh:

That's not in there right and that is potentially also very expensive. So three weeks of time lost across three different staff members plus the owner of the business, it adds up it's a lot.

Alisha Christian:

Yeah, I mean, that certainly would add up, and I guess people don't really think about that aspect of it, do they? They just think data breach, oh my goodness, information's getting out there. You've got to pay the ransomware, but all the behind-the-scenes costs and time is... Absolutely, and there's a good question where you said, oh, pay the ransomware.

Chris Haigh:

Quite often, you know, the correct course of action is to not pay the ransomware either. So you look at how Medibank dealt with it. They were like no, okay, data's out there, we're going to have to deal with it. Right, there is talk, for instance, of the government making it illegal to pay the ransom, because the idea is if the businesses keep paying the ransomware, it's not going away.

Alisha Christian:

Well, that's true. This is more incentive for criminals. How do we?

Chris Haigh:

Draw a line in the sand and stop it? Is you just force businesses not to pay? Will businesses go under because of it? Probably, and that's maybe where the government needs to have a think about it. Okay, well, what support are they going to give businesses that are impacted by ransomware and they can't make their wages payment, for instance? So they'll go bust, they'll go broke within two weeks if they don't get some sort of help from the government. So I mean, that's something I'd like to see, that there's a little bit more support, help, support, you know, from a government. Especially if they're then going to mandate not paying, then it's like, okay, well, how are we going to balance this? Because you're talking about, and it's going to impact, unfortunately, small and medium business. So now you're talking about a lot of people just losing their jobs, and it's a horrible situation overall, which I suppose, when I'm talking about this and the true cost, yeah, so now we have a kind of an idea of what's involved and it's a little bit overwhelming.

Alisha Christian:

There's a good word.

Chris Haigh:

Yeah, um, but then we've got to say, okay, well, what can you do? You know, what should you be doing? And some of the stuff that I'd say straight up, cause there's obviously lots of different things you can be doing and quite often that's a problem as well. Where do you start? And the advice I would give to start with is the Australian government, so through the Australian Signals Directorate initially and now with the Australian Cyber Security Centre, basically put together a number of controls for, initially, government and contractors to government, and there were 37 controls that they put together going, these are the types of controls that you should have in place, and they kind of ordered them in kind of best to nice to have, let's say. And out of those controls, there were the kind of top eight which they referenced as the Essential Eight. So the Essential Eight as controls is something that businesses definitely should be looking at. So this came about 2017. So it's been around for a while.

Chris Haigh:

Oh, okay, longer than I thought and government agencies are supposed to have this in place and some do not. All they're getting there, but there's different maturity levels as well. So maturity level one, two and three, I mean there's zero, where you meet none of the controls you don't want to be that person you don't want to.

Chris Haigh:

So the idea is that most businesses, most small and medium businesses, should be aiming for at least maturity level one in Essential Eight controls, and they're things that you would expect, right, if you've read anything on kind of cybersecurity, which is things like having backups, as an example, you know, so pretty basic stuff. Things like patching your software, like we spoke about that, things like using multi-factor authentication on your passwords, you know, things. So those are some of the types of controls that we're talking about, and the government just last year launched a training program to train assessors of the Essential Eight. So that's something myself and Martin within Mercury have done. So we've been on that training through TAFE Cyber. So, like I said, government-designed training to assess Essential Eight controls, and it's definitely something I'd recommend as a starting point for businesses. Do an Essential Eight assessment so you can see where you are currently with your controls and then start working towards it. That's going to be the important thing. It's not a case of like, okay, I need to get all these things in straight away.

Chris Haigh:

It's very, very difficult to do straight off the bat, but if you've got a plan, a project over six months, 12 months, where you can, you know, go your if you've got an incumbent managed service provider or go to a specialist security provider. And then like, for instance, if a customer comes to us, we'll go through that and then we'll show them the gaps right, what parts are you not meeting? And then we'll put it in like a priority order. We'll be like look, this is probably going to. These three things cost nothing to do, so get those done now. Internally, you can do that. It's like write a policy on this, go, do it right, and we can help check it, et cetera, give them some advice.

Chris Haigh:

And then there will be things that do cost money that you should potentially put in place, like something like application control. Right, it's one of the controls in Essential 8 that you should have. So it's like okay, application control. Yes, we've got a solution for that. That's what it costs. This is how long it's going to take to roll out. And where do we put that? Oh, can't afford it right now. Okay, can we budget it in three months' time? Yes, put it on the roadmap. And at least you've got a roadmap and you're working towards, we've got a plan, don't you?

Alisha Christian:

That's the idea. You can see where you're at, see what you need to get to, because, I mean, it's not going to get any better out there, is it? No.

Chris Haigh:

And that is a very good point, and that's the thing, there is no magic bullet. Like you really do have to be careful with that because, well, sales, you know, it's like you know people coming to your business going oh yes, we've looked at your business and we've worked out big, big, big red flags. Your printers are going to be hacked. I'm like, yes, potentially true. Last thing you should be worried about when you have all these other things that you haven't done yet, right.

Chris Haigh:

So, and obviously that's a sales tactic, right, they're not wrong, but the focus is like in the wrong place, which is why I like going through something that the government has gone, this is the type of thing that you should be doing and what you should be aiming at, and then we can prioritize that list based on hey, this is a high risk, so you should get done first versus yeah, you can replace your printers with more secure printers later, once you've done all these other things.

Alisha Christian:

Well, that's it, isn't it? And I think for a lot of people it would be quite overwhelming, so, to be able to have an Essential 8 assessment done, it probably simplifies it a little bit.

Chris Haigh:

Yeah, absolutely. And just to be clear, Essential 8 is not the only framework that you can work towards. So other businesses, like a larger business, might decide to go with something like an international certification like ISO 27001. Now, that's an International Standards Organization security certification.

Alisha Christian:

I'm pretty sure I've heard you talk about that one before.

Chris Haigh:

Yeah, that's a good one to have, but it is quite laborious to get. But if you were a contractor to government or like in the public eye a lot, or et cetera, then it may be worth going down that path. Another one that's a little bit more broad is something like the NIST cybersecurity framework. That's something I've spoken about a lot.

Chris Haigh:

I think I've done some videos on our website around NIST as a control system and you can also use those together. So it's really again up to the business to decide. Talk to an expert around cybersecurity to have an understanding of what's going to suit your business best, right.

Alisha Christian:

Well, that's it, isn't it? Because it's not sort of like a one-fits-all kind of situation.

Chris Haigh:

It really isn't. And I would say if you don't know and you don't know what to do, then just stick with Essential 8. Start there, at least you know and you can get that maturity roadmap moving.

Alisha Christian:

Yeah, is there anything else you want to share with the listeners today? I mean, I'm pretty sure you've terrified us all, but I think that's the main thing is just being prepared.

Chris Haigh:

You know, I would say that cybersecurity has been focused on all the stuff that you can do pre-attack, pre-breach, and that stuff's important, and I would say most, hopefully, businesses have a lot of those things in place, whether it's firewalls, using a password manager, you know, using MFA, having backups. All those things are kind of pre. But don't forget about what happens when you're breached, right, because that is a common saying: it's not if, it's when.

Chris Haigh:

Like you've heard it a million times. I have heard that, and it really, really is, as I don't care how secure you are and what you've got in place, you will be breached at some point. So, when it happens, what are your resilience controls? Because honestly it's really about how fast can you get your business back on track and running and serving your customers. How do you survive? That's the thing, you know. Any business owner or board should be sitting down and actually asking the board, right, if we had a breach that did this, we had ransomware, everything shut down. How do we survive? That is an honest question. You need to sit there and think about it and actually go, eh, it's going to happen, so deal with it now. I'd even go as far as to say boards should be running exercises at least once a year. You should be sitting down and actually running through an actual exercise, going right, we've got ransomware. This is what's happened. The technical teams have told us this. As a board, how do we respond?

Alisha Christian:

Do you think? By doing something like that too, it does take the emotion out, because if and when it happens it's not sort of your hot off the collar kind of you know freaking out because you haven't spoken about it. Where's that breach response plan?

Chris Haigh:

Yeah, it's like everybody knows. It's like a fire drill. It is exactly like a fire drill. So I would say your technical teams probably drill a little bit more, because there's a lot they have to do on the back end, but don't forget about your executive team as well. So often what's left out, as an example, is if you are a little bit more public-facing, what are you saying to the newspapers when they come? Businesses that are prepared for this will generally have pre-prepared statements about whether it's ransomware, whether data has been leaked or not, where they are, et cetera, and you'll see which businesses do this well, because they'll get breached and that information goes out instantly. There's none of this, no one say anything. It's like, you know, Medibank. You know what's happening? No one knows.

Alisha Christian:

You just wait.

Chris Haigh:

Right Now, businesses that do this well. They're well ahead of the game. This is not coming out from a journalist first, or anything like that. They're immediately coming out and going. This is what's happened.

Alisha Christian:

They want to get ahead.

Chris Haigh:

We even and it is very important that you say things like our teams are on it. You know we've engaged with this. We've engaged external cybersecurity help. We're looking into. We do not know the extent of the breach at this moment. We are looking. As soon as we know, we will let you know, cause that's better than crickets.

Alisha Christian:

Definitely. Well then people just come up with their own versions of what's happening. And that can sometimes be even worse than what is actually happening.

Chris Haigh:

Absolutely, and again, I'm not saying that's necessarily the correct approach. Every business needs to make a decision of what they think that approach should be, because it is your decision. But then sit down, work out what that statement looks like, right, and that would quite often go through legal. It's going to go through your PR it's going to go, you know it's. But do that. Don't try and scramble when your systems are down. Everybody's panicking and no one can think straight, and so cyber resilience.

Alisha Christian:

Good tip there.

Chris Haigh:

Practice.

Alisha Christian:

Yeah, excellent. Well, look, I mean, it's been a great talk today. I'm sure that the listeners all have plenty to think about. If people want to reach out to Chris and hear a bit more, what's the best spot for them to get in touch with you?

Chris Haigh:

Uh, I would say LinkedIn is probably the easiest. So if you just search for my name, Chris Haigh, or Mercury, and it will pop up and you'll see me there.

Alisha Christian:

I think you might be actually Christopher now.

Chris Haigh:

I have changed it to Christopher to match my passport.

Alisha Christian:

Which is a whole other podcast, just so that you know that it's mine. No, that's great. Well, thanks a lot for coming along today.

Chris Haigh:

It's been a great chat. Awesome, thank you.
