Essential cybersecurity insights for small business
Podcast episode
Garreth Hanley:
This is With Interest, a business, finance, and accounting news podcast, brought to you by CPA Australia.
Gavan Ord:
Hello, welcome to With Interest. I'm Gavan Ord from CPA Australia. In this podcast, we'll be discussing the cybersecurity insights from CPA Australia's latest business technology report. Joining me to share his thoughts and recommendations on cybersecurity is Tyler Wise. Tyler is a CPA with over two decades of experience in the fields of public practice accounting, cybersecurity, and digital forensics. Tyler's focus areas include forensic accounting, digital forensics, and OSINT investigations, or open source intelligence for those not in the know. Tyler's background includes being an owner of an accounting practice, and he recently founded a firm called Cyberwise. I'm not sure where the wise came from there, Tyler. And in Cyberwise, he helps clients with cybersecurity, data integrity and forensic accounting. Welcome Tyler.
Tyler Wise:
Thanks, Gavan. Thanks for having me.
Gavan Ord:
First of all, I wanted to discuss some common cybersecurity mistakes that you see. What are the most common cybersecurity mistakes companies make, and how can these mistakes be avoided or at least managed?
Tyler Wise:
Yeah, the most common ones that we see are really not even technical mistakes. So there's the approach that it just won't happen to me, and I think that's because of what we see in the media. There's also the other approach, it's just too hard. So they don't necessarily take the right approaches, or, with the proliferation of these cloud solutions or software as a service, they've sort of abdicated responsibility and can hide behind the security of those providers. So none of those really hold water from a cybersecurity perspective, and they're also failing to undertake environmental scans of what they've got. So not necessarily of the larger environment, but of their own network. So thinking that the vulnerabilities might exist strictly in computers, laptops rather, workstations, when we see that printers are still a risk, modems are a risk, and the bring your own devices are a significant risk.
So we try and get them to have an understanding of that and just take some small steps. Cybersecurity isn't a journey that's going to be finished overnight, so we encourage them to use some of the free resources that are out there, really familiarise themselves with the Essential Eight, which is a really good place to start. So that's from the Australian Signals Directorate on cyber.gov.au, and they can see at that point that the solutions they can introduce, they can do themselves. So again, low barrier to entry from a cost perspective, but it does have a really positive cybersecurity impact.
Gavan Ord:
And you mentioned the media. Do you think that some people go, oh look, it's just too hard to manage, I'm just not going to touch it? Is that the sense you get sometimes when you come across some issues?
Tyler Wise:
Definitely. It just looks like it's quite catastrophic when something happens. And so people think they need to be a cybersecurity expert in their own right in order to prevent it from occurring or secure their systems, when really, again, the media is designed to entertain, I guess. And so it's difficult for them to distinguish between the reality, and some of those big attacks, they are entertaining and sophisticated, but what we see on the smaller spectrum is just really simple social engineering. Phishing and ransomware are still super prevalent, which can be easily circumvented with just some education, training and governance solutions, really.
Gavan Ord:
Moving on to AI safety, our business technology survey results show that there's been a jump in the number of businesses using AI over the past 12 months, although most of them are only using AI some of the time. What cyber risks are emerging in the AI space?
Tyler Wise:
So the cyber attacks that AI is helping is in the proficiency. So we start back with the large language models, that has caused a really increased strike rate of success for phishing, smishing, phishing, all those sorts of -ishing things, because the language is now improved. So before you used to be able to laugh it off, it was written so poorly, now it's drastically improved. AI is also writing some pretty useful code. Now, you can't ask AI to simply write you malware, as an example, but if you're struggling with a particular element of code, and again, this is how programmers use these sorts of tools, sometimes, when they just can't get something to work efficiently, they might put snips of that code in and get these large language, or these AI tools to assist them in that regard.
So the cyber attackers are doing the same. So that's where AI sort of has a cybersecurity risk without the human interaction, but we also have to be really mindful of the privacy risks that exist when we're putting in information into artificial intelligence. Where's that data residing, where's it travelling, and how's it being used and managed? So we've got to get to the answers to these questions, which I do think a lot of people in the industry do take that seriously and do obtain that information where they can.
And then we also have to be really careful of data poisoning, which again is something that we haven't seen hugely yet. But as these AI engines start to obtain more information, there's the fact that you can put in incorrect information and train the model to give you inaccurate answers as well.
So where you might see that is in local evidences of AI, so you might be putting in the wrong information and relying on it to get, for an output that is also going to be inaccurate. So you've got risks regarding that sense as well. So the first two are genuine, those cyber attacks, the others are risks that we need to navigate from a user point of view.
Gavan Ord:
And just on the data poisoning, do you have any tips on how businesses can mitigate that risk of someone coming in and poisoning the data well?
Tyler Wise:
Yeah, if it's a local version of a GPT as an example, we want to make sure that you know what the output should be before you actually rely on the AI. So again, it's just standard accounting practice, really, auditing that information and verifying it. You need to also have really strong policies and procedures in regard to what information can go in and train the model. So in some instances, if you don't have that, you could have a junior staff member, as an example, potentially feeding it information trying to obtain an output, not realising at the same time they're training the model, unbeknown to them. So that's one of the risks that you can mitigate with that. And just really, again, having a really good understanding about where that information comes from.
We know with those large language models, they're at a point in time, so if you know that you can check to see if it's accurate, and then you don't want these AI tools to be replacing your ability to think and problem solve. You want it to complement it, so you should be able to identify if something isn't quite accurate. Again, we're looking for it to complement what we're doing, not replace us at this point.
Gavan Ord:
Moving on to cyber security and how that compares with other tech initiatives that the business might be undertaking. The survey results show that cyber security is one of the most popular technology initiatives for businesses over the last 12 months. Are you seeing examples where organisations might be prioritising cyber security over other tech initiatives? And if so, do you have any tips on how businesses can strike a balance between security and other tech projects?
Tyler Wise:
Yeah, we probably don't see cyber security being placed as the priority over other technology initiatives, unless, sadly, they've suffered an attack, in which case then it becomes the number one priority. But when people are making decisions for their business, what we're seeing is that it's not being prioritised, but it's certainly being considered now, when historically it was not worried about at all because, again, we had that abdication of responsibility mindset where if I use this service provider, they're handling security. And the notifiable data breach regime is what's keeping a lot of people in check, because we are ultimately responsible for that. So we're definitely seeing a lot of instances where people are considering it, which is really encouraging. And then sometimes some of those initiatives where they are just introducing technology are really simple technology things such as password managers and multifactor authentication; those sorts of authentication approaches are really, really important. What we try and encourage, because budgets are finite, so we don't want, we'd love everyone to spend their money on cyber security, but we're realistic about that.
We're saying when you're evaluating other technology initiatives, is to consider and look for these solutions that are secure by design or secure by default, which means that they come embedded with these security features out of the box, which then means that, again, you're not having to worry about how's it going to be secured? Do we need to change policies or procedures? You certainly need to have a good understanding about what that looks like from that software point of view.
But secure by design, secure by default really mean that you can hang your hat on that there is some security mechanisms in place. We've been speaking with some vendors, when you ask them about what kind of security they've got in place, they kind of just freeze and don't want to answer the call because they're worried about being exposed when it's not about that. It's just being able to answer those questions.
Gavan Ord:
Because you'll find out anyway, so might as well tell you upfront. I assume that's the case anyway.
Tyler Wise:
That's right. If they just said, oh, we don't have that, you'd be like, oh, that's fine. We'll make sure we put something in place locally to deal with that. And then at the same time we do ask them if it's on their roadmap or something along those lines. But yeah, it's not a witch hunt, but people feel like it is.
Gavan Ord:
Just going on to SMEs and cybersecurity. So the survey results show that concerns over cybersecurity and data privacy are some of the top barriers to technology adoption with SMEs, the top barrier being cost. How can SMEs who have limited resources adopt digital technologies while also addressing the cyber security challenges?
Tyler Wise:
What you want to do with that is, again, make a time investment, which is what we suggest, and which is difficult, because everybody's time poor, but if you can take the time to have an awareness of what is going on and what you need, it really can help you understand the risks that you're undertaking. So data privacy is a hugely policed area at the moment. The OAIC releases really regular reports and they just released another one this week. And we're seeing that the breaches that are occurring in regards to data privacy are going up month to month effectively from the reporting periods. So we just need to make sure that we are answering those questions internally, because if we rely on those outside solutions, again, we don't have that understanding about what they're doing. And then it's possible as well that you're going to be leaking information without even knowing that you are doing it.
So having a really good understanding of your requirements, the legislation as well, can help mitigate some of those. And then you come at your cyber security initiatives from a place of knowledge, which is the best place to come from, as opposed to just being blindly led to introduce a tool that you don't know how it works or why it works. Just that you've got it.
Gavan Ord:
Great advice. Another question on cyber threats. What do you see as the emerging cyber threats that businesses should be concerned about? And are there steps that businesses can take to mitigate or manage those emerging risks?
Tyler Wise:
Yeah, the risks that we're sort of seeing, I wish I had something exciting to add, but it's almost like the same old, same old. We're seeing ransomware still just so prevalent on the Australian shores. Recently though, stealer logs have become very, very prolific, and even the ASD has released information on that. So initially, these are programmes, malware, that people willingly download a lot of the time, but can also be put on your computer by accident or maliciously, and it's designed to obtain personal information. So passwords, usernames, and initially we were able to parse this information locally ourselves just from the resources we had. It has far exceeded now our time and resource capability to do that on a daily basis. So these are really significant risks. And so this is username and password combinations often that are available. There's also spyware, there's a whole bunch of things that happen with these stealer malware, but the risk where we're seeing that mostly come into play is unfortunately from the bring your own device, because you can't control what people will put on that.
And a lot of times, the people who are falling victim to this are downloading something not untoward. They're trying to download something to help them do their job, unbeknown to them that it is obviously malware in its inner sense. So we're seeing that as a really big risk, and something that is taking a lot of time and keeping us up at night. Alternatively, as well, with the proliferation of hardware devices, we're seeing a lot of internet of things risks, which comes back to this: if we had that security by design or secure by default approach, you can mitigate some of these, but cameras are a pretty good example.
Some of those ship with the admin, admin username password combination, which then means that these become a very strong attack vector point. So we just have to address our hardware introduction. And again, just some really simple hygiene to make sure that we're updating the username and passwords to something unique, long and complex is what we say a password should be. So changing those default credentials, and we don't want to be stopping people from deploying technology and driving business efficiencies. We just want them to take a couple of minutes longer and just add some security safeguards in place.
Gavan Ord:
You mentioned bring your own device being an issue. Is there any sort of general observation you want to end the podcast on which our listeners can take away and apply in their business?
Tyler Wise:
Yeah, I've been a really big exponent of bring your own device and the vulnerabilities that it brings. Most people don't like hearing it because you're just adding to their budget costs when they're saying everyone needs a work computer and a work phone. So in that instance, we just really encourage people to familiarise themselves with the Essential Eight, because again, it's just a free resource from the Australian government that can help you increase your awareness and understanding of the risks. And also, I think most people that have a stereotype think cyber security is really exciting, and I've shared a couple of videos of people just showing them how boring it can be. I do that so that they can understand that they can go and start this journey themselves as well. So I certainly find it exciting, but generally speaking, people think that you have to be a programmer in order to be able to put some defences in place, but there's a whole plethora of free resources out there.
And again, just start the journey, and then we find a lot of people get momentum going, and their protections really, really ramp up. So get some awareness and education, improve your governance, and again, then you can start deploying tools when the budget allows.
Gavan Ord:
It's not all about technology. A lot of it's about the human element as well, isn't it?
Tyler Wise:
Yeah. Social engineering is still the way attacks are most commonly commenced. So unless you're a specific target, so again, a person of high wealth or high interest might suffer an attack without them knowing it. But when we think about smaller businesses and just normal everyday people as well, they're often receiving something that they're engaging with that then causes them to have that oh no moment. So you click on an email you wish you didn't, and then we also see some people put their head in the sand and pretend it didn't happen because of the stigma that goes with the responsibility of saying, I caused a cyber security incident. We all make mistakes. I've suffered a cyber security incident myself back 10 years ago. No one's infallible. So we just need to let people know that you will make mistakes and it's okay if you do.
Gavan Ord:
Thank you, Tyler, it was great to have you on the show.
Tyler Wise:
Thank you very much. It was enjoyable. I had a great time.
Gavan Ord:
For more information about the topics we've discussed in this episode and a link to CPA Australia's 2024 Business Technology Report, and the Essential Eight, which I think we'll include in the show notes, please refer to the show notes for this episode. With Interest is a regular podcast; if you like today's show, you can subscribe on your favourite podcast app by searching for CPA Australia's With Interest. I'm Gavan Ord. Until next time, thanks for listening.
Garreth Hanley:
You've been listening to With Interest, the CPA Australia podcast. If you've enjoyed this episode, help others discover With Interest by leaving us a review and sharing this episode with colleagues, clients, or anyone else interested in the latest finance, business, and accounting news. To find out more about our other podcasts and CPA Australia, check the show notes for this episode, and we hope you can join us again for another episode of With Interest.
About the episode
Explore critical findings from CPA Australia’s 2024 small business survey, focusing on cyber security challenges and best practices.
Join our expert cybersecurity guest, who provides insights on common mistakes, the impact of AI on security, balancing cyber security with technology initiatives, strategies for resource-constrained SMEs and emerging threats.
Learn actionable takeaways and practical advice that you can implement right away.
Whether you're a small business owner or an IT professional, this episode aims to empower you with the knowledge and tools to safeguard your business against cyber threats.
Host: Gavan Ord, Business investment and international lead, CPA Australia
Guest: Tyler Wise, director of Cyberwise, a forensic accounting and digital forensics specialist
For more information, head to CPA Australia’s Centre of Excellence Digital Transformation page.
CPA Australia has tools and resources on cybersecurity as well as tips on the My Firm My Future page.
Click these links for Tyler’s company Cyberwise and for the Essential Eight mitigation strategies organisations are recommended to implement.
October is also cybersecurity awareness month. See the site for more on how to stay secure online.
And you can find a CPA at our custom portal on the CPA Australia website
You can also listen to other With Interest episodes on CPA Australia’s YouTube channel.
CPA Australia publishes four podcasts, providing commentary and thought leadership across business, finance, and accounting:
Search for them in your podcast platform.
You can email the podcast team at [email protected]