95. Build your third party cyber fitness with Susie Jones
We are back with our 10th season of the podcast, and to kick it off Claire is joined by Susie Jones from Cynch Security. Susie and Claire discuss supply chain risk, small business cyber fitness and the recent changes to security legislation. Susie also shared her thoughts on the role of government in securing all businesses.
Susie Jones is an experienced leader and risk manager who spent years specialising in the people and process elements of general and cyber risk management, and is passionate about bringing big solutions to the small business market. Before co-founding Cynch in 2018, Susie's previous roles included Head of Cyber Security Business Services at Australia Post.
Links:
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
CP: I'm Claire Pales, and welcome to The Security Collective podcast. We're kicking off the season with Susie Jones. Susie is the co founder and CEO of Cynch Security, who are all about how small businesses can improve their cyber resilience by building cyber fitness. Susie and I spoke about the security challenges for small business and how they differ from big corporate. And we covered the question of whether anyone is getting supply chain security right. Susie also shared her thoughts on the role of government in securing all businesses. Susie's work with small business and her sleeves rolled up approach to understanding the challenges they face regarding cyber risk is commendable. Please enjoy my chat with Susie Jones. Susie, it's great to see you, and welcome to The Security Collective.
SJ: Thanks for having me.
CP: So I wanted to start by asking you what's been happening for small business and cyber over the past few years? What are the trends you're seeing for smaller organisations?
SJ: There's a few that really come to mind when I think about this. So for starters, there's a trend in small businesses recognising that they are a target for cyber criminals. When we first set out with Cynch back in sort of 2017/2018, there was only a very small segment of the market that really understood that they were under threat. And that has really started to shift. I think a lot of what has helped this shift is more conversations in the media, or conversations through industry associations, a lot more information out there around just how prevalent cyber attacks are. But also unfortunately, because so many more small businesses have actually fallen victim or have had a near miss that you know, many more businesses are now alert to the risk. Second trend that we've certainly seen come about, particularly over the last 12 months or there abouts as we've sort of come into this new COVID normal phase of the pandemic, is a renewed focus from large corporates and government departments to start scrutinising the small businesses that are in their supply chain. So previously, largely small businesses were excluded from security assurance processes within large corporates. It was just known that they weren't going to be able to answer the question, so let's not waste our time sort of approach. Whereas now with things like new regulation, new expectations when it comes to how a large corporate understands their supply chain risks, they can no longer afford to avoid or ignore the small businesses in their supply chain. And so that's really meaning that more and more small businesses are being asked to demonstrate that they're doing the right thing, and finding themselves on the backfoot if they're not proactively working on their security. And lastly, I guess the growing trend, in terms of business email compromise, invoicing scams, ransomware, all of those have been around for a long time, but just through the roof in terms of a number of successful attack on small businesses. It's easily the most common three types of issues that they face these days.
CP: I want to pick up on the supply chain risk that you just talked about, and thinking about how many people are involved in managing supply chain risk, different people in your organisation, departments, customers, the suppliers. What are some of the risks and challenges that you see for small business in managing cyber risk
SJ: One of the key challenges that small businesses face when they start to be asked questions around how secure are they and how do they meet the requirements of their larger customers is that each and every security assurance team within different corporates and different government departments have their own questions that they want to ask. So as a small business, you might only have 10 people in your business, you've got one person that does business development and answers all of the questions that go through procurement. And each and every time they get to that stage in the process, they get a completely different set of questions. And those questions are written in tech jargon. And quite often, they're pulled together out of just you know what the Security Assurance Manager has used in the past, and then they'll add in a couple of other questions, they might throw in stuff from Essential 8, but it ends up being just this complete mishmash of questions that a small business gets and they're like, well is this even relevant? What is this even asking me? How on earth can I answer this? Plus the language in many of these questions it's you know, it will say something like, do you have multi factor authentication enabled on ALL of your systems? Well, nobody's going to be able to say yes to that, because MFA isn't actually available on all systems. And really, that's not what you need to know anyway. What you want to know is, is it enabled on org critical systems where it is available? So the way that these questions are asked creates all sorts of resourcing challenges for small business in terms of how can I answer this. And if they are proactively managing their security how can they answer a straightforward question where it's just yes or no. How do they demonstrate that? Well, I'm not able to say yes to all of your questions. But that's because we've actually implemented other controls that are more appropriate within our organisation, there's no opportunity for a conversation there. So it really forms a lot of challenges and barriers for small businesses to work with larger organisations, which then leads to all sorts of other troubles within supply chains.
CP: And I think that one of the major challenges is that for small business, obviously, the name suggests they are a lot smaller sometimes than the organisations that they're doing business with. And oftentimes, that wouldn't be their contract that would get signed, it would be the contract of these bigger corporates, do you see value in a small business making sure that there are some information security clauses in those contracts that might protect them if the bigger organisation was to have a breach?
SJ: I think the reality is when it comes to small businesses working with big business, the power imbalance is so large, that those clauses you would need to write them really, really well, in order for them to actually put some power back in the hands of a small business over a big. You know when it comes to any sort of contractual arguments or legal action down the track, the resources at the hand of a big business is just so much larger. That's not to say that I don't think there is any value in making sure that there are security clauses in the contracts. I think every business should be making sure that their contracts are applicable and modernised with the way that we work today. But I would be hesitant to have a small business rely on the fact that they've got security clauses in a contract to make them feel comfortable, that they're managing that contractual risk with their large customers or indeed suppliers. When they're a small business, they really need to be conscious of what that power imbalance means to them, and what can they do on their side that's in their control, to be able to improve that risk overall.
CP: And then, I guess, once you're deciding to do business with an organisation, whether you're big or small, what are some of the challenges that businesses face in assessing and understanding the changes in their cybersecurity maturity in their supply chain? And if you think about data flows, and who's responsible for what, how can businesses be really comfortable that they're getting this right?
SJ: I don't think businesses should be comfortable at all that they're getting it right. I haven't seen anybody that is. You know, when we think about security teams, within large organisations, you know, you're talking dozens, if not hundreds of personnel that are constantly having to change and work with the ebb and flow of all of the evolution within security risks. We all know, Log4J threw up Christmas for so many people within big business. But you also need to be mindful that if you've got small businesses in your supply chains, they have completely different risks that they're facing. So Log4J amongst our customer base was nothing, it was a complete nothing burger, because they're just not using the technology that that affected. But they are using completely different tech that have had many issues over the last sort of six to 12 months. So it's being conscious that the technology that you are managing and the technology risks that you're managing within your large organisation is likely to be completely different within your suppliers. And that's on an individual basis. Some of the challenges then of managing your full supply chain risk is how many suppliers do you have? And how many suppliers did they have as well? So it's not just third party suppliers. It's fourth, it's fifth, it's sixth party, because you might have a number of you know, decent sized contracts, you're pretty comfortable with the security clauses and protection that those suppliers offer you. However, if they're sub-contracting, and just about everybody is in some way, shape, or form these days, then there's a risk there that you're completely blind to. So even if you're able to really wrap your arms around all of the security maturity, at a point in time, in all of your own direct suppliers, you're really kidding yourself if you think that that first of all is applicable even a week later. And second of all, that that's the full picture, because all of your suppliers also have suppliers, everybody is connected. And so that's why I think we need to change the way that we're thinking about this, we need to stop thinking about this as an assurance. As a, you know, I need to know what the number is I need to know how mature it is. And we need to be thinking, Okay, if there's no way for me to ever figure out a number or a score, if there's no way for me to know that on any given day, then let's talk about the trends. Let's talk about how can we gradually support all of our suppliers, whether they're big or small, to improve with us with their security. If there's different things that you're trying within your organisation to improve the security of your organisation, then why not share that with your suppliers and see if they are willing to adopt that control or approach as well. There's still too many silos within security that the information on how we're protecting our organisations is not shared. And unfortunately, cyber criminals are some of the best collaborators in the world. They share everything. And yet us, the good guys, don't share much at all. We share intelligence amongst ourselves, but not necessarily approaches and the steps that we're taking to improve security. And we don't even share that with our own suppliers. So if we can become a lot more collaborative in our approach to security, then the question stops becoming, what is the maturity of our supply chain cyber risk, and starts becoming what activities have we undertaken with our suppliers to support them in improving? And have we seen any evidence that they've been effective in making improvements?
CP: And I think you make a really good point that there is no collaboration. And certainly what I've seen consulting is that lots of organisations are frightened or apprehensive about sharing their maturity, or, you know, some organisations saying, well I want to see your results of your latest pen test. It doesn't actually suggest whether or not they're secure it, it just means as you said, at that point in time, on any given day, that's what their cybersecurity position is. But tomorrow, they might launch a new product, or the next day, they might have a breach. Or, you know, really, these assurance activities are very, you know, on the 25th of May this happened, or this is where we're at. But the next day, all of that changes, and it must be very challenging for smaller organisations to meet the expectations of even other smaller organisations, but also larger ones. Are there more hurdles? What are other hurdles are you seeing that small organisations go through or have to get over to show that they've got some level of cyber maturity?
SJ: One of the big challenges they have is that many of the cybersecurity standards are obviously written with big business in mind and the technology that big business has in place. If you look at Essential 8, it is almost impossible for small businesses to actually meet the definitions they put in terms of controls, because they're not using technology that it's applicable to. So if you're simply saying you must be maturity levels who have Essential 8 to a small business supplier, then they may very well never be able to meet that requirement. And in fact, it defeats the purpose of it. A lot of the issue is that so much of the instruction and the information is assuming that you're using a tech stack that small businesses simply don't use. Most small businesses these days have already transitioned, if not completely, then certainly in a majority way to the cloud. And they're using cloud solutions. They're using software as a service, they're very much serverless organisations. And so many of the controls and expectations that are underlying the questions that get asked through security assurance are simply not applicable. It also means because these supply chain assurance activities are done, it's not one person talking to another person, it's one person sending an email that has an attachment with an excel spreadsheet where they have to go through and answer yes or no. So there's no one to ask questions. And if you do make yourself available, then you end up becoming a pseudo helpdesk, which of course, nobody has the ability to resource that either. So because it's not a conversation, it makes it really, really difficult for a small business to be able to take the time to not only go through and understand all the questions that you're asking, but then to be able to respond in a way that articulates how their business and their technology stack is different to the questions that are being asked, and therefore what are they put in place. I mean, how can you possibly expect a small business owner that works in a completely different industry than not a cybersecurity specialist, how are they ever meant to articulate in a satisfactory way that they've put the right steps in place. And this is where reporting capabilities for small businesses is really lacking. And what we essentially have been trying to replace and build out within our platform is a way to be able to bring an explanation and show trends in time. So sure, they're not able to answer yes to all of your 27 questions today, but they're able to answer yes to 13 of them. And guess what, six months ago, they could only answer yes to six, over the next six months they plan on implementing controls, that means they can answer yes to another six. So you know, being able to show trends, being able to demonstrate it that way, is really valuable. But again, it's a one to one basis. And so this is where some of the challenges come in terms of the way that security assurance teams operate, because they receive back those questionnaires. Most of the time, it ends up sitting just on a shared drive somewhere. It's individuals spreadsheet. And so then you have just hundreds of individual spreadsheets with information, there's no way to query the data, there's no way to identify trends. And unless they actually all go into a single place where you can get a single pane of glass kind of view, how does any organisation really sort of support that improvement and be able to identify which of their suppliers are actually doing the right thing. Because I know for me, I would want to be working with a supplier who is actively working on their security, even if they've still got a way to go. Rather than another supplier that I've been working with for 20 years and sure they can answer yes to 13 of them, but they're the same 13 yeses that they would have had 10 years ago, and they're doing absolutely nothing to improve. So these are kind of some of the trends that you don't get to see in the way that we're managing security assurance these days and some of the challenges I see on both sides of the fence. I would love to see security assurance teams being adequately supported in terms of budget, and in terms of the actual technology that they can use, so that they can actively query and identify trends, hotspots, so that they can work with their small business suppliers on the things that really matter. At the moment, there's really just a complete blind spot when it comes to all of that.
CP: You make an interesting point about being able to query the data and understanding the nature of all the suppliers that you're working with. Because it could be that you're working with 10 suppliers who all have the same gaps in their security maturity, which increases the inherent risk for you, or the residual risk for you as an organisation, no matter what controls you've got in place. If all of your other suppliers have got access to your data, and they're all weak in similar ways. I don't necessarily think that some businesses are thinking that, thinking that through or understanding that.
SJ: It's also offers a really big opportunity, though, because if you're able to identify that 10 of your suppliers are all lacking the same controls, then you can work with people that are supporting them to provide them information on how to implement those controls and why they matter. So you can actually change the conversation turn it into an opportunity rather than, Oh, this is a big issue for us. It's like, okay, sure it's an issue. But there's also an opportunity for us to work collaboratively and improve the security in one fell swoop. But you can't do that if you don't know who's got those weaknesses.
CP: And can you think or share other ways that this collaboration might work and getting greater security and transparency between members of a supply chain.
SJ: In many of the organisations that have seen visibility in terms of the structure of their security teams in large corporates and government departments, there will usually be a security awareness or training team. It's their responsibility to help train staff to initiate better behaviours amongst the staff of that organisation. Why not share that information with your suppliers as well. That information is always internal and it's very rarely is it externalise. I've certainly had conversations with many super passionate security awareness, like absolute guns in our industry, who would love to be able to talk to their customers or their suppliers about what they're doing. But they're pigeon holed by the actual governance of the organisation to say, no, you're an internal team, you only talk internally. We need to kind of flip this on the head, it needs to be an open conversation, because if some of those small businesses could have access to the amazing training and information and insights that are shared internally within a large corporate, they would have absolutely no other way of accessing those kinds of insights. And it's as simple as sending it to them as well as you send it to internal staff. So I think that would be a really important way. Secondly, as well, being really conscious of the questions that you're asking, and making it really clear why you're asking unfortunately, with the security assurance process, because quite often it comes right at the end, if you think about, you know, a customer and a supplier, there's been, they've been going through many, many months, often of negotiation over whatever is product or service that they're going to be purchasing. They've already negotiated price and negotiated, you know, delivery timelines, all the rest of it. And then finally, okay, we want to go with you. Now they go through the supplier approval or vendor approval process. Now we all know what that's like, it finally gets to security, it's right at the end, everybody within their business is already sick to death of this and just wants to get off and running. And then all of a sudden that goes to security and security say, well, hold on, we need to check whether or not we can do business with this organisation or this supplier. And so that security team itself is put at the wrong end of the conversation, they should be in there right up front. They should be part of the selection of any vendor, rather than being positioned as the department of no at the end of the whole process. And so the flow of the information and decision making really inhibits good conversations around security as well. And so being able to include the security team upfront when you're engaging new vendors, can mean that further conversations can be had, even just about these are our expectations of an organisation that's going to have the sort of technical integration that you will have, do you have these in place, if not, well, we're going to be negotiating this over the next couple of months, you've got a couple of months to put them in place, right? If you outline your expectations pretty clearly at the start, then it's going to be a lot easier for them to meet them down the track.
CP: We could have that conversation about security being at the wrong end of the process on any given day about any topic when it comes to security, you know, I think they always felt like they're at the tail end, you know, kind of at the legal or governance end of a process or a project. So I love the idea that as a small business owner, or as anybody really, you could be given fair warning that these security questions are going to come when we get to the pointy end of the engagement or of the negotiations, so here's some things that you really need to start thinking about in order for us to do business.
SJ: And that's not sharing state secrets, right? Like they're going to be given the questionnaire down the track anyway. So it's not like you're sharing information that they wouldn't ordinarily have. You're not giving them anything extra other than time, that's the only thing you're giving them, is time and fair warning. And that really changes the way that a business can be able to meet your expectations, and find a way to be able to pull together a report, so that if they're not able to say yes to all of the questions, they could actually spend time to articulate why it is that they've got other controls instead of that. Time is a really, really valuable resource, particularly within small businesses, the three biggest constraints within small businesses, when it comes to building good cyber fitness is the fact that they don't have time. Everybody's wearing six different hats, they don't have the budget. So some of these big fandangled toys that we can put in place in big businesses are simply not appropriate and completely out of the bounds of a budget that they would have. But thirdly, in terms of their experts, cybersecurity expertise, they simply don't have it. They're experts in whatever it is that their business is, they're not experts in security. And so when you need to talk to them in security language, it really sets them behalf. So giving them more time to be able to understand and wrap their head around the area of security that you're concerned about is really, really valuable for a small business supplier.
CP: So when you think about supply chain, there's really two or three parties involved, as you've said, third, fourth, fifth parties who can be involved in the security maturity of that supply chain. But I'm interested to know your thoughts around if government should be playing a role. Because some of the challenges we're talking about with smaller business could be potentially alleviated if the government were to put in some controls, or it could make matters worse. I'm interested to know your thoughts if governments were more involved or made more mandates or regulations, obviously outside of privacy and those types of things. But small business often fly under the radar of thresholds of legislation that government make or put in place. Do you think that there's a role for governments to play in the supply chain security maturity across the board?
SJ: Absolutely, I think there is a really important part that regulation can play in terms of setting the expectations that everybody needs to meet. So being able to set a minimum level of security, a very clear set of guidelines of this is what you need to implement within your organisation, and this is what happens if you don't. Being able to make sure that there's very clear articulation of what would occur if you don't meet those standards, and then you do have an incident or a breach, how could you be held responsible? There's so many conversations happening right now across the country in boardrooms around how do we know if we've done enough from a security perspective? Have we done enough? How much more do we need to put into this? We keep hearing that we need to invest more, but how much more, like what is the target, what's the end state that we're trying to get to? And how am I meant to know when I've done enough? Particularly when there's things like the ASIC vs RI Advice court case that was decided a couple of weeks ago, that was just based on breaches of the Corporations Act. And that's the first time as far as I'm aware that that has been the case for cybersecurity breaches. And so the government is able to clearly articulate what is the minimum standard, what is the threshold by which until you reach that threshold, you are at risk of breaching your corporate social responsibility, then I think that will make a big difference if they do that. The pessimist in me thinks that in this country there is very little chance of that occurring. Because simply it's pretty hard. Who wants to be the person that says, this is the minimum standard, and then businesses reach that minimum standard, and then we have a huge nationwide cyber attack, which was not mitigated, even though everybody met that minimum standard. That sort of the concern and the fear that sits behind not setting the standards. The reality is, everybody knows that there's going to be, you know, some big huge cyber attack at some point, you know, there's been WannaCry in the past and Notpetya and all of these sorts of things. But that doesn't mean that we can't start setting expectations around minimum security now, and making it easier for people to understand, okay, what's at least my first goal? What's first base when it comes to this game of cybersecurity, and where do I need to go? In terms of other regulation or laws, things like forcing, mandatory notification of ransomware payments, etc, I'm a lot more reticent to support those kinds of policy and legislative changes. Because when it comes to paying ransomware or not paying ransomware, it's not as simple as you know, paying ransomware is bad. They're cyber criminals, you're all of a sudden the funding cyber terrorism, like it's not as simple as that. It needs to be a risk based decision whether or not you pay a ransom or not, because it depends on your system, it depends on the data, it completely depends on the situation at hand. And that should be at the control of a business owner or board. So having a name and shame regulation or approach really, when it comes to ransomware payments is not the right message to be sending.
CP: From a government perspective. And you know, if you think about APRA, who regulate financial services with CPS 234, that was very non prescriptive as a regulation and the idea of setting in place, you know, minimum requirements, exactly what you said, the duty of care around, okay? If you do these 10 things, that's a minimum requirement. But then a really targeted attack comes through, you know, business email compromise or something like that, that it doesn't matter even if you had the Essential 8, you might get targeted. That's such a difficult decision for a government to make, or any institution or body to say, here are the things that you must have as a minimum. Because it's very, very hard to beat these amazing cyber criminals, who, as you said, they run businesses, they collaborate, they know exactly what is needed to get past the controls that organisations have got in place and lay dormant for periods of time. Or target somebody who they can get in through a back door or through invoice, or whatever the case is. So that set of minimum requirements that could potentially change on a daily basis. And the other comment you made about ransomware, it's so interesting. I love asking people that question, you know, what are your thoughts on ransom payments, because everybody has a different idea. And you know, you made the point that it comes down to the systems that you run, the data you've got, whether or not with the ransom payment is it just operational, or is it have they exfiltrated data? I mean, the other thing is, what are the values of your organisation? Do you feel like there's a moral or ethical issue paying ransom, whether or not your ransom payment is the proceeds of crime or not, as a business, you just may have a going in position, that morally you would not pay no matter what the circumstances were. And then, you know, we have religious institutions who don't believe that it's right to pay as well. But then you have healthcare who think these are people's lives that could be impacted. I mean, it's such a minefield. And yeah, I agree with you that there is a balance of do we make people tell us about ransom payments or not. Because potentially others can learn as well from the misfortune of others. And yeah, I'm a bit torn, I guess, on whether or not that type of legislation is the right way.
SJ: I think we could still learn from ransomware incidents, if we had better reporting mechanisms within this country full stop. I was in a conversation just a week ago with Dave Lacey, who's the CEO of IDCARE. And he was saying that they know from their counselling services of working with victims of identity theft and crime, right across the country, that victims within Sydney suffer less harm than victims in Melbourne simply because of the reporting and the response services within governments in those two states being so different. If we change the way that businesses whether they're big or small, can report incidents in this country, and make it so that it is easy and it goes into a central place where we can actually then query the data and identify trends, then we can get those insights without needing to know did they pay the ransom or not? Which obviously brings this cloud of shame at the end of it. If they're actually able to report an incident of ransomware, whether or not they paid it and the outcome, then we can still gain those insights.
CP: Yeah, it's interesting, you talk about the shame, because, you know, as I said, everyone's got an opinion. And so you know, whether or not you agree with ransom payments or not, it becomes about the individual organisation, and whether or not it was the right thing for them to do at the time. And the fallout of paying the ransom might mean financially for that organisation from a reputation standpoint, and then in the community as well, you know, whether or not their shame would come upon them in either way, whether you paid it or you didn't. So it's a really challenging topic. And I think the government are probably grappling with it as much as big and small business as to, you know, what's the right direction to take next. And we could probably look to our peers and other parts of the world and how much they continue to grapple with that as well.
SJ: There's no easy answers to any of this, it's very easy for me to sit here and say that the government should or shouldn't mandate or should or shouldn't legislate. I've never worked in the public service, let alone in any sort of ministerial position, so it's easier for me to say that. It's incredibly difficult to establish one set of regulation to cover the entire population, whether it be big or small businesses or individuals or anyone in between. So it's an enormous challenge. But I think we just we need to be stepping up to the plate and trying to face that challenge, because there's really big things on the line here. And without clear legislation, without clear reporting, we're certainly in a in a lesser position as a nation.
CP: Susie, I want to thank you for the chat today. I think we on the podcast certainly haven't talked enough about small business and certainly haven't talked about supply chain, and we're going to talk about it a bit more this season with a few guests. But I'm really grateful for your time and your reflection on what you've seen with your clients, but also the work that you're doing to help smaller organisations feel much more confident about their cybersecurity maturity. So thank you so much, and thanks for joining The Security Collective today.
SJ: Thanks so much for having me. I really appreciate it.