Cybersecurity remains a top priority for Australian businesses – and with good reason, considering some of the high-profile attacks on companies like port operator DP World, or last year’s breach at Optus.
For the third year, McGrathNicol Advisory has partnered with YouGov to survey 500 Australian business owners, partners, directors and C-Suite leaders, on the ransomware threat facing Australian businesses.
Darren Hopkins and Blare Sutton, cyber partners at McGrathNicol Advisory, talk to Sean Aylmer about why so many businesses are still paying $1 million or more in ransom – and the sector that’s likely to be targeted more in the coming year.
McGrathNicol Advisory is a supporter of this podcast
Find out more: https://fearandgreed.com.au
00:00:03,960 –> 00:00:06,389
Sean Aylmer: Welcome to the Fear and Greed Business Interview. I’m Sean
2
00:00:06,390 –> 00:00:11,069
Sean Aylmer: Aylmer. Cybersecurity remains a top priority for Australian business and
3
00:00:11,070 –> 00:00:14,880
Sean Aylmer: with good reason. We’re constantly hearing about new attacks, including
4
00:00:14,880 –> 00:00:17,969
Sean Aylmer: this week’s hack on freight operator DP World. And there
5
00:00:17,969 –> 00:00:21,210
Sean Aylmer: are plenty more that we don’t hear about too. One
6
00:00:21,210 –> 00:00:23,939
Sean Aylmer: of the biggest risks is ransomware. For the third year,
7
00:00:23,940 –> 00:00:28,080
Sean Aylmer: McGrathNicol Advisory has partnered with YouGov to survey 500 Australian
8
00:00:28,080 –> 00:00:31,320
Sean Aylmer: business owners, partners, directors, and C-suite leaders on the ransomware
9
00:00:32,190 –> 00:00:37,110
Sean Aylmer: threat facing Australian businesses.
Darren Hopkins and Blare Sutton are Cyber
10
00:00:37,110 –> 00:00:40,440
Sean Aylmer: Partners at McGrathNicol Advisory, which is a supporter of this
11
00:00:40,440 –> 00:00:43,019
Sean Aylmer: podcast. Darren and Blare, welcome to Fear and Greed.
12
00:00:43,380 –> 00:00:43,890
Darren Hopkins: Thanks, Sean.
13
00:00:44,250 –> 00:00:44,848
Blare Sutton: Thanks Sean.
14
00:00:45,659 –> 00:00:47,999
Sean Aylmer: Darren, we spoke to you about this last year when
15
00:00:48,000 –> 00:00:50,848
Sean Aylmer: you did this research. What can you tell us about
16
00:00:50,848 –> 00:00:54,029
Sean Aylmer: the headline results? Has the ransomware threat changed much since this
17
00:00:54,029 –> 00:00:54,750
Sean Aylmer: time last year?
18
00:00:55,260 –> 00:00:57,570
Darren Hopkins: Sean, this is our third year of running the research,
19
00:00:57,630 –> 00:00:59,940
Darren Hopkins: and some good news this year is that the results
20
00:00:59,940 –> 00:01:03,120
Darren Hopkins: show that there’s a reduction in the number of ransomware
21
00:01:03,120 –> 00:01:06,750
Darren Hopkins: attacks in Australia. Now, what we’ve got this year is that 56%
22
00:01:06,750 –> 00:01:10,440
Darren Hopkins: of those that we actually surveyed have said that they
23
00:01:10,440 –> 00:01:12,690
Darren Hopkins: had an attack in the last five years. Now, that’s
24
00:01:12,690 –> 00:01:15,540
Darren Hopkins: actually down on last year, 69%, so that’s some good
25
00:01:15,540 –> 00:01:19,200
Darren Hopkins: news.
The number of businesses that also paid the ransom
26
00:01:19,200 –> 00:01:22,469
Darren Hopkins: has dropped as well, which is nice. Three years ago
27
00:01:22,469 –> 00:01:25,229
Darren Hopkins: what we saw was that it was 83% of these businesses
28
00:01:25,230 –> 00:01:27,660
Darren Hopkins: were saying that they were paying the ransom. That’s dropped
29
00:01:27,660 –> 00:01:30,420
Darren Hopkins: right back now to 73%, but that’s still very high.
30
00:01:30,450 –> 00:01:33,810
Darren Hopkins: That’s almost three quarters of the businesses that suffered an
31
00:01:33,810 –> 00:01:37,319
Darren Hopkins: attack looked at paying.
We also got some different statistics
32
00:01:37,319 –> 00:01:40,200
Darren Hopkins: this year to help try to understand why this is
33
00:01:40,200 –> 00:01:42,809
Darren Hopkins: still such a big issue for Australia. We got some
34
00:01:42,809 –> 00:01:45,389
Darren Hopkins: details on who the main threat actors were that were
35
00:01:45,389 –> 00:01:50,970
Darren Hopkins: attacking Australia, with ALPHV, or aka BlackCat, being the most prevalent in the
36
00:01:51,270 –> 00:01:54,330
Darren Hopkins: research.
We had a look at how the attacks were
37
00:01:54,330 –> 00:01:57,270
Darren Hopkins: happening, and the most common way that attackers are getting
38
00:01:57,270 –> 00:02:00,660
Darren Hopkins: into systems still seems to be phishing emails and people
39
00:02:00,660 –> 00:02:04,049
Darren Hopkins: falling victim to those attacks there.
And we had some
40
00:02:04,049 –> 00:02:09,630
Darren Hopkins: other information which would suggest that 83% of the respondents
41
00:02:09,690 –> 00:02:12,840
Darren Hopkins: say that if someone was to find out that they
42
00:02:12,840 –> 00:02:15,478
Darren Hopkins: had paid or if they had someone in their supply
43
00:02:15,480 –> 00:02:20,130
Darren Hopkins: chain that had paid, that would absolutely adversely impact their
44
00:02:20,130 –> 00:02:21,839
Darren Hopkins: perception of that particular business.
45
00:02:22,650 –> 00:02:25,590
Sean Aylmer: Blare, bringing you into it here, I mean, I’m astounded
46
00:02:25,590 –> 00:02:29,580
Sean Aylmer: that so many people pay the ransom. It just seems
47
00:02:29,580 –> 00:02:32,700
Sean Aylmer: businesses are still more likely to pay a ransom. They’re
48
00:02:32,700 –> 00:02:36,450
Sean Aylmer: not, I mean, obviously your numbers back that up. How
49
00:02:36,450 –> 00:02:38,969
Sean Aylmer: much are they paying? Is it all because they’re too
50
00:02:38,969 –> 00:02:42,239
Sean Aylmer: worried that if it gets out, it destroys their reputation?
51
00:02:42,240 –> 00:02:43,470
Sean Aylmer: What’s the deal there, Blare?
52
00:02:44,190 –> 00:02:49,109
Blare Sutton: Yeah. Thanks, Sean. There’s a variety of different reasons and
53
00:02:49,110 –> 00:02:54,418
Blare Sutton: drivers. As Darren just said, over three quarters of businesses
54
00:02:54,419 –> 00:02:58,499
Blare Sutton: that suffer a ransomware attack are paying the ransom, which, as
55
00:02:58,500 –> 00:03:03,388
Blare Sutton: you rightly say, is rather alarming.
Probably what’s equally alarming
56
00:03:03,389 –> 00:03:08,548
Blare Sutton: is how quickly they’re paying and how much they’re paying. We
57
00:03:08,550 –> 00:03:13,230
Blare Sutton: see through the research that most organizations, or the average
58
00:03:13,230 –> 00:03:16,738
Blare Sutton: that organizations are paying, is around about a million dollars,
59
00:03:16,770 –> 00:03:22,500
Blare Sutton: which is astounding. But actually they’re prepared to pay more.
60
00:03:22,740 –> 00:03:24,240
Blare Sutton: I don’t know whether we should be saying that out
61
00:03:24,240 –> 00:03:27,300
Blare Sutton: loud, but it looks like they’re prepared to pay about
62
00:03:27,330 –> 00:03:31,919
Blare Sutton: 30% more when asked how much they would pay. And
63
00:03:32,070 –> 00:03:38,070
Blare Sutton: of those that paid, again, 75% paid within the first
64
00:03:38,070 –> 00:03:42,780
Blare Sutton: 48 hours. So there’s a variety of drivers there. We’ll
65
00:03:42,780 –> 00:03:45,390
Blare Sutton: probably explore that in more detail as we talk, but
66
00:03:45,960 –> 00:03:48,960
Blare Sutton: certainly reputation and wanting to keep out of the media,
67
00:03:48,960 –> 00:03:53,969
Blare Sutton: and possibly also trying to protect the people whose information
68
00:03:53,969 –> 00:03:55,440
Blare Sutton: has been involved in the attack.
69
00:03:55,950 –> 00:03:59,010
Sean Aylmer: Okay, Darren, so the federal government continues to advise against
70
00:03:59,130 –> 00:04:02,820
Sean Aylmer: ransom payments. Why is this the case? I mean, what
71
00:04:02,820 –> 00:04:05,400
Sean Aylmer: could happen to businesses and boards if they actually do
72
00:04:05,550 –> 00:04:07,679
Sean Aylmer: pay? Is there some sort of legal or regulatory issue
73
00:04:07,679 –> 00:04:09,239
Sean Aylmer: they’re likely to run into?
74
00:04:10,559 –> 00:04:14,430
Darren Hopkins: Whilst it’s still not illegal to pay a ransom in
75
00:04:14,430 –> 00:04:18,419
Darren Hopkins: this country, what businesses do need to do is first
76
00:04:18,420 –> 00:04:21,388
Darren Hopkins: get legal advice. There are times that you can’t make
77
00:04:21,389 –> 00:04:24,809
Darren Hopkins: a payment. For instance, if the threat actor is one
78
00:04:24,809 –> 00:04:28,109
Darren Hopkins: that is sanctioned, therefore they’re considered a terrorist organization, you
79
00:04:28,109 –> 00:04:31,260
Darren Hopkins: can’t make that payment. But you generally get advice to
80
00:04:31,260 –> 00:04:33,690
Darren Hopkins: that before you look at whether or not you could
81
00:04:33,690 –> 00:04:36,539
Darren Hopkins: consider a payment. The government has said that they won’t
82
00:04:36,540 –> 00:04:39,660
Darren Hopkins: ban payments, but they have come out this week and
83
00:04:39,660 –> 00:04:42,360
Darren Hopkins: said that there’s got to be mandatory no liability ransomware
84
00:04:42,540 –> 00:04:47,070
Darren Hopkins: obligations for reporting in this country, and they’re going to
85
00:04:47,459 –> 00:04:51,390
Darren Hopkins: expect businesses to tell them about a ransomware event that they’ve
86
00:04:51,390 –> 00:04:53,430
Darren Hopkins: become a victim of or if they’ve made a payment.
87
00:04:53,430 –> 00:04:55,890
Darren Hopkins: So that’s going to be interesting.
A lot of the
88
00:04:55,890 –> 00:04:59,159
Darren Hopkins: businesses that go down the path of looking to pay
89
00:04:59,610 –> 00:05:01,889
Darren Hopkins: do so for two reasons. And the research came out
90
00:05:01,889 –> 00:05:03,540
Darren Hopkins: and said that the number one reason they would do
91
00:05:03,540 –> 00:05:05,609
Darren Hopkins: that is likely to minimize harm, and they want to
92
00:05:05,609 –> 00:05:08,909
Darren Hopkins: minimize further harm to their people, their clients, or the
93
00:05:08,910 –> 00:05:11,969
Darren Hopkins: third parties that they deal with. They don’t want data
94
00:05:12,089 –> 00:05:14,639
Darren Hopkins: that may have been taken to be leaked publicly, and
95
00:05:14,639 –> 00:05:17,758
Darren Hopkins: that’s a way of reducing that damage.
The other issue,
96
00:05:17,759 –> 00:05:19,320
Darren Hopkins: and the other thing that they pay for, is to
97
00:05:19,320 –> 00:05:23,459
Darren Hopkins: reduce brand damage. And if an event doesn’t become public
98
00:05:23,459 –> 00:05:26,010
Darren Hopkins: and there’s no leakage then that certainly doesn’t impact your
99
00:05:26,010 –> 00:05:27,599
Darren Hopkins: brand as much if you don’t tell others.
100
00:05:28,290 –> 00:05:36,479
Sean Aylmer: Stay with me. We’ll be back in a minute. My
101
00:05:36,480 –> 00:05:39,869
Sean Aylmer: guests today are Darren Hopkins and Blare Sutton, Cyber Partners
102
00:05:40,109 –> 00:05:45,000
Sean Aylmer: at McGrathNicol Advisory.
Okay, so we have an enormous amount
103
00:05:45,029 –> 00:05:50,099
Sean Aylmer: of companies being hit with ransomware attacks, yet nine out
104
00:05:50,099 –> 00:05:54,359
Sean Aylmer: of 10, or 88%, of executives believe their organization is prepared for
105
00:05:54,360 –> 00:05:58,560
Sean Aylmer: a ransomware attack. Tell me, Blare, where’s the confidence coming from?
106
00:05:59,520 –> 00:06:02,700
Blare Sutton: It’s a really good question in that the statistics that
107
00:06:02,700 –> 00:06:07,650
Blare Sutton: we see there around being prepared for a cyber attack
108
00:06:07,650 –> 00:06:12,118
Blare Sutton: or a ransomware attack versus those that have been impacted, I
109
00:06:12,120 –> 00:06:15,270
Blare Sutton: mean, maybe some of that comes from the fact that
110
00:06:15,270 –> 00:06:17,729
Blare Sutton: they’ve actually had to deal with this before, if we’re
111
00:06:17,730 –> 00:06:21,210
Blare Sutton: looking at the large proportion of businesses that have been
112
00:06:21,210 –> 00:06:23,820
Blare Sutton: surveyed have actually had to deal with one. So there
113
00:06:23,820 –> 00:06:27,060
Blare Sutton: might be a little bit of perceived bench strength there.
114
00:06:27,540 –> 00:06:30,928
Blare Sutton: But I’d have to say from what we’re seeing in
115
00:06:30,928 –> 00:06:34,949
Blare Sutton: all sectors is that it probably infers a little bit
116
00:06:34,949 –> 00:06:40,950
Blare Sutton: of overconfidence. We also shouldn’t confuse people’s willingness to make
117
00:06:40,950 –> 00:06:44,610
Blare Sutton: ransom payments with not being prepared. I think sometimes we
118
00:06:44,610 –> 00:06:47,669
Blare Sutton: can have a look at some of these statistics and think,
119
00:06:47,940 –> 00:06:50,880
Blare Sutton: “Well, if all this money’s being paid and all these
120
00:06:50,880 –> 00:06:53,219
Blare Sutton: people are prepared to being paid, surely that means they’re
121
00:06:53,219 –> 00:06:57,540
Blare Sutton: not prepared.”
To explain that a little, we do see
122
00:06:57,540 –> 00:07:01,349
Blare Sutton: a lot of Australian businesses improving their ability to respond
123
00:07:01,350 –> 00:07:05,130
Blare Sutton: to a ransom attack, and they do this by, obviously,
124
00:07:05,130 –> 00:07:09,178
Blare Sutton: doing all the cybersecurity work around controls, et cetera, but
125
00:07:09,178 –> 00:07:14,040
Blare Sutton: also in developing incident response plans and appointing incident responders
126
00:07:14,370 –> 00:07:17,580
Blare Sutton: and then testing those plans. And quite often when you
127
00:07:17,580 –> 00:07:21,630
Blare Sutton: test those plans, through running a simulated exercise, you’re going
128
00:07:21,630 –> 00:07:24,659
Blare Sutton: to include the fact that there’ll be a ransom demand
129
00:07:24,929 –> 00:07:28,049
Blare Sutton: and this will allow the boards or the executives or
130
00:07:28,049 –> 00:07:32,520
Blare Sutton: the owners of that business to plan in advance about,
131
00:07:32,520 –> 00:07:35,640
Blare Sutton: “Well, how would we deal with the ransom? Would we
132
00:07:35,640 –> 00:07:40,679
Blare Sutton: pay it?”
So, yes, it doesn’t necessarily add up, that
133
00:07:40,679 –> 00:07:44,280
Blare Sutton: statistic. We think there’s a little bit of overconfidence, and
134
00:07:44,280 –> 00:07:48,119
Blare Sutton: especially when you start to look at the emerging trend
135
00:07:48,119 –> 00:07:52,890
Blare Sutton: of attacks on supply chains and critical infrastructure, we need
136
00:07:52,890 –> 00:07:56,550
Blare Sutton: to build out those plans to consider for people outside
137
00:07:56,550 –> 00:07:59,490
Blare Sutton: of what we’re controlling in our immediate business.
138
00:08:00,030 –> 00:08:02,519
Sean Aylmer: Okay. I’ll get to critical infrastructure in a moment, Blare,
139
00:08:02,520 –> 00:08:06,960
Sean Aylmer: but just on that, in terms of what McGrathNicol is seeing and what you
140
00:08:06,960 –> 00:08:10,920
Sean Aylmer: just said, it sounds like Australian business are getting better
141
00:08:11,490 –> 00:08:14,639
Sean Aylmer: at getting ready for it, at least, even if not
142
00:08:14,760 –> 00:08:17,280
Sean Aylmer: necessarily the ransomware part of it, but they’re thinking more
143
00:08:17,280 –> 00:08:17,730
Sean Aylmer: about it.
144
00:08:18,360 –> 00:08:23,039
Blare Sutton: They’re thinking more about it. They’re certainly preparing themselves to
145
00:08:23,039 –> 00:08:28,140
Blare Sutton: respond, which is absolutely positive movement and positive sentiment. And
146
00:08:28,140 –> 00:08:32,460
Blare Sutton: we are seeing that increase in preparedness over the course
147
00:08:32,460 –> 00:08:36,780
Blare Sutton: of the surveys that we’ve been conducting and also from
148
00:08:36,780 –> 00:08:38,130
Blare Sutton: what we’re seeing out in market.
149
00:08:38,940 –> 00:08:43,020
Sean Aylmer: Okay. Now, Blare, DP World, Australia’s second-largest port operator,
150
00:08:43,020 –> 00:08:46,050
Sean Aylmer: shut down over the weekend because of the cyber attack.
151
00:08:46,980 –> 00:08:49,410
Sean Aylmer: There’s all sorts of talk about what that means in
152
00:08:49,410 –> 00:08:54,270
Sean Aylmer: terms of new critical infrastructure, legislation, supply chains, et cetera.
153
00:08:54,540 –> 00:08:57,989
Sean Aylmer: Are these the sorts of areas which are likely to
154
00:08:57,990 –> 00:09:02,820
Sean Aylmer: attract more cyber attacks in the future, these critical infrastructure
155
00:09:02,820 –> 00:09:07,170
Sean Aylmer: plays like ports, maybe telcos, poles, wires, those sorts of things?
156
00:09:07,920 –> 00:09:11,730
Blare Sutton: To understand the trends, the future trends, we need to
157
00:09:11,730 –> 00:09:16,469
Blare Sutton: delve into what are the motivators for these malicious actors?
158
00:09:16,889 –> 00:09:20,429
Blare Sutton: And if we have a look at recent events, not
159
00:09:20,429 –> 00:09:25,740
Blare Sutton: just DP World, and going back a little bit further,
160
00:09:25,740 –> 00:09:29,429
Blare Sutton: Optus and Medibank and the like, if we look at
161
00:09:29,429 –> 00:09:34,350
Blare Sutton: the broader global geopolitical situation, we can understand that the
162
00:09:34,350 –> 00:09:40,200
Blare Sutton: malicious actors are both financially and politically motivated.
So if
163
00:09:40,200 –> 00:09:44,489
Blare Sutton: we think about the conflicts in Ukraine and Israel, both
164
00:09:44,490 –> 00:09:49,889
Blare Sutton: of those were preempted by cyber attacks and cyber attacks
165
00:09:49,889 –> 00:09:53,159
Blare Sutton: have formed a large part of the response. So it’s
166
00:09:53,160 –> 00:09:57,809
Blare Sutton: not just financial motivations, it’s political motivations. And so if
167
00:09:57,809 –> 00:10:02,728
Blare Sutton: you then extend that to thinking about critical infrastructure and
168
00:10:02,730 –> 00:10:07,469
Blare Sutton: other key businesses in the supply chain, it gives dual
169
00:10:07,469 –> 00:10:12,119
Blare Sutton: motivation to attack those targets. I mean, we’ve seen incidents
170
00:10:12,119 –> 00:10:15,510
Blare Sutton: where an attack on a managed service provider, which is
171
00:10:15,510 –> 00:10:19,800
Blare Sutton: an IT company that manages servers and IT systems for
172
00:10:19,830 –> 00:10:25,080
Blare Sutton: various clients, that’s resulted in not just a ransom demand
173
00:10:25,080 –> 00:10:28,199
Blare Sutton: against that IT company, but ransom demands on each of
174
00:10:28,199 –> 00:10:31,260
Blare Sutton: their clients.
So if we think of it in that
175
00:10:31,260 –> 00:10:35,370
Blare Sutton: perspective, the ability to attack someone in the supply chain
176
00:10:35,550 –> 00:10:39,900
Blare Sutton: actually improves their likely return on investment. Instead of it
177
00:10:39,900 –> 00:10:44,579
Blare Sutton: being one possible payment, they might have 10, 20, or 30 possible payments
178
00:10:44,790 –> 00:10:48,239
Blare Sutton: of lower value, but to a better return on investment.
179
00:10:48,600 –> 00:10:51,300
Blare Sutton: And then you flip that on its side and you
180
00:10:51,300 –> 00:10:56,040
Blare Sutton: look at it from a geopolitical perspective, to infiltrate something
181
00:10:56,040 –> 00:10:58,830
Blare Sutton: at someone like DP World, whether that’s an… I don’t
182
00:10:58,830 –> 00:11:01,229
Blare Sutton: believe that’s been confirmed that it was actually a ransom
183
00:11:01,230 –> 00:11:05,549
Blare Sutton: attack, that’s certainly a great geopolitical lever, whether it’s to
184
00:11:05,549 –> 00:11:09,300
Blare Sutton: get information or access to information or to even be
185
00:11:09,300 –> 00:11:12,510
Blare Sutton: able to shut down their systems whenever you like. So
186
00:11:12,570 –> 00:11:16,800
Blare Sutton: absolutely, I think given that understanding and given what we are seeing,
187
00:11:17,190 –> 00:11:20,910
Blare Sutton: there’s absolutely going to be a trend of supply chain
188
00:11:20,910 –> 00:11:23,458
Blare Sutton: and critical infrastructure attacks in the year ahead.
189
00:11:24,600 –> 00:11:27,958
Sean Aylmer: Darren, what should Australian organizations be doing now to prepare
190
00:11:27,960 –> 00:11:31,230
Sean Aylmer: for and anticipate these types of major cyber disruptions? What
191
00:11:31,230 –> 00:11:32,880
Sean Aylmer: are the steps they can take right now?
192
00:11:33,599 –> 00:11:35,490
Darren Hopkins: Well, a great question and the one we get asked
193
00:11:35,490 –> 00:11:38,520
Darren Hopkins: all the time to consider. We’re going through, I guess,
194
00:11:38,520 –> 00:11:42,660
Darren Hopkins: top 10, what should Australian businesses think about right now?
195
00:11:42,809 –> 00:11:45,480
Darren Hopkins: Elevate cyber to be a material risk for your business.
196
00:11:45,480 –> 00:11:47,429
Darren Hopkins: Actually put it on the top of the list and
197
00:11:47,429 –> 00:11:50,010
Darren Hopkins: actually deal with it.
One thing we’ve seen out of
198
00:11:50,010 –> 00:11:53,880
Darren Hopkins: all the surveys is your IT hygiene needs to be
199
00:11:53,880 –> 00:11:57,150
Darren Hopkins: managed and it needs to be up-to-date. These
200
00:11:57,150 –> 00:12:00,630
Darren Hopkins: attacks generally come through very simple controls that have failed.
201
00:12:01,290 –> 00:12:04,470
Darren Hopkins: Consider guidance that government gives us, like the Essential Eight,
202
00:12:04,530 –> 00:12:06,840
Darren Hopkins: and put a program in place to deal with that.
203
00:12:07,320 –> 00:12:09,900
Darren Hopkins: Know where your information and your assets are, where are
204
00:12:09,900 –> 00:12:13,319
Darren Hopkins: the crown jewels that you’re trying to protect, and protect
205
00:12:13,320 –> 00:12:16,170
Darren Hopkins: them. In a lot of cases people don’t know what
206
00:12:16,170 –> 00:12:20,040
Darren Hopkins: was taken because they haven’t considered that information. We always
207
00:12:20,040 –> 00:12:22,978
Darren Hopkins: ask people to go off and test their defenses and
208
00:12:22,980 –> 00:12:26,910
Darren Hopkins: their preparedness for an attack.
At the same time, formalize
209
00:12:26,910 –> 00:12:30,330
Darren Hopkins: your incident response plans and actually undertake some drills. Go
210
00:12:30,330 –> 00:12:33,390
Darren Hopkins: through and see how you would respond during an incident.
211
00:12:33,420 –> 00:12:37,110
Darren Hopkins: Blare did talk about those simulations and tabletops, so important.
212
00:12:37,740 –> 00:12:41,010
Darren Hopkins: Understand your legislative landscape you’re operating in. Things are changing.
213
00:12:41,010 –> 00:12:44,250
Darren Hopkins: The Privacy Act has changed and will continue to change.
214
00:12:45,059 –> 00:12:47,699
Darren Hopkins: We’ve got a cyber strategy coming out for the country
215
00:12:47,759 –> 00:12:50,400
Darren Hopkins: next week, we believe. There’ll be information in there that
216
00:12:50,460 –> 00:12:54,179
Darren Hopkins: relates to us. We may have mandatory reporting obligations. ASIC
217
00:12:54,179 –> 00:12:56,578
Darren Hopkins: is very vocal.
So be aware of what you need
218
00:12:56,580 –> 00:13:01,319
Darren Hopkins: to do and start to consider other risk management considerations,
219
00:13:01,320 –> 00:13:05,070
Darren Hopkins: such as cyber insurance, beyond your IT. But the key
220
00:13:05,070 –> 00:13:07,410
Darren Hopkins: thing is, is actually start doing something about it.
221
00:13:08,070 –> 00:13:10,199
Sean Aylmer: Darren, Blare, thank you for talking to Fear and Greed.
222
00:13:10,740 –> 00:13:11,189
Darren Hopkins: Thanks, Sean.
223
00:13:11,549 –> 00:13:12,090
Blare Sutton: Thanks, Sean.
224
00:13:12,958 –> 00:13:16,020
Sean Aylmer: That was Darren Hopkins and Blare Sutton, Cyber Partners at
225
00:13:16,020 –> 00:13:19,170
Sean Aylmer: McGrathNicol Advisory, which is a great supporter of this podcast.
226
00:13:19,470 –> 00:13:21,840
Sean Aylmer: This is the Fear and Greed Business Interview. Join us
227
00:13:21,840 –> 00:13:24,029
Sean Aylmer: every morning for the full episode of Fear and Greed,
228
00:13:24,030 –> 00:13:27,300
Sean Aylmer: Australia’s best business podcast. I’m Sean Aylmer. Enjoy your day.