May 4, 2025 • 22 mins
"Every six minutes, an Australian business is hacked. Is yours next?"
Roy Borekar, founder of Solution Tech and a 20-year cybersecurity veteran, shatters the dangerous myth that small businesses are too insignificant to attract hackers. In this eye-opening conversation with Greg Harford, Roy reveals why smaller operations are actually prime targets for cybercriminals who recognize these businesses lack the resources to properly defend themselves or recover from attacks.
Roy challenges the common assumption that cloud services automatically keep your data secure: "Just because it's in the cloud doesn't mean it's secure." In fact, cloud-based systems can sometimes make businesses more vulnerable by providing hackers with a 24/7 online target. Without proper protection, your business information becomes easier to access than when it was stored on physical servers.
The most practical advice? "Prepare your business like you know for sure you're going to get hacked tomorrow." This means not only implementing security measures but developing comprehensive incident response plans. Could your business survive being offline for three days? What's your strategy if ransomware locks up all your customer data?
Solution Tech offers free initial cybersecurity audits to help businesses identify vulnerabilities before hackers do. Visit solutiontech.com.au or stop by their Braddon office to learn how to protect your business in an environment where digital threats are no longer a matter of if, but when.
This episode is supported by CareSuper.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:10):
Hello and welcome to the Canberra Business Podcast.
I'm Greg Harford, your hostfrom the Canberra Business
Chamber, and today I'm joined byRoy Boracar from Solution Tech,
a Canberra-based cybersecurityfirm.
Roy, great to have you here.
Thanks for joining me.
Speaker 2 (00:23):
Yeah, thanks for having me.
Speaker 1 (00:24):
Now let's start at the beginning.
You've got a really interestingbackground, a 20-year career in
IT.
I guess things have changed alot over that time.
How did you get started intechnology?
Speaker 2 (00:37):
So technology I was always in technology since I was
18 years old, probably earlierthan that.
I was building computers backthen and that's how it sparked
my interest in IT and starteddoing courses and ended up doing
a master's degree incybersecurity in 2003, when
(00:57):
cyber wasn't a big thing.
But at that age and during that2003 and 2004, it just sparked
my interest and since then I'vealways been in cybersecurity.
It's only the last five, sixyears we're actually hearing the
cyber the buzzword quite a bit,but we've been doing it for 20
years.
Speaker 1 (01:16):
So you were ahead of the trend, perhaps, but what was
it back then that sparked yourinterest in it?
Speaker 2 (01:21):
Because I actually started my career as a little
bit of coding and the hardwareand software.
How do you talk to a hardwareusing a software?
That was the trend coming up 25years ago and that time I was
curious, saying, hey, ifsomebody can control and
hardware writing a piece of code, how would you protect yourself
(01:43):
?
That was my initial thought 25years ago nearly, and that's how
I got started.
Speaker 1 (01:48):
After that, so how long have you been in Canberra
and how did the business start?
Speaker 2 (01:54):
So I've been in Canberra for eight years.
So I actually started thebusiness in WA in 2015.
And we moved in Canberra abouteight years ago just expanding
in the government sector,looking at government work and
mostly cybersecurity work withinthe government itself, Because
we've been doing smallbusinesses since 2015.
Speaker 1 (02:15):
So here we are now 10 years later, in 2025.
What services are youdelivering?
Speaker 2 (02:21):
So we actually started as an IT managed service
, so it provider, so we're doingit support.
And then we added more featuresand functionalities and
services like cyber security,obviously, so we offer 24-hour
socks sock as a service.
We offer it support as aservice, as a managed service.
We, when we look at the smallbusiness, it's more like we're
(02:43):
looking after everything fromyour internet, your phones, your
backup, your email, yourhardware, so that you don't have
to ring up 10 different vendorsto have these services With us,
you just get it as a combineddeal all in one solution.
And, yeah, being cyber on topof everything, we look after all
aspects of cyber within the ITindustry on top of everything,
(03:06):
we look after all aspects ofcyber within the IT industry.
Speaker 1 (03:10):
Now you mentioned your SOC, which I think is your
24-7 security operations center.
That sounds quite high-tech andexciting.
Is this a giant room somewherewith walls that roll back to
reveal exciting displays andthings?
What does it actually look like?
How big is it and where is it?
Speaker 2 (03:25):
Yeah, so it pretty much looks like that, but we
shrink it down to two or threemonitors.
It used to be like seven or ten.
But technology has changed.
Before it was one dashboard forone service.
Now we can have combineddashboards, so you don't need
that many monitors and becausewe are still looking after small
businesses and the clientele isstill small, so we don't need
(03:47):
50 monitors, but we do haveabout four rows of monitors that
we look at all the dashboardand we're based in Braddon,
right in the middle of the cityin Canberra, okay, and you've
got a team on site literally24-7.
Yeah, correct.
So we have two teams, one in WA, one in ACT, so we share and
the time zone actually helps inour favor because there's a
three-hour or two-hour time gapduring the daylight saving.
(04:08):
So we work together with our WAand ACT team.
Speaker 1 (04:11):
So how big is your team overall?
Speaker 2 (04:13):
So we are currently eight of us total and we also
have a lot of contractors on thebooks, as we've needed when the
work goes up and down, so wecan hire them contractors as
well.
Speaker 1 (04:23):
So who are your customers?
Who are you targeting?
Is it small business or are youreally aiming to build into
that government space as well?
Speaker 2 (04:30):
So, as I said when I started the business 2015, we
were only doing small businessand we're still doing small
businesses as well, but, beingin Canberra, we're getting into
more government side as well.
So current business model is50% private sector and 50%
government sector, but from therevenue point of view it's 50-50
(04:51):
split, but from the number ofcustomer point of view we have a
lot more small businesses thanthe government agencies.
Speaker 1 (04:59):
Has it been easy to build and start the business?
Speaker 2 (05:03):
Not that easy.
Every business has itschallenges.
We went through a lot of up anddowns, but I followed the lean
model and I kept it only highwhen we need it and when there's
absolute need for it.
So every employee in thebusiness is pretty much doing
two jobs at the same time,because we are still a small
business but also considered asa start-up, so we really have
(05:26):
that start-up mindset as well.
Speaker 1 (05:28):
And a start-up sort of getting into government.
50% of your revenue now comingfrom government sources, that's
quite an achievement.
I mean, what lessons have youlearned along the way and how
did you manage to secure thatgovernment work?
Speaker 2 (05:45):
So government has a lot of challenges, one of the
biggest challenges being onthose panels.
So getting on those panels tobe able to apply for that tender
or that RFQ and securityclearance has been one of the
key challenges.
But it was worked out a littlebit in favour of us or in me is
(06:05):
because I do Army Reserve.
I'm a cyber officer within theArmy Reserve, so I already had
an NV1 clearance before even Istarted my company, so I was
slightly ahead of the curve andthat's how we managed to get our
first contract in Canberrawhile I was in WA, and the first
contract was 12 months.
So I moved here for 12 monthsjust to try it out.
And the first contract was 12months.
So we moved here for 12 monthsjust to try it out.
(06:26):
And then since then we neverleft.
Speaker 1 (06:29):
So a cyber officer within Army Reserve?
That sounds kind of interestingas well.
How does that work and how areyou fitting it in with you
running the business?
Speaker 2 (06:39):
Yeah, so it is time consuming.
Obviously it has a timecommitment.
Um, the being cyber officer isonly something we start.
The defense only startedrecently.
So I've been in defense as areservist for 15 years.
I was a sig.
I was doing it satellitecommunication, not so much cyber
.
So even within the defenseforce, cyber has just really
(07:00):
picked up in last four or fiveyears and that's our transition
from being a signaler to a cyberofficer.
Speaker 1 (07:07):
Excellent, and how big is that time commitment to
be in the reserves?
Speaker 2 (07:13):
It really depends on what role, what unit, you're in,
but it's a minimum commitment.
We're looking at anywherebetween 20 days a year as a bare
minimum, and then on top ofthat you have your courses and
activities and exercises thatyou have to do.
Speaker 1 (07:26):
So potentially that's quite challenging when you're
trying to run a business at thesame time.
How are you personally jugglingthose things?
Speaker 2 (07:32):
Yeah, it is challenging.
The time is the biggestcommitment and also, yes,
running a business, managingfamily on top and having two
young kids.
It does get challenging.
But the defence part is what Ido is for my passion.
That is more that sometimesit's like a hobby, you can call
it.
I do need something on the sideto take my mind off, and it's
(07:54):
stress relief or sort of thing,something slightly different.
But I ended up doing both side,on both sides anyway.
Speaker 1 (08:00):
Excellent.
Well, look, let's jump back toyour business, and I guess the
business has been going for adecade or so.
You're still in startup mode,but what lessons have you
learned along the way?
Speaker 2 (08:12):
Right.
Okay, a lot of the lessonsactually.
The first is never be toocomfortable with just because
you have one contract or onecustomer.
A lot of things changes in IT.
Where it could be a tender,could be a government regulation
, could be a cancellation ofyour contract.
That happens as well.
And the staff.
(08:32):
So over the five, six, sevenyears we had a lot of staff come
and go and obviously you can'tkeep every staff that you've
once started.
Luckily, we still have somestaff who have been with us for
two, three years.
But a lot of changes happen tostaff from customer point of
(08:53):
view as well.
Some customer decides to move,take a different route than we
originally discussed ororiginally agreed on.
And cash flow.
So cash flow in the business isprobably the key.
So you have to, between all ofthat up and down, you have to
make sure your cash flow isstrong.
Speaker 1 (09:12):
Cash flow is obviously king for any business.
Do you find your customers aregood payers?
Do they pay on time?
Speaker 2 (09:19):
Most of them.
Most of them they do, but mostof them are now on 30-day net
term.
Most of them they do, but mostof them are now on 30-day net
term.
So we can at least predict ourrevenue month by month.
Speaker 1 (09:30):
But we do have some ad hoc as well.
Yeah, and that's reallyimportant and in terms of your
people, I mean, you know,relatively small team still, but
it's certainly challenging toretain and indeed recruit here
in the Canberra market.
Have you got any tips or tricksfor keeping your people engaged
(09:51):
and then finding good new?
Speaker 2 (09:52):
engaged people as you need to.
Yes, absolutely so, multipleways.
I do this.
So initially, when we started,I was just putting an
advertisement on SEEK to find astaff.
But we changed that approach.
We hardly post on SEEK.
We do some occasion.
But what we've done is we've setup an agreement the University
of Canberra and otheruniversities and we get interns
from from their their courses,who's finished their master
(10:14):
degree, and we run thatinternship in-house.
And the selection process isvery tough within just to get to
the internship, because wedon't want every person coming
in.
We need to know yes, you'vedone the qualification, that's
your fundamental, but we alsoneed what else.
Have you done?
Have you done any industrycertification?
Have you worked anywhere?
All of that combined we thenhave that selection criteria.
(10:36):
We run them through aninternship, 12 weeks internship
program.
If they pass that internshipprogram and if you have a role
available, we offer that to them.
So instead of going via seek inthat route, we try to go with
this route because during theinternship we can then train
them the way that we wanted theproduct that we use, the
services we offer.
(10:56):
And now we actually hire threeuniversity staff from university
, students from University ofCanberra.
So that's one of the approach.
And the second is I'm heavy onindustry certification.
So the technology that we useonce you come on board as an
employee, we have a minimumstandard that you must complete
this certification during thisperiod 12 months or six month
(11:18):
period.
So that helps not just us butthe candidate itself, because
that person is actually doingupskilling his technical skill
and that is very crucial in ITand cyber industry.
So even if they decide to leavetwo months later or six months
or 12 months later, they haveactually been a better position
when before, when they startedwith us, because they got more
(11:39):
qualification, they got moreskill set and they're more
attractive to other companies aswell.
Speaker 1 (11:46):
So the internships are really interesting because I
talk to a lot of people who areinterested in using interns.
Often there's a bit of concern,maybe, about how much input is
going to be required, how muchmanagement commitment is
required to look after thoseinterns.
Does it?
Speaker 2 (12:02):
work well from your point of view.
Initially we had some ups anddowns because a lot of the time
commitment was on my part.
But because we've been doing itfor three years, we've set up a
process in place now where thefirst employee who came as an
internship program sort ofbecomes the team leader and now
he's passing on that knowledgeand he's managing those teams
(12:23):
and that way we can test ourprocesses to see if it's
actually working.
Speaker 1 (12:27):
So you've really systemised the internship
process and I guess that's a winfor your business, but it's
also a win for the students whoare coming through right because
they're getting that practicalexperience and potentially a
pathway into a role.
Speaker 2 (12:38):
Yes, that's correct.
Speaker 1 (12:39):
Fantastic, so you're providing managed IT services or
the full suite of IT services,but cybersecurity obviously is a
real passion for you.
Let's talk a little bit moreabout that.
What advice have you got forCanberra business people about
keeping their data safe, keepingtheir systems safe?
Speaker 2 (12:58):
A lot of the basics.
So we still see in the market alot of people are not doing the
basic stuff, the basic thinglike MFA for example.
A lot of people still don'thave MFA enabled on a lot of the
application they use.
Just because it's in clouddoesn't mean it's secure.
You still need to enable thatMFA function.
So some of the product theymight be using may have the MFA,
(13:21):
but the users have not takenthat extra step to go and enable
that MFA.
So that's one of the first ones, sorry.
Speaker 1 (13:29):
Mfa multi-factor authentication yes.
Speaker 2 (13:33):
And other simple things like passwords.
People are still using theirpet's name, their date of birth
and all of those usual suspectsand the other part is the backup
and the other part is thebackup.
So people don't think themisconception is I'm too small
or my business is too small.
Hackers are not interested inmy business.
(13:54):
But the reality is the smallerthe business, the bigger the
target you are, because hackershave figured it out very common.
This is a common theme.
If they go after a biggercompany, they will have their it
, they will have their cyber,they have the resources, money
to handle that situation.
Small businesses don't andthat's why they are the highest,
biggest target.
(14:15):
Because now in the industry, inthe hacker industry, there's
tools.
You can just go online and buyhacking tools and a 16 to 17
year old can sit in the bedroomand start, can hack you using
that free tool.
Yes, they're not assophisticated, but they're
learning.
They want to get into thathacking industry and you know
the unethical side of things andthat's you become target, easy
(14:37):
target for them.
So they may have spent 400 tobuy this tool and few hours of
learning it, how to hack it, andyour business might be small,
five users or 10 users and youhave not done those basic, you
become the first target Becausethey just go after the
low-hanging fruit as well.
Speaker 1 (14:54):
And the bad guys you reckon are often just teenagers
sitting in a bedroom.
We're not talking about theRussian mafia or anything like
that.
Both Both.
Speaker 2 (15:06):
So the hack has.
One is the sophisticated, wherethey're funded, well-funded,
and all of that.
They go after the bigger piece.
But then all of these, now therise of chat GPT, and there's
something called the evil twinof chat GPT is called the warm
GPT or the hack GPT.
All of those are actuallydesigning the codes for people
to go and hack these things.
So this is, yes, they are themafia, but they are all the
(15:28):
young kids that want to makequick money or you know
unethical way of having thequick buck.
So those sort of hackers areout there as well.
Speaker 1 (15:36):
It's a scary world, isn't?
Speaker 2 (15:37):
it really.
Speaker 1 (15:39):
You know, if you're a small business perhaps you're a
plumber or a hairdresser you'reusing cloud-based services to
book jobs, to invoice yourcustomers and so forth.
Is it not enough to assume thatyour cloud services are looking
after you and keeping your datasecure?
Speaker 2 (15:54):
I would say yes and no to that because, yes, most of
them are secure.
But again, going back to thatmulti-factor authentication, if
you haven't secured your onlineprovider with the MFA and have
the password protected orcomplex password, they can
easily hack into it.
So there are tools the passwordhacking tools that they can run
(16:15):
it and they can crack yourpassword in 15 minutes.
So what you've done is youactually made it a lot easier
for the hacker by using thatcloud service, because now they
don't have to attack your device, they just have to attack that
provider online, which is 24 7available.
All they have to do is crackyour password and mfa.
So you just actually made iteasier for them.
(16:35):
Before the traditional it waseverything was on premises, you
had, you were running serversand all that.
Yes, it was costly, but it wasin a way, it was slightly secure
than running in the cloud.
But the other side of that is,just because the data is sitting
there, what happens if thatcompany gets hacked?
Yes, they have the backup andall that in process.
They can recover it, restore itin maybe two days or three days
(16:57):
, but can you afford to beoffline for three days,
especially if you're a plumberor electrician or something.
If you can't invoice yourcustomer, you can't book any
jobs, you can't do any of theadmin stuff.
Can you still survive afterthat?
So all of that factor you needto be factoring when you're
thinking of cloud and alsoasking your cloud provider how
(17:17):
are you securing?
What are your measures?
Are you certified?
What cybersecuritycertification or the compliance
that you securing?
What are your measures?
Are you certified whatcertification?
Cybersecurity certification orthe compliance that you have?
And every industry has theirown cybersecurity compliance,
like we obviously heard,essential aid that applies to
everyone.
Then there's ISO standard.
Then legal industry has theirown, financial industry has
their own.
So at least you need to beaware of what industry you are
(17:40):
in and what cyber complianceapplies to your industry, so at
least you can have you'reprepared to ask those better
questions.
Speaker 1 (17:47):
And the bad guys who are out there.
What are they looking for?
Are they looking for your datato sell?
Are they looking to lock yourmachines up or your data up and
get a ransom out of you?
What's the most common sort ofthing that you're seeing?
Speaker 2 (18:02):
So both.
So first thing thing thatyou're seeing, so both.
So first thing, if you're abigger company and doing
anything sensitive, likeconfidential or medical or all
that, so they're after your databecause then they can sell that
data and make more money.
But if you're small, likeplumber, electrician and things
like that, they're just afterransom.
They want to lock you out ofyour system and say pay us a
quick ransom and then we'll giveyou the key.
But there's no guarantee, first, that they're going to give you
(18:24):
the key and, second, thatthey're not going to hack you
again.
And if you haven't learned fromthat experience, haven't
tightened your security, mostlikely you're going to be hacked
again.
So it's a bit of both.
Speaker 1 (18:36):
So we talked a little bit about some of the basics
making sure that you've gotbackups, that you've got your
password sorted, that you've gotmulti-factor authentication
turned on.
Are there other sort of keythings that you'd be advising
small businesses to be thinkingabout?
Speaker 2 (18:52):
Yes, absolutely.
So get an advice.
I would probably say, like weoffer free advice as well.
So get an audit to basically atleast get an audit where you
know where you stand, and thenthat audit will clearly say
you're missing these five things.
For example, if you implementthese, your chances of getting
(19:13):
hacked is a lot lower.
And also backup, as I mentioned,backup is good thing, but if
you never tested your backup,how do you know the backup is a
good thing?
But if you never tested yourbackup, how do you know the
backup is actually working andwhen you do need to restore from
a backup?
And if it fails and it hashappened to a lot of customers
before they never tested thebackup and when they try to
(19:33):
recover, there's nothing torecover because either the
backup is corrupt or the backupis old, or they didn't even know
the backup stopped all of asudden.
So those monitoring it's notjust once that you have
implemented this service and yes, I say I'm all good you need to
be constantly doing that andmonitoring those things and be
better prepared.
So what?
The way I like to say is prepareyour business um like as you
(19:59):
think that you're going to gethacked tomorrow.
You know for 100 sure you'regoing to get hacked tomorrow.
You know for 100% sure you'regoing to get hacked tomorrow.
And if this happens, what areyour chances and also what
processes and things you haveput in place to mitigate that.
So we call it incident responseplan.
So if X happened, how would yourecover?
What do you do?
If Y happens, how would you doit?
What's your strategy?
(20:19):
What's your backup and resourcestrategy and your business
continuity strategy?
How would you continue tobusiness?
Let's say, if you're offlinefor three days?
Speaker 1 (20:27):
Now there'll be people out there listening to
this who think, yes, I knowthat's right, but I'm just a
small business.
But your message is thatactually this can happen to you.
Speaker 2 (20:36):
This actually happens more to small businesses than
to the bigger business.
So, as the ASD and ACSE haspointed out, every seven minutes
and I think it's gone down toevery six minutes now that one
business is getting hacked.
So while we're sitting here,somebody's already probably got
hacked.
Speaker 1 (20:54):
That's a terrifying thought really and lots to think
about there, so it's great toknow you offer some free advice
and some auditing work.
How do people get in touch withyou through your website?
Speaker 2 (21:04):
Yeah, with our website, solutiontechcomau, or
just ring us our phone number,send us an email to support at
solutiontechcomau.
We're based in Cranborough.
We're based in Braddon, just inthe Midnight Hotel in
Commercial Floor, ground floor.
Come and see us.
It's a five star hotel.
To come have a coffee with us.
Speaker 1 (21:22):
Sounds good.
We'll take you up on that.
Lots to think about there, Roy.
Thanks so much for joining me.
Speaker 2 (21:27):
My pleasure.
Thanks for having me.
Speaker 1 (21:31):
Now I'm Greg Harford from the Canberra Business
Chamber and I've been talking toRoy Boracar from Solution Tech
solutiontechcomau.
And just a reminder that thisepisode of the Canberra Business
Podcast has been brought to youby the Business Chamber with
the support of Care Super, anindustry super fund with
competitive fees, returns, anexceptional service and a focus
on real care.
You can learn more atcaresupercomau and don't forget
to follow us on your favouritepodcast platform for future
(21:52):
episodes of the CanberraBusiness Podcast.
We'll catch you next time.
Hello and welcome to the Canberra Business Podcast.
I'm Greg Harford, your hostfrom the Canberra Business
Chamber, and today I'm joined byRoy Boracar from Solution Tech,
a Canberra-based cybersecurityfirm.
Roy, great to have you here.
Thanks for joining me.
Speaker 2 (00:23):
Yeah, thanks for having me.
Speaker 1 (00:24):
Now let's start at the beginning.
You've got a really interestingbackground, a 20-year career in
IT.
I guess things have changed alot over that time.
How did you get started intechnology?
Speaker 2 (00:37):
So technology I was always in technology since I was
18 years old, probably earlierthan that.
I was building computers backthen and that's how it sparked
my interest in IT and starteddoing courses and ended up doing
a master's degree incybersecurity in 2003, when
(00:57):
cyber wasn't a big thing.
But at that age and during that2003 and 2004, it just sparked
my interest and since then I'vealways been in cybersecurity.
It's only the last five, sixyears we're actually hearing the
cyber the buzzword quite a bit,but we've been doing it for 20
years.
Speaker 1 (01:16):
So you were ahead of the trend, perhaps, but what was
it back then that sparked yourinterest in it?
Speaker 2 (01:21):
Because I actually started my career as a little
bit of coding and the hardwareand software.
How do you talk to a hardwareusing a software?
That was the trend coming up 25years ago and that time I was
curious, saying, hey, ifsomebody can control and
hardware writing a piece of code, how would you protect yourself
(01:43):
?
That was my initial thought 25years ago nearly, and that's how
I got started.
Speaker 1 (01:48):
After that, so how long have you been in Canberra
and how did the business start?
Speaker 2 (01:54):
So I've been in Canberra for eight years.
So I actually started thebusiness in WA in 2015.
And we moved in Canberra abouteight years ago just expanding
in the government sector,looking at government work and
mostly cybersecurity work withinthe government itself, Because
we've been doing smallbusinesses since 2015.
Speaker 1 (02:15):
So here we are now 10 years later, in 2025.
What services are youdelivering?
Speaker 2 (02:21):
So we actually started as an IT managed service
, so it provider, so we're doingit support.
And then we added more featuresand functionalities and
services like cyber security,obviously, so we offer 24-hour
socks sock as a service.
We offer it support as aservice, as a managed service.
We, when we look at the smallbusiness, it's more like we're
(02:43):
looking after everything fromyour internet, your phones, your
backup, your email, yourhardware, so that you don't have
to ring up 10 different vendorsto have these services With us,
you just get it as a combineddeal all in one solution.
And, yeah, being cyber on topof everything, we look after all
aspects of cyber within the ITindustry on top of everything,
(03:06):
we look after all aspects ofcyber within the IT industry.
Speaker 1 (03:10):
Now you mentioned your SOC, which I think is your
24-7 security operations center.
That sounds quite high-tech andexciting.
Is this a giant room somewherewith walls that roll back to
reveal exciting displays andthings?
What does it actually look like?
How big is it and where is it?
Speaker 2 (03:25):
Yeah, so it pretty much looks like that, but we
shrink it down to two or threemonitors.
It used to be like seven or ten.
But technology has changed.
Before it was one dashboard forone service.
Now we can have combineddashboards, so you don't need
that many monitors and becausewe are still looking after small
businesses and the clientele isstill small, so we don't need
(03:47):
50 monitors, but we do haveabout four rows of monitors that
we look at all the dashboardand we're based in Braddon,
right in the middle of the cityin Canberra, okay, and you've
got a team on site literally24-7.
Yeah, correct.
So we have two teams, one in WA, one in ACT, so we share and
the time zone actually helps inour favor because there's a
three-hour or two-hour time gapduring the daylight saving.
(04:08):
So we work together with our WAand ACT team.
Speaker 1 (04:11):
So how big is your team overall?
Speaker 2 (04:13):
So we are currently eight of us total and we also
have a lot of contractors on thebooks, as we've needed when the
work goes up and down, so wecan hire them contractors as
well.
Speaker 1 (04:23):
So who are your customers?
Who are you targeting?
Is it small business or are youreally aiming to build into
that government space as well?
Speaker 2 (04:30):
So, as I said when I started the business 2015, we
were only doing small businessand we're still doing small
businesses as well, but, beingin Canberra, we're getting into
more government side as well.
So current business model is50% private sector and 50%
government sector, but from therevenue point of view it's 50-50
(04:51):
split, but from the number ofcustomer point of view we have a
lot more small businesses thanthe government agencies.
Speaker 1 (04:59):
Has it been easy to build and start the business?
Speaker 2 (05:03):
Not that easy.
Every business has itschallenges.
We went through a lot of up anddowns, but I followed the lean
model and I kept it only highwhen we need it and when there's
absolute need for it.
So every employee in thebusiness is pretty much doing
two jobs at the same time,because we are still a small
business but also considered asa start-up, so we really have
(05:26):
that start-up mindset as well.
Speaker 1 (05:28):
And a start-up sort of getting into government.
50% of your revenue now comingfrom government sources, that's
quite an achievement.
I mean, what lessons have youlearned along the way and how
did you manage to secure thatgovernment work?
Speaker 2 (05:45):
So government has a lot of challenges, one of the
biggest challenges being onthose panels.
So getting on those panels tobe able to apply for that tender
or that RFQ and securityclearance has been one of the
key challenges.
But it was worked out a littlebit in favour of us or in me is
(06:05):
because I do Army Reserve.
I'm a cyber officer within theArmy Reserve, so I already had
an NV1 clearance before even Istarted my company, so I was
slightly ahead of the curve andthat's how we managed to get our
first contract in Canberrawhile I was in WA, and the first
contract was 12 months.
So I moved here for 12 monthsjust to try it out.
And the first contract was 12months.
So we moved here for 12 monthsjust to try it out.
(06:26):
And then since then we neverleft.
Speaker 1 (06:29):
So a cyber officer within Army Reserve?
That sounds kind of interestingas well.
How does that work and how areyou fitting it in with you
running the business?
Speaker 2 (06:39):
Yeah, so it is time consuming.
Obviously it has a timecommitment.
Um, the being cyber officer isonly something we start.
The defense only startedrecently.
So I've been in defense as areservist for 15 years.
I was a sig.
I was doing it satellitecommunication, not so much cyber
.
So even within the defenseforce, cyber has just really
(07:00):
picked up in last four or fiveyears and that's our transition
from being a signaler to a cyberofficer.
Speaker 1 (07:07):
Excellent, and how big is that time commitment to
be in the reserves?
Speaker 2 (07:13):
It really depends on what role, what unit, you're in,
but it's a minimum commitment.
We're looking at anywherebetween 20 days a year as a bare
minimum, and then on top ofthat you have your courses and
activities and exercises thatyou have to do.
Speaker 1 (07:26):
So potentially that's quite challenging when you're
trying to run a business at thesame time.
How are you personally jugglingthose things?
Speaker 2 (07:32):
Yeah, it is challenging.
The time is the biggestcommitment and also, yes,
running a business, managingfamily on top and having two
young kids.
It does get challenging.
But the defence part is what Ido is for my passion.
That is more that sometimesit's like a hobby, you can call
it.
I do need something on the sideto take my mind off, and it's
(07:54):
stress relief or sort of thing,something slightly different.
But I ended up doing both side,on both sides anyway.
Speaker 1 (08:00):
Excellent.
Well, look, let's jump back toyour business, and I guess the
business has been going for adecade or so.
You're still in startup mode,but what lessons have you
learned along the way?
Speaker 2 (08:12):
Right.
Okay, a lot of the lessonsactually.
The first is never be toocomfortable with just because
you have one contract or onecustomer.
A lot of things changes in IT.
Where it could be a tender,could be a government regulation
, could be a cancellation ofyour contract.
That happens as well.
And the staff.
(08:32):
So over the five, six, sevenyears we had a lot of staff come
and go and obviously you can'tkeep every staff that you've
once started.
Luckily, we still have somestaff who have been with us for
two, three years.
But a lot of changes happen tostaff from customer point of
(08:53):
view as well.
Some customer decides to move,take a different route than we
originally discussed ororiginally agreed on.
And cash flow.
So cash flow in the business isprobably the key.
So you have to, between all ofthat up and down, you have to
make sure your cash flow isstrong.
Speaker 1 (09:12):
Cash flow is obviously king for any business.
Do you find your customers aregood payers?
Do they pay on time?
Speaker 2 (09:19):
Most of them.
Most of them they do, but mostof them are now on 30-day net
term.
Most of them they do, but mostof them are now on 30-day net
term.
So we can at least predict ourrevenue month by month.
Speaker 1 (09:30):
But we do have some ad hoc as well.
Yeah, and that's reallyimportant and in terms of your
people, I mean, you know,relatively small team still, but
it's certainly challenging toretain and indeed recruit here
in the Canberra market.
Have you got any tips or tricksfor keeping your people engaged
(09:51):
and then finding good new?
Speaker 2 (09:52):
engaged people as you need to.
Yes, absolutely so, multipleways.
I do this.
So initially, when we started,I was just putting an
advertisement on SEEK to find astaff.
But we changed that approach.
We hardly post on SEEK.
We do some occasion.
But what we've done is we've setup an agreement the University
of Canberra and otheruniversities and we get interns
from from their their courses,who's finished their master
(10:14):
degree, and we run thatinternship in-house.
And the selection process isvery tough within just to get to
the internship, because wedon't want every person coming
in.
We need to know yes, you'vedone the qualification, that's
your fundamental, but we alsoneed what else.
Have you done?
Have you done any industrycertification?
Have you worked anywhere?
All of that combined we thenhave that selection criteria.
(10:36):
We run them through aninternship, 12 weeks internship
program.
If they pass that internshipprogram and if you have a role
available, we offer that to them.
So instead of going via seek inthat route, we try to go with
this route because during theinternship we can then train
them the way that we wanted theproduct that we use, the
services we offer.
(10:56):
And now we actually hire threeuniversity staff from university
, students from University ofCanberra.
So that's one of the approach.
And the second is I'm heavy onindustry certification.
So the technology that we useonce you come on board as an
employee, we have a minimumstandard that you must complete
this certification during thisperiod 12 months or six month
(11:18):
period.
So that helps not just us butthe candidate itself, because
that person is actually doingupskilling his technical skill
and that is very crucial in ITand cyber industry.
So even if they decide to leavetwo months later or six months
or 12 months later, they haveactually been a better position
when before, when they startedwith us, because they got more
(11:39):
qualification, they got moreskill set and they're more
attractive to other companies aswell.
Speaker 1 (11:46):
So the internships are really interesting because I
talk to a lot of people who areinterested in using interns.
Often there's a bit of concern,maybe, about how much input is
going to be required, how muchmanagement commitment is
required to look after thoseinterns.
Does it?
Speaker 2 (12:02):
work well from your point of view.
Initially we had some ups anddowns because a lot of the time
commitment was on my part.
But because we've been doing itfor three years, we've set up a
process in place now where thefirst employee who came as an
internship program sort ofbecomes the team leader and now
he's passing on that knowledgeand he's managing those teams
(12:23):
and that way we can test ourprocesses to see if it's
actually working.
Speaker 1 (12:27):
So you've really systemised the internship
process and I guess that's a winfor your business, but it's
also a win for the students whoare coming through right because
they're getting that practicalexperience and potentially a
pathway into a role.
Speaker 2 (12:38):
Yes, that's correct.
Speaker 1 (12:39):
Fantastic, so you're providing managed IT services or
the full suite of IT services,but cybersecurity obviously is a
real passion for you.
Let's talk a little bit moreabout that.
What advice have you got forCanberra business people about
keeping their data safe, keepingtheir systems safe?
Speaker 2 (12:58):
A lot of the basics.
So we still see in the market alot of people are not doing the
basic stuff, the basic thinglike MFA for example.
A lot of people still don'thave MFA enabled on a lot of the
application they use.
Just because it's in clouddoesn't mean it's secure.
You still need to enable thatMFA function.
So some of the product theymight be using may have the MFA,
(13:21):
but the users have not takenthat extra step to go and enable
that MFA.
So that's one of the first ones, sorry.
Speaker 1 (13:29):
Mfa multi-factor authentication yes.
Speaker 2 (13:33):
And other simple things like passwords.
People are still using theirpet's name, their date of birth
and all of those usual suspectsand the other part is the backup
and the other part is thebackup.
So people don't think themisconception is I'm too small
or my business is too small.
Hackers are not interested inmy business.
(13:54):
But the reality is the smallerthe business, the bigger the
target you are, because hackershave figured it out very common.
This is a common theme.
If they go after a biggercompany, they will have their it
, they will have their cyber,they have the resources, money
to handle that situation.
Small businesses don't andthat's why they are the highest,
biggest target.
(14:15):
Because now in the industry, inthe hacker industry, there's
tools.
You can just go online and buyhacking tools and a 16 to 17
year old can sit in the bedroomand start, can hack you using
that free tool.
Yes, they're not assophisticated, but they're
learning.
They want to get into thathacking industry and you know
the unethical side of things andthat's you become target, easy
(14:37):
target for them.
So they may have spent 400 tobuy this tool and few hours of
learning it, how to hack it, andyour business might be small,
five users or 10 users and youhave not done those basic, you
become the first target Becausethey just go after the
low-hanging fruit as well.
Speaker 1 (14:54):
And the bad guys you reckon are often just teenagers
sitting in a bedroom.
We're not talking about theRussian mafia or anything like
that.
Both Both.
Speaker 2 (15:06):
So the hack has.
One is the sophisticated, wherethey're funded, well-funded,
and all of that.
They go after the bigger piece.
But then all of these, now therise of chat GPT, and there's
something called the evil twinof chat GPT is called the warm
GPT or the hack GPT.
All of those are actuallydesigning the codes for people
to go and hack these things.
So this is, yes, they are themafia, but they are all the
(15:28):
young kids that want to makequick money or you know
unethical way of having thequick buck.
So those sort of hackers areout there as well.
Speaker 1 (15:36):
It's a scary world, isn't?
Speaker 2 (15:37):
it really.
Speaker 1 (15:39):
You know, if you're a small business perhaps you're a
plumber or a hairdresser you'reusing cloud-based services to
book jobs, to invoice yourcustomers and so forth.
Is it not enough to assume thatyour cloud services are looking
after you and keeping your datasecure?
Speaker 2 (15:54):
I would say yes and no to that because, yes, most of
them are secure.
But again, going back to thatmulti-factor authentication, if
you haven't secured your onlineprovider with the MFA and have
the password protected orcomplex password, they can
easily hack into it.
So there are tools the passwordhacking tools that they can run
(16:15):
it and they can crack yourpassword in 15 minutes.
So what you've done is youactually made it a lot easier
for the hacker by using thatcloud service, because now they
don't have to attack your device, they just have to attack that
provider online, which is 24 7available.
All they have to do is crackyour password and mfa.
So you just actually made iteasier for them.
(16:35):
Before the traditional it waseverything was on premises, you
had, you were running serversand all that.
Yes, it was costly, but it wasin a way, it was slightly secure
than running in the cloud.
But the other side of that is,just because the data is sitting
there, what happens if thatcompany gets hacked?
Yes, they have the backup andall that in process.
They can recover it, restore itin maybe two days or three days
(16:57):
, but can you afford to beoffline for three days,
especially if you're a plumberor electrician or something.
If you can't invoice yourcustomer, you can't book any
jobs, you can't do any of theadmin stuff.
Can you still survive afterthat?
So all of that factor you needto be factoring when you're
thinking of cloud and alsoasking your cloud provider how
(17:17):
are you securing?
What are your measures?
Are you certified?
What cybersecuritycertification or the compliance
that you securing?
What are your measures?
Are you certified whatcertification?
Cybersecurity certification orthe compliance that you have?
And every industry has theirown cybersecurity compliance,
like we obviously heard,essential aid that applies to
everyone.
Then there's ISO standard.
Then legal industry has theirown, financial industry has
their own.
So at least you need to beaware of what industry you are
(17:40):
in and what cyber complianceapplies to your industry, so at
least you can have you'reprepared to ask those better
questions.
Speaker 1 (17:47):
And the bad guys who are out there.
What are they looking for?
Are they looking for your datato sell?
Are they looking to lock yourmachines up or your data up and
get a ransom out of you?
What's the most common sort ofthing that you're seeing?
Speaker 2 (18:02):
So both.
So first thing thing thatyou're seeing, so both.
So first thing, if you're abigger company and doing
anything sensitive, likeconfidential or medical or all
that, so they're after your databecause then they can sell that
data and make more money.
But if you're small, likeplumber, electrician and things
like that, they're just afterransom.
They want to lock you out ofyour system and say pay us a
quick ransom and then we'll giveyou the key.
But there's no guarantee, first, that they're going to give you
(18:24):
the key and, second, thatthey're not going to hack you
again.
And if you haven't learned fromthat experience, haven't
tightened your security, mostlikely you're going to be hacked
again.
So it's a bit of both.
Speaker 1 (18:36):
So we talked a little bit about some of the basics
making sure that you've gotbackups, that you've got your
password sorted, that you've gotmulti-factor authentication
turned on.
Are there other sort of keythings that you'd be advising
small businesses to be thinkingabout?
Speaker 2 (18:52):
Yes, absolutely.
So get an advice.
I would probably say, like weoffer free advice as well.
So get an audit to basically atleast get an audit where you
know where you stand, and thenthat audit will clearly say
you're missing these five things.
For example, if you implementthese, your chances of getting
(19:13):
hacked is a lot lower.
And also backup, as I mentioned,backup is good thing, but if
you never tested your backup,how do you know the backup is a
good thing?
But if you never tested yourbackup, how do you know the
backup is actually working andwhen you do need to restore from
a backup?
And if it fails and it hashappened to a lot of customers
before they never tested thebackup and when they try to
(19:33):
recover, there's nothing torecover because either the
backup is corrupt or the backupis old, or they didn't even know
the backup stopped all of asudden.
So those monitoring it's notjust once that you have
implemented this service and yes, I say I'm all good you need to
be constantly doing that andmonitoring those things and be
better prepared.
So what?
The way I like to say is prepareyour business um like as you
(19:59):
think that you're going to gethacked tomorrow.
You know for 100 sure you'regoing to get hacked tomorrow.
You know for 100% sure you'regoing to get hacked tomorrow.
And if this happens, what areyour chances and also what
processes and things you haveput in place to mitigate that.
So we call it incident responseplan.
So if X happened, how would yourecover?
What do you do?
If Y happens, how would you doit?
What's your strategy?
(20:19):
What's your backup and resourcestrategy and your business
continuity strategy?
How would you continue tobusiness?
Let's say, if you're offlinefor three days?
Speaker 1 (20:27):
Now there'll be people out there listening to
this who think, yes, I knowthat's right, but I'm just a
small business.
But your message is thatactually this can happen to you.
Speaker 2 (20:36):
This actually happens more to small businesses than
to the bigger business.
So, as the ASD and ACSE haspointed out, every seven minutes
and I think it's gone down toevery six minutes now that one
business is getting hacked.
So while we're sitting here,somebody's already probably got
hacked.
Speaker 1 (20:54):
That's a terrifying thought really and lots to think
about there, so it's great toknow you offer some free advice
and some auditing work.
How do people get in touch withyou through your website?
Speaker 2 (21:04):
Yeah, with our website, solutiontechcomau, or
just ring us our phone number,send us an email to support at
solutiontechcomau.
We're based in Cranborough.
We're based in Braddon, just inthe Midnight Hotel in
Commercial Floor, ground floor.
Come and see us.
It's a five star hotel.
To come have a coffee with us.
Speaker 1 (21:22):
Sounds good.
We'll take you up on that.
Lots to think about there, Roy.
Thanks so much for joining me.
Speaker 2 (21:27):
My pleasure.
Thanks for having me.
Speaker 1 (21:31):
Now I'm Greg Harford from the Canberra Business
Chamber and I've been talking toRoy Boracar from Solution Tech
solutiontechcomau.
And just a reminder that thisepisode of the Canberra Business
Podcast has been brought to youby the Business Chamber with
the support of Care Super, anindustry super fund with
competitive fees, returns, anexceptional service and a focus
on real care.
You can learn more atcaresupercomau and don't forget
to follow us on your favouritepodcast platform for future
(21:52):
episodes of the CanberraBusiness Podcast.
We'll catch you next time.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.