Threat Intelligence

    Get Cyber Resilient Ep 109 | The cyber risk equation with Fergus Brooks, Executive Manager in Cyber Recover Planning

    On this week’s episode, we hear from Fergus Brooks, Executive Manager in Cyber Recover Planning within the finance industry.


    In this conversation we discuss the best way to approach the risk equation for cyber, we look at how we have gotten to where we are in terms of spend in defensive cyber. Fergus also talks to his time spent in the insurance industry and how that has helped is risk perspective. We finish by examining the understanding of impact when it comes to a successful breach with Foreseeable Maximum Loss.


    The Get Cyber Resilient Show Episode #109 Transcript

    Garrett O'Hara: Welcome to The Get Cyber Resilient Podcast. I'm Garrett O'Hara. I'm very pleased to be in conversation today with Fergus Brooks, Executive Manager in Cyber Resilience and Recovery in the finance industry. This conversation came about because I crossed paths with Fergus in a meeting, and really, really liked his perspective on detect, protect, versus respond, recover. He made a lot of sense to me. We get to cover some of his insights in this interview, including how to approach the risk equation for cyber, how we've gotten to where we are in terms of spend on defensive cyber. We talk about his time in the insurance industry and how that helped his risk perspective, then into approaching the understanding of impact when it comes to a successful breach with foreseeable maximum loss. Over to the conversation.

    Welcome to The Get Cyber Resilient Podcast. I'm Garrett O'Hara. Today, we are joined by Fergus Brooks who's Exec Manager in Sub Resilience and Recovery in Finance. Welcome to the show, Fergus.

    Fergus Brooks: Hi, Garrett. Thanks for having me.

    Garrett O'Hara: Absolute pleasure. We were just chatting off Mike. We actually met [laughs] like five years ago at a conference where you were giving a talk. So this is a long time in the making and very, very glad to have you along today.

    Fergus Brooks: Thank you.

    Garrett O'Hara: So Fergus, it would be great to get a, an understanding, obviously, you're, you know, we're working in finance and part of why I think we clicked on it. We were on a, a meeting recently and I think we were both [laughs] very passionate about this topic, but would be great to hear just how you got to where you are today and your kind of journey into the role you currently have.

    Fergus Brooks: Yeah. So I started out like many of us. I started out, you know, running around fixing printers and, and, and, and my back in the heady days of the '90s and early versions of Windows and those kind of things. And you know when I decided to sort of, you know, stay with my career in IT, then sort of worked up through, you know, various, various areas of tech, of technical support, et cetera, in servers. And then I moved into networks and management systems and those kind of things. And, and like a lot of us once you sort of have, you know, good skills in these areas, then you, you have a part role in security. You have a part role in sort of incident planning. And so I you know, sort of adopted security and got fairly you know, started getting some full-time jobs with security in the title and, and that kind of thing.

    Then you know, multiple different jobs, a few startups, a bit of this, a bit of that, some solution architecture work those kind of things. Then I ended up getting a role here in Australia, in in insurance where essentially I was advising an insurance company. The reason I bring that up is, it was and the clients of the insurance companies on, on cyber risk and cyber insurance. And the reason I bring that up, 'cause that was a bit of a tipping point that's sort of relevant to this conversation, and sort of changed the way I look at changed the way I look at risk and impact, which is some of the things we're gonna talk about today. And and since then have moved into a, you know, an impact-related role working in cyber resilience and recovery yeah, in the financial services industry.

    Garrett O'Hara: Fantastic. Yeah, look, you, you, you know, we're definitely gonna get into kind of risk and, and it does seem like, you know, these days cyber security breaches are basically inevitable. You know, we kind of see it every single day in the news. And, and my sense is we kind of need to work as if they're gonna happen in any organization. But one of the kind of things I want gonna get into is this idea of like a kind of huge over-investment sometimes in technologies and approaches that maybe assume that a higher and stronger wall is gonna keep the attacks out, but, you know, they don't often cater for that inevitable breach. Do you think that we've actually forgotten a key part of this cyber risk equation?

    Fergus Brooks: Yeah, absolutely. And I think, I think you know, the, I heard something very interesting yesterday. I was at a, I was at a conference and a former CISO of the CIA Michael Mestrovich was speaking. And he dropped a statistic that I'm not gonna forget for a while, which is cyber crime is on its way to becoming the third biggest economy in the world.

    Garrett O'Hara: Wow.

    Fergus Brooks: Which is something that I had to ponder. And when you mentioned, you know, these things aren't going away and they're not gonna stop. Of course, they're not gonna stop. It's a, it's a business. It's a huge global business. And and certainly over, over the lifetime of our careers, we've seen that progress from being random acts of vandalism, to being targeted financially based attacks and also nation-based state, state attacks. So, you know, so they're, they're gonna keep happening.

    And the thing is that the news media and, and you know, the general fear that gets propagated around you know, shows us that people are getting attacked all the time and not people, not organizations that are insecure or have lacked security practices, you know, you've had organizations like the NSA in the states actually, get, get breached, which is an interesting one to itself. So yeah, that's consistently it's gonna keep happening. So I guess in terms of the risk equation and I absolutely do think that we've got, so we've been looking at risk a little bit wrong in that, you know, the, the, the, the textbook definition of risk is likelihood times impact. And I think we've spent a lot more time on likelihood than we have on the impact. And let me sort of explain where I think that sort of came from.

    So if we look at if we look at you know, the, the defending ourselves against hackers from getting in, or, or from bad actors to getting into the network sure that will stop attacks. However, as we know the attacks keep getting in, and when we look at impact it was at different lens. So it's a different lens as to you know, what exactly is going to happen to us? And I think, you know the, the evolution of how we look at, at cyber risk and cybersecurity is what sort of is, is what has you know, we're focusing very much on let's keep the bad people out rather than sort of thinking, well, you know, we're not always gonna be able to keep the bad people out. So let's have a look at what happens when they get in.

    And that is sort of a lens once it's, once it's cast over, over use cyber risk and you look at cyber risk properly then I think that you get a more balanced view. And also you can start to look at some of the things that we're gonna talk about in a minute that can help to all sizes of organizations feel you know, that they're in a better position. And that if the worst does happen, that they're going to be able to get through it.

    Whereas, if you focus on the likelihood side of the risk equation and you spend your time blocking likelihood, you're gonna get caught unawares when they do get in. And you're gonna go, "Oh, we didn't think they could get in. We have all the cybersecurity budget in the world. We spent a lot of money on our defenses. We've built beautiful, big castles, but somehow the bad people got in. And now what do we do?" which is, which is a lot of organizations. And I've, I've worked with a lot of companies big and small over the years where it's, it's a very, very trying time when the people do get in and they're like, "Well, you know, we didn't think about this." So.

    Garrett O'Hara: And, and that's the real worry, actually. I think, you know, I've, I've heard many people talk about the emotional stress and the toil it takes as the, as that, you know, the WhatsApp message comes through saying are you aware of the issues? And, and people's kind of worlds fall apart and they don't get any sleep for, you know, four or five days. You know what? It would be right to kind of roll back a little bit here and, and sort of maybe do a little bit of a history lesson to, I suppose, understand how we got to where we are today. And I think it's fair to say, like, you know, attacks arose nearly as soon as IT emerged and, you know, businesses started kind of adopting IT for, for, you know, tool sets and productivity. And I think it's fair to also say that we've seen both the complexity of IT. And then in lockstep the complexity and cost of protection increase as we've kind of rolled through time. But then we also seem to see the risk is increasing at the same time. Right? So it's, it's all kind of counterintuitive. How did we kind of get to where we are today?

    Fergus Brooks: Mm-hmm. Yeah. And it's, it's an interesting evolution. It's similar to the evolution of, you know, i definitely in my career and, and probably somewhat of yours, but you know, it, back in the early nineties you know, the internet wasn't, you know, it was, it was in very nacent stages and it wasn't really used. So, so networks were by default sort of enclave, secure environments, you know, there, there was no getting in or out of the network. You'd have your local area network, you'd have your wide area networks, these are private connections et cetera. So your risks were really largely internal potentially from suppliers and this kind of stuff. But also technology at that stage just wasn't as ubiquitous as it is now. You know, you might have a PC on your desk. If you are one of the lucky few, you might have a laptop with a really bad screen. I don't know how anyone ever used those kind of things. You know what I mean?

    But but then as we moved further into the '90s and the advent of the internet, we started connecting people up willy nilly and and I put my hand up. I, for something I want to come out of the tone of this conversation is that I feel personally responsible here for what we are talking about in that we were running around connecting companies up to the internet for the first time. And I used to joke with customers saying, "Well, you know, you know that what you're connecting up to there is the wild west." And it was like, "Oh, ha, ha. Yeah, it's the wild west out there. Ha, ha." And I was like, "It really is.' But but it wasn't as bad back then for the reasons we talked about before, because there wasn't the organized crime aspect. There wasn't the targeted attacks, you know, except really what we, what I'd refer to as digital graffiti on websites and this kind of stuff.

    But you know, once, you know, the, the, the standard, you know, policy, well, you wanna defend yourself from, from attacks from the internet. Well, of course you don't just connect yourself to the internet. You can connect yourself with a firewall. You might get more advanced, get intrusion detection systems and this kind of stuff. You might add in other things. As things evolved, you know, obviously we started seeing email-borne threats and we started seeing services like like my [inaudible 00:09:42], for example, that, that that look at scanning, look at scanning for malignant traffic, you know, on the way in and bad links and this kind of stuff, which just become essential part of any toolkit any security toolkit. And that seemed to be quite good. Okay, we're blocking all of the traffic that some wanted to come in from the outside, but you know, and, and we also started looking at insider threats and these kind of things. But it was very, very much about keeping the keeping the bad people out.

    The other thing that's happened, which I mentioned briefly before is that, we've had this crazy adoption of technology. So if you look at the, you know, standard attack vectors, if we like, so how are the, how are the bad people getting in? So what they're tending to do is, they're tending to follow this vulnerability exploit chain, if you like, where, you know software in some way, shape or form will have a vulnerability either it's discovered after the fact or it's released with a vulnerability, et cetera, or software, a new version of it will come out, and it will need to be patched in order to get rid of vulnerabilities. And we can see, you know, everyone can see who has an iPhone or an Android phone. Everyone can see the constant security updates as they're getting all the time. And that's because new vulnerabilities are discovered.

    And so these vulnerabilities for a period of time if the exploits released before the antivirus signature or before a fix is released, we have what we call a zero day, or I like to call a zero hour attack. These things, and we've seen a couple recently, we saw the log forge one recently where we literally stopped IT and its tracks globally while everyone run around and fixing it, because for a window there, all of our defensive systems you know, all, everyone's defensive systems couldn't pick up this vulnerability, so I wouldn't see attackers trying to, trying to get to it. So I guess the point that I'm trying to say is that, rather than sort of stop and take a break and say, "Right, let's secure what we've got, and let's make sure that everything that we're running is secure and that we're not in this ridiculous cycle of patching and updates and patching and updates where there's a period of vulnerability." we've just kept adopting new technology.

    And I think that, that's, what's really been driven by end users, but it's also really been driven by, by the needs of businesses. So it's like, "I want that shiny new feature. I'm gonna have that shiny new feature." and that's sort of been attracting us into, into this. And with, and with that, to use your term and lockstep the, the the defensive capabilities have improved. You know, we've gone from firewalls to next generation firewalls. We've got network behavioral analysis. We've got all sorts of other fancy tools, very advanced security operations centers all of these kind of things, but still very, very focused on let's keep the bad people from getting in. And as long as we keep adopting the new technologies and staying in this sort of patch loop then we're gonna keep seeing you know, that, that we have to keep spending on that, on that defensive capability. So that's, I think that's sort of the trajectory is it's come through.

    Garrett O'Hara: And, and it feels kind of like an asymptotic approach right, to, to perfect security, but you'll never ever get there. Right? And you get these diminishing returns, you spend more money. The actual security outcomes get lower and lower as you spend more money, right? To your point, you do the basics really well, sometimes that's enough. And then you see organization spending money on it, really exotic approaches to security, but not really getting the outcomes. And, and this is a true story. I might have even told us on the pod before, but back in the early 2000s, as you were sort of talking through the kind of history there and the, you know, the wild west the results of the human error part. And, and I'll put my hand up and say that I was the guy and I'm embarrassed to say this back when I was a developer who set up [laughs] and this is so bad, an anonymous FTP side.

    So, like no, no creds required to get to it on a company that I was working for because I needed to, to share a data file with one of our customers set it up thinking, you know, "I'll flick it over. They can just get the file, and then, you know, obviously shut down the FTP side." Completely forgot about it. And then the next month, the MD walked into the open office with the the bill from the ISP. And he was red-faced and very, very angry. And I instantly, you know, one of those moments where your stomach just falls away and you realize, "Oh, no. Oh no, oh no." I'd forgot to, obviously, you know, remove the the FTP connection and whoever they were had started to use it to host movies like just sort of pirated movies. And our ISP bill was like ferociously high. So I was that guy, and my apologies to to the world for, for that.

    Fergus Brooks: Congratulations. I think you were early into the streaming media industry [laughs].[inaudible 00:14:30].

    Garrett O'Hara: Oh, like I, I was I was a victim. I didn't [laughs] I, I wasn't an active participant. It was when I went back to look at it, it was like, yeah, I just started looking through the the folders on the, on the the side. I was like, "Oh, this is not good." But anyway, there you go.

    Fergus Brooks: Just on that one, I think another thing is, you know, that's a sign that if something is left vulnerable on the internet, it will be found and it will be exploited. You know, and that's why, you know, some people think that I'm sort of saying, well, you know, like less of a focus on defense. Absolutely, you have to have a focus on defense, but I think there's a part of the equation that we're missing.

    Garrett O'Hara: Yeah. I would definitely agree. I would definitely agree. You know, we, we've sort of talked about it and as you kind walked us through the, the evolution there. I think one of the things that would take from that is there is increased spend and for many organizations, but we're seeing the continued breaches and, like, do you think it's actually possible to stop breaches? Like, is that technically even a possibility?

    Fergus Brooks: It, I, I kind of get asked this question all the time, and I think that no, [laughs], I don't, I don't think it is. I mean there's just too many, there's way, way, way too many variables. So yes, you've got multiple ingress at ingress points. You know, this is the whole reason why the zero trust is another, is another thing that you know, terminology that gets banded route. But you know what it's core, it makes sense. I mean, every single device that connects to your network and everything that you use is a potential ingress point for, for issues. And there's so many different types of them. So you've also got, you know, and, and, you know, people are always like, oh, you know, so people click the wrong link. You know, and still a lot of rents when a lot of cyber attacks, most cyber attacks are coming through in those kind of, in those kind of ways. Someone's accidentally clicked on the wrong link and people will say, "Oh, we, people click on the wrong link, and that, you know, that means that they don't know what they're doing, and they don't have enough user awareness training."

    But we've all been in a situation where we're fully stressed. There's a lot going on. We're trying to manage multiple things. We might be dealing with new systems. I had this happen to me a few years back where I was dealing with the system that I didn't really understand, and, and, and, you know, click, clicked essentially the wrong link. I mean, these things can happen. The other thing is, you know, this is really starting to come to a, to the forefront for a lot of organizations now is, you know, the, the supply landscape. So you've got your staff or potentially could be an Ingress point through doing the wrong thing, but purely by accident, no malicious intent. Then you've got your suppliers who, who have their own problems, their own risks and their own, you know, they, they may be connected or in some way, but, you know but they'll definitely have, you know, your contact details in their email or contact, which means that you are likely to get the, the ransomware emails or whatever that come from them.

    But then you've also got malicious intent on the insiders. You've also got nation state actors. So, and you've also got the third biggest economy or the burgeoning third biggest economy in the world. So I can't, I can't see how the inertia is gonna stop. And as I said earlier, if you don't if you don't draw a line in the sand on systems and you keep adopting new technologies, it's, it's a, it's a ripe playing field for the bad actors to be able to find exploits and vulnerabilities and go looking for looking for things of value which is, which is, you know, which is proven to be a successful business model through extortion and theft of, theft of data, you know.

    Garrett O'Hara: Yeah, absolutely. You, you remind me, and it kind of harks back to what you said at the startup Bruce Schneider's famous quote about, "We're forced to trust everybody, but we can't trust anybody." but everything is so connected. And I see two kind of parts to the supply chain problem, which is that, you know, the human trust connection, which is needed.

    You can't do business without that existing. But it opens up communication channels that are, can be exploited, but then the supply chain, you know, the digital supply chain were, and I think you referred to you love for J is an example of an open source library, but, you know, solar winds, you know, that, or to say anywhere where you can see kind of an upstream attack that gives you one to many sort of breach approach. It's so incredibly complex and, and short of, you know, waiting for the updates, which poses a risk in, in and of itself. You're, you're sort of forced to take the updates at face value that they are secure and that they are safe, but you know, what do you do? So I agree with you, I suppose, is the point there. I, I literally kind of see a way to, you know, fully stop breaches.

    Fergus Brooks: Yeah. I think on that, I think on that solo win one just 'cause I, I just, I just love it. I, I think in terms of, like, an attack, it was so well thought out. But it is really, really scary when you think about this concept of compromising the update servers. So you think you're doing the right thing and then you're also getting an update going in there. But also in terms of the target you know, I spent a lot of my time in networks and network management. Network monitoring tools see all [laughs]. That's what they're designed to do, network in the solar wind suite. They have a packet sniffer as part of that suite, which means that unencrypted traffic could just be picked up in plain texts coming across the networks. So it's like, yeah, I, I think, you know, and, and as long as there's money in it, they're gonna be more creative.

    Garrett O'Hara: Yeah. Yeah, that's it. And, and I think about this all, like you said, it's like an industry, right? It's the third biggest economy in the world. And the way I almost see it is like tech platforms in Silicon valley, which are looking for innovation and new ways to do things. It's a business. They're, they're gonna kind of approach it in exactly the same way. And they've got all the time in the world to figure things out. And, you know, vendors like ourselves, we'll always be slightly behind and that applies to every single vendor because we're waiting for them to think of the new thing.

    And then we have to figure out how to protect against that. So, yeah, I don't know how you fix that problem. Look, we, we, should be talking about breaches here quite a lot. And, and when we think about those and, and definitely in our industry, I feel like we have a tendency to think about cyber security first and then sever resilience kind of comes after that. You know, to your point, you build a castle walls, but you don't really think about what it means if those walls get breached. Here's, here's a bit of a curly one, but, like, before we get into that, how did the, the term cyber actually emerge?

    Fergus Brooks: It is a curly one. It's a very good question. And I, I think I think you know, we've been wondering about this a lot lately, and I think, I think cyber on its own has started to develop a little bit of enmity. You know, it just gets banded around so much. I think that people have sort of been going on cyber this and cyber that. But I think we go back to, back to the start, you know, as I was talking about before. You know, it was information IT. We, we worked in IT. Technology is IT? And then you know, we started to see the advent of IT security. And with IT security, you know, came, you know, this concept of the attackers and the, the hackers in hoodies, if you like, mentality and the whole cyber thing. But to me, I was a little kid sitting in front of the television when I came home from school. Cyber to me was a, was a robot on Dr. Who.

    It was a, it was a silver robot. They were quite nasty if I remember rightly and there was cyber men and this kind of stuff.

    Garrett O'Hara: Nice.

    Fergus Brooks: And then, and then later on in life, and we sort of started to see a creep through, and then later on you know, we also saw, you know, the William Gibson's neuro started to get a lot of airplay and he started coining the term cyberspace. And this is when we really started to consider things like virtual reality and this kind of stuff, and had sort of movies like Tron, you know, casting the, the digital Enemy and all this stuff that was just, you know, fairly unrealistic [laughs] going off in there it's, and, and at some stage it sort of got banded with cyber. I think the, the, I did some work with the company who's gone out of business in, in Korea.

    I was installing firewalls for them amongst other things. And they were called Cyber Patrol. And this, this was way back in like 1999 or something like that, and they were called cyber patrol, and their concept was that they had ideas system outputs in their cars and these little cars that said Cyber Patrol, so they could run around from building to building and see if there were intrusions and all this kind of stuff. It was a great concept. But they decided that they needed to have every type of firewall in their infrastructure, which just made life extremely difficult for all this kind of stuff. But it was, that's the first time I really started to see, you know, cyber become a ton. I think cyber's become synonymous with, with, with the hackers in hoodies, with the bad guys, with the organized criminals, with the APT sets and your fuzzy bears and all, all of that kind of stuff.

    You know what I mean? So, so that's and that's, that's where cyber sits. And I think what that has brought along with it is, is it tangible Badie for the media to latch onto. Yep. And it's something to, you know, we, we all know that fear sells and it's something to, something to, to, to hitch that wagon to, if you like, is the fear of these bad actors gonna come and steal your digital children. And I think that what, you know, and therefore, that's cyber. The other thing is also cyber's allowed us to somewhat disconnect the concept of IT security or components of IT security from the IT component of it, which is the servers, the systems, the, the workstations, the phones, the, the cloud-based systems and all these kind of things that, that we use, the networks, of course from, from the information technology.

    And so, when we start to look at things, like you know, impact, which we'll talk about shortly, when we start to look at things like impact these are technology assets that are being impacted. These are technology assets that are becoming vulnerable. The security of technology assets is as good as the people who manage them and as good as the people who run them. Cyber has become a whole world. And it's a, it's a whole industry unto itself, which I've been a part of for, I think my first title in cyber was about five or six years ago. I had cyber in my title, I was like, "Ah, I've got cyber." Then someone bought me some cyber man socks, and I wasn't, I wasn't sure, I wasn't so sure about it [laughs], if I liked being tagged with the side, with the cyber name. But I think, you know, sometimes I think it can be a little bit of a Fugazi and a little bit of a distraction away from what the core problems are and what the core issues are that are, that are facing people.

    And that sort of goes back with the wow that, you know, they've, they've gotten in and now we're in trouble. And now we've got a situation that we, that, that, that's gonna cost us a lot of money or could potentially un- be unsurvivable. Cyber didn't tell me about that. Cyber told me about keeping the bad people out. So I think that cyber's, cyber is its own world but information in IT security and the, and the security of the IT systems needs to sit along, alongside that, if you like. So it's a, it's a, it's, you know, proper security is a, is a, is a group effort between the cyber teams who are keeping the bad guys out and who are focused on the bad guys and the threats and those people who are focused on, to your point, resilience which is not just a cyber thing.

    Garrett O'Hara: Well, so let's, let's get into that, actually. So, you know, that, that's cyber security versus resilience. Like, what are your thoughts of this? You've mentioned things like the risk equation and, and likelihood time's impact. Like, let's go through that, like from your perspective and get your thoughts on that.

    Fergus Brooks: Yeah. So, so I think you know, like, and I started doing this. So, so what happened when I was when I was at in the insurance industry and it was just really, really steep learning curve. And I had, I had fantastic mentors who were very patient with me in terms of, you know, they wanted to make sure that I had enough insurance knowledge to be dangerous. I think that was the general joke.

    Garrett O'Hara: [laughS].

    Fergus Brooks: But it's, but it's a whole new world you know, coming from IT into cyber. And it was really interesting... sorry, coming from, from, from IT security into insurance 'cause it was a very different way of looking at things. And obviously, we were looking at cyber insurance, and, and the, the term was introduced to me quite early on foreseeable maximum loss. And I really, I really like the term just 'cause it's got a ring to it, but it's very, very, very bad [laughS] what you're calculating when you're looking at.

    And it's like, "All right." Well, so if we take you know, something that can trigger, trigger a policy, so, you know, a ransomware event, for example then we need to start looking at the quantum of loss. So for insurance purposes, they'll look at it so that they, you know, you can work out what sort of, how much insurance you need. How much could we potentially lose if we had this kind of incident. You know, if you've got a building it's pretty easy. If building burns down, cost to repair it or the cost to replace it, that's all quite straightforward. Ship, same thing, ship sinks, which cost to replace it, et cetera. In cyber and, you know, this has always been said, or cyber risk or insurable cyber risk, cyber risk is incredibly hard to quantify.

    And that's because we go back to the, to the, to what we talked about is you gotta go back to the likelihood times the impact. but if we take the likelihood out of the equation and we just look at the impact alone, and there's multiple different things that can go into it. But I would say that in my mind impact's actually easier, probably easier to calculate than likelihood. We, we don't have the data, you know. Insurance depends on data, but we don't have the data. We don't have 100 years of historical data on cyber attack trends and those kind of things to look at likelihood. Could it happen? It could happen anytime. How do you put it probability on that? So that's, that's an interesting one. But if we looked purely at impact, then we can start saying, "All right. Well, so what's gonna happen here?"

    Well, you know, you've got the cost of the cleaner. So you've got incident response costs, you know, incident, response management services, whatever, you've got, you've got the cost of the cleaner investigations, forensics, those kind of things. Then you've got the business interruption. So, you know, in a case of a ransomware attack or something like that ransomware or malware, you're gonna have multiple systems impacted that you're gonna need to rebuild, but you're gonna have a loss of services, services to your, to your organization, to your customers, this kind of stuff. So that's gonna go on for a period of time. How long that goes on for, is, is, is something that we can calculate. You know, the organizations know how much money they turn over a day, you know, so, so, and if that's impacted, they know how much that, that calculates.

    And then you move F-further into the world of, well, there's also some things. You've got legal fees, you need to have lawyers involved, especially if there's data involved and you might need to report to the, to the [inaudible 00:28:22] I call the officers the information commissioner or the privacy commissioner, always get in trouble for using that acronym. But and then you've also got other things like you know, cost to restore data, all of that kind of stuff. Maybe system replacement, et cetera, et cetera. And then you move more into the long tail cost, and long tail costs is where we start looking at fines and penalties. I mentioned a privacy commissioner. If you don't notify within 30 days, you're gonna get a fine. But you've also got, and there's other regulators out there, depending on what industry you are, who can incur their own fines and penalties. ASIC is not afraid of, of of throwing the book at companies who are, who have been negligent and not looking after their cyber affairs, if they're not regulated elsewhere.

    And then you've also got big problem with data breaches. You've got the long tail of of civil action, you know. so, so people, and we see it all the time is class actions. They're getting past 500, 600 million in settlements in the US for some of the larger ones. So so, you know, I mean, that's not all of them. That's just to give an indication. I usually forget a couple, even though I've recited that list about 400 times [laughS], but they once they're bundled all together this is a moment you know, when they do, when an organization doesn't risk profiling or they sum all this stuff up. It's, it's, it's a good time for the CEO and board and maybe the shareholders of just smaller company to sit down before they get told what this number might be.

    [laughs] 'cause it's a, it's a big number. And so, they call that the foreseeable maximum loss. And when you start thinking about foreseeable maximum loss, you start thinking about, "Well, hang on a minute. If they do get in, what are the different, what are the different areas that we can work on in advance? What are the different things that we can do in advance to reduce that impact after the fact?" And often, they're not, it's not that difficult. But one of the things that I will say, and I was gonna mention it before is that it's very, very subjective when you're looking at impact. Ev- every organization's gonna be different. And when you look at the reduction of impact, every organization is gonna be different, different, and, and you know. Certain, certain times in my life, I would've loved it if there was a product out there that could just help you out [laughs] with reducing an organization's impact.

    But it really has to be driven by the organization itself. So the where the, you know, where the IT security industry with, with, you know, software, defensive software, defensive firewalls, IDS systems, and all this kind of stuff. These things are, are products that can be fit to multiple different organizations and can provide a similar service to multiple organizations, and I guess that's why they've proliferated so much. But in terms of looking at impact, this is something that the organizations have to do. But I really like to start with and a lot of, you know, my customers over the years have really started, you know, have really liked this. Let's look at the quantum of Foreseeable Maximum Loss, or just FML for short and see how we can start chipping away at some of those things. And hopefully also become a better, you know, a better organization in the process.

    Garrett O'Hara: Definitely. Is, is is it an accident that FML actually means something else as well? Which, obviously I won't be able to say on this podcast, but once the, once the listeners to Google afterwards.

    Fergus Brooks: It's, it's.

    Garrett O'Hara: No, that's just a happy coincidence.

    Fergus Brooks: It's a happy coincidence, but they're both pretty bad.

    Garrett O'Hara: Yeah, [laughs] they certainly are. Look, as you're talking through that it sounded similar to a lot of things like fair you know, as a way I can do risk analysis and roll up of, you know, that, that sort of quantifiable dollar value of impact for risk. In your industry and in, like, in your experience over the years, like, have you used frameworks like that? Like, is, have you just talked through a framework there or is that something you've just learned through kind of your you know, being in the trenches and, and working through this stuff?

    Fergus Brooks: Yeah. I mean, so, fair, fair, fair is great. And a friend of mine is the I wonder if you're still the chapter head for fair in in Australia. We've had lengthy conversations about the relationship between FML and fair and way insurance industry look at it and, and this kind of stuff. So, yeah, I mean, the frameworks like that are excellent because, you know, they, they allow a scientific approach and they can also allow benchmarking. Yeah, so, so, and, and that is great, and I think it probably a good point to say here, got, the, you know, there's big organizations with big risk management apparatus big, big budgets, deep pockets, this kind of stuff, you know, where they can adopt methodologies like fair. They can adopt all sorts of things. They can look at specific frameworks. They will have insurance calculations done.

    They can drive change through the organization through risk management, through enterprise risk management. You know, there's a clear channel from senior executives down through to the people in the trenches doing the work, et cetera, et cetera, all in the interests of reducing risk and, and reducing this stuff. And, and and, and that, you know, that is, that is, that is underway. I mean, large organizations, insurance companies, I think early on said for the first time back it was about six or seven years and they, when they put cyber risk at the number one risk, right, that they considered for, for all organizations, which, you know, by, by bypassing climate risk bypassing competition risk, you know, the ones that have always been up the top of the list. So, so it's there. So, I mean, so organizations, you know, so what I'm saying is, large organizations, risk-focused organizations are, are, are gonna always working towards getting better and doing what they can, you know, and, and that's, that's gonna be happening.

    I think once you start getting to do what I like to refer to as the big middle, and, you know, in Australia, we've got, I something stupid like 93% of businesses in this country turn less than $3 million a year. That's, I'm pulling out a couple of fancy stats, this [laughs] this conversation. So there's, there's, there's a bigger area of organizations that's not so well-serviced. They don't have access to big four risk consultants and these kind of things where and, but what they do have is the, is the news media, and what's been fed at them about defenses and this kind of stuff. And the things that they see advertised. We need firewalls. We need this. We need that. You know, it always needs to be better antivirus and all that kind of stuff. So they're less likely to have considered impact considered foreseeable maximum loss and considered impact hence why you get from a lot of smaller, smaller organizations when they have an attack it's complete bewilderment.

    Whereas I think, you know, the more mature risk management organizations have have gone further down that path. So I think fair, what, is an excellent framework, but I think probably sits more at the larger end of town for the more risk aware organizations that are trying to get a really accurate quantum which is great. But I think what we're talking about here today, can sort of be used as a, you know, like in a back of your mind approach. What's the impact? What's the reduction on impact that this is gonna have? Where, what, where is that gonna put us in terms of being able to get our business back up and running quickly after we have one of these incidents with minimum amount of damage.

    Garrett O'Hara: Yeah, I get you, do you... sort a couple of questions based on what you've said there? I might start with the, the actuarial data, actually, 'cause I think that's probably a, a quicker one. You, you know, you mentioned that we don't really have the data to understand likelihood which I, I get. Do you see that kind of building up over time where, you know, for any individual organization, you know, it is throwing a dart and, and sort of trying to guess kind of thing based on probabilities. But do you feel like that's getting, we're starting to dial that in a little bit better, you know, based on the organizational profile and maybe some even basic auditing. You could maybe get a sort of rough idea of, of the likelihood of a breach and, you know, then, then impact being a separate thing. But, like, do you see that actuarial data improving?

    Fergus Brooks: Well, It's been a couple of years since I've been outside of insurance now and, and, you know, the act actual data, I wouldn't have understood [laughs] anyway. I have conversations with, with the actuaries and they sort of look at me with this like, "You are a bit of a cowboy, Fergus type look on their face." So, well, I don't understand enough, but you know, the claim, you know, definitely claims data from insurance is definitely increasing 'cause we're saying the claims all the time. Insurance, cyber insurance has become harder to get because of all the claims. So there's definitely a lot more data have come in since I left the insurance industry and that kind of stuff. And I think we're also seeing with initiatives like the ACSC you know, being a central focal point for all sort of breach and cyber attack type information that they're building up quite a lot of data, but the data is improving. So yeah, so understanding and we're also getting better understanding of impact as well.

    Garrett O'Hara: Yes.

    Fergus Brooks: So, so because we're seeing what, what is actually happening and there's some big name, big name events out here. When I talk about those costs of, of, of things coming out, that's coming from actual, that's coming from actual attacks that have happened that are well publicized. Some of which we've had very close to home in the last couple of years. So yeah, I think the data is getting better. But still at the end of the day, cause of the number of variables in there and the fact that every single employee and supplier is a potential, potential and potentially customers are all potential ingress points for cyber attacks, then, and, and, and this stuff never sleeps. It's, it's hard to say seasonal, et cetera. We know for example, that more cyber attacks come around. Things like cyber Monday and Black Friday, cause it's a large online, online festivals. We know that but in terms of, could I get satisfaction as a small business owner? The chances are I'm not gonna get attack between now and the end of the year. I'm not betting any money on that [laughs].

    Garrett O'Hara: Yeah.

    Fergus Brooks: Cause I just, I just don't have the probability right.

    Garrett O'Hara: Do you see a shift 'cause I think there's a, a well-understood problem with SMB and probably even into sort of medium sized enterprises in Australia, where, to your point, they will know about defensive stuff and they'll probably do some AV and Streamer Gateway, et cetera, et cetera. But the impact side of things, the resilience side of things isn't really well understood. Do you feel there's a shift happening there? Like the zeitgeist is, is moving towards a, a direction where impact is being thought about by more organizations?

    Fergus Brooks: Yeah. I mean, I'm, I'm, I'm hoping so. And again, I was, I was at a conference yesterday and I, I've been engaging the waters, you know. COVID didn't really give us a chance to see how, you know, other people are thinking, but certainly in the last 12 months I've seen a lot of shift towards you know, towards recovery, recovery planning this kind of things. How do we get our systems back up and running that kind of stuff.

    And I think, you know, certainly, you know, attendees at this conference were from the, from the bigger end of town. But I am seeing a lot more of that, I haven't necessarily seen it being filtering down to the medium size businesses and the, and small size businesses, the big, the big middle and below at this stage. I think it's very defensive focus, and, you know, as little as I don't know, as little as six months ago, I, I was in some simulation that was being run on a ransomware attack, and you know, the topic came up of, of all the impacts going in, and, and, and the person actually said, actually said, "Well, you know, I dunno why we're going into all this detail, because we wouldn't be having a ransomware attack if they can't, if they can't get in, in the first place."

    I was like, that, and that's taking the conversation back 10 years, I think. So, so there's a bit of work to be done I think in terms of, in terms of awareness. And I think that maybe there's not been enough focus for the, for the SMEs and, you know, it's, it's very easy to go, "Oh, that's, that's a big company. They got attacked and they this and they that." You know, I'd go on the phone, oh, it's bad, seven or eight years ago, you know. From a small manufacturing company, they had their own IP based down in Adelaide. And this guy was the CEO managing director, whatever you wanna call him. And he was, he was in tears on the phone. He had a ransomware attack and but what had happened was, even though he had a fancy backup management system, they hadn't configured it correctly.

    And the directory that had a lot of, a lot of their card drawings and IP was gone, was gone for good, you know. If, and, and he was left for the ultimate choice of paying the ransom or not paying the ransom. Now, now this, and I don't wanna go down that rabbit hole, but this, this that level of duress that, that individual and his management team was put under and the situation circumstances that, that put the company in, he had no idea that that was what was gonna happen to him. And when, and when he found out it was, it was absolutely terrible. And I think, you know, the, the, there has to be a bit more awareness that, you know, it's, it's, yes, it's a bad thing, but with some forward planning and some thinking and, and integrating some of the stuff that we, we've talked about into your security strategy or into your spending strategy that you can soften the blow. If, if that does happen on the provison that this is gonna happen, [laughs] if we go back to where we started.

    Garrett O'Hara: Yeah, definitely. And I mean, it sends me, like, the, what you've called out there is the absolute requirement to test any, you know, plan that you put in place. So, you know, if we did get ran more, do the backups work and at least that way you figure out, okay, it wasn't, it wasn't configured correctly. And you know that before the, the worst thing happens. You, you've sort of started to touch onto the next question. And, you know, Gartner talk about this idea of MVC Minimal Viable security is, is what they describe it. So the idea being that organizations spend enough, but they don't overspend on defensive cyber. And then the idea is that they balance that with cyber resilience and to your point, the, the things that you can do to mitigate the impact you know, respond, recover. How, like, how do you see that playing out?

    Fergus Brooks: Yeah. So, I mean, I, you introduced me to that Gartner report, and I, and I've read it and I've read it and extracted it quite a few times. Garret, thanks for that. And yeah, I mean definitely, I mean, I disagree with one of the tenats in that report in the, in it sort of says, you know, think about slashing your defensive spending, you know, down to a minimum defensive spend, you know, based on the fact that they're gonna get in. I mean, that sounds nice, but at the end of the day, you still want, it's much better if they don't get in. So, you know, I think that everyone should still have a very, very heavy focus on defensive strategies. You know, everything from defensive tools to, you know, to incident response planning, to, to make, to making sure that you are you are ready and you're prepared and the blast radius isn't gonna be too big, and, and all of that kind of stuff I think is, is absolutely important.

    But, you know, if you've got, you know, when you're talking about limited IT budget then yeah, it's, it's, it's a good idea to start looking at how to balance that, you know, rather than sort of shift your spending all the way from over here to over here, because one of the reasons why we've got a gap is cuz you focused all the way on one side here, then focusing all the way on the other side. It's gonna create a gap in the [laughs] other areas, so don't shift your gaps around.

    Garrett O'Hara: Yeah.

    Fergus Brooks: But look at balancing it out. And once you start looking at the lens of impact and you look at what costs you the most money, can cost you the most customers, it can cost you the most reputational damage, like big, long-term, long tail damage to the, to the organization and start factoring in those risk reductions. And you know, but, but definitely having a balance I think is, is, is where organizations should be going and and, and, and at all shapes and sizes.

    Garrett O'Hara: Yeah. Yeah, that absolutely makes sense. Fergus, we basically have hit time which seems bizarre. Feels like we've been talking for only 10 minutes. I'm glad after five years we finally got to record something together. And hopefully it won't be the last time. I think there's probably plenty more to to talk about here. So if you're up for it, maybe we'll get you back on in a couple of months and then sort of go next layer down on this conversation. But thank you so much for joining us today.

    Fergus Brooks: Oh, it's been my pleasure, Garrett. Always great to chat. Thanks very much.

    Garrett O'Hara: Thanks so much to Fergus for joining us. And as always, thank you for listening to The Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like, subscribe and please do leave us a review. For now, stay safe and I'll look forward to catching you on the next episode.


    Back to Top