Fail Fast, Recover Faster: Lessons from the CrowdStrike Outage
Episode Summary
In this first episode, Adam Cliffe is joined by Simon Petie, Crisis Response and Business Resilience expert, who helped most mainstream media understand one of the major technology outages in history: CrowdStrike. The pair discuss all things resilience, from responsibilities to preparedness, analysing what happened on July 19, 2024 and what lessons we can take from it.
Highlights
- Introduction
- Overview
- Regarding CrowdStrike, can you give us just a brief overview of what happened?
- There was confusion regarding a possible Microsoft outage, is that what you saw as well?
- What are the key takeaways from the CrowdStrike thing?
- Is CrowdStrike just a case of being underprepared for a crisis and not having a plan?
- Why is perspective important in crisis management?
- What would be the top 3 things you would have done as their consultant?
- What are some things to avoid or pitfalls in crisis management?
- What are the key components of a business continuity plan? And what separates it from a disaster recovery?
- How often should you test a Business Continuity Plan?
- What are the cyber security threats facing businesses today? How do you deal with cyber security threats?
- What do you foresee in the Crisis Management/Business Resilience space over the next 12 months?
- AI - good, bad or neutral?
Transcript
Introduction
Simon Petie: You need to be very aware of what that is that they contribute to in terms of your business processes and you need to be prepared for the potential that it is going to fail and just think about that for a second if your entire business is reliant on that one piece and you haven't considered what would happen if that fails.
[Music]
Sky News: Joining me live now is crisis response and business resilience expert Simon Petie who is currently advising Australian businesses impacted by the global CrowdStrike outage.
Simon Petie: You need to be preparing for when things go wrong.
[Music]
Overview
Adam Cliffe: Thanks for joining me today on ADITS unplugged. You're the founder of Escalate Consulting, a business resilience firm with over 20 years of experience you specialise in helping organisations handle crises and ensure business continuity. You've worked with some of the top companies and governments worldwide guiding them through really tough situations and building their resilience.
So, I've got to ask what inspired you to get into business resilience and crisis management consulting?
Simon Petie: Adam, thanks for having me. It's great to be on at ADITS Unplugged. Business resilience. Resilience is a buzzword but at its heart, it's about solving problems. I've got a Services background. Some of my staff have Service background but for me, personally, that sense of service is what really drew me to this profession and this element of Professional Services. I find that we help so many businesses when they are facing disruption or preparing for what would be their worst day. I fell into this coming out of defence and I would say that for anyone that's in a combat or combat support role, crisis management is second nature. Probably what we take for granted in the Veteran Community is how much training you actually do. So we had done, we had completed formal risk management qualifications and training under military risk management and that was for some fairly intense situations as you can imagine. But that concept of planning, training and exercising response procedures was exactly what we would do on a day-to-day basis.
Translating that into the civilian world often doesn't come easy. But I found in this particular aspect of work when we're talking about understanding what is important, protecting those capabilities and protecting those vulnerabilities of an organisation, to be able to then process information quickly and communicate clearly, they were absolutely skills that came out of my military training. Where I think I had a specific advantage coming into this was through my military training I also was an instructor. Not only was I conducting these activities as a practitioner but I was having to train other people on how to do it. That was one of the really interesting parts about me leaving Defence was going through that process of what did I enjoy. What did I think I was good at? What could I offer? That concept of planning, training, exercising was probably something that I really was gravitating towards. I found this, I latched on to it. Yes, it's a risk. Yes, it's resilience but at its heart, it's about response, it's about communication and it's about problem-solving.
Adam Cliffe: Yeah, makes a lot of sense. I can see the natural sort of progression and transition there, from military to civilian, so makes a lot of sense. So just speaking on crisis and obviously what's transpired with CrowdStrike, I noticed you were actually quite heavily involved in the Australian media and were sought after by a few outlets around the whole incident.
Regarding CrowdStrike, can you give us just a brief overview of what happened?
Simon Petie: The Friday afternoon, so it was on a Friday afternoon. I think the first thing to articulate and, this is something that obviously plays into your area as well, Adam. The first thing that we need to make sure is clear, is it wasn't a cyber-attack. However, you've got to remember, that we find that this is the problem in crisis management and business continuity. With anything to do with technology, there are people that understand technology and then there are the rest of us that understand that, when I press the button on a computer, it should work and I'm used to it working. Ultimately with the CrowdStrike issue, the first thing that businesses saw and our customers saw was that their computer system was offline. And it was either their entire system with the blue screen of death. I love that terminology, that everyone now understands with the frowny face sitting there telling you essentially, the computer says “no”. The reason why CrowdStrike, I think, was concerning for a lot of businesses is: if you think about the crisis and the events that we see more frequently here in Australia, so severe weather, bushfires, even the pandemic, in terms of what we're experiencing, there you can see it, you can touch it, you can taste it.
Adam Cliffe: Tangible.
Simon Petie: Yeah, absolutely! As I said, for us mere mortals that aren't ADITS, and aren't in your world, ultimately I go back to that Owen Wilson/Ben Stiller scene from Zoolander. Where they're staring going, “it's in the computer.” So we know there's something wrong, but ultimately if you don't, and I was reflecting on CrowdStrike saying, “I don't even know how to start a computer in Safe Mode anymore because of how fast technology is gone.” So if I can go back to what we saw, we saw businesses immediately impacted by a disruption. As a result of that, we saw core service offerings unable to go, to operate, in the way that they would as part of business-as-usual. What that does from our side, from a crisis management, business continuity sense, ‘crisis management' is about the stabilisation of the viability, reputation or strategic processes of a business in the market. ‘Incident management' is about stabilising those operations. We had businesses struggling to even understand what was broken and that's why we saw such concern over those first hours of the CrowdStrike event.
Adam Cliffe: Yeah, it's an interesting thing because when I started talking to everyday people, they were very confused about what the actual issue was. And there was a lot of talk around it being a Microsoft issue and there was a lot of confusion, conflation and I know there was some talk about a Microsoft outage, you know, either prior or as it was happening, and it was getting a bit confused. Is that what you saw as well?
There was confusion regarding a possible Microsoft outage, is that what you saw as well?
Simon Petie: Yeah, we saw that. So earlier in the day, so if you think about CrowdStrike in a timeline being about that 1-2 o'clock period. At about 10:30, 11, we're already getting reports of there being some type of Microsoft impact and ultimately that's why I think a lot of IT teams - and well, I think that's worth coming back to is an IT team in Australian business - but that concept of an IT team already responding to an event, and as you say, starting to confuse some of the reports that may be coming through their network of, we're seeing another impact, is it Microsoft? And as we've learned yes CrowdStrike is an absolute supplier to Microsoft, but it wasn't a Microsoft outage, it was actually the CrowdStrike and their operating system outage.
Adam Cliffe: I definitely saw that as well. So just from that experience just I got like a bit of a two-part sort of question for you is like, what are the key sort of takeaways from the CrowdStrike thing like obviously it's the biggest sort of outage we've faced maybe ever or for quite some time. The other question that I get a lot is how do businesses actually better prepare for such an incident? I get that question a lot, like, “Oh well, if I can't use my computer, well then I just can't run my business.” So, is that like acceptable? Like, is that I know that's a bit of an open term.
What are the key takeaways from the CrowdStrike thing?
Simon Petie: It's a great question. I think it does come back into a single response there, which is, it is not acceptable for a business to - you can outsource your services but you will never outsource your risk or you should not. And I would always encourage businesses to acknowledge they cannot outsource their risk. So even though you may require other resources and external support to enable your business to be efficient and drive profitability within your business, with each of those decisions comes an element of risk. Now, so is it good enough for Australian businesses or businesses in general to have one of those resources be disrupted and then blame that resource on the fact that they can't do business? No, it's not, and I think that's one of the key takeaways that we've seen. That businesses were not prepared because again, Microsoft is too big and ultimately when you start to dig into the CrowdStrike outage, CrowdStrike being the leader and one of the leaders...
Adam Cliffe: They're one of the biggest.
Simon Petie: Absolutely. It is not expected that those types of businesses have an outage. However, I've heard people talk about this being a wakeup call, Adam.
Adam Cliffe: Covid was a wakeup call.
Simon Petie: Correct. Ultimately when you actually look at this outage and what it did not - don't think about the cause, think about the consequence. So, the consequence to businesses was that essentially that their operating system was offline. We saw an identical consequence as a result of the Optus Network outage. Where businesses couldn't use their pay points because they didn't have internet. Businesses couldn't use their phones. They couldn't use some of their systems. Their customers couldn't access services in the same way because of that outage. I see this as very, very similar in terms of Optus was just another supplier. CrowdStrike, Microsoft, your technology provider is a supplier. You need to be very aware of what that is that they contribute to in terms of your business processes and you need to be prepared for the potential that it is going to fail and if it is that crucial to you - and just think about that for a second, if your entire business is reliant on that one piece and you haven't considered what would happen if that fails, you haven't done any risk planning at all. And that's where we would suggest going through, not just an identification of the importance of your core activities, what do you rely on, but then starting to go through that process of - do we have resources? Or do we have workarounds that could be put in place if we have a disruption?
Adam Cliffe: Yeah, it's a really good point because when I talk to businesses I get met with, “well, we're all in the same boat.” Like, “if I can't do business because my computers are down and my competitors and everyone else is down, well it's just the way it is!” And I think it's because they don't know what they don't know…
Simon Petie: Yes.
Adam Cliffe: Or they just accept it because, “oh what else is there?” And they don't know what other workarounds or what other, or they haven't put enough thought into how we would do alternate ways of working.
Simon Petie: And it is a weird way of thinking, and I would admit that to you. No one goes into a business immediately thinking that it's going to fail or it's going to go badly. It is a unique skill set of always looking at the world in terms of crisis management and disaster response and recovery, but it is one that isn't rocket science. It just takes concerted effort as you say, and it takes a thought process to really get to that point of saying, “Well, do I actually have the resources? Do I have the capabilities? If I lose this integral component of my process, do I have another way of doing it?” Now, the answer may be “no” and that's one of the points that I again think hasn't been discussed. Here in Australia, we expect stuff to work. We are used to everything working all the time. With where the world is going to, not just the reliance on technology but also the disruptions that we're starting to see, and the scale of those disruptions that we're starting to see. The reality Adam, unfortunately, is yes, this occurred. Yes, we will see another outage in a technology world that will be of similar scale or bigger into the future and we know that Australian businesses potentially, like essentially have a 100% reliance on Microsoft.
Adam Cliffe: Oh, absolutely.
Simon Petie: So, we know that that is a vulnerability. We know that is a concentration point. And so if you think about - that is if you are treating this as a wakeup call and not an immediate call to action, you really need to be thinking right now about where this goes for you. And the simple answer is if you woke up or if you finish work on Friday and your business immediately went back into the 1970's, that's a really simple question - well, how would we have done this in the 1970's? And maybe I do need that extra part-time staff member, maybe I do need to cross-train. Maybe I need to have that particular form, that is, all I need my computer for is to fill out that form, maybe I need to have three or four of those printed out in a drawer somewhere, or at least on a Remarkable or something else that you can fill out, that isn't directly linked to your primary operating system. That enables you to, at least, take that first step and get through that first 6 to 12 hours.
Adam Cliffe: Yeah, no. That makes a lot of sense. Just thinking about the CrowdStrike crisis as a whole and, for the businesses out there that provide, let's just say, critical or important things to their customer base - if they are going through a crisis, or even just relating it back to the CrowdStrike, what are those critical elements affecting that? Managing that crisis properly? Like I've heard a lot of commentary around CrowdStrike and their lack of communication.
Simon Petie: Yeah
Adam Cliffe: For me I feel like communication is pretty critical in a crisis. Is it a case of being underprepared for a crisis and not having a plan?
Is CrowdStrike just a case of being underprepared for a crisis and not having a plan?
Simon Petie: I think we can absolutely be critical. And I've been careful as a practitioner because it wasn't a cyber-attack and that wasn't their core service offering. But they're still a technology provider and they still had a failure in their technology. So, the piece that I would say is for a business that has a service offering of running cyber security exercising, their response to an IT event was poor.
Adam Cliffe: Yeah
Simon Petie: The fact that, when their first official response came out, it was in blog form. The fact that some of their staff were communicating via social media: via X, via Reddit, and via some of others, it was not the controlled, coordinated response that you would expect from a market leader and I think, I do believe that people can be critical about that.
Adam Cliffe: That kind of, makes it a bit worse too doesn't it? When you have different messaging going out, on different platforms, via probably unsanctioned, or unapproved forms and staff, you know, especially with Reddit and X and stuff like that, so it probably turns that crisis even into a more of a…
Simon Petie: Yeah, and I think because of who CrowdStrike is, and when we found out that it was a CrowdStrike issue, I think the anxiety and the uncertainty around the fact of, “was it a cyber-attack?” really added to the stress and the ability of businesses to actually want to respond quickly. So, I know of businesses that, even when CrowdStrike put out the official patch, that they were waiting for, not just verification but they didn't want to be the first business to put that patch in place in case it was cyber-related and there was some type of cover-up. So I know of major and critical infrastructure businesses in this country that were, the rumour mill had gone off because of the lack of communication and, they were treating it, despite the official messaging of: ‘This is an IT issue' and it was essentially an update issue, they were treating it as a cyber-attack until essentially, the government came out at about 6 o'clock following the emergency management meeting and the cyber security coordinator publicly stating that it is not a cyber-attack, that was the only fact that they trusted.
Adam Cliffe: Which is interesting because, I don't want to get into conspiracy theories too much, but one of the leading ones was that, ‘you're very quick to say it's not a cyber-attack' which makes people wonder, “Would you even know if it was?” but you know it's something to…
Simon Petie: This is again, we talk about the cause versus the consequence, and I think that becomes really important in response. And you talked about what is important in crisis management. I would say ‘perspective' is probably the most important piece.
Adam Cliffe: What do you mean by that?
Why is perspective important in crisis management?
Simon Petie: So, what I mean by perspective is taking a breath and saying, “What do we own? What can we control?” So, CrowdStrike was huge. It was on the front page of every major media agency in the world. It was across every form of media. So, you had small up to enterprise businesses trying to wade through all of this noise. Whereas being able to have the ability, the processes, the controls to then say, “All right, who's our team? What's the impact? And what is the impact that we own? And what is within our resources, capability, and authority to start to resolve?” Because you're not going to solve CrowdStrike as a small business here in Brisbane or Australia. You can't solve that problem. What you can solve is the fact that you can't use your EFTPOS machine so you can take cash or another form of payment and this is the fascinating part about if you can't use that, and again, I'm not asking people to jump straight to cash but do you have an alternate method to be able to take that electronic payment?
Adam Cliffe: So, you've spoken about it quite at length already but if you were their crisis management expert and you were embedded or they called you and said, “Simon, look this is what's happening.” What would be your, let's just say, top 3 things you would have done as their consultant?
What would be the top 3 things you would have done as their consultant?
Simon Petie: Essentially, conducting an impact assessment to say, “okay, what has been impacted in terms of priority?” And then the second component that we would very quickly move to is, “how are we communicating effectively internally to our organisation, and then, externally to our key stakeholders?” The interesting part about the response is: prior preparation is really important in crisis management. The worst time to learn how to manage a crisis is during a crisis. So if you think about why we put such emphasis on planning, if you're going into that response knowing exactly who your response team is, knowing exactly who your stakeholders are, and from a business continuity perspective, understanding very clearly what are the priority services, activities, and your own processes that you need to be able to respond to, it gives you that information, gives you clarity in terms of your response prioritisation.
So, the first thing that, if I would have gone in, the first thing that I would have tried to have made sure is, “Are our staff currently working through, are they okay?” And it is that old adage of put your own oxygen mask on before helping others because if CrowdStrike is not okay, if they're not safe, if they're not in a position to respond, no one else is getting anything. So, the first thing that I would have done is, where do we sit? What is our current position? And then I would have started to work through the impact with others, and then I would have finished with the communication strategy, and then I would have got people out of the room. This is critical, Adam, and I see this so often. I've seen organisations get into this concept of having a 24/7 war room. Their operational level, their IT major Incident Management team or equivalent response team, who was working through that problem, they are on. They are in it, they are on, and they are working forward. The leadership of that business, if they are trying to work through that same problem, at a rate where they are not being able to communicate effectively, understand the impacts, and that's why I suspect it took so long, is that entire business shrunk very quickly. And everybody within that business, because you read through who their leadership are, they are very technologically minded, and I guarantee that that strategic team probably crunched down on the operational team and was in the mix, trying to understand the root cause rather than being able to gain perspective of, “We own the strategic piece. We own the communication. We own the ability to manage our stakeholders, our expectation, and obligations from here.” And then being able to get on with the strategic response versus the operational response.
Adam Cliffe: That's actually a really interesting point, because I'm pretty sure I read something very similar about the Optus scenario, where they had a 24x7 war room, and I think it was very much that, you know, senior executives meddling in the operational and doing exactly what you say. So, just off the back of that, obviously that's one of the key mistakes, what other mistakes do you see organisations make? Let's say, for our listeners out there that are listening going, “this is great, you know, we're going to go and do some planning and some crisis management”. What are some things to avoid, like pitfalls?
What are some things to avoid or pitfalls in crisis management?
Simon Petie: Yeah. So, probably the biggest pitfall that we see is siloing of information. And we, just because you do have plans and you do have the structures, we don't want to take away from the responsibility of lower-level teams to deal with everyday events. So we don't want to, like, even though good practice would state prudent over escalation followed by rapid de-escalation, we still want to get to a point where if it's within the resources, the capability, and the authority - and I've said that before, but that's kind of the trinity at the moment - if it's within the resources, capability, and authority of a lower team, the expectation is that you deal with it. The reason it should escalate, pardon the pun, but escalate from a team up through the levels is it breaches one of those. So, even if you put that into the CrowdStrike, I guarantee that IT team probably had the capability and the resources to identify the fault and patch. What they didn't have was the resources, capability, and authority to communicate to the entire stakeholder network of CrowdStrike across the world. So that was the piece that needed to be extracted from them. So, what I would say to organisations is the pitfalls that we see teams going into is the challenge of when do you trigger from one team to another and not taking away from the experience and the capability of teams to deal with it at a lower level. So, plans become important to make sure that we know what the ownership of each of those different tiers within your business and those different response streams or response levels can actually handle. If you can understand that, then you can start to build confidence in terms of your response saying, ‘Okay, where are we sitting? We know that that lower-level team is now dealing with something there. Do we need to activate a high team? No, they've got it.' I've got confidence to allow them to do that.
Adam Cliffe: Right, yeah, that makes a lot of sense. So, just on the planning part, and I want to talk like business continuity, like what are the really key, I guess, components of a robust business continuity plan? I think a lot of businesses also confuse or conflate business continuity with disaster recovery and what actually separates the two.
What are the key components of a business continuity plan? And what separates it from a disaster recovery plan?
Simon Petie: I'm so glad that you've raised this because it is a bug bear of mine. So, disaster recovery, as you and I both understand it, is very much an IT function, and it is about the ability to recover the applications and systems, and usually that involves data recovery as well, back to a recovery point or time as you're going. So, business continuity is very much about the recovery of critical business function.
Adam Cliffe: So, it is about business function.
Simon Petie: It's business function. So, it's your processes, your activities, so the critical components, and you talked about that people do confuse these, there's a reason and I'm going to be critical again, the business continuity plans that are available on Australian Government websites are crap, and when I mean that they are bad they do not meet any international standards they are trying to condense emergency management, incident management, crisis management, all into…
Adam Cliffe: Trying to do too much.
Simon Petie: Trying to do too much, and the other thing it does is it limits the amount of information that a business tries to put in there because they are trying to do three different things rather than just focusing on what happens if something breaks, and that's the simplification, oversimplification of it. So the best part about business continuity and the key part about business continuity is actually data, because if somebody talks about, “well, my business continuity is just getting the right people in the room and I'm sure we'll make it up as we go”. I can tell you that under stress and pressure, that's not how your brain works. And you really do require those control measures, and that information set to be able to move through efficiently, because there isn't that many people in the world that can operate under that level of stress of a really genuine disruption and make sound decisions with good prioritisation, that's a skill. But if you've got a really good data set of understanding what are those core processes of your business and what are the dependencies of that process, that way you can identify if something breaks, what does it actually impact, and you can actually start to follow that thread through.
Adam Cliffe: Yeah, I completely agree. So, off the back of that, and this is probably one of my bug bears, is you'll walk in, you'll talk to a customer, a potential customer, and you'll ask them about business continuity. “Yep, we've got that plan.” I have a look at it, and it was updated four years ago, and they've never once tested it. So, how crucial is it that you know, not only are these plans created but they're also kept up-to-date and actually tested? Like, how often would you test a BC plan?
How often should you test a Business Continuity Plan?
Simon Petie: Yeah. So, good practice it's really easy: good practice is annually, but in terms of updating your plan and, you and I have talked at length about my clients and even you at ADITS supporting us as one of your clients about how fast we have changed over the last couple of years. So, for business continuity plans, annually, or if there is a significant or a strategic change within your business, that could be a structural change, it could be a supplier change, it could be anything that's going to change the way that you would conduct one of those processes, you should at least do a review of what that looks like. Now, testing is something that's a little bit more interesting because I would, and this is probably a little bit controversial in my world, because you could say annually, but I would say annually if you have not activated it within that time, because if you've activated your plan you should be then conducting a review to see whether or not the plan actually worked. So if you're using your plan regularly there is no requirement to continually test it. Now, the only caution there is unless you're in a regulated industry where, by regulation you must conduct an independent exercise, and we're seeing that not only within critical infrastructure, finance, etc., but we're also seeing that for suppliers into those industries as well, so make sure that you understand what your obligations are, I would say.
Adam Cliffe: Yeah, I think we are seeing a lot more scrutiny around that supply chain too, just by nature of, I guess, you know, the attacks that are coming out these days, which leads me to my next thing is, and we spoke a little bit just before the podcast around a particular scenario you faced around cyber security in an incident. And I just want to get your take on, I guess, what you see from your end as some of the biggest sort of cyber security threats facing businesses today, like what are you seeing out there with your customers and how are you dealing with that?
What are the cyber security threats facing businesses today? How do you deal with cyber security threats?
Simon Petie: So probably the first thing I would say is there's a gap now occurring in Australian business, and I'm going to use Australian business as the real driver here, where we're seeing larger businesses invest heavily into cyber security and data protection. What we're seeing on the opposite end is the third parties, fourth parties of those businesses, the small to medium enterprises, not being able to keep up with the requirements of cyber security and are allowing that to lapse. So, what we're now seeing is you will have a business spending millions of dollars at the top end, and you will have a business who is one of their suppliers just doing, like having no active cyber security and doing basic data management, pretty much just to tick the box of governance under the due diligence of the contract, that is all. So, the first problem I would see in cyber security is now the divide between top-tier businesses and smaller businesses in the country. The second thing we would see there is just how fast that space is evolving, like we hear all the time about phishing, we hear all the time about extortion or encryption, but when we actually say, you know, what does that physically look like to I would say the majority of businesses in this country, no one like if you haven't seen it firsthand, it's actually really difficult to understand what it could physically look like. And if you're not employing the monitoring software, either through your own personal devices or through a supplier, you actually have no idea whether or not you've been compromised already, and so they would be the biggest problems I would see: the divide, but also the actual currency and understanding where you stand in terms of your own security.
Adam Cliffe: Yeah, you've touched on a lot of things, and I think it's 100% accurate. I think, you know, the small, medium enterprises are, you know, they don't know what they don't know. They're one of the most targeted out of all of them. I think most breaches are through SMEs. You know, there's some things coming down, you know, very, very soon through the Privacy Act and the reforms coming through there, and there's talks about, you know, potentially scrapping the $3 million threshold. So, what's that going to mean to these small, medium enterprises? And I noticed in a lot of these civil suits with the OAIC, and bear in mind they are the top of 10, they're the Medibanks, the Australian Clinical Labs and stuff like that. They are looking at a business's overall revenue and then asking what their expenditure is on IT, and then cyber, and if there is a massive, you know, disparity between them, they class that as not taking reasonable steps amongst other things. So, it's a really multifaceted problem we have.
Simon Petie: I know of at least one client, when I called and said, “Hey, are you impacted?” They went, “No, we went cheap. So, we didn't, we got a quote from CrowdStrike, we couldn't afford it, so we went with a cheaper option. That's the only reason we're not impacted.” And so, when you then think about, as you say this, how can small to medium enterprise keep up? And I think this is where, please, and I'm just going to give the free plug here mate, this is where talking to IT providers like ADITS and saying, “How can you help? Like what does that look like?” And trying to really work with your IT provider, whoever that may be, to be able to still understand what is the threat like, where are my vulnerabilities? What are the things that I really need to cover?
Adam Cliffe: Yeah, and I think, you know, speaking about plugs and stuff, but I think we've done a pretty good job of understanding where SMEs need to be, and there's been some really good work too, like I know in the early days the government and the ACSC brought out the Essential Eight, and that, you know, that was a good start. I think, you know, eight sort of technical controls, you have great, but there's other things coming out now like the CSCAU, and I've spoken about this ad nauseam before, around the SMB1001 framework. I think that is like a really, really good framework for these SMEs to undertake because it's tangible, it covers not just technical, it does the process, the policy, and the people aspect of it, which is often overlooked, you know, this old days of go throw some lights in a cupboard, and are you protected, they're long gone because all it takes is someone putting in their password and getting multifactor fatigue, even if they have multifactor enabled, which not enough have, you know, that's still becoming a thing. I mean, look at, you know, Medibank. It was through a third-party IT provider who didn't have MFA, and then you talk about not even knowing if you're compromised, and I think the average dwell time is over 200 days, you know, before it's even discovered.
Simon Petie: And then you add to this. So, I think I want to reinforce back for you here that concept of, if I can take it back to that trinity of resources, capability, the authority, you have the authority to make a decision, but we're talking about resources and capabilities that are very niche. Again, if you think about a small to medium business, let's just take a manufacturing business, the ability to employ enough resources to do this properly is not feasible for them. I was on a call with a school this morning, and we're talking about data to do with kids, with all of this piece, and there's one, two, a cyber security manager, an IT manager, that's essentially it. So, they are so reliant on the service providers who have those additional resources to be able to support them. So, I think that becomes really important. You don't, the analogy that I would put forward here is, you don't go to a mechanic to paint your house, right? If you're going to do something properly, go to someone who can actually talk with confidence, who has the resources, has the knowledge, has the capability to be able to give you some solutions.
Adam Cliffe: Absolutely, I think the capability is the big piece, and I think you know not enough IT providers out there are talking about privacy as well. You know, like one of the biggest things about data breaches is, you know, breaches to privacy, and that's what you're actually being held accountable for, and around that, that sort of data that you hold. So I'd like to see a bit of a mental shift too in providers, not just throwing out the Essential Eight just because it's the only framework they know. And actually understanding what they're trying to protect, what those biggest things are like, and that will depend on the industry, you know, medical, healthcare, not-for-profit, stuff like that, all these ones that need to comply with the Privacy Act. I really think there needs to be more conversation from IT providers around privacy. So yeah, so I just want to, before we close out, I just want to get sort of your predictions for the next 12 months, what does it look like in the crisis management and business resiliency space, do you foresee any more big outages, do you think this is going to be a common occurrence? I know it's not overly common at this stage, but as technology sort of advances, is it…
What do you foresee in the Crisis Management/Business Resilience space over the next 12 months?
Simon Petie: I think we've got an over-reliance on technology, but that's not going away. The technology has built efficiency, and it's built profitability into business. We're able to do so much more, we're so much more interconnected with the world, it's shrunk the world so much, so that's not changing. So, we live in a world that is uncertain and changing. The World Economic Forum puts out the Global Risk Report, they talk about the outlook being stormy, it is ominous. And what always makes me the most interested is when Australia pops its head out and just starts to kind of throw stones from our little island down here in the South Pacific, kind of sit there and realistically the Australian public has not lived in a time of conflict in our generation. The rest of the world has, and I even mean that going into North America through to South America, there's this instability at both a civil level and geopolitical level is real for the rest of the world. The ability for that to impact us is absolutely real and present. Be that through foreign interference, be that through direct targeting of our critical infrastructure. So, if you think about CrowdStrike being the recent piece, you just have to then take that one tiny step further into our power grid, our water grid, our critical infrastructure.
Adam Cliffe: AI - good, bad or neutral?
AI - good, bad or neutral?
Simon Petie: Bad now, good in the future. And what I mean by that is, I think it's outweighed, and especially in your space around IT, I think, favours the attacker at the moment. It favours those that are looking to use it for malicious intent. I don't think it's going to take long for that to play catchup.
Adam Cliffe: Is that because businesses really struggle about how they would see AI helping their business to do good, whereas attackers are like, "I know how I can use this to craft my next phishing email or train my large language model to read a bunch of emails to prepare for my next attack"? Is that sort of...
Simon Petie: I think absolutely, and I also think there's just that uncertainty about what's safe to use in that AI space. Can I upload a file? Can I upload personal information? Because the vast majority of warnings is, “no, no, no”.
Adam Cliffe: They should watch my webinar. [Laughs]
Simon Petie: And it is that concept, Adam, of where can you take it and what can you use it for safely, in a responsible manner. Again, it's here to stay. It's now about understanding what is the opportunity but meeting the risk, so doing your risk assessment, not shying back from that but stepping right up to the plate and going, “this is where I'm prepared to go. This is where I'm going to seek opportunity,” and not passing that threshold of putting yourself at risk and in danger.
Adam Cliffe: Yeah, no, yeah, I agree. I think it's definitely here to stay. I think there's going to be some good things coming. I don't think it's going to take too long until we see some real tangible benefits from it, and I kind of relate it to the internet. You know, when the internet first came out and people were like, trying to do online banking, and they are like, “oh no, you just get scammed,” and all, and now it's like an everyday thing, like we just have our bank apps on our phone and we transfer money like no dramas at all, but you know, 20 years ago it was a ‘no way’.
Simon Petie: That's right. It was this concept of, maybe it was because it was slower, when you and I…
Adam Cliffe: Potentially! [Laughs] I'm keen to see how this unravels.
Simon Petie: Yeah, and I think it's exciting, but understanding, having confidence in your position, having confidence in what you're prepared to do and what you're prepared to weather, gives you that opportunity to really embrace change and really move forward with confidence. So yeah, I'm excited as well.
Adam Cliffe: Me too, and on that note, thank you so much for joining us today, mate. It's been an absolute pleasure, really enjoyed this conversation. And I know you actually also have your own podcast.
Simon Petie: Yeah, pardon the pun, but That Escalated Quickly. Available on kind of podcast services. We're just doing our next round, so we did a few last year, now next round coming up soon.
Adam Cliffe: Excellent, awesome, look forward to listening to them. So thanks so much, mate, really appreciate it. Thank you. [Music]