1 00:00:05,680 --> 00:00:08,440 Speaker 1: Welcome to the Fear and Greed Business Interview. I'm Sean Aylmer. 2 00:00:08,600 --> 00:00:14,080 Speaker 1: The average ransomware payment in Australia is 3 00:00:14,160 --> 00:00:18,360 Speaker 1: now one point three five million dollars. It seems businesses 4 00:00:18,440 --> 00:00:22,520 Speaker 1: are increasingly willing to pay to regain access to computer 5 00:00:22,600 --> 00:00:26,120 Speaker 1: systems and data locked up by cyber criminals. Every year, 6 00:00:26,120 --> 00:00:28,080 Speaker 1: we talk to the team at McGrathNicol about this 7 00:00:28,240 --> 00:00:30,680 Speaker 1: because not only do they help companies prepare for and 8 00:00:30,760 --> 00:00:34,000 Speaker 1: deal with these attacks, they also monitor the overall ransomware 9 00:00:34,040 --> 00:00:38,880 Speaker 1: threat facing Australian businesses. Darren Hopkins and Brendan Payne are 10 00:00:39,000 --> 00:00:42,280 Speaker 1: cyber partners at McGrathNicol Advisory, which is a great supporter 11 00:00:42,360 --> 00:00:45,040 Speaker 1: of this podcast. Darren, Brendan, welcome back to Fear and Greed. 12 00:00:45,440 --> 00:00:48,320 Speaker 1: Thanks, Sean. Thanks, Sean. For the four years now McGrath 13 00:00:48,400 --> 00:00:51,440 Speaker 1: Nicol's partnered with YouGov to survey five hundred Australian 14 00:00:51,440 --> 00:00:55,720 Speaker 1: business owners, partners, directors, C-suite leaders across businesses. We're 15 00:00:55,760 --> 00:01:00,080 Speaker 1: talking about companies with fifty plus employees here to work 16 00:01:00,120 --> 00:01:05,160 Speaker 1: out the ransomware threat facing Australian businesses. Darren, why did 17 00:01:05,240 --> 00:01:08,200 Speaker 1: McGrathNicol start the research? And what trainings have you 18 00:01:08,240 --> 00:01:09,840 Speaker 1: seen over the past four years or so? 
19 00:01:10,959 --> 00:01:13,600 Speaker 2: Sure, I was looking at this only on the weekend 20 00:01:13,680 --> 00:01:16,360 Speaker 2: as I was going through the draft results of this 21 00:01:16,440 --> 00:01:20,080 Speaker 2: particular year survey. And we've been doing it for four years, 22 00:01:20,440 --> 00:01:22,960 Speaker 2: and I still remember that four years ago we were 23 00:01:23,000 --> 00:01:25,039 Speaker 2: in the position of seeing a lot of businesses pay 24 00:01:25,120 --> 00:01:28,920 Speaker 2: ransoms and we could in ourselves understand why businesses so 25 00:01:29,880 --> 00:01:33,399 Speaker 2: likely to step up, and given my background in law enforcement, 26 00:01:33,560 --> 00:01:38,120 Speaker 2: to pay a criminal money for an extortion, it seemed incredible. 27 00:01:38,480 --> 00:01:40,840 Speaker 2: So we started the research there. And at the time 28 00:01:40,880 --> 00:01:45,720 Speaker 2: I had just finished a job where our client had 29 00:01:45,720 --> 00:01:49,440 Speaker 2: effectively just had to find seven million dollars US to 30 00:01:49,560 --> 00:01:52,960 Speaker 2: pay a Russian based cyber criminal group to get the 31 00:01:52,960 --> 00:01:55,360 Speaker 2: assistance back up and running and actually to continue business, 32 00:01:55,400 --> 00:01:57,800 Speaker 2: and they needed to do it to operate. They were 33 00:01:57,800 --> 00:02:01,160 Speaker 2: in a really bad position. Six months after that event, 34 00:02:01,640 --> 00:02:05,520 Speaker 2: I was with the team. 
We were talking to the 35 00:02:05,560 --> 00:02:08,639 Speaker 2: executives and the board about a budget to improve the business, 36 00:02:08,680 --> 00:02:10,480 Speaker 2: to defend itself going forward, all the things that you 37 00:02:10,480 --> 00:02:13,040 Speaker 2: would hope a business does, and we were able to 38 00:02:13,040 --> 00:02:16,720 Speaker 2: get five hundred thousand dollars over three years to work 39 00:02:16,760 --> 00:02:18,799 Speaker 2: on the problem. And at that time I thought, how 40 00:02:18,880 --> 00:02:21,520 Speaker 2: is it that we can pay ten million Aussie to 41 00:02:22,280 --> 00:02:24,640 Speaker 2: a ransomware group, but we can only find this little 42 00:02:24,919 --> 00:02:26,880 Speaker 2: amount of money, and why is it we're doing it 43 00:02:26,919 --> 00:02:29,000 Speaker 2: so often. That's why we started doing the research. It 44 00:02:29,080 --> 00:02:31,160 Speaker 2: was a little bit of the I'd like to know more, 45 00:02:31,600 --> 00:02:33,919 Speaker 2: and we were trying to understand the drivers behind while 46 00:02:33,919 --> 00:02:36,720 Speaker 2: we're doing that, so that maybe we can help businesses 47 00:02:36,800 --> 00:02:38,120 Speaker 2: avoid having to do that. 48 00:02:39,280 --> 00:02:41,960 Speaker 1: Brendan, what about the headline results this year? We've just 49 00:02:42,000 --> 00:02:45,280 Speaker 1: heard why you're doing the survey. How has the ransomware 50 00:02:45,320 --> 00:02:47,640 Speaker 1: threat changed since this time last year? 51 00:02:48,600 --> 00:02:50,640 Speaker 3: It's a good question, Sean. There are a lot of 52 00:02:51,000 --> 00:02:54,040 Speaker 3: key findings from our twenty twenty four survey, so I'll 53 00:02:54,040 --> 00:02:56,400 Speaker 3: do my best to talk to the critical ones and 54 00:02:56,400 --> 00:02:58,119 Speaker 3: the ones that really stand out. 
But what it does 55 00:02:58,160 --> 00:03:01,000 Speaker 3: show is or reveal, is that tenty four percent of 56 00:03:01,040 --> 00:03:04,880 Speaker 3: Australian businesses that experienced a ransomware attack in the past 57 00:03:04,960 --> 00:03:09,120 Speaker 3: five years actually chose to pay the ransom. Additionally, seventy 58 00:03:09,120 --> 00:03:12,160 Speaker 3: five percent of these businesses reported paying the ransom within 59 00:03:12,480 --> 00:03:16,640 Speaker 3: forty eight hours, which remains unchanged from last year. Now, 60 00:03:16,720 --> 00:03:20,160 Speaker 3: according to the research, there has been a significant increase 61 00:03:20,240 --> 00:03:24,359 Speaker 3: in ransomware payments, with the average payment soaring to one 62 00:03:24,400 --> 00:03:27,720 Speaker 3: point three to five million Australian dollars now. That's up 63 00:03:27,760 --> 00:03:32,200 Speaker 3: from just over a million dollars in twenty twenty three. Now, interestingly, 64 00:03:32,280 --> 00:03:35,600 Speaker 3: eighty three percent of businesses, including those that haven't yet 65 00:03:35,640 --> 00:03:38,320 Speaker 3: been attacked, stated that they would be willing to pay 66 00:03:38,480 --> 00:03:42,000 Speaker 3: a cyber ransom and seventy nine percent of executives believe 67 00:03:42,000 --> 00:03:46,760 Speaker 3: it should be mandatory for businesses to report a ransomware attack. Now, 68 00:03:46,760 --> 00:03:49,520 Speaker 3: if we look at the groups responsible for these attacks, 69 00:03:49,800 --> 00:03:53,360 Speaker 3: among respondents whose business experienced an attack in the past 70 00:03:53,360 --> 00:03:56,080 Speaker 3: five years, almost twenty eight percent of these can be 71 00:03:56,120 --> 00:03:59,040 Speaker 3: tied back to just two threat groups known as lockbit 72 00:03:59,720 --> 00:04:02,720 Speaker 3: and and some hub. 
But overall, Sean, what we're seeing 73 00:04:02,760 --> 00:04:05,360 Speaker 3: is a return to the highs of the results we 74 00:04:05,400 --> 00:04:06,560 Speaker 3: saw in twenty twenty two. 75 00:04:07,480 --> 00:04:09,600 Speaker 1: What amazes me in this, Darren, is it people are 76 00:04:09,600 --> 00:04:14,720 Speaker 1: so willing to pay, particularly given government legislation and all 77 00:04:14,760 --> 00:04:17,599 Speaker 1: the talk about it. But people in these high pressure 78 00:04:17,839 --> 00:04:19,919 Speaker 1: situations seem willing to pay. 79 00:04:20,960 --> 00:04:23,600 Speaker 2: Yeah, it feels that way. Funny enough, no one wants 80 00:04:23,640 --> 00:04:26,599 Speaker 2: to pay, and that is clear every time we're in 81 00:04:26,600 --> 00:04:30,200 Speaker 2: an incident or in a crisis with a business, they absolutely, 82 00:04:30,320 --> 00:04:32,599 Speaker 2: under the circumstance, want to actually go through a process 83 00:04:32,640 --> 00:04:34,680 Speaker 2: of having to pay an extortion, which is what that is. 84 00:04:35,480 --> 00:04:38,680 Speaker 2: A lot of businesses feel that it's the right thing 85 00:04:38,760 --> 00:04:42,560 Speaker 2: to do, and unfortunately, we've got ourselves into a position 86 00:04:42,600 --> 00:04:45,720 Speaker 2: where we can justify those actions quite easily. One of 87 00:04:45,800 --> 00:04:48,640 Speaker 2: the things that we do is we do tabletop simulations 88 00:04:48,680 --> 00:04:52,799 Speaker 2: with businesses. Almost every week, we're simulating a cyber attack 89 00:04:52,839 --> 00:04:55,680 Speaker 2: with the border an executive and running through this type 90 00:04:55,680 --> 00:04:58,880 Speaker 2: of event. And often even in those simulations, we're seeing 91 00:04:58,920 --> 00:05:02,280 Speaker 2: businesses can justify that this is the right thing to do. 
92 00:05:02,640 --> 00:05:04,719 Speaker 2: The research this year showed a shift in what we 93 00:05:04,760 --> 00:05:06,800 Speaker 2: saw last year. So last year what we saw is 94 00:05:06,839 --> 00:05:10,080 Speaker 2: that businesses were we're going to pay because they were 95 00:05:10,080 --> 00:05:12,479 Speaker 2: going to minimize harm to others. So at this point, 96 00:05:12,560 --> 00:05:15,120 Speaker 2: we've lost someone's data. We've got a situation where the 97 00:05:15,200 --> 00:05:17,719 Speaker 2: threat is we are going to lead all this information 98 00:05:17,760 --> 00:05:20,679 Speaker 2: out or misuse that information to cause other people harm 99 00:05:20,720 --> 00:05:24,680 Speaker 2: you that information that you're trying to safe keep. That 100 00:05:24,839 --> 00:05:27,680 Speaker 2: was a real push by threat actor groups to try 101 00:05:27,720 --> 00:05:30,640 Speaker 2: to encourage us to make those payments. They're always changing 102 00:05:30,680 --> 00:05:33,320 Speaker 2: their tactics to be better. This year though the research 103 00:05:33,360 --> 00:05:36,320 Speaker 2: shows it just as many times as that threat that 104 00:05:36,400 --> 00:05:39,760 Speaker 2: still exists of I want to protect businesses from making 105 00:05:39,839 --> 00:05:42,279 Speaker 2: it any worse than I already have. Because this has happened, 106 00:05:42,800 --> 00:05:44,960 Speaker 2: they're needing to pay to get their operations back up 107 00:05:45,000 --> 00:05:47,080 Speaker 2: and running. So the business needs to get back up 108 00:05:47,080 --> 00:05:49,360 Speaker 2: and running quick. They need to get their systems up 109 00:05:49,360 --> 00:05:52,279 Speaker 2: and running because of generally the costs and being down 110 00:05:52,320 --> 00:05:55,520 Speaker 2: and quite significant. 
And what we're definitely seeing is that 111 00:05:55,560 --> 00:05:58,360 Speaker 2: the longer you are down, the more impacted supply chain 112 00:05:58,960 --> 00:06:01,960 Speaker 2: and the businesses around you, and the more pressure that 113 00:06:02,000 --> 00:06:03,560 Speaker 2: you will feel on your brand. 114 00:06:04,120 --> 00:06:12,480 Speaker 1: Stay with me, we'll be back in a minute. I'm 115 00:06:12,520 --> 00:06:16,200 Speaker 1: speaking to Darren Hopkins and Brendan Payne, cyber partners at 116 00:06:16,279 --> 00:06:21,640 Speaker 1: McGrathNicol Advisory. Okay, Brendan, when a business leader's facing a 117 00:06:21,720 --> 00:06:25,440 Speaker 1: ransomware attack, what are they considering? I'm sure there must 118 00:06:25,440 --> 00:06:29,599 Speaker 1: be other hidden costs, non-obvious impacts to the businesses 119 00:06:29,920 --> 00:06:32,520 Speaker 1: that the executive has to think about, well beyond the 120 00:06:32,520 --> 00:06:35,080 Speaker 1: one point thirty five million which is the average payout. 121 00:06:35,880 --> 00:06:39,000 Speaker 3: Yeah. Absolutely, Look, Darren and I and the McGrathNicol team 122 00:06:39,040 --> 00:06:44,120 Speaker 3: work quite closely with businesses regularly on cyber incidents, and 123 00:06:44,200 --> 00:06:47,560 Speaker 3: I think what we see most is the importance of 124 00:06:47,839 --> 00:06:50,960 Speaker 3: being able to respond quickly in order to contain the 125 00:06:51,000 --> 00:06:54,040 Speaker 3: attack and ultimately minimize the damage, some of which Darren 126 00:06:54,080 --> 00:06:57,000 Speaker 3: just spoke to. So this is where our best practice 127 00:06:57,040 --> 00:07:01,520 Speaker 3: incident response plan is really critical and key for an organization. 
128 00:07:02,320 --> 00:07:05,160 Speaker 3: It details the roles and responsibilities in the event of 129 00:07:05,200 --> 00:07:08,760 Speaker 3: an attack, including decisions on whether the business will pay 130 00:07:08,760 --> 00:07:13,120 Speaker 3: a ransom and negotiate. It outlines recovery steps, communication plans, 131 00:07:14,200 --> 00:07:16,760 Speaker 3: and the details of a person responsible for reporting the 132 00:07:16,760 --> 00:07:21,120 Speaker 3: incident to the authorities and excellent advisors if necessary. Now, 133 00:07:21,200 --> 00:07:25,640 Speaker 3: in relation to the costs, whether it's hidden or unexpected, 134 00:07:26,360 --> 00:07:28,760 Speaker 3: you know there could be a financial impact associated with 135 00:07:28,880 --> 00:07:32,480 Speaker 3: downtime or business interruption and recovery efforts. This is where 136 00:07:32,520 --> 00:07:36,480 Speaker 3: a cyber insurance policy can really pay off. Reputation or 137 00:07:36,480 --> 00:07:39,320 Speaker 3: brand damage should also be considered, leading to a loss 138 00:07:39,320 --> 00:07:41,680 Speaker 3: of customer trust and businesses. I think we've seen that 139 00:07:42,200 --> 00:07:44,640 Speaker 3: numerous times in the sort of past couple of years, 140 00:07:45,480 --> 00:07:48,520 Speaker 3: and depending on what information has been compromised, there's also 141 00:07:48,520 --> 00:07:51,920 Speaker 3: a risk of data loss and intellectual property having a 142 00:07:51,920 --> 00:07:55,960 Speaker 3: long lasting effect on the business. And finally, the last 143 00:07:55,960 --> 00:07:59,560 Speaker 3: thing I'll add is the organization may face legal and 144 00:07:59,680 --> 00:08:03,880 Speaker 3: regulatory consequences which could result in potential fines for 145 00:08:03,920 --> 00:08:07,160 Speaker 3: non-compliance, which obviously has a cost attributed to it 146 00:08:07,200 --> 00:08:07,600 Speaker 3: as well. 
147 00:08:08,400 --> 00:08:10,360 Speaker 1: Okay, so that leads us into the idea, Darren, of 148 00:08:10,400 --> 00:08:14,760 Speaker 1: the federal government's mandatory was proposed mandatory ransomware reporting changes. 149 00:08:15,560 --> 00:08:21,080 Speaker 1: What does the survey say about business's attitudes towards reporting? 150 00:08:21,400 --> 00:08:23,600 Speaker 1: When will they kick in? Do you think they'll have 151 00:08:23,680 --> 00:08:24,520 Speaker 1: the desired effect? 152 00:08:25,800 --> 00:08:28,080 Speaker 2: Yeah, So the changes that are coming through at the 153 00:08:28,120 --> 00:08:31,280 Speaker 2: moment with this new cybersecurity bill that's been put forward, 154 00:08:31,320 --> 00:08:34,920 Speaker 2: which has a section in there around mandatory reporting of 155 00:08:34,920 --> 00:08:37,400 Speaker 2: a ransom payment to businesses. There's been something we've been 156 00:08:37,400 --> 00:08:39,520 Speaker 2: watching for a while. A few years ago, there was 157 00:08:39,559 --> 00:08:42,240 Speaker 2: going to be a ransomware bill itself, and it was 158 00:08:42,280 --> 00:08:45,320 Speaker 2: bipartisan approval for this bill to go through. And they're 159 00:08:45,360 --> 00:08:49,760 Speaker 2: even talking back then about potentially making it not legal, 160 00:08:49,960 --> 00:08:53,640 Speaker 2: so banning payments and maybe with some safe harbor provisions 161 00:08:53,679 --> 00:08:57,360 Speaker 2: around in certain circumstances it might be okay, but generally 162 00:08:57,520 --> 00:09:00,320 Speaker 2: we didn't want anyone to be able to pay. Think 163 00:09:00,320 --> 00:09:02,199 Speaker 2: that would have been the best outcome, because what we've 164 00:09:02,240 --> 00:09:05,600 Speaker 2: got now is this regime where if you if you 165 00:09:05,679 --> 00:09:08,400 Speaker 2: pay a ransom, you've got seventy two hours to report 166 00:09:08,440 --> 00:09:11,320 Speaker 2: that back to the government. 
And if you don't report that, 167 00:09:11,400 --> 00:09:15,240 Speaker 2: there's a small penalty of non reporting sixty penalty units 168 00:09:15,679 --> 00:09:19,200 Speaker 2: eight or nine double, not a lot of not a 169 00:09:19,240 --> 00:09:24,000 Speaker 2: significant penalty by any means. So when we asked during 170 00:09:24,040 --> 00:09:27,800 Speaker 2: the survey what business has thought about reporting, generally, the 171 00:09:27,880 --> 00:09:30,640 Speaker 2: vast majority seventy nine percent said yes, we think we 172 00:09:30,679 --> 00:09:33,760 Speaker 2: should be reporting these ransomware attacks of the government. So 173 00:09:33,840 --> 00:09:36,400 Speaker 2: there doesn't seem to be any any angst to around 174 00:09:36,600 --> 00:09:40,199 Speaker 2: reporting if it's legal. And you know, quite often I'm 175 00:09:40,200 --> 00:09:43,360 Speaker 2: seeing businesses justify this because their insurance even covers it. 176 00:09:43,400 --> 00:09:44,640 Speaker 2: You know, if I insurer is going to pay for 177 00:09:44,679 --> 00:09:48,400 Speaker 2: the ransom payment, then then it can't be that bad. Yeah, 178 00:09:48,440 --> 00:09:50,560 Speaker 2: they will make the decision they think their business needs, 179 00:09:50,559 --> 00:09:53,040 Speaker 2: and if they just have to report, then so be it. 180 00:09:53,800 --> 00:09:55,920 Speaker 2: I think the government was hoping that this might be 181 00:09:55,960 --> 00:09:59,280 Speaker 2: a mechanism to reduce the likelihood of people paying because 182 00:09:59,320 --> 00:10:02,240 Speaker 2: you can keep it secret, you've got to talk and 183 00:10:02,280 --> 00:10:05,040 Speaker 2: tell the government about it. 
The other thing I don't 184 00:10:05,200 --> 00:10:07,680 Speaker 2: particularly agree with with the Act is that it has 185 00:10:07,720 --> 00:10:10,480 Speaker 2: a small business provision it's for businesses over three million 186 00:10:10,520 --> 00:10:13,640 Speaker 2: dollars that have to report. Our survey deliberately looks at 187 00:10:13,679 --> 00:10:18,640 Speaker 2: small business sme larger and enterprise, and our stats show 188 00:10:18,679 --> 00:10:21,520 Speaker 2: that is a large number of smaller businesses are getting hit. 189 00:10:21,840 --> 00:10:24,840 Speaker 2: That's the vast majority of the businesses that don't have 190 00:10:24,880 --> 00:10:27,400 Speaker 2: the controls for victim and pay and they're going to 191 00:10:27,400 --> 00:10:29,680 Speaker 2: be exempt anyway, Darren. 192 00:10:29,760 --> 00:10:32,439 Speaker 1: Can they afford the ransomware? Can they afford the amount 193 00:10:32,440 --> 00:10:34,040 Speaker 1: of money being asked with in a small business? 194 00:10:35,440 --> 00:10:37,320 Speaker 2: This is where I think the threat actor groups. You know, 195 00:10:37,360 --> 00:10:40,040 Speaker 2: these hacking groups are really good, you know, they're business 196 00:10:40,080 --> 00:10:42,000 Speaker 2: is and to go off and try to ask a 197 00:10:42,040 --> 00:10:44,960 Speaker 2: small business to pay ten million dollars, that they get 198 00:10:44,960 --> 00:10:47,640 Speaker 2: to know who they've they've successfully attacked, and they'll make 199 00:10:47,679 --> 00:10:51,760 Speaker 2: sure that the extortion amount fits within the mechanism and 200 00:10:51,800 --> 00:10:54,600 Speaker 2: the means for that business to pay, and quite often 201 00:10:54,640 --> 00:10:56,600 Speaker 2: it might be around five percent of their revenue. 
So 202 00:10:56,640 --> 00:10:59,440 Speaker 2: it's not it's not an easy amount of money to find, 203 00:10:59,440 --> 00:11:02,080 Speaker 2: but certainly every time we've seen these things, most businesses 204 00:11:02,080 --> 00:11:05,360 Speaker 2: can afford it, and you can negotiate, and we've seen 205 00:11:05,400 --> 00:11:08,200 Speaker 2: the negotiations where we say we can't afford that much money. 206 00:11:08,200 --> 00:11:11,280 Speaker 2: It's been a tough year. It's post COVID, and they 207 00:11:11,320 --> 00:11:13,680 Speaker 2: will come back and give you a discount until you 208 00:11:13,679 --> 00:11:16,600 Speaker 2: can get to a point that you're both comfortable that 209 00:11:16,640 --> 00:11:17,839 Speaker 2: you'll ever be comfortable paying. 210 00:11:18,720 --> 00:11:20,880 Speaker 1: I don't think so, Brendan. More than nine percent of 211 00:11:20,920 --> 00:11:25,480 Speaker 1: executives say that their organizations are prepared for a ransomware attack. 212 00:11:26,160 --> 00:11:29,679 Speaker 1: Is that what you're seeing in terms of actual preparedness 213 00:11:29,679 --> 00:11:30,240 Speaker 1: on the ground? 214 00:11:31,000 --> 00:11:35,280 Speaker 3: Yeah, Having worked dozens of incidents this year alone shown 215 00:11:35,320 --> 00:11:40,160 Speaker 3: into surprising number. That's a certain look compared to previous years. 216 00:11:40,440 --> 00:11:44,120 Speaker 3: More respondents believe their business is prepared in responding to 217 00:11:44,160 --> 00:11:46,120 Speaker 3: a cyber attack. So I think it's ninety three percent 218 00:11:46,920 --> 00:11:49,079 Speaker 3: in this year's results, up from eighty eight percent in 219 00:11:49,120 --> 00:11:53,200 Speaker 3: twenty twenty three. 
Inclusive of nearly one in two, so 220 00:11:53,280 --> 00:11:57,440 Speaker 3: forty eight percent who believe their business is very prepared 221 00:11:57,480 --> 00:12:00,400 Speaker 3: to respond, and that was up from thirty five percent year. 222 00:12:00,920 --> 00:12:04,720 Speaker 3: Now just three in ten or twenty eight percent of 223 00:12:04,800 --> 00:12:08,480 Speaker 3: respondents who don't have or are unsure if their business 224 00:12:08,520 --> 00:12:10,880 Speaker 3: has an incident response plan say their business is very 225 00:12:10,920 --> 00:12:13,640 Speaker 3: prepared in responding to an attack. Which is interesting because 226 00:12:13,960 --> 00:12:15,800 Speaker 3: I can assure you if you don't have an incident 227 00:12:15,840 --> 00:12:18,640 Speaker 3: response plan in place, then you're likely not prepared to 228 00:12:18,679 --> 00:12:22,160 Speaker 3: respond to one. Those in larger businesses, so by larger, 229 00:12:22,200 --> 00:12:24,600 Speaker 3: I'm referring to two hundred and fifty employees or more 230 00:12:24,920 --> 00:12:27,360 Speaker 3: are more likely to say that their business is very 231 00:12:27,400 --> 00:12:31,360 Speaker 3: prepared in responding to an attack than those with say 232 00:12:31,480 --> 00:12:34,800 Speaker 3: fifty to two hundred and forty nine employees. And finally, 233 00:12:34,840 --> 00:12:38,199 Speaker 3: those in newer companies are aged up to ten years, 234 00:12:38,360 --> 00:12:41,319 Speaker 3: are more likely than those in older companies over ten 235 00:12:41,400 --> 00:12:45,000 Speaker 3: years to believe their business is very prepared and responding 236 00:12:45,040 --> 00:12:49,360 Speaker 3: to a cyber attack. So, yeah, certainly some interesting results there. 
237 00:12:50,240 --> 00:12:52,800 Speaker 1: Yeah, so they're there numbers, Darren, do you think, I mean, 238 00:12:52,800 --> 00:12:54,440 Speaker 1: you've tracked this for a few years now, do you 239 00:12:54,480 --> 00:13:00,480 Speaker 1: think the senior execs are now more prepared for ransomware attacks? Broadly? 240 00:13:00,679 --> 00:13:03,600 Speaker 1: Just sort of almost a gut feel as much as anything. 241 00:13:04,760 --> 00:13:07,760 Speaker 2: Look, executives and boards are absolutely aware of the risk 242 00:13:07,800 --> 00:13:10,920 Speaker 2: and they know the issue. The regulators are making it 243 00:13:11,040 --> 00:13:13,600 Speaker 2: very clear to all those business leaders that this is 244 00:13:13,640 --> 00:13:15,480 Speaker 2: something you have to be prepared for, you have to 245 00:13:15,880 --> 00:13:19,439 Speaker 2: plan for, and you have to demonstrate as an executive 246 00:13:19,760 --> 00:13:22,720 Speaker 2: or an owner or as a director that you're doing 247 00:13:22,840 --> 00:13:25,520 Speaker 2: enough And the penalties that we're seeing come out of 248 00:13:25,559 --> 00:13:28,640 Speaker 2: these regulators for getting this wrong are significant. You know, 249 00:13:28,720 --> 00:13:31,360 Speaker 2: we're talking you know, fines of fifty million dollars and 250 00:13:31,440 --> 00:13:34,080 Speaker 2: more for getting this wrong. And we're all now also 251 00:13:34,160 --> 00:13:36,520 Speaker 2: seeing US and other regulator has been very vocal about 252 00:13:36,559 --> 00:13:40,600 Speaker 2: those obligations. So yes, businesses are aware and are doing 253 00:13:40,600 --> 00:13:43,720 Speaker 2: a lot more and we're actually even starting to see 254 00:13:43,760 --> 00:13:48,680 Speaker 2: businesses asking to do more preparedness type work. But is 255 00:13:48,720 --> 00:13:52,360 Speaker 2: it enough? 
And you know, we're Australia is a country 256 00:13:52,400 --> 00:13:54,760 Speaker 2: with a lot of small business. You know, vast majority 257 00:13:54,800 --> 00:13:58,400 Speaker 2: of our businesses out there are smaller businesses. They don't 258 00:13:58,679 --> 00:14:02,520 Speaker 2: have the funds or support to do enough, and we 259 00:14:02,600 --> 00:14:05,160 Speaker 2: are seeing them for victim and they will make it 260 00:14:05,400 --> 00:14:08,120 Speaker 2: generally a call around what's going to be right for 261 00:14:08,160 --> 00:14:10,320 Speaker 2: their business and it may not be the right thing 262 00:14:10,440 --> 00:14:13,640 Speaker 2: in any event for others, but at the moment they're 263 00:14:13,640 --> 00:14:16,840 Speaker 2: pretty much exempt from these issues. I know, small businesses 264 00:14:16,880 --> 00:14:20,760 Speaker 2: are still exempt from the Privacy Act around notifiable data breaches, 265 00:14:21,240 --> 00:14:23,840 Speaker 2: so you know, it is one of those things that's 266 00:14:23,880 --> 00:14:25,520 Speaker 2: just going to continue to need change. 267 00:14:26,160 --> 00:14:29,600 Speaker 1: Finishing the podcast on an upbeat note, Darren, what are 268 00:14:29,640 --> 00:14:31,040 Speaker 1: the positive trends that have emerged. 269 00:14:31,920 --> 00:14:35,960 Speaker 2: Look, there is certainly some positives that come out. We've 270 00:14:36,000 --> 00:14:40,280 Speaker 2: seen more businesses seeing the insurance to safeguard the business 271 00:14:40,320 --> 00:14:44,120 Speaker 2: is something important. There's something they're put in place. Interestingly enough, 272 00:14:44,160 --> 00:14:46,560 Speaker 2: you know Brendan was suggesting and was talking to the 273 00:14:47,560 --> 00:14:51,480 Speaker 2: planning and the work that businesses are doing to get ready. 
274 00:14:51,920 --> 00:14:54,160 Speaker 2: It is and we are seeing some of those trends 275 00:14:54,160 --> 00:14:56,840 Speaker 2: come up, and there's obviously a significant investment in the 276 00:14:56,920 --> 00:15:00,160 Speaker 2: last twelve months businesses have made to be prepared for 277 00:15:00,160 --> 00:15:02,840 Speaker 2: this to happen, and certainly everyone knows of the problem, 278 00:15:03,480 --> 00:15:07,160 Speaker 2: so they're all good things. There's never a real high 279 00:15:07,240 --> 00:15:09,280 Speaker 2: you can end on when we're talking about ransomware. In 280 00:15:09,280 --> 00:15:14,040 Speaker 2: my book, the one thing we would love to see 281 00:15:14,120 --> 00:15:16,960 Speaker 2: is something that really does turn the dial in this 282 00:15:17,080 --> 00:15:20,760 Speaker 2: country and makes it difficult or impossible for us to 283 00:15:20,840 --> 00:15:23,960 Speaker 2: keep supporting organized crime in the way that we are. 284 00:15:24,880 --> 00:15:29,040 Speaker 2: And whilst I understand it completely why this happens and 285 00:15:29,400 --> 00:15:33,720 Speaker 2: how we're protecting individuals and we're protecting businesses, we've just 286 00:15:33,760 --> 00:15:37,000 Speaker 2: got ourselves into this position where it's a business that 287 00:15:37,040 --> 00:15:39,720 Speaker 2: will continue for a very long time unless something really changes. 288 00:15:40,680 --> 00:15:42,720 Speaker 1: Darren, Brendan, thank you for talking to Fear and Greed. 289 00:15:43,200 --> 00:15:43,680 Speaker 2: Thanks Sean. 290 00:15:43,880 --> 00:15:48,120 Speaker 1: Thanks. That was Darren Hopkins and Brendan Payne, cyber partners 291 00:15:48,120 --> 00:15:51,040 Speaker 1: at McGrathNicol Advisory, which is a great supporter of this podcast. 292 00:15:51,320 --> 00:15:53,560 Speaker 1: This is the Fear and Greed Business Interview. 
Join 293 00:15:53,640 --> 00:15:55,840 Speaker 1: us every morning for the full episode of Fear and Greed. 294 00:15:55,920 --> 00:15:58,479 Speaker 1: Daily business news for people who make their own decisions. 295 00:15:58,680 --> 00:16:05,200 Speaker 1: I'm Sean Aylmer. Enjoy your day.