• Garrett O’Hara

    Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


    Add comment

This week our hosts were live online, streaming on our new GCR TV YouTube channel and hosting a live audience via Zoom. Dan, Gar and Brad take a look back over the cyber events and challenges that shaped the year, review some of the insights that our incredible guests have brought to the show in 2020, discuss how to cyber resilient across the holiday season and peer into the crystal ball to make some predictions on what 2021 will bring.

View the video from this episode on our new GCR TV YouTube channel here: https://www.youtube.com/channel/UCpJWYZq9-RvCBMVZif8YgZg


The Get Cyber Resilient Show Episode #41 Transcript

Garrett O'Hara: [00:00:00] Welcome to The Get Cyber Resilient podcast, I'm Gar O'Hara. This is our end of year wrap up episode recorded live via Zoom, and you YouTube for the inaugural GC or TV episode with Dan McDermott hosting and regular Bradley Sing. After 40 episodes where we spoke to seven CSOs, six boaters, five podcast hosts, a professional actor and an organizational psychologist and CEOs, security practitioners and vendors, we've gone broad and we've gone deep over the year. So, Dan and myself go through the themes and the learnings from a year of those cyber resilience conversations, Brad and Dan then cover off the big stories from the year, and we finished with the traditional crystal ball gazing for what 2021 will bring with some big hole there. It's nothing like recording live for good energy. So I hope you enjoy over to the episode.

Dan McDermott: [00:00:53] Good afternoon. Welcome to, uh, the end of the year wrap up for, uh, The Get Cyber Resilient Show. Now, we are live on air, um, and obviously, uh, being joined today by our regular podcasters and Garrett O'Hara. Garrett, great to see you.

Garrett O'Hara: [00:01:09] You too Dan. And, and was nearly gonna say the phrase of 2020, which is, sorry, I'm on mute.

Dan McDermott: [00:01:16] Yes. [laughs] And, uh, and the second person on mute Bradley Sing. Brad, welcome back to the show.

Bradley Sing: [00:01:21] Hey guys. How are we?

Dan McDermott: [00:01:23] Terrific. And, uh, obviously, uh, our conversation of wearing Christmas gear was just stitching me up. So, uh, and that's a great start to the show. Um, but, uh, in is interview, we are getting to Christmas time, um, we've decided to do today live. So thank you all for taking time out of your busy schedules. Um, particularly at this time of year to join us. Um, and as part of that, we wanna make the show as interactive as possible. So please take the time to ask any questions in the Q and A or chat box down that you have as part of the webinar, uh, feel free to click on that. And at any stage we'll look to answer your questions throughout the, uh, throughout the show.

Um, we have dedicated some time at the end for Q and A session as well, if we don't get to everything, but like I say, do feel free to absolutely, uh, join in, uh, as, as we go, ask the questions and uh, um, we'll do our best to, uh, to answer them throughout the show. Uh, I thought we would kick off the year end review by really looking back at actually the show itself, have a look at back at the podcast and, uh, and what's been delivered, um, throughout the year, you know, 40 episodes, um, huge effort by yourself and all of the amazing guests. Um, w- what can you tell us a bit about like what, what you've seen throughout the year?

Garrett O'Hara: [00:02:36] Um, yeah, like it was a big year. I think that's probably the big thing, yeah, that's, took it for me. Um, you know, way back when we were talking about doing this, um, and you, you and I, and at the time Gregor and I were talking about and what the cadence should be. And, you know, we, we decided on one per week and got, as I led said, at this point we've done 40 episodes, which I think is a pretty tremendous commentaries during, during the year. And we've had a bunch of different types of people on. So one of the things I think I, I really like about what we've done is that it's a broad range of folks like CSOs. Where we've had like seven CSOs on, we've had, uh, six co-authors, we've had a professional actor, we've had a, an organizational psychologist, and academics and, and vendors, you know, people experts in particular kinda functional areas of cy- of, uh, cybersecurity. So, I feel like that has been, I, I mean, I'm personally, I've just learned an, actually a ton.

And, um, I know for the sort of the, the sides messages I get from people on LinkedIn and email that they, they, it feels like there's a lot of value in the conversations that we're, we're having. Um, and also it's interesting for me anyway, to see when I went back over the episodes that most of them we've actually done during COVID times, um, which is hilarious. 'Cause I don't know if you remember when [laughs] I went dead in both the recording gear, thinking that [laughs] you know, we would, we'd be, you know, getting taxis around and, and sitting with people and, in Victoria and, uh, Queensland and New South Wales, and bought the gear and then ended up basically doing everything [laughs] via, via Zoom. So we've got that backdrop the whole way through, and then just a big year in, uh, in terms of cybersecurity, I would say in general with the government's enhancements and, you know, all of that stuff. So, yeah, I feel like, you know, for me personally, it just feels like a really like an epic thing that we've managed to do this year.

Dan McDermott: [00:04:25] Yeah. Terrific. And, uh, and as I sort of reflect back and look on the show itself and, and I guess all the guests and that sort of thing, there's been some, I guess key themes that I think have really sort of stood out throughout the, the course of the interviews. Um, really, I guess in some ways, not deliberately, right? Like, like the conversations have been with the people and taking those learnings and that, but as you look back, there's some really cool themes. And I think the first one to me is, is that we are in a technology business. You know, we talk about cyber and the tech and what's required, yet, the number one theme that's come out in many facets is people. Um, what's been your take on, like, as people as a theme throughout the year?

Garrett O'Hara: [00:05:03] I couldn't agree more. It didn't matter almost who the, the guest was. And, and for the audience, this information, maybe it's a little bit heavier sausages are made, but when we're, we have a guest who's lined up, one of the things we ask is like, it's driven by your interests and your passion. So, you know, we don't come with any agenda in terms of, you know, what we wanna talk about. It's really like what's gonna provide value for the audience. So, and to your point, Dan, it's been really interesting to kinda reflect on the, the guests and what they're talking about 'cause [inaudible 00:05:30] people in some format or another, and, you know, that, that's taken different modes. It could be, uh, the end user conversation, you know, how do we get the end users doing the right [inaudible 00:05:42]. There's a lot of, um, I would say [inaudible 00:05:44] from lots of people, um, you know, Chirag, Dr. uh, Jerram, um, Phil Zongo.

Like there's been a bunch of people who... And Beverly Roche, um, Leonie Smith. Like you can just start naming names, but they all have talked about the importance of influencing the individuals and how do we do a better job of that. Um, I think what I took from that is the behavior change thing. You know, once a week, we need to get away from compliance-driven training, and we need to really start thinking about this stuff that is behavior change and, and sort of true cut-through. Um, so definitely saw that as one. The other [inaudible 00:06:17] that surfaced for us [inaudible 00:06:20] insecurity leaders we've had on the call it the, I don't know if you'd call it politics, but the, the need for security leaders to be really good with people and leading, not just their teams, but leading peers within organizations and influencing the business within their organizations.

And, and that has being from like interview one, Mitch Owens and from Gilbert and Tobin right away through, um, all the interviews that has been one of the other key, I would say trends. Is that the people who are really good in, in security are really actually good at people and navigating politics, creating advocates for programs within their organizations, um, you know, and maki- maki- getting people to understand the value of what it is that they're doing and being seen, not as the department of no, but the department of, okay, how do we support you to get where you need to, you know, with the view of, we need to also be secure while we do that?

Dan McDermott: [00:07:12] Hmm. No, definitely that, that buy-in. And I think the other thing, and from a people aspect is as we've gone through COVID, and, and that is like the cyber teams have been like at the frontline from an industry and organizational perspective in many ways. Where I'd like one of the attack volumes going up and with remote working and doing that securely and all of these types of things, um, the impact on, on, on people has been huge. And I think that, you know, at the start of the year, we were talking a bit about the impact on so-and-sos, but I think as the years gone on, I think it's the impact on all sort of cyber teams.

It's every person has worked incredibly hard, the hours that have gone in, um, the stress that's been involved. I think everyone's done an incredible job, but we're seeing sort of, you know, that fatigue and burnout across these teams across the board as well. And, and I guess the, the psychological welfare and wellbeing of people, um, certainly is front and center, uh, for these groups. And, and I think we'll continue to be, you know, in ongoing sort of challenge and part of that, and that people challenge that we have.

Garrett O'Hara: [00:08:14] I, I couldn't agree more. Um, one of the, the things that, it's, it wasn't necessarily the podcast, but that has definitely reinforced m- my kinda view of our industry, which is, it really is a bunch of people who [inaudible 00:08:27] are trying to do some good stuff. Um, you know, how often, when you think about the interviews that we did, people would mention, you know, family or their parents or somebody overseas that they cared about and, or their employees, as, as you said, Dan, you know? So, um, and I think what that leads to is that, that caring, you can't do that without at some level feeling stressed about the fact that it may not go well, and-

Dan McDermott: [00:08:49] Hmm.

Garrett O'Hara: [00:08:49] ... and that is for people's parents, for their, for their kids. Like, you know, Leonie Smith was talking about that, the, um, cybersecurity lady, uh, Cyber Safety Lady, and, you know, that, that whole, how do your parenting in today's day and age, but to your point then around the CSO kinda burn out, um, you know, justly, um, who's an organizational psychologist who's on and talk us through, you know, maybe some of the reasons for that. And in large part, it is because it is an incredibly, uh, stressful job with so many unknowns, with so many things that are, you know, not in your control limited, limited, and fun our resources to, to basically fight out potentially on the, the bad side in infinite army, you know, with infinite kinda opt- options for, for attack. So, and I think I, I totally agree with you. Like, I think it's the fact that [laughs] we are, you know, a caring industry. Um, and I think it's very hard not to, to be a little bit stressed when you care about something. And I think those two things are interrelated.

Dan McDermott: [00:09:43] Yeah, indeed. I think, uh, moving from sort of the people aspect that was sort of seen as, as probably the number one theme and then all of those assets throughout the year, we're seeing some big industry trends as well. So what's been your take on the big key industry movers in 2020?

Garrett O'Hara: [00:09:58] Um, so just sort of what, what I took from the, the interviews and our conversations, the three of us was that, um, I think there's, there's moves in terms of technology. And, uh, you know, when we look at, we had, you know, Palo, uh, Damien from Palo Alto on, you know, we had Kendal from Recorded Future and Luke Francis from CrowdStrike, uh, you know, we've had, uh, a bunch of different vendors and, you know, I'm, I'm kinda scanning over and I'm sure Mr., um, Mr. Joe Carson from Thycotic. Um, but you know, I suppose the point there is that on a platform level, there's some very, very cool things happening now in terms of data protection technologies. So, you know, the, the idea of protecting an organization from the bad things or remediating, you know, in the case of something like threat intel, you know, having the, the insights to, uh, get things fixed quickly or, or an organization like Dekko Secure, you know, where they've brought out their Dekko links, you know, the, um, encrypted ENS and VC technology, which is incredibly timely given code.

And then some of the stuff that's happened with maybe some of the other platforms out there. So just broadly, not just the protection technologies, but I would say, you know, global cybersecurity companies are doing cool things, but also amazing stuff coming, coming out of Australia. The talent here is, you know, if there's an industry trend that, you know, and I know I bang on [laughs] about this all the time, but it just blows my mind, you know, the, the talents we have in terms of technology, in terms of business leadership, when it comes to cyber. Um, I think that that was definitely one that, um, you know, I've seen. Um, and, you know, to, to maybe riff on that is, yes, there's a lot of amazing things happening from technology, but one of the biggest trends, um, that I think we're all sort of becoming more and more, um, aware of and embracing is, um, the idea of integration and, and automation as, uh, sort of an outcome of that.

So, uh, you know, organizations like [inaudible 00:11:47] for integrating with Mimecast, for example, or how does Mimecast integrate with Palo or, you know, pick any two vendors, I'm just using those as examples. Um, so that kinda horizontal, you know, threat intel sharing between platforms has become, uh, a key. Um, but also automation, you know, you're watching things like, uh, store integrations become a, a critical component now as people move forward because the, the overwhelming amount of stuff that's coming through, you just, it's sort of almost we're at a point where humans just can't keep the meantime to detect and respond low enough to be able to do that well. So I think, you know, from a tech perspective, definitely see those, those two kinda trends.

Dan McDermott: [00:12:26] I think looking back, the, the third mega trend that I, so- sort of seeing throughout the show is, and that is I think, and, and why the show has been able to, to exist, right? And have an audience is, is the elevation of cyber in, in the overall consciousness of, of the country overall. And I, I would argue that, you know, behind COVID, um, it's, it's probably almost number two on, on the national conference radar at the moment, um, from so many aspects around what needs to happen in, on daily life to your organizations to the way that you work. Um, and the importance of, of what the industry does seems to really elevate it. Is that something that you sort of seeing come through from the guests as well?

Garrett O'Hara: [00:13:06] Yeah, it, so absolutely. I would say, you know, the voice of security has gone from, you know, 8 to 11 or 12 on the dollar for months. And, you know, and we'd always say it could be ladder and, you know, I get that, but I think it's the work in progress and we're, we're on a good trajectory. And like, my comment on that is, I don't know if this kinda confirmation bias here, given that we've had some, you know, incredible guests on, you know, Phil Zongo, Craig Ford, Shamane Tan, um, Dr. Cate Jerram, um, Chirag Joshi. Like there's been a bunch of, uh, like people who were leading the charge when it comes to elevating the conversation about how to do cyber and do it well.

And, you know, I think that is a big part of it. We've moved from being seen as an industry that maybe is, you know, tenfold hat, you know, bits and bytes to actually now we're part of the business conversation because we have to, we have to be, um, you know, we're watching those big news stories hit internationally and locally, and it's moved, um, more from a, you know, a bubble of security into the mainstream on it. And I, you know how I know that's true. Um, and I think I've mentioned this to you guys before, like my secrets, uh, Ashes, Jack Reacher novels, which like they're ridiculous, but oh my God, they're just, they're so enjoyable. And, you know, there's one every year, everybody knows exactly what's gonna happen. Um, you know, he's, for those who don't know, they're, they're sort of action sort of adventure, thriller novels with a guy called Jack Reacher who's just this unbeatable, um, ex-military intelligence guy or, uh, military, um, police guy.

So the, the fulcrum or the pivot point of that whole novel list here, and I'm not giving anything away 'cause it happens pretty early, but it's around ransomware in the US 10. [laughs] So, you know, for me, it's like, okay, here we are, you know, we, we've hit mainstream. Um, you know, and it wasn't, uh, most of it was pretty realistic in terms of what the outcomes were. You know, traffic lights were at, uh, the, the 10 citizens were very annoyed at one particular person 'cause they kinda blamed him for it. Um, but for me, there you go, like, do you need a better signal that we, you know, we hit the mainstream? Then, you know, um, Lee Child has now kinda, Lee Child and Andrew Child, his brother co-wrote the book. But, um, yeah, it, it feels maybe disrespectful of it. We've just had, we've mentioned a bunch of very respectable cyber authors and then I've managed to bring it into Jack Reacher novels, but, you know, hopefully the point stands.

Dan McDermott: [00:15:26] [laughs] Yeah. Well, you know, cyber might be number one on the bookseller list after all. So, uh, you know, which is a, which is a good place to be. Um, just a last reflection from you, I guess on the year, and then in the show, you know, has there been any aha moments that have occurred, um, that really has stood out to you?

Garrett O'Hara: [00:15:44] Yeah, pretty much every single conversation. And, you know, I, I do sort of say that and yeah, I chose, you know, that I learned a lot and that's, that isn't sort of BS. That's been very, very much true. Every single person I've talked to, um, you know, selfishly part of the reason I love doing it is because at the end of it, I'm sort of I know more, um, hopefully. [laughs] Eventually I'll get there. You know, on motive. But,, uh, some of the big ones, I, I thought the conversation, like, they were all amazing. So, you know, absolutely really loved all of them. Um, like Joseph Carson's, uh, the conversation about Estonia and cyber resilience at a national level, uh, that just really struck some chords with me.

Just in terms of the, the things that they thought about like data embassies, hence, you know, the implications for when you think about resilience and the potential to be allo- you know, allowing invasions to happen, it's not good enough to have your data backed up spoils within your country, but actually now you need to have basically embassies where your data lives. And, you know, it see some air code sovereign soil, but actually it's, you know, sitting in Belgium or less than Bora Bora or other places in Europe, I think that was, um, that was quite impressive. And, you know, Phil Zongo, I go back to that guy all the time. 'Cause his book, um, you know, the, The Five Anchors of Cyber Resilience, it's like for me, it's, it's one of the best books I've read in, on this topic, you know, it's just such a shortcut.

Uh, but he had some commentary about, um, just kinda, um, what do you call it? The conservative approach to target in-state when you're a security practitioner or a CSO. So as you go into an organization and you're looking at building out a program, there was this kinda local moment where I think sometimes maybe we all maybe try and over-promise because we're so desperate to fix the problems. And his comment was, you know, one of those moments that it's, it's not so much obvious, but it seems clear when somebody says it. And, but that point of choosing a, a realistic target in-state, working a program, getting advocates to buy into that, getting to that in-state. And then what you've done is proven that you can do it and that you're realistic and that you understand the business. Um, so, you know, it's not as exciting as that MCs, but it was one of those moments from like actually that, that really makes a huge amount of sense.

Dan McDermott: [00:17:50] Yeah. Like you say, like when you, when you say it, it sounds obvious, right? But it's not necessarily a way because people wanna solve everything and no one wanna, you know, and also it's hard to get secure budget and resources. And so, so you feel like sometimes you have, you've got to stretch things to, you know, really promise the world, right? In order to get what you need. Um, and then it's like, but then you're on the hook for, for that delivery as well. So it's definitely being realistic and achieving incrementally is a, is a fundamental part of, of the role and what needs to occur.

So, look, thanks for spending time looking back on, on the show and the great guests that we've had in that. Um, and we'll pivot, sort of, another word for 2020 pivot, uh, for, uh, uh, to Brad and really start to have a look at the, the news it's been in the year and, um, kick off with, I guess, um, the year in review. And, and I think that we start with a bit of cyber making, I guess, the headlines for all the wrong reasons, right? The breaches that were, um, that seems to be unrelenting. Right? I've got from the start of the year, till this week. Right? Or there's always a new breach in the news and that. What do you take from the, from the approaches of, of 2020?

Bradley Sing: [00:18:54] Uh, I think we spoke about this, um, in an earlier episode, but it- it's almost like breach fatigue, right? Like it's another day, another news article, another company getting ransomware. But, um, I think the reality is like, it's, we've seen consistently over 2020, more and more Australian organizations being targeted. Um, if we remember back to the very start of the year, we had a few logistics companies get breached. Um, there was few public transport companies and then there was driver's licenses flying around on the dark web. Um, I really take your point in terms of the, um, I guess, feeling targeted. Um, I feel like I get a missed call from a dodgy phone number every single day. Something, which I don't think I, I got for, for quite a few years there. So I think for, for all of us, we're definitely feeling a bit under the pump.

Dan McDermott: [00:19:37] Yeah. And it's, uh, and like you say, it's interesting though, to sort of, some of those purchases were pre-COVID, if we can remember those days. Right? But I think that the second big thing that's happened this year is, is obviously, is COVID, right? And, um, what sort of thing, your take on its impact on the world of cyber?

Bradley Sing: [00:19:55] I think we've seen, uh, [laughs] see a whole range of different things. Like we've obviously seen, um, uh, uh, well actually quite recently we've seen, uh, allegedly vaccines being posted on the dark web and a, a whole range of scams trying to sell vaccines, which obviously in Australia, not as relevant 'cause we're relatively COVID-free, but in other areas of the world. You can imagine how successful some of those scams might be or how much money some people might pay to, you know, to jump the queue effectively.

Dan McDermott: [00:20:21] Yeah. But I think it's like, I remember it that way, like right at the start in, in March when we sort of, you know, got, got marched home from the offices and, and everybody was working from home, like the spike that we saw in, in actual activity and using COVID as lure as in, you know, I think it was everything from, you know, uh, pretending to be sort of camp local councils, um, and saying, you know, how to get information or where to get tested through to, you know, things like, you know, obviously sort of buying toilet paper and, and hand sanitizer, the public, the big purchase items of the year. Right? So, um, it's been used in so many different ways, I think to actually really create that cut-through and it shows that when times of vulnerability for people, um, the attackers don't need somebody to do that.

Bradley Sing: [00:21:12] Yeah c- certainly not. And I think we see this around kind of obviously any holiday period, but I mean, specifically with COVID like for our, for our core correctly, we saw thousands of domain names registered within the first week. So, you know, these are people out there actively trying to gain off, I guess, I guess this d- disruption, um, we we're not gonna see it go away as well. We're gonna continue to see cover related scams though, because it's, it's obviously gonna be, um, the, for a bit longer.

Dan McDermott: [00:21:37] That's right. And I guess some of the other thing that, um, that was still sort of, you know, rise up and have a, a big debate within the community, or either around the COVIDSafe app and, you know, the first thing sort of being like, well, what's happening to my data. Is it secure? Can I use this, um, uh, yet I don't know about you, but I haven't seen anybody really use the COVIDSafe that very much.

Bradley Sing: [00:21:59] COVIDSafe. It's yeah. It's certainly been a while since we discussed it. And it's, it's been a continuing conversation, like a very, uh, interesting one to follow on Twitter and social media as well. Like a lot of, I think a lot of people in cybersecurity really caring about their privacy, but obviously wanting to do what's best for, for health as well. Um, for those who don't know COVIDSafe is coming back. Um, so apparently, or allegedly, um, it's being redeveloped using a protocol, uh, from VMware called Herald,, and a big part of that allows it to effectively communicate between iOS and Android devices.

Whereas, I think before one of the initial big problems was if you had an iPhone or something was relatively hard to get reliable, um, t- contact tracing data. Uh, well, uh, in, in COVIDSafe's defense, um, it was used during one of the New South Wales outbreaks to find a, a, a untraceable previously unknown casters. I think we have seen some success with it. Unfortunately it wasn't used in Melbourne during our kinda, you know, really, really harsh lockdown and kinda, uh, COVID outbreak down here. Um, but I believe the plan is, to um, there's gonna be a lot of advertising from the government around COVIDSafe and they're gonna kinda try and re-push people to, uh, download the app for, uh, the holidays.

Dan McDermott: [00:23:06] Yeah, look, uh, and we're going to refer to it as the second wave of this thing [inaudible 00:23:10]. I think that would go down too well, but it definitely like the notion of contact tracing as an important mechanism for, you know, for protection and going forward is certainly something that, uh, is, is I think required and we need good ways of doing it. Right? And then obviously there's, you know, the health and implications at the macro level of the cyber implications are huge and we've gotta make sure that that's well protected and well covered. Brad, one of the things that you mentioned as part of sort of, I guess, those preachers and, and what's been happening throughout the year is, is the sort of dirty work ransomware. Right? It's, uh, and, and I feel like it has just gone to another level altogether, um, this year. Um, you know, I don't know if it's just, you know, d- drinking from the fire hose, right?

Being in the industry and, and sort of seeing everything that comes through. But I feel like it's just gone, escalated to a new point altogether in terms of the volume of attacks, the sophistication, but more so the ask, right? The, the, the a- the actual ransoms being applied no longer is it, you know, a, a couple of iTunes vouchers sort of thing. It's, you know, tens of thousands of not more, of dollars being asked for. And then the notion of, you know, uh, putti- basically threatening that, you know, they'll release the data onto the dark web, um, and for sale. So the negotiation, with the, you know, ransomware terrorists, if you like, um, it's got even more complicated. Garrett, I know you've got some thoughts on, on what's happened here. And, and I think the challenges that are inherent in ransomware as we sort of move forward as well.

Garrett O'Hara: [00:24:48] Yeah. Like it's, uh, it's, it's, it's one of those ones that h- has, it felt like the, the torrent has turned into, like a float has turned into, you know, just this overwhelming, um, amount of ransomware. And to, you know, your like to your point earlier, and the volume has increased. And, and then what we're, what we're seeing and witnessing is the trajectory increase in terms of what they're doing to apply pressure. And it almost feels like the good old days when really all you had to worry about was your files being locked up. And, and then to your point, now is your files being locked up, but actually we also have them and we're gonna publish them, so, you know, pay it up. And, um, we're, we're starting to see a little bit, um, potentially of, even a third type where you might have, um, the exfil of data, but then depending on what the company is or the organization that is, that has been breached, the ability to use the breached data to go after individuals.

So for example, if it was, um, I don't know, like the, there was one example, I think, in the Scandinavian countries, which was around a psychology, um, essentially a franchise organization from what I understood. But you think about the, the, the potential for very, very sensitive records, that would be part of that breach. And, um, you know, if you got an email saying, "Hey, look, we have this stuff, we're gonna email your work in your workplace. And, um, you know, your family, we have all that information, you know, unless you, uh, pay, pay off some..." I think what we're seeing in ransomware is that it's turned from, you know, the, what, what originally was actually quite a, a sort of consumer-focused attack, right? It was, you know, they bob your photos that you took over the last 10 years, aren't available. So, you know, that's a nuisance, but no one's life has really changed going after the corporate entities where there's obviously a bigger pay, it's bigger money.

And, and now the escalation of that within those corporate environments into now going after potentially either deliberately or accidentally, but you're seeing critical infrastructure, healthcare, uh, you know, the, the, the, the things that are very meaningful to the society operating where you probably don't really get to be as cavalier as saying, "Hey, we're not gonna pay the ransomware because, you know, 'cause people are in ICU," you know, like, I, I don't know, but it feels like you can't really have that conversation. If you, if there's the chance you're gonna save a bunch of lives and you're probably gonna pursue that avenue.

Dan McDermott: [00:27:04] Hmm.

Garrett O'Hara: [00:27:04] And then you're into the complexities around regulations and legislation, where, what do you do if it's a sanctioned organization? And what do you do if it sort of, uh, you know, goes absolutely against, um, government regulations or law, then you're instead a, a sort of bunch of hot water. And, you know, we've, we've sort of seen examples and stories during this year where very large organizations got popped very visibly. And, um, have come back online, you know, sometime later and you'd hope like that that's through the remediation activities, but potentially it's not.

And I suppose, as a society, we, we now have a choice where we, we need to figure this out, I would say. Uh, is that sanctions, is it regulations? Is it something around cryptocurrency? And which is weirdly being legitimized this year with PayPal's moves and a bunch of stuff there, but previously, you know, it's maybe it's controversial, but you know, the most part cryptocurrencies were kind of a question mark, when it came to most legitimate or respectable organizations, but now you're starting to see it become more mainstream. And that makes the job of making that controlled much more difficult. So, you know, potentially governments could have done something on that level.

That's now become more difficult. So, you know, sanctions regulations great in theory. But if it means an organization's operations are shut down for any meaningful amount of time, you know, job losses, the impact, you know, the economies, you know, the impact to GDP. So it's like, to me, it's, the conversations now at that level, it's not, and you made the, you made the point, right? It's, it's second after COVID. It has to be because the impact economically is so meaningful that it has to be on government's radars to take this beyond just, you know, beyond a nuisance factor and, you know, the equivalent of somebody breaking into a car. It's actually a huge societal level issue now.

Dan McDermott: [00:28:56] Hmm. Yeah. Very true. So just a quick reminder to the audience. If anybody does have questions, please feel free to use the, the Q and A box there, um, ask the questions and then we'll get to address those. But there are a couple of things. I think one that you spoke about there is, is we saw, you know, the very real world consequences of COVID and ransomware coming together for the most devastating impact with, uh, the first report of deaths from ransomware, um, being in Germany, um, during this period. So it does show like the, the crossover into, you know, I guess, real world implications and what that means as well. So I think that, you know, we saw those two things combined tragically during the year as well. Um, and it really does show that like, you know, we've got to be, you know, be able to sort of, I guess, take control and take back control as much as possible, um, to not allow these things to occur because the implications are huge.

The last thing that you were talking about there, as well as this is, I guess, the role of government, the role of government overall in cyber and what's happening. And, and, um, I think I will always remember, uh, June 16th, um, this year without our, our prime minister standing up and saying, "Australia is under cyber attack." And, um, and all of us sort of having a quick freak out that it was actually happening right there and then, and then realizing he was talking about this sustained, I guess, attack on us. But it has opened up the conversation in a new way, right? It has some brought to life, you know, that as a nation, we were under attack and, and that other nations are interested in what we have and, and, and come after us into a whole variety of different ways.

Um, that the volume of attacks are so high that, um, you know, being, you know, a reasonably, you know, well-off of economy that, you know, individuals can be targeted very easily and, you know, for reasonable amounts of money, right? And for them devastating personally, but, you know, for, for the attackers, uh, you know, a very viable way of actually getting some money as well. So it's, um, I think that like the notion of, I guess the role of government, Brad, and then sort of like sit and think what we've seen off the back of that announcement with the cybersecurity strategy. Um, and what's the investment that's been sort of promised into the sector, um, I guess is sort of a, a real positive for the industry and where we're heading as well.

Bradley Sing: [00:31:09] Yeah, certainly I think it's like, it's the first time in, in a long time I think we've seen the government formally announced how big of an issue cybersecurity is, and almost, you know, um, parodying the, the private industry where they've got similar issues with skills, shortages, lack of expertise. You know, it's hard to find good people who know how to do cybersecurity. So it's obviously gonna cost, uh, I think a lot of money and a lot of investment is needed. Um, what we have started to see though, is I guess the, I guess the, the stretch of what is defined as critical infrastructure within Australia. It's actually going through reform and parliament right now.

Um, and it's quite interesting if you think about a world of interconnected technologies and on a guy who spent quite heavily about IoTs. Um, I think when those new guidelines came out. But if we think about a world where you've got IoT drones fighting bush fires and, um, parking meters and all that kinda stuff, that's a lot of different areas for compromise. And we also learned during COVID how, or what's critical, right? So is it just gonna be a hospital? No, the supermarket's important 'cause you need to eat food, right? So it's part of this new bill. Um, I'm gonna read all the sectors 'cause there's a lot of sectors there. [laughs] Um, um, basically what it means is, um, for the sectors, they're defined as critical infrastructure, like they have to maintain a risk register and there's penalty units, if they do the wrong thing.

So, basically, a high degree of cyber hygiene and safety. Um, but also the government can send in their crack team or their cybersecurity response team or whatever it is and look at your files and potentially, yeah, protect it because it's an asset. So absolutely fascinating in terms of, I guess, a shift in terms of the industries, it's communication, financial services and markets, data storage processing, the defense industry, higher education research, energy, food and grocery, healthcare and medical, the transport sector, water and sewage, and finally space technology, which is, uh, which is awesome.

Garrett O'Hara: [00:32:59] And I think-

Dan McDermott: [00:33:00] Oh. Sorry, go ahead. Yeah.

Garrett O'Hara: [00:33:01] Yeah. I was just kinda gonna riff on what Brad said. I mean, tend to, to both of your comments, like this is so complex when you think of it. It, it's across pretty much everything, you know, it's private enterprise and, you know, the, the story that's gonna hit in the US, uh, recently where, you know, a lot of their, um, large kinda agencies and organizations have being hit, but through, you know, private organizations who are very, very good at what they do and, you know, having to get hit by the, you know, very advanced combination state. And, you know, how does that play out given that there's government's information sitting in a private enterprise and vice versa, and th- the role of universities and the IP that's locked up and them? Um, you know, small businesses, medium-sized, large enterprises, how this stuff all plays together.

Like we, I really feel like we, we need to figure it out because, um, if we don't, if we don't sort of all come together and not to sound like a bi- big hippie as always, but it feels like that's where the power is. You know, if we, if we really start collaborating to kinda beat this stuff down, that's where the win is. And, you know, as much as I'd love to see that happen naturally through kinda, you know, their "marketing forces", I think sometimes because it's so easy to externalize costs when you're operating a business, sometimes it actually takes, you know, u- unfortunately the big stick of regulations to get this stuff done. And so I don't know this a lot of interesting stuff I think will happen in 2021.

Bradley Sing: [00:34:17] It's, it's certainly, certainly pretty interesting regulation. Like there was, um, I did, so you can go on the government website and read like all the individual submission statements and there's about 125 submissions from different Australian organizations. And, um, I won't name which oil and gas company, but there was an oil and gas company breached a while ago. And their submission was kind of like, "Oh, we don't want the government coming in," and their argument was, um, something along the lines of, uh, the gas pipeline isn't critical a- and we don't own it, so it shouldn't apply to us.

But I thought it was fascinating if you think about that, that whole conversation around privacy. And then if we think about the Patriots Act in America, which is, you know, originally designed around terrorism with the American government can effectively go into any private organization if the data is held there, it's a very similar thing here in Australia. And it's a scary thing. Um, you know, we've seen that AFP raid journalists office [laughs] over the past two years, you know, it's, it's, it's even more central power, I'd argue.

Dan McDermott: [00:35:13] Yeah. Look, and we've got comment from, uh, from the Episode Number One, if you ever go back and have a listen, uh, uh, interview, uh, um, Mitch Owens talking about the fact that, like, I think the thing is, is that it is how wide reaching will this be? Right? Because if you start layering it out into all of these different areas, the supply chain effect and the impact on not only sort of the big businesses and, you know, you sort of think of the utility company running the power grid. But that's one thing, but it's like, it's all, everybody that's involved in, all of the suppliers to that.

Um, and then sort of, Mitch's speaking about the fact that, you know, will the local 711 franchise become part of national critical infrastructure. And, you know, when we look at what happened this year and, you know, if you think of food or groceries or, uh, you know, critically as we know, sort of toilet paper supplies and that type of thing, you know, if they're part of that, are they're now caught up within the overall legislation. And then what's the, I think the, the cost implications for that, for those businesses as well, like how can a small business, you know, look to take on some of these obligations? I think is gonna be really, really challenging as we move forward.

Garrett O'Hara: [00:36:25] Yeah, totally agree. Once Dan actually makes that list, uh, and kinda refuse, like, I'll be okay, seem to...

Bradley Sing: [00:36:31] You're right. 'Cause bottle shops were open. Right? So technically, does that mean... Yeah. Interesting.

Dan McDermott: [00:36:37] Yeah. Food supply chain. So, uh, um, I guess, uh, um, final sort of notion from looking back over the news in the year and that, and a little bit of looking forward, Brad, any, uh, any holiday tips that you have for us or warnings?

Bradley Sing: [00:36:50] Well, I don't know about everyone else, but this year, Black Friday, Cyber Monday, whatever you wanna call it, definitely felt a li- little bit bigger, and I think that's because we were all stuck at home, trying to order things for Christmas, getting all those tech deals. Um, interestingly enough, it was the biggest weekend ever for Australia post. So I feel like me, you know, waiting for several things and making a daily trip to the post office, [laughs] there's probably a reason it hasn't come yet. Um, but you've also missed out on the deadline for Christmas.

So if you are ordering something for somebody, don't order online, go, go buy it in the shops, but also just be mindful of all the last minute COVID scams, um, uh, which, you know, we think is around online delivery, free delivery, free shipping, get the latest schedule, et cetera, et cetera. Um, it's gonna be a, a busy Christmas, it's gonna be, uh, a warm Christmas as well. So I guess, make sure you keep safe. And the biggest thing in, in back towards Gar's theme, around people at the start of the day, as well is, uh, make sure you can be cyber aware to other people as well. I think, you know, if you can help your friends and family, then they're the ones who will need most help during this time.

Dan McDermott: [00:37:47] Yeah, very true. And, um, just to finish on 2021, looking forward, any sort of predictions that you guys have, or what's your, so, what's the crystal ball saying?

Garrett O'Hara: [00:37:58] Yeah. I, I reckon by July, 2021, we'll have cybersecurity figured out, um, you know, w- some real events, uh, you know, 100% effective engine and, uh, we can all just go and sit at the beach. Now, look at, the, the reality is I think, you know, every year, um, Dan, you and I think we'll be totally [inaudible 00:38:15] and actually Brad as well, like the predictions that come in and, you know, things change for sure, but they tend to not change as much as you would want to. And I don't think things like ransomware, uh, those kinds of attacks, you know, when we, when we spoke to Prescott Pym actually, our very own from Verizon, the D- the, uh, the DVR reports, uh, one of the things he commented on, or the reports sort of shows is just how often the, the sort of vanilla attacks are the ones that everybody kinda continues to use because they're effective.

So I feel like that, that's my prediction. Is like, you know, it won't be changed. And actually so much of this stuff will stay the same. And I think what I've seen this year is that, um, you know, and I always make this joke, I'm afraid to say machine learning and AI on any call where there's people in cybersecurity, 'cause they tend to roll their eyes and, you know, blah, blah, blah. But I think we're, we're at a point where it's utility in pattern analysis. So, you know, uh, whether that's email, language, salutation anal- uh, analysis, um, sending pattern analysis, that sort of stuff, and, you know, it's used within things like, uh, URLs and domain. So web security, email security, um, but also then some of the AIs to proceed to recognize what a credential hosting, uh, looks like on a website. I think that stuff is starting to feel pretty exciting. And I think we've luckily at this stage come past, I would hope the hype cycle, and actually now we're starting to see some real utility in that.

So I think by the end of 2021, you people won't roll their eyes anymore. And you know, it'll be more of a conversation about cool, like, "How does that stuff, you know, how does that stuff work?" And then maybe, uh, maybe a huge prediction, but somewhere around the world, the government's gonna go hard on the ransomware problem, um, and maybe their involvements in radiation. And that may be sanctioning. And maybe, um, you know, somebody mentioned cryptocurrencies in one of the questions and maybe, you know, legislation around, what, how do we actually deal with this thing of cryptocurrencies where we take away the ability to anonymize currency through, you know, through tumblers, um, if you do it properly, um, like how do we fix that? Because you cut all the finances, you know, largely the problem starts to go away.

Dan McDermott: [00:40:23] Cool. To the hit on that I heard Danka was that AI will solve cybersecurity. I don't know what you think of that?

Garrett O'Hara: [00:40:29] On, on July, 2021.

Dan McDermott: [00:40:31] Yeah.

Bradley Sing: [00:40:31] Yeah. And to, and to buy, and to buy Bitcoin.

Garrett O'Hara: [00:40:34] Yes. Well, it's hit a new, a new high. It's hilarious. I feel like I just missed that boat completely.

Dan McDermott: [00:40:40] And Brad, what about yourself?

Bradley Sing: [00:40:42] Um, yeah, I de- definitely should have prepared for this one a bit, but, um, look, I just wanna echo Gar's point as well. I think the fact... Part of the... The big challenge of cybersecurity is that we're seeing a lot of organizations getting breached by known exploits and known tools and the same basic stuff over and over again, if organizations would follow, you know, basic patching antivirus to a large degree, I feel like cybersecurity wouldn't be in the news as much. Um, what I do suspect, I, I, I guess the, the prediction made for 2021 is I think, we're gonna see a lot more IoT-related breaches. And we're kinda speaking about like COVID checking in and stuff earlier in the, in the, um, the show. But you know, like when you go and put your details in every little cafe and every restaurant you go to, where are those details going?

I have absolutely no idea. I mean, it's the first name, it's my email address at the end of the day. But what happens when I have to go to the doctor's the next time or go, I don't know. It's... Yeah. So I d- I, I'd say IoTs be, be wary of them, and be wary of the ones you have in your home as well. I watched this fantastic video on YouTube the other day where these guys bought this really cheap router from Walmart. They set it up and installed it at home. And I think within 10 minutes or something, the network was infected. So really cool stuff.

Dan McDermott: [00:41:53] Yeah. No, very true. I think you're right. And the, the, the prevalence of IoT is just exploding, right? And so, um, in every aspect of sort of loss and that as well. So, it's, you know, you're right that it is gonna have a major impact across, you know, your personal life as well as for every organization out there, as well as they start to deploy and utilize that technology for sure. So Gar, we do have the first set of questions through which you, you answered a little bit, um, around cryptocurrency and, and has that actually accelerated cyber attacks?

Garrett O'Hara: [00:42:22] It definitely has. Uh, what I would say is, I mean, the two, the two kinda funnels from money when it comes to cyber attacks and there's more, right? So, you know, we won't get into, you know, attacking a company to short stock and, you know, do that kinda very, very esoteric kinda, uh, advanced, um, sort of financing from cyber, but really the two big ones is business email compromise. So how do you just fool people into sending money to the wrong bank account? Pull the money that way? But the other big one, um, you know, ransomware, it kinda doesn't exist without cryptocurrencies, or it doesn't exist nearly as easily, um, I would say.

Um, you know, we, we've seen the rapid emergence of ransomware as a service and not just that, but actually, you know, access brokers. I mean, you guys are probably aware of all the, the, the sort of the industry that has now risen up around ransomware, where you've got just specialized operators that can give you the access and they'll charge for access broker. And you've got the amazing crews that, you know, build, um, you know, the, the front pages and, and do logistics. You've got literally service delivery and support teams, [laughs] right? There are outsourced support for, uh-

Dan McDermott: [00:43:31] Yeah.

Garrett O'Hara: [00:43:31] ... ransomware, like, think about it, all of those, like how many of those can only exist with, with cryptocurrencies being the, the way that they get their funds. I think, you know, if you, if you shot both of that as a mechanism for them receiving funds, like everybody's life just gets a little bit easier. But kinda the point of cryptocurrencies is that that's pretty hard to do. So, you know, it's a little bit like saying, you know, we're gonna make a, you know, end-to-end encryption in [inaudible 00:43:58] or that's cool. It takes two seconds for people who want to, to go spin up something else that can do end-to-end encryption. So, you know, I, I suppose that the, the question would be, how do you control cryptocurrencies? But I think it's, it's undeniable that the existence of cryptocurrencies has led to just a huge proliferation of ransomware.

Dan McDermott: [00:44:17] Yeah. I mean, we spoke before about the fact that it mo- has moved from, you know, uh, sort of a consumer play with iTunes vouchers to, you know, a very lucrative hundreds of thousands of dollars, if not millions of dollars of ransom, which is all through, through cryptocurrency, right? That's the only way to sort of be able to pay. You're not going and buying that many iTunes vouchers. So, um, so it's definitely has increased the, the, the stakes that are at play. Um, and like you say, it's incredible to think that, you know, it's, it's very nice of the ransomware attackers to provide a help desk, you know, to, to help you out to, uh, to be able to pay the ransom.

And that as well, it's incredible, like it is an industry in its own, right? Um, the way that it's now developed and got to, and I think the question is spot on that it is, you know, and like you say that if we need to try to cut it off at the knees, otherwise, um, you know, it will, it's got huge amounts of funding now. Um, and the infrastructure then that's put in place around it to continue to fuel that as an industry, um, unfortunately is, uh, is there and we need to find ways to, to cut it off. Otherwise, it, uh, will continue to exist and, and probably continue to, uh, to escalate in terms of the, the asking prices as well.

Garrett O'Hara: [00:45:31] Definitely. So, I mean, y- y- you may have heard that the first ransomware that ever happened was like back in the early '80s and it was, um, part of, uh, th- the, they used to send, uh, floppy disks and, you know, you know, disks with magazines where you can get like utilities, they're free and all that stuff back in the good old days. And, uh, there was, uh, VISA ransomware on one of those magazines out of the UK originally, and, and you had to mail a ch- a check or a postal order to Panama, uh, to get the key to unlock. So, you know, we've, we've definitely come a long way. Um, maybe not in a good way. [laughs]

Dan McDermott: [00:46:04] [laughs] Yeah. Very true. And we'd like to just say a huge thank you to, to Gar for doing this every week. 40 episodes, um, has been an incredible effort, um, been very privileged to have you actually run this for us. And that Brad for joining us every month and really giving your insights and being in the cybersecurity expert of what's happening, you know, in the market and getting those insights has been fantastic. But most importantly, uh, we couldn't do this, we couldn't deliver 40 episodes and, and be able to have these shows without an audience, without people who actually do listen in and actually provide feedback and provide generosity of their time, both as guests and as listeners.

So, um, so we thank you all sincerely for that. We wish you all the very best for a very safe, COVID-safe Christmas and, and New Year and holiday season. Um, if you're like me, certainly need a break, um, time to refresh and, um, will then look to, to bring back The Get Cyber Resilient Show next year, um, so we'll kick off in early February, um, and continue to, uh, hopefully be able to deliver interesting insights, conversations, and people for us all to learn from. And, um, on that note, we'll, uh, we'll wrap up the, the interview show, um, and, uh, really look forward to having a break and seeing you all again, um, and hopefully, uh, tuning in and listening from February. So thank you again.

Garrett O'Hara: [00:47:21] And thanks to you, Dan. You know, none of this happens without your support. So, uh, yeah, definitely don't wanna let that opportunity to, to say kinda things publicly to, uh, fly past. And also to the guests as well. For me personally, I've loved talking to absolutely every single one of you. So I appreciate that. And, uh, thank you for being there.

Dan McDermott: [00:47:38] Terrific. Well, thanks all. Enjoy the rest of the day. And, uh, we'll see you again in February. Have a great break.

Garrett O'Hara: [00:47:51] And that is a wrap for 2020. We're back in February, 2021 with the podcast, and we're looking at some exciting changes in our approach. So watch this space. Huge thank you to every single guest this year. It's an absolute privileged to have gotten your time and your insights. We really, really do appreciate it. And huge thanks to Dan and Brad for being such a pleasure to work with and for all of their support. But most importantly, thank you for listening to The Get Cyber Resilient podcast. We came into podcast with one purpose in mind, and that was how can we create something of value for the broader cyber community? I'd like to think we did that during 2020 and look forward to doing it even better in 2021. So, thanks to you for being part of The Get Cyber Resilient community. I'll say goodbye for now. And I look forward to catching you on the next episode in 2021.


Chief Field Technologist APAC, Mimecast

Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.

Stay safe and secure with latest information and news on threats.
User Name
Garrett O’Hara