Sales Trajectory Podcast

Cybersecurity Risks Every Mid‑Market Business Must Take Seriously with Luke Irwin

Jason Howes Season 2 Episode 12


Special Guest: Luke Irwin, CEO & Principal Consultant, Aegis Cyber Security

In this episode, Jason Howes is joined by Luke Irwin, CEO and Principal Consultant at Aegis Cyber Security, to unpack the real cyber risks facing small to mid‑market businesses, and what leaders can do today to reduce exposure.

Luke brings a practical, no‑nonsense view of the cybersecurity landscape, drawn from his work with fast‑moving SMEs and mid‑market organisations that don’t have time for red tape, but can’t afford to get it wrong.

🔐 The Current Cyber Threat Landscape

Luke explains that while ransomware gets the headlines, business email compromise remains the most common and damaging attack. These breaches often lead to:

  • Invoice fraud and impersonation
  • Theft of sensitive data
  • Reputational damage that far outweighs the technical impact

The key issue? Many attacks succeed not because of sophisticated hacking, but because basic controls aren’t in place.

🏢 Cybersecurity for Mid‑Market Businesses

For mid‑market organisations, cybersecurity is no longer an IT problem, it’s a commercial and leadership risk. Luke highlights that these businesses often sit in the danger zone:

  • Large enough to be targeted
  • Not always mature enough in controls or governance

A single incident can disrupt operations, impact supply chains, and erode hard‑won customer trust.

🚨 Incident Response, Recovery & Insurance

The discussion covers why incident response planning matters just as much as prevention. Leaders should know:

  • What happens if systems go down
  • How quickly operations can recover
  • Whether cyber insurance actually covers the real cost of disruption

Cyber insurance is important, but only works when paired with strong controls and documented processes.

🔗 Supply Chain & Reputational Risk

Jason and Luke explore a scenario many businesses don’t consider:
If a cyber incident stops you supplying a major customer, they may be forced to buy from your competitor, and never come back.

Beyond lost revenue, the reputational impact can be career‑limiting for executives and directors responsible for risk oversight.

📊 Data, CRM & Cultural Adoption

Cybersecurity isn’t just about technology, it’s about how people use systems. Poor data management, weak CRM discipline, and low user adoption all increase risk.
A strong security posture requires cultural change, not just tools.

✅ Luke’s Top 3 Cybersecurity Tips You Can Act on Today

  1. Enable Multi‑Factor Authentication (MFA)
    One of the strongest and simplest protections available.
  2. Back up your data, and test those backups
    A backup that hasn’t been tested is not a backup.
  3. Align to a recognised cybersecurity standard
    Luke recommends SMB‑1001, a practical framework designed specifically for small and mid‑market businesses.
    • Five tiers (Bronze to Diamond)
    • Gold is a minimum baseline for businesses with 5+ staff
    • Clear, prescriptive controls that reduce risk without unnecessary complexity

🗞 Industry Insight & Media Commentary

Luke also shares insights from his recent media appearances, including commentary on:

  • High‑profile cyber attacks
  • Risks to critical infrastructure and education
  • The growing need for leaders to engage seriously with cyber risk

His mission is clear: start the conversation early, before an incident forces it.

Cybersecurity is no longer optional, technical, or someone else’s problem.
It’s about protecting customers, revenue, reputation, and careers — while ensuring the business can continue to operate when things go wrong.

SPEAKER_01

Welcome to the Sales Trajectory Podcast, where innovation meets execution in sales. I'm Jason Howes, your host, a 35-year sales veteran and lifelong student of the game. This podcast is for leaders and sales professionals with a growth mindset. You'll hear real sales stories about new products, motivating teams to prospect, and boost productivity. We dive deep into sales process, cutting edge tech, and recruiting top sales performers. Let's get started. Jason, thanks for having me. Great to catch up with you. And uh this is coming off the back of a special LinkedIn feature and episode that we did, and what not more important for our listeners and companies and clients to learn some more about cybersecurity. That's why we've got Luke on. He's an expert in his field. Luke, give us a bit of a rundown of what's happening in your world at the moment and just what sort of clients you work with and yeah, things that you identify as uh the sort of organizations I work with.

SPEAKER_00

I specialise in the small and medium business space and crossing into the mid-market. I do do occasional work with enterprise, but I don't go targeting it because the time frames and everything else they want to work with just don't sit well with me. I like working in the small and mid-space because they want to move faster, they want to act, and they want to make decisions. And you generally need to speak to one or two people to have a decision being made instead of six different committees of 12 different people. So the sort of stuff that's happening in the cybersecurity landscape now is business email compromise is still one of the largest attacks that are happening on organizations. Ransomware is still there, but it's not as common as much as the fear around it indicates. But the email breaches and email compromise is still the most common. And that normally leads to either theft of information or invoice fraud or invoice impersonation being the most common things. And a lot of the methods to protect against that, we're not talking gold plating or putting Gucci everywhere. We're talking the basics, the one-on-one level stuff that a decent IT team or a managed service provider can do for you. Maybe with some guidance if they need it. But generally speaking, it's not putting in banking grade security onto a timber wholesaler or a retailer. There's no point doing that. So yeah, that's the general state of play at the moment.

SPEAKER_01

It's an interesting uh topic, and and I think for me as a business owner, and I also see, you know, obviously wearing a lot of hats, trying to keep up with everything. Yes. If I look at a lot of the clients I I work with, a lot of leaders, you know, right now there's a there's a pinch because the costs have increased, sales have dropped for a lot of people, they're reducing costs. They're also the scary thing for me is and what I'm seeing a lot, Luke, a lot of a lot of executives are wearing probably one and a half to two hats at the moment.

SPEAKER_00

Yeah, and I agree.

SPEAKER_01

And the scary thing is that and I've been there and it gets to the point where you actually physically or mentally cannot take in anything too technically involved, and and a lot of people shy away from starting projects because they're like, I just haven't got the mindset to be able to do what I'm doing. And that's what sort of made me sort of think that you'd be a great guest to have on today, because that's what we're seeing. I mean, and a lot of companies that we deal with, they don't have a proper HR or they don't have proper IT. So what what would be the five key things that matter most for say companies that turn over roughly between say, you know, 50 and 200 million or 100 and 200 million, which is where we normally work?

SPEAKER_00

Yep. So you're starting to cross into the mid-market space in terms of the cyber. Now, your headcount has an impact on that. The first thing I have to call out is that IT is not cyber, and cyber is not IT. They are cousins, they are not twins. So, Jason, you're a recruitment specialist. Now, if I tell you to go and run a national HR team, but that's part of HR, recruiting's part of an HR function. Like that should be fine. It's in the same ecosystem. It doesn't work that way. They are related disciplines, but they are separate outcomes. IT exists to provide an outcome for operational needs of the business. Does the email work? Does the server work? Does the network work? Can the receptionist answer the phones? Can the sales team use the CRM? Cyber's focus is on how do we protect your data, how do we manage your risk, and how do we make sure that your risk is at a level that aligns with what you want so you can continue to chase the opportunities you want to chase and generate revenue. If you're running it really well, we've got your risk control to a level that you can take higher level risks because you're still managing it effectively, so you can outcompete your peers because you're able to take on higher risks while maintaining safety. In terms of the five top things you should certainly be doing, first thing, multi-factor authentication. So that's where you have your mobile phone or something acting as a secondary source of identification. Ideally, you should be using what's called the authentication apps like Microsoft Authenticator or Google Authenticator. But if all that is available is email or SMS, then not as good or as strong, but it's better than having nothing. That's the first thing. Second thing, train your staff in cybersecurity awareness. Teach them how to recognize these scams, these impersonations, what a hostile link looks like. Because most attacks are coming in via email nowadays.
If your staff get taught what to do, then you've got a much stronger perspective or position to be able to prevent that. We often refer to security awareness training as the human layer firewall. So if your staff are educated, they're less likely to make a bad or poor decision. Because they don't want to do it intentionally. They just don't know what is dangerous. Third thing, update your computers. That little pop-up you get in the bottom right-hand corner saying your computer needs to be updated, stop telling it to do tomorrow or next week or whatever. Do it now. It's come out because an update has become available to fix a security vulnerability. Do that. That is one of the best things you can do. In terms of the fourth one, I'd be looking at having a firewall. So a firewall on your corporate network, say in your office, it's a bit of hardware, checks and inspects and makes sure the data coming into the business is clean and secured and not going to be causing harm. If you don't have a centralized office and everyone's working remotely, there's a thing called software-based firewalls. Like the laptop I'm using now has one that can be configured to protect a device. The next thing I'd recommend would be, well, I'm going to actually recommend two more for you, so I'm going to give you six, not five, would be having what's called an EDR or endpoint detection and response software or endpoint detection remediation, depending on the vendor. It is the next step on from antivirus. Antivirus in a corporate setting nowadays is largely ineffective. And I say that because there's around 10,000 to 12,000 new pieces of hostile software coming out each day. Now, the problem with antivirus is it relies upon, it works like your immune system. Your immune system has seen something bad. I know how to fight that. Well, there's 12,000 new pieces of hostile software coming out every day. The odds of you being hit is not zero. 
But what the EDR software does, it looks at one, that, but it also looks at the behavior of the software that is trying to run on the computer. Is it trying to encrypt data? Is it trying to move data? Is it deleting data? Is it accessing things in a way that don't align with normal behavior? And it goes, that's unusual, kill it. Or that's unusual, ask someone to confirm. So that's the next one. The final one is backups. I cannot understate the importance of backups. By default, your Office 365 or your Google Suite environment do not have backups. It is not part of the design or the offering. That's why roughly about only 80% of companies globally actually have backups of their email, because they think Microsoft's doing that. No, they're not. They really aren't. They have a replicated copy, which means that if data is destroyed, corrupted, interfered with, that is replicated. So the data is still gone, the data is still damaged. The backups ideally should be offline in an off-site location. So that means they're not connected to your network. Because if a bad guy breaks in, and I'll pick ransomware as the example here, their first target is going to be what's called your authentication system. So that's what controls your username and password to try and get higher permissions. The second target will be your backups. So you want them to be offline. So it's not part of your standard network. That is your "oh bugger" button. Data's been destroyed, data's been captured. You can go, right, we can come back to an offline copy and restore, and that is one of the best ways to improve resilience.

SPEAKER_01

Is that I think will add the most value. And uh again, I think, you know, in a lot of situations, I'll I'll I'll use an example. You're a building materials or a timber wholesale company that is that is sending out a lot of product every day. You know, you could be turning over 100, 200k a day. Yeah. And you've got builders and building sites relying on your product. Say if you're, you know, servicing one of the national accounts, you've got your DIFOTs, you've got your service agreements. So what happens if someone gets hit?

SPEAKER_00

So that is a multi-layered question. So let's assume your primary customer and you're pumping volume through that. So, one, you've been compromised to what extent? Are we talking just an email invoice fraud or are we talking a ransomware? If we're talking ransomware and your system is dead, you should budget typically two to three weeks to get back to base operations and two to three months to restore normal activity. Now, that can be shortened depending upon how well you have tested your backups. Do you have an incident response plan? Do you have cybersecurity insurance? Have you tested your incident response plan so people know what to do? The analogy I always use is there's no point trying to figure out how to do CPR when you need to do CPR. So you want to know how to do that before you have to do it. Knowing what to do in a crisis matters because you don't, people do not rise to the occasion. That doesn't exist. You default to your level of training. And if your level of training is zero, your skill level is zero. You are now relying on luck as a strategy. And I wish you the best of luck with that approach. So let's assume that this organization has been ransomware, all their devices are compromised, they've been encrypted. Let's assume that they have backups and the backups are safe. That's not always the case. If you don't have backups, you now have what's called an extinction level event. Speak to your lawyer, speak to your liquidator. That's the level of conversation you're now potentially having, depending upon your contract and your clauses in those contracts. Your clients might seek damages. So you need to recover. So you need to one, get normal restorations. So what's most important? Your network followed by your emails, generally. So that way you can start communicating. Has data been exfiltrated? If data's been exfiltrated to a bad guy, you now need to run through a notifiable data breach response process. Now, you've been issued a ransom demand. 
If you make a decision to pay that, and I'll call that this isn't legal advice because I'm not a lawyer, you have to make declarations to the Australian Cyber Security Centre under the Cyber Security Act 2024. So you have obligations to do that. Notifiable data breach. You need to look at the data that's been touched, and a privacy impact assessment has to be made. Now, you're saying it's uh, let's call it a 100 million turnover company. Let's say they've got, I'm gonna pick the five executives. I've got CFO, the CEO, um, chief marketing officer, chief sales officer, or chief revenue officer, and I don't know, someone else. Let's call it the head of transit, chief operating officer, done. Now, I'm gonna assume that most of these people have been in the business for about five years or longer. As a result, their email inbox will not be small. I'm gonna pick, on average, they're gonna keep around 2,000 to 3,000 emails per year. Okay, so we're now looking at 2,000 per year, five years, 10,000 emails in their inbox plus what they've sent, plus what they've deleted across five people. That is not a small amount of emails. So to conduct the privacy impact assessment, somebody has to go through every single email and make a determination if personally identifiable or sensitive information has been breached or leaked. And thus you then have to follow the notifiable data breach response process and inform the Office of the Australian Information Commissioner. Now, if you want to have your own team do that, great. My first question is what are their qualifications to determine if it constitutes sensitive or private data? This is why you want things like cybersecurity insurance, and they will typically provide you a legal partner, who will have a team of paralegals to go through and look at every single email and make a determination of is there a likelihood of harm?
Then you'll get a list and you then go, you have to inform those people, inform the privacy commissioner, and run through that entire process. Now, what do you think it's going to cost you to run through 40,000 plus emails to check for privacy and harm? That's not a small amount of money. So that's why you want cybersecurity insurance. Well, let's assume they find that you make your declarations. You need to restore the network. How did the bad guy get in in the first place? So you need to recover and remediate that. You need to restore any service you've got. So you need to make sure your backups work. When was the last time you actually tested your backups? So if you it's great you've got backups, but have you confirmed they actually work? It's like you go on a long car trip, you check the tire pressure, you check the oil, you check the fuel, you make sure the wipers have full fluid. You're doing preventative checks. You have backups. When did you last test you could restore a server, restore a product, restore email? If you haven't done that, congratulations, you've got expensive storage that you're just paying for that does nothing. You have to test it periodically. So let's assume you can bring it back. Email will come back first. Then you want to look at bringing back systems like CRMs and finance systems and so you can communicate with clients. Because while this is happening, you might not be your online systems, if you're running Office 365, will still be getting emails. So you're hoping staff can access it on their phones and reply. But as an outcome of this, what do you tell the investors or the board if there is one? What do you tell the regulators? What do you tell the customers? What do you tell the staff? What do you tell your major suppliers? What do you tell your vendors? So if you can get compromised, does your contract have specific clauses to indicate that you will tell them you have been compromised? 
Do your contracts also have any other clauses in there and having to meet things like ISO 27001 or other cybersecurity standards or obligations? Have you actually met that contractual condition? Or have you just said that you do? Yeah. While it's like I've seen organizations, oh yes, we're 9001 compliant on their finance system, not on the business. But well, they say they've got it, but they don't have it. So if you're looking at that, what you're referring to there, the person who comes in there is what's called an incident commander. And I do that sort of stuff for a few of my clients when things go, we call it an organization gets popped. We come in and that person runs point as a liaison to run all the other teams and the processes to try and minimize the harm because the bad thing has happened. You're essentially going into a triage scenario. I think like let's say there's a car pile up. The prime concern is preservation of life and prioritization of injuries to maximize preservation of life. In this case, we're looking at it going, what can we do to minimize further harm? What can we do to minimize damage to the business? What can we do to bring them back as quickly as we can while reducing financial, reputational, regulatory impact on the business? It's a complex question. Um if you're playing in the $100 to $200 million bucket, then this is something that needs to be firmly on your radar because you're starting to cross into the space where the bad guys are taking notice. Like if you get mentioned in a trade journal, in a tender, in anything, they know that you have money now. They want that money. So they will actually they'll shift from you being a target with like the small businesses in the sub 50 mil space where they're throwing mud at the wall and just hitting whoever gets hit to now going, we're going after you, because you just got a $30 million deal. Okay. We know 20% of that is a down payment.

SPEAKER_01

Well, look at a lot of clients we deal with. I mean, they're yeah, they're sending out five, ten, twenty house slots of of product a day. And uh I sort of likened it a little bit to uh I've got an Indian motorcycle, which I love, and on that bike, it's it's it's not good.

SPEAKER_00

Yeah, yeah, then you hit the white stretched on heat shrunk paint for the pedestrian crossings and you have no control at all.

SPEAKER_01

It's a dangerous game. And I think even I think just to go back a little bit, and I think you know, a couple of key areas that stand out for me personally is that if a wholesaler, say for example, is buying off 10, 5, or 10 different manufacturers, how does that link of command or the chain sort of progress? Because I mean, you've obviously got suppliers and then you've got customers. So there's obviously a lot there that has to align.

SPEAKER_00

I can think of two things there. So, one, one of the first things that pops to mind is prevention of invoice fraud. So, do you have the right systems in place so somebody can't impersonate you to a customer? Most organizations are missing them. There's three there's three systems you need. One's called DKIM, one's called DMARC, one's called SPF. The first two are free, the third one you need to pay for. Without those, I can impersonate your business in about 15 seconds. Doesn't take me anything. And I can go, hey, please, uh, I know we've just sent you out these invoices. Please make the payment to this address instead or this bank account instead. Really easy to do. Low risk for the attacker, low skill for the attacker. Yeah, that's the first one. Make sure your email security is good. But looking at the supply chain risk is a larger thing. You need to look at your suppliers through two lenses. One from a cybersecurity lens. They've got access to our systems and our data. If they do, what is the likelihood of a breach on their system having an impact on us? The second thing is if this, if one of our suppliers gets ransomware or compromised or destroyed by a cyber attack, who else can we buy from? As an example, like let's say you're working on hydraulic systems and you've got this little gasket that goes around the end of the ram. Now, the company that supplies you that, if they get compromised, what is the life cycle on that gasket? Who else can supply it to you? Is their production maxed out? Do you have spares in stock? What is the implication of losing that key vendor going to have on your organization? And you need to look at that for everyone who supplies you stuff. You need to look at that in your upstream as well. So the people you supply to. So let's say, for example, you're, let's say you're a you're a timber mill.
So you're logging, you're, you're cutting, you're transporting, you're breaking down into panels or sheets or two by fours or whatever it might be, and you're selling into, I don't know, some other wholesaler. Let's say one of your wholesaler of your product or retailer of your product gets ransomware. They stop buying your stuff for three months because they're trying to recover their systems. They can't communicate to their customers. And let's assume this customer takes up 70% of your product. One, you've got a concentration risk. Two, you've now got three months of potential non-product that you can ship or you can't ship. They want it, but they can't pay for it because they can't get their systems back. They can't guarantee they're going to come back. So you're now carrying a risk from your upstream suppliers of people you sell stuff to that they can't buy what you want to sell them because they don't have a functional business right now. So you need to be looking at the downstream to assess if something goes wrong, how can my company be hurt? And under the Corporations Act, you have an obligation as a director to be considering those risks. Now, if you don't know how to assess those risks, bring in someone to help you. It's the easiest thing to do. There are people like me who specialized in this stuff.

SPEAKER_01

And I can recommend others. It's an interesting point. I might just um book about something else, and uh, and I think I look at it from again, this is from my perspective. You know, we're dealing with clients, they've got salespeople in the field, they've got laptops, they've got phones or iPads or whatever it is. Um they're also saving documents, um Excel or Word or whatever it is. And obviously, you know, we focus a lot on CRM as well. And one of the big areas we like to focus is on making sure that our clients have ownership of their data. Yes. And making sure that their data is very easy to find. So they're onboarding someone new that they can come in, they know where the data is and they can find it all. And not only that, but also, you know, developing those systems and processes to support onboarding and that. Talk to me a little bit about that.

SPEAKER_00

So if you're not centralizing and controlling that information, you've got what's called an information sprawl problem. Um, and then then that flows onto being a garbage in, garbage out problem. So if your staff aren't working off a centralized, managed, contained system, where are we at with that deal? Who knows what vendor? Who knows what client? Who knows what about the business? The added risk you've got there is you're then saying you're hiring a you're hiring a BD specialist. Now, a good BD, 150 plus incentive plus super, plus plus, plus call it 200 grand. Yeah. Yeah, 200K for a good BD and including on costs and all the other stuff that goes with it. Now, if you're not running a CRM, then you're investing money into this person by way of salary, by way of meetings, by way of meals they're having with clients and prospects, functions, dinners, events that they're building a relationship. That's great. You're helping your BD grow their own personal profile. Great. What are you getting out of that? If they leave and you haven't got a CRM, all of those relationships go with them. You don't know where they're at. You don't know what the status is. You don't know who they know, who they've been meeting with, where they are in the pipeline of various transactions. Without having that CRM, you're creating a large risk for your business around information leakage. You don't know what's going on. You can't track where you are. The other risk that it gets exposed there is if you allow the BD team to use their own personally owned mobiles rather than a company owned mobile. When they leave, your prospects, your clients have their personal number, not your business number, which means that all that money you've invested has just walked out the door. So you're meeting with a client, like your BD is meeting with a client now, and I'm not exactly sure what the sales cycle is like in your ecosystem.
I'm going to guess it's going to be not short, call it six-month lead time. Your BD leaves in six months' time when that prospect goes, hey, yeah, I need that. He goes, Oh, now I can certainly supply that to you. That competitor is now getting advantage from the investment you made. You need to have these CRMs and they're commissioned and configured and put them into the right workflows to make sure that your information stays with your business because you're the one paying for it. Not doing that.

SPEAKER_01

That's a great answer. The risk is too high. I think and the the other thing for me too, Luke, is uh at the the ease and the speed to be able to find that data. I I think again, if you don't have it in one system, I mean when we're working with our clients, you know, if you're my client, well then I know phone calls that were made to you, messages, emails, calendar appointments, orders. I know everything. But I mean, if some people leave, you've got to go looking in Excel spreadsheet. And even though it sounds weird saying this, but a lot of companies they don't have the tech and they're relying on old school. The other one the the issue is that a lot of people haven't implemented the tech or they've got the tech, but they haven't implemented it because their workforce doesn't want to use it or they're not good with technology.

SPEAKER_00

So what you have there is a cultural and an enablement problem. So the staff need to be taken on what's called an organizational change management journey on what's in it for them. What is the advantage they get? How does it benefit them and what they do? And once staff have been shown the advantage and the benefit it provides them, it provides the business, then they'll start adopting. And you might want to create some incentivization mechanisms around that to improve the utilization of the products. Hey, whoever has the most updates, or that's not a great one to measure because people think I'll make dummy updates. But whoever has the most complete records about their clients, everyone who has that, for every complete client record you have, you go into a draw and you get a nice dinner, I don't know, a Blackbird or something else like that. Minor incentivizations to encourage that use, moving away from the pure sales competition approach, encouraging the utilization and the uptake of the product to help drive improvements. Um, a good example of where something like this can be done, taken to the next degree when you start talking about business intelligence platforms and the like. A colleague of mine worked on a business intelligence option for a pie company in Melbourne. They were able to track all this data around weather-related data and stuff like that, and they could show that for every two degrees dropping in temperature, they sold 7% more pies. So as a result, they could tie that into their production forecasting, into their sales metrics, into their rostering requirements. We need to make this many more pies because the temperature from the bureau says it's going to be 14 degrees today. Okay. So we know based upon the normal baseline of 20, more people are going to want a hot pie. Because they were gathering this data and correlating it, they're able to go, okay, this is what data science can do. This is what business intelligence can do. 
You find the external signals that have an impact on your organization. So I'm looking at, say, the timber industry, it could be impacts on fires, international fires, like what's happening, like from the timber we may import or the timber we may export. What is that going to do from a market impact? If we're looking at data coming in from approval rates, from loan rates, from interest loans, from government policy, all of that can be fed into business intelligence things so you can help determine where the market might move. It's not always going to be 100%, but it gives you a more guided position instead of gut feel. Because gut feel, when driven by is only 55% roughly.

SPEAKER_01

It's interesting statistics. And I think from my perspective, again, ownership of your data is critical. Don't accept excuses for non-compliance in using technology; get everyone using the right one. But I think what you said made a lot of sense as well. And this is what I do: you've got to be able to go to your team and provide the best value, and things like voice to text will save them time. Yeah, massively. So Luke, I'll just keep mindful of the time here, but it's been great catching up with you. Would you mind just running through three of your top tips for users? I know you've already mentioned some, but just refresh again on three things they can do today that will help them.

SPEAKER_00

Have multi-factor authentication. Cannot stress that enough. That is one of the strongest things you can do. Back up your data and test your backups. I'm going to throw a different one in. Align to a cybersecurity standard. So there's a cybersecurity standard called the SMB 1001. It's designed for small and medium business. It's designed to not be big and complex and expensive. It's designed to be very specific and it's really good at lowering and controlling risk. Align to a framework like that, and you're in a good position. It comes in five tiers: bronze, silver, gold, platinum, and diamond. Pick the level you want to go at. I normally recommend gold as an absolute minimum for any firm with more than five people, but it gives you very prescriptive rules of what you should be doing, and I'm always happy to have a chat on it.

SPEAKER_01

The other thing for me would be that, you know, and this is a story you don't want to hear, but say for example, if you're supplying a major builder or a major construction project and you have an issue and you can't supply them, well then this company is going to have to go to your biggest competitor and buy a product. Right. And they may not come back. And it could be because they have to get product on the site.

SPEAKER_00

The reputational harm that goes with that. You've become the executive or the director that allowed that to happen. How is that going to impact your reputational industry? Yeah. How's it going to impact?

SPEAKER_01

And the other thing for me too, Luke, is that if you've had this customer for a very long period of time and you lose them, can you replace them? Because a lot of salespeople at the moment are really struggling to create and win new business. So I suppose it's again, it's like me driving, you know, riding the Indian in the wet. I need to make sure that I'm kitted up for that and also need to make sure the tyres are in good condition. I think it's been really great talking to you. And just another one here, Luke. Just give us a bit of a little snapshot on.

SPEAKER_00

I've done two sections on Sky News around cyber risk and cyber impact. One was on the ICAT engineering attack where threat actors or hackers stole the plans for the Army's new infantry fighting vehicle. I was also on talking about the cyber attack on Victorian schools. I presented some stuff around the social media ban. So there's been all sorts of bits and pieces I've presented on. I present at conferences probably about half a dozen times a year, do public speaking bits. I enjoy getting out there and trying to communicate around cybersecurity and cyber risk because if it's a start to the conversation, that's what I want to do. Have people think about this is a risk that could impact me and start addressing it.

SPEAKER_01

It was really impressive. And I know every time I've caught up with Luke, I always learn something. He's an expert in his field. But not only that, he's a genuine person that has, you know, your company in his best interest. And I think that's why he's doing so well in today's economy. So, Luke, I do really greatly appreciate your time. It's been great to catch up with you. And if anyone wants to get in contact with Luke, he's certainly active on LinkedIn, or reach out to me, and I'm happy to provide his details.

SPEAKER_00

So thank you very much.

SPEAKER_01

Thanks, Luke. Got a product that's struggling or launching something new? Reach out. We're inviting guests who want to make a real impact.