Helping APAC Organizations Stay Ahead of Cyber Threats with Brett Chalmers

Episode 374 –

Recorded live at WatchGuard’s APAC Partner Conference in Bali, Indonesia, this episode of 443 – Security Simplified features Brett Chalmers joining Marc Laliberte and Corey Nachreiner to discuss the evolving cybersecurity landscape across APAC. The conversation covers emerging threats, security challenges facing organizations, and how MSPs can help customers build resilience and strengthen their security posture in an increasingly complex threat environment.


Marc Laliberte  0:00  
Hey everyone, welcome back to the 443 Security Simplified. I'm your host, Marc Laliberte, and joining me today is Corey "the Pool Bum" Nachreiner.

Corey Nachreiner  0:08  
Where's my cocktail, man? We should be out at the pool.

Marc Laliberte  0:10  
I think someone's had one too many cocktails on me this morning; that's why he started off laughing. Exactly.

Marc Laliberte  0:16  
But we're coming to you from WatchGuard's Impact Conference in Bali, Indonesia, in the beautiful chapel here, alongside Brett Chalmers. Thank you so much for joining us today.

Brett Chalmers  0:27  
Thanks for having me.

Marc Laliberte  0:27  
Yeah, really excited to have you on to hear your perspective about cybersecurity and SMBs and MSPs like you in Australia as a region. And I guess with that, we can go and, I don't know, hop our way in again. We can't use the kangaroo theme, that kangaroo theme again.

Corey Nachreiner  0:46  
It's a wallaby this time, it's a wallaby hop, right?

Brett Chalmers  0:49  
They do hop.

Marc Laliberte  0:51  
There we go, all right, let's get rolling. So, Brett, to start with, I want to do just a few rapid-fire questions, just to get us in the mood before we jump into some more of your perspective from what you see down in Australia. So, first name?

Brett Chalmers  1:05  
Brett Chalmers.

Marc Laliberte  1:07  
Job title?

Brett Chalmers  1:07  
CEO.

Marc Laliberte  1:09  
What company?

Brett Chalmers  1:09  
Nuclear IT.

Marc Laliberte  1:10  
Nuclear IT. How long have you been a WatchGuard partner?

Brett Chalmers  1:14  
15 years.

Marc Laliberte  1:15  
Wow, thank you. When was your first job in cybersecurity?

Brett Chalmers  1:19  
So, this is my first job in cybersecurity. I started the business 30 years ago, 30 years this year, so still in high school, and that was the start, but back then it was "your IT consultant."

Corey Nachreiner  1:31  
Do you know WatchGuard's celebrating our 30th year anniversary too? That'd be like Nuclear IT and us...

Marc Laliberte  1:37  
Twins?

Marc Laliberte  1:38  
Yeah. What's your favorite password?

Brett Chalmers  1:41  
I can't tell you that. Good answer.

Corey Nachreiner  1:43  
Favorite Australian Rules football team?

Brett Chalmers  1:46  
I'm gonna go against the grain and not have one.

Marc Laliberte  1:49  
Ooh, not a sports ball.

Marc Laliberte  1:51  
Yeah. What's your favorite hacking movie, or movie with hacking in it?

Brett Chalmers  1:56  
Hackers.

Marc Laliberte  1:57  
Good choice. What's the worst thing one of your clients could do?

Brett Chalmers  2:05  
Ignore our advice or go against our advice.

Marc Laliberte  2:08  
That's even worse.

Speaker 2  2:09  
That's probably the worst.

Marc Laliberte  2:11  
There is a difference between ignoring it and then just straight up doing the

Brett Chalmers  2:13  
opposite.

Marc Laliberte  2:14  
Yeah, yeah. How about the best thing one of your customers can do?

Brett Chalmers  2:20  
Well, I guess agree to our advice, but understand what they're agreeing to, not just say yes because we said so.

Marc Laliberte  2:30  
Understand the problem.

Brett Chalmers  2:32  
Not the technical side, but enough to understand and say, yes, we agree, and yes, we know what we're actually agreeing to.

Marc Laliberte  2:39  
Yeah. Last question was gonna be dream job, but you've been in here for 30 years, so...

Corey Nachreiner  2:44  
Yeah, you're living it. I have one more. How many Americans have you convinced to fear drop bears?

Brett Chalmers  2:50  
Three.

Corey Nachreiner  2:51  
Maybe we can make Marc one later.

Brett Chalmers  2:53  
Eat Vegemite.

Marc Laliberte  2:55  
I am not a Vegemite fan. Yeah, nothing will ever change that.

Corey Nachreiner  2:59  
You got to watch out for the drop bears, though, man. They're more in the Gold Coast, not Perth, as much.

Brett Chalmers  3:05  
East Coast thing.

Marc Laliberte  3:06  
I'll be sure to wear a helmet next time I go visit. So, Brett, I want to start with just really an overview about you, and we call this our hacker origin story, which is, like, what really got you into cybersecurity? You mentioned 30 years ago you started Nuclear IT, or...

Brett Chalmers  3:25  
Started, yep.

Marc Laliberte  3:26  
Do you want to maybe expand on, like, what got you interested in computers or IT and led you on this journey?

Brett Chalmers  3:32  
So my father's a geologist, a very, very Australian thing, being involved in mining, and the mining industry does use IT a lot, and technology a lot. So I was lucky enough to be introduced to tech at an early age, and quickly learned that I was also good at it.

Corey Nachreiner  3:52  
Yeah,

Brett Chalmers  3:52  
So yeah, the opportunity came up to kind of start, and my parents were both involved in their own businesses, so in my world, you didn't get a job, you started a business. Yeah, went and started a business. Started off initially doing IT and web design. This is now 1996. So, imagine 1996 internet and web, very HTML and tables, very different to today's world.

Corey Nachreiner  4:18  
GeoCities.

Brett Chalmers  4:20  
Probably even.

Corey Nachreiner  4:23  
AOL was probably still a thing.

Brett Chalmers  4:26  
So that was the start. And then in '99, yeah, I was just doing the web design, and a client kind of came to me and said, "Oh, we can't upload our website to our web server, our IT provider doesn't know," and they kind of said, "Oh, can you help out?" And that was kind of the move into IT, and eventually cyber.

Marc Laliberte  4:47  
Did cybersecurity become, like, would you say a bigger part, or a big part, of the pie for you?

Brett Chalmers  4:54  
Probably 10 years ago, when it moved from, you know, just AV to everything beyond AV. I think that's the, that was probably the big shift.

Corey Nachreiner  5:07  
I'm going to back up a little bit, then I want to continue on that one. But just because I'm a nerd, maybe we're all nerds here. What was the first computer you had at home?

Brett Chalmers  5:14  
An Olivetti M24.

Corey Nachreiner  5:16  
Oh, that seems very UK or Australian. I've not heard of that.

Brett Chalmers  5:20  
Olivetti was a big brand in Australia, for whatever reason.

Corey Nachreiner  5:25  
Was it comparable to, like, an Atari ST or a Trash-80, or...

Brett Chalmers  5:30  
IBM? Like, so an 8086

Corey Nachreiner  5:32  
machine back then. Yep, IBM

Brett Chalmers  5:34  
compatible PC back then.

Corey Nachreiner  5:35  
Cool. Sorry, like...

Marc Laliberte  5:37  
Mine was a Pentium II, so a bit...

Corey Nachreiner  5:39  
Yes, I was the original 8086.

Brett Chalmers  5:43  
And then I went backwards. That was the family computer. My first computer was an IBM XT.

Corey Nachreiner  5:49  
Oh yeah, big

Brett Chalmers  5:50  
box with a big red switch.

Corey Nachreiner  5:52  
Yeah, exactly. I even remember amber monochrome monitors, orange-screen monitors.

Brett Chalmers  5:58  
The

Corey Nachreiner  5:59  
follow-up to that is, you said 10 years ago you started in cybersecurity, or started being more serious about it. What prompted it? Was it attacks happening in Australia, a change in the local market, or just opportunity for more services?

Brett Chalmers  6:13  
Just understanding that AV was not enough. Like, we'd done, you know, AV had been compulsory for probably five to 10 years, and, okay, we need more than this. That was probably the start of, I think email security was probably the first step into that more-than-AV world, and, you know, as the cloud started to kick in more, it was, how do we protect that environment as well? Cool.

Marc Laliberte  6:38  
So from your perspective, in Perth, right?

Brett Chalmers  6:40  
Yeah.

Marc Laliberte  6:41  
Working with your customers, I'm sure you work with a lot of small, mid-sized businesses. What cybersecurity concerns are you hearing from them right now, or are you hearing any? Is it you coming to address it, or is it anything that they're bringing up?

Brett Chalmers  6:54  
It's quite 50/50. We're lucky, our client base is quite cyber savvy, I would say. We're lucky that they have some understanding of the world, but they're concerned by supply chain risk, which is really the one, because they can't control that. You can't control it, you'll try to prevent it impacting you and control it once it's happened, but often you're just a passenger in that event.

Corey Nachreiner  7:20  
it

Brett Chalmers  7:20  
just happens, and just business disruption from it. It could be cyber, could just be outright system failure, whether that's cloud or on premises.

Marc Laliberte  7:30  
Do you, maybe not. Well, I'm curious, what level of maturity would you say your customers have with, like, supplier management and third-party risk management? If it's a concern, is it something they're trying to address, or...

Brett Chalmers  7:42  
The larger ones are seeing it and doing something about it, and the small, you know, the S of SME, is just reacting. You know, they are truly a passenger, so where we can, we try to educate them and say, this is not, you know, IT can help you so far, but there's people and process to do the rest of it.

Marc Laliberte  8:03  
Because I'd say that's a trend that even goes beyond Australia. Like, we as a vendor get a lot of questionnaires from folks that are doing third-party risk management with us and trying to make sure that we won't introduce supply chain risk, and just the volume we've been getting in the last couple of years is skyrocketing. It seems to be very complex.

Corey Nachreiner  8:22  
We don't, as long as they're decent questions, we don't mind, because we focus on our trust center, and we do a lot for compliance. I'm curious, as you take on new customers, I'm sure your old customers have a trust relationship. Are they extending security questionnaires to you? Are they starting to make sure they know your security enough for you to provide their security service?

Brett Chalmers  8:40  
Yeah, they will ask us, and often, depending on their own compliance requirements, they'll come to us and say, well, here's what we need to know about you.

Corey Nachreiner  8:50  
Cool, yeah.

Marc Laliberte  8:50  
Is it? Do you feel like it's mostly driven from, like, compliance or regulatory, or insurance? Insurance, yeah, the

Brett Chalmers  8:57  
driver, and yeah, we're seeing, you know, five years ago a questionnaire would be one to two pages. I did one the other day, it was an Excel document with sheets.

Corey Nachreiner  9:10  
Have you found, have they found, I think it's called the SIG standard something? They have a 1024-question version, which sometimes irritates me, because, like, if you already... I'm curious, do you do any compliance yourself? Is it like, we do ISO 27001?

Brett Chalmers  9:27  
We outsource that side of that. We don't, and my opinion is that if we were looking after our client systems, we can't audit what... oh yeah, we do, so yeah, we will, but you

Corey Nachreiner  9:38  
can pick vendors like us that do it,

Brett Chalmers  9:40  
Correct.

Corey Nachreiner  9:40  
But I'm hoping that if we have that, 90% of those questions you don't have to ask because the compliance auditor checks those, so I wish they would at least pick the questions that the compliance doesn't already cover.

Brett Chalmers  9:53  
Yeah, exactly. And we just train our clients: we can help you with answers, you know, but we don't know everything. You know, if you've got Xero for accounting, we probably have zero visibility of that, so you're going to have to answer that part of the questionnaire, and you have to own the questionnaire. It's not ours, it's yours, you're the data owner.

Marc Laliberte  10:13  
We've definitely seen, like, insurance providers get more rigorous on validating the responses too. Like, it used to be, 5-10 years ago, it'd be, hey, do you have MFA, yes or no? Now it is like an entire section on that. Where does it apply? Where is it not applied? On every remote

Corey Nachreiner  10:30  
access? And if not, well, either no coverage or why not.

Brett Chalmers  10:35  
Yeah, we just train our clients: unless it's 100%, do not tick yes.

Marc Laliberte  10:39  
because they will just deny your claim or claw it back if something happens.

Brett Chalmers  10:42  
Yeah, so we haven't seen any that are asking for proof yet, but it's definitely... I've heard other colleagues in the industry saying, you know, people are saying, we want an API into your Microsoft environment so we can see your Secure Score

Marc Laliberte  10:55  
live. Yep.

Corey Nachreiner  10:56  
I think, to Marc's point, though, maybe they don't even care for the proof if they can find out later and deny the claim.

Marc Laliberte  11:03  
It's true, but, like, at WatchGuard we get penetration tests from our insurance providers to validate it too. It seems to be they're tired of hemorrhaging money from cybersecurity events, and so now insurance providers are getting more strict.

Brett Chalmers  11:18  
Having said that, though, the premiums have actually dropped. Yeah.

Corey Nachreiner  11:20  
Oh, they've dropped?

Brett Chalmers  11:21  
In the last two years, they've dropped, which is... having tightened those questionnaires and their understanding of the risk, they have been able to then decrease premiums, which is nice, because

Corey Nachreiner  11:32  
long term, they're good. I mean, insurers know actuary tables, so as long as they use it on both sides, as long as they know, if you have these things, I'm not going to have to pay as much, so I will extend that savings to you. It can work in your benefit, exactly.

Marc Laliberte  11:45  
And it's good. I'm sure in the MSP space, if you look back 10 years ago, it was probably a lot of you going to your customers advocating, hey, we really need you to adopt this because it'll overall improve your risk management, and now there's probably a bit of a shift to them saying, our insurance providers are mandating we implement MFA and patch management and stuff like that. That probably makes the conversation a bit easier for you.

Brett Chalmers  12:10  
It certainly does. Yeah, because they kind of say, well, we need to be compliant with this, how can you help us? Or, that's right, you spoke to us about that a few years ago, let's do it.

Marc Laliberte  12:20  
That's got to be a little rewarding when that conversation happens. Exactly.

Brett Chalmers  12:23  
Yeah, definitely.

Marc Laliberte  12:24  
Better late than never, I guess.

Brett Chalmers  12:26  
That's right.

Marc Laliberte  12:27  
What, um, what do you think separates the companies that are doing security well from the ones that are maybe struggling a little bit?

Brett Chalmers  12:35  
I guess when they've got that support from the board or management, they're the ones that do well, because then it flows down to the rest of the organization. You know, when the CEO is in the security awareness training and doing it, not just ordering from the top kind of thing, and you just get that support from the top, that's important.

Marc Laliberte  12:57  
It is massively important. Like, even speaking from experience, Joe, our CEO, came up from the trenches on the operations and IT side, and it's great having that champion in your corner at the very top of the pyramid, because otherwise, I'm not saying, like, even at WatchGuard, but seeing other organizations, when you have to try and fight for advocacy like that, I imagine it can be a bit of a challenge if they're not already bought in.

Brett Chalmers  13:21  
Yeah, some of our larger customers are ASX listed, so the stock market, so they have risk compliance that comes on them, but it's good that most of them will have someone on the board or on the risk committee that owns cyber and has a true interest. The

Corey Nachreiner  13:36  
board has been a change in the last decade. Like before, the board only wanted to see the P&L and didn't really care about a cost center, but there's been enough breaches, even to vendors that private equity or venture capital owns, that boards are now proactively asking the leaders about risk. Risk is

Brett Chalmers  13:53  
everything for them. I've actually found it's an easy discussion to have, because boards and management inherently understand risk, so you can just talk to that.

Corey Nachreiner  14:05  
Although you have to get rid of the technical talk and get straight to risk management and the cost or benefit of doing it right.

Brett Chalmers  14:12  
Exactly.

Marc Laliberte  14:13  
So one of the topics that, to get into the weeds now, has been really top of mind, at least for us at WatchGuard, and clearly the whole industry, is artificial intelligence. It feels like we're on a roller coaster that's just continuing to shoot down the tracks right now.

Corey Nachreiner  14:30  
Just throw your hands up and enjoy the ride, Marc.

Marc Laliberte  14:32  
I mean, that's the point where I'm at right now. Just...

Brett Chalmers  14:34  
Yeah, just seesawing away, and yeah, enjoy the ride.

Marc Laliberte  14:38  
Just hope for the best. But has it, from your perspective in Australia, from your customers, has it changed the conversation at all that you're having with them? Has AI come up at all now?

Brett Chalmers  14:48  
It comes up, but they're all looking for actual opportunity to use AI in their business, beyond, you know, besides just writing a nice email, or summarizing a document or something like that. Then I go, how can AI actually help us? You know, my pet hate line is "I hope this email finds you well," which is just a classic ChatGPT line. I'm like, you know, I think we can all, if we're in that professional office worker space, we can all write an email. We just need to continue doing that, so something

Corey Nachreiner  15:22  
that has real ROI, rather...

Brett Chalmers  15:24  
Exactly. We're lucky that a lot of our clients have been with us for 10 to 15 years, so we actually have some understanding of their actual business process, not just the IT side, so that helps us find opportunity where we can use AI to actually help their business. Yeah, but it's still in its infancy to truly see a return on that investment.

Marc Laliberte  15:47  
It definitely feels like it's in its infancy, but going at such a fast pace that it's not going to be very long before the companies that aren't adopting AI are probably going to be left behind, at least from some of the productivity gains you can get from it. But then there's a big risk trade-off too: if you lean in too hard, are you opening yourself up to data security concerns or operational resiliency concerns? From your perspective, do you see AI as more of an opportunity or more of a threat, or maybe a little bit of both?

Brett Chalmers  16:21  
It's definitely both. I would say right now it's probably 75% threat, 25% opportunity. Just watching, like, say the last six months, watching the speed of vulnerabilities being released is just flying. Like, it's across all vendors, all software, you're watching it, the pace is just picking up, and, you know, between us and vendors, we're all trying to make sure we keep on top of things, but the pace is fast, and I feel right now that with AI, offensive AI, we're on the catch-up, we're trying to catch up.

Marc Laliberte  17:00  
I just read an article this morning that summarized a 30-page report from India's computer emergency response team, so CERT-In, and they're trying to advocate for all companies needing to have a 12-hour patch response time for internet-exposed systems.

Brett Chalmers  17:20  
That is...

Marc Laliberte  17:21  
Like, I mean, even if you didn't have to test to make sure there wasn't going to be an operational disruption from the patch,

Brett Chalmers  17:28  
Yeah,

Marc Laliberte  17:28  
12 hours is a very short time. By

Corey Nachreiner  17:31  
definition, internet exposed means production, so it's like their critical assets that they have to patch

Brett Chalmers  17:37  
Balance, like, operational availability versus the risk of impacting the business versus the risk of

Corey Nachreiner  17:44  
That's right. I think that's important. Like, we forget in security, in our ivory white tower, that sometimes it's worth taking the risk of attack, because the business that you're making hundreds of thousands of dollars a minute from on a production server, you know, yes, the chance of getting hacked will cost you, but you lose more by taking it down.

Brett Chalmers  18:07  
Yeah, we look after a number of OT environments where availability does often outweigh the risk, which is a different world again, but you have to consider

Marc Laliberte  18:18  
it. I imagine that's a big challenge to try and secure in the modern age now, with things moving so quickly, and operational technology maybe not moving as quickly, but still becoming internet connected and network connected.

Corey Nachreiner  18:31  
I think the thing they can, I mean, it's the easy equation: if the cost of security is more than the cost of business, you don't do it. But I think they don't really know the true cost of that. Like, you could have a chain effect in OT where, if you paid for security, yes, you would have an hour outage, which costs money, but the actual event causes a week-long outage. I mean, we've seen the ransomware, like Asani, but what was the one that took a week? That was supply chain, meat companies, all of them had weeks of downtime.

Brett Chalmers  19:01  
Oil pipelines, like, it's weeks.

Corey Nachreiner  19:05  
Yeah, and that's big. For an operational technology company, that is a huge cost. Wasn't

Marc Laliberte  19:10  
it, like, Jaguar Land Rover, this last year, were on the brink of potentially having to consider bankruptcy proceedings because of their outages? They were

Corey Nachreiner  19:19  
out for a long time.

Brett Chalmers  19:22  
So yeah, so right now I would say still more on the threat side. That's

Marc Laliberte  19:27  
fair. And I mean, you mentioned from the vendor side that we're seeing it too, and unfortunately, as the volume of reports comes in, the quality of them is coming down too, because it's not like the actual experienced researchers are going to find and report issues. It's the person that ran, you know, ChatGPT over something, doesn't know how to interpret the results, and tries to submit it to our bug bounty program, and it just wastes everyone's time involved.

Brett Chalmers  19:54  
Did you read the article from Mr. Linux, Linus, saying exactly that? That all these bug reports are just pouring in that are all AI generated, and the quality has decreased, and then, you know, it's almost impossible to actually...

Corey Nachreiner  20:07  
The sad thing is, in some of them there could be a legitimate vulnerability there, but it takes you, the interpreter, longer because the analyst hasn't given you the real information to figure

Brett Chalmers  20:18  
it out,

Corey Nachreiner  20:18  
and if you have India's CERT saying you have to do all this in 12 hours, to figure it out and fix it? Whoa.

Marc Laliberte  20:25  
Yeah, yeah. I like that you mentioned Linus in that article. I do remember reading that, and I've got a little bit of hope and optimism from that, because the last time Linus got really ticked off over managing software within Linux, we got Git as an application, which maybe

Corey Nachreiner  20:40  
he'll make, yeah.

Brett Chalmers  20:43  
Who knows what will spawn out of the rage,

Marc Laliberte  20:47  
out of his annoyance, yeah. But yeah, that, and it's not even just the volume of vulnerabilities that's a concern, it's that the time to exploit, between when a vulnerability is disclosed and when it is weaponized into something, is shrinking as well.

Brett Chalmers  21:02  
Correct.

Marc Laliberte  21:03  
So I see where CERT-In is coming from, where, like, we need to be fast about it, but it's a tough problem to solve, because you can't just pull something offline every four days to update. Like, you need other forms of resiliency and defense in depth, correct, to maybe be able to absorb some form of attack against that edge-exposed system without impacting data,

Brett Chalmers  21:25  
and it really comes down to the business. You have to go to the business. Like, it's us, we have to go to the business and say, here's your choice: do you want to take the risk of being exposed for two days, or do you take the outage now? But that's not our decision,

Corey Nachreiner  21:39  
that's

Brett Chalmers  21:40  
theirs, so we can just give them the information. You

Corey Nachreiner  21:42  
just have to find the accurate information for the cost on both sides, which is all the work, by the way. It takes, and

Brett Chalmers  21:49  
let them, then they have to make that business decision.

Marc Laliberte  21:51  
Yeah, that is definitely the most difficult part of the equation. It's easy just to say, oh, they'll patch it, but

Brett Chalmers  21:57  
yeah, it will fix it, exactly.

Marc Laliberte  22:00  
So we've talked a lot about SMBs and some of the threats, but you as a service provider, you're an important piece of the puzzle as well, and MSPs around the world are under attack from threat actors that realize if they pop you they can spider-web out into... away

Brett Chalmers  22:18  
they go. Exactly. So from your perspective, what are some of the biggest challenges or concerns you have when it comes to cybersecurity for MSPs, either you or others in the space? Still the human side of things, because, you know, again, you can see all that. You say for us, you know, we had a client that had a red team come in, and they rang up our client and said, "Oh, this is so-and-so from Nuclear IT," but they didn't do their research on which country they were from, so the accent and everything was completely off. But if they had done a little bit better at their research and job, they would have got in. So it's that human element, and that was a client, but same for us, like, you know, probably things like the whole phishing now, like, who's going to ring up, you know, say I'm away right now, ring up Nuclear IT head office, "It's Brett, I need $10,000 transferred to this account for my travel, just do it."

Marc Laliberte  23:22  
Yeah, or I got my account locked out here in Bali. Can you reset my password?

Brett Chalmers  23:26  
Fine, the name matches, voice matches.

Corey Nachreiner  23:28  
Yeah, deepfakes now with AI make it easy to fake you as Brett.

Brett Chalmers  23:32  
Oh, easy.

Corey Nachreiner  23:33  
We have a demo of that in the booth, by the way. Video and voice fake.

Marc Laliberte  23:36  
Scares the crap out of me. Corey's got a perfect video and voice replication of me, he's done me

Corey Nachreiner  23:42  
before. I mean, he started the

Marc Laliberte  23:44  
battle.

Brett Chalmers  23:45  
It's a long way to the bottom, but yeah, that's probably the risk, is that human side.

Corey Nachreiner  23:50  
It's interesting. It's still the PEBKAC problem, because it's the problem between keyboard and chair, it's a layer 8 problem,

Brett Chalmers  23:56  
and I guess educating even the greater Nuclear IT team about how serious this is. We

Corey Nachreiner  24:02  
talk about that a lot. We are a technology security company, so there's technical controls you can use, but at the end of the day, if we perfected technical security, you'd still be able to trick humans, and this part of the equation would never change. But

Brett Chalmers  24:15  
that's the defense in depth. That's, you have your technical layers, and then you've got to have your training and that sort of thing, but to me that's

Corey Nachreiner  24:23  
also the value of you, a true MSP, versus a traditional VAR who just tries to sell a security product, check a box, maybe help you set it up, and then they go away. That's going to have a little value, but the human part, like having policies, having a strategy... the SMEs in Perth probably want to focus on whatever it is they're doing, not all of this, and you can help actually bring the service and rigor to helping them solve the human problem and their services together,

Brett Chalmers  24:51  
because otherwise we can tick boxes on an insurance form and go, yeah, you've got MFA and you've got EDR and you've got a 24-hour SOC, and, you know, job done. That's

Corey Nachreiner  25:02  
important, but it's not going to cover

Brett Chalmers  25:03  
everything. Yeah,

Marc Laliberte  25:05  
What would you say the level of engagement is with your clients when it comes to that last mile, the human training sort of piece? Are people more interested now in learning about security? Definitely,

Brett Chalmers  25:15  
you know, we did a recent exercise with one of our clients, and we did a real targeted phishing email that replicated a notification they got, and they had 15%

Marc Laliberte  25:32  
high.

Brett Chalmers  25:32  
compromise for

Corey Nachreiner  25:33  
phishing, because it was,

Brett Chalmers  25:34  
it was not even like

Marc Laliberte  25:37  
the click rate, but the actual compromise. Oh man, yeah.

Corey Nachreiner  25:40  
it's crazy. It was,

Brett Chalmers  25:40  
you know, it was a literal copy and paste

Corey Nachreiner  25:42  
yeah,

Brett Chalmers  25:42  
into the security awareness system, and that is terrifying.

Marc Laliberte  25:48  
Especially because that was probably more on the manual side still. But now it can be totally automated with AI,

Brett Chalmers  25:54  
exactly.

Corey Nachreiner  25:54  
And by automated, we mean even look up Brett on social media, learn everything you can about him, and write an email specifically for him, exactly.

Brett Chalmers  26:03  
Yeah, so we see that, and, you know, I guess probably even five years ago, even inside Nuclear IT internally, people were like, "Oh, I have to do this annoying cybersecurity awareness training, and we already know all this stuff." I'm like, "Well, are you sure? Like, how confident are you?" kind of thing.

Marc Laliberte  26:22  
I'm pretty confident myself too, but our red team internally at WatchGuard has been leaning very heavily into more advanced social engineering campaigns to try and test us, and they've been guinea-pigging with me lately, and man, they've come pretty close a couple of times, even convincing me with something just by having the perfect template, the perfect timing, the perfect... I

Corey Nachreiner  26:44  
mean, it's everything. They know something about you, and they get you when you're waiting for just the right package, that you happen to get a real UPS. I've

Speaker 1  26:53  
seen, you know, because they're listed on the stock market, there's public announcements, so, you know, there's just been perfect timing of emails, and you know the client's kind of been one click away from... I

Corey Nachreiner  27:06  
don't... I will usually admit that I think anyone, including the CISO, can be spear-phished. You can have great... you know, what did they call it... opsec, operational security. You may understand the problem, but you can never let go of your vigilance, because it's so easy, saying

Speaker 1  27:24  
it for years, you know. You would get the fake, the phishing emails, and the Microsoft lot, you know, the Microsoft would be missing a letter, or whatever, and you're thinking it's only a matter of time until someone just goes copy, paste, change a link, and we're all doomed, and we're kind of, we're here,

Marc Laliberte  27:40  
yeah, and here it's accelerating and automated, it's like now is the time we really need to be focusing on that, like human-centric training

Speaker 1  27:49  
to catch

Marc Laliberte  27:50  
the stuff that our technical controls are just going to start missing left and right as threat actors really ramp it up. Yep, I'd say so. From your view within Australia, like maybe taking a step back and looking at, I'm sure you like read global news sometimes, and maybe like interact in other regions sometimes, but do you think there's anything unique about Australia that you're facing in cyber security versus other countries around the world or in the region?

Speaker 1  28:21  
I wouldn't say so, to be honest. I kind of feel like, you know, we're pretty similar to other Western countries, you know. We've got, you know, we've got compliance, you know, there's the standard government compliance that's there, you know, and some

Marc Laliberte  28:32  
forward-thinking government compliance, like the Essential Eight was kind of like industry leading when that came out from Australia. And

Speaker 1  28:39  
then there's just... it's a matter of like the E8 now is to make sure it's kept up to date, because it's starting to, you know, they just went through a while ago and updated it to this current one, and now they're gonna have to do it again. Just

Corey Nachreiner  28:52  
what I like about the Essential Eight is, I think their standard there is a bigger one that has the normal 30-some controls, and it's, is it the ASC, ASCS?

Speaker 1  29:02  
ASCS

Corey Nachreiner  29:03  
or ACSC, that does it. You probably said it right. But I love the Essential Eight, especially if you focus on SMB, because rather than looking at the full framework a mature company should eventually get to, these are the eight things that will solve about 85% of the threats out there, and sure you want to have the whole stack, but if you at least do these ones, you'll have a lot of the problem handled.

Speaker 1  29:28  
85 is better than zero.

Corey Nachreiner  29:30  
Absolutely, and it's the big ones, I mean, it's things like identity, and it's the ones that I think have the best return on investment.

Speaker 1  29:37  
Yeah, definitely.

Corey Nachreiner  29:38  
And it's a good, I assume it's a decent conversation starter,

Speaker 1  29:41  
absolutely, because it is public, and if you've got clients or clients interacting with government organizations, it's not negotiable.

Corey Nachreiner  29:52  
Yeah, I guess the only problem, and I'm asking this as a question, it doesn't really have teeth, it's more voluntary. Are there any Australian laws? Like we mentioned earlier, insurance is more the driver, because there's financial teeth there, not so much in fines, but in potential loss of coverage. Are there any teeth to push some of these to certain industries? So,

Speaker 1  30:11  
the Australian government has a critical industries list, so if you're in that list, there is mandated compliance.

Marc Laliberte  30:19  
Okay, and I assume usual,

Speaker 1  30:21  
like power, banks, that kind of thing.

Corey Nachreiner  30:23  
Nuclear IT, do you have a vertical you focus on? Is it more regional, like if you're in Perth, I imagine you'd have more than normal OT networks, just because of the businesses. But do you have a vertical in business that you cover more than others? Yeah,

Speaker 1  30:36  
we do a lot of mining, a lot of engineering, financial services, and professional services, lawyers, I

Corey Nachreiner  30:42  
guess all of those are good because they do have strong teeth for their regulation,

Speaker 1  30:46  
exactly. So, yeah, all of them generally do, especially all the professional services, you know, the lawyers and the accountants. They care about

Corey Nachreiner  30:54  
their data and

Speaker 1  30:56  
their clients' data too.

Corey Nachreiner  30:57  
That's so important. Yeah,

Marc Laliberte  31:00  
so I guess to wrap up, is there any advice you'd give to other people in your space, maybe other leaders on like how they can stay ahead of cyber risk within Australia, or just in general?

Speaker 1  31:13  
I would say it's all about that defense in depth, it's the whole cliche, but the onion, you've got to have the layers, and get out there and get in front of, you know, the decision makers and the business owners, because they're the ones, and sometimes, you know, but don't, my advice is try not to use FUD, yeah, fear,

Corey Nachreiner  31:33  
uncertainty, and don't

Speaker 1  31:34  
you know, it might work initially, but it will probably come back to bite you, you know, it's just talk about risk, that's what. If you're a business owner, you're going to have a pretty good understanding about risk. Talk about the risk, don't talk about the tech.

Corey Nachreiner  31:48  
If I were to add some advice, I would say come talk to Brett at Nuclear IT. Like you want to run your business, definitely get your board and executive staff on for security, but get someone like you who cares about their business, will listen to what their concerns are, and then can cater something for them, so they can focus on what they do.

Speaker 1  32:09  
Right now, thanks, Corey. Be holistic, I guess, not just, not just sell, you know, just EDR, for example. That's one piece of the pie.

Marc Laliberte  32:18  
Yeah, and I mean, you say it's a cliche, but at the end of the day, it's only a cliche because it's basically expected at this point, you have to, or you are going to fail,

Speaker 1  32:28  
the risk goes up, yeah, if you have one layer, you might not get compromised, but the risk will be higher,

Marc Laliberte  32:34  
yeah, 100%, yeah. Well, thank you, Brett, this has been really great, I appreciate you taking time and skipping the beach for a few hours to come hang out with us here.

Unknown Speaker  32:43  
Awesome, thanks, Marc. Thanks, Corey.

Marc Laliberte  32:45  
Thank you for sure. So, hey everyone, thanks again for listening, as always. If you enjoyed today's episode, don't forget to rate, review, and subscribe. Five stars, five stars. If you have any questions on today's topics, or suggestions for future episode topics, you can reach out to us on Bluesky, and that's Mark.me, Corey is at sec.Adept. We're also both on Instagram at WatchGuard underscore Technologies. Thanks again for listening, and you will hear from us next week.

Corey Nachreiner  33:10  
Or page me. I still have my pager,

Marc Laliberte  33:13  
do you?

Corey Nachreiner  33:13  
I'm old.