1 00:00:05,680 --> 00:00:08,000 Speaker 1: Welcome to the Fear and Greed Business Interview. I'm Sean 2 00:00:08,039 --> 00:00:11,920 Speaker 1: Aylmer. Nearly ninety percent of Australian business leaders expect 3 00:00:12,039 --> 00:00:14,840 Speaker 1: risk and security issues to get worse in the next 4 00:00:14,840 --> 00:00:18,239 Speaker 1: twelve months. It's the alarming headline of the new Risk 5 00:00:18,320 --> 00:00:21,759 Speaker 1: and Security Report from McGrathNicol Advisory. Building on last 6 00:00:21,840 --> 00:00:25,560 Speaker 1: year's findings, the report explores exactly what local business leaders 7 00:00:25,600 --> 00:00:30,040 Speaker 1: think about risks including geopolitical threats, insider risk, cybersecurity 8 00:00:30,120 --> 00:00:33,560 Speaker 1: and more. I'm joined today by McGrathNicol partner and 9 00:00:33,640 --> 00:00:37,120 Speaker 1: head of Advisory, Matt Fehon AM. Morning Matt. Good 10 00:00:37,120 --> 00:00:40,599 Speaker 1: morning Sean. Also we've got Sarah de Ed, partner forensic 11 00:00:40,640 --> 00:00:44,640 Speaker 1: at McGrathNicol. Good morning, Sarah. Good morning Sean. McGrathNicol's a 12 00:00:44,640 --> 00:00:48,919 Speaker 1: great supporter of this podcast. Matt, Sarah start with you. 13 00:00:48,960 --> 00:00:51,280 Speaker 1: Matt talk us through some of the headline results. I 14 00:00:51,320 --> 00:00:53,479 Speaker 1: mentioned eighty nine percent or I said ninety percent, not 15 00:00:53,479 --> 00:00:56,880 Speaker 1: eighty nine percent of executives expect risk and security issues 16 00:00:56,880 --> 00:00:59,560 Speaker 1: to worsen in severity over the next year. That's up 17 00:00:59,680 --> 00:01:01,840 Speaker 1: significantly since last year. I think it was about fifty 18 00:01:01,880 --> 00:01:05,800 Speaker 1: eight percent last year. How has the business risk landscape changed 19 00:01:05,920 --> 00:01:07,280 Speaker 1: in the past twelve months? 
20 00:01:07,800 --> 00:01:09,880 Speaker 2: Thanks Sean, and thanks for the opportunity to share the 21 00:01:09,920 --> 00:01:13,880 Speaker 2: results of the survey. I also the outset the survey 22 00:01:13,959 --> 00:01:18,240 Speaker 2: we conducted with YouGov. The survey that they facilitated 23 00:01:18,680 --> 00:01:23,760 Speaker 2: contacted over three hundred board members or senior executives of 24 00:01:23,880 --> 00:01:28,840 Speaker 2: organizations that have over fifty plus employees. But the fact 25 00:01:28,880 --> 00:01:32,640 Speaker 2: that what you've highlighted there around risk and security issues worsening, 26 00:01:32,920 --> 00:01:36,880 Speaker 2: I think only goes to reflect the growing concern around 27 00:01:36,880 --> 00:01:41,280 Speaker 2: the geopolitical environment. Last year our survey touched on 28 00:01:41,360 --> 00:01:44,399 Speaker 2: and one of the more revealing issues for me from 29 00:01:44,440 --> 00:01:49,800 Speaker 2: a cyber attack perspective was ninety one percent of organizations 30 00:01:49,800 --> 00:01:52,120 Speaker 2: the year before said that they would think worse of 31 00:01:52,200 --> 00:01:56,279 Speaker 2: a supplier or counterparty should they have a cyber attack. 32 00:01:57,040 --> 00:01:59,880 Speaker 2: Last year that reduced down to sixty eight percent. So 33 00:02:00,120 --> 00:02:03,160 Speaker 2: that's telling me that people are expecting more cyber attacks 34 00:02:03,200 --> 00:02:06,640 Speaker 2: to occur either upon them or within their supply chain, 35 00:02:07,320 --> 00:02:10,400 Speaker 2: and that's now being reflected in risk and security concerns, 36 00:02:10,440 --> 00:02:14,440 Speaker 2: and as we say, the various geopolitical perceptions that leaders 37 00:02:14,560 --> 00:02:17,960 Speaker 2: business leaders are experiencing or expecting to see. 
38 00:02:18,280 --> 00:02:21,880 Speaker 1: In a sense what you just said, then perhaps it's 39 00:02:21,919 --> 00:02:25,040 Speaker 1: a bit worrying that people think less of third parties 40 00:02:25,120 --> 00:02:27,399 Speaker 1: if they have a cyber risk, but it also suggests 41 00:02:27,520 --> 00:02:30,440 Speaker 1: that it's become the norm, Matt, or people expect it now. 42 00:02:31,040 --> 00:02:33,080 Speaker 2: It is expected, and you know, I think what is 43 00:02:33,120 --> 00:02:38,360 Speaker 2: expected both from an emerging regulatory perspective, but also counterparties, 44 00:02:38,400 --> 00:02:42,120 Speaker 2: They're expecting organizations to do a lot more within their 45 00:02:42,160 --> 00:02:45,880 Speaker 2: supply chain, and in particular, I think they're now expecting 46 00:02:46,120 --> 00:02:49,800 Speaker 2: organizations to understand where the risks may lay within this 47 00:02:50,480 --> 00:02:56,000 Speaker 2: supply chain, doing proper due diligence on counterparty or suppliers 48 00:02:56,680 --> 00:03:00,960 Speaker 2: cyber risk frameworks, and understanding how they're busy. Like I 49 00:03:01,000 --> 00:03:05,360 Speaker 2: think more than three quarters of the respondents said in 50 00:03:05,360 --> 00:03:09,359 Speaker 2: this survey that they don't have mandatory requirements by their 51 00:03:09,360 --> 00:03:11,680 Speaker 2: suppliers to report to them if they have a data 52 00:03:11,800 --> 00:03:14,680 Speaker 2: or cyber breach and that could be their critical information 53 00:03:14,800 --> 00:03:18,120 Speaker 2: that has been leaked, but there's no mandatory reporting back 54 00:03:18,160 --> 00:03:20,920 Speaker 2: to them should it happen within their supply chain, which 55 00:03:20,960 --> 00:03:22,639 Speaker 2: is really critical. 56 00:03:22,639 --> 00:03:22,919 Speaker 3: I think. 
57 00:03:22,919 --> 00:03:26,360 Speaker 2: The other thing is a large number of the respondents 58 00:03:26,480 --> 00:03:29,480 Speaker 2: over seventy five percent, said that you know, they have 59 00:03:29,560 --> 00:03:33,880 Speaker 2: competing priorities within their resources. They don't have a person 60 00:03:33,880 --> 00:03:37,960 Speaker 2: who's nominated to manage this and then insufficient data or 61 00:03:38,160 --> 00:03:42,160 Speaker 2: a shortage of experience to tackle how they address these 62 00:03:42,240 --> 00:03:43,560 Speaker 2: risks in their supply chain. 63 00:03:44,320 --> 00:03:46,720 Speaker 1: Is this a journey that they're going on. So it 64 00:03:46,840 --> 00:03:48,720 Speaker 1: sounds like it's improving, but there's still a long way 65 00:03:48,720 --> 00:03:48,920 Speaker 1: to go. 66 00:03:49,000 --> 00:03:53,000 Speaker 2: Basically, yeah, and I think that's right. You know, cyber 67 00:03:53,080 --> 00:03:55,560 Speaker 2: risk being the number one risk, and it was in 68 00:03:55,600 --> 00:04:00,320 Speaker 2: the survey the number one risk. Within the top five 69 00:04:00,920 --> 00:04:03,640 Speaker 2: risks that were identified by the respondents, sixty eight percent 70 00:04:03,760 --> 00:04:06,880 Speaker 2: had cyber up there. I do know from our experience 71 00:04:06,960 --> 00:04:10,160 Speaker 2: many organizations have cyber as number one risks these days. 72 00:04:10,600 --> 00:04:12,360 Speaker 2: But I think when you look at it more broadly, 73 00:04:12,440 --> 00:04:15,480 Speaker 2: cyber is just one aspect of security within an organization 74 00:04:16,160 --> 00:04:20,720 Speaker 2: and where you know, state based actors or other organized 75 00:04:20,960 --> 00:04:25,680 Speaker 2: criminals or cyber criminals seek to access. 
We've seen the 76 00:04:25,760 --> 00:04:28,600 Speaker 2: uplift in cyber resilience programs, but there is now an 77 00:04:28,600 --> 00:04:32,440 Speaker 2: emerging understanding of the broader security defenses that need to 78 00:04:32,480 --> 00:04:35,240 Speaker 2: be put in place, and it's slowly being uptaken. 79 00:04:36,080 --> 00:04:38,680 Speaker 1: Sarah bringing you into this. When I read the report, 80 00:04:38,960 --> 00:04:41,400 Speaker 1: the one risk which I suppose I hadn't thought a 81 00:04:41,400 --> 00:04:45,919 Speaker 1: lot about was insider risk. What is it and is 82 00:04:45,960 --> 00:04:48,240 Speaker 1: it considered it? Is it a human problem? 83 00:04:48,480 --> 00:04:50,719 Speaker 3: Yeah? Interesting, Sean, I don't think you're the only one, 84 00:04:50,920 --> 00:04:53,120 Speaker 3: the only one that thinks that way. I think as 85 00:04:53,160 --> 00:04:55,719 Speaker 3: we were saying, I think there's pretty now widespread acceptance 86 00:04:55,760 --> 00:04:58,800 Speaker 3: from organizations that know it's a matter of when and 87 00:04:58,880 --> 00:05:00,719 Speaker 3: not if. When it comes to cyber attacks within 88 00:05:00,760 --> 00:05:02,840 Speaker 3: their business. And if we use that analogy of a house, 89 00:05:02,880 --> 00:05:04,320 Speaker 3: we know we've got to lock the doors. We know 90 00:05:04,360 --> 00:05:06,120 Speaker 3: I've got to change the locks regularly, and we've got 91 00:05:06,160 --> 00:05:08,240 Speaker 3: to put the alarms on. But what is just 92 00:05:08,279 --> 00:05:11,520 Speaker 3: as important is considering the threat that's posed by your 93 00:05:11,520 --> 00:05:13,800 Speaker 3: people within your business. The ones you've actually got to 94 00:05:13,839 --> 00:05:16,919 Speaker 3: give those cat house keys to. 
Those people are the 95 00:05:16,920 --> 00:05:19,560 Speaker 3: ones that they know your systems, they know your weaknesses, 96 00:05:19,680 --> 00:05:23,120 Speaker 3: they know your vulnerabilities, and they also know the value, 97 00:05:23,160 --> 00:05:26,880 Speaker 3: that real value that lies in your assets. The difficulty 98 00:05:27,279 --> 00:05:29,840 Speaker 3: in really managing that insider risk is that you've got 99 00:05:29,839 --> 00:05:31,839 Speaker 3: to give the keys to somebody, which makes it so 100 00:05:31,960 --> 00:05:35,799 Speaker 3: crucial for organizations to ensure that they provide the access, 101 00:05:35,839 --> 00:05:38,320 Speaker 3: the information and the control to the right people, which 102 00:05:38,360 --> 00:05:41,480 Speaker 3: can be a real challenge for organizations. The other thing 103 00:05:41,520 --> 00:05:43,480 Speaker 3: I think that ties it in and why it is 104 00:05:43,520 --> 00:05:45,520 Speaker 3: such a human problem. At the end of the day, 105 00:05:45,560 --> 00:05:47,719 Speaker 3: we've got people at the end of keyboards and they're 106 00:05:47,760 --> 00:05:51,320 Speaker 3: your insiders. The motivations of those insiders can be pretty 107 00:05:51,320 --> 00:05:54,120 Speaker 3: difficult and complex to spot the threat. It can be 108 00:05:54,400 --> 00:05:57,520 Speaker 3: a malicious attack, a self motivated attack, or in some 109 00:05:57,640 --> 00:06:00,960 Speaker 3: cases we also see where it involves coer with an 110 00:06:00,960 --> 00:06:04,119 Speaker 3: outsider and a reliance on an outsider. So as such 111 00:06:04,200 --> 00:06:06,240 Speaker 3: it being such a human problem, there's that real need 112 00:06:06,240 --> 00:06:10,080 Speaker 3: to understand that psychological and situational factors that may drive 113 00:06:10,120 --> 00:06:13,560 Speaker 3: an employee to become an insider risk threat. 
And I 114 00:06:13,560 --> 00:06:17,000 Speaker 3: think also as we talk to I think the environment 115 00:06:17,040 --> 00:06:19,320 Speaker 3: that we're in at the moment and that link to 116 00:06:19,400 --> 00:06:23,599 Speaker 3: insider risk. We've certainly seen a pretty volatile employment market 117 00:06:23,600 --> 00:06:27,000 Speaker 3: in the last few years, the great resignation, quiet quitting, 118 00:06:27,040 --> 00:06:28,720 Speaker 3: and all these other things. And now I think as 119 00:06:28,720 --> 00:06:32,480 Speaker 3: we're moving in through this cycle of pretty tough economic conditions, 120 00:06:32,760 --> 00:06:37,280 Speaker 3: we've seen significant restructures and redundancies across industries. I think 121 00:06:37,320 --> 00:06:40,360 Speaker 3: with that volatility, there is that greater risk of these 122 00:06:40,360 --> 00:06:43,600 Speaker 3: insider threats coming to the fore. We are certainly seeing 123 00:06:43,600 --> 00:06:46,600 Speaker 3: them and working with some clients around the challenge that 124 00:06:46,640 --> 00:06:51,080 Speaker 3: they present. And I think also just reflecting on my experience, 125 00:06:51,080 --> 00:06:53,240 Speaker 3: I've worked in this space of sort of financial crime 126 00:06:53,279 --> 00:06:56,400 Speaker 3: forensic for a long time and working in those matters 127 00:06:56,400 --> 00:06:59,960 Speaker 3: that involve trusted insiders. What we see time and time 128 00:07:00,000 --> 00:07:02,200 Speaker 3: time again is that when people are under any form 129 00:07:02,240 --> 00:07:06,080 Speaker 3: of pressure, they do do unusual and strange, strange things. 130 00:07:07,000 --> 00:07:09,000 Speaker 1: Stay with me, Matt and Sarah, we'll be back in 131 00:07:09,040 --> 00:07:18,560 Speaker 1: a minute. I'm talking to Matt Fehon and Sarah did 132 00:07:18,760 --> 00:07:22,920 Speaker 1: from McGrathNicol. 
The survey says that eighty seven percent 133 00:07:22,920 --> 00:07:25,760 Speaker 1: of surveyed executives were confident their business had a comprehensive 134 00:07:25,760 --> 00:07:29,920 Speaker 1: insider risk management program in place. Fine, However, less than 135 00:07:29,920 --> 00:07:34,760 Speaker 1: a third actually implemented fundamental insider risk controls. How do 136 00:07:34,760 --> 00:07:37,240 Speaker 1: you do that? What are the basic controls that you 137 00:07:37,280 --> 00:07:38,760 Speaker 1: should be implementing. 138 00:07:39,440 --> 00:07:41,880 Speaker 3: Yeah, it's interesting, Sean, They are pretty interesting results from 139 00:07:41,880 --> 00:07:44,120 Speaker 3: the survey. I mean, I think more broadly, we're certainly 140 00:07:44,120 --> 00:07:47,800 Speaker 3: seeing an increased focus on insider risks. We personally McGrathNicol 141 00:07:47,840 --> 00:07:50,680 Speaker 3: have partnered with the Australian Insider Risk Center of Excellence, 142 00:07:50,680 --> 00:07:53,040 Speaker 3: and there's some really important work going on more broadly 143 00:07:53,080 --> 00:07:57,920 Speaker 3: around education awareness of these risks. From that regulatory perspective, 144 00:07:58,320 --> 00:08:01,920 Speaker 3: the amendments to the Security of Critical Infrastructure Act now 145 00:08:01,960 --> 00:08:06,679 Speaker 3: demand that owners of critical infrastructure assets identify those critical workers, 146 00:08:06,680 --> 00:08:09,080 Speaker 3: assess their suitability and the level of risk they pose. 147 00:08:09,160 --> 00:08:11,960 Speaker 3: So I think the awareness piece is there, which I 148 00:08:12,000 --> 00:08:14,240 Speaker 3: think is where you see that that eighty seven percent 149 00:08:14,360 --> 00:08:17,320 Speaker 3: do you come through. 
But in a sense, as you said, Sean, 150 00:08:17,320 --> 00:08:19,640 Speaker 3: we've got organizations that are confident they have in place 151 00:08:19,680 --> 00:08:22,520 Speaker 3: a comprehensive program, and yet when we start to dig 152 00:08:22,560 --> 00:08:25,160 Speaker 3: beneath the surface of that and start to explore what 153 00:08:25,280 --> 00:08:29,040 Speaker 3: controls organizations have in place to actually mitigate the threats, 154 00:08:29,520 --> 00:08:32,559 Speaker 3: we can see that some of those human centric controls 155 00:08:32,600 --> 00:08:34,760 Speaker 3: are being overlooked. At the end of the day, as 156 00:08:34,760 --> 00:08:37,440 Speaker 3: we've said, we're talking about humans. So whilst technology is 157 00:08:37,520 --> 00:08:40,240 Speaker 3: such a key part of this issue, at the center 158 00:08:40,280 --> 00:08:42,640 Speaker 3: of every attack is a person and so as a result, 159 00:08:42,679 --> 00:08:44,320 Speaker 3: you've really got to come at it with those human 160 00:08:44,360 --> 00:08:46,800 Speaker 3: based controls in place. A couple of key ones that 161 00:08:46,840 --> 00:08:50,280 Speaker 3: sort of stand out for us. Risk based due diligence 162 00:08:50,480 --> 00:08:53,360 Speaker 3: is really fundamental for critical roles. Do you know who 163 00:08:53,400 --> 00:08:55,520 Speaker 3: it is that you're doing business with, do you know 164 00:08:55,559 --> 00:08:58,720 Speaker 3: what information and access those key people and key roles. 165 00:08:58,760 --> 00:09:03,040 Speaker 3: Have really highlighted that only twenty percent of organizations actually 166 00:09:03,160 --> 00:09:06,280 Speaker 3: have that risk based due diligence in place for key roles. 167 00:09:06,800 --> 00:09:09,240 Speaker 3: Another one which again ties into that human piece is 168 00:09:09,280 --> 00:09:12,040 Speaker 3: training and awareness. 
Again, results out of the survey show 169 00:09:12,080 --> 00:09:15,920 Speaker 3: that only twenty seven percent have an insider education and 170 00:09:16,000 --> 00:09:19,040 Speaker 3: awareness program in place, And I think it's important to 171 00:09:19,080 --> 00:09:22,360 Speaker 3: note that this is part of a broader framework and program. 172 00:09:22,400 --> 00:09:26,720 Speaker 3: So a truly effective insider program really does incorporate all 173 00:09:26,800 --> 00:09:29,240 Speaker 3: functions of an organization. And I think that's a real 174 00:09:29,360 --> 00:09:33,000 Speaker 3: challenge for some organizations, particularly in that small and medium 175 00:09:33,120 --> 00:09:37,120 Speaker 3: enterprise space, because the risk area is broad. There's that 176 00:09:37,160 --> 00:09:39,320 Speaker 3: real need to understand who should own it and how 177 00:09:39,360 --> 00:09:41,719 Speaker 3: should resources be prioritized, and there's that real need for 178 00:09:41,800 --> 00:09:45,760 Speaker 3: organizations to have those critical conversations around how to manage 179 00:09:45,880 --> 00:09:46,400 Speaker 3: this risk. 180 00:09:47,640 --> 00:09:50,000 Speaker 1: Okay, Matt, at the very top, you talked about 181 00:09:50,320 --> 00:09:55,200 Speaker 1: geopolitics and geopolitical risk. Should business leaders be worried about 182 00:09:55,240 --> 00:09:59,600 Speaker 1: the upcoming US election? What happens if a second Trump 183 00:09:59,600 --> 00:10:02,280 Speaker 1: administration is voted in Sean? 184 00:10:02,360 --> 00:10:08,360 Speaker 2: I think from a geopolitical perspective and US politics, many organizations, large, 185 00:10:08,360 --> 00:10:11,960 Speaker 2: medium or small do reflect on what impact, if any, 186 00:10:12,200 --> 00:10:15,040 Speaker 2: I think many think it would have on their operations. 
187 00:10:15,800 --> 00:10:19,960 Speaker 2: Trump's already indicated that he would impose tariffs on certain imports, 188 00:10:20,240 --> 00:10:24,640 Speaker 2: and I think that's alarming to some. But I think 189 00:10:24,640 --> 00:10:27,320 Speaker 2: the way we look at it is you, under your 190 00:10:27,480 --> 00:10:31,440 Speaker 2: risk management and risk management framework, are you assessing the 191 00:10:31,520 --> 00:10:36,559 Speaker 2: possibility of disruption in your supply chain? So those tariffs 192 00:10:36,840 --> 00:10:39,160 Speaker 2: and looking at you know, what does that mean to 193 00:10:39,280 --> 00:10:43,600 Speaker 2: the trade flows or the flows of cargo and disruption 194 00:10:43,679 --> 00:10:46,839 Speaker 2: to your supply chain? What are the consequential impacts, What 195 00:10:46,960 --> 00:10:51,000 Speaker 2: are there any retaliatory steps that other nations may take, 196 00:10:51,120 --> 00:10:53,880 Speaker 2: and therefore does that pose a risk in as far 197 00:10:53,960 --> 00:10:57,600 Speaker 2: as say, sanctions that may emerge. So I think what 198 00:10:57,720 --> 00:11:01,319 Speaker 2: may be predictable or in many cases a little unpredictable 199 00:11:01,800 --> 00:11:06,640 Speaker 2: from a new Trump office. I think it's running scenarios, 200 00:11:06,880 --> 00:11:10,840 Speaker 2: which is what we suggest to clients. But the 201 00:11:10,840 --> 00:11:13,640 Speaker 2: geopolitical risks when you look at that by itself a 202 00:11:13,760 --> 00:11:18,400 Speaker 2: Trump administration, We've also got broader issues such as what 203 00:11:18,400 --> 00:11:21,200 Speaker 2: we've seen over the last week with Israel and Hamas 204 00:11:21,280 --> 00:11:25,240 Speaker 2: are now conflict escalating and how that may disrupt supply chain. 205 00:11:25,600 --> 00:11:28,600 Speaker 2: Let alone, if there is any disruption within our region. 
206 00:11:29,160 --> 00:11:33,719 Speaker 2: I think it's more important that organizations consider what may 207 00:11:33,760 --> 00:11:39,200 Speaker 2: impact their business and take appropriate steps to run the 208 00:11:39,200 --> 00:11:42,200 Speaker 2: scenarios and understand how they would respond or what they 209 00:11:42,320 --> 00:11:45,440 Speaker 2: need to do within their supply chain. But more importantly 210 00:11:45,440 --> 00:11:46,760 Speaker 2: from a security perspective. 211 00:11:47,520 --> 00:11:51,439 Speaker 1: Okay, Sarah, there is positive news out of the survey. 212 00:11:52,360 --> 00:11:55,680 Speaker 1: Most enterprise risk management programs now include supply chain risk 213 00:11:55,720 --> 00:11:59,600 Speaker 1: as a core pillar. That's good news. What leads me 214 00:11:59,640 --> 00:12:02,560 Speaker 1: to ask, will attacks on critical infrastructure and critical supply 215 00:12:02,679 --> 00:12:05,040 Speaker 1: chains become more common? Do you think? 216 00:12:06,000 --> 00:12:08,760 Speaker 3: I don't think there's any doubt we continue to see 217 00:12:08,800 --> 00:12:11,880 Speaker 3: these attacks increase in both number and severity. Sean, I 218 00:12:11,880 --> 00:12:15,120 Speaker 3: think we're seeing it more broadly across all sectors and 219 00:12:15,200 --> 00:12:18,120 Speaker 3: industries year on year. These attacks continue to come our way, 220 00:12:18,400 --> 00:12:21,840 Speaker 3: both domestically and also internationally as well. In answering that, 221 00:12:21,880 --> 00:12:23,600 Speaker 3: I think we really have to remember where these attacks 222 00:12:23,600 --> 00:12:27,120 Speaker 3: are coming from. We're talking about incredibly well resourced and 223 00:12:27,160 --> 00:12:31,120 Speaker 3: sophisticated threat actors. 
Whether their motivations are financial, if we're 224 00:12:31,120 --> 00:12:34,280 Speaker 3: talking about a ransom, or whether it's just to disrupt, 225 00:12:34,559 --> 00:12:37,800 Speaker 3: these are big and lucrative enterprises. I think if we're 226 00:12:37,800 --> 00:12:42,480 Speaker 3: talking about infrastructure, and critical supply chain specifically, whether we're 227 00:12:42,520 --> 00:12:45,520 Speaker 3: talking about attacks from nation states or just well resourced 228 00:12:45,559 --> 00:12:49,880 Speaker 3: cybercriminal groups, these groups and organizations are intent on causing 229 00:12:49,920 --> 00:12:54,000 Speaker 3: disruption and accessing information when we're talking about critical infrastructure, 230 00:12:54,360 --> 00:12:57,319 Speaker 3: whether that be for now and sort of immediate attacks, 231 00:12:57,760 --> 00:13:00,520 Speaker 3: or whether it's to serve their best purpose at a 232 00:13:00,520 --> 00:13:03,760 Speaker 3: point in time that they choose to sort of launch 233 00:13:03,800 --> 00:13:07,040 Speaker 3: these attacks. I think when we talk about critical infrastructure 234 00:13:07,160 --> 00:13:10,439 Speaker 3: entities and the supply chains that resource them, they hold 235 00:13:10,480 --> 00:13:13,760 Speaker 3: significant valuable knowledge and data, and it is that knowledge 236 00:13:13,800 --> 00:13:18,800 Speaker 3: and information that these actors are intent on either disrupting, 237 00:13:19,320 --> 00:13:21,760 Speaker 3: learning from, or even stealing. And I think that's why 238 00:13:21,760 --> 00:13:24,439 Speaker 3: we're going to continue to see both nation states and 239 00:13:24,480 --> 00:13:27,880 Speaker 3: cyber criminals continue to breach critical infrastructure and those critical 240 00:13:27,920 --> 00:13:30,640 Speaker 3: supply chains that support them. 
At the end of the day, 241 00:13:30,640 --> 00:13:33,040 Speaker 3: I think when it comes to these there's a lot 242 00:13:33,080 --> 00:13:36,280 Speaker 3: at stake for both the attack and also the attackers 243 00:13:36,400 --> 00:13:36,880 Speaker 3: as well. 244 00:13:38,120 --> 00:13:41,400 Speaker 1: Matt. There is legislation coming in around this. It's Security 245 00:13:41,440 --> 00:13:45,280 Speaker 1: of Critical Infrastructure Legislation. It requires critical infrastructure assets and 246 00:13:45,360 --> 00:13:50,480 Speaker 1: organizations to have and submit a risk management program plenty 247 00:13:50,480 --> 00:13:53,640 Speaker 1: of detail in that it includes things like protections against 248 00:13:53,679 --> 00:13:57,880 Speaker 1: supply chain issues, cyber attacks, insider risk. The deadline's fast approaching. 249 00:13:57,880 --> 00:14:00,000 Speaker 1: It is the end of next month, applies to certain 250 00:14:00,080 --> 00:14:03,920 Speaker 1: businesses operating across different sectors. Matt, how prepared you think 251 00:14:03,960 --> 00:14:07,800 Speaker 1: Australian organizations are for this, and if they're not prepared now, 252 00:14:07,840 --> 00:14:09,160 Speaker 1: what should they be doing? 253 00:14:09,880 --> 00:14:12,360 Speaker 2: Thanks Sean, and I think when the legislation came in 254 00:14:12,520 --> 00:14:16,680 Speaker 2: twenty twenty two, certainly the reporting deadline now to understand 255 00:14:16,720 --> 00:14:18,360 Speaker 2: what they've got in place by way of a risk 256 00:14:18,360 --> 00:14:22,720 Speaker 2: management program, critical infrastructure risk management program. That first reporting 257 00:14:22,800 --> 00:14:25,760 Speaker 2: date on the twenty eighth of September is fast approaching, 258 00:14:25,800 --> 00:14:29,640 Speaker 2: probably fast approaching for a number of organizations. 
I think 259 00:14:29,640 --> 00:14:34,240 Speaker 2: from our experience it's clear those that are resourced have 260 00:14:34,440 --> 00:14:38,960 Speaker 2: responded or are responding and being prepared to report, but 261 00:14:39,160 --> 00:14:44,240 Speaker 2: many organizations at various sizes are not yet ready. I 262 00:14:44,280 --> 00:14:47,080 Speaker 2: think we're going to see a range of organizations really 263 00:14:47,760 --> 00:14:50,440 Speaker 2: try and rush to meet the deadline as it approaches. 264 00:14:50,480 --> 00:14:54,880 Speaker 2: But as with many of these new pieces of reporting requirements, 265 00:14:55,640 --> 00:14:57,760 Speaker 2: it's probably going to be unfortunate where we're going to 266 00:14:57,800 --> 00:15:02,280 Speaker 2: see enforcement or or a number of organizations held to account. 267 00:15:02,320 --> 00:15:04,840 Speaker 2: And once that's made public, I think we start to 268 00:15:04,840 --> 00:15:09,880 Speaker 2: see others then react when they see either penalty or 269 00:15:09,920 --> 00:15:14,680 Speaker 2: some form of discipline imposed on an organization. If I 270 00:15:14,680 --> 00:15:17,360 Speaker 2: put it that way, I think that the key for 271 00:15:17,440 --> 00:15:21,160 Speaker 2: directors to understand and management is really this could be 272 00:15:21,320 --> 00:15:26,040 Speaker 2: your license to operate and your supply chain. Your counterparties 273 00:15:26,600 --> 00:15:28,840 Speaker 2: will be inquiring as to what you have in place, 274 00:15:28,920 --> 00:15:32,160 Speaker 2: and the government expects that that is there, so it 275 00:15:32,200 --> 00:15:35,600 Speaker 2: will be plausible for an organization to ask what you 276 00:15:35,680 --> 00:15:39,480 Speaker 2: have in place. 
Equally, if it's then publicized that you 277 00:15:39,840 --> 00:15:43,880 Speaker 2: have not met the reporting requirements, that's where I think 278 00:15:43,920 --> 00:15:48,200 Speaker 2: there becomes a real issue around your continuity or your 279 00:15:48,240 --> 00:15:53,200 Speaker 2: ability to continue to engage with certain counterparties, be they government, 280 00:15:54,000 --> 00:15:57,280 Speaker 2: some of the high risk or prime contractors. It can 281 00:15:57,320 --> 00:16:01,160 Speaker 2: be a significant reputational piece if you don't get it organized, 282 00:16:01,240 --> 00:16:03,240 Speaker 2: and I think that's where management need to ensure that 283 00:16:03,240 --> 00:16:07,200 Speaker 2: they're putting appropriate time and resources to ensuring that they're 284 00:16:07,240 --> 00:16:09,680 Speaker 2: able to meet the deadline as it approaches on the 285 00:16:09,680 --> 00:16:10,840 Speaker 2: twenty eighth of September. 286 00:16:11,560 --> 00:16:14,720 Speaker 1: I suppose it's very quickly, Matt. Are most organizations who 287 00:16:14,920 --> 00:16:19,160 Speaker 1: need to meet this reporting deadline, They're fully aware that 288 00:16:19,160 --> 00:16:20,760 Speaker 1: they need to do it. 289 00:16:20,760 --> 00:16:25,320 Speaker 2: It's a really good question, because most organizations should be aware. 290 00:16:25,800 --> 00:16:30,040 Speaker 2: And really, where I hear surprises from organizations, it's where 291 00:16:30,080 --> 00:16:32,040 Speaker 2: they think they should be covered, but when they actually 292 00:16:32,080 --> 00:16:35,600 Speaker 2: do look into it, they aren't right. They aren't obliged 293 00:16:35,640 --> 00:16:39,720 Speaker 2: to comply, and they were surprised by that. So, yes, 294 00:16:40,080 --> 00:16:43,760 Speaker 2: organizations need to understand. 
I would like to think that 295 00:16:44,440 --> 00:16:47,840 Speaker 2: most are fully aware of the Security Critical Infrastructure legislation 296 00:16:47,960 --> 00:16:51,480 Speaker 2: now it's two years in and have been focused on 297 00:16:51,520 --> 00:16:56,520 Speaker 2: the reporting guidelines, but I think it needs immediate action 298 00:16:57,320 --> 00:17:00,400 Speaker 2: with US now about a month out from that report date. 299 00:17:01,200 --> 00:17:03,400 Speaker 1: Matt Sarah, thank you both for talking to Fear and Greed. 300 00:17:04,119 --> 00:17:05,560 Speaker 2: Thanks Sean, Thanks Sean. 301 00:17:06,080 --> 00:17:08,359 Speaker 1: That was McGrathNicol partner and head of Advisory, 302 00:17:08,440 --> 00:17:11,600 Speaker 1: Matt Fehon AM and partner Forensic, Sarah Deedey. McGrathNicol 303 00:17:11,680 --> 00:17:13,879 Speaker 1: is a great supporter of this podcast. This is 304 00:17:13,920 --> 00:17:16,359 Speaker 1: the Fear and Greed Business Interview. Join us every morning 305 00:17:16,359 --> 00:17:18,679 Speaker 1: for the full episode of Fear and Greed. Daily business 306 00:17:18,680 --> 00:17:21,080 Speaker 1: news for people who make their own decisions. I'm Sean 307 00:17:21,080 --> 00:17:22,440 Speaker 1: Aylmer. Enjoy your day.