July 23, 2024 • 18 mins
This episode focuses on cybersecurity, highlighting its importance as the top challenge for enterprise and government organisations. Special guest Michael Murphy, Director of Operational Technology and Critical Infrastructure for the Asia-Pacific region at Fortinet, shares insights on cybersecurity legislation, immediate steps for organisations, and the importance of collaboration and information sharing.
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
Welcome to Vocus Inspire, the podcast full of brilliant ideas
for business.
Hi, I'm Luke Coleman, head of government and corporate affairs
at Vocus, Australia's leading specialist fibre and network solutions provider.
Before we get things underway, we want to acknowledge and
pay our respects to the traditional custodians of the land
(00:24):
from wherever you're listening. In this podcast, we dive headfirst
into what's on the minds of Australian business and government
leaders to help inspire you and your organisation to go forward,
go further, and go faster. So let's go.
Welcome to the Vocus Inspire podcast. Today we're taking a
(00:45):
big picture view of cybersecurity, a topic our research reports
as the single most important challenge voted by enterprise and
government organisations today. And to explore some very important aspects
of cybersecurity, we have a special guest from global leader
of cybersecurity solutions and services, 40NET.
(01:06):
Michael Murphy is the director of operational technology and critical
infrastructure for the Asia Pacific region at 40NET. He's got
more than a decade of real world experience in critical
infrastructure with a background in critical incident response and digital forensics.
He's held various roles as a cybersecurity practitioner and has
(01:26):
built operational technology incident response teams for events with real
world ramifications using a broad range of structured knowledge and
pre-existing frameworks and standards. Welcome to the podcast, Michael.
Speaker 2 (01:40):
Thank you so much. It's wonderful to be here.
Speaker 1 (01:42):
Let's get straight into it, that organisations of all sizes
are becoming increasingly aware of the requirements of cybersecurity legislation.
What are some of the immediate steps, particularly for medium
sized organisations that they can take to make sure that
they're aware, that they understand and that they can comply
(02:03):
with these obligations?
Speaker 2 (02:05):
So uh I'll address the why to begin with. I
think that's the most compelling, um, component of where organisations
are beginning to pay attention. Uh, why are we observing
these increased levels of awareness? Well, threat actors are not
bound to the same physical borders that historical threats have been. Uh,
that means that nothing is truly out of bounds anymore.
(02:26):
Time, energy and effort is now aligned to highly motivated individuals,
groups and syndicates which can be used to leverage at
scale and inflict maximum disruption. I'd start for most organisations
tapping into the basics. So follow the industry recognised and
certified forums. Uh, a good place to start is with
(02:46):
the Australian Signals Directorate ASD and Cyber Infrastructure Security centre,
the CISC.
Connect with the government outreach, or the Australian government outreach
teams where possible, join and collaborate within the trusted information
sharing network, uh, commonly known as the T Tisson, uh,
and really lean in on technology and service partners who
(03:07):
are actively invested in high calibre industry recognised service delivery.
Speaker 1 (03:13):
What about smaller enterprises, how can they best get across
the requirements and make sure that they can navigate the intricacies,
particularly in the context of working with third parties and
software as a service solutions?
Speaker 2 (03:26):
So organisations generally benefit from a blueprint or alternatively a
predefined and flexible framework to adopt and integrate cyber resilience. Uh,
the Security of Critical Infrastructure Act of 2018 covers four
key areas that from my personal perspective, uh, all organisations
should strive to adhere to. Uh, and it's based on, uh, some,
(03:47):
some key points here. So, knowing your assets, both within
the IT enterprise and potentially if you have operational technology
as well.
Uh, second, have the ability to identify malicious manipulation within
your network. Uh, Furthermore, the ability to report on appropriate government, uh,
authority bodies. 12 hours is generally the highly desirable time frame.
(04:10):
A third is invest in end user awareness training, um,
not to neglect proactive preventative activities like vulnerability scanning and
penetration testing.
And finally, what I think is probably the most important
uh is really a form of measurement. So perform an
annual review of how you're investing in the cyber domain.
Have you actually enhanced and uplifted your cybersecurity posture, leverage
(04:34):
an industry recognised standard or framework like NIST as a
key benchmark.
I also find that, uh, especially with regards to software
as a service, thoroughly understand uh and frequently uh review
the shared accountability models that are available to you. Um,
this is something that's often neglected after a point of purchase, uh,
and it is something that, that changes and, and moves and, and, uh, often, um, is,
(04:58):
is not readdressed.
Speaker 1 (05:00):
I'm gonna go a little bit off script for a
minute here, Michael, and just to go to something you
said a moment ago about, um, the obligation to report,
particularly in in the 1st 12 hours, uh, if there
has been a cyber incident. I imagine that for a
lot of businesses, they have seen the fallout of um
of major cyber breaches in the last couple of years
(05:20):
and the reputational damage that it causes that,
There's probably going to be a bit of a discussion
internally about do we really need to report this, are
we going to get away with it? And we don't
want people to find out because the reputational damage of
seeing this in the media could be so immense potentially.
What would your advice be to organisations that are staring
(05:41):
into a real cyber incident and that question of what
they do about reporting it?
Speaker 2 (05:47):
So, uh, when we look specifically at critical infrastructure and
operational technology, um, it's evident that operational disruption leads to downtime,
downtime leads to revenue loss, and revenue loss leads to
irreversible brand damage. And for services that are frequently leveraged
by the, the public, um, it, it's generally best practise
(06:10):
to take ownership and accountability proactively.
Uh, rather than being left, um, in a reactive situation
where you haven't been, uh, open and, and hug the cactus,
so to speak, around what's been observed or what's actually
happened within your network.
Um, so I, I think from, from an Australian perspective,
we are very good at, um, acknowledging where there are
(06:31):
maybe points of failure within a business or if there
have been, uh, points of vulnerability that have been exposed. Um,
but there are also some lessons that are being learned
right now based on, uh, breaches that have recently taken
place where we need to band together and, and ultimately collaborate, uh,
rather than going down the pathway of condemning one another, um, and,
and pushing each other away from learning from the lessons
(06:53):
of the past.
Speaker 1 (06:54):
As smaller enterprises aspire to become suppliers to larger enterprises,
what are the critical things they need to focus on
to make sure they're aligned with the rigorous cyber requirements
of their larger customers?
Speaker 2 (07:09):
So I think this is something that benefits from a
behavioural perspective, uh, and again, at, at the risk of
going off narrative, um, according to American sociologist Diane Vaughan, uh,
we need to better understand the normalisation of deviants from
a trusted state. So Bourne basically identifies the process where
a clearly unsafe practise becomes considered normal, um, if it
(07:34):
does not immediately cause a catastrophe.
Uh, kind of a long incubation period, if you will,
before a final disaster with early warning signs that are
either misinterpreted, ignored or missed completely. Uh, and what does
that look like when we apply it to Australia, uh,
when we kind of neglect the behavioural component of taking
ownership and accountability.
In 2022 to 2023, the mandatory cybersecurity incident response regime
(07:59):
for the SOE Act or the Security of Critical Infrastructure
Act highlighted that there were more than 188 significant or
relevant impacts to Australian infrastructure with flow-on impacts related to
the confidentiality, integrity, and reliability of Australian critical infrastructure.
In the same year, the Australian Signals Directorate responded to
(08:21):
143 incidents reported by entities who self-identified as critical infrastructure,
which was an increase from 95 incidents, uh, the year beforehand.
Smaller enterprises need to take the initiative to understand the
threat landscape, uh, monitor and assess the realised risk and
align to a standard blueprint similar to what we mentioned
(08:42):
earlier to uh to move forward.
Speaker 1 (08:45):
Now there are more and more industries that are falling
under the definition of critical industries, such as hospitals, supermarkets,
and of course telco providers. So if an organisation is
supplying services and products to a critical industry, what could
that mean for their approach to cybersecurity?
Speaker 2 (09:06):
So, you pointed out a very important consideration, and that's
the fact that there are more industries that are now
falling under that definition of critical industry. Minister of Home
Affairs and cybersecurity, Claire O'Neill has highlighted within the cybersecurity
strategy for Australia, um, that we aim to be uplifted, um,
and that Australia's cybersecurity capability is uplifted to become the
(09:27):
world's most cybersecure nation by 2030.
Uh, now, it might sound rather self-indulgent. However, I'm a
firm believer in Murphy's law, where anything that can go
wrong will go wrong, uh, or to the extreme, anything
that can go wrong will go wrong at the worst
possible time. And now, generally, that has some pretty negative, uh, connotations. Uh, personally,
I prefer Christopher Nolan's perspective from Interstellar, where Murphy's law
(09:51):
doesn't mean that something bad will happen. It simply means
that whatever can happen will happen.
Uh, now when we look at the Australian Bureau of
Statistics report from 2023, uh, more than two businesses in
every 10 experience some form of cybersecurity attack. Uh, that's
an increase from 1 in every 10 businesses from 2019
to 20, 2020. Um, now when we break down those
(10:14):
statistics further, um, and what I think adds weight and
gravity to paying attention to this, uh, this report is 34%
of businesses, uh, ultimately reported a loss of time in
managing cyberattacks.
18% reported a downtime of service and 17% of businesses
reported a loss in staff productivity. Thre actors are always
(10:36):
going to be looking for the pathway of least resistance,
and a holistic partner approach is fundamental to successfully mitigating
and recovering from malicious manipulation.
Speaker 1 (10:46):
Emerging technologies like AI and automation bring new challenges for
organisations in terms of cybersecurity. At a time when budgets
are tight and there's a push to do more with less,
what simple things can organisations do to strengthen their cyber defences?
Speaker 2 (11:05):
So, Nvidia's CEO Jensen Hong, recently said, uh, if something
is moving a million times faster every 10 years, what
should you do? Uh, now, I'm paraphrasing here, but his
perspective was the first thing you should do is instead
of looking at the train from the side, is get
on the train, uh, because, uh, on the train, it's
not moving that fast.
(11:26):
Uh, I believe that you need to ensure there are
uh firm internal governance, uh, around pre-approved emerging technologies that
are implemented, uh, within your network. Uh, and certainly be mindful, um,
and reassess the solutions that you already have invested in.
But what we've found is many have actually added, uh,
human machine teaming and AI capabilities that organisations are not
(11:49):
taking advantage of.
Um, so my point back would be, are there additional capabilities, um,
that you're potentially not already using that are available to you? Um,
and in some cases, if there is a slight cost increase,
how does that assist with, um, with some of the
historical challenges we've seen in Australia, like the skills gap?
(12:10):
How can we actually enable, um, the next generation to, uh,
to operate more efficiently and effective, uh, in kind of
this remote hybrid working world?
Speaker 1 (12:18):
Finally, on operational resilience, how can businesses strike the right
balance between the benefits of cloud infrastructure and services and
safeguarding against operational disruptions?
Speaker 2 (12:32):
So we need to acknowledge that Australian critical infrastructure is
indeed being targeted uh due to the increased requirements for
interconnected systems to seamlessly deliver goods and services, not to neglect, um,
taking advantage of real world telemetry.
For competitive advantage, especially within the operational technology realm, uh,
when connected to the internet and into corporate networks, uh,
(12:56):
this is certainly provided opportunity for malicious cyber actors to
attack and compromise these critical systems. Uh, when we look
at the actual examples of this taking place, we saw
the Danish energy grid back in May last year.
Um, there were a number of key assets from a
network perspective that were deployed. These assets were known to
(13:16):
have two zero-day vulnerabilities that were exploited, and that caused
22 sites to go into island operation mode. We've also
seen some hardware providers, hardware and software providers like Unitronixs
that facilitate HMI PLC capability for the automation of critical
functions for critical industries such as water desalination.
(13:38):
And energy generation to have been compromised directly from the internet.
These assets were never designed to be publicly available. And
then finally we've also seen the port of Tokyo, ultimately stop,
grind to a halt because there was no appropriate safeguarding
against these operational disruptions. So we generally see these two
(13:58):
predominant engagement models for safeguarding for future operational resilience. One,
is we're attempting to retrofit cybersecurity into legacy and brittle networks. Alternatively,
it's embedding capability into future infrastructure.
Um, with an endeavour to adopt secure by design and
secure by default so that it's more of an
Speaker 1 (14:19):
afterthought. Now, I always like to give the opportunity to
our guests on this podcast to make one wish, one
request that you could put out to all leaders of
enterprise and government organisations to either um avoid missing a
massive uh opportunity or to prevent making a big mistake.
What is your one wish?
Speaker 2 (14:42):
So I'm, I'm really glad you're asking this specific question. Um,
to me, protecting our critical infrastructure and the underpinning operational
technology needs to be a personal endeavour. Um, many of
us have family, uh, uh, community, close friends, um, that
we really need to think about when we invest time,
energy and effort in, in building resilience within the cyber landscape.
(15:03):
Uh, rather than each to their own approach, uh, I
believe that it's imperative more than ever that we share information,
we collaborate, we lean in on government resources that have
been made available to us. Much like the supply chain,
we are only as good as our weakest link.
Speaker 1 (15:19):
Brilliant. Now we always love to finish up with a
rapid fire segment. I'm gonna ask you a series of
rapid fire questions. Give me the first thing that pops
into your head in response. What is your favourite piece
of technology?
Speaker 2 (15:31):
Hands down without question, smart tags. Uh, travel frequently around AIPAC,
which means that I'm constantly moving and so my critical possessions. Uh,
so knowing exactly where they are at all times is, uh,
is very beneficial. How do you disconnect? Uh, ironically, uh,
healthy dose of game time. I, uh, I kind of
switch on to switch off. Uh, so I'm a big
fan of the old classics.
Speaker 1 (15:51):
What games do you play?
Speaker 2 (15:53):
Uh, Original Doom, bit of Counter-Strike, 1.6, and, uh, and
some Call of Duty in there as well.
Speaker 1 (15:58):
I love it, great taste. What's the most important thing
you do for your own well-being?
Speaker 2 (16:03):
Quality time is, uh, is so incredibly important to me, uh,
especially spending it in meaningful ways without digital distractions. Uh,
I find that connecting with, uh, with close friends and
family to assess and reset my personal perspectives on a
range of different, uh, topics and factors to be extremely beneficial.
Speaker 1 (16:20):
What's the one thing that would surprise people about you?
Speaker 2 (16:24):
Uh, probably the exposure to processing control and, and automation. Um,
it's been something that's covered three generations of, uh, of
my family line now, almost 100 years. Uh, my Dutch
grandfather worked extensively, uh, on aircraft carrier, uh, navigation equipment. Uh,
my 3 uncles worked on, uh, vehicle, uh, electronics and automation, uh,
so I spent many weekends pushing a broom around the, uh,
(16:46):
the family workshop, uh, called HP Auto down in Melbourne,
learning about PLCs, sophisticated electronics, and, uh, physical automation.
Speaker 1 (16:54):
What's the one personal trait most important to
Speaker 2 (16:57):
success?
Uh, I feel that creative thinking and, and storytelling is, uh,
is a bit of a lost art. Um, conveying a
complex or convoluted scenario is a clear and succinct narrative
that can anyone, that anyone can understand is, is something
that I think, um, is, is incredibly important and, uh,
and importance to success as well to, to communicate and
(17:18):
break down the complex challenges.
Speaker 1 (17:22):
Finally, what's the one thing there needs to be more
of in business today?
Speaker 2 (17:28):
General knowledge transfer, to me, um, remote and flexible workplaces
can certainly be incredibly beneficial. Uh, however, for many young
eager starters, it can certainly mean there are barriers and
bottlenecks to share insights and knowledge from the past. And
I think when we look at the IT and cybersecurity domain.
Um, these stories, this shared intelligence and, and, and these
(17:50):
insights are gonna be what really better equipped us in
the future to ensure that we don't repeat the, uh,
the lessons of the
Speaker 1 (17:56):
past. Michael Murphy from 40NT, it has been an absolute
pleasure having you with us. Thanks for joining us on
the Vocus Inspire podcast.
Speaker 2 (18:05):
Thank you so much.
Speaker 1 (18:06):
Thanks so much for listening. I hope you've enjoyed this
episode of Focus Inspire, and we look forward to bringing
you more inspiration in coming episodes. And don't forget, if
you want more inspiration and more episodes, head to vocus.com.au/podcast.
You can follow us on LinkedIn and Twitter to stay
up to date with all things Vocus. Listen out for
(18:27):
the next episode of the Vocus Inspire podcast.
Welcome to Vocus Inspire, the podcast full of brilliant ideas
for business.
Hi, I'm Luke Coleman, head of government and corporate affairs
at Vocus, Australia's leading specialist fibre and network solutions provider.
Before we get things underway, we want to acknowledge and
pay our respects to the traditional custodians of the land
(00:24):
from wherever you're listening. In this podcast, we dive headfirst
into what's on the minds of Australian business and government
leaders to help inspire you and your organisation to go forward,
go further, and go faster. So let's go.
Welcome to the Vocus Inspire podcast. Today we're taking a
(00:45):
big picture view of cybersecurity, a topic our research reports
as the single most important challenge voted by enterprise and
government organisations today. And to explore some very important aspects
of cybersecurity, we have a special guest from global leader
of cybersecurity solutions and services, 40NET.
(01:06):
Michael Murphy is the director of operational technology and critical
infrastructure for the Asia Pacific region at 40NET. He's got
more than a decade of real world experience in critical
infrastructure with a background in critical incident response and digital forensics.
He's held various roles as a cybersecurity practitioner and has
(01:26):
built operational technology incident response teams for events with real
world ramifications using a broad range of structured knowledge and
pre-existing frameworks and standards. Welcome to the podcast, Michael.
Speaker 2 (01:40):
Thank you so much. It's wonderful to be here.
Speaker 1 (01:42):
Let's get straight into it, that organisations of all sizes
are becoming increasingly aware of the requirements of cybersecurity legislation.
What are some of the immediate steps, particularly for medium
sized organisations that they can take to make sure that
they're aware, that they understand and that they can comply
(02:03):
with these obligations?
Speaker 2 (02:05):
So uh I'll address the why to begin with. I
think that's the most compelling, um, component of where organisations
are beginning to pay attention. Uh, why are we observing
these increased levels of awareness? Well, threat actors are not
bound to the same physical borders that historical threats have been. Uh,
that means that nothing is truly out of bounds anymore.
(02:26):
Time, energy and effort is now aligned to highly motivated individuals,
groups and syndicates which can be used to leverage at
scale and inflict maximum disruption. I'd start for most organisations
tapping into the basics. So follow the industry recognised and
certified forums. Uh, a good place to start is with
(02:46):
the Australian Signals Directorate ASD and Cyber Infrastructure Security centre,
the CISC.
Connect with the government outreach, or the Australian government outreach
teams where possible, join and collaborate within the trusted information
sharing network, uh, commonly known as the T Tisson, uh,
and really lean in on technology and service partners who
(03:07):
are actively invested in high calibre industry recognised service delivery.
Speaker 1 (03:13):
What about smaller enterprises, how can they best get across
the requirements and make sure that they can navigate the intricacies,
particularly in the context of working with third parties and
software as a service solutions?
Speaker 2 (03:26):
So organisations generally benefit from a blueprint or alternatively a
predefined and flexible framework to adopt and integrate cyber resilience. Uh,
the Security of Critical Infrastructure Act of 2018 covers four
key areas that from my personal perspective, uh, all organisations
should strive to adhere to. Uh, and it's based on, uh, some,
(03:47):
some key points here. So, knowing your assets, both within
the IT enterprise and potentially if you have operational technology
as well.
Uh, second, have the ability to identify malicious manipulation within
your network. Uh, Furthermore, the ability to report on appropriate government, uh,
authority bodies. 12 hours is generally the highly desirable time frame.
(04:10):
A third is invest in end user awareness training, um,
not to neglect proactive preventative activities like vulnerability scanning and
penetration testing.
And finally, what I think is probably the most important
uh is really a form of measurement. So perform an
annual review of how you're investing in the cyber domain.
Have you actually enhanced and uplifted your cybersecurity posture, leverage
(04:34):
an industry recognised standard or framework like NIST as a
key benchmark.
I also find that, uh, especially with regards to software
as a service, thoroughly understand uh and frequently uh review
the shared accountability models that are available to you. Um,
this is something that's often neglected after a point of purchase, uh,
and it is something that, that changes and, and moves and, and, uh, often, um, is,
(04:58):
is not readdressed.
Speaker 1 (05:00):
I'm gonna go a little bit off script for a
minute here, Michael, and just to go to something you
said a moment ago about, um, the obligation to report,
particularly in in the 1st 12 hours, uh, if there
has been a cyber incident. I imagine that for a
lot of businesses, they have seen the fallout of um
of major cyber breaches in the last couple of years
(05:20):
and the reputational damage that it causes that,
There's probably going to be a bit of a discussion
internally about do we really need to report this, are
we going to get away with it? And we don't
want people to find out because the reputational damage of
seeing this in the media could be so immense potentially.
What would your advice be to organisations that are staring
(05:41):
into a real cyber incident and that question of what
they do about reporting it?
Speaker 2 (05:47):
So, uh, when we look specifically at critical infrastructure and
operational technology, um, it's evident that operational disruption leads to downtime,
downtime leads to revenue loss, and revenue loss leads to
irreversible brand damage. And for services that are frequently leveraged
by the, the public, um, it, it's generally best practise
(06:10):
to take ownership and accountability proactively.
Uh, rather than being left, um, in a reactive situation
where you haven't been, uh, open and, and hug the cactus,
so to speak, around what's been observed or what's actually
happened within your network.
Um, so I, I think from, from an Australian perspective,
we are very good at, um, acknowledging where there are
(06:31):
maybe points of failure within a business or if there
have been, uh, points of vulnerability that have been exposed. Um,
but there are also some lessons that are being learned
right now based on, uh, breaches that have recently taken
place where we need to band together and, and ultimately collaborate, uh,
rather than going down the pathway of condemning one another, um, and,
and pushing each other away from learning from the lessons
(06:53):
of the past.
Speaker 1 (06:54):
As smaller enterprises aspire to become suppliers to larger enterprises,
what are the critical things they need to focus on
to make sure they're aligned with the rigorous cyber requirements
of their larger customers?
Speaker 2 (07:09):
So I think this is something that benefits from a
behavioural perspective, uh, and again, at, at the risk of
going off narrative, um, according to American sociologist Diane Vaughan, uh,
we need to better understand the normalisation of deviants from
a trusted state. So Bourne basically identifies the process where
a clearly unsafe practise becomes considered normal, um, if it
(07:34):
does not immediately cause a catastrophe.
Uh, kind of a long incubation period, if you will,
before a final disaster with early warning signs that are
either misinterpreted, ignored or missed completely. Uh, and what does
that look like when we apply it to Australia, uh,
when we kind of neglect the behavioural component of taking
ownership and accountability.
In 2022 to 2023, the mandatory cybersecurity incident response regime
(07:59):
for the SOE Act or the Security of Critical Infrastructure
Act highlighted that there were more than 188 significant or
relevant impacts to Australian infrastructure with flow-on impacts related to
the confidentiality, integrity, and reliability of Australian critical infrastructure.
In the same year, the Australian Signals Directorate responded to
(08:21):
143 incidents reported by entities who self-identified as critical infrastructure,
which was an increase from 95 incidents, uh, the year beforehand.
Smaller enterprises need to take the initiative to understand the
threat landscape, uh, monitor and assess the realised risk and
align to a standard blueprint similar to what we mentioned
(08:42):
earlier to uh to move forward.
Speaker 1 (08:45):
Now there are more and more industries that are falling
under the definition of critical industries, such as hospitals, supermarkets,
and of course telco providers. So if an organisation is
supplying services and products to a critical industry, what could
that mean for their approach to cybersecurity?
Speaker 2 (09:06):
So, you pointed out a very important consideration, and that's
the fact that there are more industries that are now
falling under that definition of critical industry. Minister of Home
Affairs and cybersecurity, Claire O'Neill has highlighted within the cybersecurity
strategy for Australia, um, that we aim to be uplifted, um,
and that Australia's cybersecurity capability is uplifted to become the
(09:27):
world's most cybersecure nation by 2030.
Uh, now, it might sound rather self-indulgent. However, I'm a
firm believer in Murphy's law, where anything that can go
wrong will go wrong, uh, or to the extreme, anything
that can go wrong will go wrong at the worst
possible time. And now, generally, that has some pretty negative, uh, connotations. Uh, personally,
I prefer Christopher Nolan's perspective from Interstellar, where Murphy's law
(09:51):
doesn't mean that something bad will happen. It simply means
that whatever can happen will happen.
Uh, now when we look at the Australian Bureau of
Statistics report from 2023, uh, more than two businesses in
every 10 experience some form of cybersecurity attack. Uh, that's
an increase from 1 in every 10 businesses from 2019
to 20, 2020. Um, now when we break down those
(10:14):
statistics further, um, and what I think adds weight and
gravity to paying attention to this, uh, this report is 34%
of businesses, uh, ultimately reported a loss of time in
managing cyberattacks.
18% reported a downtime of service and 17% of businesses
reported a loss in staff productivity. Thre actors are always
(10:36):
going to be looking for the pathway of least resistance,
and a holistic partner approach is fundamental to successfully mitigating
and recovering from malicious manipulation.
Speaker 1 (10:46):
Emerging technologies like AI and automation bring new challenges for
organisations in terms of cybersecurity. At a time when budgets
are tight and there's a push to do more with less,
what simple things can organisations do to strengthen their cyber defences?
Speaker 2 (11:05):
So, Nvidia's CEO Jensen Hong, recently said, uh, if something
is moving a million times faster every 10 years, what
should you do? Uh, now, I'm paraphrasing here, but his
perspective was the first thing you should do is instead
of looking at the train from the side, is get
on the train, uh, because, uh, on the train, it's
not moving that fast.
(11:26):
Uh, I believe that you need to ensure there are
uh firm internal governance, uh, around pre-approved emerging technologies that
are implemented, uh, within your network. Uh, and certainly be mindful, um,
and reassess the solutions that you already have invested in.
But what we've found is many have actually added, uh,
human machine teaming and AI capabilities that organisations are not
(11:49):
taking advantage of.
Um, so my point back would be, are there additional capabilities, um,
that you're potentially not already using that are available to you? Um,
and in some cases, if there is a slight cost increase,
how does that assist with, um, with some of the
historical challenges we've seen in Australia, like the skills gap?
(12:10):
How can we actually enable, um, the next generation to, uh,
to operate more efficiently and effective, uh, in kind of
this remote hybrid working world?
Speaker 1 (12:18):
Finally, on operational resilience, how can businesses strike the right
balance between the benefits of cloud infrastructure and services and
safeguarding against operational disruptions?
Speaker 2 (12:32):
So we need to acknowledge that Australian critical infrastructure is
indeed being targeted uh due to the increased requirements for
interconnected systems to seamlessly deliver goods and services, not to neglect, um,
taking advantage of real world telemetry.
For competitive advantage, especially within the operational technology realm, uh,
when connected to the internet and into corporate networks, uh,
(12:56):
this is certainly provided opportunity for malicious cyber actors to
attack and compromise these critical systems. Uh, when we look
at the actual examples of this taking place, we saw
the Danish energy grid back in May last year.
Um, there were a number of key assets from a
network perspective that were deployed. These assets were known to
(13:16):
have two zero-day vulnerabilities that were exploited, and that caused
22 sites to go into island operation mode. We've also
seen some hardware providers, hardware and software providers like Unitronixs
that facilitate HMI PLC capability for the automation of critical
functions for critical industries such as water desalination.
(13:38):
And energy generation to have been compromised directly from the internet.
These assets were never designed to be publicly available. And
then finally we've also seen the port of Tokyo, ultimately stop,
grind to a halt because there was no appropriate safeguarding
against these operational disruptions. So we generally see these two
(13:58):
predominant engagement models for safeguarding for future operational resilience. One,
is we're attempting to retrofit cybersecurity into legacy and brittle networks. Alternatively,
it's embedding capability into future infrastructure.
Um, with an endeavour to adopt secure by design and
secure by default so that it's more of an
Speaker 1 (14:19):
afterthought. Now, I always like to give the opportunity to
our guests on this podcast to make one wish, one
request that you could put out to all leaders of
enterprise and government organisations to either um avoid missing a
massive uh opportunity or to prevent making a big mistake.
What is your one wish?
Speaker 2 (14:42):
So I'm, I'm really glad you're asking this specific question. Um,
to me, protecting our critical infrastructure and the underpinning operational
technology needs to be a personal endeavour. Um, many of
us have family, uh, uh, community, close friends, um, that
we really need to think about when we invest time,
energy and effort in, in building resilience within the cyber landscape.
(15:03):
Uh, rather than each to their own approach, uh, I
believe that it's imperative more than ever that we share information,
we collaborate, we lean in on government resources that have
been made available to us. Much like the supply chain,
we are only as good as our weakest link.
Speaker 1 (15:19):
Brilliant. Now we always love to finish up with a
rapid fire segment. I'm gonna ask you a series of
rapid fire questions. Give me the first thing that pops
into your head in response. What is your favourite piece
of technology?
Speaker 2 (15:31):
Hands down without question, smart tags. Uh, travel frequently around AIPAC,
which means that I'm constantly moving and so my critical possessions. Uh,
so knowing exactly where they are at all times is, uh,
is very beneficial. How do you disconnect? Uh, ironically, uh,
healthy dose of game time. I, uh, I kind of
switch on to switch off. Uh, so I'm a big
fan of the old classics.
Speaker 1 (15:51):
What games do you play?
Speaker 2 (15:53):
Uh, Original Doom, bit of Counter-Strike, 1.6, and, uh, and
some Call of Duty in there as well.
Speaker 1 (15:58):
I love it, great taste. What's the most important thing
you do for your own well-being?
Speaker 2 (16:03):
Quality time is, uh, is so incredibly important to me, uh,
especially spending it in meaningful ways without digital distractions. Uh,
I find that connecting with, uh, with close friends and
family to assess and reset my personal perspectives on a
range of different, uh, topics and factors to be extremely beneficial.
Speaker 1 (16:20):
What's the one thing that would surprise people about you?
Speaker 2 (16:24):
Uh, probably the exposure to processing control and, and automation. Um,
it's been something that's covered three generations of, uh, of
my family line now, almost 100 years. Uh, my Dutch
grandfather worked extensively, uh, on aircraft carrier, uh, navigation equipment. Uh,
my 3 uncles worked on, uh, vehicle, uh, electronics and automation, uh,
so I spent many weekends pushing a broom around the, uh,
(16:46):
the family workshop, uh, called HP Auto down in Melbourne,
learning about PLCs, sophisticated electronics, and, uh, physical automation.
Speaker 1 (16:54):
What's the one personal trait most important to
Speaker 2 (16:57):
success?
Uh, I feel that creative thinking and, and storytelling is, uh,
is a bit of a lost art. Um, conveying a
complex or convoluted scenario is a clear and succinct narrative
that can anyone, that anyone can understand is, is something
that I think, um, is, is incredibly important and, uh,
and importance to success as well to, to communicate and
(17:18):
break down the complex challenges.
Speaker 1 (17:22):
Finally, what's the one thing there needs to be more
of in business today?
Speaker 2 (17:28):
General knowledge transfer, to me, um, remote and flexible workplaces
can certainly be incredibly beneficial. Uh, however, for many young
eager starters, it can certainly mean there are barriers and
bottlenecks to share insights and knowledge from the past. And
I think when we look at the IT and cybersecurity domain.
Um, these stories, this shared intelligence and, and, and these
(17:50):
insights are gonna be what really better equipped us in
the future to ensure that we don't repeat the, uh,
the lessons of the
Speaker 1 (17:56):
past. Michael Murphy from 40NT, it has been an absolute
pleasure having you with us. Thanks for joining us on
the Vocus Inspire podcast.
Speaker 2 (18:05):
Thank you so much.
Speaker 1 (18:06):
Thanks so much for listening. I hope you've enjoyed this
episode of Focus Inspire, and we look forward to bringing
you more inspiration in coming episodes. And don't forget, if
you want more inspiration and more episodes, head to vocus.com.au/podcast.
You can follow us on LinkedIn and Twitter to stay
up to date with all things Vocus. Listen out for
(18:27):
the next episode of the Vocus Inspire podcast.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Cold Case Files: Miami
Joyce Sapp, 76; Bryan Herrera, 16; and Laurance Webb, 32—three Miami residents whose lives were stolen in brutal, unsolved homicides. Cold Case Files: Miami follows award‑winning radio host and City of Miami Police reserve officer Enrique Santos as he partners with the department’s Cold Case Homicide Unit, determined family members, and the advocates who spend their lives fighting for justice for the victims who can no longer fight for themselves.