Customer Roadshow

Breakout Sessions

Intelligent secure connectivity

[Title: Your Business Optimised. Telstra and Telstra Purple logo. Intelligent Secure Connectivity]

John Powell: Welcome, everyone, to the session this afternoon. We're talking about Intelligent Secure Connectivity. That's connectivity that is resilient, that is appropriately secure and is appropriately configured for our modern cloud applications.

My name is John Powell. I'm the principal cybersecurity consultant for Telstra Purple.  

[Slide: Our Panel, from left to right. Gretchen Cooke, Practice Lead for Secure Adaptive Infrastructure, John Powell, Principal Consultant Security and Chris Mohan, GM, Threat Research and Intelligence & Security Controls.] 

And in the time that I've been consulting, I've worked with a lot of customers and dealt with a lot of customers who have invested a lot of money in cybersecurity technology. Unfortunately, they've struggled with cybersecurity governance. So therein lay the challenge for me: how do I explain cybersecurity risk and governance in a way that is simple, is graphical and is easy to articulate? And that's when I came up with a circle of security.

[Diagram showing circle of security in the following order. 1. Threats 2. Assets 3. Risks 4. Controls 5. Solutions 6. Measurement] 

So I just wanna step through this briefly. There's six slices here and I'll go through these six slices and how they work together. 

Starting at the top, we've got threats. Now, threats are not always a criminal or a nation-state actor. It could be nature, it could be negligence. It could even be a simple user mistake. Threats will act upon our assets. 

Now we need to understand what our assets are. So we need to create that inventory of what our assets are, particularly what our information assets are. We need to collect that information and get a decent hold of that. 

Once we know what our threats are and we know what our assets are, we can then define what our cyber risks are. And cyber risk or risk is the basis of information management systems or information security management systems more specifically. 

Once we understand what those risks are, we can then define what controls we need to mitigate those risks. Having a clear list of controls gives us a very defined list so that we can select our solutions with confidence because we know what those solutions have to provide. They have to provide the controls that will mitigate the risks that are faced by the assets because of the threats. 

And finally, we move up to the monitoring. We need to understand how those controls are performing, what is the effectiveness of those controls. 

And we're particularly looking for things like control failure, abnormal activity, system breach, those kind of things. Now we then continue around once we know what the control effectiveness is or we've measured how the controls are responding and we've measured how the data is moving through the system, we then feed that back into our threat piece. 

So we're understanding more in detail about the threats and about how they are relevant to us. Better information about threats and more information about assets or new assets means that we need to reevaluate our risks. 

Now, that could be risks that aren't appropriately mitigated, risks that are facing a new threat or risks that are in place because of a new asset. 

All of those are in play, which means that we need to look again at what our controls are. Do we need any new controls or do we need to reconfigure any controls? 

That then leads into solutions. Do we need to change our solutions? Do we need to update our solutions? Do we need to change the configuration of our solutions? 

And then feeding back again into measurement and around we go. And the circle embodies the cyclic and continuous nature of cyber governance and cyber risk. 

Now, that's all good in theory, but what about where the rubber hits the road? To talk about that today, I'm joined by two colleagues from Telstra Purple, from Telstra. That's right. First of all, Gretchen Cooke. 

Gretchen is our practice lead for secure adaptive infrastructure at Telstra Purple. Thanks very much, Gretchen, for your time. 

Gretchen Cooke: Thanks, John. 

John Powell: And also Chris Mohan. 

Chris is the General Manager of Threat Research and Intelligence within our global networks and technology team. So looking at the inside of what we do in Telstra, whereas Gretchen and I are working with customers. So Chris, great to have you along. 

Chris Mohan: Thank you. 

John Powell: First of all, Gretchen, can I say to you particularly talking about threats, what are we seeing and hearing from our customers in regards to their IT landscape and particularly their threat landscape?

Gretchen Cooke: Yeah. 

So, John, if we think about sort of three main components there, one being networking, one being security, one being cloud, what we're seeing now is actually there's a merging of the three, and they can't be treated separately. They have to be kind of treated as a single unit. 

[Diagram of the meshing cloud, network and security that transforms IT] 

We did research last year with a company called Omdia, and they found that about of the respondents, and they were all kind of CIO level, 60% of them had major projects in the previous year that involve network improvements. 30% of their major projects involved app modernization in order to get ready for a move to public cloud.

But, sadly, 48% of them had had a major security incident during the preceding 12 months as well. So, what we're seeing at Telstra is that what we're taking to the market to help our customers has to be dynamic, and it's got to be kind of really consumable, and the pieces need to fit together to provide the business outcomes that are required by our customers. 

So from us, we just have to be a whole lot more flexible with the way that we're going to market. And in a really short space of time, so let's talk from pre-COVID to now, and it is a relatively short space of time. 

What we've seen is prior to COVID, there was a centralisation of where our applications were kept and where our data was kept and where people worked. And so there was a whole lot of focus on perimeter control. 

Then when we had COVID overnight, everybody started working from home, and the perimeter essentially became the mobile device that you were connected to. Additionally, we moved from pretty much, you know, everybody working on an MPLS network, which is very secure, to using the Internet as the core carriage, which is less secure. 

So, that really brought into play a whole lot of considerations that a lot of companies had not had to think about before then. 

And if you think about mobile devices, there's about 1.5 times the number of mobile devices as people in the world. And our research that we've had access to suggests that those devices are likely to grow at eight times the size of population growth. 

And if you think that sounds really stupid, when I've been at home, sometimes I'll just have a look on our router at home and just see what's connected. And there's only three of us in our house, and there's often more than 20 devices connected, and I start going through them and I'm thinking, how the hell can we have that many? But, you go through and you start recognising them when you realise, oh yeah, that's that, that, that and that. 

So it's happening now in our homes, and we probably don't even realise that it's happening. 

So it's... 

John Powell: Can I ask a question about that, Gretchen? Is this a case of technology driving the business outcomes, or is it actually there are business requirements driving what technology is doing? 

Gretchen Cooke: I actually think it's both. I think it's a bit circular. Again, going back to the COVID example, what that did for many organisations was drive them to utilise SD-WAN, for example. And yes, there's advantages in that because it's cheaper to use the Internet than MPLS. You get much better real-time visibility within your own environment about what's going on in your network. And so we saw the requirements of what was going on in the business changing the requirements for technology.

But that then also means that you have to change your business processes as well with that. So it is quite circular.

John Powell: So Chris, is this what we're seeing inside Telstra as well? 

Chris Mohan: I think everybody is seeing the same thing at the moment, right? 

We're in this world where we've got a fast forward button. Most of us have got mobile phones here at this stage, and the iPhone 15 is about to come out. And if you don't have friends and family will want those devices, the business has got new features in it. It's got new capabilities, and it looks sexier. 

The business has gone through the same process where we have to adapt to change job, and Gretchen knows because she has to listen to me whine about this quite frequently. It puts us in this fast forward where things that were built to last, we're putting into corners and just kind of getting rid of. We've got this big pile of junk. 

If people don't have a drawer at home with a phone or a bit of computer or whatever else, right? I'm not sure what you're doing, but you're much better than I am because I've got stuff all over the place, you know. And it's like, that was quite new, remember flip phones. I feel really old now, having a flip phone. 

My kids are doing presentations about PlayStations and how they were built before they were born. And like with CDs and DVDs, right? They're things. They're real things. And they're like, "No, they scare the birds, Dad." Inside Telstra, it's the same kind of conversation. 

We've got customers that demand change, which is very reasonable, but we're trying to keep up with a scale and pace that is almost untenable because things are just rapidly evolving, John. 

And I think that's one of the big problems. And again, when Gretchen wants a new service in place, we have to deliver something that fits those wants. 

But what about the old stuff I've still got? 

John Powell: Absolutely. 

Now, we talked a little bit about securing the environment as well. I just want to touch on something Gretchen, you and I worked on and actually, Chris, you worked on it as well. So all three of us have a bit of experience with this, a breach of one of our partners. Chris, you were heavily involved from a threat perspective. My team got involved in managing data and allocating access to data. But Gretchen, you ran the whole show for three months. What did you learn from that particular incident?

Gretchen Cooke: Well, first of all, can I just say, could everybody ensure that their patching is up to date? This was a known vulnerability. And unfortunately, the threat actors got in because the patching wasn't up to date. 

And when they got in, this particular organization had no idea that they were in there for months and they stole an enormous amount of data. And we were speaking earlier about this, and what surprised us, and Chris in particular, I think because you had a very deep dive, access to what was in there was just the fact they had no idea what data they had and they had no idea how much personal data they had on many, many fronts. 

And so it was really confronting for them on a number of fronts, but also for us, because, frankly, when you work on a breach for a customer, you don't expect to come across so much private information. And I found that pretty amazing in that breach. 

But there are some key things that I would take away from running that breach. It was full-time, full-on for three months. 

First of all, around data encryption and access control, it's super important to understand who's got access to your data and also the fact that all data needs to be encrypted and it doesn't matter if it's at rest or if it's in transit, it should always be encrypted. 

Secondly, employee training and awareness. This particular company had no protocols in place, so their employees were putting data wherever they felt like on a server. So it's important that you have regular training for all of your staff, do phishing tests. We do them at Telstra, and I have been one of those people that did click the button and wore the consequence, but really ensure that your teams understand what is best practice around managing all the different types of data that they come into contact with. 

Thirdly, the threat monitoring and the incident response. Do all your people actually understand what to do if there is a breach? 

Because what's important is that you actually rethink what are the communication protocols that I'm gonna put in place for my employees, for my customers, for any regulator that I might need to contact. It's actually really smart to think about it and document it. So if it happens, people know what has to be done. 

Think about whether or not you've got containment measures in place and really, if the worst came and you did get breached, do you know how you would actually go about conducting a forensic investigation of the breach after the event? 

And also, what do you need to think about when you're doing that post-incident analysis? So, one way to think about this and actually put something into action is to conduct regular breach simulations to test yourself and to test your staff. 

Another one is around vendor management and the due diligence that you should really be thinking about when you engage with a partner or a vendor. 

So really make sure you understand what security measures that that partner or vendor has in place. Are you clear about their infrastructure resilience and what's their data backup protocol and what recovery mechanisms do they have in place? 

And then do you actually know what their DR plans are? And then finally, when you think about the interactions that you're having with those partners or vendors, think about it in terms of what's in your contracts and your SLAs. 

So, your contract should really clarify, for example, who's got accountability if there is a breach in your environment. And just basic stuff, as I was talking about right at the start, who's actually accountable for doing the patching, for example? And that needs to be clearly understood. 

So there's a very, very strong relationship between business process and technology and making sure that they are driving each other. 

John Powell: OK. 

So some great points by Gretchen. 

And all that's about preparation. In that preparation, just going back to the circle of security, we talked about the measurement piece and the data analytics that we're getting from our controls and our solutions. 

So Chris, I want to throw it to you here, particularly in your role in threat intelligence, threat research in Telstra, and leading that group. 

How are we using the enormous amounts of data that we can collect to better inform our threat research, our threat intelligence so that we know what's out there attacking us? And is that important to us? 

Chris Mohan: Sure. 

So disclaimer, I'm great at parties, right? Because I just tell all the horror stories. It's like, what could possibly go wrong with anything, everything in anywhere stage? 

One of the key things that I find to make sure my boss asks my telephone when I ring her up is to give her something that's relevant. 

So Gretchen is my boss, and I've worked with Gretchen on a couple of incidents to tell her things that were relevant. We got a vast amount of data. Anyone picks up the phone with them, right? You can literally find out data about anything on the planet at this stage with the devices you've got. 

Does Gretchen care? Yeah. 

So the way I find that out, and it's not by a crystal ball, it's actually talking to Gretchen and I talk to my boss and say, what do we care about? What does the business care about? I was trying to understand some of what our customers understand and care about. And I sometimes talk to my boss and find out what she cares about. And then I try and merge the two because the data is overwhelming. 

To give you a sense, in any one day, Australians send about 75 million SMS, right? Those things. 

Yeah. Guess how many emails she sent? It's a lot more than that. How many websites you look. It's more than that. So these are all potential threat vectors. 

Yeah. We make about 35,000 decisions a day. So this hair doesn't just grow itself, right? I have to come up with some terrible choices to pick product to do that. 

Yeah, but these are things you do. And it goes back to the amount of data we've got. We want to simplify ourselves. Gretchen's given a fantastic list of those things, but if I go back to Gretchen and the original conversation we have, Gretchen is what do we care about and why? 

Yes, we go back to that starting principle. What's important to you, Gretchen? And in this particular case of this incident, what was important there? Then what we did is we filtered all the noise we have, which is basically my job to come up with horror stories and then say to John, "Hey John, I've got this source of information. Is it useful?" And if John says, "No, get away from me, Chris." I've got a sense that he doesn't want it and it should drive it back. 

And this is the piece where it's really, really important to talk. Who knew talking is critical, and then getting the answers back, listening to what John is saying. So the data we've got back to your threats here, John, we can spend weeks and we just listing everything that's possibly gonna go wrong. 

Yeah. And you'd be like, "That's lovely, Chris. And I'm never speaking to you again. Let me just delete your number and block it." Or let's focus on what's important to me and understand to the threats what they link to and then basically have to deal with the risks. That makes sense so far?

It does, yes. 

John Powell: So what you're saying then is it's the relevance and how the threats apply to the risks that I face. Not necessarily every threat in the world? 

Chris Mohan: Yeah. 

So it was a really good example. It's not raining in Sydney at the moment, so our washing's safe. In Melbourne, I've got no idea if I put it on the line in Melbourne and it's safe. That's relevant to me. Means nothing to John because it's not his washing and he's not in Sydney.

Yeah, and that sounds overly simplistic. It's not. When we see a lot of scary stories on the news at the moment, if you're not a law enforcement agency or you're not Microsoft, you're not wherever else, and you're getting attacks from certain people, go, that's useful to understand, let's recontextualise it back to what's important to me in my business and what I care about.

The number one thing most people are worried about losing their phones are, it's not losing their phones. It's losing the pictures of their kids and family and not being able to be in contact with someone else. Two important things. Have a backup number, have a backup plan to do those ones.

And John, those kinds of things we find people get overwhelmed by the I must protect against this. This is a horror story. I'll watch another bad movie, Chris, is this possible? 

Well, of course, it is. But not quite in the same way that we think about it. It's not suddenly magically hacked into things. 

John Powell: OK. 

So still looking around this circle, you're coming back to risks. You're saying that what's important to Gretchen is, say, the business leader. 

So to answer that question, Gretchen, you as a business leader, what are the things that are important here? And where I'm headed here is, is it all about technology? 

Gretchen Cooke: No. 

Well, I actually think what's important for me is to understand what's not important as well. So and if I need to have some piece of important data, do I actually need to keep the data or should I have a process in place to purge it? 

And I think that, you know, you think about going forward, Chris, you know, with AI, and I know Microsoft is upstairs talking AI, very sexy. We're just boring infrastructure people that you know what's really important there and it's going to what I'm saying is what data should I purge. Is data around identity. 

So you actually need to have really strong protocols around identity. But then in terms of if you've got customer information, what you don't want to be doing is holding their personal information. 

Chris Mohan: Yeah. 

So, you know, would you like to talk about what we've been doing in Telstra around that? 

Yeah. So you may have heard there's been a couple of incidents in Australia where large amounts of data have got lost. Lost. They've been stolen by criminals, right? These companies have been victims of crime. 

Yeah. It's like someone if you were robbed in the street, the first question we'd ask is, are you okay? When it's digital data, it's not seen that way. It's like it's your fault for being broken into and having stuff stolen too. 

So identity is a really difficult thing if you're a company like Telstra and you've been around for about 100 years or so, right? You've stockpiled all types of information and I'm sure everyone here has got their data categorized into places where they know exactly what it is.

You don't keep documents in SharePoint, you don't keep them in the back of your phone, you don't keep them in your backups, you don't email them to each other. You've got more nice and secure like everyone does according to the books. Yeah, nah, as I like to say, thank you, Bluey.

But the piece is how do we start having this conversation with business owners to say you've got data stored in locations? So if we go to John, "Hey, John, sometimes you need help from a friend because there's this bit where it's like these clutter magnets where you just clutter stuff in and you think one day it'll be useful to me. Back to the phones I've got in a drawer that work in 2G, which doesn't exist anymore, but who cares? 

So the conversation in Telstra is work with people like Gretchen in particular and say, "Hey, we've got this data here. Is it important and why have we got it?" Yeah, back to the why. Because there's some bits is like, No, Chris, do not touch that. Get away from me because I need this for my job. 

And then my conversation is the geek here is to say, can we put it in a better way that is safe for you? Yeah, useful to you, but also doesn't basically get me arrested because I'm too pretty to go to jail. Yeah, just no, not going to do it. 

And that's what we're heading towards. We're heading towards a future where it's going to become very little give to hold information. You may not think that the data you've got is important. 

And I was telling there was a story that back in the good old days, the last four digits of your credit card were used as an identifier by one company. And that one was like, Hey, I've got credit cards here. Just type in those four numbers. Those other four numbers were the secret to allow to open the system. 

So somebody saw the credit card details, took the last four numbers and was able to delete everybody's personal data. This small company was called Apple. Yeah, some of the smartest people on the planet worked for their company, and they didn't think that was a problem because they didn't see the data was relevant. 

And the conversation with Gretchen beforehand where data had been stored by this other company, they didn't think it was important. Gretchen took one look at it and said that is incredibly important to a group of other people you do not know or understand. 

And she immediately took steps to work with John in this particular class to containerize that one and talk to the impacted individuals because they just didn't understand what it was. Sometimes we just don't, we don't know what's the most important thing to us. Again, cheeriest person in the room, right? Great at parties.  

John Powell: Thank you very much, Chris. 

Gretchen Cooke: But the other part of that, too, and you touched on it, is actually the importance of having a secure network and also the importance of protecting data when it's in the cloud. And we see a lot of our customers think that, "Oh, well, my data is now in Microsoft or my data is now in AWS or whatever, it's safe." Your applications and your data have to be protected at all times. Now we provide an encrypted network, but there's probably also the encryption that you wanna put over the top of that.

And John, do you want to talk to that as our security person, to customers? 

John Powell: Oh, absolutely. And I come straight back to risk if I look at that data and say it's a sensitive classification of data, what controls do I need to put in place? Well, before I look at controls, I'll look at what are the threats to that. I know the asset being the particular information. I then specify my risk and then my control is I don't want that data to be accessed when it's either transiting my systems, transiting anyone else's systems, or being stored on my systems. 

So immediately I'm gonna look for controls that can encrypt that data both at rest and in transit. Once I've listed all the controls that are necessary to make sure that is applicable and that might be to one type of data within one system. So one application, and then I do it across all of them. Once I've done that, I then start looking for solutions that provide all of those controls that I need. 

And so I just use it as a... we actually use this as a way of decision making as guidance for our customers to, say, follow the process through and look for all of the things that you need because it's very easy to go, let's see, data in transit. 

I could...OK, so we'll encrypt the link. And just doing that random thought pattern going or what might it be, it's very easy to miss some of those things. So by going through a process and saying, am I actually mitigating this risk appropriately by putting this control in, have a controls catalogue, go through them, tick them off. 

Then if you're a government department or federal government department, you might go back against ISM and say, have I included all the right ones? If you're trying to be compliant with ISO 27000, have I included all the right ones there? So yeah, follow the process. 

Gretchen Cooke: And the other part of it too, dare I say it as someone who's been working in your network for many years, if you are doing a migration to the cloud and John, I think most people probably started off with a lift and shift and now we're seeing this move to do modernization of applications and so forth and more and more workloads being put into the cloud.

Please ensure that you review your network capability and also your security at the same time. Those three things, as I said right at the start, they're super interlinked and shouldn't be treated separately. 

John Powell: I'll ask the audience one question here, Gretchen. 

If you've got modern cloud applications running in a Microsoft or Google or an AWS, what would be the one blocker that you face? Would it be network performance or would it be security issues? Show of hands, network performance? 

Security issues? 

Security. 

When we did the research with Omdia, what did they find out? 

Gretchen Cooke: It was network performance? 

Yep. 

It was absolutely around the fact that if applications weren't working properly, it's because the network hadn't been upgraded or tuned to be able to take the traffic. 

Now, if you were a provider of financial services transactions and you have got to get those transactions done in split-second timing, and if you don't have your network configured the right way and those apps are left hanging, it's a really, really bad customer experience and reputational experience. 

So yeah. 

John Powell: So the summary to all of that is? 

Gretchen Cooke: Don't forget one in, well, don't do one in isolation, do all three at once. 

John Powell: Absolutely. 

Yeah. OK. What we're gonna do now is we're going to open the floor to questions. 

So if you wanna know about intelligent, secure connectivity, you can ask Gretchen. If you want a scary story, we can ask Chris. Yeah, he's good at those. So, yeah. Open to the floor. Has anybody got any questions that they want to ask about anything that we've discussed this afternoon? Yeah, fire away.

Audience: When you talk about network performance optimisation are you referring to a factor as a reward towards a hybrid model, working from home apps in the cloud and not having a single break up out of MPLS lead more towards multiple breakouts, like more SD-WAN, is that what you're referring to? 

Gretchen Cooke: To a point I'll start. 

So when we think about when I was talking about the network perimeter used to be the office building for most organisations, and then all of a sudden with COVID, it moved to someone's house and the mobile device was the perimeter. 

What we did see during that period was a lot of organisations having network problems, not through any, you know, not because of anything they had done, but because purely and simply they hadn't thought about this scenario. 

And the fact that if someone's on, you know, like a 30Mbs or, you know, really small bandwidth pipe and you're expecting them to drive really hardcore applications and processing, you just can't do it. 

So we actually saw that for a number of our customers, we had to try and upgrade their network experience at home. 

So I'll talk about it just from that pure basic, putting things through a pipe from that perspective. 

But also, if you were... Chris, you were talking about SD-WAN earlier and you might want to take that one.

Chris Mohan: Sure. 

One of the other fun challenges with any sort of technology is if you get a slightly enthusiastic business person that just buys services, it goes back to John's problem. You get Swiss cheese. There's no consistency in programs. 

I used to work for a particular company and the way we did auditing is we would get our telephone bills and work out who had bought what because they had 3G. They had 4G, they had ISDN connectivity. 

And as a security individual, I would just sit there and chuckle because it's either that or drink heavily. That was the choice because they had created so many different connectivities. 

There was no way to get visibility on it. And back to kind of John's piece here where we get to kind of assess the risks. I couldn't assess the risks. I didn't know what the landscape was. I had no idea what the assets were. 

And I had to do that by going to our accounts team and saying, hey, can you give me a list of those. 

Consistency of what the application does and then consistency of how it connects to it is absolutely critical because if you've gone out and bought a cheaper alternative, I understand why. 

But if you're not telling people you're doing that, it's that bit where you back up a web marketing site and accidentally that connects back to your database and your database connects to your HR system and things go horribly wrong for you. 

Yeah. And Equifax, one of the biggest companies in the world, basically did that. This is a multi-billion dollar company that kind of plugged stuff in by accident. 

Yeah, because they were saving money and they didn't think it through because someone was trying to do something, shadow IT. They were trying to get rid of them quickly. They were going. 

My favourite Australian phrase, she'll be right. They will just plug it in to move forward. 

Or they didn't understand that everything's a hop now. One of the fun things about SD-WAN, so it's software driving it. 

There's if you don't know what that software is, you're trusting someone to provide that security in the first place. 

When I'm told by people if they've set up their Wi-Fi but they've had a friend's cousin's brother sister's child do it right. 

Yeah, you can set up Wi-Fi, right? Let's see how well that goes for you, because it's multiple parts. There's no consistency in that. There's no thought leadership in it. There's no direction I can't go to. Gretchen said, "Hey, I bought this." She'd just take me outside, backhand me and push me under a car because it's just silly. It's really bad practice because it's not repeatable. 

It's a process, and that's always the problem we've had. And this is during one of the incidents I'm explaining to Gretchen, and she's looking at me like I'm speaking in another language because when people say things, it sounds poorly thought through. 

She's like, "That's not possible." Chris, I'm like, "Well, it kind of is." She's like, but until that moment is replayed back to you, you've done all these great things. You built a network, you built a fast network, you made connectivity. 

You thought through what the business processes are, and the outcome is finally, and then managing the damn things are a pain in the backside. 

John Powell: Does that answer the question appropriately? 

I think the other thing it does come back to is talking about the understanding what's traversing the network and making sure that you encrypt from point A to point B and therefore whatever decisions are made by the SD-WAN solution underneath that, you've got an encrypted link over the top, which means that wherever your data goes and you won't know because it's SD-WAN, because it's making decisions on the fly, you don't know where it goes, but at least you've encrypted from point A to point B. 

Chris Mohan: So something that we were chatting about just before you folks came in was identity as a core piece. Gretchen was saying that if I don't know who it belongs to and what it's supposed to do right, I don't understand the identity of the system. So you can put stuff across networks. There is a technical term. It's called sticking crap everywhere. Yeah. 

If you know the identity of the person uploading it, for example, and you understand the identity of the system, you've got two really good waypoints to do that. And then you can also assert a value to it as well, which is really, really critical. 

One of the things we tend to do is we think everybody is equal. Yeah. Give him the CFO's credit card. Yep. I'm sure that we're all equal in how much money I can spend on that. 

And when you see things like business email compromise where they target senior leaders to get because they've got the money, we're not all equal. So understanding there are certain criticalities, and I've worked on some, I've generously handed some work to John. We saw something as a customer. We're not an internal team. We said, Hey, John, they're he had to go and explain the value of what their identity was. 

So your email address, how important is that to you? Why are you giving away for free, right? Your password. For those that haven't seen it, you can basically give it away for a password. A password for a Mars Bar where there were plenty of campaigns. People didn't think it was important to them. Next time you're on a bus or a train and someone's reading out their credit card to you, please don't write it down. But when they talk about their medical details and whatever else, they give away personal details because they think they're anonymous. You're not anonymous. 

And back to the piece about networking. If you don't have a core identity piece, and I'm saying this to Gretchen because she keeps picking up on that identity is absolutely core to understand what's important to your business because then you can start driving outcomes to it and say, "This side of the room here is looking at this bit." So you have a certain level of normalcy. This side of the room is doing other critical pieces. Yeah, but if we just merge into one blob, we take the lowest common denominator. Unfortunately, in most cases, we do. 

Gretchen Cooke: And the other thing is Microsoft's gonna be bringing Copilot and building it into everything that they have in the market. And yes, it will cost you a bit more, but it'll be very, very attractive as a proposition to many organizations. 

And again, this is why identity is so important because the way that Copilot will work is if you haven't got every employee's identity locked down and with that, the access to different data points within your organization, they can put stuff into Copilot or whatever and ask for some help to write a paper on X, Y, or Z. And what that AI will do is actually scrape all the data that they have access to. So if you haven't locked down the data for each role type in your organization and it's kind of a bit of a free-for-all that is going to open up a really, really big threat area for you as well. 

So just in preparations.  

Chris Mohan: No, no. Let me give you a fun story about that one. So if you're able to scrape data in for the fake AI stuff, right, So the deep fakes, you can use about 100 words to get a facsimile of you. Right? It's not very good, but it's quite fun. A thousand words are much better. If you get really bored, use ChatGPT Donald Trump and it will write your emails as Donald Trump because he's got his language and phrasing. Now that's funny. Until you transpose that into a corporate network and you say, I want to speak like Gretchen because Gretchen has written a whole bunch of work, she's done emails, she's done word documents and she's done presentations and there's certain phrasing language. And if I pretend to be Gretchen go, I can get Gretchen's data and put it into this PowerPoint. Right? I'm a star and then I can get someone to read that out to. I'm Gretchen, for all intents and purposes, right? I'm sending that information. Now, it's worse if Gretchen has written confidential papers and hasn't worked the word confidential, and I accidentally sent that to a friend. This is cool. Look, I can be Gretchen. I can do this stuff. Oops. I probably need a new job at that point in time and legal representation. 

People don't think that thing can happen. If your CEO and your interns are there. Interns are very smart, very driven to not do as much work. Yeah, they'll go, Well, I can copy this because I know the technology. The CEO is not going to understand it because they don't have that concept. And one of the cases I've worked with John, John, compartmentalised information to do the identity piece and the confidential pieces. So we knew who was accessing. Why? John, you wanna talk about that because that's really useful as a kind of context of... 

John Powell: As in how we did...  

Chris Mohan: How we... the thinking behind it and the way that we protected the connection and then the connectivity.  

John Powell: So in that particular case, we had all the data that had come down from a data dump. But what we had to do is we had to go through a lot of data. I think was it 500.  

Gretchen Cooke: 500 plus gigs. 

John Powell: Yeah, we had to go through all that data. A lot of it was PDFs and we had to then determine who the customer of our partner was that owned the data on that. But we couldn't just let everyone look at all of the data because then they were looking at data that didn't apply to them. So we used an e-discovery tool that is often used in law firms. And when we do this work now, we actually subcontract a lot of this out to one of our law firm partners where they ingest all the data into that system. And then we set rules in place that we are looking for certain patterns. So we're looking for the patterns and doing searches. And we did a number of searches to try and make sure that we weren't missing any customers and that we weren't overlooking any sort of, you know, two customers being named in the same document. We were then able to set up a user account for that one organisation that they would then have access to these flagged documents. So by filtering those documents and tagging them appropriately, we could then set up a user account. So we had... I can't remember now. 

Probably 70 or 80 different user accounts set up on one side, and on the other side was all the tagging. 

And so the matrix in the middle through the application was allowing the individual login to only view the PDFs that apply to them, and they could view their subset. Quite neat actually. 

Gretchen Cooke: One thing that I learned out of that is if your organization is doing any M&A, make sure you get your data sorted as well as part of the transaction because that can leave you in a world of pain as well. If that's not sorted at the time of the acquisition or the divestment as well. Yeah.  

John Powell: Very good. 

Okay. We're getting close to time. Just quickly, any other questions that we can answer real quick? 

Audience: Do you talk to people generally people or employees about the organization are number 1 risk factor to our process? Where do you start particularly if you're in a non-technical business? So many manufacturing start at the top. 

John Powell: The Chinese have a phrase that says the fish rots from the head down. Your board will set your culture through your CEO. I mean, you've probably seen that as well, Gretchen, in your roles. So start at the very top. 

Make sure that directors are the first ones to say, can you take this password off my iPad? Because it's too hard to get to the board notes. The answer to that is no. I'll help you understand how to do it. So start at the very top and get your education flowing down that way. 

Once the directors say we are going to do this, the CEO is we will do this, the executive leadership team, we will do this. And finally, those of us on the floor, there's only one choice. We do it. 

Chris Mohan: There's one thing to add into that, though. It's really important to get buy-in. And the way we got buy-in is we made password managers free for all our staff. So we said this is what good practice is, and the reason is you can tell your friends and family this is the impact because my father-in-law is always one click away from spending my inheritance. 

Yeah. So make it as safe for them as possible. But just say it's there. Have these kinds of conversations where you've got really clear one to say, This is the business we're leading, right? So we're doing this as a cultural thing, not just to protect the business because, you know, that's an email address, right? 

So my password, it's actually our livelihood to ask the people that sit around you. And if you're able to show them how to do it at home, we found that it's been really good. We've done things with schools and so forth, right? We've had schoolchildren teaching some of our more senior staff. 

Right. Why? It's important. So that kind of back to John's kind of circle bit is really, really important. So yeah, people saying you must do this right has always worked well for me at school, right? 

I followed the rules completely throughout it, but seeing how they're kind of the culture that's actually created actually changes that dramatically. So if you can get buy-in from everyone and they actually care about it because if you say this will protect your friends and family from losing data. 

So your banking account, for example, your online photographs, for example, other critical information you are storing, this is a really simple way to do it. They'll start getting used to it. They'll have a password manager on their phone and they'll tell people to use the same thing. 

Yeah, and if you make it freer and accessible for the one, if you can get rid of the nerd language in the fear of if you don't do it, you'll be fired. Gretchen mentioned the phishing drills we do. We don't tell people off for failing phishing drills. We say this is what could have happened. We changed the conversation. Try and take away fear from it because as soon as you make it scary. Yeah, people don't want to do...Don't do the wrong thing. 

John Powell: Very good. 

Thank you very much, Chris, for your input. 

Gretchen, thank you for your input. 

[Your Business Optimised. Telstra and Telstra Purple logo] 

John Powell, Principal Consultant, Security, Telstra Purple

Gretchen Cooke, Practice Lead – Secure Adaptive Infrastructure (SAI), Telstra Purple

Chris Mohan, GM, Threat Research and Intelligence & Security Controls, Telstra

Networks are more than the connections that allow information to flow between machines and people. They must also be secure. Our panel of experts explore the current trends and look ahead at how data science, data analytics and artificial intelligence might make our networks even more secure.
