Thomas Jreige is a Cyber Security expert. He boasts over 20 years’ experience in cyber security across a broad range of businesses and industries.
Some of those industries include: National security, critical infrastructure, banking and finance, mining, oil and gas, as well as manufacturing and transportation.
His philosophy aims to ensure a strategic management approach to risk in both business and technology environments.
In our podcast interview for “The Network with Mike Drysdale”, Thomas and I discuss a range of topics, many of which are critical if you own or operate a small business. In this article I’ll reveal his expert insights on Cyber Security and the role it plays within small business.
To listen to our chat in full, simply click play on the SoundCloud players at the bottom or top of this article.
Two Costly Assumptions Small Businesses Make When it Comes to Cyber Security.
- That they’re fine, because they have a managed IT service provider. Many of the compromises that have occurred recently were because these providers tend to take on too many clients. They overcommit themselves and fail to provide the same level of protection across their entire client base.
- That they have protection, because they have anti-virus software. Most products like Norton anti-virus are quite basic when compared to newer software that features artificial intelligence. Modern anti-virus features heuristic-based analysis of traffic and attacks, designed to detect new and unknown computer viruses. This means new anti-virus software is able to detect an attack even when it has never come across that style of attack before. The program behaves as if to say: I don’t know what this is, but I’ll stop it anyway.
Traditional anti-virus does not perform this way. Instead, it relies on signature-based analysis and detection. This focuses on looking for patterns, such as known malicious instruction sequences often used by malware. The issue is that it becomes susceptible when it does not recognise the pattern.
According to Thomas, organisations with good cyber security should have an ironclad understanding of at least three things:
- Where their information is.
- What they’re doing with their information.
- Who is the designated owner of the risk around this information.
“It’s a very traditional discussion and a very old discussion that’s still not being realised within small businesses,” says Thomas. In a climate where privacy has become a heated topic, storing someone’s information can be a lawsuit waiting to happen.
“The federal government have released the mandatory data breach notification.”
This means the following business types must make mandatory data breach notifications if there is an information breach within their business.
Business types affected by the new “Mandatory Data Breach Notification” laws:
- Finance organisations storing tax file numbers.
- Healthcare organisations storing medicare details.
- Any business storing information that could count as 100 points of identification.
These organisations are now subject to large penalties if they have an information breach and fail to notify the information commissioner.
Thomas believes this is a good initiative, “Because it’s putting the responsibility back on organisations.” However, it raises the question: what happens when you don’t know what you don’t know?
According to the Office of the Australian Information Commissioner, 107 voluntary data breach notifications were received in 2015-2016. The top five sectors during the year were:
- Australian Government
- Finance (including superannuation)
- Health service providers
- Online services.
Thomas Jreige’s Three Keys to Understanding Risk.
“One of the key things with risk assessments for example, is that we say: I don’t have insurance. Instead of understanding the risk of why we need the insurance. Take professional indemnity for instance. Say you’re a consulting organisation and you go and purchase professional indemnity insurance. Do you understand what you’re actually being protected from?
There’s a new cyber insurance that came in recently. Now, cyber insurance is great, but do you actually understand these three things:
- What’s in your environment?
- What are you protecting?
- What are you trying to stop from occurring?
Understanding the risk in your organisation is very important. Because, that is what allows you to assess the dollar value you actually need to protect your organisation.
If you’re a power station for example, your assets are very critical because if there’s no power in society, you’ll get civil unrest. Therefore there’s a big dollar value around security for protecting a power station.”
Cyber Security Risk Factors for Small Business
Small businesses have information coming in and out of the internet when using Xero and other cloud-based applications. The information is probably not as valuable as the power station’s assets. However, as a small business owner you still need to understand:
- Where the information is going.
- The flow the information takes.
- The real threats to the business.
- The risk level of each one of those threats.
With this information, you can assign a cost that equates to the controls you wish to put in place to keep those risks at bay.
This may also indicate to some readers the need to outsource these responsibilities to a subject matter expert, either to educate you further on the subject or to simply take care of it for you. Thomas likens it to the process of seeing a doctor.
“You go to a doctor to get advice about your health. Yes, you can go on the internet and self diagnose etc. But at the end of the day, doctors have had 10-20 years of training and they understand the symptoms. Even though sometimes the symptoms don’t match the real problem.”
What Do Cyber Security Experts Know That You Don’t?
The same thing goes for cyber security. It’s not merely a case of understanding what’s in front of you. There’s also a lot happening behind the scenes that most people simply aren’t aware of. For example:
- Who’s targeting your industry from a threat perspective?
- What are the 10 latest hacks for your industry?
Above is a video that features security researcher and expert hacker Samy Kamkar. In it, he breaks down a few of the hacking scenes from the recent movie, Ocean’s 8. During my podcast with Thomas Jreige, we discussed the first scene you’re about to see. It’s an all too realistic way of executing what hackers refer to as “a spear phishing attack”: a targeted attack on a very specific person with a very specific email.
“The last two large ransomware viruses that were distributed, one of them was called WannaCry, the other is NotPetya. (You can read more about WannaCry and NotPetya here.) Just from a simple click of an email. A $300m damage bill was given to a large shipping company and it stopped operations for weeks.” Thomas explains.
They were essentially held to ransom. Once the hackers had gained access to the system, they encrypted all the files so that the company couldn’t operate. At this point, they told the company: if you want to run your business again, pay us the $300m.
Potential Next Steps
Granted, the shipping company was a special case. Your business may not have the same target on its back that they did. However, every business has vulnerabilities and there is an array of options at your disposal to control them.
One step Thomas recommends is applying for cyber insurance. A good company will ask you to take a questionnaire or fill out a checklist. This, in turn, will give you some visibility over what you’re comfortable with and what you still have to learn.
Alternatively, you could book a time to have a chat with someone like Thomas himself. You can get in touch with Thomas via his company’s website Focus Cyber Group or email him at email@example.com for more information. His ask at the end of our podcast was simply to be careful of what you do with your technology. Always feel free to take a step back if you’re facing a problem you don’t understand. If you still can’t figure it out, make a phone call. You never know the answer you might get back.
To listen to the rest of our in-depth chat, check out the Thomas Jreige episode of ‘The Network with Mike Drysdale’ embedded below.