
Why Your Postcode Isn’t a Firewall - Cyber Security Special, by The Business Huddle GippslandFM. Duration 55:55; MP3, 200.146 kbps; uploaded to Audio.com on 2 Feb 2026.










This episode discusses the importance of cybersecurity for small to medium businesses in Gippsland, highlighting the misconception that they are not targets for cyber attacks. It emphasises the significance of robust security measures for winning business contracts, especially in light of upcoming investments like the proposed $10 billion AI data center in Morwell. The conversation with cybersecurity expert Daniel Buckton from SurePath Cyber delves into the necessity of cybersecurity assurance for businesses dealing with critical infrastructure, potential threats from automated bots, and the role of cybersecurity in securing supply chains. Daniel's focus on assisting local businesses in navigating cybersecurity challenges and meeting certification requirements is also highlighted. The discussion sheds light on the misconception that small businesses are not at risk of cyber attacks and explains how automated bots target vulnerabilities in security systems.
Get ready for the insider's guide to local business stories. Welcome to the Business Huddle, your weekly passport into Gippsland's most inspiring businesses. Real conversations, real challenges, real local legends. Let's look at the game plan and get started.
Welcome back to the Business Huddle on 104.7 Gippsland FM. I'm your host Melanie Kehane and thanks for joining us today. Did you know that the Business Huddle is now on demand? You can simply head over to the Gippsland FM website, gippslandfm.org.au, click on the program guide, scroll down to the Business Huddle and that has all of the previous episodes and interviews that have been recorded and that's all thanks to Energy Australia. Now if you're running a business here in Gippsland, it's easy to look at the headlines of global cyber attacks and think that's a big city problem, we're too small to be a target. But the reality of the modern digital landscape is that automated threats don't really care about your postcode or your headcount.
But today we're not here to talk about fear, we're here to talk about growth. We're exploring how flipping your digital mindset can turn cyber security from a confusing expense into your biggest competitive advantage. The kind of advantage that helps you land those major local government and industry contracts that now demand ironclad security standards. Joining us in the huddle today is Daniel Buckton, Director at SurePath Cyber. Daniel is a cyber security expert who specialises in the small to medium business space, helping local business owners navigate the complex world of digital risk without the technical jargon. Today we're going to discuss why being too small is a myth, how robust security can actually help you win more business and the practical steps you can take to move from being a target to being so secure you win those big business contracts. But before we jump in here, we are going to go to a quick song to get us underway, Dr. Pressure by Miami Sound Machine. And we are back on the business huddle. That was Dr. Pressure by Miami Sound Machine. Today we are discussing cyber security, all things with Daniel Buckton from SurePath Cyber. Daniel, welcome to the huddle. Thank you for having me. Excellent. So you've had a pretty impressive career in the high stakes world of cyber security. But you've recently chosen to launch SurePath Cyber right here in Gippsland. In a world where I guess we can work from anywhere, Daniel, why was it so important for you to focus your expertise on helping our local small to medium business communities? Well, again, thanks for having me, Mel. Look, my passion is small to medium business in Gippsland and that they can compete with big city and metro organisations, for tenders, et cetera. So Gippsland is entering a new phase in investment, let's be honest. And I really want to support those opportunities and help small business be competitive in that space. And you're a local.
Yes, I've been a local in Gippsland my entire life. I've one short stint in Melbourne, but let's not go there. Let's not go there. So, look, a clear example of what's been happening is the recently announced proposed $10 billion AI data centre. It's coming to Morwell. I saw that on the news or in somewhere where I'm reading things about the city. That's amazing. It is. That sort of investment in Gippsland is huge. What is it? So it's essentially, I mean, we see on the news all of these massive city-sized data centres. Obviously, it's not going to be that big. But 123 hectares is what they're looking at using near the old Hazelwood power station site. Right. And so does that... Will that bring, like, more local jobs? Something in cables need to be... Yeah. ..data? Cables, the construction of the site itself. Yeah. Ongoing maintenance, you know, power supply, the water supply. And then all of that infrastructure upgrade that comes from that. So... Yeah. ..a data centre like this uses somewhere around the... Sorry, for the tech heads, around 760 megawatts of power. Yeah, OK. Now, in Gippsland's case, that's about a third of what Loy Yang A currently supplies at its max or peak capacity. Oh, wow. Which means that with that closing, there needs to be a lot of infrastructure in power... Yeah. ..in Gippsland for a data centre to be able to be supported. And why not do it next to the source of the power? Exactly. I mean, we've got power stations here. Why not use that? I mean, Yallourn is looking at... The owners of Yallourn are looking at redeveloping that site and still generating power to some degree... Yeah. ..out there. And there's obviously talk about that dirty word nuclear and other things in Gippsland. Yeah. That investment is going to bring jobs. Got you. It's going to bring opportunity for small to medium business. Now, the big thing around that is that those large companies that are going to be asking for services from local providers... Yes.
..are going to need some sort of cybersecurity reassurance. Whether it's professional services, trade services, it could be, you know, anyone. Anything. And is that just because that, you know, they are accessible by... Say you're a contractor and you've just, you know, landed the contract of your life out at this massive AI hub and these big contractors are saying, well, we need you to be secure because we don't want hackers hacking you and coming into our system through you. And that's precisely the angle. Yeah. The government is now also pushing critical infrastructure to secure their supply chains. Right. So that means anybody that deals with critical infrastructure such as water, defence, power, medical services like hospitals, et cetera, they all need to prove that their supply chain or have at least comfort in that their supply chain is secure. Yeah. We've seen some major hacks of recently, some major incidents where a third party provider... Yeah. ..is hacked. Yeah. Happened recently with the New Zealand's version of what we do with the record, with the My Health record. Yes. Their provider was hacked which meant that... and it was a back end provider... Yeah. ..which meant that they... Essentially... ..essentially lost a lot of patient data or that just went out to the world wide web. Yeah. So it's...and that's scary. Yeah. And I think for most businesses down here, they might not know this. Like you could be undergoing, you know, that contractual process and I guess that's probably where you come in for those smaller businesses. They're like, well, how the hell do we figure out how to, you know, get this certification? So I guess that's, you know, maybe the market opportunity for SurePath is you being able to help these smaller medium firms bring all of that or make them make sense of it at least. Correct. And working at the...what I'm actually going to be doing is preferably working with whoever looks after their IT. Yeah. 
If they've got an internal IT person... You mean that lady who sits in the back corner in the dark? Yes. That one. That one. When your email doesn't work, you like send him an email IT at... Yeah. Or call the support desk 1300 because you've got a local managed service provider. Yeah. My aim, my goal is to work alongside both the people that are currently looking after the small business and the small business or if they don't have anyone. I was going to say, why don't they have one? There's a certain point that I can look after. Yeah. And get them to a maturity stage. Yeah. And then hand that back. Yeah. Got you. To them to manage on a day to day basis. Definitely. So once the systems are in place you can... I'm just thinking more small businesses here. There's costs involved there and we'll go into that a little bit later in the episode. But they're thinking, God, I need this. So can you go in and set that up for them? And then they are safe and they can go in and apply for these contracts? Yes. Can they manage it themselves afterwards? Yes. And as you said, we'll get into it later. Yeah. But there are standards now that can be used by small businesses that are designed for small businesses. Perfect. That are built based on large international standards that have been around for decades. Yeah. But it's built at a small business scale. Perfect. Well I guess we often hear local owners, local business owners say, I'm just a small shop in Sale or I'm a tradie in Morwell. Why would a hacker halfway across the world care about me? Can you explain the reality of how automated bots work and why size actually doesn't offer the protection people think it does? Well they've hit the nail on the head with bots. And I'll throw it out there. This morning I spoke to a managed service provider and they said, why would anybody target my customers? Wow. That was coming from an IT managed service provider. Yeah. So that maturity is still being grasped even in the industry. Yeah.
Okay. The big thing is, the big thing to note is they can still be hacked. So a small business is not targeted for personal reasons. Okay. It's not based on the type of business they are, the type of customers that they have. It's just because they can. Yeah. I think I said in the intro like they don't care about your postcode or your headcount. And like you're saying, they're bots. So they don't have a persona on you. No. They're just looking for gaps in security. Yeah. And once they find that opening, they use that opening to do their nefarious deeds. Yeah. And what sort of deeds can they do? So let's say to the small shop in Sale or the tradie in Morwell. Well the biggest, so there's things like they can get access to or intercept payments, intercept payroll, get to know you, your customers and your suppliers and how they do business. Yeah. And then they can also... Imitate you. ...imitate you. Yeah. So one example that I had a few years ago was a construction firm that was, they weren't attacked themselves. One of their suppliers were in their supply chain and they lost a payment of $22,000. Now that supplier couldn't afford to pay that. So this organisation here in Gippsland was stuck with a $22,000 hole because it was paid to the wrong account and that particular organisation just couldn't pay that money again. Yeah. I mean $22,000 is a business killer. Yeah. Definitely. For small business. A game changer. And I think heading into that sort of the amount of money that you can lose and to sort of really bring this home for our listeners, I did read that the Australian Signals Directorate report shows that the average self-reported cost of a single cyber crime incident for an Australian small business has climbed to almost $50,000. And like that's staggering in itself. But for most local businesses it's not just a setback, it's a potential door closer. 
So if a business looks at their budget and sees cyber security as a cost, I say that in inverted commas, how do you help them reframe that to an investment in their business longevity instead of potentially rolling the dice on a $50,000 disaster? Well, yeah, that's the million dollar question because it is actually difficult to have that conversation. So as you said in the opening or as you said in the last question, small businesses just don't think that they're going to be targeted. Yes. And they think that they can keep doing business the way that they've been doing it for years. It is unfortunately that's a misconception, a fairly large misconception. So what I'm trying to do is help refine cyber as a resilience investment. So businesses are resilient. So medical clinics, manufacturing firms, others build resiliency around power. Yeah. They'll buy a generator. They'll buy some sort of, in this day and age maybe some sort of battery system that keeps them going for a couple of days. Yeah. Those sorts of things. So they spend that money on that resilience. But what happens if your IT systems die? Oh yeah. And you don't know how to fix it. That's what happens. I mean for a business like manufacturing firms, most of their machines these days run using IT. Yes. So it's what we call operational technology. They use computers built into the machines that create the widgets that then get sold to these larger organisations or used for maintenance or whatever it is. If their IT systems go down, their business stops. Yeah. Okay. So does that mean people like diesel fitters have to learn more about technology now? No. Just sort of thinking about factory work when I was younger like you just call in your fitter and he would come and maybe not diesel fitter but your fitter would come in and fix the problem. He might be out for half an hour but he's there to fix it. But now with all of this technology in these machines, is that still the case do you think? To a degree. 
Yes it is. But those suppliers hold your information. So if you're a critical infrastructure like Gippsland Water for instance and you've got a maintenance company that's coming in that has access to limited access in most cases but access to your client's information, your project's information and how a project is being rolled out, what type of technology is being used, all those sorts of things, if that person that you're using for maintenance is hacked, that hacker gets access to that information. Now they might not use that themselves. They might on-sell it to a state sponsor like another country because that's information that they can get money for or sell it to a – so one thing that started happening a lot in the last couple of years is the on-selling of information of youth within the areas. You're talking about like IP or – I'm talking about things like a – Statistical information. Teenagers' date of birth, you know, before they get a driver's licence so they don't have that ID number already and they create – those things are worth so much money. Now that's obviously not something that Gippsland Water looks after but that's just one example of the type of information that they're looking for. Contracts. You know, a payment's about to go through for a particular maintenance contract. Yeah. Okay. Again, I'll use Gippsland Water as the example or Waterboard as the example. Maintenance company goes out, does their work, sends an invoice off. They owe that invoice like that construction example that I gave. Yeah. Send that invoice for $22,000. And it gets paid to somebody else. And it gets paid to somebody else's account. Yeah. Now someone like Gippsland Water can afford to pay that a second time. Wow. They wouldn't be happy. But they don't want to and you may not have your contract renewed at the end of it because that isn't – Yeah. There's those security breaches.
So how do you tell that contractor that sort of investing – well, that, you know, upping their cyber security? And I've heard you talk about maturity before and I really want you to clarify what that actually means. I'm thinking getting old. But, you know, how are you selling that I guess not as a cost but as an investment for these businesses? Well it all comes back to – I was going to get into that further on but it comes back to standards. So there is now a standard that allows small business to do things in stages. You do critical things like multi-factor authentication is something that I always talk about as a first step. Yeah. As annoying as it is for most of us who forgot the password and have to log on to this device and it goes here, there and everywhere, that's your first step? That's the first step. Yeah. Because if somebody – if a threat actor as we call them in the industry or a hacker – Yeah. – gets your password, the first thing that they'll do is try and access your email and get information, those sorts of things. If multi-factor authentication is in place – Yeah. – that stops them. It stops that bot. I was going to say is that a little kid doing that or is that an actual – No. – that's one of these bots? It's one of these AI bots. Yeah. So AI, latest version, I mean we were talking about it earlier in the break. Yeah. ChatGPT was used quite extensively. Yes. But there's examples of those tools that are actually built for hackers. Yes. And they – You can train them. – constantly – all they'll do is they'll constantly look for – look at domain names – Yeah. – and just spam until they get clicks or passwords or information they need and they'll read all that information, gather it – Yeah. – summarise it and use that for another attack on another organisation.
So that multi-factor, that first critical step for a business is not necessarily going to prevent that and I can't believe like a lot of businesses still like, you know, businesses that I would use in online transactions still don't have that. I think it's only becoming really like everyone must have that two-step authentication. Don't even talk to me about the authenticator app. But, yeah, I feel like that might be just sort of something in the last couple of years where, you know, even banks and things have only just really been nailing down on that's what they need to put in there. So if that's your first step, you know, that must stop a lot. Yeah, it does. Because the bots will go, okay, there's a multi-factor authentication challenge that's been presented to me. Move on to the next email address or the next domain. Is that like when you've got a website and, you know, you have to click that you're not a robot in there? Yeah, a little bit like that. I guess not the multi-factor part but that's also another security step. So it confuses these bots to say, you know what? It is. But in most cases bots these days can get around those very easily. Can they? Except for the ones where you're supposed to click on the pictures of the buttons in the story. Oh, a bot could read the images. I mean, we've seen what ChatGPT can do. You can give it a, you can give ChatGPT a photo and ask it to describe what the image is. And nine times out of ten it will get it correct. It doesn't get it correct all the time. Yeah. But it does get it correct often. God, that's embarrassing because I've failed some of those image things before. I'm like, oh. I think we all do because, you know, is that little bit of that bike in that square? Yeah, yeah. Well, you're listening to Gippsland FM, the Business Huddle, with our special guest today, Daniel Buckton from SurePath Cyber. And we are talking about all things cyber security bots now that we know what they are.
And I guess, you know, we are seeing more local government and big industry tenders requiring this proof of cyber security standards. So, for a business owner who's brilliant at what they do but isn't a techie, which I know lots of people aren't a techie. You're good at what you do, but you don't understand much else. How does SurePath and the framework that you've developed help them meet those big business requirements without getting bogged down in that jargon? So, it's about having that proof. So, an organisation like SurePath will come in, will assess where you're currently at, and that word maturity comes in again. And the standard that we particularly use is SMB 1001. It was developed in 2024. Yeah. And so, it's fairly new. It's only the adoption rate is only just starting to increase now. Do you know what sort of percentage adoption rate it's got? I see it around more and more, obviously. I've talked to you, so maybe that's where I've seen it. It'll be a low percentage at this particular stage. There are a number of associations that have taken it on board. SMB IT professionals, Australian Information Security Association, both of which I'm members of, have that now as part of their, we use the term rhetoric. Yep. And now those are starting to be talked about quite extensively by critical infrastructure which use those organisations as leverages of what's happening or ideas of what's going to be happening in the market moving forward, so over the next 12, 18 months. Okay. And it's only at 1001, so I'm thinking we're about to go through a whole lot of numerical iterations with this framework. No. So, the framework changes a little bit every year, and it's SMB 1001 2026 now. Got you. So, all it does is it changes the year. Yep. So, if you meet SMB 1001 2025, you still meet that for the full 12 months, and it's just an annual check-in to ensure that you're still meeting the standards, and the standard does change based on what the market sees.
So, what does the standard involve? Is it that multi-factor authentication? Multi-factor authentication is number two on their list. Yep. Number one is engage a IT professional. Yeah. There's some description. Yeah. You don't need to have a managed service provider, though, in that case. Yeah. Just need somebody to come in and check that certain controls are in place, and then there's other things like backup and cyber security training. Right. So, one thing that you'll find is becoming quite extensive and asked for a lot for even just a standard professional indemnity insurance is, you know, is MFA turned on? Is cyber security training happening? What does that involve? Again, like we're, you know, not exactly techie. We're great at what we do. Ninety percent of attacks start with somebody clicking on something that they shouldn't. Oh, these are those phishing scams. Yeah. And multi-factor authentication, of course, stops part of it, but the thing is if you click on it, then it prompts you for it. Most of them are smart enough to set up a prompt for MFA within that week. Yeah, yeah. You've just given them your multi-factor authentication token anyway. Right. So, that is, apart from multi-factor authentication, that's probably my number two, is cyber security assessment training. Yeah. Yeah, and I think that's really important. I feel like every corporate job I've ever had in my career for the last decade has had that element of training and trying to recognize that, you know, there's, you know, Lance, who's a landscaper, and, you know, I think we're all becoming a little bit more aware of phishing scams and things like that, but might not be too tech savvy or, you know, he's just on the computer to do his invoices or something. He might actually think, like, that's genuine. So, you know, does that wreck him as well? Well, it can do. The training is not actually as complex as what people, a lot of people are worried about. Yeah. 
So, it can be, you know, it's something as simple as hovering the mouse over the email address to make sure that the email that it actually came from is the email address that's displayed. Yeah. So, it might come from the Daniel Buckton to SurePath. It might say that it's come from Daniel.Buckton at SurePath.com, but underneath it's actually come from Gmail email. Yeah. My partner gets me to check his email all the time. He's like, is that really an ASIC email? I'm like, I don't know. It looks like it. Yeah. A lot of times it's probably not. Yeah. Yeah. Exactly. Daniel, we are going to take a quick break for the news, and for our listeners, you have been listening to Business Huddle with Daniel Buckton from SurePath Cyber. We're talking everything cybersecurity on today's huddle, and we will be back right after the news break. And welcome back to the Business Huddle on Gippsland FM. Today we have been chatting with Daniel Buckton from SurePath Cyber, a cybersecurity company start-up, I guess, or new-ish. I mean, Daniel's been around in Gippsland for his whole life, but his company has just launched in 2026. Great time to launch something like this, Daniel. And we've been talking about cybersecurity, businesses, who it can affect, what are some of the benefits of having good cybersecurity, some of the, I guess, most common risks for small businesses in this space. I know you do see, and welcome back, Daniel, you see a lot of digital backdoors in small businesses that are surprisingly easy to close once you know you're there. For our listeners who wouldn't know what they were, and they don't have a resource like you on hand, what are some of the two or three most common, and how can you help? Okay. All right. Well, yeah, glad you brought that up. So there are, I mean, there's multiple digital backdoors, but there's two to three big hitters. We touched on earlier multi-factor authentication.
That's obviously the top that I will always recommend, and it is fairly easy to enforce. It's fairly easy to use now as well. You can set up what they call safe zones. So you don't have to use multi-factor authentication when you're in a known place like your office or a business hub that you regularly go to and their Wi-Fi, those sorts of things. You can set them as safe zones. Now there's certain rules around that, but in most cases you can do that. So that's not as hard as what people think. Yes. Second is, now I'm going to use some terms here and try and explain them, so patching and unmanaged entry points. Okay. So things like your old internet router that you might have sitting there, an old, I'm going to use a brand, DrayTek, that is something that I see quite a bit, an old modem that's, you know, 10, 15 years old, sitting at the front of the business and not really protecting anything. Okay. It's not updated because it's been out of warranty for 10 years. But we bought it 10 years ago for like $300 with our phone contract. And it still works. Why break it or why replace it? It still works. Yes. But the challenge is that most hacking attempts, if they're not done via email, are done via a bot that looks for vulnerabilities. Okay. So things, old infrastructure. Yes. So old computers. Now Windows 10 just got made defunct in October last year. That just came out. Every three or four years Microsoft will change their product. Part of it is security. Part of it's obviously from a marketing point of view but we won't go into that. And it's also got to do with the changing hardware. Yes. So the AI requires different hardware so it requires more robust operating systems. Yes. So patching those and making sure that you're running things like things, turning on automatic updates. So that's the second one, part of patching. Making sure that Windows has automatic updates turned on, no exception. And no exception, you're not constantly pushing them out for weeks.
Doesn't that like affect your bandwidth or your storage on your computer? No. Traditionally not. Traditionally not. Sometimes it can if it hasn't been set up correctly. Sometimes it can if it's a really old computer I suppose. Yes. But in that case computers should last you five years from a technology point of view and updates generally come out for five years from when they first got released. Yes. Okay. After that, that's when you need to start looking at replacing it. What about your phones? I mean we do a lot of business on our phones these days. Phones are the same. So I'm sure you've got some vulnerabilities and I've constantly got to update your phone now. I just get sick of it. It's almost like I don't see it anymore. Yes. So automatic updates on your phones. Yes. The applications that you use within those phones, whether you use Outlook or whether you use Google Workspace or any of those sorts of applications, making sure that those apps are up to date and at the latest version. Right. So at the very minimum we should be updating those apps that we're using for business on our phones. Yes. Okay. And the third not isn't quite a backdoor but it's something that needs to be looked at is backups. Yes. You'd be surprised how many small businesses do not backup their data. Okay. If they do, it happens once or twice a year and then they never test those backups. Yes. What happens if a hacker, we use that term rather than threat actor, a hacker gets access to your environment and encrypts it? That was traditionally until the last 18 months or so that was the most common type of hack. What does encrypting mean? Copies it? No. Makes it so you can't access the data. Essentially jumbles it up, makes the look like H-E-T or something like that. That's a very simple explanation obviously. Yes. Rather than being 1-2-3, it's 2-3-1 or something like that. 
So when that happens, because this has happened to someone I know like on his phone, his folders, the names of the folders change within his phone. Does that mean that someone's encrypted his data? Potentially. Yes. Potentially if he's clicked on a link that he shouldn't. Exactly. SMSes come in all the time from Australia Post. Yes. They want you to click a link to... Track your package. To track your package. Yes. What that will do is they'll install some sort of app on your phone and then they've got access to your phone records and your emails and all those sorts of things. Scary stuff. All scary stuff. They may not use your personal information against you, but they'll be interested in who you buy from, how you communicate with other family members. They might be a director of a cyber security business or something like that. Yes. Just use myself as an example there. You don't know what they're going to use it for. Right. So I'll give everybody your phone number and email address on this episode and hopefully the bots will go, right, we don't want to talk to them because they've contacted this director of a cyber security business. Okay. That's, again, it's mind blowing. I never saw it as a big threat. I'm like that. I'm too small. For those of you who are just joining us, we're talking to Daniel Buckton from SurePath Cyber about cyber security today. I think, Daniel, as a marketing strategist I often tell my clients that trust is a valuable currency in their business and once you've helped a business lock down their systems, what are some of the proof points or security standards that they can share with their customers? I guess from a marketing point of view, I might be asking this question for myself. 
What are some of those security standards that they can share without giving hackers a roadmap into their digital security system because if I'm proud that I've got this sort of certification and we installed this over here and I want to make that known to potential clients of my business, I'm thinking it would probably be a bad idea to put that on the internet and then have potential hackers go, okay, right, we now know all the security systems they're running so let's get around it that way. Yeah, okay. Well, cyber security standards don't ask you to put your actual settings and your infrastructure information within what you present on your website. Right. So SMB 1001, it's five levels, simple, bronze, silver, gold, platinum, diamond. Yeah, but would you advertise that or market that if you're a small business? Like I've got SMB 1001. I'm bronze certified. Here's my little digital certificate. Would you recommend advertising that or putting that on there? Oh, yes, of course. Because they go, right, well we can now, we'll just use silver level hacking to get to you. Well, again, they're not targeting you personally as we discussed at the start. It's bots. Yeah. So as soon as the bot goes, okay, they've got multi-factor authentication. Okay, they've got the latest patches installed. You know, they've obviously got some sort of IT provider talking to them. Yeah. Too hard, move on. Too hard, move on. But they don't worry about anything else. Yeah. There are other levels you can go to. Small business in most cases I wouldn't suggest to go any further than silver. Yeah. If you're someone that deals with personal information, gold is definitely the standard that I would achieve. Yes. Myself, on day one of starting SurePath Cyber, I made sure I was SMB 1001 gold and had that standard documented. Yes. That's the other thing too.
All you have to display on your website is, which is a great thing to do, especially if you're trying to deal with these large organisations that you want to get business from that can make a big difference to your small business, is you advertise it and then if you need to have a reference point, what we provide is a document with the evidence on how you have met that and then you can quickly and easily provide that to the people that you are trying to win a tender with or your insurance company because insurance companies more and more now even for, as I mentioned earlier, liability insurance. Yes. I'll be jumping on that one. They all look at cybersecurity questions within that and they're more and more asking for not just a yes answer. Yeah. They're asking for evidence. Evidence of these things. Yeah. I think like in their contracting space, are they asking for evidence as well as part of the tender process? Yes. Yes they are. Not just the certification. A certification like SMB 1001 that asks for that evidence. So a lot might not ask you to show that evidence because they know as part of the process as you're going through that certification that you meet that and you've got that document ready on hand. Ready to go. Yeah. But some will. Yeah. Chris, without naming names, can you or do you have a story of a local business that was perhaps struggling to land a certain level of contract and how getting their digital house in order again in inverted commas maybe changed the conversation with those bigger clients? Yeah. So I'm going to be careful here because I don't want to name names. I'm not even going to give an exact client story here because in this land we all know each other. So I'm going to sort of look at a specific scenario. So this is a scenario that I see quite often. A local supplier is great at delivery. They're great at what they do. So a local manufacturer, they're great or fabricator or builder, they're great at the product that they provide. 
Great at doing their job. They don't have anybody within their business though because let's be honest, they're too small to look after governance and risk. Those large organisations are looking at – they're big on governance and risk. That's all they talk about. Bullies the hell out of most of us. But small business I guess need to have that level of maturity that they know where they are and know what risks that they have within the organisation. They can then give that information back to a tender in a response saying we have backups. We know that we backup daily. We know that we test the backups every few months. We know that multifactor authentication has been placed and enforced across all accounts, not just email but our finance applications and our CRM and all of those sorts of things. If you would like that information we have it available. In most cases again you don't need to actually give that in a tender. You just need to tell them the certification that you meet that as part of the negotiation they may ask to see the evidence or do an audit themselves in some cases if you don't have a certification. Yeah. But just even knowing – you mentioned that maturity word again. Just even knowing that you've got those things, do you think that that's sort of something that can help those conversations? Like you know that you're backed up. You know that you've got your multifactor – you've done some cyber security training. You know that you've done that sort of stuff. Is that – that would be enough and if you put that within your tender – I know tenders are quite time consuming. They're draining. They are. That could be good enough unless they ask you for evidence and then you would have to provide that evidence. The evidence. Right. 
And if you've gone through a provider like SurePath for instance, we will have supplied you with that document that you can then either take the parts out of that you need to to show to the potential customer or just hand over a copy of the document if you're comfortable with that. Yeah. It's there ready to go and you do that on an annual basis. Yeah. It's not just a certificate. Yeah. You've actually got the documentation behind it to say yes we've met this. We've met it. Daniel I guess we're coming to the end of our chat today. It's been really cool learning about what you actually do. So if our listeners do one thing when they get back to their desks or back in their vans today, if they only have one thing that they should do to check their digital security, what would that one thing be? I've said it quite a few times during our conversation. Multi-factor authentication. Yeah. You're a fan. Make sure it's turned on everywhere. Yeah I'm a fan. I'm going to call you Daniel Multi-Factor Authentication. I'm not a fan. I'm a religious convert. It is something that it needs to be done as stock standard. Yeah. That those first level bots, the first thing they look for is whether they get a token prompt and if they do and the person isn't silly enough to click yes it's me, they move on to the next person. They're not going to hang around. This is too hard. We can get the next person next door. I like that. The multi-factor authentication, let's go and get it done people in business land. I think that's probably one of those big things. I think for companies or businesses who just sort of want to hit that minimum standard, Daniel, how can people contact you? Just jump on our website or jump on my website at surepathfibre.com or .com.au basically. Either will work. Or give me a phone call and we can go through it. So what I'll start with is a 30 minute discovery, 20 to 30 minute discovery call. 
Ask a few quick questions about your risk appetite, another term that we like to use in the industry. Your appetite for risk. I mean if you love risk, great. No worries. But if you've got certain levels that you're comfortable with or not comfortable with, we can work through those in that 30 minute call and then I'll provide a recommended path forward. So you have a look at people's, I mean can you tell, knowing what you know as a cyber security expert, how defenceless people are or how robust they might be just by... Usually when you ask the question do you have multi-factor turned on or do you test your backups, the answer is either no or I have no idea what you're talking about. Exactly. Even the backup thing, I don't get prompted to do it if I did, other than my phone maybe. But if I did, it's like where am I backing this up to? Like where does this live and do I need a password to get me into where it's going to back it up to and will I ever find it again? Correct. Correct. Right. Daniel, thank you so much for joining us today on the Business Huddle. I have learnt a lot like I do most times and for anybody who wants to reach out to Daniel and check their cyber maturity I think we're going to roll with, you can reach out to Daniel at shorepathcyber.com. Thanks very much for today Daniel and yeah, we'll see you at the next Business Chamber event. Thank you very much for having me. Okay. Thank you.