Tony Skinner 00:01
Hi and welcome to the podcast channel www.podcastmybusiness.com.au, and today we have Julian Challingsworth from www.tesserent.com.
Tony Skinner 00:25
So how are you Julian?
Julian Challingsworth 00:30
I’m really well. I’m locked down in Melbourne. But aside from that we’re getting a lot of work done and we’re seeing a lot of interesting activity in the market. So aside from being locked up we’re doing really well.
Tony Skinner 00:44
Well, exactly and you are on the ASX as TNT which is a name that we know for so many different things, but that’s okay. And yeah, you guys and your shares. I mean, you are up massively at the moment.
Julian Challingsworth 01:01
We really are, I mean, we’re up from a low of around two and a half cents. And we’ve touched a high recently of 30 cents. And I think the market’s waking up and starting to see the importance of cyber security. They’re seeing the Prime Minister talk and give presentations about the threats we face. But they’re also talking to friends and colleagues and other businesses and seeing the impact of cyber-attacks and what it does on the business. So, I think there’s a general business and community awareness of cyber. And that’s then following through into the stock market and the pricing we’re seeing, and we are the number one by market cap listed ASX pure play cyber security firm. So, we’ve benefited from what’s happening in the news and the publicity and awareness that cyber is getting at the moment.
Tony Skinner 01:50
So, what business needs to be aware of cyber security?
Julian Challingsworth 01:56
It’s really, it’s all businesses, you know. I mean, it’s very difficult if you use technology and technology is a core part of your business, you really do need to be cyber aware. And even if it’s just your accounting system, and at the end of the day you put out your customer invoices, we see attacks where those accounting systems get locked up, or ransomware is applied where the owner can’t get access to their business tools unless they pay a ransom. So, it’s all businesses of all sizes.
But also any organization with greater than $3 million in revenue needs to know that they’re covered by the legislation, the mandatory Breach Notification legislation. So, if your turnover is greater than 3 million, it’s important you Google that legislation and you make sure you’re across it because if you have an impact, if you have an attack and it impacts your customer records, it can put you in a difficult position that you need to write to your customers and let them know that you’ve had an attack.
So, I’d recommend any, any business with greater than 3 million in revenue Googles that mandatory Breach Notification legislation and make sure they’re across the details of that.
Tony Skinner 03:11
Yeah, absolutely. I mean, even in a small business like mine, I have it through my direct debit provider. That level as well. So yeah, every business needs to have that. So, when you’re talking about issues like accounting software, if you’ve got an accounting package – I’m not going to mention any in particular – that’s in the cloud, can that still get hacked?
Julian Challingsworth 03:34
I think almost anything can get hacked if the hacker is persistent enough. So, it’s important that you do have a sense of security, you understand the types of assets that you have, and they’re appropriately protected.
I think one of the myths in moving to the cloud is that security becomes somebody else’s responsibility. And I think moving to the cloud is fantastic. It’s been a great enabler for business, to lower their overall costs and become more responsive to customers.
But it doesn’t change the fundamental that you’re still responsible for your data, and you’re on the hook if something happens. So, moving to the cloud is a great thing. But you really do need to think about, okay, is my data secure? Is it in a cloud environment that’s secure? And it may be as just a simple case as turning on multifactor authentication or using some of the tools that your cloud provider may make available to, but you just haven’t switched them on yet. So, it’s really worthwhile, you know, talking to somebody who can help you understand what are the right protection devices and layers, are they turned on? Because generally, they’re there and they’re available to you, but you’ve got to make a conscious choice to use them.
Tony Skinner 04:52
Yeah, even something as simple as that. I always locked my computer when I walk away from it. I did work in a shared office as well. Even something as simple as that can help, but you’ve got something really good here. You’ve got the cyber 360 and the C2M2. And I guess that’s for much larger organization where you can do an audit to see how the business is going?
Julian Challingsworth 05:17
It’s really important I think, doing the audit gives you a clear baseline of where you are today, versus the types of risk you can face. So if you understand your data assets and what’s important to your business, and you understand your cyber maturity, you can then make really informed decisions of what do we need to do as an organization to protect those digital assets?
And it’s a really good place to start from. And cyber 360 is what we talk to our customers about. And fundamentally it’s really driven by identifying the risks that you face, understanding your maturity, based on your people, process and technology. Then building out appropriate security. Putting the right products in place to defend those digital assets. But important then, having that capability to monitor those controls to make sure they’re effective.
And it’s that combination of identity awareness, building out the right architecture to protect your digital assets, and then making sure it’s monitored. We have a security Operation Centre in Box Hill. And from there we monitor our clients 24/7 and give them that peace of mind that somebody is actually looking at their security 24/7, 365 days of the year.
Tony Skinner 06:39
Yeah, I’m looking at a lot of things you do, and you guys do a lot of stuff. You are the place to go to for anything secured. I’m thinking you look after the firewall, email filtering, all those wonderful things. And you’ve got a thing called threat hunting. I like the sound of it. Is that like they do with a submarine, and you go out hunting people down?
Julian Challingsworth 07:01
Look, it’s pretty close. I can’t tell you everything we do in that space. But as a concept what we find is threats often come into your environment undetected. And typically, the average number of days a threat lives in your environment is 190 days. And that’s potentially doing malicious behaviour, exfiltrating data out of your network, monitoring communications in your organization. And 190 days is a long time for somebody to be inside your system.
So, what threat hunting does is, we go into our clients on a regular basis. Maybe we spend a fixed number of time every week or every hour, and we look for threats that are in there. And our goal is to massively shorten that time from 190 days down to a few days or a few hours, so that we can proactively hunt out the threats that are in your system and eliminate them before they cause significant damage to your business so your business reputation. So, threat hunting is really turning passive security where we’ve got a firewall and the front door’s locked. Threat hunting is about actually a proactive process of looking through your business, making sure there are no active threats working in your business.
Tony Skinner 08:20
Yeah, I was in a meeting yesterday and cybersecurity insurance was something that came up because there’s an offer through that meeting organisation, cybersecurity insurance. And I guess, if you’ve got cybersecurity insurance, if you don’t have an organization taking care of your cybersecurity, I wonder if the insurance will pay out?
Julian Challingsworth 08:43
It’s a pretty thorny issue. And you know, the cyber insurance will have some expectations that you have reasonable practices working in your organization. And we’ve really seen premiums go up as more organizations take it but more organizations are making claims on it. So I think it’s a very valid policy to have. But it’s not the only thing you need to do. You can’t sign up for a cyber security policy and think that’s it, we’re done, we’re protected. You really need to see that as just a part of the solution. You really do need to put the right levels of protection in place, and to make sure that they’re effective because your business is changing, your networks, your IT changes constantly. You constantly need to make sure you’ve got the appropriate level of cyber protection in place.
Tony Skinner 09:37
For a business, what would be the priorities or what should every business do to be secure?
Julian Challingsworth 09:47
I think the first thing is understand where your digital assets are. Understand what is the most important systems. Understand where your customer data is, and make an inventory of those key digital assets that you have. And then for each of those assets, look at how they’re protected.
Look at how your backups are working. You know, even today, and in cloud, we still see a lot of organizations that feel they’re backing up, but they’re not.
You know, they’re not effective and they can’t restore from them. Make sure you do have backups, make sure that you can restore from a backup in case you have a ransomware attack. And you can restore to a point pre the attack. Like, the next thing is then start to have a look at some basic things.
There’s a reference framework called the Essential Eight, which identifies the eight most important things that all organizations should be doing. So have a look at that on Google, the Essential Eight, and make sure you’re thinking about that.
And then where your applications support multifactor authentication, and what that is – you log into an application, perhaps your email, and it sends you a text message. So, you get a one-off code on your phone or on a different device. And you log in with a unique code each time. So, if that’s an option for you, activate multi-factor authentication.
They’re the fundamentals for the small business, make sure you’ve got a firewall, make sure that it’s up to date. Make sure that you’ve patched your applications with the latest security patches.
You know, if your phones or your computers notify you that there’s a patch available, it’s important that you get it down and that your patching is up to date.
But look, I think, the most important thing – audit your assets – know where your digital assets exist. And look at the Essential Eight, consider all of those eight as really important. And then look at multi-factor authentication.
Once you’ve got those things done, that’s a really good starting point. You can then look at, well what is the risk to my business of an attack and what is the appropriate level of defence in other areas. Yeah, I would definitely start with those three key things.
Tony Skinner 12:06
Yeah, absolutely. And I know with my accounting software, I’ve got to login and it wants the two-factor authentication, I’ve got the Google Authenticator on my phone, I’ve got to put in the code and everything else. And you know what, sometimes it becomes a bit of a pain, but it is beneficial. And something I would like to add is a password manager. Yeah, not an Excel spreadsheet with all of your passwords in it!
Julian Challingsworth 12:31
Yeah, and definitely not a post-it-note on your screen with your top five passwords.
Tony Skinner 12:38
There was that movie, what was it that movie recently? Ah, trying to remember. It was about a gaming thing or something and this guy had his password on his post-it note.
Julian Challingsworth 12:53
We have seen that plenty of times. Or a shared password across the office. Let’s have the same password! It’s, it’s extraordinary! Two factor and multifactor authentication can feel like it is annoying. But spending an extra 30 seconds logging in once a day, versus the issues that you can have, if you do have a serious breach. I mean, it’s really worth taking the extra few seconds to log in every day and getting that sense of comfort that you do have some additional protection.
Tony Skinner 13:28
Yeah, that’s definitely helpful. Okay, anything else you’d like to add?
Julian Challingsworth 13:33
Look, I think they’re the main things, you know. Keep across, there’s some good government websites. The ASD, the Australian Signals Directorate, often publishes great information for mid-sized businesses to stay across some cyber issues. And if you’ve read that and you want help, call Tesserent. We’re really here to help Australian businesses protect their digital assets.
Tony Skinner 14:00
Fantastic. Thank you very much for that. Yeah, it’s an interesting topic. And I’m glad that we’ve covered it without getting into too much technical detail. I know people think, geez, here we go again, and it can get technical or whatever.
It’s not technical. Just remember, just because you’ve got Google Drive, or Microsoft, or all the different Dropbox and all the other ones, doesn’t mean that you don’t have to backup and doesn’t mean you don’t have to be secure.
Julian Challingsworth 14:27
And make and test those backups. You know, a lot of people just feel they’re doing backups. But every few months test they work. You know, you really don’t want to have an attack and find your key business information is encrypted, and you go to your backups and they don’t work! So, take an afternoon or a couple of hours and just make sure that that works.
Tony Skinner 14:48
Absolutely. All right. Thanks very much, Julian, and good luck in Melbourne. You guys will be out of everything soon, I am sure.
Julian Challingsworth 14:57
I hope so. Tony, thanks for your time.
Tony Skinner 15:00
All right, thank.