Welcome to our Weekly Wrap, where we cut through the noise to bring you our favourite insights from the technology and startup world.
While we were in the throes of writing this week's wrap on Friday morning, Prime Minister Scott Morrison appeared on national TV to announce that a major cyber attack is under way, targeting all levels of government and a range of private sectors. Here is the ACSC advisory relating to the Australian attack. It has been out for a couple of weeks, and was updated with Morrison’s announcement.
This was somewhat timely for us, as we’d agreed in our content brainstorming session on Wednesday that we’d cover cybersecurity this week! 🔮 Here we go…
Ransomware and warfare
We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade-craft used.
Scott Morrison press conference, Friday 19 June 2020
As the world shifts online, so too does warfare. Although we (and others) suspect Scott Morrison’s announcement was a veiled warning to [country that shall not be named], rather than the disclosure of a serious data breach, we’re glad he has brought this topic to the forefront.
We’re constantly under attack, and have been for years - check out this real-time threat map from Kaspersky. In order to defend against these attacks efficiently, everyone needs to start taking cybersecurity more seriously.
State-sponsored hackers commonly target private sector companies (key infrastructure and supply chains, in particular). They’re more vulnerable and easier to infiltrate than military and government platforms - same crippling impact on the country, less hacking effort. Applying that rationale one step further, hackers target smaller suppliers to gain access to the ultimate target organisation. Very quickly, everyone becomes an attractive target.
Whether the attacker is state-sponsored or otherwise motivated by financial gain, the impact of cyberattacks can be catastrophic. But even though cybersecurity has been on the board agenda for many years now, we’re still seeing significant breaches occur. What’s more, it is evident many are ill-prepared to respond to these attacks.
Two recent local examples are Lion (Little Creatures, XXXX, Tooheys, James Squire) and Toll Group (warehousing and logistics). Both have been hit with double ransomware attacks and experienced sensitive data breaches. For Toll, this includes its employees’ personal and payroll details, commercial agreements, invoices for drug screening and reports to the board of directors.
Lion and Toll have both been forced to shut down essential systems as a result of the attacks. Lion has “limited visibility” of (i.e. no ability to keep track of) its products - disrupting beer manufacturing and supply. Meanwhile, Toll’s customers (including Telstra, Optus, Officeworks and Footlocker) experienced huge delays and lost visibility of their packages.
Toll still hasn’t recovered full functionality of its systems, as we personally experienced after shopping online with Officeworks this week - by magic, the package was delivered by Toll before it had been dispatched (according to email updates). With the end of financial year coming up, we really hope no one has to manually stocktake Toll’s distribution warehouses. Spoiler alert: they probably are.
Obviously there’s an immediate business impact to both companies. What remains to be seen is the long-term damage to their respective reputations.
What can we learn from these events?
You need an incident response plan, including a well thought-through plan of how to communicate the breach to customers. Your customers shouldn’t be finding out about a breach on Twitter, as was the case with Toll.
Know where your assets are. Know how your processes work. Then review and test your backup and disaster recovery strategy. No matter how much we advocate for digital transformation, a manual backup plan as a part of your business continuity plan may still be required.
Hold your software and hardware vendors accountable for taking security seriously and ensuring their products are secure by design.
Both Lion and Toll have been asked to pay significant ransoms. It’s worth noting that most security experts (and the FBI) recommend that you don’t pay ransoms, because paying doesn’t guarantee your data will be returned, that copies will be destroyed, or that the attackers won’t simply ask for more money.
This is by no means an exhaustive list, but it is a starting point. If any of the above sounds foreign to you as a leader in the context of your business, do some research and start asking questions.
You are the weakest link
Just as civilians are used as human shields in a physical war, individuals are being exploited and targeted every day as the weakest link in cyberattacks. And the attackers are becoming savvier in their social engineering tactics.
One of our favourite examples: attackers posed as recruiters on LinkedIn to steal information and money from European military and aerospace executives. They fooled these executives by enticing them with a “quite [a] believable job offer, seemingly from a well-known company in a relevant sector”. The attackers sent a OneDrive link to a PDF document of salary information which, when opened, silently deployed malware on the executive’s computer.
This TEDx Talk by Jaya Baloo (currently the Chief Information Security Officer at the anti-virus software company Avast) is a couple of years old now, but is still very relevant and entertaining - watch her hack an audience member’s phone and explain why and how we should take security more seriously.
So what can we, as individuals, do to protect ourselves and our businesses?
Always have your hacker senses ON to avoid phishing and baiting attempts - check email addresses, check spelling, check names, check the tone of voice. Don’t call phone numbers in an error message or alert email. Do your research before you install anything on your phone or computer. Don’t give out your password or account details. Think twice before clicking.
Use this tool to check if your email or password has been breached. You might be surprised. We promise this isn’t a phishing attack… or is it??
2-factor authentication apps are your best friend. An authenticator app is more secure than 2-factor SMS, as your phone number can be hijacked fairly easily with SIM swapping.
Keep your software and operating systems up to date.
Train your employees and contractors on cybersecurity risks and hacker tactics. People are your biggest vulnerability.
If only Scott Morrison hadn’t clicked on that pop-up! Only joking. Thanks for the laughs, Betoota Advocate.
Raising capital in a pandemic
On the flip side, with threat comes opportunity. There are some incredibly smart people building some incredibly smart tools to help defend against cybersecurity risks.
Australian startups and VCs have been active in this space for a while.
In the midst of covid lockdowns in April, Bugcrowd (a Startmate alumnus) raised a US$30M Series D. Late last year, Secure Code Warrior raised an AU$70M Series B from Goldman Sachs, Cisco, AirTree Ventures and others, and Cloud Conformity had a US$70M exit to Trend Micro.
Just this week:
Melbourne-based cybersecurity accelerator CyRise held its cohort 3 Demo Day. It's available online here - well worth the watch, with awesome production quality thanks to some ex-MasterChef TV production pros.
Square Peg crossed AU$1B in funds under management after raising a new AU$340M fund. Square Peg has been an early investor in cybersecurity, with seed and follow-on investments in UpGuard and Bugcrowd. Square Peg was also an investor in PureSec, which exited to Palo Alto Networks last year.
These examples also show that, amidst this covid snowstorm, there clearly is some dry powder out there. But what does it take to raise capital in a pandemic?
Point Nine Capital Managing Partner Christoph Janz (Berlin-based, but a big supporter of the ANZ startup scene with investments in Vend and Qwilr) provided some useful tips and tricks for capital raising during covid at SaaStr New Venture 2020 last month. A quick summary: unless you’re in one of the industries benefiting from the pandemic, now is not a good time to raise. If you must, then:
Understand how the pandemic has affected your metrics and have a clear plan to address any negative change, e.g. churn, conversion rates, lead generation, pipeline development, sales cycles, pricing, payment terms, user/customer behaviour, etc.
Have a long list of target investors and disqualify ruthlessly - if they aren’t super excited, you should assume it’s a ‘No’.
Of course, have a killer deck. We love the idea of sending a pitch using video.
Small steps towards positive change
Continuing our focus on making positive change in the world, First Round Review released a great post, with help from LifeLabs Learning, on the small steps we can take towards becoming more inclusive leaders - start with these four habits:
Invite and display authenticity
Build self-awareness and curiosity
Seek out and respond well to feedback
Lift up other perspectives consistently
This comment from LifeLabs co-CEO Tania Luna really resonated with us:
The bottom line is that you need to make a plan for how you’re going to show up as a more inclusive leader — otherwise you very likely won’t… if we don’t intentionally include, we will unintentionally exclude. And we simply cannot afford to keep doing that.
Have a read.
That’s a wrap! We hope you enjoyed it.
Watch Gavin live on AusBiz at 2pm on Mondays, when he opens the Startup Hour of Power.
The team at Ignition Lane
p.s. we love feedback - if you have any, please let us know.
p.p.s. please share with your friends and reach out if you want to continue the conversation of any themes in this week’s wrap.