Daniel McDermott

Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.



On this week’s episode, the team kick off with a review of the latest developments and impacts from the Medibank and Optus breaches. We then investigate the Thales data breach that wasn’t through their IT systems, as well as another win for the good guys with the arrest of 59 suspected scammers across Europe. We then wrap up with the latest breaches and vulnerabilities to make the headlines.


The Get Cyber Resilient Show Episode #118 Transcript

Dan McDermott: Welcome back to the Get Cyber Resilient Show. This week is our Behind the News episode. I'm Dan McDermott, your host for today, and I'm joined by our resident cyber security experts Garrett O'Hara and Vinh Nguyen.

Today, we will continue our review of the latest developments and impacts of the Medibank and Optus breaches. Next, we'll look into the Thales data breach that wasn't through their IT systems. Then, we'll look at another win for the good guys, with the arrest of 59 suspected scammers across Europe. And as always, we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines.

Gar and Vinh, welcome to episode 118. Let's start this week, as we have for the past several episodes now, with the continued saga and fallout from the Medibank and Optus breaches.

Garrett O'Hara: So you know it's a good story, Dan, isn't it? We have to do less work. The, the first story's chosen for us. Yeah. Look, it's, obviously it's been a couple of weeks since we've since we've talked about this, and I suppose a lot has happened in that time.

More data, obviously more important data has been kind of exposed d- I mean, some awful stuff. I'm sure you guys are aware of some of the lists that have been published where, things like people that had you know, terminations of pregnancies and just incredibly personal stuff. So kind of heartbreaking, I suppose, to see that happen.

They made the announcement that they weren't going to pay the ransom, which I think was applauded generally in the cyber community. I did see somebody on a certain show say that, you know, paying ransoms is an option. And I d- don't know if I necessarily agree with that in this case. I think that was a good move.

One of the things that I think has come out and, and to me is sort of interesting, because we spend a lot of our time worrying and wondering about, "What's the cost?" You know, so many times in conversations with CISOs, their biggest struggle is putting the dollar figure on what security means for their organization.

And you know, if there's a silver lining in this very dark rainy cloud, it's that we're starting to see some numbers get made un- you know, as part of the public record for things like, you know, Medibank where their chief executive has come out and kind of said that they're looking at probably 25 to 35 mil pretax and their one-off costs. And there's probably going to be, you know, additional costs that will be recurring in the future. So you know, not insignificant.

Optus, I think, have, have priced theirs at at least 140 mil. And you know, yes, they're a huge organization, but you're starting to get into, you know, meaningful numbers when, when there's three digits and then an M. That's kind of where people start to sit up and pay attention.

So I, I find that really interesting. And and, like, I'm sure we're going to get to this, but what does that mean, then, if you're an investor in these companies? You know, we saw what happened with Medibank. And you know, obviously Optus is on the, the private market. But you know, it s- starts to get really interesting.

And Medibank had their investor meeting and, you know, no surprise, this stuff came up as part of that investor meeting. And, and the tone is, it feels like it's sort of shifted, and hopefully in a good way.

But I'm kind of interested to see, what sort of signal does this send to other sort of boards, ex-cos ELTs? And, and you know, what does it mean kind of going forward for the place of cyber onboard on senior leadership teams and the understanding of that?

Because you know, we, you know, and we've all talked about this for years, right, that they were [laughs] the board, you, you oversimplify things into, like, a RAG indicator for something that is potentially much more complex and, and needs more than just a, yeah, red, amber green to tell us, you know, we're all okay.

But the reason for that, in large part, is because the lack of understanding in the p- you know f- generally the board members just don't know cyber, don't understand what this world is or how to evaluate or quantify risk in a, a way that's sort of analogous to traditional business risk, like compet- competition, you know, new market entry c- and probably climate change, all of those things that, you know, p- probably operate a little bit differently.

Yeah. I think the investor meeting is going to be a turning point for that organization.

Dan McDermott: Indeed, and I think one of the most interesting parts of that, right, is that we've spoken a lot around, how do you get the attention of the board? What does that mean? So one is that quantification is obviously, you know, an important aspect in that, you know, you put it into all the terms that makes it real and tangible for people.

But making it [laughs] even more real is the notion of, you know, if there was some degree of, you know, mismanagement or misunderstanding of, you know, what was possible and things not put in place, the idea of executive pay clawbacks to actually say, "Well-"

Garrett O'Hara: Mm-hmm.

Dan McDermott: "... you know what? You know, you're not going to get your big bonus. You're not going to... This isn't going to happen. You can't achieve these outcomes because of what's actually happened here through the security incident itself."

And there was a really interesting piece in sort of the Sydney Morning Herald focusing around that and what is going to be possible and could come to a head at this investor meeting in, on the sixth s- 16th, was it?

Garrett O'Hara: Yeah. So it was last,

Dan McDermott: Yeah.

Garrett O'Hara: ... wen- last Wednesday, if I have my dates right?

Dan McDermott: Last week. Yeah.

Vinh Nguyen: Yeah.

Garrett O'Hara: Yeah.

Vinh Nguyen: I know, you know, Dan, from the investor meeting last Wednesday the pay reviews for execs and whatnot have actually been delayed until next year. So this time around, they actually got paid their bonuses, which is maybe not the best timing but you know, can't ignore the fact that they've put in a lot of work themselves as well. But just an interesting piece I kind of read yesterday on what happened in the investor meeting last week.

Dan McDermott: Yeah. Makes it real.

Garrett O'Hara: It, it definitely does. And, and I suppose on the s- the sort of bonus payouts and, and whatnot, I was kind of thinking about that, you know. What does it mean in the grand scheme of operating a business the size of Medibank or, or Optus as, you know, as the case may be? And I think this, the problem is that we, we are in the world of cyber, so we think it's everything.

Dan McDermott: Mm.

Garrett O'Hara: But actually, for a chief executive, like, there is [laughs] so many other parts to an organization that size that you know, we all kind of, in our industry, obviously, [laughs] we're quite offended or potentially offended by the, the bonuses still being paid.

But, but actually, you know, if the share price in, you know, every other way has been moving in a, you know, good direction and, you know, you could maybe, and I'm not making this argument, but you could potentially make the argument that you know, it still makes sense to, to sort of pay that pay the bonuses and whatnot.

But I, I do think there's a really interesting signal being sent and, and some very, very aggressive language from some of the organizations that were at the investor meeting CGI Lewis being kind of one of them.

And yeah. To your point, you know, that, that pointing to the need to maybe bolster the skills and the knowledge of cyber security in the boards, the executive teams, and I would say that applies to so many organizations, not just the ones that we're talking about now.

But then, the other part of it was the accountability for the loss of privacy for customers and obviously, the loss of value for the shareholders, which you know, probably takes precedent [laughs] too often. But the loss of privacy for, I mean, these are Australian citizens who're now looking over their shoulders but also having to deal with incredibly personal information being made public. That's just an awful thing that should, there should be accountability somewhere.

Vinh Nguyen: I think the other big update that's happened around this is, is the response from the government. I mean, they've been pretty vocal-

Garrett O'Hara: Mm-hmm.

Vinh Nguyen: ... all along, but it's gone to the next level in the last couple of weeks with, I think, two key aspects of this. The first is name and shame. People are actually p- blaming Russia as the attackers who have actually come after this and actually sort of going to that extent that we haven't seen before now, for a whole range of reasons, and some of which is cyber, and attribution is difficult, and those things, and some are obviously bigger political issues around, do you want to go and poke the bear, so to speak? So I think that actually naming that's really interesting.

The second is the whole idea of getting on the front foot, and we're going to hack the hackers.

Garrett O'Hara: Mm.

Vinh Nguyen: Where, I mean, it's a great headline but what does that really mean? What's the reality of what that will look like for our, for Australia's cyber defense?

Garrett O'Hara: They've got a, I mean, it's, it's sort of interesting. Like, they've spun up a, well, it's, it's a, a function across two organizations that will be working together, about 100 people across the ASD and AFP. And you know, it's a permanent rolling f- task force, I suppose they would call it.

And c- it's, it's sort of an interesting one. I, I, I don't really know what to make of it and how successful it will be. But the, the idea that, you know, we aren't already doing this at some level, I, I mean, again, I don't know, but I suspect it's happening all around the world, all the time. But this is just a p- you know, politician actually calling it out.

And I'm, I'm sure you guys saw the interview, because it was all over LinkedIn, the, the snippet of Clare O'Neil on TV. It was just so dense with sound bites with, you know, these are the guns of cyber.

Like, it was just very evocative, you know, political speech that was designed, you presume, to appeal to really the broad range of Australians who would have seen that interview and, you know, are going to talk about it at barbecues and will feel a little bit of rah, rah, and you know, you know, go Australia [laughs] you know, really sort of rattling the sabers.

Vinh Nguyen: [laughs]

Garrett O'Hara: But, but also, you know like, you know, if, if they can start to pull apart or pick apart these organizations, then go for it. You know, if it's doable, then let's do it.

And, like, you know, we talk about this all the time. We have got incredible talent in this country, like just astonishingly, very, very clever people. And if they could be directed correctly and, and meaningfully to, to potentially limit the, the damage or to, even better, kill the monster before it grows big, you know, brilliant.

But, yeah. It'll be interesting to see how much of it is what's real versus what's the, the, the politics and the oration. That'll be the, the interesting part. And, and, yeah. I suppose time'll tell.

Dan McDermott: Indeed. And like one of those, I guess, headlines as well was, you know, Australia needing to wake up from its cyber slumber, which again, I think all of these things is continuing a narrative that's been there for a couple of years. Right? We've spoken many times around ScoMo. We're under attack.

Garrett O'Hara: Yeah.

Dan McDermott: It was like, "Oh, my goodness. [laughs] Here we go." And then realizing that he probably didn't elaborate enough on what that actually meant. But we're now really seeing that and the, and the government, I think, becoming more aggressive, as you say, and sort of al- you know, evocative in their language. There's no doubting that. But also putting in some of these, these mechanisms that will be interesting to see how they play out.

But there's no doubting that, like, I think it is legitimate to try to do the right thing. But it is also a big political play to show that we're, they, you know, they're serious about this, and that they're, you know, you know, we're not going to sit back and just, you know, wait to be attacked. We're going to get on the front foot as well, which is always a-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... you know, I think a, an interesting and, and positive sentiment for for people to hear.

Garrett O'Hara: Definitely. Definitely. And look, it's not just here. I think there's, there's a, there's more language around attribution and calling one nation out as as the attackers. You know, I don't think it's in our run sheet for today's show, but the the stuff CISA called out in the US about you know, FedGov getting popped by potentially [laughs] Iranian criminals and using the log for [inaudible 00:11:46] to get in there.

But you know, being very open about, yeah, s- sort of saying that it's Iran and, and just seeing that more and more, where yeah, countries are, are literally, you know, pointing the finger and saying, "Hey, th- this is who did the, the bad thing."

Dan McDermott: I think it's all part of the cyber warfare that is playing out as well. Right? It is showing that it is, cyber is part of that much bigger, you know, international political play and what's actually needing to occur.

So I well, we'll see whether we start the next news episode with another update from Medibank and Optus or whether something else may may trump it in the headlines. But I'm not sure that that we're going to get that in the next couple of weeks.

Garrett O'Hara: Hopefully not.

Dan McDermott: [laughs] Yes. Let's move to our next story, where we'll take a look at Thales, which is a well known global company in the defense and security industry who have been breached themselves, but interestingly, not necessarily through their own IT systems. What can you tell us about this case?

Vinh Nguyen: This one sounds sounds odd, right? It's like your internal systems haven't been breached. There's no kind of sense of that. But at the end of the day, there still is data exfiltration.

And it really comes with this notion that a lot of organizations now are leveraging the likes of third party SaaS vendors, collaboration portals, in order to host a lot of their corporate information, their data, things to be productive.

So what we know is how this big French juggernaut that works in the aerospace defense security space their stance is that the cyber crime group LockBit has actually published a 9.5 gigabyte archive file which contains that type of information.

And when we say it's information, it's things like commercial documents, accounting files, [inaudible 00:13:30] client structures and software, et cetera. So what we're seeing now is a breach that wasn't through IT systems but through a collaboration portal.

And we get this quite a lot especially us working at Mimecast as a vendor, when we start to feel like those RFIs, RFPs for our services for these organizations, they're always asking around for our certifications, how we align to certain laws and privacy regulations, things like that because it's very important that when you're looking at a solution out there that, that you're probably vetting them to make sure that they are holding your data properly, they are hosting it properly, and they are putting certain security measures around it as well.

Garrett O'Hara: Yeah. It's this one, oh, man, like you, you see this stuff, and it just makes you worry about the complexity of organizations.

Vinh Nguyen: Mm.

Garrett O'Hara: You know, we talk about digital inter- [laughs] interconnectivity all the time. This is a real clear example of the, the increased risk surface that, that digital interconnection and collaboration present.

And [inaudible 00:14:32] head of the third party collaboration portal that was one of the partner orgs said basically you know, a partner, a person in one of the partner organizations had their credentials stolen or compromised or whatever. And that was the way in.

And I, I think about this a lot, because you see more and, more you know, project management type tools that are used to, you know, work on a project between three or four different companies. And everyone's got their log-ins, and people are uploading, you know, as being kind of described, potentially really sensitive or commercially sensitive information, you know, with a view to delivering some big project.

And you, you think about how much of a concentrator of data that could be if you had, say, three or four high, very high profile companies or organizations working on, you know, a particular outcome, multi-year project, blah, blah, blah.

And if you're able to compromise that one place, you're, you're sort of, in a way, accessing, you know, to their point, not their IT systems per se, but you're accessing essentially, like, the, the sort of concentrated data around a project or a thing.

It reminds me of conversations with people in healthcare, and it has, it's slightly different, but it's, it's around the idea of trying to contain your data, like, where that stuff lives and where it's sent and where people collaborate.

And you know, in an ideal world, you're a security person and can tell the, the, [laughs] the IT teams, "These are the sanctioned applications, and we won't use anything else, and data shouldn't live anywhere else."

And then you hear these horror stories in healthcare where doctors are sending X-rays over WhatsApp because that's the easiest, lowest friction way to get the thing done in the shortest amount of time. And they're discussion pa- discussing patients on, you know, a nonsanctioned, noncommercial app like, like WhatsApp.

So you know, th- they're, I'm conflating two kind of issues, but you know, the overall issue is, like, data creeping out of an organization, getting to places where it's difficult to manage or, or you're just not expecting to have to manage it there.

Dan McDermott: And I think the one thing with Thales, and the analogy to me is a bit like Medibank and healthcare and that, like, you know, sensitive i- you know, we've looked at it from that personal sensitive information that might be held, and you know, that getting out, and therefore, you know, the pressure that comes onto them to, to pay the ransom in order to try to stop that.

In Thales's situation, it is much more like, it's not, it's not the ransom this time. It is what information is there. Given the industry that they're in, what they actually do as a business, you know, they actually do physical protection of nations and things. Like, like, if this gets out, my goodness, what, what could come of that, right?

So it's the down flow effect. There's no doubting that there's pressure on them to pay a ransom to try to stop it, but we all know that that won't necessarily stop anything. But it's also what happens from here with this data, because how sensitive is it? What is actually exposed? And what's now needing to be done to basically go back and retrofit potentially systems and processes around some of those things that may have been exposed?

Garrett O'Hara: And, and that point you just made there, Dan, is so important. Right? When you think about something at this level the value of data, like if it's sort of a military advantage-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... for one nation over another, you're talking big, big bucks. Right? That's not chump change. You know, that's, that's going to be a huge amount of money. And also, you know, you can't put the toothpaste back in the tube. Like, if it's, if it is, like, that valuable, chances are, it's probably going to get sort of pinged and, and nicked anyway. You know, it's in oh, the risk of, [laughs] you know, attackers stealing from other attackers, which happens. You know, it's not like-

Dan McDermott: [laughs]

Garrett O'Hara: ... You know, you can attack the attacker. Sorry. It's not like you can't you, you know, there's p- you see that all the time, is I suppose the point I'm trying to make.

Dan McDermott: Mm.

Garrett O'Hara: So w- like, at that point, do you then just assume breach and assume that your enemy knows your defenses? You, you probably have to, at some level.

And you know, do our milit- I'm assuming our military think in these terms, where you know, there's, there's some version of, hey, what happens if the worst, the worst thing happens and they get all the, you know, the, the, the blueprints for the, you know, amazing submarines or spaceships or whatever that might be, that you just assume that, you kind of have to assume then your enemy knows how they work, its weaknesses, potentially its strengths, and they would operate strategically accordingly.

Vinh Nguyen: Yeah. Absolutely. And just another point on that too, and that's a really good point, Dan. When you're quantifying risk, I think even if we talk about Thales and information around infrastructure like nation protection, I think at the end of the day, like, one thing that we can't not consider is the safety, the public safety, right, because this will have a flow-on effect, like you said, to, to people within these nations as well.

So it's a very interesting conversation around quantifying the value of certain data, because you know, if someone gets their hands on the right prints and they have access to XYZ that has a downstream effect to civilians, then that's going to be quite important. Right?

Dan McDermott: Indeed. Well, I think we, we all remember that, you know, Luke did get access to the blueprints-

Vinh Nguyen: [laughs]

Dan McDermott: ... of the Death Star you know, and that worked out well. But, like, this is the thing, right, is, is that, exactly as you said, Garrett, like, you, there probably needs to be a presumption that some of these things might be out anyway. And then, what is the protection put around the fact that that might be the case?

And therefore, let's add additional layers of protection because otherwise, yeah, like you say, the, the notion of the weak spot being found and being exposed, you know, to the wrong parties you know, incredibly, you know, devastating consequences from there.

Looking at a brighter note, the final deep dive story for this week looks at the arrest of 59 cyber criminals across Europe who were using stolen credit card details to buy high value goods and then onsell them at a profit.

Garrett O'Hara: It's funny, Dan, the way you say looking at the bright, you know, the bright side. I think that shows the difference between Australians and us, because I see this, and I'm like, "Ah, man. There's, like, 59 scammers. That's probably the tip of the iceberg." [laughs]

Dan McDermott: [laughs]

Garrett O'Hara: But it's good news. Right? I mean, I, I love seeing this stuff. And it just points to progress, and it points to well, the collaboration in this case between 19 countries that came together as part of the 2022 Ecommerce Action Initiative. Not quite as, you know, sort of impressive as stuff that FIFA's doing over in Qatar at the moment, but you know, still, still an important thing on the, the calendar each year.

But you know Europol have basically done a month long sort of crackdown across Europe against, yeah, these scammers. So what's kind of nice here I think is the, call it the vertical integration of the teams that were working together, so across organizations that are, you know, merchants the logistics organizations the folks who do the payment cards, the banks, all kind of working together to help go after the, the scammers.

I suppose it's another example where you're seeing the enforcement of cyber happening, like, geographically dispersed. It's not one country. It's a bunch of countries working together to, to kind of go and tackle a big problem. Plenty of analogies in the world these days for that sort of stuff. But you know, I think that's, that's heartening here.

And look, there's going to be, like, a good outcome for the merchants, for the logistics companies. Like, they're, all the people involved in, in sort of helping with this, it's not like they're doing it, I'm sure, for charity, because what it means is if you're a merchant, you know, the customers will have more confidence to spend money shopping. If you're a bank, you probably have to do less you know, paybacks on fraudulent payments, et cetera, et cetera. So you know, they d- they'd have a vested interest here.

But it seems like a, you know, really good outcome, you know, nearly 60 people. I'm going to be optimistic and r- round it up to 60. Nearly 60 suspected scammers kind of busted [laughs] in Europe.

Dan McDermott: Come on, Garrett. You've got to look at the bright side in these things, and I think, like-

Garrett O'Hara: Definitely.

Dan McDermott: ... I think it continues to show, I think, the, I guess the role now of police in cyber as well. Right? Like, we've sort of seen it at times before, but now it's like there's concentrated task force-

Garrett O'Hara: Mm.

Dan McDermott: ... like you say, across nations that are pooling resources together to focus on, on, on these things. And you know, looking at it, that's so many different levels from, you know, the sort of, you know, we saw the Raccoon in- Infostealer, you know, get arrested.

We've we've now seen these scammers actually be, you know, be indicted. We're seeing a lot more of this sort of come, I guess, to the surface to try to get after. And I think this is a bit of the, you know, getting after the hackers and getting on the front foot as well.

Yes, it's, it's retrospective, but it means that it's putting a dent into their capabilities, you know, significantly, that will hopefully, that we start to see, you know, the flow-on benefits of over a period of time as well.

Vinh Nguyen: Yeah. I love this sense of community, not just with the nations, but also we talk about who was part of the response. And Garrett, you mentioned this, like the merchants themselves, logistic companies, shipping, like, everyone putting in their best foot to help find I guess these criminals who were ordering high value goods. Now, I don't think they specify what the high value goods were, but I imagine they'd be things like designer bags, you know, your Louis Vuitton, things like that, potentially.

Garrett O'Hara: The, the stuff that Dan wears.

Vinh Nguyen: [laughs]

Dan McDermott: [laughs]

Vinh Nguyen: Yeah. The, the stuff that yeah, a lot of my money seems to be going away [laughs] based on those types of shopping.

Garrett O'Hara: [laughs]

Vinh Nguyen: But this was a very new topic for me. I, I don't think I'm very well across the whole eCommerce. And I know it's important to have security, but one thing I came across that was very interesting was what they call SCA, so strong customer authentication.

And really, from my quick read, it sounded like MFA for, for cards, essentially something that you have, like, your, your card, or in your case, your phone something you know, like your PIN and then something you are, so biometrics, things like your fingerprint or your face, stuff like that. So this is actually mandatory in Europe, which is what I read, but we also use it quite a lot here in Australia too.

Garrett O'Hara: Yeah. It's, that yeah, the S- SCA stuff they, they talk about, I think when they implemented it, they [laughs] really saw a huge dropoff in customers buying things. They'd get to the end stages of the, the, you know, in, in the cart kind of thing, and then they would abandon the cart-

Vinh Nguyen: Mm.

Garrett O'Hara: ... When they had to actually, yeah, verify their identification. And I wonder, was that just, do you think it just, you would assume it would be, you know, that thing at the start where it's kind of a new process.

People are like, "Whoa. What's this? You know, I need to do what?" and then you know, they're desperate to buy that [laughs] Louis Vuitton bag. You know, they'll figure out a way to, to kind of get through it.

I think it's a really good thing. You know, I think more and more of that will be yeah, useful going forward. I think, I mean the long term solution here is probably multi-pronged, as it always is. Right?

It's the, it's the merchants and using SCA. It's the banks and you know, using verification on transactions, you know, where the description [inaudible 00:25:33] certainly in Australia matches the BSB and account number and all of those kind of things, I think, all come together to, to help.

Dan McDermott: Ah, you're right, Gar. I've, I've never abandoned a Louis Vuitton shopping cart-

Garrett O'Hara: [laughs]

Vinh Nguyen: [laughs]

Dan McDermott: ... in my life, so so I was able to work my way through, through the SCA process. No problems.

Finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. The first news item is how New South Wales has introduced the country's first state based mandatory data breach notification scheme. What's going on here, Gar?

Garrett O'Hara: Yeah. It's pretty much that. Sort of maps to the kind of federal level one. First state to, to do it which is kind of interesting. First mover. I think we're seeing a little bit of that with New South Wales and, you know, the stuff that Victor Dominello has kind of pushed for in this state not to kind of rub it into the Victorians.

Dan McDermott: Hm.

Garrett O'Hara: You might think you've got better coffee, but we definitely have more progressive cyber security policies-

Dan McDermott: [laughs]

Garrett O'Hara: ... at a state level. Look, and this is another example, you know. I think we're seeing some, some cool moves here. The idea would basically yeah, a- apply this the mandatory data breach notification down to kind of New South Wales agencies and departments looking at the quote here, statutory authorities, local councils, and some universities. So you know, that's a pretty broad net of, of organizations that would be covered in, in this. And I think, you know, it's, it's a good thing.

Dan McDermott: And is it really? Like, I'm being s- a little bit skeptical. Like, aren't they already covered under the national scheme? What's different here?

Garrett O'Hara: Well, some would be, and some wouldn't, I think is the thing.

Dan McDermott: Hm.

Garrett O'Hara: There was the s- there was a bunch of exemptions and get out of jail free clauses in the, the sort of n- the end of the legislation.

And look, in much the same way, I mean, wouldn't it be great if we just had one federal set of policies for privacy? But we don't, we've got state based privacy legislation, unfortunately, so that's fragmented. And then, you know, maybe you see a little bit of that happening here too.

I mean, that's a way bigger conversation, but it's one of the killers in the US, is just navigating so many different states and their different privacy policies and l- you know, requirements. And you know, California's pretty hardcore, and then other states are much more cavalier when it comes to privacy.

I'm not, I think, I think Australia, to me, feels much more hom- you know, homogenous. I think we're generally on the same page. And this is not cyber, but how come all Australians have pretty much the same accent? That has never made sense to me in a country this big-

Dan McDermott: [laughs]

Vinh Nguyen: [laughs]

Garrett O'Hara: ... that, you know, literally thousands of kilometers away, basically the Australian accent is pretty much the same. Maybe that's, you know, there's something going on in the water supply here where cyber kind of follows the same way, where there's nuance, but you know, generally speaking, like, cyber laws are pretty much aligned.

Dan McDermott: Very true. Well and broadening the net, right, in terms of that catch for New South Wales definitely seems like a, a great introduction by them.

Next is the recent call out from the Insurance Council of Australia, highlighting that three in four businesses don't have cyber insurance. Vinh, do we need cyber insurance?

Vinh Nguyen: That, that, that's a toughie, Dan. [laughs] but the way to-

Garrett O'Hara: [laughs] This episode's going to be, like, three hours long, I think.

Vinh Nguyen: M- Maybe the next installment of the pod, but yeah. Cyber security is it's on the up in terms of premium. Like, things are getting more expensive in terms of getting insured by cyber insurance.

And cyber insurance now globally is worth over nine billion US. So it's only going to grow as well. It's tipped to be way higher in the next few years given especially the climate right now.

But what we're generally seeing with cyber insurance is I guess the vagueness of it, and speaking to a lot of organizations, it's what does it exactly cover? And you know, the idea of insurance is you've got to make it compelling enough that people would take it on, but you've also got to look after yourself with bottom line perspective as well.

So I think when we talk about insurance things, like say for example your car insurance or your house insurance, like, there's been plenty of information history behind that, so that could be correctly quantified.

Whereas I think with cyber, an instance in the past, like, we're still getting to the stage with legislation just to say, "Hey, we, we've actually been breached. Like, this is how, and these are the learnings."

It's still very early days so I think there's still some things to work out, some kinks around what exactly, how we quantify the value and cost of cyber. But yeah. Interesting space to be in, for sure.

Dan McDermott: Indeed. And we'll end with a, a look at back to our cyber poster child of New South Wales in this country, at the notion of how to limit the collection of data by real estate agents. Perhaps this is the first sign of some commonsense prevailing and a practical solution to identity verification, Gar.

Garrett O'Hara: Absolutely. And hopefully, it's, you know, it's the first the beachhead for other verticals and for other industries, because I don't think these the real estate industry [laughs] is the only the only sort of guilty industry of what I would say is just a massive overcollection of data.

You know, anyone who's ever been through a rental application or buying a, you know, buying a home, it is absolutely crazy the amount of stuff that you're providing to so many different people along the way. But certainly when it comes to rental, you know, they want they want everything.

They want all, you know, all, all sorts of things, like I mean d- driver's licenses, passports, Medicare details, your work history in detail, bank statements, which I've actually read in some forms they're not technically allowed to do that.

They can ask for the balance, but not the statement. But apparently, a lot of the agencies do ask for you know, statements s- you know, listing transactions for the last three months, which seems kind of interesting.

And I think even these days, which seems crazy to me, is, like, things like social media profiles, which I kind of think, "Well, what has that got to do with anything when you're renting a property?"

But anyway, you know, I guess the point is, like, it's one of many, many sectors that just collect a massive amount of data on the people that they're serving, in essence. And you know, part of the move here with Victor Dominello is the move to potentially centralize that into kind of rental bonds online.

So what we've talked about in previous episodes, where you get a centralizing agency to do it really well, do it really securely, you know, the Fort Knox of data. And then, you know, if you need to verify somebody's kind of rental history, cool. Like, they just get a token to say that they've done it, but they don't get the data.

Dan McDermott: Indeed. And we spoke last time about the Harcourts breach. And you know, that was right focused on the heart of exactly this issue, and you know, looking at that rich data set that is, you know, collected very widely by all of these different sort of agencies.

So so definitely a good move there and another sort of shining light on, on, I think the progress, I guess, that is being made based off all of the, the bad news of these breaches and being in, in the headlines. So great to see some progress there.

Gar, Vinh, thank you so much for your insights, as always. Another big news episode for us today.

Until next week, if you'd like to continue exploring key topics in cyber security, please jump onto getcyberresilient.com and check out some of the latest articles, including part one in our series on securing Australia's cyber future, the nightmare of big breaches. We also explore the big idea, why IP cyber theft is a much bigger risk than you may think. So thanks again for listening, and until next time, stay safe.
