  • 1 year ago
Amid the rise in cybersecurity breaches, SMEs and even large corporations cannot escape fines of up to 30% of their annual revenue. This video is a must-watch for any business owner or IT professional who wants a strategic approach to these situations that upholds the security of a company's confidential data. We dive into the eight mitigation strategies formulated by the Australian Cyber Security Centre (ACSC), the Essential Eight.
Visit - https://onsitehelper.com/path-to-essential-eight-direct-or-gradual-approach/

Category: Tech
Transcript
00:00Breaches overall are expensive. The average cost of a breach here was $4.2 million, which is quite a lot for a mid market company. That's, you know, I guess, survivable, but for a small business, that could be the end of business. And, you know, when you think about, you know, some of the experiences that we've seen, we had a law firm, 30 employees, crypto lock attack, this is many years ago now, didn't have backups in place, didn't have the adequate backups in
00:29place. And the whole business stopped three weeks, and immediately hundreds of thousands of dollars a day was impacted for their business. And, you know, not only is the internal ability to deliver work impacted, but for organisations that are in the mid market or larger, very quickly, these can now turn into a media issue, as we are seeing. And so it's not only the big companies anymore, it's now mid tier companies that are being splashed across the media, when there's a
00:59problem. There's big fines on the way as well for businesses. And I don't know if they're going to throw any CTOs in jail, but the businesses themselves are going to receive pretty hefty fines. These have not yet been implemented. So they're not yet enforced. But there is basically, you know, pretty serious fine structure coming in place for larger, larger fines to be imposed for organisations that are not protecting data. And, you know, the real reason for that is that we're becoming a
01:29more privacy focused culture. And when we're a privacy focused culture, you know, the end users, whether that be our customers, or other people's personal information that we're holding, they basically don't want to have that breach. And so they're putting pressure on the government to get more serious about this. And, you know, that trickles down to us, as organisations, you can see here that the fine is up to 30% of your annual revenue for a year. And with most organisations not running anywhere near 30%
01:58of net margin, that's, you know, pretty darn, pretty darn impactful. Without cash reserves, that could also mean the end of a business, even for a large organisation. You also end up on the naughty list, which is public, which you don't want. So how do we approach, how do we approach this strategically? How do we avoid this risk? And how do we approach this, you know, internally as technology leaders? The Australian government has brought out a really great
02:28framework called Essential Eight. And this really gives you a guide on what are the different areas for you to be focusing on, as you build out your security strategy, and as you protect your users and protect your customers as well. And this is actually pretty easy to understand. It's been released recently. So if you haven't already had a read of it and checked it out and started modelling some of your strategy around it, this would be a great time to do that. What we deploy for our customers
02:58in strategy is all aligned to the Essential Eight principles. So even if you're outside Australia, you know, you may have your own specific guidelines. You know, Europe are obviously extremely privacy focused. You know, the US also have some, some guidelines as well, if you're in North America. But these are the fundamental principles that we rely on. And there's some, yeah, there's some pretty cool things with Essential Eight. One of those being, if you're rolling out Chromebooks, or Chrome devices to your users, two or three of these
03:28principles don't actually apply like Microsoft Office macro settings, because they just don't exist on Chrome devices. And so this is a really great framework. We use this as a guide, and you'll see some of these concepts kind of sprinkled into the technical delivery of what we're, of what we're sharing today.
03:44So there's different levels to Essential 8.
03:49It's effectively like different levels of compliance.
03:51So you would start at getting to compliance with level one,
03:54then you would move to compliance at level two.
03:56Finally, you would move to compliance at level three.
03:59And as Adrian said, as you implement security processes
04:04and security controls,
04:05you can then report those back to your insurer
04:08and hashtag I'm not a lawyer.
04:10So I can't officially give you advice,
04:12but what that allows you to do
04:14is potentially negotiate with your insurers
04:17to demonstrate your compliance with security principles
04:21and good security practices.
04:23And that will potentially help the business cost-wise.
04:27Adrian, did I miss anything on this slide?
04:28Cause I know this one is a bit technical
04:30with Essential 8.
04:32No, I think it's just, it's good to explain that
04:34it's a bit of a journey as well.
04:36So it's not only about getting to compliance,
04:38but it's also ongoing maintenance of that.
04:42So there's quite a few things around.
04:44First, you need to get to that compliance with audits
04:47and so forth, and then implementation,
04:49then ongoing maintenance to stay compliant as well.
04:52And this journey can take, to get to level three,
04:55it could be anywhere in that field.
04:57Business is on the small end,
05:00could be within six months,
05:01but generally speaking with the mid-market,
05:05it should be probably six to up to 24 months
05:07to get all the way through to level three compliance,
05:10so it's a bit of a journey, but we'll work it in the end.
05:15The security controls are very tight
05:16when you get to level three.
05:18Yeah, and that's using,
05:21once you get to those upper levels,
05:23obviously you're using the enterprise SKU
05:25of Google Workspace because you're using features
05:28like end-to-end encryption on emails,
05:31you're locking down accounts with advanced protection
05:34for key people in the organization,
05:36IT administrators, chief executives,
05:39those kinds of people who may have additional access.
05:43It's using some of the specific features
05:45of the enterprise SKU to lock those down.
05:48If you're more of a smaller business,
05:50so like you've got less than 20 employees in the business,
05:54then starting with the basics
05:55is still a really great place to start
05:57and very important as well.
06:00Even small businesses are being attacked,
06:03even not just accidentally,
06:06but very deliberately by third-party actors.
06:10And unfortunately, we're seeing pretty high instances
06:13of people stealing mobile phone numbers
06:15and porting them to other carriers.
06:18Once they have your identity, they steal the phone number,
06:21then they've got two-factor backup access to your account.
06:25If you've shared a password, and many people still do that,
06:28they're sharing passwords between accounts,
06:30and then, hey presto,
06:31they're into a Google account pretty easily.
06:34And you may think, oh, well,
06:38the risk of just getting into my Google account.
06:40And unfortunately, we're seeing
06:41very, very commonly happening,
06:43someone impersonating a staff member, that old scam.
06:47They email the director of the business and say,
06:49hey, I need this urgent shipment payment made.
06:52So the shipment can be released for XYZ supplier.
06:54They're using the supplier name that you recognize.
06:56They're using a process that you recognize.
06:58They're using invoice amounts that you recognize,
07:00but it's going to a bank account number
07:02that is not your usual number
07:04that you would be sending it to.
07:06So even for small businesses, this is important,
07:09and at least aiming to get to something like
07:11the level one of compliance is a good move for everyone.