Tech Insights with Alisha Christian

Your Data Is More Valuable Than You Think: Why You Need the Essential Eight

Mercury IT

Cybersecurity isn't just for the big players anymore. In this enlightening conversation, cybersecurity experts Chris and Martin break down Australia's Essential 8 framework - revealing why these eight categories of technical controls have become the gold standard for business protection across the country.

The duo dismantles the dangerous myth that small businesses aren't on hackers' radars. "They use a scattergun approach," explains Chris, detailing how automated phishing campaigns target millions simultaneously before compromised credentials are sold between criminal groups. This sobering reality check comes with a compelling comparison: most businesses wouldn't think twice about purchasing building insurance despite the low probability of a fire, yet many resist implementing cybersecurity measures despite the significantly higher likelihood of experiencing a data breach.

Supply chain requirements are rapidly changing the game. Even small businesses are finding themselves subject to cybersecurity requirements flowing down from larger contracts, particularly those touching critical infrastructure or government services. As Martin notes, "You might not have realised your widget eventually ends up in critical infrastructure," highlighting the importance of understanding your full supply chain.

For listeners just beginning their cybersecurity journey, the experts provide practical starting points: identify what data you have, where it's stored, and who has access to it. They recommend engaging with cybersecurity specialists to assess your current posture against frameworks like Essential 8, NIST, or ISO 27001, depending on your specific needs and risk profile.

The conversation closes with personal security tips everyone should implement - from locking down social media accounts to using different passwords across services. Check "Have I Been Pwned" to see if your credentials have already been compromised, and remember that proper data governance includes deleting information you no longer need. As Chris emphasises, "Every little point of data is a point of risk."

Speaker 1:

Today, on Tech Insights, we're having a panel discussion, and I have joining me our two cyber security experts, Chris and Martin. Today we'll be talking about the Essential Eight, the importance of it for your business and also how to go about getting an assessment to get the ball rolling. Hope you enjoy the show. Welcome to Tech Insights. Today I have with us Chris, our Chief Information Security Officer.

Speaker 2:

Hello.

Speaker 1:

And Martin O'Riordan, our Head of Cyber Security. Hello, welcome to Tech Insights. So recently, you both completed your certification for Essential 8 Assessors.

Speaker 3:

Yes, yes right.

Speaker 1:

Could you start by sharing with the listeners a little bit about what the Essential 8 actually is.

Speaker 2:

Yeah, sure, look, it's a government-led initiative that started back in 2017. It came from the Australian Signals Directorate and what they did is they were looking at well, how do we protect businesses more specifically around government. So government agencies initially, and then it spread out to other companies. But they looked at a number of controls or mitigation strategies that would mitigate ransomware and malware, bad things basically happening to people's computer systems, and that list was around 37 controls initially, but they were ordered into essential, excellent, good, nice to have, basically, and the Essential Eight is the Essential 8 of those 37 controls.

Speaker 2:

And then that has evolved over the years to expand as computer systems change rapidly and you've got now also different maturity levels within Essential 8. So where maturity level one, which they'll sometimes say ML1, maturity level one in Essential 8, is what government now would like most, if not all, businesses across Australia to adopt, so that they're protecting themselves adequately. ML2, so maturity level two and three, are generally there for companies that are of a higher risk. So I think again, government agencies, which are actually mandated to level two, but then contractors to government, universities et cetera. So they kind of choose between level two or level three is generally the idea.

Speaker 1:

Wow Sounds pretty heavy. Do you think we could break it down a little bit further and just let the listeners know what those actual eight components are?

Speaker 2:

Yeah, sure, the eight components, just from a high level. And I think something to be aware of straight from the beginning is it's not just eight things, it's eight categories. So it's not eight controls, it's eight categories of controls. So even at maturity level one you are at like 40 plus controls, I think it's about 47-ish controls that you would need to put in place to meet that particular requirement. But what they are just from a very high level and we can dig into them a little bit more afterwards, but just from a high level it's application control, right. You have which they might call application whitelisting is what it used to be called. You've got patching of operating system. You've got patching of applications, right. You've got MFA, so multi-factor authentication, regular backups. You've got macro management, right, so restrictions of macros. You've got restricted administrative access and you've got hardening of user applications. So it's those eight things as categories.

Speaker 3:

Probably really important for everyone to understand that the Essential Eight are technical controls. So when we talk about security and we talk about our layered security posture, there are hard control or technical controls, like the Essential Eight, and then you have the soft controls, like the training and policies and other things that you need to have in place. So, whilst the Essential Eight is a really, really good place to start, it's not all of the security posture that you need. So it's one of those things we really do want to let people know that you can't just put the Essential Eight in and you're magically protected from all security risks.

Speaker 1:

Correct. That's good to know that is very good.

Speaker 2:

There's a lot of, you know. We've spoken about this often with businesses. It's like Essential Eight is a good starting point, like Martin said, from a technical control perspective, but there's a lot of different frameworks that you could choose and the best thing to do is actually get your incumbent or someone with knowledge, a cybersecurity expert, to actually sit down with the business, find out what that business does, actually understand a bit about the business and then talk about the different frameworks and what's actually going to meet your requirements. Some of the top frameworks that we generally discuss with our clients are things like obviously, Essential Eight is what we're speaking about today, but you've got stuff things like NIST Cybersecurity Framework, which is a global North American standard but taken up globally, and it's a very popular one.

Speaker 2:

Another one would be things like an ISO standard, because that you can actually be certified in, whereas you can't be certified in Essential 8, you can't be certified in NIST, but you can be certified, so have a stamp of approval, much like ISO 9001, people relate to quality control, right, so ISO 27001 is around cybersecurity. So you've got those ISO standards and there's others out there as well. But those kind of top three, the Essential Eight, NIST and ISO, are probably the top ones I would like to mention as well. There is a newer one picking up ground and getting a lot of chats with governments at the moment and companies is something called SMB 1001. So that is something to watch and it's something that we're starting to have discussions around for our customers as well.

Speaker 3:

It's kind of a set of framework that is designed more for small and medium business, so it is a little bit easier for businesses to meet the requirements of that and have that framework actually deliver something for them. And it still has, uh, some elements of uh self-assessment, but as you increase in the levels in that particular framework, you can also be assessed in it as well.

Speaker 2:

Yeah, so it's quite it's. It's an interesting starting point and again, it's, it's, it's like a hundred dollars to get going. So it's a it's an interesting one to start with as well.

Speaker 1:

Yeah, and it's good that you mentioned that. Basically, not one size fits all. It's important to make sure that your situation and your business is assessed so that you go down the right path and have the right cover.

Speaker 3:

Absolutely. We actually find quite often that we take bits from lots of different frameworks because that works better, so not necessarily that one framework is the right fit. It can be that you take elements from different frameworks for that particular business.

Speaker 1:

That also is important that people know that they can have a customised solution and not have to take all of it.

Speaker 2:

Yep absolutely.

Speaker 1:

What are you sort of finding? That people out there are thinking cybersecurity-wise. What's their biggest fear, do you think?

Speaker 3:

I think it's a hard one, because people do value things like insurance.

Speaker 3:

So especially businesses. Businesses, you rarely find one that doesn't have building insurance or contents insurance, or even insurance against their directors and officers doing the wrong thing, but quite often they don't think that putting protections in place, like cybersecurity, as being as important as those sorts of insurances, or that they think just having cyber insurance fixes all of the problems. Because we do know that prevention is always better than the cure and you would much prefer to not have the building burned down than just claim the insurance afterwards.

Speaker 3:

It is kind of one of those scenarios where it is always better to have the things in place beforehand and it can be hard for businesses to think and justify and go. Well, hang on a second, I've never had a breach. I've got all these things in place, but I've never had a breach. Well, that's probably the point is to have the things in place to prevent the breach and that's why you don't. So it really makes a lot of sense to do those things and have that in place before there is an issue.

Speaker 1:

Yes, definitely, prevention is always better than cure, for sure.

Speaker 3:

But it's interesting, a lot of people don't necessarily think like that. And you have businesses who've paid insurance for years and years and years against their building burning down. The likelihood of your building burning down is way less than having your systems breached.

Speaker 1:

Yeah, agreed I think often too. Um, people of small businesses think that you know why would they be targeted that kind of thing like they. Only the cyber criminals only target big business. So I think that's kind of a bit of a myth that needs to be yeah, it's a.

Speaker 2:

It's a myth that we bring up often, I think in most conversations, because it tends to persist out there for some reason. And, uh, yeah, we always discuss it as the scattergun approach. It's a case of, like, a lot of these things start with a phishing email and those phishing emails are generally not targeted. They scattergun sprayed out there in the millions and someone happens to click and hand over the details. So as far as a cyber criminal and it's all automated, by the way. So cyber criminals got awesome tools these days and probably making it worse with AI now, where it's an automated run and whoever clicks and hands over the details, it automatically passes it into a list and then that list gets onsold to another third party and then that third party does the initial breach and then that breach or that access is then sold on to another criminal party. So it's a big, big operation and it's not necessarily targeted. Don't get me wrong. It can be targeted, and that's when we started talking about ML2 and 3, like a university would be targeted.

Speaker 3:

Government agencies are targeted, yeah, and big business is targeted.

Speaker 2:

Yeah, critical infrastructure.

Speaker 3:

But also, you see, any business that handles large financial transactions. They are well and truly targeted.

Speaker 1:

That's just a scary thought. So you've both been involved in cybersecurity for quite a number of years. Just curious to know why you're so passionate about it. Maybe I'll start with you first, Chris.

Speaker 2:

Yeah, sure. Cybersecurity I always found interesting, maybe from just because I was a techie and interested in technology and being able to circumvent systems, right. So back in 98,

Speaker 2:

I taught my first cybersecurity course to students on securing Windows NT4. And that was basically teaching them how to secure an on-premise server. And I've been hooked on the technical side for a long time. But then I started once I ran my own businesses and things like that I got onto that thing of hold on a second. I got passionate about educating people and business owners, or protecting their business, because it was that point, that knowledge gap, let's say, of actually connecting the dots between, if this piece of technology goes down, right, because it's been hacked, breached or it's had a denial of service attack or something on it around cybersecurity, what does it actually mean to that business? Right, and to equate or connect the dots is very, very important around. If that goes down, what is the reputational damage to your business? Or if you can't, if your payroll system goes down, as an example, because of something going down affecting the payroll and you can't pay your drivers, right, of a delivery business. I'm looking at you, Toll. How long are you going to stay in business?

Speaker 1:

It would be disastrous, wouldn't it?

Speaker 2:

That was close on disaster. So yeah, so I'm passionate about helping business understand, so for me, a lot of it is an education piece, which is why I love to do a podcast like this to actually discuss it.

Speaker 1:

Yeah, excellent. And Martin, I know you two have also had many years in cybersecurity and probably seen a lot of changes happening over the years. What sort of brought you into this industry?

Speaker 3:

I think I was just I'm probably, while Chris sort of got involved quite early in the technical side, I got quite early involved in the bits you don't think are too, uh, exciting, that the governance and risk and oh, my favorite word, governance. It is one of those areas where, uh, it's really important and people don't necessarily think it's important.

Speaker 3:

So I think I just got involved quite early because I saw the importance of it and from there it just came to a point where you want people to put it in. You want people to actually value having security across their organisation, valuing the data of their customers. It's one of the things that I get quite passionate about is the fact that people most businesses will value their customers. They do that is their bread and butter, that's what they get up every morning to do, and yet a lot of them don't value their customers' data to the point of being able to put effective controls in place to prevent that data being stolen or leaked. So I like to try and, like Chris, educate people on the need of having those effective controls in place to make sure that your business can be there tomorrow when other businesses might fail because they've been breached and had all of their customer data stolen and the government's now fining them $50 million and the Australian Security Commission is now fining them for breaching their directorial responsibilities.

Speaker 3:

Those things are bad. Maybe if we take more of a stock on preventing it in the first place, it would be a lot better. And yes, there is a cost involved to that. But like everything in business, there's always costs involved. Staff are a cost, buildings, premises are a cost. Everything's a cost. If you can't afford to protect your data, you probably can't afford to be in business.

Speaker 1:

Yeah, and that definitely is a good point. And as much as I say governance, yes, it's not the most exciting topic. It is important to have people like you that are passionate about that and can explain to businesses the importance of it. So, yes, I'll stop teasing you about it now.

Speaker 3:

No, you won't.

Speaker 1:

So what kind of pushback do you have from businesses with regards to cybersecurity, like what is normally their main objection?

Speaker 3:

I think you actually sort of touched on it before it's I'm not going to suffer a breach, it's not going to happen to me is probably one of the biggest ones. Or that it's too expensive is probably. Another pushback is that they don't see the value in spending the money to actually protect the data. But, as I said, they'll protect the building and they'll put locks on the doors, but they won't necessarily put locks on their data.

Speaker 2:

I think it's human nature at the end of the day, because you're talking about trying to assess risk and it's not an easy topic, mostly because you want to fall asleep when talking about it, right? And it is so when people are going from like a gut instinct of do I want to spend this money to protect? The risk analysis has not been done. Because if you had done the risk analysis then it's an easy decision because you can actually show what that loss rate is annualized. You know if it happens because you can take that percentage oh money going to get breached once every 10 years. You can still work out what that would cost then per year and then your security mechanism costs X against that and you know if your security mechanisms are around the same or lower, then it makes sense to go in. But quite often that risk analysis has not been done and, like I said, humans are not great at off-the-cuff risk analysis.

Speaker 3:

We've actually seen more traction in the cybersecurity space since the government implemented fines for privacy breaches. So the notifiable data breach that came in in 2017? 2018. 2018, yeah, that really did see a bit more traction in the marketplace where people saw well, hang on a second. I actually have to do this.

Speaker 1:

Well, they're more accountable, aren't they? Because?

Speaker 3:

All of a sudden, there's a punishment for not protecting people's data and not just the reputational damage, because before it was mostly just reliant on reputational damage as being a driver for people to do the right thing or the fact that you might have, you know, be sued by customers for losing data. Now you know you don't have to have that particular driver. It's government will actually control that side of things.

Speaker 1:

Yeah, I think it definitely does put more emphasis on it and people take it a bit more seriously, that's for sure.

Speaker 2:

And I think also having a few fairly large breaches regularly kind of brings it to the fore as well. Some of the Optus and Medibank and those breaches. Yeah, people are watching the Medibank one now because it's going through the legal process with the class action suit. So there could be some really interesting things that actually come out of that around what? Because a lot of the legislation is written relatively open in language, so there's, um, open to interpretation, right, and then it's often tested in the court of law. And well, now it's in a court of law. So now we start to see some of what is expected of businesses. Okay, admittedly it's businesses of that size, like Medibank is large compared to, you know, a small medium business. It's not going to be quite same, but it's going to give you at least a starting point of going, okay, well, what does a judge consider appropriate controls, cybersecurity controls within a business of that size. So that will be interesting and I think the cybersecurity community is actually watching that very carefully to see where it goes.

Speaker 1:

Yeah, I think having the spotlight on it definitely brings a lot more notoriety to the cybersecurity and people giving it a bit more thought and you know, where is? My data. What's happening to it? You know it's definitely important.

Speaker 3:

Also I think that it brought it home to a lot of people in their own lives that having those you know identity documents like driver's licenses and passports, and having to get them reissued tends to actually bring it quite make it quite real that it does have an impact on people. So losing someone's license number or their license does have an impact on someone.

Speaker 2:

Yes, that was a bit of a. It is, and you're right, it's because then people do start to question a little bit more of the businesses that they are trusting. Because, because I think there was almost like a blanket trust of like, oh, of course they're looking after the documents. I was like, well, are they? So I know, I know, I went to my financial advisor and they asked for, as they do, like everything right, and I was like, because again, they were like, oh, just email it to us.

Speaker 1:

I was like that's not happening well, it's amazing how many places still do that yeah exactly.

Speaker 2:

So I explained to them why and they were like oh, okay, that makes sense. And I was like do you have multi-factor auth installed and do you have this? And it was like pretty much, uh, what is that? So I was like go speak, because they had an incumbent IT. So I said can you go and speak to them? Make sure you got MFA on, make sure you're storing these documents correctly. Come back to me when you did. And they came, admittedly awesome, which is why now I do work with them, because they came back after two weeks and went okay, okay, got MFA installed and everything. We store it over here. This is what we do.

Speaker 1:

And I was like cool, great, but most people wouldn't question it. And that is the thing, isn't it? That most people would just email it over. I mean, I know previous to our discussions, I probably would have just emailed it.

Speaker 2:

But now it's like, like.

Speaker 1:

Well, if you don't do that, I'll bring it in or securely transfer it somehow.

Speaker 2:

Yeah, exactly, it's interesting, but I think it is because, again, cyber security, as it's a normal saying, right, it's everyone's responsibility and it does have to start again with us. It's our documents, it's our identity. You know it's like, um, you know, you, uh, lose your, um, your tax file number. That is a pain because they don't issue a new one. So what they do is they put a note on your account at the ATO and every time your accountant needs to check something, they've got to call the ATO, have them unlock the account so that they can access it, do stuff with it and then they lock it again and that's for life.

Speaker 2:

Oh, I never knew that, so it's complicated you know, and of course your accountant is just going to charge you more because it takes so much longer.

Speaker 1:

Yeah, exactly, there's an ATO 30 minutes.

Speaker 2:

So don't lose your tax file number.

Speaker 1:

Try not to do that. So I guess can you share any stories or case studies relating back to the essential eight where you know it's made a big impact on the business to have those components in place?

Speaker 2:

Look, I think, and I'll hand over to Martin after this one, I think the last one I dealt with is kind of a more, let's say, obvious one, and they had a contract with a large provider that was contracted to government. So what happens is you have an on-flow effect in that contract. So they were at risk of losing a multi-million dollar contract because they were not Essential Eight certified to at least level two. So in that case it was obvious that they had to get those controls in place. So in this case it was not lose an X million dollar contract.

Speaker 3:

Yeah, so the supply chain now is getting quite difficult to navigate. So you have a lot of small businesses who may provide goods and services to larger businesses, who provide goods and services to larger businesses, who provide goods and services to government, and it flows all the way down. So now they're getting quite a lot better at making sure that everyone in the supply chain has the basic level of security in place, which means that we're seeing more small businesses being captured by these requirements, and this isn't even the threat of having a cybersecurity fine placed against them. This is just about losing their bread and butter, making sure that they actually can deliver the services and deliver those contracts. So it's an interesting space. You're going to see a lot more businesses being required to actually deliver on that.

Speaker 2:

That's a good point. If you're a business owner, I would be having a look at who I supply to and check who they supply to. Because if you supply like you make a widget that goes into a, let's say, a valve, that then is supplied to a water company for those valves and they have a contract to like mains water right now, all of a sudden you've got critical infrastructure in your path and you might not have realized, because you know those valves also get sold to pool companies and various other things, but you happen to also supply to this company. That's critical infrastructure. And think critical infrastructure, right, and governments, that's where I would start.

Speaker 2:

So things like water, electricity, any kind of transport as well. So if you supply to rail, um shipping, so anything through docks, um airports, those sort of things, you need to think about as a supplier, because they may not have asked yet, right, but, um, you know it could come like a one we had was a contractor, the electrical contractor, um, but they supply to main roads, so now it's sitting on like the M1 connector and et cetera, so that all connects. So they're going to be asked okay, what level do you meet at some point?

Speaker 1:

So people really do need to analyze every aspect of their business these days, don't they?

Speaker 2:

Unfortunately, yes.

Speaker 1:

For those just starting out on the cybersecurity journey, what would be your advice?

Speaker 3:

Engage with your IT provider would be the first port of call, I would suspect, and ask them the questions what have they been recommending to them that at some point you said no, no, no, I don't need that and revisit it? Because quite often you know IT providers make lots of recommendations over time but companies will make decisions based on their priorities and sometimes it just never gets revisited. So it's probably a good opportunity to just revisit that and just go back to your provider and say, hey, look, I might have said yes or no in the past. Can we just run through it all again and maybe have a look at my entire cybersecurity posture?

Speaker 1:

And do all IT providers have cybersecurity departments or is there, you know, for people?

Speaker 2:

They won't necessarily have departments, but most MSPs will handle elements of security. Definitely you have to, like you know, patching your operating systems, doing backups, recommending MFA, things like that are going to be done. It's just a case of whether that is a holistic approach, if it's enough around that. So if I was running a business, I would definitely be looking for a provider that had something like a cybersecurity department, or look for a third party to do the cybersecurity, to work with your MSP. Like we do a lot of that as well where we'd have a business that wants to do Essential Eight. As an example, they've got their provider that's put in the controls because these are all freely available on the government site, which is awesome. You can go, you can download all the controls, you can hand it to your provider and go hey, we're interested in level one, which is where you should start, and then they can start looking at putting those controls in and then potentially have a dedicated cybersecurity partner. Actually do an assessment for you would be a good way of doing it. So you're getting that third party look as an example and then bring in the incumbents, whether it's around cybersecurity or IT, to come and then fix or remediate those issues that they found in the risk analysis. But just going back to you know where do you start, and so forth. So bear in mind then, if most MSPs are doing some elements of cybersecurity and you say to them, are you doing cybersecurity?

Speaker 2:

The short answer is yes. Now, is it enough for what you have? That's not necessarily true. So what I would do is probe a little bit more. It's kind of like start talking about directed due diligence, right, and making sure that you understand a little bit more about it. So you're asking the appropriate questions. And if you're not sure where to start, I wrote a document a while ago which is just a simple set of questions, like a starting point of going back to your MSP going, hey, can you answer these questions for me? Because if those get answered appropriately, then you know, okay, I've got a good starting point.

Speaker 2:

If you're still concerned. Another way again is bring in a provider that's dedicated on cybersecurity or has specialty in cybersecurity to come in and have that initial talk. So it's not an initial assessment like an Essential Eight assessment, but certainly come and have a chat about cybersecurity, what things are in place, because that will get the conversation going at least and you'll have an understanding of oh okay, I need to look at NIST or I don't have this, or maybe I should do an Essential Eight assessment, because I do supply this to that provider. So it's good to have that conversation.

Speaker 1:

Because I feel like it could be quite overwhelming for businesses just sort of starting out on that extra cybersecurity journey.

Speaker 2:

Yeah, absolutely.

Speaker 1:

Is there anything else that you'd like to share with the listeners about Essential 8 or cybersecurity in general?

Speaker 3:

Look, I think you're going to see more businesses sort of go down that pathway to Essential 8. I mean, Australia is trying to up the game quite a lot in its cybersecurity posture and that starts from the individuals, so from everyone, through businesses, through to government. So the fact that I think people are starting to value their own data a lot more will drive businesses to comply more and it does drive decision-making in government to make sure that businesses are doing everything that they can to make sure that their customers' data is secure.

Speaker 1:

Well, their expectation's set, isn't it? It's a bit higher.

Speaker 3:

It is, and I think that that's for too long. People just didn't really value their own data. You know how many people I've spoken to go, oh, the hackers can have all my data, but it doesn't matter. And then you start to talk about well, these are the implications of that Connecting the dots, yeah. And then they start going, oh, maybe they shouldn't have my data and maybe they shouldn't have my tax file number and driver's license and passport and, yes, it'd be preferable for them not to have that.

Speaker 3:

Yeah, it is definitely preferable not to have that and I guess some of the tips that we also talk about a lot is just your social media. Make sure you've got it locked down. Like, really honestly, too many people have it open that everyone can go and see everything, and it is a very good starting point for cyber criminals, not just in personal life, but that's how they can target people in businesses as well, because quite often people share where they work and if they're trying to target a business, they'll look for all the staff first and that's how they can start doing targeted phishing email attacks and there are a lot of oversharers on social media

Speaker 3:

There are, and then almost everyone's probably been involved in some kind of a, uh, website breach. So where you signed up for something, you've bought something from somewhere and your email address that you signed up with and a password that you put in were probably involved in some kind of a sale on the dark web. You can go and have a look online. Have I Been Pwned, it's a good place to have a look. Your email address is probably out there and probably a password associated with it. So a lot of people who don't have different passwords for everything, it's a very easy way into a business is having someone who uses their one password for everything across their personal life, not me.

Speaker 3:

And use it in their business life as well. So it starts at home.

Speaker 1:

It's lots of small things, isn't it really?

Speaker 2:

Starts at home. It's also small things, isn't it really? Tips I would give for a business owner is start with your data, because you're talking about valuing your data. So two questions, right. What data do you have? First question. The second question: where is it? So, how do you protect it? So who's got access to it? That's what I mean by where is it. So, what data are you collecting and how's it stored? How's it secured? Who's got access to it? But that's the first thing, because you're not going to get much further than that. If you don't know, if you don't know what you have, you don't know what you're protecting. So start there. Once that little thread is going, because you'll probably have to ask a couple of people and they'll go off and start to look and come back to you with some answers.

Speaker 3:

Engage with some experts to come and have a chat and then there is the next stage after that, which is one of my real pet areas is if you don't need the data anymore, get rid of it. Too often, we just keep data forever and ever, and if you don't need it, if it's going back years and years and it's old personal data of customers, just get rid of it.

Speaker 1:

I think it's because people just don't know what to do with it, so they just keep it because that's easier, just in case I might need it for marketing. Well, you never know.

Speaker 3:

It is true, and also it's probably a case of they don't think about it. It's just, it's just data, isn't it?

Speaker 2:

All. I said what data and where is it? Yeah, just think about it. Like every piece of data, every little element that you have, whether it's a date of birth, it's a, you know, the tax file number to this, every little point of data is a point of risk, every single one. There's, technically, there's a cost. Yeah, there's a value attached to every single one of those.

Speaker 1:

So well, that's some great advice there, always scary but very helpful. So if listeners would like to get in touch, uh, Chris, very active on LinkedIn.

Speaker 2:

Yep. You can find me on LinkedIn. Yep, Christopher Haig. Yep.

Speaker 1:

And if people want to reach out to Martin, probably best via the Mercury IT website. Yes, because he does have his LinkedIn very locked down.

Speaker 2:

Locked down. No social media, none.

Speaker 1:

Well, thanks for joining me today and, yeah, we appreciate your insights.

Speaker 3:

Thank you, thank you.
