Recorded live at WatchGuard’s Impact Partner Conference in Bali, Indonesia, this episode features Henson Yem, CIO and Technical Services Director at Tang Technology. Henson joins Marc Laliberte and Corey Nachreiner to discuss the evolving cybersecurity landscape across Australia and APAC, including emerging threats, the growing impact of AI, and the challenges organizations face in strengthening their security posture. The conversation also explores how MSPs can help customers build resilience, improve security maturity, and navigate an increasingly complex threat environment.
View Transcript
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 Security Simplified. I'm your host, Marc Laliberte, and joining me today is
Corey Nachreiner 0:06
Corey the Bride Nachreiner. Marc, why did you bring me to a chapel?
Marc Laliberte 0:11
Because it's beautiful, Cory, and I love you.
Corey Nachreiner 0:13
Oh no, that's a first. You heard it here, folks.
Marc Laliberte 0:17
Yeah, we're gonna have to edit that one out. But anyway, on today's episode, we are coming to you from Bali, Indonesia, at Watch Guards Impact Conference for the APAC region, and joining us is Henson Yem from the great Down Under. Oh God, please don' t murder me. But where we're going to get some interesting takes on cybersecurity for SMBs and MSPs in your neck of the word woods. So, Henson, thank you for hopping on.
Henson Yem 0:42
Thank you for having me.
Marc Laliberte 0:43
Yeah,
Corey Nachreiner 0:44
world woods all the same. Yeah,
Marc Laliberte 0:46
exactly. Let's anyways, let's go ahead and hop on in
Corey Nachreiner 0:50
like a kangaroo, like Australia,
Marc Laliberte 0:52
like a kangaroo. So Henson, we're gonna switch things up from how we normally do it, and I want to start with some like rapid fire questions to you to just kind of set the pace before we dive into really your view of cybersecurity. So, I guess first we'll start with Name
Henson Yem 1:08
Henson Yem .
Marc Laliberte 1:09
Job
Henson Yem 1:10
Technical Services Director slash networking cybersecurity
Marc Laliberte 1:13
company,
Henson Yem 1:14
Tang Technology in Perth, Western Australia.
Marc Laliberte 1:16
What was your first job in cybersecurity?
Henson Yem 1:19
Fixing an Apple Two computer got infected on a floppy disk.
Marc Laliberte 1:22
Pretty sure that's older than me.
Corey Nachreiner 1:24
Yeah, I started on a trash 80, but I used to have trash 80 as well. Yeah, we'll talk about it. How
Marc Laliberte 1:30
long have you been a WatchGuard partner?
Henson Yem 1:31
Three to four years.
Marc Laliberte 1:32
Okay, good deal. What's your favorite password?
Henson Yem 1:36
Oh, can't give me that information. Don't
Corey Nachreiner 1:38
forget the credit card number. Good answer.
Marc Laliberte 1:42
Gene. favorite
Henson Yem 1:44
pet dog. Okay,
Corey Nachreiner 1:47
favorite Australian Rules football,
Henson Yem 1:48
Hollywood.
Corey Nachreiner 1:49
Hollywood, okay?
Henson Yem 1:51
Favorite,
Corey Nachreiner 1:51
oh, sorry,
Marc Laliberte 1:52
no, go ahead. How
Corey Nachreiner 1:52
are they doing?
Henson Yem 1:56
Could be better.
Marc Laliberte 1:57
That's fair. Favorite hacking movie,
Henson Yem 1:59
antitrust.
Corey Nachreiner 2:00
Wow, that's a new one. Mark, we always get the typical hackers or war games, which good movies,
Henson Yem 2:07
very good, but antitrust antitrust,
Marc Laliberte 2:11
but it's entertaining, right? Worst thing that a client can do as a client of an MSP:
Henson Yem 2:18
underestimate the total cost of the project to implement cybersecurity correctly from birth to death, and the ongoings of it. It is not a one size fits all. I feel like a lot of companies don't realize that as well, too, until it bites them at some point.
Corey Nachreiner 2:35
The follow-up, though, is it might be a higher cost than they think, but I assume it's actually a much lower cost than suffering the actual threat.
Henson Yem 2:43
Unfortunately, cybersecurity falls into the category of insurance. People always say it's a cost, and does it really work, and do I need it when you get burned? Yeah, you realize to be retrospective. Yeah,
Marc Laliberte 2:57
so how about the best thing a customer can do?
Henson Yem 3:00
Yeah, except that they don't know everything, and seek good advice, that is
Marc Laliberte 3:05
like sage advice for like everyone, even outside of cyber security, be
Henson Yem 3:11
prepared to offer, and except you don't know everything, yeah,
Marc Laliberte 3:14
man. And how about dream job?
Henson Yem 3:16
As I said, probably a carpenter,
Corey Nachreiner 3:19
yeah, making carpenters awesome. Yeah, I watch a lot of YouTube videos where they do nice, and I think the actual blacksmith parts, oh yeah, but when they get to lathing the handle and the carpentry, there is pretty cool. So
Henson Yem 3:30
they're things I watch on YouTube, the kids going, "What are you looking at? Oh, we're making a fishing hook or make a table.
Corey Nachreiner 3:36
Perfecting a craft is something you do by hand,
Marc Laliberte 3:39
that's something I would love to do, but I'm the clumsiest person on the face of the earth, and I feel like I would just lose fingers over time if I tried to pick up, like, carpentry or anything. With
Corey Nachreiner 3:48
he says that, but he's a great soccer player, he's really shattered
Marc Laliberte 3:52
my collarbone playing soccer. This is case in point here, but anyways, Henson, let's go ahead and jump in, and so we get to talk to a lot of partners around the world, but like being based in the US, we mostly speak to like American partners, sometimes European, and so our kind of worldview for cybersecurity tends to get focused up in that part of the world, and I'm really interested in reshifting and seeing like what it's like for you down on the in the southern hemisphere, and specifically within Australia, because I'm willing to bet there's a lot of similarities, but still some pretty big differences between what you and your customers deal with versus the rest of us up in the US or across the planet, and I guess the first question I want to get into is, when it comes to discussions with your customers and SMBs, what are some of the big cybersecurity concerns that you hear from them that maybe we don't get elsewhere or maybe we do?
Henson Yem 4:48
I, you know, I have traveled and I've seen there are common complaints or issues. The first one is they're overwhelmed, you know, nobody really can deal with the whole magnitude of. The security problem, and the people we talked to at different levels in the management structure, CSOs, ICSOs, CEOs, CFOs, they're all in it, they all have a component to play, and then just the small to medium business owner goes, "Look, how do I deal with this? At that level, they just say, "I know I've got to do something, just fix it, and it does transverse right through the corporate structure, the same thing. They are overwhelmed, they know they have to be compliant with security. There's a million frameworks out there now, which is really bizarre. Australia
Corey Nachreiner 5:31
has some big ones, even for the SME. The essential aid is the essential aid, yeah, the
Henson Yem 5:36
essential aid is floating around, and now we've got other ones that are floating around, and then it's.. it's not uncommon to have a client will come to you and say, can you just give me something that matches this framework and this other one as well. Oh, I said, you can't have both. Oh, and this third one as well, can we be GDPR? And I'm going, okay, you really don't get this. It's not like buying a photocopier or putting in a dishwasher and air conditioner. They do really see it as a isn't this just this thing I do, much like they purchase software licenses, you know. We can digress and go into other areas, but they, the market is a bit confused at the moment. Too many people are just looking for one fix, apply it, and I've done my job.
Corey Nachreiner 6:16
Product, they can turn on and throw in a lot. Obviously, now we
Henson Yem 6:19
have other legislative and legal accountability boards are accountable now for cybersecurity, and obviously when there's a breach that happens, you see the ambulance chasers running along, suing people and trying to get damages. Well, that I disagree with that. I think finding is not a solution to the problem. I think education is defined frameworks are comp compliancy framework to measure against, will allow people to achieve what they want. Let's
Marc Laliberte 6:48
say this is like a, like, devil's advocate, a good problem to be having, because it means they're actually like interested and coming to you with questions. I think about, like, 1015 years ago, where maybe you weren't even having those discussions with people, you were trying to tell them, hey, here's what we need to do to help secure business, like, here's some frameworks we could try and follow, and, like, without the, I don't know, the, like,
Corey Nachreiner 7:11
the awareness, they wouldn't come to you.
Henson Yem 7:14
There's been a shift in the way the business in the SMB and the MSP market works, in that you have less sales people involved, you have more engineering people involved, so you're correct. The clients come to you. So, what did the sales person do? They just do the paperwork. The engineering team are now working with the client to understand the problem, to learn their workflow, to learn their organization, to then build them a solution or a cybersecurity stack, and being a customized solution for cybersecurity tends to be the winning outcome, not just, okay, this is the product you need,
Corey Nachreiner 7:50
yeah,
Henson Yem 7:51
yeah, and that only comes from a lot of
Corey Nachreiner 7:52
that's your value. If I were to ask a follow-up in Australia, how many SMEs actually have a CISO? Not many, yeah, and I, to me, I mean, and you're talking about what SME, they're worried about cybersecurity, but overwhelm, but I imagine they don't even want, like, they want to be in their business, and I think that's where MSPs like you are so fantastic, because they will outsource, you'll often obviously help them with product, I think you can be a VCISO. All the services you can put around them, so they don't have to worry about it. You can have a full strategy to go along with the products. You might also
Henson Yem 8:30
successful MSPs have worked it out that they offer that as a service, because a security officer doesn't need to be there all the time.
Corey Nachreiner 8:40
No,
Henson Yem 8:42
don't tell Joe. If they were, it's like visiting a doctor. You go for your routine health check, that's what's changing in our market. You know, there used to be thinking, okay, we've done it now, we'll see you when you've got a problem. No, I've got cancer, sorry too late, my heart's playing up. You know, you should have been here six months ago, make some adjustments, a lot more proactive than reactive, and that's been a change as well in the industry, and security is that constantly evolving issue that needs to be constantly monitored and reviewed, and businesses grow,
Corey Nachreiner 9:14
they're constantly monitored, you do need a sock running 24/7 behind the scenes, even if the customer doesn't manage it, so that's where you can wear
Henson Yem 9:21
Watchgard, dovetails into that quite nicely, because obviously you know you, you can't single-handedly can't do it, nobody can.
Corey Nachreiner 9:26
Yep,
Marc Laliberte 9:27
so I'm curious, from your perspective, what separates, like, the good companies or the companies doing security well from the ones that maybe aren't? Yeah,
Henson Yem 9:35
that one's a very easy answer. You tend to find if security is, and the application and the business process is understood well, they can implement the security correctly. If they just say, "Okay, this is what you need, without any regard to what the business does, it kind of goes in, and yeah, tick the box, but it actually doesn't work, and when I say it doesn't. Work. I'll tell you where it hits the bottom line. We've seen security implemented in organizations where it's counterproductive to the business processes and the productivity, ultimately the bottom line. They've applied a draconian security model from a top-down perspective. You will have this, and this complies, but then the people at the coalface can't deliver the outcomes of the customer, can't complete their work. It actually becomes a hindrance. So, what happens then is very clever humans inside that organization work a way around the security to do their job, because they've got to get paid and they've got their outcomes. So, that's where the two clash, and that's when you're asking that question, has it been secure? It hasn't. They've implemented security, and they're smiling, and they've got the certificate, but productivity keeps
Corey Nachreiner 10:46
the security, though, because really it sounds like you're also adding friction to the wrong places. Correct? I think a lot of people forget, and that's where a good MSP can come in, that security is actually not about an ivory tower of doing things perfect to a framework, it's risk management, correct, a retailer with point of sale systems would secure their data, where their important data is, is completely different than a manufacturing organization, correct. And you like being able to understand their business before you start to implement a solution is critical. I think the
Henson Yem 11:18
landscape has changed very, every day it's changing every day, but we've got a myriad of new problems now. We're no longer centric to an office, we're no longer single device, we're omnipresent, omniplace everywhere, and the data is leaking out everywhere. And now we've got this new wave where we're moving away from apps to software as a service, where we don't control anything, users will turn up in this lovely hotel and jump on and access all of our corporate data, and we have to zero trust and verify, and then I'll just plug it into this other public network, because they can
Corey Nachreiner 11:52
wait, everything's in 365 anyway. Yeah,
Henson Yem 11:54
you know, and
Corey Nachreiner 11:55
I have news for you. Yeah, a
Henson Yem 11:57
single vendor, I'm not a fan of that, but you know we do see where that's going, so yeah, there is - it's quite a challenging market. So, yes, successful security is where the MSP and all key stakeholders understand the business model and also understand what the outcome of the business is. Yeah, whether it be a business or even a non-for-profit or any organization has certain outcomes. The security can't be a frictional standpoint to get that outcome, and a lot of times it's not understood. We've been brought into projects to fix up a security platform. Never
Corey Nachreiner 12:33
asked the question, they never
Henson Yem 12:34
asked the question, you know, what is your outcome?
Marc Laliberte 12:36
So, you already hit on, like, a couple of big trends with, you know, workers, remote, hybrid, whatever. All of our data and apps moving into the cloud. The big trend on top of mind, like at least in the last couple of years, is AI specifically seen a lot of activity from both defenders that have been using AI but improving it even more to attackers leveraging AI for all sorts of different stages, the cyber kill chain. I'm curious, from your perspective, like, how is AI changing the conversation? At least in cybersecurity, it's probably been a
Henson Yem 13:08
catalyst to ask more about cybersecurity, because they're understanding that we've all heard it. There are incidences where data has somehow got out, and it wasn't maliciously
Marc Laliberte 13:20
uploaded it to Chat GPT,
Henson Yem 13:23
and obviously we're now starting to discover this kid called Chat GPT, or any AI learning model. We really didn't understand how smart it was and who it was talking to, and it's actually three AO models back in Utah somewhere. They're all talking to each other, so yeah, it's a runaway train at the moment. Trying to put the genie back into the bottle is not happening, we've all seen the whole Microsoft Copilot thing, and when they joined GitHub, and how all that data got leaked out, so there's a lot going on at the moment. Yeah, AI, I don't think anybody's really got a full handle on how we're going to control that, police it, monitor it, and moving
Corey Nachreiner 14:00
quickly.
Henson Yem 14:01
The one thing about AI, how do you make it unlearn something you can't forget anything that's happened in your life. So, how can we expect AI to do the same? So, if it learns something and it's got something, no, no, don't ever do that again. Don't ever learn that again. Don't regurgitate that again. You can't. Yeah, it's an
Marc Laliberte 14:20
interesting problem. I mean,
Corey Nachreiner 14:22
they put guardrails to your point. I mean, the AI already knows how to make a nuclear bomb, and it could tell you in detail they put guardrails trying to get the AI, but they have to jump through a million hoops to do that. To your point, it still knows deep down, and if you can figure out how to ask it in a really weird way, you can still get that information out of it,
Henson Yem 14:41
it's still, it's learned it, it's, it can't be unlearned, and then it'll share it with other models, so you do have the, I suppose, the offensive hackers at the world using that knowledge to find, well, what are the weak points, and it's learning it, how to build a better widget, a better mousetrap.
Marc Laliberte 14:56
I've listened to a podcast recently of. Um, where they interviewed someone that was working on a an AI model that was only trained on data up until like the 1920s or 1940s or something, and so they were using like books that were written prior to then and like journals that were written prior to them, things like that, but even with trying to put those constraints on it, every once in a while something modern would leak into the training set, and kind of like you were saying, they're actually finding it really difficult to prevent it from like, like modern training from tainting the older data set, and I can see that kind of parallel here, where like once something's in there, it is very difficult for it to like not use that knowledge or whatever,
Henson Yem 15:39
so you obviously hurt, you know, the term hallucination, where it runs well. We've seen AI learning from its hallucinations, so now it's a very dangerous world we're in, where AI can learn from its own mistakes and then form its own conclusions. So it's an interesting.. we're
Corey Nachreiner 15:56
currently in a world where disinformation, like human-made disinformation, is already hard, and then AI can help that with fake videos, but to your point, AI can also hallucinate and be the disinformation without humans. So, how are we going to be able to tell reality from
Henson Yem 16:13
To Shad?
Marc Laliberte 16:13
I will say Chat GPT is my favorite product manager, because if a feature doesn't exist on something where I'm trying to figure out how to configure it, it'll just make that feature up. Yeah, totally hallucinate. How good at marketing? Yeah, it's really good. So, I'm from your perspective, then do you see AI as more of a threat or an opportunity in our space?
Henson Yem 16:32
It's equal. Anybody would put one or the other's crazy. No, it's equal. You have to understand the potential and the risk in both situations, and I don't believe we have the tools to control it at the moment. We don't. Anybody say, you know, we've figured it out. No, they don't.
Marc Laliberte 16:50
Definitely not figured it out. It's like the maturity level that we want in this place.
Henson Yem 16:54
And how do we control, because you've got two parts of the problem: security exists in perimeter managed control and access, but the data naturally leaks itself out, so once it's gone, well, there's the accountability of it. Well, if it learned that data, how did it get it? And then you start doing the finger pointing. Well, we don't know, we're not sure, but there's
Corey Nachreiner 17:13
often not a lot of transparency with how the model's making decisions.
Henson Yem 17:16
Most outcomes where AI has got to somebody or made an inference or made a decision, it's usually a human. A human has been involved somewhere along the line,
Marc Laliberte 17:25
and it's such a fast-moving environment where the target that we're even trying to aim for is moving to, like, three years ago, four years ago, we were trying to figure out how to secure, like, the actual, like, let's say ChatGPT, like, just stop people from uploading stuff into there, and then now we're trying to secure like MCP servers, and like it's connected. Yeah, now we're trying to secure AI agents, like next year. Who knows what's going to pop out that we're going to have to try and figure out a way to secure, because like the pace that's just moving and innovating seems to be increasing. So
Henson Yem 17:55
to digress with that question, clients are asking us, yes, How do I secure this AI thing? And I'm sitting there, you know, the best MSP will say, honestly, we don't know, because to say you do know, that's delusional.
Corey Nachreiner 18:09
I will say the first thing I recommend is visibility, like at the very least, you need to, even if you don't know the solution, you need to see it, like nowadays anyone can go to any sort of LLM online, whether it's DeepSeek or something else, and maybe some of your clients, they want to use AI, so they've sanctioned, we use Anthropic Cloud, I have a data agreement, I've paid them money, so they're not going to train on my data, but that doesn't prevent someone from just spinning up DeepSeek, so at least having tools that show you the AI being used in your client is probably valuable as a visibility, because then you can decide if you want to at least hard block it or not.
Henson Yem 18:48
Yeah, that's very cool.
Marc Laliberte 18:49
And governance too, because at the end of the day, most employees don't want to try and screw the business. Mostly it's like ignorance.
Henson Yem 18:56
Yes, correct. I would say ignorance is bliss, and unfortunately we're making an assumption that purpose and we employ understands the problem, and training now, front and center, is probably the first victim of technology. It's gone, you just learn yourself, but you can't. Security almost is getting baked in now to some organizations that do do it well, where there is a security induction, where they teach them about the tools we use, and how, and sometimes it's a light bulb moment. Those employees go, I didn't know I wasn't supposed to take that entire hard drive home and work on it at home, and
Corey Nachreiner 19:33
no, I was not supposed to update the finance P and L sheet into deep seek.
Henson Yem 19:37
So we do inductions for safety and onboarding, and all things like that. We don't do,
Corey Nachreiner 19:43
you mentioned before that it's human centric, and we like, like, we love MSPs. We make technology, so we have technological controls, but I think the awareness part, and policy, to Mark's point, with governance, like the first thing a business should do is just have a human policy. Here's what you should. Regardless of technical control, what you should and shouldn't do. I've
Henson Yem 20:02
probably only seen two in my entire..
Corey Nachreiner 20:04
Do you help them with that, though? Yeah, because that's the first thing they should
Henson Yem 20:08
do. Organizations go.. why do we need one? And then you start to explain it. The second you
Corey Nachreiner 20:13
have a compliance framework, that's the first step. Yes,
Henson Yem 20:16
so the human element.. it's been a big issue.
Marc Laliberte 20:19
So, we've talked a lot about, like, your customers, SMBs, SMEs, but another piece of the puzzle is you yourself, and like the managed service provider, and we've seen, like, time and time and again, like MSPs are being targeted because you have a lot of capabilities and access that if a threat actor can get a hold of that, they can spider web out their victims. So, from your perspective, what are some of the biggest challenges that, like, you and other MSPs in your region are facing right now in cybersecurity?
Henson Yem 20:48
You've hit the nail on the head. We hold the keys to so many organizations, and we have to adhere almost to a higher level as to how we manage our data. I've seen some MSPs that are run well, ones that are not run as well, where they leak data and they lose data. Staff come in and go out and they lose information. Yeah, you've really got to have an understanding of where your data is, because the value of an MSP is not the people and the pro, it's the data that you collect, we've almost become a digital compendium of businesses, stuff, their domains, their security keys, their break glass accounts, their managed services, their SaaS, everything. We are responsible for them, and they pay us for that, but with that, that's the holy grail. So I do know that there's been specific areas of hackers looking at MSPs, because getting into that gets them to everybody else. It's no longer about just hitting a bank or a hospital or a finance guy, that's low hanging.
Marc Laliberte 21:51
Go after the MSP, and you can hit all of those at once, correct?
Henson Yem 21:54
So, as you've heard, you know, we're a 40 year old company. There are staff in there, you know? I've been there 35 years, and there's many of us that have been around long enough to have a very, very simple way of, we do things, and we just block everything down. We don't connect it to the interview, we don't have to, and zero trust is a living, breathing thing we do. So, even though I'm here. The amount of things I do, it hasn't been a hindrance to what I do, but the zero trust framework makes sure that I open the way, so I can function safely. There's no data leakage, it's not intercepted, it's not traveling over any unsecure networks. We've done all the VPNs, we've done everything we needed to do, and we onsell that sort of model and those solutions to our clients, so we practice what we preach.
Corey Nachreiner 22:42
Yeah, I think that's the important part. It's good learning. I mean, you do it, and that's why you can help them. We
Henson Yem 22:47
hate it. Check that out.
Corey Nachreiner 22:50
I like that you point out, like I think I'm old school. He'll just call me old, but we forget that.
Henson Yem 22:56
Mature with experience,
Corey Nachreiner 23:01
but we forget we call it cyber security now, but it's information security. This business has always been information security centered on information. The reality is the servers, wherever they are, the cloud, none of that matters. It's the access to the actual data. Does the right person have access, and is it available when the business needs it? Correct, and everything else is just not that important.
Henson Yem 23:27
It should be transparent to the user and not intimate, so don't have friction, but still somebody has to understand the model, and if the model is done correctly, it's very easy to draw around. If it's done poorly, it's kind of like we think this could be the problem with the security, we're not really sure. It's
Corey Nachreiner 23:44
crazy that they weren't asking the business question, because the first thing any CISO has to know is where is the important, what is the data and information your business needs to be critical, where is that? And then I will help you design security, because it will completely differ depending on where you put your data and what is critical or not. The
Henson Yem 24:06
most powerful person in many boards now is the CSO. He has a current branch to access money. He's directly connected to the CFO, and everybody's going, "You just protect us, whatever you need to do. And the danger with that is there are opportunistic vendors that will go in and say, well, that's a blank check, let's cash it in. I said, no, that doesn't work, and the results are, well, we spent the money, but we still got breach, that's not a good outcome.
Marc Laliberte 24:34
So, I'm curious, do you think there's anything, have you seen anything unique within, like, Australia, or maybe your region as a whole, when it comes to cyber security, that
Henson Yem 24:43
culturally there's an issue. I visit China quite regularly. Their understanding of security compared to other parts of Asia and Australia is quite different. They don't worry about it at all. So security in China is, you know, it's kind of an interesting.. they will great fight. A lot of China, the government takes care of it. We don't really have to worry, and they don't run a myriad of applications we run. Then you go to Singapore, I think that's a very unique economy and a very advanced network. It's financed by their government, here's a lot of rules and regulations, and we do look closely to how Singapore does it, because their frameworks are quite mature within the region, that is a good benchmark to measure against.
Marc Laliberte 25:25
They've got a lot of like lead on like regulatory requirements in there around cybersecurity, given the
Henson Yem 25:32
finance, and you know, obviously their economy revolves around that. They've done a very, very good job, and so that I would say is an asset in the region to look at how to apply to other countries, so we go and look at how other countries are doing it. China is an old way that then students double
Corey Nachreiner 25:49
click into China, just because it's.. I'm surprising, I would have thought the opposite, but then you mentioned the government. I feel like the Chinese government would be among the top to understand and implement technical security. Oh, they do, and it's because, because I believe they're also one of the most advanced state-sponsored red team at, like, offensive actors. Yes, they leverage cyber security or cyber attacks, by the way. Every country does. America is not blameless either. There, no,
Henson Yem 26:17
no, we just
Corey Nachreiner 26:19
stuck in it. If you're on
Henson Yem 26:20
offensive, you also have to be, you have to get, you
Corey Nachreiner 26:23
know, specifically why you need defensive, yeah. So, I think your twist was, it sounds like private businesses don't think about it, but that's because they know the government, I mean, one, they're being, you know, blocked from anything anyways, but they know the government is doing a really good job of it,
Henson Yem 26:41
correct. Yeah, and that's a very.. and when you talk to them, they just go, "Well, why do you have this problem? You know, don't have this. It's.. whereas in other parts of Australia, we are left to fend for our own devices. The government regulatory layers of framework, and we work towards it, and it's our best job to implement it. And probably wouldn't
Corey Nachreiner 26:58
work in China, but I would argue with the private business, yeah, the government's taking it, but they're also paying attention to every single thing you do, and they're probably taking your data. You should protect yourself.
Marc Laliberte 27:08
Meanwhile, in the US, we've got the worst of both worlds, where they're paying attention to everything you do, and they're not doing anything to protect exactly,
Corey Nachreiner 27:14
they're taking our data and they're leaving us wide open.
Henson Yem 27:18
So that would be in the region is something different. We're also noticing generational change. The younger generation lack of it are very woke and are very relaxed about security. Case in point, I have a 24 year old son whose Google account was under attack for weeks. Every night I hear this beep, beep, beep, beep beep. What is that noise? I go into his room and his phone has Google alerts popping up. Do you authorize access to your account? No, no. And I said, What are you doing? He goes, Oh, the hacker's trying to get in, I'm annoying you. Just sits no, change
Marc Laliberte 27:57
your password, change
Henson Yem 27:58
the password. So he had the two factor and everything on, but he was just hitting no. Although I like his
Corey Nachreiner 28:03
trolling, that's a good attitude for hackers against hackers. His
Henson Yem 28:06
attitude was, I'll just know, I said, it's a bot, okay? It's not a human, it's probably a robot, but we're seeing generationally they just accept, well, the security is taken care of by somebody else, I don't have to worry about it, whereas maybe the generation behind, we were concerned about secure our data, but that's going to be a big issue to face. It
Marc Laliberte 28:24
isn't like that's so I look at it from like repairing a computer standpoint. Like I grew up, if I had had an issue, I had to figure out how to fix it myself. Like the internet barely existed, I didn't like hardware on the computer go fix it, like random games wouldn't load after to go fix it, whereas like modern generation, like, your smartphone generally works perfectly, 100% of the time, your tablets work, like, there's not a lot of troubleshooting that goes on, and that does feel like it tampers down some of the, like, troubleshooting and, like, thinking capabilities,
Henson Yem 28:56
or security, there, it's somebody set the program on, it should just do it, even to the point where we get alert fatigue. They just ignore it. They're going well. I don't know what it means. Isn't it doing its thing? Well, you know, I feel
Corey Nachreiner 29:09
like the generation might be smart to social engineering attacks, though, because they're used to online relationships being catfished. A lot of the scams of trying to get money start with social media, so I hear that you know they may not know all the technical stuff in the weeds, but I feel like if you're a digital native, even as a tiny kid on a multiplayer game, you've had someone try to scam you at least once, and you learn pretty quickly. So, I don't know, man, I go both ways on the younger generation, these millennials,
Henson Yem 29:40
well, they're now taking on those roles, so we'll see where it goes.
Marc Laliberte 29:44
Millennials know how to fix stuff, and the ones even younger than me.
Corey Nachreiner 29:48
I started a generation war.
Marc Laliberte 29:50
Yeah, man, come on.
Henson Yem 29:52
But as a MSP, you need to understand that and evaluate it, because your market pitch and solution changes.
Corey Nachreiner 29:59
Onion, and who you're talking to,
Marc Laliberte 30:01
so I want to wrap up with just an open-ended question. Like, do you have any advice that you give other leaders in your space when it comes to, like, staying ahead of cyber risk in the region?
Henson Yem 30:12
It's not really a cyber risk tool or rule or anything to learn. You have to be a listener. Communication is everything. The fundamental success of anything in cybersecurity is being able to communicate very, very well, listen to what the outcome is and the problem, and design a solution around that. So, that's my best advice to everybody, because there's a lot that just don't communicate well, and then they end up with no solution that really works. So, it's nothing to do with cybersecurity person that
Corey Nachreiner 30:42
almost works with a lot, like you do have to listen to what your client's problem, you know their problem before pitching a solution.
Henson Yem 30:49
Yeah, 100% and that's the take home for any person in the cybersecurity seat. Please listen to what the problem is, because there's always take homes in the information you get, which will allow you to build something around the solution. Yeah,
Marc Laliberte 31:04
really good advice. Thanks.
Corey Nachreiner 31:05
This
Marc Laliberte 31:06
has been great.
Corey Nachreiner 31:07
Yeah, thanks for
Marc Laliberte 31:08
taking time out of your day to join us here. I know you could have been down on the beach, and that's where we're going
Henson Yem 31:14
next. There you go.
Marc Laliberte 31:16
Appreciate it. Thank you for hanging out in the chapel with us. Fantastic.
Henson Yem 31:19
Thank you for having me.
Marc Laliberte 31:20
Well, hey everyone. Thanks again for listening, as always. If you enjoyed today's episode, don't forget to rate, review, and subscribe. If you have any questions on today's topics or suggestions for future episode topics, we're both on Blue Sky. I'm at It's mark.me Corey is at SecAdept. We're also on Instagram, of all places, at WatchGuard underscore Technologies. Still looking for those cooking recipes sent to us there, and whatever else kids use Instagram for these days. But thanks again for listening, and you will hear from us next week.
