Cybersecurity insights from Telstra, Loop Technology, Enosys and more

The Australian government estimates the cybercrime hit to the Australian economy at a conservative $1 billion a year. So it instructed cyber spies at the Australian Signals Directorate to offensively hack organised crime attacking Australians.

Meanwhile, the insurance industry has woken to the fact that the next round of attacks will be worse. In the wake of disruptions such as WannaCry and Petya, global insurer Lloyds is provisioning for a devastating $US53 billion ($A68 billion) blow to the world economy.

But the challenge for cybersecurity experts is to wake their customers – and their customers’ customers – to the reality of doing business in the 21st century’s cyber war zone.

With the sponsorship of cybersecurity vendors Mimecast and Sophos, we assembled some of Australia’s top cybersecurity partners to dig deep into what the channel is doing to protect Australians from cybervillains.

Guests
Patrick Butler, CEO, Loop Technology
Michael Connory, CEO, Security In Depth
Michael Demery, director, Seccom Global
David Hunston, business development executive, PowerNET
Audrey Lyon, chief revenue officer, Aquion
Jason McClure, CEO, Sliced Tech
Jacqueline McNamara, head of security services, Telstra
Joseph Mesiti, sales director, Enosys Solutions
Chris Mohan, head of threat research & intelligence, Telstra
Davis Pulikottil, GRC practice manager, Sense of Security
Rupert Taylor-Price, CEO, Vault Systems
Scott Thomas, principal, Securite

SPONSORS
Jon Fox, channel director, Sophos
Nicholas Lennon, country manager, Mimecast

Facilitator
Nate Cochrane, CRN

Take the cyber out of cybersecurity

Chris Mohan, Telstra
Think about sun safety: slip-slop-slap. I know nothing about what sun radiation does to my skin, but I know I need to wear a hat, stay in the shade and use sun cream. That’s user awareness at its simplest: protecting us against a present threat that’s getting worse. We should make matters simpler, not more complex.
Big numbers and scary things like ‘the world will end tomorrow’, no one cares about that but they care about their kids, protecting their families. So use the technologies, tell people where to go and [what] to do in a very simple message. Remove the word ‘cyber’ and you have ‘crime’. Take ‘cyber’ away from cyberespionage, you have espionage. Make it real to people.

Jacqueline McNamara, Telstra
All of us have had an investment in making it more complicated. And if you’re a major bank, suddenly you have a team of 500 sucking up all the cybersecurity resources in the country. There’s a lot of value in reducing complexity from the user and infrastructure sides.

Rupert Taylor-Price, Vault Systems
We had a customer who kept pushing back until he was hit at home and lost his personal photos that meant something to him. And then he said, ‘OK, now I’m interested; I’m looking at it now from a business perspective’. Because he’d been hit with something that meant something to him personally, that translated into a business conversation.

Mandatory breach laws will move us toward full disclosure

Joseph Mesiti, Enosys Solutions
I got an email from the accounts department asking for authorisation to pay a bill from a multinational supplier. At the end of the email it said, ‘Unfortunately, and as is publicly known, we were a victim of the latest Petya outbreak, so please be aware that some items on your invoice may not be accurate. Please review and confirm prior to paying.’ I thought, ‘Wow! This is an organisation that has hundreds of thousands of customers worldwide and this is going on every invoice’. We’ll see more in of this in Australia.

CRN: What is your advice to a client who gets, or has to send, an email like this?

Joseph Mesiti
It has to be full disclosure. If you’re worried about mandatory disclosure, I say: ‘Let’s take a step back and assess where your critical data lies’. There’s no use applying a technical control if you don’t know where that data resides; then apply controls accordingly.

Villians are getting smarter

Audrey Lyon, Aquion
It’s getting very tricky to be aware, and the villains are getting smarter. Even that email: ‘We’ve been a victim of the Petya virus, click here and check your invoice’, could be something.

We need to assist the populace [with technology]. A high level of scepticism is important when you’re on email, but I find it difficult because I’m getting emails, and I think:  I don’t know and I’m not game to click the link.’

Build security into the infrastructure

Jacqueline McNamara
Telstra’s approach is to put anything we can in the fabric [of the network]. There are always going to be zero-days that need a specific response but the more we can do in the fabric so that people don’t have to think about it [the better].
We can’t make it any more complex; we just don’t have resources or people. We do a lot of the work for our customers to clean stuff out; to make sure mobiles aren’t picking up malware as a very low-cost customer service. That helps everybody – even if you aren’t buying your services from Telstra – because there’s less circulating.

Protect against threats of tomorrow

Nicholas Lennon, Mimecast
We see maturity in why people choose service providers. It’s not only what the technology does today but how have you architected the services to deal with threats tomorrow? How have you put wrappers around it, whether it’s services that remove administrative pain from the client dealing with one-off, major cyber threats?

The architecture of products is also critical in remaining versatile. And that should take it away from IT organisations, and from users, and ensure they get a consistent service without re-architecting their approach for every new incident.

Users want security without network compromise

Michael Demery, Seccom Global
We have competition coming into the market that doesn’t own the security fabric or connectivity but they’re selling [and] influencing our customers. Now, if building security into the fabric slows down the network, they might say, ‘OK, if you watch a lot of Netflix, these are the best people to use’.

So that influences whom customers buy their connectivity from. We have to understand that, as well as building security, if it slows the network down our customers will lose customers.
No customer sits there and thinks, ‘I don’t need security. I’m not at risk’; there’s too much information out there. We need to understand their network and then influence around their business. Because there might be other reasons why they aren’t implementing security controls.

Machine learning can play a greater role in keeping us safe

Jon Fox, Sophos
No vendor has a silver bullet. It’s important to have a layered security strategy. There’s threats coming from different [directions] and so we’re starting to look at machine learning. Hackers are changing, everything is changing so quickly, so our focus is adapting on the fly because a point product is not going to do it – it needs to learn as it goes along.

Audrey Lyon
Awareness is good and necessary, culturally, but technology and services we’re offering can go a really long way. So I think you’ve got to go both ends.

The personal touch is important

Michael Connory, Security In Depth
From a business perspective, we talk to the CEOs because the CIO is always going to follow suit. And what’s scary is that something like 68 percent of Australian businesses are reported to have an incident response plan, but we surveyed 1100 organisations of all sizes and only 17 percent had one.

Jacqueline McNamara
One of the most important of our new offerings is an incident-response retainer, so when your law firm realises they’re underwater, just call us and we’ll come and help you.
Like the ‘Telstra Help’ vans applied to security. Even our big customers say that is the difference working with Telstra: when it all goes bad, what they want is Telstra in their data centre helping them. The personal touch is really important in security. When you’ve got the board ringing to find out what’s going on, it’s nice to say, ‘So I’m going to do this next with someone who actually knows what they’re doing’.

Michael Connory
A Victorian minister indicated that for the government, the cybersecurity budget was going to be: 15 percent improving existing technology, 15 percent new technology and 70 percent security. People were their biggest challenge. Another agency did a phishing exercise and 27 percent of employees hit the suspicious link the first time. They created a ‘stick’ policy that, if you clicked on a link, HR would sit down with you to counsel on what happened. They got it down to 3 percent.

Culture plays a critical role in cybersecurity hygiene

Jason McClure, Sliced Tech
I’ve seen organisations where scientists would say, ‘I’m going to get a warning. I’m going to do it anyway.’ A lot of issues have come from hierarchical structures where there are scientists trying to get around restrictions in scientific organisations. So it’s all about the culture and aligning IT outcomes to business outcomes, and making sure people feel they can do their role without feeling constrained, because they’ll rebel every time.

Chris Mohan
We turned the conversation around and said, ‘See something. Say something’. We want people reporting phishing faster. We all make mistakes. Click on it. That didn’t seem right. Let’s see how fast we can get the report in to me under that golden hour. People are scared they crossed that barrier: ‘I’ve done something bad’. No, you haven’t; you just made a mistake.

Client buy-in can make or break the security posture

David Hunston, PowerNET
It shocked me to see a 60-staff law firm that didn’t even have anti-virus, off-site or cloud backups. They reached out to us because their email went down for two days. They got hit with ransomware.
We got them up and running quickly but we’re in the phase of trying to get them protected; get their backups working. But whether it’s budget issues or a dated mentality from higher up, it’s been a struggle – but we’re still working with them.

Jacqueline McNamara
Mandatory breach notification is going to make a big difference because everybody’s starting to feel the heat. So you need to work out whether you can get buy-in from the business. And if you don’t, I would encourage my team to qualify out.

Nicholas Lennon
On the other extreme, we just presented to one of Australia’s largest law firms and did a live hack with 90 partners in the room. So you’ve got organisations that are taking it very seriously to know every intricate detail so that they’re educated to raise alarm bells and have certainty around what an incident could look like and how to react.

The public cloud is generally secure but it’s not a silver bullet

Scott Thomas, Securite
We’re definitely safer – any good cloud operator’s going to have redundancy built into their offerings. Mimecast has 12 or 14 data centres but if one goes down, it falls over to another.

The cloud might offer a false sense of security

Davis Pulikottil, Sense of Security
Organisations need to ask, what is the contract they have with the cloud provider? What kind of services are they getting? And what security tool shall we actually pick because there are so many options out there.

Patrick Butler, Loop Technology
There’s a risk of being lured into a false sense of security in the cloud. ‘We’ve chosen a cloud provider, so they’ve got rock-solid security; they’ve got ISO, they’re certified for PCI. I’m good to go.’

But you look at it and say, ‘If that’s AWS, they secured what they’re responsible for, but what do I do with this application?’

Even if it were Office 365, the amount of configurations is incredible. So there’s the opportunity to make a configuration mistake and then suddenly data is available.

Mobile poses unexpected threats

Chris Mohan
A major Android botnet that was doing massive DDoS was taken down last week. You’ve got rogue applications stealing credentials, cloning phones.

That phone is you. You do your banking on that machine. Think: when you type a password on it, do you use that password anywhere else?

So your identity has shifted to that device, your Facebook profile, your corporate email. How is that sandboxed from other applications?

It’s a video and sound recording device too. So imagine sitting at a board meeting and your phone has the cheap version of Angry Birds that your kids downloaded with full rights to your system – and you put that on the table and you’re recording this entire conversation.

Michael Demery
One of our engineers six months ago was demonstrating how to hack mobile phones. He got into my phone and captured everything I did. If I went to a bank account, he would have captured that information; if I opened an email he’d have captured that information. He was showing me as I was typing.