To withstand a cyberattack, you need more than just a good plan

Clayton Utz Cyber Principal Lead Brenton Steenkamp says no matter how well-prepared organizations think they are for a cyberattack, in reality they are far from it. And when the attack comes, they are caught like a rabbit in the headlights.

In this wide-ranging episode, Steenkamp explores how to overcome this threat.

One key measure is to embed cybersecurity across the organization, from the governance level to the operational level, he says. Organizations should be discussing cybersecurity at every meeting, akin to how industries such as mining make safety a central part of their culture.

They also discuss:

• Brenton’s background and war stories from his time in the cybersecurity industry

• What organizations need to do to ensure they are prepared for a cyber attack

• The important role of governance in resilience

• What cybersecurity professionals can learn from the mining industry’s approach to safety culture

• The convergence of law with cybersecurity

• What organizations must focus on to ensure cyber resilience

Resources

• 🎧 FILED S2E7: Cybersecurity has moved beyond protecting the perimeter with Scott McCrady

• 🎧 FILED S2E8: Special Edition: What went wrong at Medibank?

• 📨 FILED Newsletter: The data privacy regulation floodgates have opened. Time to catch up.  

• 📏 Benchmark: How much PII does the average organization store?

Transcript

Anthony: Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data governance, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And with me today is my cohost, Kris Brown, RecordPoint's VP of product management. How are you, Kris?  

Kris: I'm excellent, Anthony.

It sounds like I'm a little bit better than you are, a little bit under the weather.  

Anthony: Yeah, and a little bit croaky today. Sorry, everybody, but soldiering through. We also have Brenton Steenkamp with us, who is a partner a law firm in Australia, Clayton Utz, and you're heading up the cybersecurity practice there, Brenton.

Brenton: Yeah, Anthony just by starting off.  So, I hope you feel better and thanks for this opportunity and I'm lovely to meet you, Kris, as well. Yeah, I took on this role end of last year, coming from the Netherlands where I spent the last seven years with EY, managing our forensic and cybercrime practice across Western Europe.

And very privileged to, to come back to Australia, being home and to lead Cyber and data governance practice across Australia, so exciting new role aligning to the strategy or should I say that the new embark digital strategy or the firm and obviously cyber being a hot topic with not only within the nation, but also within our clients and hopefully we can bring some form of normality back to the process of good governance and remediating this constant threat.

Kris: Awesome, there Bretton. Like, and look, thank you so much. And look, I'd love to dive a little bit further into your background there, especially as it's sort of the some of the travels and things that you've done and what you've actually done in the past, some of the major projects, where there are those, those war stories.

Do you want to share sort of how you came to be? I know you've just sort of said you've come in out of the Netherlands and GDPR comes to mind when I start to talk about governance and other things there.  

Brenton: So, yeah, Kris thanks for that. By heart, I'm probably a very astute investigator of any wrongdoing.

So, when you look at the aspect of digital crime or, or cyber, if you put it in that bracket, it's really, what are we dealing with? It's, it's really a different type of tool being utilized either by known elements in society, be it criminals or for that matter, unknown elements to really manipulate organizations.

And, and as we've seen of late now in Australia, holding organizations at ransom for the purposes of gaining some form of benefit. But my career really started off many years ago and within the police services, you probably can hear from my accent. I did my national service within South Africa and then embarked on a career within EY where I actually encountered a few, I would say in its genesis matters around cyber.

Prior to the law being really equipped to actually deal with digital crime at that level. And with that in my blood, so to speak, ended up in EY in Australia, then had the opportunity to work abroad in the Netherlands. But to your point around GDPR, Kris, it's really in the last couple of years since GDPR really came into effect, the regulations around the whole aspect of how individuals deal with their personal information.

That's deemed to be sensitive for that matter. And then, you know, if you transfer that to the operational world of commerce, how organizations deal with data deemed to be sensitive to the organization, but all importantly, you know, at the end of the road, people are involved and how is people's personal information for that matter being dealt with by third parties?

And I think as you would rightly have identified that much is needed to be done to mitigate that risk and let's call it close the delta, so to speak around, how is data being managed, not only privately, but also by corporations on behalf of, of their customers, but also more importantly, the end users at the end of the day. So, exciting times and the luxury of working across Europe on a number of matters that hopefully we can touch on that just gave a different vantage point around how data should be treated and what we need to be doing here in Australia. And I think there's much to be done.  

Kris: Yeah, look, I think there's a great opportunity to learn with the EU. Obviously, they, I tend to find that they are a little bit more forward thinking in some of these elements as it relates to their citizenship.

Sometimes that can be seen to be a bad thing, but I think in the cases of privacy and sensitive information, they've done a good thing. I'd love to dive in. You've made the offer, but let's grab some of those, those war stories. Talk us through some of the interesting parts of that journey.  

Brenton: Well, if you unpack the psychology around why people do something, be it out of a criminal mindset or for that matter, at a personal gain level, why do people engage in this?

And I found it fun, quite fascinating. My first encounter was with an IT administrator of a large retail organization who used the, let's call it the motive intent to actually commit wrongdoing because he was not promoted within the organization. And this individual decided to, to create a malicious code of kind and within this retail environment, embedded this code on the point of sales of the organization.

So, when the organization started up the next day, no one could trade because there was a disablement on their point of sales. And as a result, 653 stores nationwide could not trade. And you could just imagine the financial ramifications of that deliberate, intentional wrongdoing. And the reason or the motive was, well, you didn't promote me.

So, I'm, this is my way of, justice and repaying the debt, so to speak. And that drew me into a fascinating world of actually doing my post grad in cyber law at one of the universities at that point in time and getting understand, well, how do you actually bring into fold something that was not reported in, in, in history from a legal perspective in law books, because digital crime has taken on a whole new life of its own.

The needed regulations at that point in time were not in place across the world. To deal with that. So, much needed to be done and obviously embarked on a fascinating study and obviously career in the space. So, that being the one aspect, but moving into our current age, we've seen post some of the major events in the US, Sony and going into following Maersk.

We've seen a very much of an uptick in, I would say a more malicious and intentional orchestrated crime around ransomware attacks so where there's been a more sophisticated process around how organizations can be manipulated and can be exposed through very smart individuals using that for personal monetary gain and that also is a fascinating study on its own why do they do what they do.

And we don't have to go into the psychology of that but obviously monetary gain at the end of the day is interesting as a key motivator.  

Kris: Yeah, thanks for that.  

Anthony: It's such an interesting topic with so many broad areas to drill into. I'd be interested, as we think of the present day, you're a partner now at Clayton Utz.

Clayton Utz is a big law firm, as I said earlier, in Australia. What are the projects you're deep diving into now? And what are the challenges you're seeing out there, Brendan?  

Brenton: Anthony, from my experience, just dealing with some of the larger matters in Europe, and I've had the privilege of, of dealing with ransomware attacks involving multinationals in terms of revenue, multi-billion-dollar organizations, and the last being the National Health Executive in Ireland. And what we see coming through these types of large events is that there's definitely a need. Within organizations to help them understand and prepare, how do you deal with significant cyber and for that matter, data breach events and the common thread throughout this whole process is because it touches on issues around reputational and potential legal risks is involving legal counsel in that process.

So, not only need you to understand what those legal concerns are to the board, to operations, but also how to manage the associated regulatory compliance and litigation and potential litigation that follows. So, I think my role within Clayton Utz is really well suited but also aligned to help organizations respond to these major events.

And as we know, Anthony, also going forward, particularly in Australia, how do we actually deal with the concerns around data and particularly around data that to Kris's point relates to individuals. So, with the privacy reforms coming into play, there's going to be a much greater onus, not only on individuals, but also on organizations to appropriately

understand what that means for the organization from a risk perspective, but also in terms of mitigating that risk. And I think we were all positioned to go along a journey with our clients and partners to not only mitigate, but also build resilience in the process.  

Kris: Brenton, what are you seeing there though?

Like I said, so very, very much touching the, the edges there. And I, I am going to try and tease you into, into drilling a little bit further, but yeah, what's the real rubber hits the road piece here that this is a better mousetrap situation for me. Cybersecurity is constantly chasing the hacker who's constantly chasing a better mousetrap, you know, to beat the mousetrap that the cybersecurity teams are betting.

And I know I've oversimplified what cyber is there, but what's the real challenges? What are the things that from a Clayton Utz perspective, what are you helping your organizations to do?  

Brenton: The talk of town, obviously, particularly from an Australian context is cyber and the, you know, some of the events that we've seen over the last two, two years.

So, there's been these major press events around some of these serious attacks and data breaches we've seen with some of our corporates within, but the reality being Kris, is that clients, no matter how well they think they are prepared, are not prepared at times of crises.  So, a very good saying that we've applied across the interface was, well, in the event of a crisis taking place, how well are you prepared to remediate the situation effectively and within a proportionate way? And without the proper governance and training and preparation in that regard, you're not going to respond as you think you are going to respond. And I loved one of my clients referring to the fact that well, you know, everyone is like a rabbit in the headlights, the time, how long you spend in front of the headlights is dependent on your governance procedures set in play and how long have you taken to prepare.

And really flex the muscle, so to speak, in terms of your resilience ability. So, that is one key area that we are focusing on. The other is also understanding and we've, we're closely also with the likes of Anthony to understand and help our clients to really appreciate that whatever information and data holdings you do have within your organization that poses a potential risk factor as well.

And is that risk factor fully understood? On all fronts, one being not only in terms of daily use, but also secondary from a potential reputational and more severely from a litigious perspective.  So, it's really bringing into house all of the aspects around what can go wrong. And you would have seen this with some of the past matters you've dealt with, is that clients are really you.

Surprised that what they thought or ought to have around what their data holdings was to what it really is when the onion was peeled to the third layer is at times, not only surprising, but it's also shocking to realize that, well, why did we have this type of data within the organization? And if I tie this back to the mindset of our threat actors that we are dealing with is that, you know, we know that's a deliberate intentional

process that they're looking for the weakest link to, to get information to either hold that at ransom to the organization or for that matter, to cause harm. But that's the external factor. And I have a big view on internally our organizations need to be and need to take a much more onerous view on what is the threat within and as we build the resilience

around the organization and as we improve the security holdings, we negate to think about, well, what about that threat actor, be it unknown within the organization, be it deliberate or unintentional type behavior that may bring the organization to harm or disrepute. So, that is something that we are constantly seeing and that we also reminding not only the operations, but also the, the board of, these are your risks.

Do you understand how to act? And how to respond when they actually come to the surface?  

Kris: I'm going to put a pin in that piece. I do want to come back to the, what do you do in that event? And I think that'll be great to pick your brain there. But I want to just come back to the piece that you sort of said, very much the rabbit in the hair lights.

How long will you stay there? Probably determines whether you get run over or not. Yeah, I think you try, you were sort of angling that's very much and I do like that analogy. I like to call it the, and having moved internationally and you've obviously done it yourself a few times, it's the people are surprised and I don't know why, and maybe it's they haven't moved overseas like this, but people are surprised of what's there when they go looking and I like to look at it like the boxes that you have when you move and I've very much now, I've done it enough times that If I don't open a box for six months after we return to where we are, it's, it's, you know, you rip the box open, you pour it out on the floor, you decide whether you're chucking it away or not, and you move on because you clearly didn't need it day to day for the last six months.

And when you do that, I'm always surprised by what's in that box. And why did we even bother packing that and bringing it home? More recently, I think there was six boxes of, you know, Half used containers of Kleenex, the used tissues weren't there, just, just the, just the good ones, but, but it's like, what, why did we bother to pack that and bring that back from in this instance that we were coming back from the UK?

And I, I don't know why that was there. And it's sort of a, it's the same as true in an organization. People put things in places. You don't know why they're doing it. It's there for a particular purpose at the time. Organizations. aren't constant and aren't static and therefore they are moving all the time.

And this is where even accidental internal threats come from. It's, people aren't potentially running around deliberately doing the wrong thing, but at the same time their unintentional actions will lead to a gap or to leverage that, that, that internal threat actor can have. But I do want to come back to where I put that pin.

So, I'll pull that pin out now and go, you did say a couple of times there that organizations struggle to understand what to do in the event that post crisis type element. Do you have any wisdom, advice, the pieces that organizations should be looking at? What, what are the things that they should know that they would need to do in the event of that crisis?

Because I'm a genuine believer this is a when, not an if situation for every organization.  

Brenton: I think we need to take our learnings from those who do it every day well and understand that well. And I think the industry that we really can understand it well from is, yeah, right here in Australia, who are experts in mining, mining and energy.

And if you are embedded into a culture of safety first, when you step onto a mine site or an energy operator, the first meeting that takes place of the day is what is the safety moment you spoke about, Kris, that you encountered this morning when you came into the property, when you walked down the staircase, did you walk down with a cup of coffee?

If you did, you would have been told, you put your hand on the rail and your coffee would have been covered with some form of covering and to ensure that there's an appreciation of the safety moment. And that is not a once a month or once a week event. It's an everyday event. When a meeting is commenced, there's a safety briefing from the manager, from the managing director.

And when there's an internal meeting, there's a safety thought that has been echoed within that environment. Now, if I turn that into the world of building resilience in terms of our data world, and if I roll the scroll, so to speak, back in terms of how threat actors look at this, we all know that threat actors are looking at the weakest link.

We all know that they are seeking data, which is effectively the liquid gold they're looking for, for the intention of, you know, ransomware or for that matter, as we know, cyber being on the one scale. But if you look at business email compromise, and if you look at where digital crime is going to, you can speak to the FBI and you can speak to the, AFP and you can speak to the FBI is digital crime in terms of information or the information holdings is feeling organized crime in a bigger scale.

So, a different discussion on its own, but just to bring it into context to how do we prepare locally?  So, I'm not saying that we have to talk cyber at every meeting, but the point being is, is that if organizations aren't appreciating this on a more frequent scale and not in talk, not only at the governance level, but at an operational level, at an enacting level, then we are not going to move into a position of true resilience of truly understand what our risks are. If we know what our data holdings hold, and if we know what our, let's call it the crown jewels are embedded in a certain area, and we've done the necessary to it mitigate the risk, be it from an external or internal threat, it changes the behavior that follows when an organization is faced with a potential ransomware event, or for that matter, a serious data breach or leakage event, it changes the response process, it changes the remediation process, and it changes the potential outfall from a reputational litigation process

aspect as well, and that brings in a holistic approach around how we, as an organization, as individuals, but also as a state react to these events.  So, I don't know if I'm hitting the mark in terms of what you’re aiming towards, but if we get that right, it goes a long way. A good example I want to give to you is, well, you've got a fantastic blueprint and around your data governance process, around your incident response plans and your communications plans, but show me that they're working.

Show me that everyone understands who is part of the team, who's stating what and when. And that simple process is sometimes very complicated, or it becomes very complicated in a real time event, because there's no time to think you have to act. And that's where the wheels fall off. And I've seen that taking place where if that's not in place and it's not a natural causation of process that takes place, then it's too late.

Kris: I love that example. And having had the opportunity to be at client sites where this is what they do the first time around, it seems a little bit strange. But again, when you go down the path of the reason why they do these things is because mistakes can cost lives. They're repeating this thing because it is genuinely something that the business wants to avoid, and I think the seriousness of what we're talking about now with cyber and with data breaches and these things sort of echoes that seriousness and I do love that link.

Exactly. I do love that link. Yeah. Thank you so much for that Brenton.  

Brenton: Yeah. And, and let me turn that upside down as well. One of the reasons why organizations, be it energy or minerals or mining follow a very compliant, but also very stringent adherence to these processes is because there's a severe ramification at the end of the road.

One is they lose their operating license to operate and secondly, the directors of the company could be liable personally for that. I always call it the tone at the top. Well, we all speak about the tone of the top, but what about the tune in the middle and that's where it's lived.

And that's where we need to get it right. Because the tune in the middle is the key thing to make it work. And I think if we reverse those roles into the cyber domain or cyber risk world or data world is well, when I do send that email, or when I do copy that information, it's still resident on my computer.

What are the safety processes around that? How often do I understand when I do Complete my tax information on my personal computer. I'm using the work computer for that reason, because I believe there's potential security measures in place that safeguard potential harm on my personal information. It's not related to my organization, but by default, the organization is now storing your PII or for that matter, third parties' information on their behalf.

Does the organization know that? Is that part of their risk radar when they look at PII?  So, unknowingly, they're already capturing third-party information on their environment. Does the policy talk to it? Does the risk process talk about it? Does that maturity assessment around their data holdings talk about it?

Is it incorporated? And what is done about it if there is a potential breach? These are some of the common pitfalls that organizations are sometimes aware of or may even not have thought about in terms of how they deal with that when it takes place.  

Kris: That's absolutely my new thought, right? I've got a number of customers that we have to do this with, but my new meeting thought is going to be, have you done your taxes on your work computer and does your business know that? I love that.  

Anthony: I think you've really raised a, a really interesting area, I'm just going to switch slightly though.

I mean, you're in a large traditional law firm now talking about these things around cyber, and we spent a lot of time on this podcast and RecordPoint talking about the convergence between cybersecurity data and regulations ultimately, that underpin this. Are you seeing the lawyers in this transition, are they really starting to become more technical to get underneath these problems and then bring.

You know, these complex cyber areas to the legislative and compliance mandates that lawyers come with, because those worlds don't naturally go together.  

Brenton: Anthony, that's a very interesting question that you've posed, because I think it's a convergence of different worlds. And I would say, you know, similar to some rave party, it's, we're in the mosh pit of this convergence.

And I suppose if I look at cyber, it's probably the external threat on the fringes. But the disruptive element in this environment now is, is this whole digital, let's call it organism moving around and it's been made more complex through the introduction of AI and we see a introduction of, you know, some of the larger legal search engines, be it Thomson Reuters or LexisNexis and, and others besides the, the known Open AI sources that are disrupting that.

So, if lawyers are stuck in the old ways of relying on this is the information that I thought to be the legal president type of legal matters, I look back to that is now again to be even more so disrupted going forward in terms of what sources are you drawing on? What? What is the material that you're relying on in terms of matters?

And information that has been posed to you via your clients, or even the environment you're working in, brings a whole new dimension in terms of how we see that. So, I think for the legal fraternity is really to upskill themselves around what, what are those risks, but also what are the benefits of obviously using the digital tools available. But yes, it is going to be an interesting point around how the legal fraternity embraces this aspect around digital.  

Anthony: Yeah, and it makes sense. I think it's there. The question is, how do you take what was traditional advice and potentially policy to implementation?

So, what is that traceability that you would talk about in the system that shows? And I think that that's a really good question. Conversation about safety at the mine site is the, is a great analogy because it, it does talk to, you know zero deaths on site and those sorts of things. But what are the same drivers that we're seeing where there's that traceability of metrics that drive both the legal folk on one side of this conversation and then the, the, the users and the others that are out having to do these things on the other side of the conversation.

Brenton: Yeah, I may not have all the answers to that question because it's such a deep and I would say ongoing process. But one thing is that from what I can personally see is that there has to be a new acute appreciation around data and where it comes from and how that will be used, particularly through the funnel of digital via through AI or other types of sources we're dealing with.

Because they are going to be new, let's call it pockets or fields of data that may not traditionally come from the sources that were in the past relied on by organizations or for their better legal in the legal fraternity.  So, I think it'll be an interesting journey to see how this unfolds going forward.

I'll be definitely on the sideline watching that and to see how it is used in a positive way. But also, we've seen in the past, and I think there was one case in the US where there was a reliance on, let's call it rapid digital information that was acquired from one of the, the Open AI sources.

And the attorney at hand was found wanting in the U. S. because there was a reliance on information that was not effectively truthful, or for that matter, based on a past legal precedent.  

Kris: Brenton, I have you know, started to have a bit of a habit here as we sort of start to get towards the end of the podcast to look into a crystal ball.

And so, it's future predictions time. But as a bit of context, last month, Claire O'Neill, so Minister for Cybersecurity here in Australia. You know, said that cyber was the fastest growing national security threat. Those are some pretty strong words. This is an evolving battlefield.  So, on the predictions front, you know, where do you see the cyber industry going so, you know, three to five years, you know, what are the types of issues you think we'll be dealing with as we move closer to 2030?

Like where, where are we here?  

Brenton: I would think, and I'm referencing some of the sources that I can refer to, which is open in the public domain. I think if you look at it through the eyes of the threat actors or organized crime is, is that stolen identity or stolen data or information is a key, but also very valuable commodity for these organizations that want to cause harm.

So, the whole issue around confidential information or personal PII type information has been or is being used for the likes of committing and we see this now with the increase in business email type compromise types, frauds, identity theft taking place. If there is not enough effort being put in to mitigate this type of risk-taking place, then obviously this will grow into a major issue in the future.

We see in the States that if you just look around, not only cyber from a ransomware attack perspective, but the broader aspect around digital crime, the FBI has introduced a complaints center. I don't know where it's based, if it's in, in, in Dallas or in the West or the East, but it's definitely shown a substantial increase in terms of digital crime taking place.

And that leads me to think from a mitigation perspective, from an investigation perspective, there is, there is a lax daisy ness around how confidential data is being treated or currently managed by individuals at large. And for that matter, more needs to be done around mitigating this risk going forward.

We're always looking at the threat actors to understand their modus operandi. But I think we should also be looking at not only corporations, but also at individuals. What are we doing? Why are we doing what we're doing when it comes to either releasing information that is not supposed to be needed to be released where we are negligent or not aware of the risks.

When this information is exposed, what are some of those root causes? So, it's a, a reverse of just looking at the threat actors where they're finding the weakest link. But what are we doing to enable that process? And I think that's part of the education journey that all, you know, individuals, but also organizations need to embark on in terms of building that the government to sit out this 2030 strategy to make us more resilient.

Well, is this all working together to achieve that? Besides just embedding that at the regulatory level and a good governance level, we need to enact that as that health and safety example I've given on a daily basis.  

Kris: Yeah. I said, I do love that. And certainly, it's the takeaway for me. And when I do go to site and visit with customers, especially in those spaces, they're always there.

Oh, it's your turn. You haven't been at the last hundred meetings. It's your turn to do the moment of the day. And I absolutely. The safety moment. I'm going to start using those and make it a digital safety moment. I think it's a, it's a really good practice that we could put in for that.

And look, I think on the cyber side, it's interesting also on, on the privacy side government, not only here in Australia, but obviously elsewhere, the EU and in the North America as well. Trying to keep up as always, you were seeing more privacy legislation, and that's very much linked to that same mentality of we need to do better governance.

I think across the board, there's a better understanding of the outcomes from the cyber side, what could happen, a better understanding of what is sensitive and what are we capturing and where are we capturing, which is that privacy side. And then having a better understanding of controls, which is the governance and the regulatory side.

I think that convergence and certainly it's great to hear from my perspective that someone who's very much focused on that cyber side is seeing the same challenges.  So, I thank you for taking that time to share that with us.  

Anthony: Absolutely a pleasure. Thanks, Kris. Yeah. Thanks again for making time Brenton, some amazing stories there and some really deep thoughts, and I'm sure again, we could probably have these conversations for another hour and drill into a whole bunch of areas, but really want to thank you for your time and making some time to join us here on the podcast.

Thanks all for listening. I'm Anthony Woodward.  

Kris: And I'm Kris Brown. We'll see you next time on FILED. Thank you.

‍