• Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.

In this week’s news episode, our resident cyber experts review the most recent cyberattacks, explore their impact, and discuss what can be learned from them. Over the past week we have seen three large-scale attacks: GoDaddy announced an attack that exposed the email addresses and customer numbers of 1.2 million active and inactive Managed WordPress customers; Tasmanian casino operator Federal Group suffered an attack on its payroll system that left employees without their regular paycheque; and giant wind turbine manufacturer Vestas faces likely production delays after a data breach that required systems to be shut down.

We also take a closer look at the recently released Cybersecurity Workforce Study 2021 which revealed the very positive news that Australia’s cyber security workforce grew 23% in 2021 with flexible work arrangements making cyber staff happier than ever.

The Get Cyber Resilient Show Episode #82 Transcript

Daniel McDermott: Welcome to episode 82 of the Get Cyber Resilient Show. I'm Dan McDermott and I'll be your host for today. This week is our in the news episode, and I'm joined by our resident cybersecurity experts, Bradley Sing and Garret O'Hara. We will re- start by reviewing three major recent attacks. Firstly, the GoDaddy managed service WordPress service has been compromised, exposing 1.2 million records of email addresses and customer numbers. Followed by, for the second time this year, the Tasmanian casino operator Federal has suffered a cyber attack. And the third recent attack was suffered by wind turbine company, Vestas Wind Systems, putting at risk their production. In better news closer to home, we will explore how Australia will receive a boost of 26,000 new cyber workers, as well as re- we will review progress in the federal government cyber hubs initiative known as Hardening Government IT Initiative. So, Brad, it's been a busy attack season, it seems. Let's kick off today's episode in reviewing the spate of recent high profile attacks hitting the headlines.

Bradley Sing: Yeah, certainly Dan. It's definitely been a, a busy attack season, I like that, but I'm not sure if the season ever really ends or, or when it actually starts so [laughs] it's, it's kinda the new norm, isn't it?

Daniel McDermott: Yeah, it is.

Bradley Sing: Looking at the first b- breach this week so GoDaddy announced a security incident affecting their managed WordPress service. I'm sure you've heard of GoDaddy. If you think of GoDaddy, I think they entered the web hosting market, oh, close to 20 years ago, but they always used to have these ads with these very scantily clad ladies, that was kind of their, their way into web hosting, the market, they were meant to be the sexy ones behind it. And they even sponsored, I think, a NASCAR, which is kind of cool, seeing, like, their, their logo on the side of it. But anyway, they, their marketing must have worked because they had over 1.2 million customers sitting on their managed service WordPress kind of hosting, so for those who don't know, that's probably just, I don't wanna say C Panel, but it's, it's some kind of large commodity-based kind of pre-provision WordPress design for, you know, kind of usually for individuals or small businesses.

It appears that 1.2 million of those customers had their emails and customer numbers exposed but also the original WordPress admin password that was set at the time of provisioning was exposed as well, so if customers never went through and changed their SFTP details, or their database details, or anything like that, there's a good chance that the hacker probably, or whoever it is, probably has access to the original details. So I think, yeah, quite, quite a few big things there, but I think in terms of scale, like, we've definitely seen GoDaddy accounts compromised before, but, yeah, probably not an entire platform.

Garrett O'Hara: Yeah, WordPress is such an interesting one and comes up so often in cyber. You know, it's a- as you said, it's a content management system, Bradley, but it's riddled, or in the past certainly has been riddled with bugs and, and sort of exploits that were available, and as an ex-WordPress user and actually this, this story has me worried because I still have a bunch o- [laughs] bunch of websites that I was running on WordPress that I completely had forgotten about and they're w- yeah, I'm, I'm just kinda thinking back on what passwords they have.

Bradley Sing: 3.9 or something, like very old versions [laughs].

Garrett O'Hara: Oh, yeah. I mean I think I might have even set it up to auto update, but what worries me is that I'm the guy who goes away and then a year later remembers that a, you know, there's a WordPress site, forgets what the password is but it's actually relatively easy. I mean, you just go into the MySQL database and you you can generate the, the hash for a new password, it's actually trivial to, to do. Whereas you're talking through this story, Brad, I think the, the thing that pops into my mind is this, I, I suspect, I don't know if this is true, but I suspect Wix and some of those other CMSs may have overtaken WordPress, and I think WordPress is maybe and you already said this, used by maybe smaller organizations, you know the, the types of people who may reuse passwords might not be cyber aware.

That's kinda the point of WordPress is that you don't have to be a techie, you know, you can spin it up and then start curating and adding content and blogging and all of that stuff without having to be too tech savvy. So, I, yeah, I wonder how many of those people in those exposed passwords, you know, that that stuff is out there, and if you get a rainbow table then, away you go.

Bradley Sing: Yeah. And I, we've definitely seen the shift as well, like, just when you comment about Wix, like, I used to work in a little place-

Garrett O'Hara: Mm.

Bradley Sing: ... in the industry as well, and we saw heaps of customers move, like, originally starting on WordPress or Joomla, and they paid developers, like, thousands of dollars to build them this website, and then what would happen within, after 12 months, maybe the developer [laughs] would disappear, or something would happen, the website could never be updated, and suddenly it'd be this huge security risk for something a customer had no idea in terms of how to manage. But I definitely saw the push towards Shopify, Wix, and things like that and, and, you know, for a small business, like, where do you place your trust? Like, if you don't understand the technology, like, you need to be able to, I guess, work with, with an organization which can support you.

But I think one of the challenging things for this also is that GoDaddy have to go through [laughs] a, sorry, I'm laughing, I shouldn't be, reissue 1.2 million SSL certificates. So that's definitely [laughs] gonna be a big task.

Garrett O'Hara: Oof. Well, my, my claim to fame is that I've had a Wo- WordPress site attacked and taken down by people in Saudi Arabia, believe it or not, um-

Bradley Sing: Wow [laughs].

Garrett O'Hara: ... so, yeah, I, I ma- I made some comments on some stuff and apparently they didn't like that at all, and I rebuilt it, and then they took it down again. And then I realized I was absolutely out-gunned, so I just took the site down completely, day one. The hackers won, guys. I feel embarrassed to say that.

Bradley Sing: Maybe you had Pegasus or something, I'm not sure [laughs].

Garrett O'Hara: Oh, that was probably it. You know, and you know what's funny, Bradley, you're talking about GoDaddy's marketing. I'm just remembering, I was at c- s- it wasn't a cybersecurity, it was a general sort of IT conference in the Philippines [laughs] and part of the marketing strategy, GoDaddy, were there, and they had a booth, and they had those people that you mentioned, kind of dressed up, you know, in kind of way that might attract a certain type of person. And you could get photos with them. And our booth was kinda [laughs] not too far away from there but I got so much entertainment watching [laughs] all these kinda IT nerds w- hover handing-

Bradley Sing: [laughs].

Garrett O'Hara: ... and just completely you know, bashful and awkward as you l- you know, it was like watching deer in the headlines.

Bradley Sing: Two worlds collide [laughs].

Garrett O'Hara: Hilarious. Yeah, absolutely hilarious. We were on the other side of the, the walkway crying laughing watching as people just didn't know, didn't know what to do basically.

Daniel McDermott: Well, it's interesting that when when we actually kicked off this project of Get Cyber Resilient and we wanted to stand up the blog WordPress was considered as, as one of the platforms obviously to, you know, to, easy to use, get that up and running, that type of thing. But we actually had advice not to use it because of the security risks involved, even at the time. And so so we went down a different content management system path and touch wood you know, so far, so good, right? But uh, so, yeah, we uh, we had to take those things into consideration ourselves as part of, you know, setting up, sort of, you know, as a, as a small sort of site on our own and, um, and and needed to really consider that, you know, we didn't wanna [laughs] put ourselves at risk from day one particularly with that domain name.

Bradley Sing: It's interesting isn't it, like, I think also just o- on WordPress, 'cause I think we were talking a lot about it, but the whole plug-in ecosystem, a lot of, of, ran a lot of development today, like, just, I remember when I was going through and trying to build a couple basic WordPress websites, it's like, I can have this, I can have this, I can have this, and like, you're chucking all these things in there, and then one from a compatibility perspective, as soon as something updates everything breaks, but also secondly, like, I don't know, I'm installing some things which have, like, 20 installs sometimes, just to do one little thing, but it's gonna help me, but is that causing this huge security incident or risk in the future?

Garrett O'Hara: Spot on, like it's it is supply chain, right? And that's the thing. You pop the plug-in, you pop the [laughs], all the sites that are using it, it's a little bit like ja- JSON libraries, the same thing. Or GitHub, or any of those places where, you know, everyone's going to a central repository for any kinda shortcut for code you know, you get that and you get a lot of people I, it's funny, as you I'm feeling nostalgic guys, I r- actually [laughter] I really wanna go back and [laughs], and log in and have a look at what's there and all those cool [inaudible 00:07:55] and there was hardening, that, that was the one thing I do remember, was the emergence of the hardening plug-ins, so that it would actually go through and it would rename the databases so they weren't defaults uh, the tables rename yeah, [crosstalk 00:08:08].

Bradley Sing: The login page, [crosstalk 00:08:09] reset passwords. Yeah, yeah, yeah.

Garrett O'Hara: Yeah, yeah, that WP-admin, it would change it so, yeah, it was hard to find.

Bradley Sing: That one little thing stops your, your website getting hit crazy. I remember I spawned a new WordPress website on a little VPS in Australia, and I forgot to harden the ports, and it just got port scanned non-stop. [laughs] It was crazy. Like, every time I logged on it was like hundreds of thousands of people port scanning my little VPS. Insane.

Daniel McDermott: Well, it's definitely a, a vulnerability that is out there, so anybody that, with a WordPress site, with a, with a Go- GoDaddy take those actions and, and update your SSL certificates, and anything else that's recommended, and make sure that you've got the hardening in place because we don't wanna see anybody compromised from that as well.

Moving to the second story is one that is is unfortunately a, a repeat attack on a, on a company. The Federal Group out of Tasmania who are the casino operator, and interestingly the largest private sector employer in, in the state have been attacked for a second time this year. Brad, what's happened to these guys?

Bradley Sing: Yeah, certainly. So again, seeing Federal Group in the, in, in news as you suggested they're one of Tas- well, Tasmania's largest private employer, I think you said. So obviously really important to the local economy down there uh, and obviously with, with COVID kind of ending and the lockdowns ending and stuff like that, like, tourism for Tas is, is absolutely huge, right? What we're seeing here is a, a, unfortunately another attack. So there was a ransomware attack against them earlier in the year, which, which kind of took things like pokies offline for a few days. This one's via, a, a piece of software called ELMO 21 I think is but it's, it's, it's offered via Frontier Software. It's effectively, like, a payroll software.

What the company has said, or some staff members have said, is that they've received an advance of $250 from, from their employer, so Federal, because, you know, some payments might be slow. Um, the union reps, 'cause again it's, g- it's, it's kinda private but there's also a union behind the gaming aspect of it the union said advanced payments are a pretty good attempt at trying to deal with the incident, so I think there's a couple things here. One, we've got a repeat target to a degree, and two, we've also got the, the people side of it like, you know, what happens if you can't get paid because of a ransomware attack? Whose fault is that, and then, yeah, like, people still need to pay bills. So I think there's a, a real human element here o- as well.

Garrett O'Hara: And you kinda wonder, is it a repeat attack or did they just get unlucky? You know, was, was the Federal Group the, the target here, or was it just that, I think it's Frontier Software is the name of the, the organization, they got popped and, you know, the, the Federal Group got caught up in it. It does point to, I mean, we had the same thing with PageUp, you know, a very widely used HR platform and how many issues that causes. Um, it feels like anything employee-related, so, you know, those HR type platforms, payroll, anything like that, is just so, so sensitive. Whatever about you know, the, I mean, there's lots of downsides to cyber attacks, but the bit where people don't get paid, I mean, that is, that's the one thing you just, so, kind of a line you don't cross, right? I mean as far as employees goes. People tend to be a little bit upset when they can't eat or pay their bills or spend money on whatever they spend their money on.

Daniel McDermott: And as you both said, it's an interesting one where this is, it's not really Federal themselves. You know, I guess they, they're, they're sort of the victim, right? But it's like, it has come through again an- another third party IT supplier that they're using. So I wonder whether, like, there was something particular around the Federal side as to why they've been compromised, but you would think, you know, that there would be others using that payroll software that may also face the same vulnerability, and whether they've realized yet, or are at risk as well. So definitely work to, I think, do on the Frontier front to make sure that other customers of theirs are not being impacted by this attack as well.

Bradley Sing: Yeah. Seems like it's... I'd probably tend to agree with, probably, what Garrett said. I don't think Federal Group's necessarily got targeted again themselves. Obviously there's a lot of money in that industry and I'm sure there's a lot of politics involved as well, that I'm not aware of, but just to clarify as well, so it was Chris 21, the, the software by Frontier Software, it wasn't Elmo. My, my mistake, they have such interesting names. But I think Federal Group was potentially one of the largest customers of, of that kind of system, so it's probably why they're the ones which we're hearing about in the news, but outside of that, like, they've got a whole range of other clients which have been affected potentially, like, I think, strangely Melbourne Theatre Company as an example. So, yeah, I, it's, it's, i- I think it's, think it's unfortunate, but I think it's good that stuff like this is highlighted because it's just gonna start happening more. Like, real human impact in terms of not being able to pay bills, due to, due to a cyber attack.

Garrett O'Hara: And, you know, we, we talk about it all the time, but you move to the cloud, you move to those, you know, those services, you, you don't move the risk. You know? That, you know, the, the organization still owns the risk of an employee not being paid and, and I think that is a, such an important point that needs to be made. You don't, you know, you don't get to, sort of, put the risk in the cloud. You know, the risk stays with your organization consuming whatever the service is and, you know, in this case obviously a payroll. But there's lots of other examples of that. You know, any HR systems, leave systems expense managements it feels like anything where, you know, s- certainly finance [laughs] is involved that's particularly susceptible to, to attack and, and the risk is just intrinsically higher.

Bradley Sing: Do you even wanna believe that, I mean, I'm not saying, certainly not saying you were, but you don't wanna even leave that stuff on prem though, do you? Because you can't really secure it enough and you probably don't have the capability. So most people would probably look for payroll systems in the cloud but then, again, to your point, it's like, you, the r- you haven't mo- really moved the risk at all, so it's hard as a buyer, isn't it [laughs]?

Garrett O'Hara: Y- it is, but, I mean, to me it comes down to an, an evaluation, and then you're into, you know what's the form of the organization that you're gonna purchase the service from, and what can they prove to you as far as, like, good security controls and, and thoughtful approaches to reducing their risk, you know? Is there options for basic things like multifactor authentication? You know uh, all those kind of questions I think become more and more important and should be part of the buying process, right? I mean, you want a good payroll system, cool. Like, th- that's kind of a given. And presumably there'll be some sort of head to head, an evaluation of, you know, platform X and platform Y in terms of features and functionality, but, yeah, these days it just feels like the, the, I don't know, cost of entry or the table stakes has to be, you do security well.

Daniel McDermott: And I think you've both mentioned that, I guess, you know Federal have done the right thing by their employees in terms of, you know, being proactive in actually making sure that they are, you know, issuing payment and trying to, I guess, take care of the staff while they're dealing with this in the background to, you know, not sort of pass on that liability, right, of, of the impact and the effect. But obviously it would be having an impact on them and their IT team, and, and obviously-

Garrett O'Hara: Mm.

Daniel McDermott: ... their, their HR teams and that as well, so it's a, it, it certainly, you know, one, a big deal, and like you say, Garrett, I think that, that evaluation process of, of a security review as part of buying software has to become, you know, o- probably more prevalent, right?

Garrett O'Hara: Mm.

Daniel McDermott: I think it's been there, but you wonder whether sometimes it's a bit of a tick box and stuff and so you know, what sort of due diligence needs to be done in order to, you know, n- sort of try to mitigate those risks in the first place as a, as a buyer.

Garrett O'Hara: W- one of the things that I think becomes important as you're talking through that, I'm, I'm imagining, you know, a s- a small organization, maybe a five-person operation, or, you know, 10 people no IT team, certainly no security jobs at all, you know, they're just busy trying to stay in business and, and make some money. And they're not really gonna be in a position to know the questions to ask, or how to even do a security evaluation, and you know, we, [laughs] you know, we've talked about this so many times, right? The, you know, the importance of the smaller organizations and protecting those because they're the gateway into the bigger organizations, but, you know, as you, you, you think about that organization of five people, 10 people, and they realize they need payroll, Bradley, you're spot on.

Like, they're not gonna build something on prem these days, I mean, that's, that's just, doesn't make any sense. So they'll go to cloud. And then it's how, you know, how do they even, how do you even get to the point where the, the security consideration is part of that buying process for the, the smaller end in town?

Bradley Sing: Mm.

Garrett O'Hara: And do we get to, you know, it's fine to say we've got certifications and, you know, you get, you align with ISO and all of that stuff, but we all know, you know, sort of security controls and compliance isn't security, they're, they're actually very different things. Yeah, it's, it's definitely a tr- it's a tricky, tricky one, I don't know there's an easy solution for it.

Daniel McDermott: No, I wo- won't jump on my hobby horse on how to protect a small business again. Garrett, I think I've given that one a, a fair go recently.

Garrett O'Hara: I was totally setting you up.

Daniel McDermott: Yeah, I know [laughs].

Garrett O'Hara: I was assuming that, that your, the soapbox [laughs] was coming out, and you were about to step up onto it [laughs].

Daniel McDermott: I could feel it p-, I was pulling it out, but I thought I'd resist the temptation this time around [laughs].

Garrett O'Hara: [laughs].

Daniel McDermott: We'll have a look at the final third breach that has hit the news recently. And a company that may not have heard of, but obviously big in their own space. So it's called Vestas Wind Systems and they produce wind turbines, they've been compromised as well by a cyber attack. Brad, the, saying that, you know, it was potential risk to output delays, but I'm not sure where this has got to and and what impact it's had on them directly.

Bradley Sing: Yeah, so it's a bit of a breaking story but I guess just thinking, I guess, about kind of where we are in the world right now, like, I don't know if you guys have ever seen a wind turbine, like on the back of a truck, but those things are absolutely massive.

Garrett O'Hara: Huge. Yeah.

Bradley Sing: You ever tried to overtake one [laughs]? But the, so obviously there's a huge push in the world right now to go towards things like green energy and one of the, the largest producers, a company out of a th- a Danish company, so Denmark Vestas Wind Systems, has been hit with a, a cyber attack. Interesting enough as well, they're kind of, the source we're working off, Bloomberg, it we can see their share prices is go, [laughs] going up and down like a little bit of a yo-yo and we can definitely see huge decrease after they were hit as well. They also do a lot of delivery and stuff, they have a relationship with Maersk. Maersk? The sh- large shipping container company as well.

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: Because, as you can imagine, getting these large wind turbines, it's hard to get from point A to point B. But I think in terms of, of disruption and stuff as well, it's, we're starting to see more and more targeted attacks against the, or, the manufacturing industry, and also thinking out loud, there is a bit of a, a technology race going on when it comes to creating and manufacturing things like green technology such as wind turbines, so I wonder if there's potentially a bit of a geopolitical play there.

Um, I I think also we're just, at the end of the day, it's just again, shows how fragile some of our largest and most valuable companies are when it comes to the risk of cyber. Like, it doesn't even matter these days if, to, to answer your point, Dan, if you're a small business, or if you're Microsoft. You, you have just the same chance of getting popped.

Daniel McDermott: Yeah, Brad, as you said, I think this also points towards, you know, the whole notion of attacks on critical infrastructure. Obviously mm- you know, Colonial Pipeline being the lar- you know, the most high profile, but this continues to sort of mm- proliferate around the world, and obviously it's right at the time in Australia as the government is going through getting legislation ready and, and moving forward on that critical infrastructure bill as well, so you know, it's certainly a, a hot topic in the market as well.

Garrett O'Hara: And thinking about stuff like wind turbines design in general and this is me absolutely putting my tinfoil hat on probably putting two tinfoil hats on, if I'm honest, you get to the point where you could pop an organization that's building that that sort of technology and poison design. So, you know, if you imagine you're a competitor organization, you're gonna get in there and change, you know, the angle of attack of a turbine by 1%, something that maybe you, you wouldn't pick up, but would impact, you know energy production efficiency, and like as you then go to market, competitors can say, "Hey, look where we're outperforming XYZ brands, you know, we've got this better turbine." Like, do you get to the point where, y- you know, cyber starts to be a way into that hardcore competitive stuff?

Bradley Sing: I, I'm picturing, like, the hackers are going in and they're hacking the CAD file of this massive wind turbine, adding, like, this one little bolt or washer which just doesn't come with the kit or something [laughs] and that's how the, that is just, 'cause... It's like an Ikea package or, or except it's kinda missing, but that's a really good point. Like, and it's back to that whole idea of almost defensive hacking, but then in that scenario, then that's another, you know, seemingly legitimate business potentially targeting another business. Ul- ultimately like corporate espionage, and it's something we hear about in books and we see in spy movies, but statistically I wonder how much stuff, how much of that actually happens and, and potentially to your point, Garrett, I think we're probably gonna see an increase of it.

Garrett O'Hara: All the time. Like, if Netflix has taught me anything, this stuff, this is, like, every single day, all the time.

Daniel McDermott: [laughs] Well, at least we know your sources are credible, Garrett.

Garrett O'Hara: [laughs].

Daniel McDermott: That's always an important aspect. [laughs] We had uh, good journalism 101 right there, so...

Garrett O'Hara: Yeah, that's it.

Daniel McDermott: Oh well, you... And and you put it into Dr. Google and you found out, all, all your woes, you didn't even have to go, go see the GP again.

Garrett O'Hara: [laughs] I, I, really, it's w- w-, this is nothing cyber related, but I actually went to the GP a couple weeks ago for something very trivial, and the g- [laughs] it was hilarious. Sat down and you kind of expecting the expert to be an expert, and he looked at the, the sort of test results that had come back and he goes, "Okay, let's have a look and see what that means."

Daniel McDermott: [laughs].

Garrett O'Hara: And I assumed he was gonna, you know, bring out his big book of explanations of doctor stuff. Nope, jumped onto his computer and literally opened Google search, typed in the thing that was in the report, and then just started scrolling through the results to see, "Oh, okay, this one looks good." Went in and then read me a PDF from Google.

Daniel McDermott: [laughs].

Garrett O'Hara: So that a- that, no joke, that happened to me two weeks ago.

Daniel McDermott: I, you know, like, I I thought o- I've, I've had a similar scenario, so observed similar stuff before, and, like, if you think about our jobs, right? Like, we can't be expected to remember every single little thing. But, like, a big part of, I think, kind of the modern world is validating information quickly. But I guess, yeah, you would expect that your medical specialist probably has something a bit better than Google [laughs].

Garrett O'Hara: I, I walked out of there with a PDF printed from a random website. I don't know, I just, I felt a little bit like, hang on...

Bradley Sing: It's like WebMD.com or something [laughs].

Garrett O'Hara: Yeah, no, I mean, it was literally, I can't remember what the website was, but it was a- yeah, it was one of those ones from, like, oh my God, like I r- is that where we're at? I, I take your point though, you know? Skills, and I would say when you think about cybersecurity or tech developments, so much of being good in that world is actually going and finding the information that you can use to build good code, or to understand what a particular threat means, for example. So I go- you know, I'm kinda, I'm joking about the, the, you know, medical stuff but, like, you're actually spot on, Brad, I reckon that the, a huge part of being good these days is just an ability to f- first of all quickly find information, and secondly, knowing that that information is, you know, reliable source, like Netflix, like Hollywood movies. I mean, they're absolutely reliable.

Daniel McDermott: [laughs] Well maybe addressing the skills gap in a bit more of a serious manner h- w- has our next story of looking at of we do know the skills shortage that exists, and that and it's, you know, it's going to continue to exasperate and create so many problems if we don't actually have the cyber professionals to help us take care of the threats today as well as the emerging threats of tomorrow. And a recent announcement around Australia getting 26,000 new cyber workers seems like a really positive intent in the right direction.

Bradley Sing: Yeah, definitely, like, I think all of us have been hearing about the skills shortage for, oh, since we've be- [laughs] since we've been in the cybersecurity industry. Like, I think as recently I probably haven't heard as much about it personally, like, I think a lot of the conversations I've been having have started to be more about the automation aspect of it now, so cool, once we have the people, how do we start maturing into that. But obviously as, as a country we're still far behind in terms of the amount of, amount of bums on seats when it comes to working in this industry. So to your point, we've seen an increase of 26,000 cybersecurity workers this, in Australia compared to this time last year.

Considering we had a, you know, pretty harsh lockdowns as well, I think that that's amazing. There's also a big push from uh, I think kinda like at a federal level to start opening up immigration as well, when it comes to the things like skilled professions, so potentially get more capability there. But I think one of the, the big points as well from kind of this, this bit of research is that working from home seems to be something which has made it a lot easier to get people in these roles, or potentially there's a link there, and I, I think back to something I remember reading in Amer- it's like an American it was an article about maybe the FBI or the NSA, but they were very seriously considering removing their policy on recreational marijuana because it pretty much removed all their candidates for blue team hacking and stuff like that.

So it kinda reminds me of that, you know, like, if hackers are sitting in, I don't know where, [laughs] [inaudible 00:25:04] whatever, Lamborghinis, it seems, these days, if they're sitting in these places and have access to all these things then we kinda need the guys on our side defending to have the same kinda setup, right? Like, I mean, this is how these people work. This is how... I don't know, I think there's an appreciation there in terms of that we can do this a little bit better, and, yeah, I think the numbers are coming in as well. I also wonder, with all the disruption, we're seeing 26,000, is that a lot of local talent coming in as well? There's people retraining and reskilling, which is fantastic.

Garrett O'Hara: No, in my mind you painted a picture, Bradley, of instead of, like, pizza and footballs, the incentive to come work for a company. It's more like a Snoop Doggy Dogg video.

Bradley Sing: [laughs].

Garrett O'Hara: Just, you know, [crosstalk 00:25:39].

Bradley Sing: Sign me up [laughs].

Garrett O'Hara: Sitting on sofas, blazing [laughs] yeah, having a good time doing the good work of cyber. It's, you know, a more serious point though, I think one of the things I've observed over the last probably six months or year is an acceleration of the sort of vacuuming of talent into sort of the big four, and some organizations that are presumably gonna be very well paid, and that's to the potential detriment of, you know, other organizations, and I wonder, do we end up in, you know, almost like a class system when it comes to cybersecurity within organizations where the organizations that can afford to pay for really good talent get a competitive advantage, and therefore can move faster, innovate more quickly, et cetera, et cetera, and you almost set up a tiered system where if you can't afford the good talent, you know, it's just sorta self-reinforcing in a way. You get your brands attacked, you lose customers, and therefore you'll make less money, you can't afford the best talent, et cetera, et cetera, et cetera.

Like, I think cyber's become one of those investment areas within an organization that's gone away from cost center thinking to, you know, this is competitive advantage. If we do this well, we can go quickly, and we can go more quickly. We can retain customers better, you know, we can innovate more quickly, so yeah, it'll be interesting to see where that 26,000 workers, where do they go.

Bradley Sing: I think you had a very good point there. I remember, I think it was like two years ago, but I just remember looking at my LinkedIn and suddenly so many people were either working at, like, ANZ or some of the other big four banks. It was like the big four banks were literally just going through and hiring every single grad, regardless of their capability. Which is great, right, like, it's good to see investment into the area and the region, but yeah, it's almost a bit greedy, isn't it? Like, what about all these other companies who need access to these heads? Unless you've got a, you know, a pocket book, then can you fill this headcount?

And I think what we're seeing before, especially in remote areas of Australia, like, you know, working in places like, I say [laughs] [inaudible 00:27:34], but working in smaller city centers and stuff, like, you know, down in Hobart, or even over in Adelaide, they do sometimes struggle to attract people with high levels of cybersecurity experience because people, you know, that would usually work in a city, well, they'll have to pay extra, you know, large sums of money in order to attract that person, or relocation fees.

So potentially there needs to be... I don't really know what you do about it though, right? 'Cause it's kind of a free market to a degree. And people should be rewarded for their skill, and if there's no one skilled in the market, then that's kinda how it works.

Garrett O'Hara: It's, I mean, the same as legal teams and accounting teams, right? I mean, if you're big enough you can pay amazing lawyers to get your way, fight the good fight in court, or sometimes the not good fight, but you've got the money to back you, and then accountants who are, air quotes, creative in terms of, you know, how tax is not sort of gathered [laughs] from your organization. I mean, that's been a conversation over the last, what, three, four years, and the Dutch Irish Sandwich and all of that stuff, and so maybe cyber's just part of that. You know, we've become part of those functional areas within organizations where that top talent just buoys organizations to the point where they become untouchable. You know, legally, accounting-wise, and then maybe, you know, lockdown, cybersecurity-wise.

Bradley Sing: And do you almost have, like, you know how we've got Legal Aid, so if you get in trouble, you go to court and you can't defend yourself, you'll get, like, a court appointed lawyer and stuff. I wonder if one day they'll almost have that for hacks. Like, you know, if you're a business who can't secure your data, and that's kind of what, back to the national critical infrastructure, but that's the whole idea, right? Like, if a company can't look after its data or protect the critical infrastructure of Australia, the government's gonna come and, I don't wanna say do your job for you, but they're gonna help and assist to make sure that no Australian's data's gonna be breached, or there's no security risks there.

Garrett O'Hara: Some guy who turns up with doughnuts, completely stoned, wanting to, to help.

Bradley Sing: [laughs] Yeah. Kinda messed up with their policy.

Daniel McDermott: We're from headquarters and we're here to help. So,

Bradley Sing: Yeah, let me in [laughs].

Daniel McDermott: Yeah. I think that's a great segue into our last story for today, and one of the areas that we have discussed a number of times over the year is the government putting out a range of sort of plans and initiatives, critical infrastructure, a ransomware action plan, all of these other sort of things, and one of the question marks that we've had and the industry has over this is those in glass houses shouldn't throw stones. So what is the government doing themselves in terms of their own cybersecurity posture and how are they actually looking to protect themselves? Now obviously part of last year's sort of announcement around a cybersecurity plan and the investment of $1.6 billion kicked that off. And it's great that we're starting to see some progress in this, and we're starting to see some outcomes.

The initiative's known as the Hardening Government IT Initiative, or HGIT, 'cause we need an acronym for everything, run by the DTA, the Digital Transformation Agency, under Home Affairs. So as good government is, it's a little bit complex how it's set up, but the idea is actually looking at building and operating a cyber hub and delivering services for the whole of federal government. So rather than each agency, as we know, maybe Defence has a good budget and does things at a certain level, you know, Centrelink and the ATO have big budgets, but some of the smaller agencies, again, are just like smaller businesses and struggle to get the investment, the skills and the best practices required. So this is trying to take a whole of government approach around that, and to actually deliver that so that there is consistency across our federal government and the national services that it delivers. So, Garret, I'd be interested in your thoughts on sort of where this has progressed to and where it sort of goes from here.

Garrett O'Hara: Yeah, I mean, it's open at the moment on TenderLink for people to have a go and see if they can, you know, be in there as part of the hub. I think, like overall, it seems to me a really, really good move, and I think one of the things, and I say this as a tax payer, that I like to see [laughs] is any sort of opportunity for efficiency, good efficiency. You know, not the efficiency at all costs efficiency, but, you know, here what I'm thinking is if you can, you know, create those shared services or a vetted set of platforms, what that means is the local council doesn't have to do that evaluation or, you know, the federal agency, or whoever's gonna be involved in, you know, the final version of this hub. I think that's a really good thing.

And ideally what you get to the point is the platforms, the services that sit in the hub are gonna be good. You know, and they won't be the fly-by-nights or the, you know, the sort of half-baked ideas, they'll be solid security platforms, securing, like, us as Australian citizens, and the agencies that support us as Australians. I think this is, you know, fundamentally it's a good thing.

Daniel McDermott: Yeah, I guess there's been some political commentary um, of, sort of, you know, using one of the big four, so Ernst & Young-

Garrett O'Hara: Mm.

Daniel McDermott: ... have been appointed as sort of the advisor and that. Like, I have no problem with that personally. You know, like, if you, like, to acknowledge that they don't have all of the in-house skills themselves and to bring in an expert, you know, even if, you know, a foreign company and all those sort of things, like, we need world best practice in this space, and, as we've said a number of times, the big four have, you know, been actually sucking up a lot of the actual talent in the market as well, so, you know, if that's the right approach and they've done their due diligence and all those sort of things, then, you know, I don't sort of see a problem with actually using best in class to make sure that we're delivering that for the nation.

Garrett O'Hara: Yeah, agreed. I mean, there's ferocious talent in government, there's definitely no comment, and, you know, I kinda know some of those people. They're incredibly, incredibly good at cybersecurity, but to your point, Dan, the scope and the scale of what this is, is enormous and, you know, in the audits, in the statements to parliament, one of the consistent and key themes is that, you know, quite often the talent goes to the private sector 'cause the money is better. And to your point, this is such a big project and it is gonna be so important for many, many years to come that, yeah, I'd sort of tend to agree with you that getting that outside expertise in to build it well and build it, you know, build it once and do a really good job, I think that sort of is valid. You know, assuming it's not like one of those episodes of Utopia where the consultants come in and, you know, sort of-

Bradley Sing: [laughs].

Garrett O'Hara: ... faff around and actually don't do a whole lot, but I suspect with something as serious as this, it won't be that.

Bradley Sing: Is it really like that? I like that show, by the way, but, whenever I think of government, unfortunately I start thinking of that show [laughs].

Daniel McDermott: [laughs] Well, let's say, let's hope it's the right outcomes from it.

Bradley Sing: Yeah.

Daniel McDermott: But definitely, at least, like you say, it's heading in the right direction. So thank you both for your insights and expertise, as always. Gar, we would love to hear who your special guest is for next week.

Garrett O'Hara: Yeah, Dan, next week we've got Bruce McCully, he's the chief security officer at an organization called Galactic Advisors. An awesome guy. I'll be honest, I didn't know Bruce, he was an intro from uh, the team over at fuck, brother, what's our [crosstalk 00:34:49].

Daniel McDermott: Fishy Business.

Garrett O'Hara: Let me go from the top again and...

Daniel McDermott: [laughs].

Garrett O'Hara: Yeah, Dan, next week we've got Bruce McCully. He's joining. He's the chief security officer over at Galactic Advisors, and I actually didn't know Bruce before the interview, but we got on, like, I have some far... He's a really awesome guy [laughs] and his approach to cyber actually heavily revolves around storytelling, and he's got some really, really good ones. I personally find that really engaging when people can answer questions through stories. Andrew Pritchard, actually, was very much the same. Just a sort of phenomenal approach to, you know, getting the information across, and definitely Bruce kinda does that. Bruce is very, very passionate, and you'll hear this in the conversation, around the MSP space, and spends a lot of time looking at MSPs providing services, how they can do that better, more securely, to their customers.

So things like how do you evaluate an MSSP. He's actually done lots of analysis of literally thousands of MSPs, so he has a very good gauge on some of the gaps, sometimes where it goes wrong, how it can go right. So it's that kinda conversation, yeah, a really, really good one.

Daniel McDermott: Excellent, really looking forward to that, sounds like an engaging conversation. Well, that brings this week's episode to a close. If you wanna continue to explore some of these topics and more, please jump onto Getcyberresilient.com and check out some of the latest articles, including last week's podcast guest, Andrew Pritchard, from Grant Thornton, who has come back as a second time guest contributor, this time looking at the [CITO's 00:36:23] guide to winning the board's confidence and securing the funding that you need to build your cybersecurity practice.

We're also in Black Friday shopping season, right in the peak of things at the moment, so let's take a look at whether our online retailers are equipped to handle the Black Friday blitz and the cyber risk that comes with it. And also, teaching your employees to think like hackers: Brad provides some practical insights into what that means and how it can strengthen your cybersecurity approach. Thanks for listening, and until next time, stay safe.
