
Fear & Greed, Fear and Greed

Earlier this month, internet giants Google (Alphabet Inc.), Amazon, and Cloudflare revealed they’d blocked a cyber attack that Google said was seven times bigger than anything seen before.

Fortunately, they fended it off. But with more businesses using the cloud to store so much data, it’s a salient reminder of the need to be taking cyber security seriously.

Sean Aylmer talks to Paul Garner, the co-founder and COO of the Australian cloud security platform Plerion, about the biggest vulnerabilities and risks for Australian businesses.

Plerion is a supporter of this podcast.

Find out more: https://fearandgreed.com.au

1
00:00:04,019 –> 00:00:06,389
Sean Aylmer: Welcome to the Fear and Greed Business Interview. I’m Sean

2
00:00:06,390 –> 00:00:09,780
Sean Aylmer: Aylmer. If businesses ever needed a reminder of the importance

3
00:00:09,780 –> 00:00:12,898
Sean Aylmer: of cybersecurity, they got it earlier in the month. Internet

4
00:00:12,900 –> 00:00:17,309
Sean Aylmer: giants, Google, Amazon, and Cloudflare revealed they’d blocked a cyber

5
00:00:17,309 –> 00:00:20,639
Sean Aylmer: attack, a denial of service attack that Google said was

6
00:00:20,640 –> 00:00:25,170
Sean Aylmer: seven times bigger than anything seen before. Fortunately, they fended

7
00:00:25,200 –> 00:00:27,840
Sean Aylmer: it off, but with more businesses using the cloud to

8
00:00:27,840 –> 00:00:30,750
Sean Aylmer: store so much data, it’s a salient reminder of the

9
00:00:30,750 –> 00:00:34,500
Sean Aylmer: need to be taking cybersecurity seriously, with responsibility going all

10
00:00:34,500 –> 00:00:37,050
Sean Aylmer: the way up to board level.
Paul Garner is the co-

11
00:00:37,050 –> 00:00:41,040
Sean Aylmer: founder and Chief Operating Officer of Australian cloud security platform,

12
00:00:41,040 –> 00:00:44,250
Sean Aylmer: Plerion, which is a supporter of this podcast. Paul, welcome

13
00:00:44,250 –> 00:00:45,030
Sean Aylmer: to Fear and Greed.

14
00:00:45,598 –> 00:00:46,919
Paul Garner: Hi, Sean. Great to be here.

15
00:00:47,490 –> 00:00:49,829
Sean Aylmer: So I just talked about that attack on Google, Amazon,

16
00:00:49,830 –> 00:00:54,450
Sean Aylmer: Cloudflare. What impact does an attack like that one have

17
00:00:54,450 –> 00:00:58,110
Sean Aylmer: in terms of general awareness around the business community?

18
00:00:58,860 –> 00:01:01,740
Paul Garner: Yeah, it’s a good question, Sean. And I think what

19
00:01:01,740 –> 00:01:05,669
Paul Garner: it does, given that the organizations who were the subject

20
00:01:05,670 –> 00:01:10,530
Paul Garner: of that attack are household names, right? Google, Amazon, Cloudflare.

21
00:01:11,219 –> 00:01:17,820
Paul Garner: It just helps bring the consideration around cybersecurity, how your data

22
00:01:18,300 –> 00:01:21,840
Paul Garner: is protected back to the top of the priority list

23
00:01:21,840 –> 00:01:26,549
Paul Garner: of many people whose data is hosted by these types

24
00:01:26,549 –> 00:01:30,330
Paul Garner: of organizations. And then for businesses as well, how well

25
00:01:30,330 –> 00:01:34,020
Paul Garner: are they geared up to protect themselves from these types of

26
00:01:34,020 –> 00:01:35,640
Paul Garner: attacks if it were to happen to them?

27
00:01:36,450 –> 00:01:39,179
Sean Aylmer: Okay, so how prepared are we? There’s been a bunch

28
00:01:39,179 –> 00:01:42,750
Sean Aylmer: of security breaches locally across the past 12 to 18 months, or

29
00:01:42,750 –> 00:01:44,819
Sean Aylmer: maybe it’s just that we’re hearing more about it. I’m

30
00:01:44,819 –> 00:01:48,660
Sean Aylmer: just interested why have there been more? Is it more

31
00:01:48,660 –> 00:01:50,940
Sean Aylmer: attackers out there? Is it because we use the cloud

32
00:01:50,940 –> 00:01:53,400
Sean Aylmer: more or greater volume of data? What’s the reason?

33
00:01:54,120 –> 00:01:57,210
Paul Garner: Yeah, I think the reality, Sean, is it’s an amalgamation

34
00:01:57,210 –> 00:02:01,259
Paul Garner: of all of those things. So there’s organizations who have

35
00:02:01,259 –> 00:02:05,789
Paul Garner: benefited hugely from the transition to the cloud, that empowers

36
00:02:05,789 –> 00:02:10,050
Paul Garner: them as businesses to grow faster without too many barriers,

37
00:02:10,139 –> 00:02:15,360
Paul Garner: and to really empower their developers to bring about the

38
00:02:15,360 –> 00:02:18,508
Paul Garner: results that the businesses want. So scale faster, get more

39
00:02:18,508 –> 00:02:22,230
Paul Garner: users, get more customers, have more growth. And one of

40
00:02:22,230 –> 00:02:27,510
Paul Garner: the unfortunate consequences of that is that security sometimes isn’t

41
00:02:27,510 –> 00:02:30,570
Paul Garner: one of the fundamental pillars with which these organizations are

42
00:02:30,570 –> 00:02:35,370
Paul Garner: building from day one.
So that leaves a situation where

43
00:02:35,370 –> 00:02:39,719
Paul Garner: attackers know that data might be exposed, and if they

44
00:02:39,719 –> 00:02:42,600
Paul Garner: go looking for it hard enough, they might find it.

45
00:02:42,930 –> 00:02:45,690
Paul Garner: And as you quite rightly mentioned, in Australia, we’ve seen

46
00:02:45,690 –> 00:02:48,570
Paul Garner: a lot of these kind of issues, especially over the

47
00:02:48,570 –> 00:02:52,020
Paul Garner: last 12 to 18 months. And my guess is that that will

48
00:02:52,020 –> 00:02:53,369
Paul Garner: only accelerate somewhat.

49
00:02:53,910 –> 00:02:58,649
Sean Aylmer: So Plerion is all about protecting company’s data when it’s

50
00:02:58,650 –> 00:03:02,100
Sean Aylmer: in the cloud or helping that data be protected. Are

51
00:03:02,100 –> 00:03:04,530
Sean Aylmer: we getting better at doing the right… So I’m sure

52
00:03:04,560 –> 00:03:08,490
Sean Aylmer: whatever Plerion or AWS does, it’s fantastic, right? But what

53
00:03:08,490 –> 00:03:11,099
Sean Aylmer: about us as individuals, as a business? Are we getting

54
00:03:11,099 –> 00:03:16,590
Sean Aylmer: better at this, at not making silly mistakes, but often

55
00:03:16,590 –> 00:03:20,460
Sean Aylmer: quite… Everyone understands the mistake people make, but are we

56
00:03:20,460 –> 00:03:21,840
Sean Aylmer: getting better at it, understanding it?

57
00:03:22,380 –> 00:03:25,380
Paul Garner: I think it’s a really pertinent question, and I think

58
00:03:25,380 –> 00:03:31,078
Paul Garner: principally, organizations who do really well understand and they understand

59
00:03:31,110 –> 00:03:35,459
Paul Garner: early that this is always a mixture of people, process

60
00:03:35,459 –> 00:03:39,390
Paul Garner: and technology in terms of how you equip yourselves to

61
00:03:39,420 –> 00:03:43,590
Paul Garner: be protected, and most importantly, how you’re equipping yourselves as

62
00:03:43,590 –> 00:03:49,469
Paul Garner: an organization to protect your customer’s data. Because principally, that’s

63
00:03:49,469 –> 00:03:53,129
Paul Garner: where the attackers know that the highest value is.
So

64
00:03:53,129 –> 00:03:55,890
Paul Garner: if we’re talking about breaches that we’ve seen in Australia,

65
00:03:55,890 –> 00:04:02,850
Paul Garner: across telco, across insurers, across financial institutions, attackers are always looking, “

66
00:04:02,970 –> 00:04:05,250
Paul Garner: How do we get to the customer data?” Because they

67
00:04:05,250 –> 00:04:08,940
Paul Garner: know that’s going to cause businesses the biggest headache. And

68
00:04:08,940 –> 00:04:13,710
Paul Garner: fundamentally, there’s still progress that needs to be made, I

69
00:04:13,710 –> 00:04:16,350
Paul Garner: think, across the ecosystem where that’s concerned.

70
00:04:16,770 –> 00:04:18,150
Sean Aylmer: Is that an education piece?

71
00:04:18,930 –> 00:04:23,339
Paul Garner: I think it’s an education piece, it’s an awareness piece,

72
00:04:23,790 –> 00:04:29,039
Paul Garner: and it’s how senior leadership and boards think about the

73
00:04:29,039 –> 00:04:32,460
Paul Garner: impact. And when I say the impact, it’s easy to

74
00:04:32,460 –> 00:04:36,210
Paul Garner: think about, well, the average data breach costs companies in

75
00:04:36,210 –> 00:04:42,118
Paul Garner: Australia $4 million. That’s an important headline, but fundamentally, there’s

76
00:04:42,210 –> 00:04:44,578
Paul Garner: always that case at a board level that says, “Well,

77
00:04:44,580 –> 00:04:47,910
Paul Garner: if it hasn’t happened to us, should we be proactive

78
00:04:48,180 –> 00:04:51,750
Paul Garner: about investing in the people, in the process, in the

79
00:04:51,750 –> 00:04:55,500
Paul Garner: technology to ensure that it’s not us?” And then there’s

80
00:04:55,500 –> 00:04:58,620
Paul Garner: a thought process that says, “Well, if we are compliant,

81
00:04:58,860 –> 00:05:01,619
Paul Garner: if we’ve gone through the ISO certification or the SOC

82
00:05:01,620 –> 00:05:06,570
Paul Garner: certification process, then we must be secure.” Unfortunately, it doesn’t

83
00:05:06,570 –> 00:05:09,930
Paul Garner: work like that.
So there’s two elements to it at a board

84
00:05:09,930 –> 00:05:13,200
Paul Garner: and senior level. One is how do you buy down

85
00:05:13,200 –> 00:05:15,779
Paul Garner: on risk? The other is how do you set your

86
00:05:15,779 –> 00:05:21,750
Paul Garner: business up successfully to grow without limitations? That to me

87
00:05:21,750 –> 00:05:23,999
Paul Garner: is one of the key business drivers. And if you

88
00:05:24,000 –> 00:05:28,650
Paul Garner: haven’t baked in the right level of security processes and

89
00:05:28,650 –> 00:05:32,849
Paul Garner: the technology to underpin it, then that’s usually where problems

90
00:05:32,849 –> 00:05:34,620
Paul Garner: can arise further down the track.

91
00:05:35,250 –> 00:05:37,170
Sean Aylmer: Stay with me, Paul, we’ll be back in a minute.

92
00:05:43,410 –> 00:05:45,810
Sean Aylmer: My guest today is Paul Garner, co-founder and COO

93
00:05:46,529 –> 00:05:50,789
Sean Aylmer: of Plerion. I hesitate to ask this because I’m a non-

94
00:05:50,790 –> 00:05:54,719
Sean Aylmer: technical person, but how do you do it? So Plerion,

95
00:05:54,779 –> 00:05:58,738
Sean Aylmer: as an organization, how do you help safeguard this data

96
00:05:58,740 –> 00:06:00,060
Sean Aylmer: of my business, for example?

97
00:06:00,479 –> 00:06:03,839
Paul Garner: So it is a technology play. So Plerion is a SaaS

98
00:06:03,839 –> 00:06:09,388
Paul Garner: platform that effectively continuously scans cloud environments, whether it be

99
00:06:10,110 –> 00:06:13,709
Paul Garner: AWS, Microsoft, Google. And not only are we looking for

100
00:06:13,710 –> 00:06:20,970
Paul Garner: vulnerabilities or misconfigurations or overly permissive resources in the environment,

101
00:06:20,970 –> 00:06:24,089
Paul Garner: we are looking to bring all of that data together to

102
00:06:24,089 –> 00:06:28,379
Paul Garner: drive context. Because another thing that organizations are really struggling

103
00:06:28,380 –> 00:06:31,829
Paul Garner: with, even those who want to have an acute focus

104
00:06:31,830 –> 00:06:35,610
Paul Garner: on cyber and cloud security is, “Where do I start?”

105
00:06:35,850 –> 00:06:38,969
Paul Garner: If I’m a huge organization who’s got a massive cloud

106
00:06:38,970 –> 00:06:43,620
Paul Garner: footprint, I could go and find thousands, tens of thousands,

107
00:06:43,710 –> 00:06:47,640
Paul Garner: if not hundreds of thousands of things that aren’t actually

108
00:06:47,670 –> 00:06:51,539
Paul Garner: built to best practice, but they don’t necessarily leave my

109
00:06:51,540 –> 00:06:56,609
Paul Garner: business or my customer’s data exposed to risk any one

110
00:06:56,610 –> 00:07:00,060
Paul Garner: moment in time.
So the value proposition of a platform

111
00:07:00,060 –> 00:07:02,700
Paul Garner: like Plerion is how do we bring all of that

112
00:07:02,820 –> 00:07:08,460
Paul Garner: telemetry together to drive context? And context could be, “Okay,

113
00:07:08,460 –> 00:07:12,450
Paul Garner: we’ve assessed your environment. There’s an attack path that exists

114
00:07:12,540 –> 00:07:16,680
Paul Garner: from the internet right through to your customer’s data where

115
00:07:16,680 –> 00:07:21,269
Paul Garner: you’ve got PII, PCI, PHI information that you thought was

116
00:07:21,270 –> 00:07:25,080
Paul Garner: protected, but actually it’s not.” So it’s all about empowering

117
00:07:25,080 –> 00:07:29,819
Paul Garner: organizations to understand where is the risk right now and

118
00:07:29,820 –> 00:07:34,650
Paul Garner: take proactive measures around that because security teams and investment

119
00:07:34,650 –> 00:07:37,650
Paul Garner: just isn’t there for organizations to try and look at

120
00:07:37,650 –> 00:07:41,969
Paul Garner: every minor little indiscretion by itself. You’d never get on

121
00:07:41,969 –> 00:07:43,140
Paul Garner: top of things in that way.

122
00:07:43,950 –> 00:07:46,199
Sean Aylmer: Where are you looking? Where are the greatest risks from

123
00:07:46,199 –> 00:07:48,179
Sean Aylmer: now? We had the denial of service attack that we

124
00:07:48,180 –> 00:07:50,340
Sean Aylmer: talked about at the top of the show. Obviously that’s

125
00:07:50,340 –> 00:07:52,770
Sean Aylmer: happening a lot more, but what are the areas that

126
00:07:52,770 –> 00:07:57,869
Sean Aylmer: you are seeing criminals effectively tapping into to hurt businesses?

127
00:07:58,710 –> 00:08:01,559
Paul Garner: Probably the biggest one that we see, Sean, is around

128
00:08:01,559 –> 00:08:07,350
Paul Garner: identity and permissions. And more often than not, when you

129
00:08:07,350 –> 00:08:11,940
Paul Garner: hear about attacks or data that’s been infiltrated out of

130
00:08:11,940 –> 00:08:16,020
Paul Garner: an organization’s cloud environment into the hands of attackers, it’s

131
00:08:16,020 –> 00:08:21,150
Paul Garner: because the attackers have managed to implement themselves somewhere into

132
00:08:21,150 –> 00:08:25,530
Paul Garner: the permission stack. So that’s whether there are actual assets

133
00:08:25,530 –> 00:08:29,040
Paul Garner: in the cloud environment that are vulnerable and overly permissive

134
00:08:29,490 –> 00:08:32,728
Paul Garner: or where they’ve managed to get hold of credentials that

135
00:08:32,790 –> 00:08:36,570
Paul Garner: allow them into the cloud environment and then give them

136
00:08:36,570 –> 00:08:40,289
Paul Garner: escalated privileges to go and access things that they shouldn’t

137
00:08:40,289 –> 00:08:45,030
Paul Garner: access. So the identity and permission segment is a consistent

138
00:08:45,030 –> 00:08:49,140
Paul Garner: challenge for organizations to get right, and monitoring that is

139
00:08:49,140 –> 00:08:52,770
Paul Garner: really important and being proactive about, “Okay, we had users

140
00:08:52,770 –> 00:08:55,469
Paul Garner: that we don’t have anymore. Let’s make sure that we

141
00:08:55,469 –> 00:08:59,070
Paul Garner: delete those users and all associated permissions,” as opposed to

142
00:08:59,070 –> 00:09:02,400
Paul Garner: just leaving them hanging in the embers because that’s where

143
00:09:02,400 –> 00:09:04,500
Paul Garner: attackers can often find a way in.

144
00:09:04,950 –> 00:09:07,890
Sean Aylmer: Okay. So I’m a business, got 200 people, and I’ve

145
00:09:07,890 –> 00:09:09,870
Sean Aylmer: listened to this interview and I think, “What do I

146
00:09:09,870 –> 00:09:13,468
Sean Aylmer: do?” I obviously call Plerion. That’s the short answer, but

147
00:09:13,469 –> 00:09:16,708
Sean Aylmer: let’s go beyond that. What should I as a business

148
00:09:16,708 –> 00:09:20,100
Sean Aylmer: with 200 people, maybe it’s a 1,000 people, I think, “I have to take

149
00:09:20,100 –> 00:09:22,740
Sean Aylmer: this more seriously.” What’s the first step? What’s the second step?

150
00:09:23,190 –> 00:09:27,420
Paul Garner: Yeah, so the first step genuinely isn’t technology because I

151
00:09:27,420 –> 00:09:28,830
Paul Garner: don’t want to do myself out of a job here,

152
00:09:28,830 –> 00:09:31,679
Paul Garner: but technology isn’t the silver bullet in and of itself.

153
00:09:32,130 –> 00:09:33,960
Paul Garner: What you need to be able to do is get

154
00:09:33,960 –> 00:09:38,280
Paul Garner: better visibility first and foremost. So where is the edge

155
00:09:38,280 –> 00:09:41,790
Paul Garner: of my environment? What assets do exist in my environment?

156
00:09:41,790 –> 00:09:44,400
Paul Garner: And once you’ve got that map and it’s easy to

157
00:09:44,400 –> 00:09:49,199
Paul Garner: visualize and understand, then you can start to drill down into, “

158
00:09:49,410 –> 00:09:53,069
Paul Garner: Well, where are my users? What are their permissions? What

159
00:09:53,070 –> 00:09:57,090
Paul Garner: are the vulnerabilities or misconfigurations that exist in the environment?”

160
00:09:57,450 –> 00:09:59,940
Paul Garner: And you can start to then understand, “Well, if this

161
00:09:59,940 –> 00:10:02,880
Paul Garner: is what we’re working with today, how do we do

162
00:10:02,880 –> 00:10:06,660
Paul Garner: a moment-in-time assessment of how effectively we are

163
00:10:06,660 –> 00:10:10,289
Paul Garner: geared up from a security and compliance perspective? And then

164
00:10:10,289 –> 00:10:13,110
Paul Garner: how as an extension do we then drive to a

165
00:10:13,110 –> 00:10:15,960
Paul Garner: position where we can do this on a continuous basis?”

166
00:10:16,170 –> 00:10:21,150
Paul Garner: Because in that segment that you mentioned, organizations with between

167
00:10:21,780 –> 00:10:27,208
Paul Garner: 200 and a 1,000 or 2,000 people, these are often organizations, especially

168
00:10:27,210 –> 00:10:30,690
Paul Garner: in the technology space that have been growing quickly, have been

169
00:10:30,690 –> 00:10:35,160
Paul Garner: growing without abandon because until recent macroeconomic headwinds, that was

170
00:10:36,179 –> 00:10:39,600
Paul Garner: the playbook. And it just needs a little bit of

171
00:10:40,139 –> 00:10:43,289
Paul Garner: pragmatism to say, “Right, let’s make sure we understand what

172
00:10:43,290 –> 00:10:46,770
Paul Garner: we’ve got.” Because there are many stats out there. Around,

173
00:10:46,799 –> 00:10:51,000
Paul Garner: I think it’s 62% of hypergrowth businesses are actually using

174
00:10:51,000 –> 00:10:54,360
Paul Garner: security as an enabler for growth. And so that’s the

175
00:10:54,360 –> 00:10:57,389
Paul Garner: mindset I would encourage businesses to have. It’s like, “We

176
00:10:57,389 –> 00:11:00,389
Paul Garner: want to grow, we want to grow fast. Actually, we

177
00:11:00,389 –> 00:11:04,380
Paul Garner: can do that more effectively if we bake security controls

178
00:11:04,708 –> 00:11:07,140
Paul Garner: and the importance of them into the organization at a

179
00:11:07,140 –> 00:11:10,559
Paul Garner: design level as quickly as possible,” effectively.

180
00:11:11,309 –> 00:11:13,230
Sean Aylmer: Paul, thank you for talking to Fear and Greed.

181
00:11:13,710 –> 00:11:14,130
Paul Garner: Thank you.

182
00:11:15,000 –> 00:11:17,850
Sean Aylmer: That was Paul Garner, co-founder and Chief Operating Officer

183
00:11:17,910 –> 00:11:20,669
Sean Aylmer: of Plerion, a supporter of this podcast. This is the

184
00:11:20,670 –> 00:11:23,279
Sean Aylmer: Fear and Greed Business Interview. Join us every morning for

185
00:11:23,279 –> 00:11:25,559
Sean Aylmer: the full episode of Fear and Greed, Australia’s best business

186
00:11:25,559 –> 00:11:27,900
Sean Aylmer: podcast. I’m Sean Aylmer, enjoy your day.