
Tech Insights with Alisha Christian
In today's rapidly evolving tech landscape, staying informed is more important than ever. "Tech Insights" by Mercury IT is your go-to podcast for expert analysis, industry trends, and actionable insights from top technology professionals.
Whether you're interested in cybersecurity, IT infrastructure, emerging technologies, or digital transformation, this podcast covers it all. Tune in to stay ahead of the curve and navigate the complexities of the tech world with confidence.
Beyond Prevention: Building Cyber Resilience
Cyber threats continue to evolve at an alarming rate, and for small to medium businesses without dedicated security teams, the landscape can feel overwhelming. Mercury IT's Chief Information Security Officer, Chris Haigh, cuts through the complexity to deliver practical guidance that business owners can immediately implement to protect their operations.
The conversation opens with a frank discussion about why cybersecurity feels so complicated for smaller enterprises. Chris explains how the challenge isn't necessarily any single security element, but rather understanding how multiple tools, policies, and training programs fit together to create comprehensive protection. He shares how managed service providers can bundle these solutions to match varying budgets while removing the burden of managing dozens of vendors independently.
Ransomware emerges as the most disruptive threat currently facing businesses of all sizes. Chris recounts a revealing case study where proper preparation allowed a client to recover within 24 hours, while less prepared businesses suffered two weeks of downtime following similar attacks. "Every day is money," he reminds listeners, highlighting how preparation dramatically reduces both financial and operational impact.
The most compelling insights focus on the shift toward cyber resilience rather than just prevention. Chris advocates for detailed incident response planning and regular tabletop exercises that simulate attacks, allowing teams to practice their responses before a real crisis occurs. His approach to communication during breaches is particularly valuable, emphasising speed, honesty, and proactive messaging to preserve customer trust.
Perhaps most surprising is the revelation that many small businesses remain unaware of their compliance obligations under Australia's Notifiable Data Breach scheme and recent ransomware payment disclosure laws. With regulators increasingly taking action against organisations for cybersecurity failures, understanding these requirements has never been more important.
Connect with Chris on LinkedIn to receive his exclusive questionnaire for evaluating your IT provider's security capabilities and start strengthening your business's cyber defences today.
Today I'm joined by Chris. Today, Chris will be sharing with us some information about cybersecurity for small to medium businesses, focusing on how to avoid a cyber attack and what to do in response if you are attacked. I hope you enjoy the show. Welcome back to Tech Insights, Chris. Nice to have you on the show again.
Speaker 2:Thank you very much.
Speaker 1:So you're our Chief Information Security Officer here at Mercury IT, otherwise known as our cybersecurity expert here. Today, we're going to be focusing a little bit more around small to medium businesses, and I guess we'll just kick off the show with: how do you simplify cybersecurity for small to medium businesses?
Speaker 2:Look, cybersecurity can be very complex, like IT, I guess. So most vendors in that space, like Microsoft, et cetera, are trying to simplify things as much as possible. But at the end of the day, cybersecurity, depending on your business, can be a complex task, and that's why we have experts in the industry. So there's a lot of tools that would be coming from various vendors that you would need to put in place to have a range of, say, preventative measures in place. You know, whether they're tools, it's your policies, it's, you know, training, for a start.
Speaker 2:There's so many things, it gets overwhelming. So I wouldn't necessarily say that any one of them is specifically complex. But trying to cover all of it and actually understanding where they all fit in and why they fit in is complex. So when you look to outsource that to a provider like Mercury IT, we're going to simplify that. So essentially, what happens is we would bundle a set of tools together that meet your budgetary requirements and meet what you need, you know, whether that's for compliance reasons or other, you know, all the way from base-level security to a higher level of maturity where you might need a 24 by 7 security operations centre. We can bundle those into set fees and costs so that we take care of it. So, from a business owner perspective, you don't have to think about, you know, the 27 different vendors you need to put in place plus the policy. We can actually just do all of that for you.
Speaker 1:Yes, because I think that would be very overwhelming, having to deal with all those vendors separately.
Speaker 2:It absolutely is. And if anything goes wrong, same thing. You know, you've got to deal with those. So we handle that vendor management escalation, you know, if there is a particular problem, because you've got to get these tools to talk together as well, so there are complexities within that. So we've done all the research and the groundwork to make sure we're picking out the best tools, and then, once we've done that, we look after a very large set of customers. So we actually get good pricing options as well. So if you've got a small to medium business that's maybe 50 seats, and they're going out to an enterprise-level tool like endpoint security, like SentinelOne, it would cost them a fortune to do, whereas we can get that in at a much cheaper price because we've got it across thousands of endpoints. So we get a good price bracket on that as well.
Speaker 1:Yeah, which I mean is great for small to medium business owners that are normally working on a tighter budget. Obviously, downtime for that size business, or any business really, can be quite disastrous. What would you say the most common cybersecurity threats for disrupting business operations are these days?
Speaker 2:Look, the biggest ones we've seen are still those things like ransomware. So it's that full one where the threat actor gets in somehow, whether it's through a phishing email or whatever it is. But from an impact perspective, I suppose there's two. There's one: ransomware basically pulls the entire business down. So if you're not ready for it, and you've got your backups in place, incident response plans, et cetera, that again we manage and deal with, so you can do it quicker. I've heard of businesses being down for two weeks trying to restore services. An example: over a year ago now, we had a particular incident at a client. There was a specific ransomware event that managed to get through defenses, because that does happen on zero-day attacks, et cetera. So again, not always 100% protected, but you do what you can. So what becomes important then is your restore time.
Speaker 2:So we managed to get this customer back up within 24 hours.
Speaker 1:Well, that's amazing.
Speaker 2:And when he spoke to us about it, obviously, like, super appreciative, worked with us. It's still a, it's a horrible experience regardless. But he actually spoke to some of his peers in that profession as well, and they had had an incident a few months prior, and they were going, like, "What, you were back up within 24 hours?" It's like, "Yeah, we had all the backups."
Speaker 2:Mercury started the backup and we're up and running. There are knock-on effects, you know, that do also affect the business. But their business was up and running for their clients. And yeah, he was saying some of his peers were down for two weeks.
Speaker 1:And every day is money, isn't it? Not only are you, obviously, not operating, but then there's all the cost to investigate what went wrong and then getting it up and running. So 24 hours is, as you say, still devastating, but a pretty good case scenario for getting back up and going.
Speaker 2:Absolutely Great.
Speaker 1:Can you suggest some proactive measures that businesses can take to avoid that kind of thing?
Speaker 2:Yeah, absolutely, and I'll preface that by saying again, you're never going to be 100%. That's not how it works, and it's why insurance exists, et cetera. But, you know, having done any kind of pre-work is way cheaper than post-incident response work, so whatever you can do to prevent it.
Speaker 2:So your preventative tools are very important. There's a couple that are quite specific that you would need in place, and you'd find, if you go out for cyber insurance, the questions on the cyber insurance sheet that you get, you know, whether it's Chubb and there's a 60-page sheet that you've got to fill in, or some others that are a bit shorter, they all ask relatively the same questions around whether you've got endpoint security, you know, et cetera. There's a set of things that you need to have in place. So your preventative tools are good.
Speaker 2:Once you've got those in place, though, then you also want to look at post-incident setup, and that can be around policy and that. So for our clients that we look after, we would have an incident response plan in place as well, and that's tested. So the idea is, if something happens, we know exactly what we're doing with the clients and, more importantly, the client also knows what we're doing, and the insurance company knows what we do. Everybody's involved, and we know exactly how to bring that customer back up as fast as possible in a way that meets the requirements for the insurance company, for that business, their clients and so forth. So there's pre- and post-incident that you can set up, and then your cybersecurity insurance would kind of wrap over those two areas for you as well.
Speaker 1:I mean, I guess definitely having the post in place is reassuring, knowing that if, and hopefully it doesn't, something does happen, that you sort of have a plan to get up and running. And yeah, scary thought though.
Speaker 2:Absolutely, and it depends on the client's cybersecurity maturity, of where they are on that journey, because it depends on budget, understanding and so forth of where we're going to put those things in place. So a lot of the pre-work that gets done is well understood. We've done that for many, many, many years. We can kind of fix most of the costs around that. It's relatively easy and you can get those things in place. The post is very, very important, and what we're finding is most, well, certainly our clients, but maybe it's the environment of Australia kind of maturing to that: the threat landscape is becoming worse and worse every year. So people are learning that. They're seeing the Medibank, they're seeing it in the news, and essentially what's happening is you need to move to a cyber resilience mindset. So that doesn't mean you can't do all your pre-work. That needs to be done, but that's almost a given. And now you need to focus on, okay, when this happens, what am I doing? Because I don't want to get to a spot where, you know, you are turning around and going,
Speaker 2:"Well, I've put all these tools in place to stop it." Now it's happened and you're not ready, because that's actually going to hurt. A lot of businesses, if they're impacted with a $60,000 charge, right, that might be the end of it. They might not have that money to even continue.
Speaker 1:So data breaches can severely impact, obviously, customer trust. What advice would you give to businesses for, I guess, reputational damage or how to try and avoid that?
Speaker 2:Absolutely. You know, previously we spoke about business downtime, which is one aspect of an impact or incident to a business, and the other side of that is customer trust. So it's the reputation of the business, and I'd say a lot of business owners are actually concerned about that. That is a big impact, because if it's going to impact sales and business further down the line, then that's something we want to protect. So there's a couple of things, and it's mostly the same sort of stuff that you would need to have in place, right?
Speaker 2:So we're talking about having all your pre-work done, so your preventative measures around tools, but also training staff and so forth. You've got your post work, which is your incident response plan, tested. Everybody knows what they're doing so that you get back up and running quick. But part of that's actually a communications plan. So you have to have your executive, your HR, your marketing, all actually around that. Now, depending on the size of your organization, it could be legal. It could be your PR teams as well. You need to have an understanding of what you're saying to your clients, and a piece of advice I'd give is do not delay. If something happens, you do not want your customers finding out before you've said anything.
Speaker 1:That is the worst-case scenario. That would be terrible.
Speaker 2:Right. So you don't want a customer coming to you and going, "I'm being, like, let's say, extorted for money based on the information they stole from you." You need to get ahead of that really, really quickly, because what you might, again, what I've heard of, is you get a situation whereby that's sort of happening in the background and you have a reporter calling the CEO for comment before they even know what's going on.
Speaker 1:Oh, that is not a good look. It's not a great situation.
Speaker 2:So you kind of need, in that case, you actually need to know what you're saying to, like, a reporter, straight up. Like, it's basically got to be already created. You've got to have practiced these things.
Speaker 1:So is that sort of, I guess, coming back to the post?
Speaker 2:Absolutely. So part of that post, or incident response preparedness, is actually running something like a tabletop exercise, and that's where you get the incident response team, which is the executives, maybe the technical, depending on what you're doing, and actually run an incident. So this is a bit of a role play. It is literally a role play. So it's like literally set aside two, three hours, four hours, depending on the size of the business, and you can actually run a full scenario where you can go, "Right, it's ransomware, what happens?" Or they've breached the customer information system, and this has happened. And then, okay, well, what would you do? Actually, this has just happened. What do you do? Like, maybe you start that tabletop exercise with the CEO receiving a call from a reporter. Yeah, okay, what do we do?
Speaker 2:It's like, "No comment," initially. Immediately onto PR, onto your teams, figure out what's going on, get the information, and then, in that particular case, if you've got contact with reporters, you know, you've got friends that you do often speak to, you want to contact them and break the story that side, because then you can at least control some of the narrative versus just a random reporter calling you. So they break the story first, and that's really important, right?
Speaker 1:Oh, sure.
Speaker 2:But again, don't lie to your customers and don't delay. It's got to be as honest as you can be without giving away information that's going to impact the incident response. All of that's important as well. You're probably going to have to have legal involved and figure out what you're doing, how that looks. Making sure you're up front and communicating with your clients is going to save your reputation. That is what you want to do.
Speaker 1:Well, I think honesty in that sort of situation is definitely the way to go, and taking accountability. And then obviously doing the role playing. It's much easier to do that when you're all cool, calm and collected and the incident hasn't hit yet.
Speaker 2:Otherwise it's headless chickens, herding cats, all the rest of it. And it does, and it's, you know, I've been through a few breaches with various clients over the years, and, you know, whether you're dealing with insurance businesses that are putting in certain provisions or you're dealing with legal, PR, whatever it is, it is a very heightened emotional situation. It's not great.
Speaker 1:I can only imagine.
Speaker 2:Absolutely, and you think from a business owner perspective, like quite often, that is their baby right and it's being directly attacked. It's not great.
Speaker 2:I mean, I've even spoken to staff that have been involved around it, and it's probably not a bad thing to actually talk about mental health around this aspect as well, and something that I learned early on around the mental health aspects of this as well is empathy. Like, it's, you know, it can't, absolutely can't be a situation of going, like, "Well, we told you to put in a new firewall," you know.
Speaker 1:Well, that's going to help no one, is it?
Speaker 2:Exactly. It's just like, nope, wrong.
Speaker 1:Maybe just think that, yeah.
Speaker 2:So it's working with that client, being empathetic to what's happening, understanding that it's emotionally charged and working through that. So a well-designed tabletop exercise can elicit some of that, and it's just how you run it.
Speaker 1:Yeah, and it's a good idea to run the practice, but no one wants an "I told you so" on site when there's no space for that.
Speaker 2:No, that's right.
Speaker 1:And small to medium businesses, I guess, like, they hear the word compliance and it's like, wow, where do you find, like, the biggest downfalls for that size business is around compliance?
Speaker 2:Yeah, it's an interesting one.
Speaker 2:Um, because no business just wants to be compliant for the sake of being compliant, right? It's just not there. What a business owner or executives are worried about is fines.
Speaker 1:Yes, that's it.
Speaker 2:Yeah, like, "I'm going to be fined if I don't do this properly," and that's fair enough. So the biggest headache, then, is, number one, most businesses, again, I've not done studies on this, this is just my opinion, most businesses don't understand that the compliance even exists around that. So a simple example is in 2018, we had the Notifiable Data Breach scheme come into place. That affects almost every business. There's certain caveats to it, but most businesses, because it affects their staff, because you have a tax file number, and as soon as you've got a tax file number, immediately you're captured under that. So the other thing is, like, you're turning over X million per year, or whatever it is. There's a couple of criteria to it, but most businesses are actually captured under the scheme, right? Not many businesses know that, though, so if something happens, are they reporting correctly?
Speaker 1:Well, that's it, isn't it? And especially for small to medium businesses, where they kind of think, "Oh, I'm not that big, yeah, it doesn't affect me."
Speaker 2:Exactly the case. So you could take even the micro businesses. So you're a one-man show, basically doing, like, maybe you're a masseur, you know, you go and do massage. It falls under health. It immediately falls under the data breach scheme because it's health, but you're one person. You're not turning over X million or anything like that, right? So the idea there is having this plan, and you want it simple. So I think for most businesses, you don't want to be thinking about it. You want an expert to tell you what you need to put in place. So it's like, "Okay, yeah, yeah, I understand. Like, what's it going to cost? Can you do it?" That is what you want in place. So you need a business, and again, we look after a lot of our clients, whether it's a Notifiable Data Breach scheme plan, because that's what you need to meet those requirements: that plan, understanding what data you're keeping and where. And where this starts to come into place is you're talking about having governance. It's a favorite word.
Speaker 1:It is a favorite word.
Speaker 2:And it's having that governance in place for a business. But again, how do you know about it, unless you're actually in the industry? So, like, I've been in cybersecurity for many years, I'm looking at what legislation is coming out. There was new legislation at the end of last year.
Speaker 1:Yeah, it's a lot to keep on top of if you're a small business.
Speaker 2:Exactly. So the business goes, "What legislation?" I mean, like, there was cybersecurity legislation that came out last year that basically compels you to notify the government if you've paid a ransom. Yeah, so if you don't know about that, you could easily just go ahead and do it, and you might be in breach of legislation. So there's a couple of things around that. And then if you're dealing with an accountancy and you fall under APRA, or there's a couple of things, depending on your business, whether it affects you, and if it does, you want to be on top of that, because there's been a number of court cases now that are literally happening now where ASIC has gone and hauled them in front of a judge going, "They've done the wrong thing with regards to cybersecurity." There was another one, I think it was last week, so it's kind of ramping up, and I can understand, from an executive or a business owner, getting a little bit concerned now.
Speaker 1:Yes, for sure.
Speaker 2:Yeah, you've got, you know, the Institute of Company Directors, et cetera, all turning around and going, "It's on the directors. The directors need to be responsible for cybersecurity," and they're going, "Hold on a second." Basically, it's like, "I didn't sign up for this. I'm running my business that creates roof tiles, or whatever it is. Why am I now being hauled into this?" And, honestly, the advice there is outsource it. You know, and I know that sounds very salesy, because it's like, well, that's what we do, but trying to do it yourself is complicated.
Speaker 1:But I think, just even, like I said, staying on top of all the changes and the new legislation that's coming in, I mean, you know, if you're running a, you know, small to medium business, you don't have time to be worrying about that, and, you know, what happens if you do miss something and you get it wrong?
Speaker 2:And yeah, there's definitely so many other things to be worrying about. Like, I've run small businesses as well. You know, it's like at night you're busy doing paperwork, or you're doing invoicing, other ATO forms to do, because this has to go in, my BAS or something has to go in. It's, yeah, there's enough to worry about without adding that to the load, for sure.
Speaker 1:Yeah. What would you, like, recommend to small to medium businesses? What should their priority be when it comes to cybersecurity?
Speaker 2:Yeah, that's a great question. If you're already working with your MSP provider, so your provider doing your IT, as an example, I would be going to them and actually asking more specific questions around cybersecurity specifically. I think a lot of small businesses assume, and rightly or wrongly, I'm not sure, it's difficult, right? Because, again, you're just worried about your business, right? So, "If I've outsourced my IT to my provider, I'm expecting that my provider is doing the cybersecurity as well," is what I seem to see out there, and the problem is they're not.
Speaker 2:They'll be doing elements of it because it's IT, it falls in IT. But are they doing enough of the right things that's helping you meet legislation requirements, being prepared enough with that pre and post work? All those things are really, really important. So I would go and start asking some questions around: what tools do we have in place for our preventative measures? Are we doing cybersecurity training for staff?
Speaker 2:What are my post measures as well? Do we have an incident response plan? What do our backups look like? How long do we keep them? If we got ransomware, would it actually hit my backups as well? Yes, some of these are technical questions, but you can just start to...
Speaker 1:I'll tell you what, start a conversation.
Speaker 2:It is, and it just reminded me, as I said, that I've actually created a questionnaire for businesses to use to actually ask their MSP about cybersecurity. So I'm more than happy to make that available if they want like a list of questions that they can use to go and ask these questions.
Speaker 1:That would be great, because I think sometimes that's a hard thing, not knowing what questions you should be asking to get the information that you need. So yeah, I mean, that would be amazing, absolutely.
Speaker 2:So if they reach out to me on LinkedIn, I'm happy to just private message them directly and make that available. And if you're not outsourcing your IT at the moment, maybe you need to start looking at doing that. So have a look for a managed service provider or managed security service provider, depending on what you're looking for, and start to have those conversations, at least so that you understand what that looks like.
Speaker 1:Yeah, I mean you've got some great advice there. Is there anything that you want to add at the end, or we've covered quite a bit?
Speaker 2:No, that is most of it. Like I said, it can be quite complex. It doesn't have to be. The key thing is looking for a partner that can actually partner with you. Like, I feel a lot of the time IT is kind of commoditized. It's like buying electricity. It's like, well, who's the cheapest? It is not like that. If you're looking for just the cheapest, you are going to get what you pay for. It's that simple. So I would look rather for a partner that will take the time to have, for instance, an account manager that understands your business processes and your business concerns, so that they can prioritize your IT roadmap and your cybersecurity roadmap, at least over the next 12 months, et cetera, to help your business improve the productivity of your staff, because the biggest impact of not having the correct IT or cybersecurity is impact to productivity. That's what happens. You have business downtime, or you have individual staff members that are down, as in,
Speaker 2:"I can't use my Excel," or "this macro is not working," or there's some technical issue. You want to minimize those by as much as you can. If you can get everything smoothly running and your cybersecurity is taken care of, it's going to pay for itself.
Speaker 1:Yeah, well, look, you've shared a lot today, so we appreciate you coming along, and, as Chris mentioned, if you'd like to get your hands on those questions, please reach out to Chris on LinkedIn. Yep, Christopher Haig.
Speaker 2:Yes.
Speaker 1:And yeah, we'll see you on the podcast again soon.
Speaker 2:Awesome.