Craig Nielsen, senior director, Channels and Alliances, APAC, McAfee Inc
Sean Richmond, senior technology consultant, Sophos A/NZ
Aviv Abramovich, director of engineering, Check Point A/NZ
Peter Sparkes, director managed services, Symantec A/NZ
Sanjay Mehta, managing director, Trend Micro A/NZ
Neil Cameron, managing consultant, Bridge Point Communications
Aaron Bailey, security practice manager, Dimension Data A/NZ
Keith Price, director, Black Swan Consulting
Part 1 of this roundtable ran in the August issue of CRN. Part 2 starts on page 7.
CRN Small organisations appear oblivious to the fact they have assets of interest to criminals. Intellectual property, money in bank accounts, customer contacts. What do we all see as the key implications for this, in particular the opportunities presenting themselves for resellers to help guide their SMB customers?
Keith I’m trying to understand why we are no more secure today than we were last year or three years ago or five years ago and we’re always one step behind the bad guys. We need to start approaching the problem a little differently. SMBs have increasingly become the victims. Yet many continue to believe attackers aren’t interested in them.
Yet they’ve got bank accounts, they’ve got some intellectual property, they’ve got maybe some credit card debt, depending on who they are and what they do, and they also have computers that can be used as ‘bots’ to attack other people and spread malware, and so that’s a big issue as well. They are definitely a target.
Something I want to talk about later is my concept of the ‘cyber kill chain’, which is all about the importance of security architecture in protecting your information assets, regardless of how big you are.
CRN With the big imminent changes to the privacy laws, clearly there’s going to be a massive compliance challenge. What are we seeing around the table in terms of both that challenge and the opportunities for you as vendors and resellers being trusted advisers to your clients.
Craig We recently surveyed 500 Australian organisations, particularly around the Privacy Act and the changes, and we balanced it. We had a quota for different segments and sizes of organisation, so we really wanted to get SMB, commercial enterprise and different verticals. Out of that survey 59 percent of Australian organisations said they didn’t fully understand the Privacy Act. That’s quite staggering. We as vendors, and the channel, have a massive opportunity and challenge to communicate the impact on to our customers and to start preparing them. When you’re talking specifically around SMB, the threshold in the Act is organisations who do over $3 million annually.
That actually cuts into a large portion of the SMB market. The other issue requiring attention is the fact the compulsory notification legislation didn’t get through. That will be important legislation to close the loophole on what you need to do and what happens if you aren’t successful in doing it.
CRN Why do you think, then, there’s that lack of awareness if it’s been so prominent in the media? Do you think it’s a case of companies being afraid of it, or is it being badly communicated by the government? What do you think is the issue?
Craig Security is a massive issue in organisations and it’s not siloed in one part of the business. If you think of a lot of this personally identifiable information, where it actually sits, a lot of that might sit in a marketing department, not necessarily under the governance of the security team. Internally, the issue companies have is getting a consistent framework and policy framework across the organisation. Generally the breaches and failures don’t sit in the middle, they sit on the edge.
Neil I completely concur. I work in the GIC space on a day-to-day, minute-to-minute basis and for a lot of my clients, the challenges they find are just that. Where is the data, where does it sit? When I walk in and say ‘tell me about your environment’, they say ‘well really that’s why you’re here’. And how on earth can I quantify what it means to that organisation? I suppose really educating the organisations in question. And with the Australian legislation where it is, one of the challenges I find is that I get executives turning around to me and saying ‘why should I comply?’
“I don’t have to, in the sense that there isn’t an obligation for me to state that there’s been a breach in my organisation, so I’m good to go, so why should I invest X, Y, Z in going down what sometimes can be an expensive compliance avenue?”
CRN Do you think the fact that the data disclosure act is yet to be heard in the Senate is contributing to complacency within the business community?
Neil Absolutely. I think there needs to be a lot more effort to educate people to say ‘this is important’, and how do we compete globally as well? You know you’ve got other countries who are basically ahead of the game; shouldn’t we be leading from our side as well?
Keith One of the drivers of the legislation was to help get it up for that exact reason. There were three primary reasons and that was the third one to get it up to there, so we could get it up to other OECD countries’ levels.
Neil Don’t you think, Keith, that the missing component is that you must release the fact that you’ve had a break? Otherwise we are going to continue in this ‘washing machine’ effect.
Keith The Commissioner clearly said that self-reporting doesn’t work. So they’re going full speed against that.
Sanjay I come from the US, which is probably one of the more heavily regulated places, but I can tell you that if you try to compare Australia to other nations, while we may not have the laws and regulations and the breach and notification vocation acts and everything else, the fundamental problems haven’t changed. If you look at the US, there are all these entities coming down and saying now that cyber risks are a part of a business operation and should be looked at that way. Has the threat really changed, or are companies any more secure, or small or medium-sized businesses more in tune to dealing with the problems? I’d say that answer is no, because you now have to disclose that you were breached, but nobody is necessarily disclosing how they were breached to try to help other similar-sized businesses.