Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:09):
Hello and welcome to the Canberra Business Podcast. I'm Greg Harford, your host from the Canberra Business Chamber, and today we're talking cyber security with Roger Smith from Care MIT. Roger, welcome to the podcast.
Speaker 2 (00:21):
Thank you, Greg.
Speaker 1 (00:22):
Look, it's great having you here, and cybersecurity is one of those issues that people are often thinking about, perhaps thinking it's something for other people to worry about, though, and thinking it's something that can be put off till tomorrow. Do you want to tell us? Is that right?
Speaker 2 (00:37):
No, definitely not. One of the biggest problems we've got in our industry is actually convincing people that cyber security is an ongoing problem that we really have to address as much as possible. One of the biggest areas of, I suppose, kickback is the fact that small business, not-for-profit organizations have a lack of resources, so they lack money, they lack expertise. They lack money, they lack expertise, they lack time, and that then becomes something that just gets bigger and bigger and bigger, because they look at the problem and go, well, we didn't have the time or the effort to do that two weeks ago. We still haven't got it, so we've left it another two weeks and another two weeks and another two weeks.
Speaker 1 (01:25):
Why does it matter?
Speaker 2 (01:28):
Two reasons. One is the bad guys are always out there, as in cyber criminals, nation states. They're all after your money, even the cluey 14-year-old who you know. He's got lots of time on his hands. He's quite willing to learn things that we are never going to learn in business or never going to learn. Have a requirement to be able to address that. The other point is the fact that everything is changing all the time. Everything that we do, the technology we use now, is always being. They're always finding ways of breaking it, and what happens is those vulnerabilities that are being caused by the breaks in that technology or the software or whatever this is, is being targeted. We need to have things like updates to allow us to patch the system so that that vulnerability is no longer in that software.
Speaker 1 (02:30):
Now there'll be some people listening to this who think, well, I'm only a really small business, I've only got one or two employees. Perhaps I'm an electrician working in people's houses. Who is going to bother trying to hack me?
Speaker 2 (02:47):
It's not a case of who's going to target you. It's a case of the automatic systems that are on the internet. If you've got a system that is connected to the internet, you can be targeted directly, and that then becomes a huge problem. When it comes to it, it doesn't matter the size of the organisation. All of the organisations, it doesn't matter who you are, it doesn't matter what you're doing. I can guarantee you have an email address, which is a connection to the internet. I can guarantee that you have an accounting system, which, in most cases, is a connection to the internet. So those are two areas where you can accidentally get targeted. It doesn't matter how big you are. One of the things that we endorse is a system called the Essential 8. And the Essential 8, one of the components of the Essential 8 is multi-factor authentication, so that's the username, password and something you own. If you don't put that in place, it means that anybody can target whatever you're connecting to.
Speaker 1 (03:48):
And what's the consequence of being targeted?
Speaker 2 (03:52):
It can be fourfold. Reputational-wise, if people find out that you are not protecting their data, then your reputation goes out the window. It can be actually now a compliance and governance thing. Since the Cyber Security Act 2024, small business have got the same requirements as larger businesses, and that means that we have to have security in place. That makes it harder for the bad guys to get into. When it comes to losing data, things like phishing attacks, that type of thing allows someone to gain access to your device, and from there they can then use your device to target other people. So again, there's lots of things that can happen just by having a breach in your systems.
Speaker 1 (04:44):
And what about ransomware? Is that still a thing? You used to hear about that being quite common in some business circles.
Speaker 2 (04:51):
Yes, it's still a big problem. Ransomware can be two problems. One is it locks the computer, which means that you can't do anything, and I'll talk about that in a second. The other is it can lock your data itself, and prior to them locking the data, because in most cases ransomware will remain in the system, let's say, two or three weeks before they lock the data, and that gives them the opportunity to steal all the data off the system so they can on-sell it to brokers and everything else. Now, when it comes to locking down a computer, if you are a manufacturer, for instance, and you're making something, but you've got a computerized system that does cutting or bending or anything along those lines of an industrial level, and that system gets compromised, then your machine on your factory floor stops working. So you've got a twofold problem: data outside the internet, no work being able to be done in total.
Speaker 1 (05:53):
So that's a really interesting point, because often when we think about ransomware, it's about people not being able to get into their laptops or perhaps even their point of sale system or their customer database. But actually you're saying it can. It can grind your operations to a halt as well if you're a manufacturer. Yeah, it can.
Speaker 2 (06:09):
It can totally stop you manufacturing. In most cases, and when you're talking about a factory floor, the actual process within the organization will be, there'll be a CAD system or a system that does all the designing, which feeds information onto the factory floor, where the cutting and pasting and everything else is done. If those two get interrupted in any way, you're going to lose the business itself because you won't be able to produce the product that you normally produce, and the moment that happens, I can guarantee your competition is literally rubbing their hands together, going, thank you very much, because on top of that, it's going to take two to three weeks to get back to business as normal if you haven't taken an attack into account.
Speaker 1 (06:56):
So what do businesses need to be doing to be planning for it? There's obviously some preventative steps, but is planning for an attack a good idea?
Speaker 2 (07:07):
Yes, planning for an attack. We work on the principle it doesn't matter how much security you put around an organization, there is always the chance that something is going to happen. So you need an incident response plan in some way, one that's going to deliver a capability to your business so that, if something happens, you can literally pull out the incident response plan and go: this is what we have to do right now. This is where we've got to contain the attack. We've got to work out what happened. We've got to make sure that it's not spreading around the organisation. The moment you start putting that type of thing in place, then you are already in a better place because you've thought about it. When we're talking to our clients, we have what is called the what-if process: what happens if this happens? By doing that, you can end up with, let's say, 10 scenarios that will cover probably another 90 other scenarios, because you can pick and choose from those 10 that you've already thought about. If this happens, what are we going to do? How are we going to do it? Why do we react that way and how fast can we get back to business?
Speaker 1 (08:14):
Now, of course, over the last decade or so, we've seen businesses move from having all their data being stored on a server in their office or their workrooms and seeing data being put into the cloud. Are those systems inherently more secure and therefore more protected from ransomware or hacking attacks?
Speaker 2 (08:35):
Yes and no. Again, it goes back to that three-point protective strategy that you need to have in place: username, password and some sort of multi-factor authentication. When it comes to a terrestrial system, people have to target the people inside the organisation and then they have to be able to get into the system. Now, to do that is relatively complex, and especially if you're not using something like phishing or malware or that type of thing, it's a very complex process. When it comes to the cloud, this is one of the reasons why you need to have more security around the cloud. Most cloud environments have a security package that comes with them, so you can actually lock it down. It also means that the underlying structure or the infrastructure is always going to be managed by the people who are giving you the cloud. To be able to do so, part of the security components have already been taken care of, but when it comes to accessing that data, that's where you've got to be very aware of it, because, instead of being just one IP address on the internet, you are a domain name that you need to go to. So Xero, for instance: to get to Xero, you still need username, password and multi-factor authentication. But anybody on the planet with a connection to the internet can target that. If they don't know where you are, as a terrestrial system, it's a lot more secure, but it still has its vulnerabilities.
Speaker 1 (10:06):
And obviously not quite as convenient from a business cost point of view or an efficiency point of view.
Speaker 2 (10:12):
This is very true. But then again we are seeing a return to terrestrial systems. There's a large number of organisations that would rather have a terrestrial system with a decent firewall, with a VPN into that system, so they can actually control their systems. If something happens to the internet, then your system is going to break, whether that's your connection. And it's also a case of working out single points of failure. You don't want to have a single point like a single ISP connection. You need to have two of them, load balanced. One goes down, the other one takes over, and they have to be isolated. So Telstra and Optus or Telstra and AAPT, anything along those lines. It makes your business a lot more robust.
Speaker 1 (11:06):
So there's obviously some risks with the world being interconnected globally around the internet and indeed, I guess, in other ways. But at a practical level, do you think we're better off in the internet connected world than we were in the terrestrial world?
Speaker 2 (11:26):
Yes and no. Again, the convenience of having a cloud-based system is great because, as I said, you can be anywhere in the world and you can do whatever you need to do. Things like email, an accounting package, that you can be sitting on the beach in Bali being able to actually do your work.
Speaker 1 (11:46):
I wish. Yes, so do I.
Speaker 2 (11:49):
But if you think about it, the terrestrial system is still a viable product, and you've just got to work out what's best for the business is probably the best way of looking at it.
Speaker 1 (12:02):
Now there's plenty of businesses around Canberra, and indeed business people at home, will have increasing numbers of other devices that are attached to the internet, whether that's fridges, washing machines, dryers, televisions. Do businesses need to be concerned about the viability of those devices as well?
Speaker 2 (12:23):
Yes. We have what is called an asset management system. When it comes, and we're not talking about the valuable assets that you have, we're talking about the digital assets. So digital assets are your applications that you use, the people who use it. What is the role your CEO has in the business? What happens if he leaves? That type of thing as an asset is very important, that you know what those assets can do and why they do what they do. When you're talking about adding more assets to a system that really have no functionality in the business, then you need to address it properly. Internet of things, refrigerators that connect to the Wi-Fi, all of these things are really part of the way we manage an interconnection itself, and to do that, we need to be able to look at them and go: does it need to have access to data? And if it doesn't need access to data, put it on a different network so it can do whatever it needs to do, but there's no reason for it to have access to the real data that's available. In addition to that, if you look at the information that it needs to connect to it. So, going back to your fridge, if it needs to connect to an outside source, then you need to know what information is going backwards and forwards, so you need to have that understanding. The other thing about internet of things is most of them are small devices and they've been constructed so that they have minimal processing power. They do what they need to do, so they're a single function or a couple of functions, and there's usually very, very minimal security around them. So if you're putting those sort of devices onto your network, you're reducing the security of your network. So put it onto another network, it's on its own, it's doing its thing. If something needs to happen, it'll work.
Speaker 1 (14:35):
So for the non-technical listeners to this podcast, how does it work? You've got a fridge on a Wi-Fi network in an office. That office has got a bunch of laptops on it that is accessing cloud-based services. How can the fridge create a vulnerability that impacts the rest of the business?
Speaker 2 (14:49):
How can the fridge create a vulnerability that impacts the rest of the business? In my younger days, one of the main targets of the people who like to hack into things was printers, and printers are notoriously vulnerable for the simple fact that most people don't change their passwords. So you've already got a password problem, because you can look on the internet and get the default password for this printer and it'll tell you. Once I've got onto that printer, it's connected to the network. I can use the printer's capability to look at the rest of the network and work out what the next attack is. When it comes to the bad guys and just normal hackers, their process is to find a vulnerability they can leverage to get other vulnerabilities, and if you have an easy vulnerability from the start, then it makes it just a lot easier for them to get into. When it comes to Internet of Things, that's one of the reasons why I said keep it on a separate network. Something gets compromised, then the rest of the network of the Internet of Things, yes, you've got a problem with them, but they're not going to get onto the main network, and you're protecting your data and your systems and your business.
Speaker 1 (16:01):
It's a scary world out there. Oh yeah. So how did you get into all of this, Roger? How did Care Managed IT come about?
Speaker 2 (16:10):
Well, I've been in the IT industry since 1989. We had computers the size of this room and we had hard drives the size of Mini Minor wheels. It was just incredible. I've seen the changes. In 2014, I had the experience of being targeted, literally targeted, and that gave me the insight into thinking, well, if I can be targeted and I've been in the industry X amount of time, what is happening with people who haven't been in the industry, don't understand this stuff, that I don't understand what the bad guys are capable of. So that gave me the idea, and the conversation in 2018 literally turned Care into what it is. We literally sat down and said, what do we want to do? How do we want to help Canberra? This is the way we do it. We have a lot of standing arguments with our accountant, because there are things we want to do that we don't want to charge people for, so that becomes a problem. As you can understand, we're a business, but also our target market, which is small business and not for profit organisations. They need all the help they can get, and if we're not helping them, then there's a very good chance that they are going to be the next statistic in the race for the bottom.
Speaker 1 (17:44):
So how big is the business?
Speaker 2 (17:48):
We're not huge.
We're only five people at the moment. We are looking to expand significantly over the next 12 months. Last year was a bad year, not only for the actual, I suppose, the environment of what was happening in the world, but we had a lot of personal issues. We had cancer, we had deaths in the family, we had a few other things on both sides of the partners. So literally last year we stood back and went, OK, we'll just let it take away and do what it needs to be. This year we're going to go where everything's better. Let's go out and see what's going on.
Speaker 1 (18:30):
Excellent. Well, it's good that things have moved on and you're on the up, because it sounds like it was a challenging and difficult year last year.
Speaker 2 (18:38):
It was a frigging horrible year.
Speaker 1 (18:42):
So what's the plan? You're based here in Canberra. You're servicing Canberra customers. Do you go further afield and work in New South Wales as well?
Speaker 2 (18:49):
Yes, yeah, we're working. At the moment we're implementing an organisation in Temora, we've got clients down in Cooma, we've got clients in Batemans Bay, so we do, literally we work on 200 kilometres from Canberra. Anywhere in that space is fair game for us, but, as I said, we are not. We're not the most expensive, but we're not the cheapest either. We believe in implementing the Essential 8 as much as possible. Implementing the Essential 8 does require technology and capabilities that most small business balk at, and that's also something that we have to find a way of getting people to realize.
Speaker 1 (19:33):
This is a big problem and you need to do something about it. And is there a way of making it easy for a small business?
Speaker 2 (19:40):
You can implement the Essential 8 on your own. You don't need any help. It's just eight basic requirements that will reduce the chance of you being hacked, and just basically it's things like patch applications. Patch your operating systems. Reduce the number of administrators on your system. This includes cloud as well. So if you've got five or six administrators on your cloud account and they have no need to be there, reduce them as much as possible. Multi-factor authentication. There's two others that aren't part of the Essential 8 but are really basic things. One is use complex passwords, unique passwords, and make sure they're more than 12 characters long. And the other one is use an antivirus. Even in my space there's an argument that people reckon that antivirus is useless. But when we talk about antivirus, one of the reasons why we do what we do is if you've got an antivirus, it's going to catch 90% of the bad guys' stuff, because they're using old technology or capabilities which is designed by the antivirus to pick it up. So it'll catch it, put it in where it needs to be, and you're relatively safe. That other 10%, that's a problem, and that's why you need the Essential 8 in place. 12-digit passwords sound like a disaster for anyone with a slightly faulty memory.
Speaker 1 (21:18):
Do you advise, and Roger, you're putting your hand up there, and I think both of us in this room perhaps are not so good at the long passwords, but do you advise people to use a password keeper, perhaps Apple Keychain or something like that?
Speaker 2 (21:29):
Yeah, we recommend a password manager, but also one of the things that we do recommend is don't use passwords. Use a passphrase. Okay, Rubberducky21, for instance. Okay, you've already specified, you've already got a length of system, and if you really want to, it'll be rubber ducky 21 and maybe it's the bank ANZ. Okay, you've got a password, you can play around with it. You can do whatever you like, something that sticks in your mind as well, which means that you're never going to forget it, but you know roughly what you're going to do. Challenging to recall, though, for some people, but good advice, I think, nonetheless.
Speaker 1 (22:10):
Roger Smith from Care Managed IT, it's been great having you on the podcast today. Thank you so much for joining us. If we were going to just get you to offer us one last piece of advice for small business owners, what would that be?
Speaker 2 (22:25):
Cyber's not going to go away and, as we've seen, AI, we've got machine learning, we've got all this stuff coming through. Embrace it, but also protect yourself against it.
Speaker 1 (22:38):
Some good advice there. Roger, thank you so much for joining us here on the podcast. Thank you, Greg. Much appreciated, and just a reminder that this episode of the Canberra Business Podcast has been brought to you by the Canberra Business Chamber with the support of Care Super, an industry super fund with competitive fees and returns, exceptional service and a focus on real care. You can learn more at caresuper.com.au and don't forget to follow us on your favorite podcast platform for future episodes of the Canberra Business Podcast. Catch you next time.