Get Cyber Resilient Ep 1 | Aussie cyber criminal rings, deep faked CEOs and PayID hack with Mitch Owens, CTO at Gilbert Tobin
Listen to Episode 1 of Get Cyber Resilient podcast about Aussie cyber-criminal rings, deep-faked CEOs, and PayID hack. Stay informed with the latest on cyber threats.
The Get Cyber Resilient Show, a podcast brought to you by Mimecast, is the perfect way to stay up-to-date with the latest cyber developments across Australia and New Zealand. Your hosts Gregor Jeffery and Garrett O'Hara will bring you insights and real stories from IT and Security Leaders, just like you.
Don’t get angry at downtime and data breaches, Get Cyber Resilient!
Listen to it on Spotify, Apple Podcasts, Anchor or just hit 'Play' above.
Show Notes:
In this episode, Gregor Jeffery and Garrett O'Hara discuss an Australian cyber-criminal ring targeting Superannuation accounts, scammers using deepfakes of CEO voices and the recent PayID hack that affected the big four banks. Garrett also interviews Mitch Owens, CTO at Gilbert + Tobin Lawyers.
The Get Cyber Resilient Show is brought to you by mimecast.com.
The Get Cyber Resilient Show Episode #1
Transcript
Gregor Jeffrey: [00:00:00] We all know it can be challenging to secure your business, especially when you have limited time. The Get Cyber Resilient Show brought to you by Mimecast, is the perfect way to stay up-to-date with the latest cyber developments across Australia, and New Zealand. Whether you're listening to this podcast, commuting, cycling, jogging, or walking the dog on the weekend, you'll hear real stories from IT, and security leaders just like you. Don't get angry at downtime and data breaches, get Cyber Resilient. I'm your host, Gregor Jeffrey, enterprise marketing manager at Mimecast, and I'm joined by my cohost, Garrett O’Hara, principal consultant at Mimecast, but you can call him Gar. Gar, how are you today?
[00:00:43] Garrett O’Hara: Yeah, I'm doing well Gregor, thanks. How are you?
[00:00:46] Yeah, going pretty well. Um, just wondering, we- every time we catch up, we seem to check out what socks each other has on, ‘cause we've always been wearing vendor socks. What vendors socks do you have on today?
[00:00:56] Garrett O’Hara: I am supporting the home team. I'm in these bad boys, the Mimecast [crosstalk 00:00:59].
[00:00:59] You've got Mimecast socks on. Well, I've got the Octa socks on.
[00:01:02] Garrett O’Hara: They're very pretty. [laughs].
[00:01:03] From our friends at Octa. Welcome to our first episode of the get cyber resilient show. Today we discuss several important security-related issues, including a cyber criminal gang, uh, targeting superannuation accounts in Australia. And also we look at deep fake AI generated CEO voices. Wow, sounds, sounds intriguing. We also speak with Mitch Owens, the CTO at law firm, Gilbert and Tobin.
[00:01:28] Okay, this months insecurity. So Gar, let's dive into this Australian-based cyber criminal ring that's targeting superannuation accounts.
[00:01:37] Garrett O’Hara: Yeah, this was kind of an interesting one. It's a Melbourne woman, she's only 21 years old, and she's up for 53 fraud offenses in total. So at this stage, they're looking at 1.73 mill that she's pulled from super and stockbroking funds, uh, but they reckon that the scams they have under investigation, they're probably gonna see something over 10 mill. So, it's a pretty significant, uh, amount of money that she's managed to, to get.
[00:02:00] Gee, and that- you know, that's people's nest eggs that they've been… yeah. [laughs].
[00:02:05] Garrett O’Hara: It's- [laughs] it certainly is. It's, uh, it- it's kinda shocking. They- it's, it's that lady, and then they're investigating five other people a- as well. So, it's the AFP and ACIC. Uh, all- that's under the guise of the serious financial crime, um, task force. But, um, yeah, look… it, it seems like what she's done is basically done identity makeovers. So, kind of done that thing where she's obviously found PII on people, and built a- these fraudulent identities and then created bank accounts for those people, and then pulled the funds overseas through, basically the jewelry markets, as a way to kind of launder the money out of Australia.
[00:02:41] Yeah.
[00:02:41] Garrett O’Hara: So, that's a significant amount of jewelry. A lot, a lot of Tiffany stuff and, uh, bracelets out there being bought by, by people who are doing cyber crime.
[00:02:50] Wow. That's a lot of… You'd look like Mr. T coming through the airport, potentially.
[00:02:55] Garrett O’Hara: Yeah. [laughs]. You certainly would, it's an easy way to spot the attackers these days if they're wearing lots of jewelry, hey.
[00:03:00] [laughs]. Uh, so, I guess superannuation accounts in Australia typically, we've not seen this kind of activity before. Wou- would that be fair?
[00:03:08] Garrett O’Hara: Yeah, I, I think it's definitely, uh, one of the things we're seeing. Um, in terms of cybersecurity attacks... finance is an obvious target. And when you think about the amount of funds that are sitting in super funds, stockbroking funds, that could sort of make sense actually, uh, as a target. Um, so I s- like I suspect given her success so far, um, we potentially will see more of this. I mean, the, the reality is that these- the firms that were involved, and they're some of the bigger names, they have added new cybersecurity measures. So, potentially this won't be as easy the next time around.
[00:03:40] Yes.
[00:03:41] Garrett O’Hara: But as you and [laughs] and I well know, it's a, a whack-a-mole.
[00:03:45] Yeah.
[00:03:45] Garrett O’Hara: So, you know, they might've had these new security measures added guaranteed somebody will figure out a new way, a new approach to do something similar potentially for larger s- larger amounts of money.
[00:03:55] Yeah.
[00:03:55] Garrett O’Hara: So yeah, so watch this space.
[00:03:57] And I guess typically superannuation funds, they're not always… they're not the first, uh, bunch of companies that you think of at the forefront of technology or cybersecurity technology, or am I wrong there? I, I guess my view, I've seen a lot of sort of superannuation funds, they've had their monthly newsletter that goes out. They've had this big bucket of money that they've, they've had to manage from various means. Uh, a number of them have been slow to introduce online, um, login, um, portals for their members. Uh, you know, they've traditionally done everything through the mail. Uh, you know, now they really have to, you know, get on that forefront of cybersecurity-
[00:04:35] Garrett O’Hara: Hmm.
[00:04:36] ... because they've, they've accrued such large balances, uh, of members’, uh, um, yeah, money that needs to be protected. Uh, it's sort of this sort of shadow… not quite shadow banking, but yeah, it's a whole different part of the financial service industry.
[00:04:49] Garrett O’Hara: I, I think it's, it's not just super. Um, if you look at some of the backend systems in many of the financial organizations, they're running on old school ma- school mainframes. Um, they've got a huge amount of technical debt. And when it comes time to upgrade that or update that, quite often the short term amount of money that would have to be spent to get that to a point where the average CSO today would feel okay [laughs] about all the systems, it's a huge amount of money. Um, there's a massive amount of technical debt that exists in, I would say, a lot of these companies. Um, not just Super, but, you know, the, the big four banks had a lot of the same issues-
[00:05:22] Yeah.
[00:05:22] Garrett O’Hara: … running on those, um, those legacy systems. I mean, you see it often, uh, when you go to renew your driver's license, or if you get a sneak peek at this screen behind the teller, uh, they're sitting on a Mac. But actually when you look at the screen, what's on the screen is this old school tech space interface.
[00:05:38] Mm-hmm [affirmative].
[00:05:38] Garrett O’Hara: Um, I was in a fairly large health fund organization only yesterday-
[00:05:41] Yeah.
[00:05:41] Garrett O’Hara: … doing something and, um, the guy said, “Yeah, look, I can print you a letter to, to state what I was looking for.” And I could see [laughs] the screen, and it honestly looked like something from the ‘80s. So, you know, you can imagine how much of that exists out there.
[00:05:55] Yeah.
[00:05:55] Garrett O’Hara: And, um, they're kind of issues that are ‘causes... Like Equinox was the perfect example, you know?
[00:05:59] Yeah.
[00:05:59] Garrett O’Hara: Everyone kinda had a go. Uh, and I'm not saying that there [laughs] wasn't fault the- there, but if you look at the, the systems that were in place, a lot of organizations out there would have very similar frameworks in place, and would be probably susceptible to those same threats. Because the tentacles of those legacy systems are sitting there, the cost of the business to undo them, um, and kind of retrofit modern approaches, it's just too big quite often.
[00:06:25] Hmm.
[00:06:25] Garrett O’Hara: So instead of that, they kick it down the road, and then you see stuff like this happen.
[00:06:28] Yeah. Certainly my car insurance company, every time I call them up, they apologize ‘cause their computers are running so slow.
[00:06:35] Garrett O’Hara: Mm-hmm [affirmative].
[00:06:36] Uh, I thought five years ago, uh, five years later, that would still not be the case, but it seems to be.
[00:06:41] Garrett O’Hara: It- it's that, and the unusually high volume of calls that they're-
[00:06:44] Oh, yes.
[00:06:44] Garrett O’Hara: … always experiencing.
[00:06:46] [laughs].
[00:06:46] Garrett O’Hara: It's quite bizarre. Yeah.
[00:06:47] At least, um, my call may be used for, for training purposes.
[00:06:52] Garrett O’Hara: Mm-hmm [affirmative].
[00:06:52] That's always helpful.
[00:06:53] Garrett O’Hara: And you know what they might do? They might actually record your voice.
[00:06:56] Ah, they may. Speaking of, of voices being [laughs] recorded, uh, we've got a story around deep fake AI, um, being used to generate a CEOs voice.
[00:07:08] Garrett O’Hara: Yeah.
[00:07:08] Um, and, u- used against them.
[00:07:09] Garrett O’Hara: I love this story. The- this just… it tickles my fancy, uh, in, in so many ways. So, this is a CEO out of a UK energy company, and he got a “phone call” from his boss. Um, and that was a, a guy who worked out of a German, uh, parent company for them, but it wasn't really the, uh, the boss, it was actually a deep fake of the, uh, that person's voice. So, they had used AI and kinda pieced together the, um, the ability to do this kind of fake phone call into the CEO and managed to get a substantial amount of money transferred into, first of all, a Hungarian supplier and then onto Mexico. And, um, so the reason I love this story is ‘cause it probably points to [laughs] where things are gonna go.
[00:07:54] Mm-hmm [affirmative].
[00:07:55] Garrett O’Hara: Um, you know, you think about deep faking of voices, and I think there was a Joe Rogan deep fake happened some time ago, and-
[00:08:00] Yeah. So, te- tell me what exactly is a deep fake-
[00:08:03] Garrett O’Hara: Yeah.
[00:08:04] … for the listeners out there.
[00:08:05] Garrett O’Hara: It's, it's the, the situation where you can record, uh, parts of somebody's voice. And if you think of the average senior exec, they're probably out speaking at events. Uh, there's a tendency towards them being in some way, public these days. So, it's not hard to go and grab their voices from public forums. You know, you go to YouTube, and you'll probably find that person's voice somewhere.
[00:08:26] And then deep faking is using AI to then essentially create a simulated version of them, but you can feed that voice anything. So, you can make the, in this case the, the, um, the boss in that German parent company, say whatever you want them to say. So, if you don't have good processes in place from a security perspective, you can make a phone call and say, “Hey, we need this money transferred to this su- supplier.” And then essentially it's social engineering [laughs] but a fairly high, high level, and advanced version of social engineering, but it's sort of the same thing. Um, scary technology, and we'll probably get to the point where you'll see that in deep faking of videos as well.
[00:09:02] Yes.
[00:09:02] Garrett O’Hara: Um, ‘cause that's probably where the, the average person will go as well. Once I see them on a VC screen, cool. Like, I know it's, I know it's Gregor, but what, [laughs] what happens when we get to the point where there's enough video out there of Gregor-
[00:09:13] Yeah.
[00:09:14] Garrett O’Hara: … that we can piece together a perfect version of you having this conversation with me and I as a human, don't necessarily even realize that it's, it's not you.
[00:09:23] Yeah.
[00:09:24] Garrett O’Hara: It's actually a, a fraudster.
[00:09:25] Se- seems to be a great unknown for, for us in the future. Uh, certainly, I think from a video perspective, they only need, um between sort of 30 to… 30 minutes to 60 minutes to have… yeah, to be able to do seamless deep fakes.
[00:09:40] Garrett O’Hara: Hmm.
[00:09:41] Um, and I think the- there was a Chinese app on the app store that, uh… similar to the, uh, the f- one of the face swap apps that was out recently, uh, and that only needed 10 seconds of video, uh, of, of yourself and then you could superimpose your s- your face onto, you know, the latest, uh, video clip of a- of your favorite pop star, and so on. Uh, so they, you know, they're forecasting within the next sort of 12 to 36 months that, that deep fake video will be imperceptible to real video.
[00:10:10] Garrett O’Hara: Hmm.
[00:10:11] Uh, so, you know, we get into this notion of what is real and [laughs] what's not, especially when you're communicating over these digital mediums.
[00:10:17] Garrett O’Hara: Yup, 100%. And, and, you know, I know we chatted about this, uh, previously, but one of the things that it says to me is that, uh, I, I suppose there, there needs to still be some reliance on the notion of people, process, and technology, and that seems really old school. Uh, we've got a lot of good tech out there. Um, we've got a lot of good people out there, but there is this notion of process being really important. And in this case, this is something where potentially a process that was in place, where a phone call isn't enough, but there is some other verif- you know, verifying process or a thing that needs to happen before a transfer of that size-
[00:10:50] Yup.
[00:10:50] Garrett O’Hara: … actually, uh, takes place.
[00:10:52] Wow. Is, is blood the next, um, mechanism for two f- [laughs] two-factor authentication?
[00:10:58] Garrett O’Hara: I, I really hope not. Um, I'm okay with maybe thumbprints and, and iris scanning, but I, I-
[00:11:03] Yeah.
[00:11:03] Garrett O’Hara: … don't have to have my finger pricked.
[00:11:04] You know, just pluck, pluck a hair out of your head.
[00:11:06] Garrett O’Hara: Yeah. Who knows? We'll all be walking around bald because we're-
[00:11:09] [laughs].
[00:11:09] Garrett O’Hara: … we're authenticating.
[00:11:11] You've only got so many authentication keys-
[00:11:14] Garrett O’Hara: Yeah. [laughs].
[00:11:14] … in your lifetime.
[00:11:15] Garrett O’Hara: Yeah.
[00:11:15] Uh, okay. Up next, uh, we've seen a hack on the PayID, uh, system within Australia.
[00:11:21] Garrett O’Hara: We have, yeah. This is the, uh, the Myki system. Um, uh, sorry, the, the PayID system, um, where they… Yeah, there was a leak of the phone numbers, the BSBs and the account numbers for, I think it was about 10,000 customers for the big four banks. So, you know, if you're with any of the big four banks, you could have been part of this, although you would have been notified.
[00:11:42] Um, look, to, to me, this points to really an issue that we have these days in terms of the, the storage of data that seems to be innocuous in and of itself. So something like a phone number you think, “Yeah, is that really a big deal?” It becomes a big deal if it's gonna be used for something like a PayID bank transfer. So, um, if you think about the, the data that you might store with lots of other platforms, so not just your banking, but other places, that on its own is fine. So, an example that's very obvious is in like Facebook where people include their date of birth.
[00:12:14] Yeah.
[00:12:15] Garrett O’Hara: People do that on LinkedIn and actually make that public. How often is your date of birth one of the verifying pieces of information that's asked for, when you call up to prove that you're Gregor?
[00:12:24] Yeah.
[00:12:24] Garrett O’Hara: All the time, right? Uh, likewise with your, you know, your pets name, the city you grew up in, that's all getting stored on, on platforms. In this case, there's a fairly, you know, structured format and database, but where you'll see this pop up is you seeing other attacks. And, um, look, one of the examples, it's sort of peripherally related, only in terms of that it's a social engineering attack.
[00:12:46] I mean, this PayID when they were sending, uh, phishing SMSs to look for further information, but, um, you might've heard the sextortion emails that went around a little while ago? Where they were using the treasure trove of call it, you know, owned credentials that are out there, from your previous breaches that have happened around the world. And they would include one of your old passwords to prove that they really had a webcam that was-
[00:13:10] Yes.
[00:13:10] Garrett O’Hara: … turned on and, you know, might've seen you do something that the rest of the world isn't… um, that you might not want the rest of the world [laughs] to, to kind of know about. Um, perfect blackmail, perfect social engineering. It's a similar kind of thing. So with this SMS, if they, um, they have that, uh, the phone number, that information, and they can use that information to then say, “Look, we already know this piece of information around you, that sort of proves that we are filling the blank for your bank. Now tell us, you know, your PIN number, reset your password, whatever it might be.” And, and away they go. Um, to me, look, it points to a bunch of different things. It points to the, the requirements, uh, for good regulation- uh, regulatory, um, le- legislation to be in place-
[00:13:53] Yes.
[00:13:53] Garrett O’Hara: … to, to kinda push for secure storage and maintenance of this stuff. I think it points to how important, even innocuous data can be, uh, in terms of it being stored and then potentially used by attackers down the line. And I'll be honest and, and Gregor, you know me, I'm not huge in terms of trust when it comes to [laughs] third party platforms. Um, one of the things I would like to see is that, you know, our Australian citizens and, and to New Zealand and people in this region just being a little bit less trusting of… and it sounds horrible, but of everything.
[00:14:23] So, if they get an SMS that they, they double-check that. Um, if there is an issue, they, they call the phone number for their bank that's on the bank's website. They don't take the one that's in an SMS message that they always refer back to call it the source of truth, which in this day and age is, is generally the bank, the company, the platform's website, and use that as their way to talk to an account representative to figure out the problem with the bank directly, not clicking on a link within an SMS, or doing anything that's ever asked of you within an email, for example, or within an SMS.
[00:14:55] Yes. Look, it's, it's very challenging for those who aren't that technically adept to do those double spot… those spot checks, um, and always, yeah, know which number to call and to revert to. You know, it is that changing behavior, um, broadly across the whole community.
[00:15:14] Garrett O’Hara: 100%.
[00:15:15] Um, it's, it's great. I guess, you know, for companies, you know, we can have in place different things to help with that so- sort of security training. Whereas for the, yeah, the normal mum and dad, um, it's, it's, it's a real challenge, and, you know, also what their kids clicking on-
[00:15:31] Garrett O’Hara: Hmm.
[00:15:31] … and just, um, you know, calling straight through to.
[00:15:33] Garrett O’Hara: 100%, yup. Uh, my parents worry me. Like my dad books a lot of travel online and I'm just waiting for that phone call, you know, that, that horrible phone call, which is like, "Yeah, our credit cards are smashed and some..." you know, these horrible things have happened because he's, whatever, he's in his 70s now.
[00:15:48] Yup.
[00:15:49] Garrett O’Hara: And he's not what we would call a digital native-
[00:15:51] Yes.
[00:15:51] Garrett O’Hara: … but he uses the internet to do-
[00:15:53] Yeah.
[00:15:53] Garrett O’Hara: … this stuff of life, which is what many people do these days. So, um, yeah, that's, that's always been my worry, is just the wider population and the, the, the fairly easy social engineering that can happen to have horrible results.
[00:16:04] Yes. Okay. Next up we have a story around, um, Victoria's, uh, Department of Transport. They actually, um, they breached the data privacy laws. Now, they thought they were doing this, um, the right way. Uh, the, the, the data that they shared had been, um, anonymized, uh, and they shared it with the Department of Premier and Cabinet, uh, who were running a- like a hackathon, but for data, uh, so a datathon. Uh, and as part of this, the dataset that there was given across, which was, um, Myki travel records for, uh, 15 million travelers, uh, it actually breached our data laws. So, tell me more about that, Gar.
[00:16:43] Garrett O’Hara: Yeah, sort of an interesting one to me for so many different reasons where… The, the notion of datasets being useful for things like research is valid, in my opinion. So, the, the notion that you, for example, have demographic information, something that might come from a census, for example, and then use that as a way to analyze trends in terms of what happens to plus 40s in terms of, uh, diseases or, you know, things that can happen in anyone's life, really useful. Um, but the issue is when you get those datasets that are “de-identified,” quite often what you can do is identify them by correlating them with something else that isn't part of that dataset.
[00:17:23] In this example, uh, some of the researchers actually were able to use a tweet from one of the, uh, the MPs. His name is Anthony Carbines. And, um, they used that as a way to de-identify the data, cross correlate that with this kind of, you know, like I say “de-identified” dataset from Myki, and basically identify that data set. They also talk about being able to look at co-travelers, because they'll tap on at the same time, tap off, et cetera. So, you know, the- the notion of de-identified datasets can be really, really useful for researchers for lots of very valid reasons. And then the danger lies in the bit where you can take that- that sort of secondary piece of information or event and use that as a way to pull an identified, uh, dataset or set of data about a person or people from that, from that set of records.
[00:18:12] The other example of this is the… it's fairly famous where in London, the black cab data, so the GPS data from the black cabs over in London. Similar thing. It was like, “Hey, let's like make this publicly available. It's a really interesting data set. Let's see what people can come up with from, from this as a dataset.” So, you're looking at things like, uh, where are cabs most often traveling, very similar to this, um, Myki travel. Um, you know, you can imagine that it's useful in terms of maybe investing in new trains or, you know, those kind of broader high level, uh, discussions and decisions.
[00:18:43] Um, so with the GPS data in the UK, what some clever person did was look at a paparazzi shot with a black cab in it with the registration plate clearly visible as a celebrity got into this cab from a nightclub in, you know, somewhere in London Stringfellows, [laughs] or wherever people go these days, I don't know, it's been awhile for me. Um, but now all of a sudden you've got this GPS data, you've got a photo of a black cab with this person-
[00:19:08] Yes.
[00:19:08] Garrett O’Hara: … and you've got the registration plate, and away you go. Now this person can use that GPS data to figure out where that celebrity lives. That to me is pretty scary.
[00:19:17] Yeah, it's very scary. It seems to me we don't need many pieces of data, uh, to identify someone or what they're doing. Uh, you know, it may be only two or three items that were, uh, needed. Is that right?
[00:19:30] Garrett O’Hara: Yeah, definitely. And, and it's probably less than people think quite often. You know, you think, um, you, you think you're reasonably anonymous out there, but often people will have stuff like their date of birth for example, on, [laughs] on things like Facebook or LinkedIn. Like what do people use when you, you phone up for, uh, validation, it tends to be your date of birth, right?
[00:19:49] Yeah.
[00:19:49] Garrett O’Hara: I mentioned that before.
[00:19:50] Yup.
[00:19:50] Garrett O’Hara: Um, it- it's that stuff. So, you know, you take this dataset, you take a, uh, in this case, a tweet from the MP, or you take a photo from a paparazzi and away you go. You probably know that, um, banks can use things like your keystrokes to basically map a signature-
[00:20:09] Yes.
[00:20:09] Garrett O’Hara: … to who you are. So Gregor types at a certain speed. And when he goes from a G to an I, there's a certain gap in between that quite often accidentally hits the O as well, because it's right beside the I on the keyboard, and all of a sudden we've got a essentially like a biometric signature from you based on your typing. So, you can take something like that, and then correlate it with something else and then use that for, uh, yeah, tracking or de-identifying data.
[00:20:31] Okay. Uh, uh, some of these, you know, advanced AI, you know, cybersecurity platforms, are they, you know, amalgamating some of those data inputs into when they're seeing anom- anomalies on networks?
[00:20:42] Garrett O’Hara: Um, you, you'll certainly see, I think AI play more and more of a role in this type of stuff. Um, they can detect things that humans can't. Um, and that… like the keystroke example is a perfect one. Like realistically, if I sat down and watch you type, I'm never gonna be able to take you out of the picture and then see the keys being tapped and kinda go, “That's Gregor, that's how Gregor types.” But if you introduce, uh, machine learning into that situation, all of a sudden that's where you can build that picture and use that as a way to kinda, to figure out the kind of the, the identifying signatures of somebody's like, a human like Gregor.
[00:21:15] Okay. I, I do see a future for cybersecurity, um, dogs potentially in this identific- identification, um, realm. Uh, being able to validate who the users are indeed on different ends, uh, of the line because they… everyone has a unique smell, uh, and dogs, you know-
[00:21:32] Garrett O’Hara: Right.
[00:21:32] … or a heartbeat, uh, they could, could potentially be used. You know, we do have dogs used in the force already.
[00:21:38] Garrett O’Hara: Why not? Is- So, one woof is good, two woof's bad?
[00:21:40] I think so.
[00:21:40] [laughing].
[00:21:40] Garrett O’Hara: How does that work?
[00:21:40] I think so. Uh, yeah. Type in the passcode or the puppy gets it. Yeah.
[00:21:47] Garrett O’Hara: Wow, that's a really sinister idea. [laughs].
[00:21:50] Uh, i- look, in terms of, you know, these, uh, de-identified datasets, you know, for a hackathon example, you know, there are a lot of, um, datasets out there on the internet, uh, for, for use for, you know, people to just have a play around in Tableau or, uh, different, uh, you know, mass data platforms. Um, you know, is it actually a good idea for some of these companies, especially, you know, uh, state organizations to be supplying these data sets? Uh, is- you know, [laughs] is it a good idea to do that or not?
[00:22:23] Garrett O’Hara: Uh, look, it's, it's probably a personal opinion. Um, I think it's useful for society in so many ways that I think once it's controlled, and if there is a good job done of the kind of, uh, anonymizing of data, and funny enough, they can use things like ML to do that as well. So, there's a force for good and machine learning, uh, sorry, AI. Um, so you can, you can do that. And look, my, my personal take would be that the benefits to society for making those data sets available sometimes is kind of outweighs the potential privacy issues, but it comes back to like good practice.
[00:22:56] Yeah.
[00:22:56] Garrett O’Hara: Um, and you know, being tied in terms of controlling the data-
[00:22:59] Yeah.
[00:22:59] Garrett O’Hara: … and being smart about could it be de-identified?
[00:23:02] Yeah.
[00:23:02] Garrett O’Hara: You know, asking those cynical questions. If an MP tweet- you know, tweets his location [laughs], can we then use that to figure out his travel, um, using the Myki data-
[00:23:10] Yeah.
[00:23:10] Garrett O’Hara: … in this example?
[00:23:11] So, what should have the, um, department of transport done in this scenario? Um, you know, in terms of is there… should have they just not shared this data at all for this, uh, datathon? Uh, is there a way to de-anonymize the data to a greater extent. So, you've only… perhaps you're using a sample size of only 5% of that data rather than the complete travel records. So, you just got this little sample size, uh, or you're still running into some of the, some of the cha- same challenges there.
[00:23:37] Garrett O’Hara: Like- So, I'm, I'm gonna say I'm not a data scientist [laughs], so this is, uh, me kinda guessing in many ways, but I, I suspect what would happen is that the value of the data may veer away from useful-
[00:23:49] Yup.
[00:23:49] Garrett O’Hara: … if you kinda go too far along the lines of kind of, uh, uh, anonymizing or, or de-identifying it. Um, I believe there are some good algorithms out there to do that and to do a good job of it. So, it probably comes down to the quality of, uh, the data scientists that are working to de-identify the, the information.
[00:24:10] Mimecast is a cybersecurity provider that helps thousands of organizations worldwide make email safer, restore trust, and bolster cyber resilience. Mimecast CloudSuite enables organizations to implement a comprehensive cyber resilience strategy. From email and web security, archive and data protection, to awareness training, uptime assurance and more. Mimecast helps organizations stand strong in the face of cyber-attacks, human error, and technical failure.
[00:24:38] Go to mimecast.com/demo to book a personal demonstration with one of our team members today, and you'll find out why more than 30,000 companies rely on Mimecast for cyber resilience.
[00:24:51] Next up we've got Mitch Owens from Gilbert and Tobin, um, chatting with Gar around, um, what it's like to be a CTO for a law firm.
[00:24:59] Garrett O’Hara: So Mitch, uh, lovely to see you today, and thanks for, for having us in to, to have a chat. Um, can we start with just kind of covering off what your kind of role is here at Gilbert and Tobin?
[00:25:09]Mitch Owens: [00:25:09] Yeah. So, here at Gilbert and Tobin I'm, uh, the Chief Technology Officer, so basically responsible for all of technology. Um, the way the structure of, uh, the leadership team works here is, I report in to the COO. So, I've ov- overall responsibility for technology, we don't have a CIO. Um, and then sort of under me, you know, you've got your standard sort of technology op- technology operations areas like, you know, service desk, uh, security, you know, infrastructure, training, application support.
[00:25:36] Garrett O’Hara: Yup. So, kind of everything?
[00:25:38] Yup.
[00:25:38] Garrett O’Hara: Yeah, good times.
[00:25:39] All in sundry.
[00:25:40] Garrett O’Hara: Yeah. And, and sort of how long have you been specialized, um, in cybersecurity when looking at [inaudible 00:25:45]?
[00:25:46] Uh, look, i- it's- That's an interesting question, that one. So, I think you mean, uh, everyone's a generalist when it comes to cybersecurity if you work in technology these days. Uh, I've sort of been in technology as an industry, um, all my life pretty much, at 25 years. Uh, sort of coming into this role and taking out of the CTO role, uh, over the last, uh, three to four years. Um, there's been a big focus on, uh, on cyber. Um, and that's a, a number of reasons. Um, obviously with the law firm, you know, you're, you're holding a lot of data, um, and also being responsible for that. So, you've got to change how you, you approach stuff. So, no longer is it any more just about systems and defenses-
[00:26:26] Garrett O’Hara: Mm-hmm [affirmative].
[00:26:26] ... it's about people as well. So.
[00:26:27] Garrett O’Hara: Hmm. So, and with 25 years in the game, I'm guessing you've seen a lot of changes over that time?
[00:26:33] Yeah. Look, I'll tell you the big change, um, uh, I see is around how people use technology. So, they want more of a consumerized sort of a feed of technology.
[00:26:43] Garrett O’Hara: Yeah.
[00:26:43] So, previously, you know, organizations I've worked for where it's, you know, all banks, you got your desktop, everything's locked down, you can't do anything. There's an image and now it's, you know, people on laptops, you know, mobile phones, iPads. They want to be able to consume their data, whether it be a work device or a personal device, and how do you separate that sort of stuff. So yeah, there- there has been a, a big change in how people consume technology. And I think that's driven a lot to the technology advancements in cyber.
[00:27:06] Garrett O’Hara: Yeah, definitely. Um, and do you see there's a bit of a tension sometimes when we talk to people between that kind of, uh, people's expectations to bring their own devices, spin up their own applications, you know, functional areas within a business, kind of going off and doing their own thing?
[00:27:19] Yeah, look, I, I think that is a challenge, I think, but the, the, the view I take that if, if I become a roadblock to people wanting to consume technology in different ways, um, it's, it's kind of like… You know, a lot of hired people avoid, you know, bringing technology into that discussion. So, I'm sort of fairly open from that perspective, I like to sort of work with people and say, “All right well, what, what do you want to do? Let us help you provide a solution.” Um, and that's the approach we take here.
[00:27:45] Garrett O’Hara: Yup. And I'm, I'm guessing that wins you some, uh, some friends in the business if you're looking [inaudible 00:27:49] roadblock?
[00:27:48] Uh, yeah, look, look it is. I mean like, you know, sort of some of the products that I've used, you know what I mean? We sort of been the first consumers of those products in Australia or Asia, uh, at the time, you know what I mean?
[00:28:01] Garrett O’Hara: Hmm.
[00:28:01] ‘Cause I've seen them, I think they're really good-
[00:28:02] Garrett O’Hara: Yup.
[00:28:03] And let's have a go at them.
[00:28:04] Garrett O’Hara: Yup.
[00:28:04] You know, the way you, uh, buy technology now is no longer, are you locked into three-year agreements you know, per person, per month type of thing.
[00:28:12] Garrett O’Hara: Yeah.
[00:28:12] So it makes it very easy to try and fail.
[00:28:15] Garrett O’Hara: Yeah, absolutely. Do you, do you kind of feel that maybe raises the game for the vendors given that you can walk away fairly easy? Especially with the SAS type models, do you feel like they've upped their game to kind of win your business every year?
[00:28:25] Yeah. So the- there's been a massive change in probably, you know, the account executive sort of pace around that, they now try to partner with you more than just bring pure sales.
[00:28:33] Garrett O’Hara: Yeah.
[00:28:34] Uh, you get lot more access into the technology people behind the scenes, which is where we really need to be because you've got a SAS offering, we've got another SAS offering, we need them to talk together.
[00:28:44] Garrett O’Hara: Yup.
[00:28:44] SO, we, we really need products to talk to each other, as opposed to it's all in house when you're building around solutions.
[00:28:50] Garrett O’Hara: Yeah, I understand.
[00:28:51] But yes, we've seen a lot of change there.
[00:28:52] Garrett O’Hara: So, you raise an interesting point ‘cause a the integration and the idea of that security fabrics, reference architecture, you know, whatever kind of term you want to use, we're definitely seeing in the last three… no, 12 to 18 months-
[00:29:04] Yeah.
[00:29:04] Garrett O’Hara: … more and more, uh, organizations are looking at that as a way to help lift their kind of security posture. Do you guys have a program in place to, to kinda integrate point solutions from a security perspective?
[00:29:13] Yeah, look, we do. So, do you know mean like what we, you know, ultimately, you know, everyone in the back has to go to the same platform. You know what I mean? Anything we bring in now that's got any sort of user behavior app, it has a sort of log in, a log in to that. Um, you know, all our other platforms around security a- awareness and there's a thousand out there now.
[00:29:30] Garrett O’Hara: Mm-hmm [affirmative].
[00:29:30] Um, but you know, we, we sort of always make sure that when we're bringing something in, it's working with our existing state. We don't want to rip it all to pieces.
[00:29:37] Garrett O’Hara: Yup.
[00:29:37] Um, and there is a big focus on those integration points, uh, whether it just be SAP or just general technology consumption.
[00:29:42] Garrett O’Hara: Yup. Definitely get that. So for you, do you… would you see kind of cybersecurity as being a more critical issue for your business compared to others?
[00:29:51] Uh, all of… I think any business that doesn't have cyber probably in the top one or two priorities either in their technology team, or as a business as a whole is probably looking at the wrong things. Uh, definitely G&T i- it is a very big thing that we focus on, and we focus on it for a couple of reasons. Um, we work with a lot of clients that are in regulated environments-
[00:30:12] Garrett O’Hara: Yup.
[00:30:12] … so therefore, you know, when they entrust us with their data, we have to make sure that we are maintaining it and protecting it to their data standards. So, that means sort of we're lifting ourselves up from just being like a law firm, you know, it's almost like mini bank security.
[00:30:27] Garrett O’Hara: Yup.
[00:30:27] Um, yeah, so that sort of has the big folks. And also now that we are a law firm, we work in a lot of, you know, corporate matters. There's a lo- lot of market-sensitive material and, and then, you know, it's been recognized for many years that, uh, law firms are a critical part of the supply chain, when it becomes, um, working with these, with these clients, you've got to protect your data and like, you know, it's the old d- you know, data is the new oil.
[00:30:52] Garrett O’Hara: Yeah. [laughs].
[00:30:52] Uh, do you know what I mean? That's where it's going.
[00:30:54] Garrett O’Hara: Yup. Yeah, I definitely hear that all the time. So, in, in terms of practical, um, approaches, uh, what, what are you doing differently now given the kind of regulatory and compliance pressures that are increasing?
[00:31:05] Oh, look, I think it's, it's, it's meant everyone's got to step up their game.
[00:31:08] Garrett O’Hara: Yup.
[00:31:08] Uh, and do you know what I mean? As a law firm, I've been on a, on a path, uh, to sort of improving our sort of environment for a long time. So in the six years I've been here, and definitely the last four, um, and I think all law firms are doing that, I think everyone's doing that generally. Um, but to become, uh, more, uh… So, when a client gives us data, they're comfortable that yeah, we are applying the controls around it that they would do in their own business. So, we sort of become an extension of their business, as opposed to they've got a bit of a risk when they sending us something out the door, if you know what I mean.
[00:31:44] Garrett O’Hara: Yeah. I definitely get that on the other side of that ‘cause we, we hear supply chain fraud-
[00:31:49] Yeah.
[00:31:49] Garrett O’Hara: … and, and, and, you know, the, the notion of, uh, your reliance on the people that you work with and partner with.
[00:31:54] Yup.
[00:31:54] Garrett O’Hara: Uh, is that something that keeps you awake at night? Um [crosstalk 00:31:57].
[00:31:56] Uh…
[00:31:57] Garrett O’Hara: How do you deal with that?
[00:31:58] Yeah, look, do you know what I mean? I- it always easy. You can… you, you, you're only as good as your weakest link.
[00:32:04] Garrett O’Hara: Yup.
[00:32:04] You know what I mean? So, and, you know, from a, from a technology perspective, um, we spend a lot of time, you know, securing defenses and making sure data is, you know, protected on devices, where it is and who's using it. Um, do you know what mean? There's always, and every business has got it, there's insider threat, you know what I mean?
[00:32:20] Garrett O’Hara: Yup.
[00:32:20] That's probably the thing that, um, keeps me sort of awake at night. You know, the insider th- threat is probably one. And then obviously you know there's some other stuff around the state sponsored type of stuff, especially if you're working in market-sensitive information-
[00:32:32] Garrett O’Hara: Hmm.
[00:32:32] … why go to the bank, when you can go to the law firm, uh, to, to get that sort of information. So, these sort of things sort of keep me up at night, and I work sort of heavily with my team and, you know, sort of the, the securities teams at some of our clients as well, to make sure that we're meeting their obligations.
[00:32:48] Garrett O’Hara: Yup. Yeah [inaudible 00:32:49]. Um, in, in terms of the kind of what your employees direct reports, I suppose, and then in the wider organization, how do you, how do you see them and how do they kind of fair with, call it cyber awareness, or the security awareness and, and, you know… Where are they at?
[00:33:03] Uh, uh, look the… i- it is everyone's responsibility for security awareness in a business these days. Do you know what I mean? We as a business run mandatory annual, uh, cyber awareness training-
[00:33:13] Garrett O’Hara: Yup.
[00:33:13] … or security awareness training, covering not just, you know, technology cyber, but also physical.
[00:33:18] Garrett O’Hara: Yup.
[00:33:18] Um, and we sort of run a lot of testing, uh, throughout the year as well. Um, whether it be penetration testing, you know, monthly, annually and things like that. Uh, and then we also do ongoing, uh, regular security awareness training with users on a monthly basis as well, just to, to give them snippets to keep at the forefront of their minds. Um, you know, and that's sort of been quite well received with sort of, uh, you know, we get a lot of users now, uh, who are rising staff because they think, "Ah, it is something that's a little bit funky that I need to sort of escalate." You know, a, a lot of the times it's a false positive-
[00:33:51] Garrett O’Hara: Yup.
[00:33:51] … but we appreciate that now thinking about it.
[00:33:53] Garrett O’Hara: Yup. Yeah. With false positives, one of the things we hear quite a lot is, uh, security team SOC analysts spend a lot of time chasing smoke.
[00:34:05] Yeah. Yeah.
[00:34:05] Garrett O’Hara: You know, there's nothing really there. Um, is that a problem for you guys? What do you… what are your thoughts on [crosstalk 00:34:10]?
[00:34:10] Uh, yeah, look, do you know what I mean? I- it is. Like, uh, I think there are, you know, definitely a lot of false positives around, um, this sort of part of the technology world.
[00:34:18] Garrett O’Hara: Mm-hmm [affirmative].
[00:34:18] Um, by it- it's a focus area, uh, for our business. Um, purely because if you sort of dismiss the false positives and say everything's a false positive, I'm not going to randomly check is only going to be one positive positive, you know, breach or whatever to get through. And as a business, your reputation's gone so…
[00:34:37] Garrett O’Hara: Yeah.
[00:34:37] Although false positives might be seen to be burning resources, time and money, they're there for a reason. Uh, so whether that's be training, the, uh, training the staff or training the, the SOC analyst to, to be aware of what's happening and they can probably process it a bit q- quicker.
[00:34:53] Garrett O’Hara: Yup.
[00:34:53] Um, but then they can recognize, you know, the actual threats a lot faster because they sort of have been on these sort of training paths around the false positive. So, I'll look at it that way.
[00:35:02] Garrett O’Hara: Yup. Yeah. Understood. Um, with your employees, just to kind of circle back onto the user awareness and the education part of things, um, do you, do you do anything different that you could sort of compare to other organizations in terms of the education? Um-
[00:35:16] Yeah, look, so, you know, we've recently launched this fantastic product called Ataata Security Awareness Training.
[00:35:22] Garrett O’Hara: Okay.
[00:35:22] Um, and it… look, it's been really well received, because cybersecurity training by nature is pretty boring.
[00:35:31] Garrett O’Hara: I guess, yeah.
[00:35:32] Everyone gets bored of it. And, and the thing we sort of found with, with some of these training models, you know, they're very [inaudible 00:35:37].
[00:35:37] Garrett O’Hara: Yup.
[00:35:38] … so you know, they, they, they sort of make it little bit of a joke a- about the topic, but it, it gets people thinking, and they go, “Oh, actually I enjoy watching these videos and they're quite funny.” But, uh, just the way it's being delivered, so do you know what I mean? That's a result of, you know… The- I think we've been running for about five months now. Uh, and slightly uplifting, you know, people's performance and how they're sort of recognizing sort of some threats, whether they be false positives or not, has improved sort of, you know, dramatically. So…
[00:36:06] Garrett O’Hara: Yeah, that's great to hear. Whe- where do you go about getting information? Obviously, you've got a fairly complex job and one of the things you hear in this industry is that there is an avalanche of information every day.
[00:36:16] Yes.
[00:36:17] Garrett O’Hara: There's, there's so much stuff happening in this industry, it's probably… must be one of the fastest moving in the world.
[00:36:21] Yup.
[00:36:21] Garrett O’Hara: Uh, where do you go to, to figure out what's important?
[00:36:24] Uh, look, I read a lot of, you know, specific newsletters, um, that, um, sort of delivered my inbox each day, and also to just pick up topics I like. Uh, I speak to a lot of people as well. So, you know, within, within legal, there's a good fraternity of legal CIOs and we sort of communicate, you know, a couple of times a week actually even just on emails about-
[00:36:45] Garrett O’Hara: Yup.
[00:36:45] … certain things. And you know, over, over the weekend, actually there was one around the sexploitation scam.
[00:36:52] Garrett O’Hara: Right.
[00:36:52] On Monday morning there's an email sort of in inbox and everyone's going, “All right, what happened here? Have you been hit with it? What are you doing?” And things like that. So, we sort of, you know, keep each other on- up to date on sort of what's happening within our thing. So, you know, it sort of helps them, uh, as well. I also, I've got a couple of trusted vendors that I use, um, and integrators as well that, you know, I spend a lot of time sort of talking to and sort of, you know, going back to, you know, as you said, the security fabric and things like that. So, asking questions about, “All right, if we wanna go down this path, how does that kind of sort of fit in here?”
[00:37:21] Garrett O’Hara: Yup.
[00:37:22] So, you know what I mean? You've got to… You can't do everything in house these days ‘cause there's so much. Um, so you've got gotta sort of rely on some trusted people to sort of get you down that path. And, you know, that's not something you just gonna pick up the phone or speak to a vendor and say, “Hey, give us something,” and it fixes it. You've sort of got to go down there, you know, get in the trenches with them and, and do a bit of stuff for them, and you get the value out of it.
[00:37:43] Garrett O’Hara: Yup. Do, do you feel like it's become more, uh, collaborative over the last 25 years and, and sort of more… I mean, I kind of think back and it fe- it felt to me that businesses are often siloed, and they didn't-
[00:37:55] Yeah.
[00:37:55] Garrett O’Hara: … communicate about this stuff and security wasn't even a thing really. Do you feel like you almost have to have your approach where you've got peers in other organizations? And-
[00:38:03] Yeah, I think, I think so. Like, so probably, you know, early on, um, it was very much like that. So, if something happens in the business, it was very quiet.
[00:38:11] Garrett O’Hara: Hmm.
[00:38:11] Um, and do you mean? Nothing got published or, you know, you didn't make any awareness, of it because you didn't want that sort of negative connotation. Uh, like even the communication we're having now and sort of some of the stuff we talk about, it's not that there's something happening malicious within the business, but hey-
[00:38:26] Garrett O’Hara: Hmm.
[00:38:27] … it's a bit of spam or phishing or-
[00:38:28] Garrett O’Hara: Yeah.
[00:38:29] … you know, just a bulk email type, uh, uh, threat. And, you know, we sort of share that sort of information, sort of as a group just to, you know, keep everyone aware of it. You know, then we can sort of work together with some of our vendors and say, "All right well, this happened, we're sort of all using, uh, vendor I. What can we do to protect ourselves sort of next time?" So it, it is quite, uh, good in that perspective because then you sort of get volume in numbers, if- if you know what I mean.
[00:38:53] Garrett O’Hara: I get you. Yeah.
[00:38:53] So, there is that collaboration around that. Um, and you know, like… And for example, you know, we've seen a, a couple of, uh, you know, big breaches in 2018 with, you know, Wannacry and-
[00:39:05] Garrett O’Hara: True.
[00:39:05] [inaudible 00:39:06] and that sort of stuff. Um, but you know, how people sort of have been together when that sort of happened, you know-
[00:39:10] Garrett O’Hara: Mm-hmm [affirmative].
[00:39:11] There was someone hitting us like, "All right, can we help you, what do you need?”
[00:39:14] Garrett O’Hara: Yeah.
[00:39:14] And you know, people sort of just actually try to help other businesses sort of recover and to learn from something too. Although, that worked quite well.
[00:39:20] Garrett O’Hara: Yup. And, and it's sort of related to that, but then the notion of when things go wrong, I'll be keen to get your thoughts on whether they… the perception of when things go wrong, I think there used to be a little bit of finger-pointing-
[00:39:32] Yeah.
[00:39:32] Garrett O’Hara: ... I mean you know, “Oh look at them, they messed up.”
[00:39:33] Yeah.
[00:39:34] Garrett O’Hara: I feel like that's starting to change-
[00:39:36] Yeah.
[00:39:36] Garrett O’Hara: … where I think we all kind of realize it could be any of us.
[00:39:39] Very much so. And look, I mean, there are that many attack vectors these days. And, you know, just doing the simple things right, you know, should do, do a level of protection to a point for you. Um, but you know, you, you are correct, when things go wrong where it used to be, “Uh, yeah, yeah.” But now look, everyone guys, “All right, what's happening over there? Are we protected over here?”
[00:40:00] Garrett O’Hara: Yup.
[00:40:01] You know, you sort of… it's constant vigilance then and you're sort of upping the game, and, you know, that sort of stuff. And you know, you don't wanna be, you don't wanna be the front page of a newspaper if something happened to you here, no one does.
[00:40:11] Garrett O’Hara: Yeah.
[00:40:11] So, there's no, uh, finger pointing, I don't think, any more because you know, it's… the threats are real.
[00:40:16] Garrett O’Hara: Yup. Yeah. Understood. And, and do you guys do cyber insurance? Or what, what are your thoughts on that? ‘Cause I know sort of there's some pros and cons there.
[00:40:24] Yeah, look, I think, um, so yeah, as a firm we do have cyber insurance policies. Um, we've been very lucky today that we've never had to claim on on touch wood. Um, but they're there for a reason, right? So, you know, in the event that there is a cyber attack, um, the cost to recover and investigate that can be significant.
[00:40:44] Garrett O’Hara: Yup.
[00:40:44] Um, you know, whether it be reputational damage to the business, whether it's actually just recovering the technology, um, to an operational point a- and all that sort of stuff. So, that's sort of the reason that we have that, and most business would have that as well. Um, and once again, it is an insurance policy. So, do you mean... to, to sort of maintain that insurance policy, you, you just can't walk down the street and get it.
[00:41:03] Garrett O’Hara: Yup.
[00:41:03] You know, you've got to actually have a level of, you know, um, security and, you know, process and, and, and people around it to sort of say, “All right, well you're an acceptable risk to give you an insurance policy.”
[00:41:16] Garrett O’Hara: Yup.
[00:41:17] So, the fact that you get it means you're doing something anyway, because yeah, if you were real risk, the insurance policy, doesn't matter how much they're gonna, um, charge you for it, if you get hit with it, it's gonna cost them 10 fold. So they, they're not gonna be giving them out to everyone, it's not like a comprehensive car insurance policy.
[00:41:33] Garrett O’Hara: Yeah. Kind of apply online.
[00:41:34] Yeah, yeah.
[00:41:34] Garrett O’Hara: There's a little bit more to it than that. Um, in terms of the, uh, the, the cyber insurance, do you see that showing up in contracts and, and becoming a requirement from- for the organizations that you're working with?
[00:41:45] Um, I haven't, I haven't seen that in, in the pieces that I sort of get involved with around, um, panel tenders and things like that.
[00:41:52] Garrett O’Hara: Hmm.
[00:41:53] Um, but what I'm increasingly seeing is from an organizational per- perspective is that they're wanting, you know, uh, certifications, you know, ISO27001, ISMS, SSAE SOC2, and things like that. So I think, you know, at the moment, I think eventually it will become a standard that you gotta have cyber insurance. I think that at the moment now, um, the clients are trying to sort of push on you a certification, ‘cause then they know if you've got the certification, it's externally audited on an annual basis, you're running a level of, you know, uh, process, procedure and platform, um, to protect your data. So that, I think that's the first sort of step of that, but I can definitely see it down the track.
[00:42:31] Garrett O’Hara: Yup. And, and what conferences do you go to?
[00:42:35] Uh-
[00:42:36] Garrett O’Hara: And then probably a second part of that question, why, why do you choose those particular conferences?
[00:42:39] Yeah, so I've just come back from one. In August I went to ILTA con, uh, in, it was in Florida this year, so that's the International Legal Technology Association Conference. Um, that's like, it's Disneyland, um-
[00:42:54] Garrett O’Hara: Yup.
[00:42:54] … for, you know, legal tech people. Um, and funny enough it was at Disneyland in Florida.
[00:42:58] Garrett O’Hara: Right. Good, good times. [laughs].
[00:43:00] Good times. But yeah, so I go to that. Uh, I've been to that for the last… uh, this year and last year, um, but I put that on my agenda to go annually as well. ‘Cause you pick up a lot, it's just around user, it's around education, it's around networking with your peers, it's around looking at new products coming out from vendors.
[00:43:16] Garrett O’Hara: Hmm.
[00:43:16] And just general discussions around, uh, everything and anything. Whether it be se- security, just generally legal technology, a- and, uh, other stuff. Um, I also try to get the Law Tech, uh, every year, which is an Australian one. Um, uh, I supposed to go to the RQ, um, that's currently one of mine but I can't get there, uh, this year. Um, and in general, um, a lot of our vendors will run specific sort of, uh… whether it be product updates, or things like that. So, um, I'll get to those ones that are I think, uh, you know, fitting.
[00:43:46] So, like I, I have probably five or six core products in my cyber arsenal, as I call it, and I'll make sure that our arm across them, you know. And I'm v- I'm very into the detail of that sort of, uh, stuff. Probably more so than the normal CIO, or CTO. I sort of know how they operate, what they do and how they, how they work for them, because it is such a big piece of what my team have to do and be, and be responsible for.
[00:44:10] Garrett O’Hara: Yup. Yup. And what are your objectives so this financial year?
[00:44:15] Um, so look, do you mean, eh, this, this year we've, we've been a big purchase in general at [inaudible 00:44:23]. I ran change, so we changed a lot of the backend platforms the, you know, technology users use. And so this year for me is all around user adoption. So, you know, just sort of betting down, um, sort of some of the platforms we've got, getting users using them better. Um, though there is some other stuff we're, we're looking around certifications, around ISO, ourselves. Um, and you know, just having a look at, um… probably trying to sort of do a little bit more around, um, data and data security, uh, and data analytics a- as well.
[00:44:54] So, and with respect to the data security, it's, you know, making it accessible but still being secure, and how do we do that? And you know, ownership of data where it is. And if you know, someone loans in organization, making sure that that's all captured. So you mean it's, it's control but accessed.
[00:45:09] Garrett O’Hara: So, Mitch, if you had a magic wand, uh, or even a genie, uh, what's the, the one wish you'd make for cyber security?
[00:45:17] Uh, look, I sort of mentioned earlier probably about data being the new oil. And for me it's all around, uh, security of data. Uh, one thing I would love to be able to do is what I call [TomBOM 00:45:28] data.
[00:45:30] Garrett O’Hara: Nice.
[00:45:30] ... given your email there, it goes here, it goes there, right? And it's, it's in the right hands at the right time, but for some reason you need to sort of, uh, revoke access to that. So, you know, as a digital rights management, you know, and I call it a digital rights management off network.
[00:45:43] Garrett O’Hara: Yap.
[00:45:44] SO, do you know what I mean? He's going to client your expiry date bank? They can't open it, and they can't do anything with it. Um, I think, you know, that would be what I'd call the panacea or utopia-
[00:45:55] Garrett O’Hara: Yap.
[00:45:55] That'd be- that'd make life a lot easier for everyone because… Do you know what I mean? If data got into the wrong hands, you could sort of force that mechanism, and so you're back to where you need to be.
[00:46:04] Garrett O’Hara: Yup. And do you feel that cyber security is seen differently these days by kind of ex CO's, exec leadership teams?
[00:46:12] Yeah, look, I definitely do. So there's a lot of focus, uh, within a lot of organizations and specifically ours, um, from the board level.
[00:46:19] Garrett O’Hara: Yeah.
[00:46:20] Uh, ‘cause now, you know, with changes of, you know, director liability and things like that, with running a business, uh, they're personally liable. Do you what I mean? Um, and cyber is a significant threat to, uh, a lot of businesses, uh, so therefore they've got to push down, you know, protections from them from the board level on that sort of executive leadership.
[00:46:40] So, you know, where it was probably, uh, hard to tr- try and get some of these sort of stuff through maybe even five years ago, uh, now that if you've got a business case and it's valid and, you know, it's there to protect the business, uh, it gets, you know, pretty good board oversight. So, so…
[00:46:54] Garrett O’Hara: Right. So, you feel like it's made your planning easier? You've got a louder voice in-
[00:46:58] Oh, very, very much so. Do you mean like may- Like with everything you do, there's always room for improvement with everything. Um, but you know, with this sort of stuff that we talked about around cyber specifically, um, you know, just the general protection to the firm, you know, and sometimes, you know, and it's not where I really want to be, but you've got to put something in- a control implies that actually limits someone's, um, ability to be able to do something how they previously did it. Uh, so it changes process and how people function. Um, so previously where the process of people function might have won over because it was too intrusive. Now it's, "Oh, well you're just gonna have to get used to the new way of working."
[00:47:33] Garrett O’Hara: Yup. Yeah, the risk is too high.
[00:47:35] Yeah.
[00:47:35] Garrett O’Hara: Um, is there one important thing that as a cyber security leader that you do every day, something that you could share?
[00:47:42] Um, yeah, look, I think it's awareness and visibility. So, just sort of knowing what's going on. So, you know, I speak to my security team a lot. Um, I speak to my service desk, uh, guys a lot as well. And just, you know, just understanding what's happening in the business all right? What are the common issues that we're seeing today. And, you know, we do ready for business reports every morning and you know I handle my security guys, I get them to send me like a infographic or visual graphic of, "All right, last 24 hours, what, what is hitting our perimeter? What are we seeing?"
[00:48:10] Um, then you know, at the same time, I get them to sort of give me, uh, uh, top five extract out of the sim logs and things like that. Or what are the stuff that, you know, we've been dealing with in the last 24 hours. Um, so that sort of stuff is probably what I do on a daily basis.
[00:48:23] Garrett O’Hara: Yup. Awesome. And, and you're well aware, obviously the, the skills shortage in cyber security-
[00:48:29] Yeah.
[00:48:29] Garrett O’Hara: ... and it's something that as an industry we about a lot.
[00:48:32] Yeah.
[00:48:32] Garrett O’Hara: Um, how have you gone around fi… um, not firing [laughs] hiring the right people?
[00:48:37] Um, so, look, there's a couple of things there, right? So, we, we solved security. Uh, it's sort of like, uh, watching [KOK 00:48:45], uh, you know, you couldn't get enough IT people in general because, you know, we didn't know what's gonna happen.
[00:48:49] Garrett O’Hara: Hmm.
[00:48:49] Same sort of thing is happening now in security and, you know, it is becoming an arms race because they can come from work for a law firm or they can go work for an AWS or Google or a, a bank that's got millions and billions of dollars budget in that security thing. Uh, so sort of on that sort of piece. A couple of things I do specifically, um, I'll work closely with vendors or rely on my vendor network. Um, we do do some managed services as well. Um, and then internally with my people, I sort of pick, um, internal so people who know my business and look to train them up, because you've got potential, and they can do the job. And so I invest the time and the money and the training of them, um, knowing that they feel like they're getting an opportunity, so there's a little bit of a loyalty thing there, so I can keep them a bit longer.
[00:49:33] Um, that's sort of how I've had to do it, I haven't been able to go off the, the… onto the street and just hire a CSO type thing. So, I've had to sort of, with a mix of everything, get out there. That's a bit of more all this, a bit of my head of infrastructure role, together we do that CSO function, and then we've got people sort of fit into that as well.
[00:49:50] Garrett O’Hara: Yeah. What are your thoughts in terms of when, uh, you've got people in the security team, the, the debate between experience or qualification? So, if somebody goes out and gets a CISSP qualification versus they've, you know, in the trenches experience or some combination of those? Like what do you think?
[00:50:05] Uh, look, so, I, I think, I think qualifi- qualifications are good in that they verify your experience. So you're not gonna be able to get a qualification really unless you've had some experience. And, you know, you're sort of starting out your journey, whether it be university, um, you know, you're gonna come out with a degree of some sort, but then when you get into the business, you get to say, "All right, well I want to go into security. I need a CISSP or whatever it is."
[00:50:27] Garrett O’Hara: Hmm.
[00:50:28] Um, so you sort of are gonna be doing both at the same time. You, you'd be very unlikely to find someone with a qualification that hasn't got no experience. But that being said, our preference experience to have qualifications at a certain level, because you want people to know how they can function. Yeah, I, I, I don't micromanage-
[00:50:46] Garrett O’Hara: Yap.
[00:50:47] ... I give my team a, a broad range of what their responsibilities are, and how you do that I don't mind.
[00:50:53] Garrett O’Hara: Yap.
[00:50:54] ... but it's up to you to get it done. Um, and that's where that experience comes in handy, because if you've got no experience, you spend a lot of time hand holding, and I don't have the time to hand hold.
[00:51:02] Garrett O’Hara: Mitch, a couple of kind of quick questions then. And, and these are less serious I suppose in some ways. I'm really keen to just get some insights into, you know, your- what you are outside of your role. Um, so just kinda wondering, what do you do outside of work?
[00:51:16] Uh, outside of work, I keep busy. I've got three kids, uh, with a wife, you know, the house, the pool. Um, so I spent a lot of time with them, you know, ferrying kids around to sports and activities after school. My wife does a lot of, but I do the we- sort of weekend sports. I sort of help manage, um, a couple of football teams and things like that, and then just generally catch up with friends and family, um, so when I can.
[00:51:37] Garrett O’Hara: Awesome, awesome. Um, and what, uh, what are you currently reading?
[00:51:41] So current book I'm reading is this [inaudible 00:51:43] of not giving up?
[00:51:44] Garrett O’Hara: Brilliant.
[00:51:44] Uh, it's great. Uh, you know, just it's-
[00:51:47] Garrett O’Hara: [laughs].
[00:51:48] Everyone should read it, I think.
[00:51:49] Garrett O’Hara: Yeah.
[00:51:49] So, it's very funny.
[00:51:50] Garrett O’Hara: Is that- Is it Mark Manson? Is that the author?
[00:51:52] That's correct. Yeah. Yeah. yeah.
[00:51:53] Garrett O’Hara: Right.
[00:51:53] So, I think it was on a New York best seller list for a c- a while. He's got another one that I haven't gotten in to yet, but it's along the same sort of lines as well.
[00:52:00] Garrett O’Hara: Right. Yeah, I've seen in the airport.
[00:52:02] Yeah.
[00:52:02] Garrett O’Hara: It's the orange color?
[00:52:03] Yeah, that's the one.
[00:52:03] Garrett O’Hara: Yeah, definitely I have to get to that one. Um, what kind of music do you listen to?
[00:52:07] Uh, so look, I listen to anything really. I've got Spotify sort of on every rotation on the train trip to work. I usually put in like, you know, the 2019 number one hits. Uh, I like a lot of Foo Fighters, Australian rock, that sort of stuff. But, you know, in general, anything sort of, uh… My middle son, Harry, he loves his music and dancing and things like that. So, he's always got a going around in the house.
[00:52:28] Garrett O’Hara: And you've mentioned sport a few times, and, and you manage a team, did you say?
[00:52:31] Yeah. Yeah. So, uh, my eldest guy, Cuba, he plays, uh, Rugby League, so I sort of manage his under 13s league team this year. Uh, they've just finished the season. They went through the season as minor premiers premiums, but lost out in the grand final. So, uh, it was a hard one for him to take, but you can't win everything. So-
[00:52:47] Garrett O’Hara: Definitely not.
[00:52:48] … good fun.
[00:52:48] Garrett O’Hara: Do you play yourself or do you-
[00:52:49] Uh, I do play a lot of old man sports myself. So, in the winter time I play over 35 soccer so-
[00:52:55] Garrett O’Hara: Yap.
[00:52:56] And then I've just started, uh, coming into summer now, we play summer soccer. So another over 35s summer soccer camp on a Wednesday night with a couple of mates. So, yeah, it's good [inaudible 00:53:05].
[00:53:04] Garrett O’Hara: Well, thanks so much for your time Mitch. I really do appreciate it. I think it's been a lovely conversation for me. So, definitely just wanna say, yeah, a big huge thanks to you.
[00:53:12] No worries.
[00:53:16]Gregor Jeffrey: [00:53:16] What a great interview with Mitch Owens from Gilbert and Tobin. Look, I, I found it really interesting. Um, you know, he had some great insights there in terms of, you know, how he can talk with the C-Suite now, uh, in terms of cybersecurity, and they have that greater understanding. Uh, the skills shortage for cybersecurity, that's always an interesting one. Uh, and especially when you're looking at their qualifications of, uh, you know, those who work in cybersecurity, versus their experience.
[00:53:41] Uh, so, you know, no matter how many different letters after your name, uh, or university courses you've done, it doesn't… you know, you can't trade that in for time in the field and being able to identify those threats out there. I guess what really interested me about what Mitch had to say was around time bomb data. Uh, you know, having that data that you can revoke access to, uh, or just have it literally destroy itself, um, so it's no longer available. I, I think this is a excellent concept, but I'm just not sure it's actually possible.
[00:54:11] Garrett O’Hara: I'm with Mitch, it would be amazing if it was. Um, and maybe someday there's a genie or a magic wand that actually lets it happen. But um… Uh, look, and I think the reality is with the proliferation and things like mobile phones, pens, you know, if you wanna go old school. You know, ultimately people can transcribe information, they can take photos of things. And, um, I think that data control… I've said this before, the only time I've ever seen it done very well or properly was in a call center, uh, overseas where when you walked in, you basically had to sub- give everything that wasn't organic to the security people.
[00:54:43] They run you through a security detector or metal detector and, and that was it. So, you couldn't bring anything in. And even then, if you had a good memory, you're still going to be able to remember a credit card number or something important. So, um, I'm with Mitch, but I think it would take a genie to actually make it happen.
[00:54:59] True. Uh, Snapchat certainly had a crack at it, uh, with the way they share videos and them having, um, them only being time-limited. I've never used Snapchat personally myself.
[00:55:10] Garrett O’Hara: Sure, you haven't. [laughing].
[00:55:11] But you know, the app, I understood, I understood it even at the OS level, it would stop screen recording, uh, being able to take screenshots when you're sharing a message, uh, however, you know, that can simply be circumvented by using another mobile phone to film it.
[00:55:25] Garrett O’Hara: Away you go. Yeah.
[00:55:26] So, there's, there's always a way to photocopy something at the end of the day. Whether it's-
[00:55:29] Garrett O’Hara: [laughs]. There is, that's pretty old school.
[00:55:30] Yeah. Whether it's with the old school photocopier or your, just your memory as you said, Gar.
[00:55:35] Garrett O’Hara: Yeah.
[00:55:36] Okay. That's the end of this episode for The Get Cyber Resilient Show. This episode's music comes from the Melbourne artists Jeff Monye, and can be found on Spotify. If you work in IT or security and make your own music, we'd love to feature it on the next episode, so simply get in touch with us by emailing gcr@mimecast.com.
[00:56:01] If you enjoyed The Get Cyber Resilient show, head over to getcyberresilient.com, a new online destination for cyber professionals in Australia and New Zealand. We all know the constant battles and challenges of addressing cybersecurity, getcyberresilient.com is a place that brings together the local cyber community to collectively problem-solve through innovative solutions. Come with us on a journey to be more resilient to the challenges and risks that exist online. Point your favorite web browser to getcyberresilient.com.