
So I can start by introducing myself, but I think one of the things that I wanted to set the stage for you today is that this industry is an evolving and expanding industry. Since I've been in the industry since 2013 in Australia, it has literally boomed from having about 200 to 300 people in the National Australian Information Security Association to having thousands of people across the country actually joining the industry and doing a whole heap of different important things. I guess the message here is we are an ecosystem, we are a family, and we all have different skill sets that we need to bring to the table in order for us to be effective to combat cyber crime and to be able to combat the advanced threats that we face in our world.

So by way of introduction, I'm gonna Windsor and I'm the national lead for the mid-market at KPMG for cyber, and what that means is I work very consistently with a lot of small and medium organizations. Most of those organizations are in different industries and they do have a lot of issues when it comes down to cyber. One of the things that has struck me over the last year or so is how many of those businesses actually do not have the right controls in place in order for them to be able to respond to and then ultimately recover from a cyber incident, and that is why what I do I feel is extremely important.

We've seen some crazy stuff in the media recently with Medibank and Optus and a few others having an incredibly tough time as cyber professionals to be able to recover from what's been happening. Again, a lot of stress, so let's take a moment to acknowledge that our industry is not all great and fantastic; there's a lot of stress around being actually a cyber professional today.

So let me check in with you: how many of you here are technical cyber people? Put your hand up if you are a technical cyber person, and what that means is network, architecture, anything else, right? And how many of you are in governance, risk and compliance? Put your hand up if you are in governance. So I can say awesome, great, awesome. So this topic is going to be very relevant to you from multiple aspects, and what I'm bringing to you today is experience on the ground with a number of organizations over the last 10 or so years.

So what I'm showing here to you is a bit of a busy slide. Many of you may have seen it, some may have not, but what it is showing is basically how persistent and how terrible the cyber attacks in our country have been over the years and how they have been significantly increasing year on year. As you can see, the biggest victims of cyber attacks in our country are not the high-profile organizations; it's not, you know, the big banks or the big telcos and, you know, insurance companies that we've been seeing recently being compromised. It's actually the small and medium organizations, and what that means for our economy is that those organizations have a lot less ability to combat and to recover and to respond to cyber attacks, and so they succumb to a number of different things. In some instances they pay ransomware, which they should not be paying, but because they don't have other means they actually end up paying it, and those organizations end up also not being able to recover properly. Some of them close shop, people lose their jobs, right?

So if you look at some of these numbers here: 33 percent of businesses in Australia have actually experienced cyber crime of some sort, of some shape and form, and then the average time currently to resolve an attack is about 23 days. It's not me saying that, it's data that we've been collecting over the last few years together with Home Affairs and, you know, Stay Smart Online Australia. But what is a really interesting number for me is that 53 percent of the cost is on detection and recovery of the cyber attacks, and what that tells me is that, number one, we are not good at detecting cyber attacks when we should be able to detect them, and number two, we are actually not very efficient when we recover our organizations from cyber attacks. That can have a multitude of different reasons, one of those being the lack of policies and procedures, the lack of connecting people to technology and to processes, and so from that perspective there's a lot of work to be done in all those three domains of what cyber really means today.

Well, average cost per attack here, and one of the bigger ones as you can see is a malicious insider. What that means is that we have more and more people being actually targeted and suffering a cyber attack because there's somebody from the inside who is doing something they should not be doing. When we talk about insider threats, we talk about the fact that the insider threat can be of two types. One is a malicious insider threat, which is somebody who is maliciously, you know, targeting the organization from within for different reasons; they may be bitter because they had a disagreement with their boss and they have enough data to actually exfiltrate and sell that data or to do something else. Or they may actually be being targeted via social, you know, channels and social engineering and become that way a target, and then all of a sudden from the inside someone has taken over their credentials.

And I actually have a great example of that. I was working with a portfolio of VC companies recently and one of them had a very senior finance person's credentials being actually compromised, and what happened was the attackers went and changed the bank details of a very big transfer of money and basically the money went into the wrong account. Now, when they found that out a few days later, they actually went back to the bank and said, well, that's a fraud, like somebody did this fraudulent transaction, but when the bank went back they actually saw that there was a log that that particular person had changed the details, so they couldn't do anything about it. So you can imagine for a small or medium organization what that means: they have lost all of a sudden a huge amount of money, they may not be able to pay the salaries of their people, and they can't actually prove that they have been really attacked. Now obviously we were able to look at that and investigate it and prove it, but you can imagine the stress they need to go through in order for them to get to the other side. So some really real examples.

Let me see, show of hands: if you guys are working in a small or medium organization, put your hands up, right? And if you're working for a very large organization that has a lot of small and medium organizations helping them with something and providing services to them, put your hand up. So you understand how important that is, because it's not about that one organization, it's about the ecosystem.

Moving forward, one of the things that I wanted to talk to you about is the threat actors and who they really are, and there's a bit of a definition around them, because I think it's important to understand who we are really dealing with and why our profession is so important. Of course we have people who have malicious intent, and those are the ruthless entrepreneurs or the cyber criminals. We have people who are activists, and they stand for a political cause, in some instances a very valid one but executed in the wrong way, so the activists. Then we have nation states, and those ones are extremely interesting nowadays because we have friends and we have frenemies and then we have enemies in Australia, and, you know, we've been seeing a lot of the attackers coming also from countries that we would have never suspected would actually be attacking us, so these are the so-called frenemies. And then you have insiders, which we just spoke about a little bit.

But the thing that I feel is really relevant to the conversation today is that in the context of an organization what really matters is really three things, and those three things are: is my data secure, are my people safe, and am I able to do business, can I be disrupted if something was to happen? We're going to unpack that a little bit more, but let me take you through some of the cyber threat actors. I have taken a sample; there's many of them, 13 prominently across the world that are making a lot of and creating a lot of issues for organizations and entire countries for that matter. But let me kind of give you a bit of a breakdown, and I'm not going to stay here for long because I want to focus on other topics.

Lazarus: who here has heard of Lazarus? Yeah, exactly, they're very famous. I'm not going to go at length in covering them, but yeah, an extremely interesting type of organization that has been doing a lot of different terrible things, and it's particularly famous with the big Bangladesh Bank hack that happened I think in 2016. Then we have Dark Hollow, Rebellion, Silverfish, you name it; those guys are also interesting characters and they've been also creating a lot of issues around the globe for a very long time now. And then ultimately we have the Equation Group, which no one really knows if it's a real group or if it's a togetherness of tools, but bottom line, they've been creating some pretty crazy things, such as installing a, you know, dark vault inside your firmware and then being able to reinfect your computer even if you have formatted it completely. So a really interesting kind of situation there, right?

And now let me take you back to that ecosystem that we spoke about at the beginning of this session, and why is that so important? Because we have a huge, interesting landscape happening, and that is only bound to grow. So far we have no idea what's going to happen in the future, but one thing is for sure: we're still going to have, you know, multiple new technologies emerging. We're looking now at quantum computing and AI, and we're looking at so many new things emerging that will be making the difference to how we as cyber professionals approach our profession and approach our duties of care. But interestingly, we still have legacy IoT environments, and if you talk about legacy IoT environments, they're actually still there. Lots of organizations do not have the means, the money, they don't have the appetite or even the maturity to understand that they need to be doing something about these systems, but in some instances they can't do anything because those systems simply are so old they cannot be converted in any meaningful way into a new system. So we have to protect them, we have to do something about it, right?

Then you've got your operational technologies, you have obviously Internet of Things, and it's all bound to grow multiple-fold; I'm sure you have seen a lot of statistics on this topic particularly. Then we have the threat landscape that I spoke about, which is ever expanding, and the things that I have listed here are basically the ones that really are bothering Australian organizations in particular. I have a large sample because I work with them; my team is on the ground working with hundreds of those on a yearly basis, and what has emerged, because we've done a bit of research around what is the likelihood and the impact if any of those threat scenarios was to occur and to eventuate, is that we're looking at about 38, in some instances to 40, percent likelihood in 12 months of those organizations being hit. On such a large sample that is actually tremendous, and it's a little bit worrying and scary, to be honest with you.

Then on the other side we have our risks, and the risks we encounter in the small and medium organizations, but across the economy, are always the same. There is the financial loss, which I gave an example about before. We have the data loss, and we've been seeing that in the media over the last few months going absolutely crazy because of everything that's been happening. Reputational damage: it's absolutely incredible. Have you guys heard the new ads that Optus is putting out there? Who has heard, like, their radio ads? Yeah, exactly, right. Then we have the biggest one, which I think is one of those that people don't really realize, and that is the operational disruption. I recently had an organization that had to move a server, like a physical server, because they were not on the cloud, they had everything on-prem, got hacked, so they had to move their backup server from Melbourne to the Gold Coast, and what that meant was they had to disrupt their operations for quite a few days in order for them to then be able to plug it back in and be able to operate. But if we put that to hospitals, if we put that to critical infrastructure, we can imagine what that means for many people who receive vital and important services, right? Then we have the health and safety, and I'm not going to speak at length on that, but we've been seeing more and more issues around that, and indeed the hospitals are a great example of it.

Now let me speak a little bit about the regulatory environment in Australia. We as a country are waking up to that reality and we are doing more and more. There's some enhancement coming from the Privacy Commissioner on the privacy principles, there's enhancement on the Critical Infrastructure Act and there's an expansion happening as we speak, there's a risk management, you know, consultation going on at the moment, and we also have a number of different things that are happening across different industries in order for them to uplift the maturity of their cyber posture and uplift the maturity of their cyber security capabilities. That's happening as we speak. I personally feel that many of those organizations are not necessarily equipped with enough time and money for them to be able to really do something that really matters, and so that is the quest I personally am on, and I invite you all to consider how we as an industry can really enable and help organizations of a small size that are part of our supply chain, for them to be actually empowered to deal with cyber risk and cyber attacks and be able to recover, or in other words, how can they be resilient.

I think the biggest trend that we are facing as an industry is not how many threat actors are out there, it's not how many breaches we're going to have, because we're going to have many, let me tell you that. How many of you doubt that there will be many breaches? Nobody, right? But the biggest thing is to focus on what really matters, and that's resilience: how quickly can we bounce back, how quickly can we do something about it, how quickly can we get out of there.

A few questions that, if you are a cyber professional, you should be asking your organization, but even if you're not a cyber professional you should be asking your management team and your cyber professionals that work for you, and those are: to what extent am I aware of my critical processes, my critical and important data, and obviously my systems, my critical systems? To what extent do I have a cyber security plan or roadmap to meet the challenges, right? And when we talk about roadmap, let me take a step back, because one thing I personally have been seeing missing in the small and medium organizations, but also at some large end of town organizations, is actually having the strategy, and having a strategy that makes sense, a cyber security specific strategy that makes sense and is actually connected to the organization's overall strategy, because if I don't know what I'm trying to achieve, how am I going to ever achieve it, how am I ever going to be able to get there? So strategy is definitely missing. We are still seeing cyber as a tactical thing, somewhere in the IT bucket, right, and many organizations, I would dare to say probably 75 to 80 percent of the organizations in Australia, are still using IT budgets for cyber security, and that's not okay. They're two different competing priorities in many instances and they do have different outcomes, right.

Number three: how confident am I that I know when I have been breached? Again, we have so many cyber security services out there, managed security services, security operations centers that organizations can either do themselves or build themselves or acquire as a service, and we still yet are not cracking that particular nut. It's one of those that will need some more time to be cracked. Managed detection and response is one of those; extended detection and response could be another one that we need to start focusing a bit more on, but I'm sure you'll be hearing a lot about those exciting things today. How quickly can I restore my organization's critical processes? We spoke about that at length. And then, am I aware of my regulatory obligations, and those regulatory obligations, can they kill me or can they give me something that I can become competitive with? Can I commercialize my obligations? Can I become really aware that whatever I'm putting in terms of budgets and energy to become compliant or to become aligned to a framework can have some sort of a return on investment?

And that's from me. Thank you so much for having me, it's been a pleasure, and the one thing I wanted to leave you with is we are an ecosystem. Together we can do so little; actually, alone we can do so little and together we can do so much. So thank you.