
Definitely, Maybe Agile
Cybersecurity Insights with Peter Buckley
Former HSBC Canada CISO Peter Buckley shares practical cybersecurity advice for small and medium enterprises. Despite having fewer resources, SMEs face the same cyber threats as large corporations, such as ransomware and data breaches.
Peter breaks down how organizations can manage 80% of their cyber risk through smart planning and leveraging existing tools, without requiring massive budgets or dedicated security teams. We explore how cybersecurity extends beyond technology into HR practices, organizational culture, and the power of community collaboration.
Three Key Takeaways:
- Have a Plan: Create and regularly test an incident response plan that outlines what to do when things go wrong, who to call, and how to communicate with stakeholders.
- Make It Collaborative: Use tabletop exercises and casual team conversations about "what if" scenarios to build risk awareness while fostering team building.
- Build Community: Connect with industry peers to create a network of contacts you can call during a crisis and share resources with non-competing organizations.
Peter M: 0:04 Welcome to Definitely Maybe Agile, the podcast where Peter Madison and David Sharrock discuss the complexities of adopting new ways of working at scale. Hello everyone, it's wonderful to be here again, and we've got a special guest today. I'm Peter and this is Peter, so that should be a little bit confusing, as has already been pointed out by some. Peter, why don't you go ahead and introduce yourself?
Peter B: 0:26 Hi everybody, and Peter, thanks for the introduction. My name is Peter Buckley and I am the former CISO at HSBC Canada, the Hong Kong Shanghai Banking Corporation of Canada, where I worked for 17 years. I have 25 years of experience in the IT sector and I've predominantly spent most of my time working on resilience risk, technology risk, cybersecurity, information security and all of the things around that.
Dave: 0:55 I'm really excited today to talk a little bit about enterprise risk, cyber risk, operational risk, wherever we go. I'm looking forward to this and, Peter, this is so confusing but I've had the pleasure of working with both Peters in a number of different capacities. I'm looking forward to being more of an observer, because I know both of you have a lot of passion and energy to bring to this topic as we go forward. Maybe I'll just kick things off with a bit of a leading question from our preparation conversation around small medium enterprise and what cybersecurity might look like through the lens of being a small medium organization.
Peter B: 1:14 Small and medium organizations are just as attacked as anybody else and they have the same sort of risk - ransomware, nation state actors stealing intellectual property, accidental, non-malicious activities that basically have a data leakage as a result or some sort of breach as a result. Things like accidental transferring of information or data or things along those lines. And you have limited capacity in terms of either budget or people, so it's a struggle to make sure that you're doing the basics right.
Peter B: 2:13 But if you do the basics right, you can manage the risk appropriately, and there are some good recommendations for making sure that you've got proper hygiene, making sure that you have a patching strategy, making sure that you have somebody that's responsible - even if it's part of their day job - responsible for the cyber program itself. And having some sort of awareness of all of the staff so that they know what the controls are and what needs to be done.
Peter M: 2:38 Do you have your top three things that these small and medium organizations should be looking at?
Peter B: 2:44 I think basically the number one - and this is not just my thing, but also from the Canadian Centre for Cybersecurity - is have an incident response plan. So that is the number one thing in terms of making sure that you know what it is that you're going to do if the alarm is pulled. You know where you're going, you know what vendors you're going to speak to, you know who you're going to call to basically help you get out of the sticky situation, and you've done some preparation to think about what is most important to your organization from either an intellectual property perspective or a data perspective, and included in all of that is some sort of communication strategy. So a communication strategy to your fellow staff and colleagues, but also to your customers, your shareholders and any other key stakeholders that may need to be involved, regulators or others that might be involved. So that's number one for sure - having an incident response plan.
Peter B: 3:40 The second, basically, is to have key controls in place. So the key controls are proper access, having a firewall to basically keep out malicious traffic, and 90% of the activity that's going to be coming at you is going to just be random stuff. You're basically managing the access, managing the controls that you may already have in place and take advantage of them. If you're using a tool like Microsoft 365 or Google Docs, use the controls that are in there as well. So turn on whatever controls that you can automatically use and manage for free or as part of the service subscriptions that you are already paying for, and you don't need to necessarily go out and find a new tool or find a magic bullet. You just need to use the locks on your door and things along those lines. So I would suggest that those would be the three key things - have a plan, put in your controls and use the existing capabilities of the tools that you are currently using.
Peter M: 4:43 That makes an awful lot of sense. And for your first one there, I think one of the key pieces around that too is ensuring that you don't just come up with an incident response plan and write it down on a piece of paper and then file it away in a cabinet over in the corner, but you also remember to take it out, dust it off and test that it works and that everybody knows what's in it.
Peter B: 5:09 Absolutely, Peter. And the other component of that is make sure that you have multiple copies of it. Don't only have it on the device that could be compromised, or in the facility that may have an operational issue and you can't get access to it. So make sure there are multiple copies and make sure that everybody knows what it is that they're responsible for.
Peter M: 5:20 I remember from very early in my career where there were two different branches of the same part of the organization and we had a resiliency plan, a disaster recovery test. We ran this on an annual basis and we validated we could fail over systems and the folks in the other division down below - their plan basically consisted of run back into the building, pull the hard drives out of the machine and run back out again.
Peter B: 5:46 That's not as far fetched as it sounds, Peter. I've had some conversations with some people that have been in some really significant breaches where they needed to go all the way back down to the iron. So basically, they needed to rebuild all of their equipment right from brand new servers, because they just could not - they had no confidence that they would be able to eradicate the threat, and so what they did is they basically found that was all fantastic. They had backups. They had not been corrupted, they had been properly removed.
Peter B: 6:33 What they found was that, while they were putting a fire hose worth of data onto these backup and recovery systems, they only had a small garden hose worth of ability to get the information back onto new systems, and so they spent a fair amount of time modifying the disaster and recovery or backup and recovery systems in order to be able to repopulate the entire large global environment in a timely manner.
Peter B: 6:45 So it didn't take a decade to do, but basically they could be able to do it in a few weeks, because they had not ever tested what it would be like to go back and recover to brand new equipment as opposed to just taking an instance of it. So you discover a lot when you go through an incident response and you do a proper test or when you actually have a breach. Never leave a good breach unused, either your own or someone else's. Take whatever lessons you can and that would be another key recommendation. Join some sort of community group and share experiences about what people are doing, and that gives a real opportunity to leverage the team that you may not have by using other people's experience.
Dave: 7:36 I just wanted to add in - the experience that we've certainly seen is small medium businesses always have way more work to do than time and capacity and resources to get that work done.
Dave: 7:49 So it's a case of how can they do the minimum amount of effort, not because it's not important, but because they've got many, many urgent things that draw their attention. Do you have some sort of guidance or experience around what you think a reasonable amount of contribution, time or investment is required? Almost certainly nowadays I can go get an incident response plan off of the internet in some form or other with lots of bells and whistles on it saying that it's this perfect incident response plan. Is that a viable option?
Peter B: 8:19 It's not a bad starting spot. I think it's always harder to create something from scratch than it is to basically modify something that you already have. So having a template or some sort of tool guideline that you can use is always a really good starting point. In terms of the timing, Dave, it's kind of hard to basically give a reasonable expectation of that. What I will say is generally the rule of thumb is your cybersecurity spend will be a percentage - 5%, 3%, depending upon the size of the organization - of your total technology spend. So you should be spending some amount of money orienting towards the security of that environment as opposed to simply the growth and maintenance of that environment. So there is something to be said from that perspective and there are some metrics that might be appropriate for individual industries that would be more reasonable than others.
Peter B: 9:13 The other thing I would say is there's this whole 80-20 rule that everybody uses for all sorts of processes, but the same holds true in cybersecurity. So if you take care of 80% of the risk - that is the easiest part to do in terms of making sure that you update your laptops and your equipment, your phones on a regular basis, your servers on a regular basis, monitoring what the cloud provider is telling you in terms of what the security provisions are.
Peter B: 9:44 If you get a security alert, taking that seriously and addressing it in a timely manner, making sure you know who's getting access to systems and who isn't. Those kinds of things. Having a process for the data so it's not just on one device, but on multiple devices in case something goes wrong and you have to isolate it. So if you do those basic things, you're taking care of 80% of the risk and that last 20% - that's when it starts to get tougher. That's when you need to have more dedicated resource, or maybe even a dedicated budget and resource and responsibility to just continue to drive that further, to continue to reduce the risk.
Peter B: 10:22 But you make a decision as to what is your risk appetite. So what are you prepared to accept? Are you going to spend $100 to build a fence for a horse that's only valued at $10? Or are you going to basically say you know what, we're not going to build that fence because the horse is only worth $10. And if it breaks free, then I'm only out $10. And that basically - you make that risk-based decision. It's a silly analogy, but you make a risk-based decision that will help guide you in terms of how much time and energy you need to spend. And that thinking part is probably the hardest part, the longest part, the part that you need to get the crew around the table to basically really work that out. What does a bad day look like and what are we prepared to do about it?
Peter M: 11:06 Well, and there are many models and frameworks out there to help you figure out how do I identify risk, how do I categorize risk, how do I assess it and then how do I mitigate. So I've got different frameworks and there are many different ways of doing that, which then can help you think through that process of what am I going to do. But to your early point, when we're discussing it, there's the running the actual tabletop exercise, doing the working through the plans, thinking about what happens if I've written this document or taken this template and I've modified it to my needs. I need to go through and make sure that this actually functions. If I follow this, does it work?
Peter B: 11:45 And let people challenge it. Let people ask the question well, why is that service more important than the other? Are we all in agreement that that is the most critical service for what it is that we're doing for our business? And developers will have a different view of the world than executives, who have a different view of the world than salespeople. And so having a diverse group of people around the table gives a better outcome and a better sense of what is truly important. Now just one other note, Peter, on the frameworks. So there are lots of good frameworks and you know, choose one that's suitable for your own organization. But, as a baseline, the Canadian Centre for Cybersecurity also has a really good number of good resources for small and medium-sized business that are a good starting point to at least start to take a look. And, of course, when you run into questions and concerns, that's when you should reach out to folks to basically get a better sense of something that's more specific to your own organization.
Dave: 12:47 I think one of the things that I find I'm always reminded of when I get into conversations around cybersecurity is how pervasive these things are. So, as you're describing controls and you're describing who has access to what systems, what data, and so on, what I'm hearing as you're going through that is how quickly a conversation around cybersecurity becomes a conversation around how we work and administer people's work environments, access to different bits and pieces within the systems that we operate in, how we onboard people. What's the difference between onboarding employees versus subcontractors and all these things which are often considered to be either administrative or logistically oriented or HR oriented, and even delivery oriented, but they're all tied to that incident response plan and how things are connected. So cyber security is a lot broader than that conversation of are we protected from some nefarious actor coming in from the outside and stealing something or other? There's a lot more connectivity.
Peter B: 13:55 It's a really good point, Dave, because I mean we talk about cyber security and cyber crime. Cyber crime is essentially anything that is using a computer to commit what would be a traditional crime, like a fraud or a confidence scheme, an impersonation, anything along those lines, and that's not truly cybersecurity. But you can see how adjacent it is to - if you're using and securing systems as your cybersecurity and then you basically are moving into cyber enabled crime and you're dealing with business email compromise, where somebody is impersonating a senior executive to try and get the finance people to move money out of the organization or to send it to a particular account. Or we're seeing a lot more artificial intelligence being used to impersonate key figures of state or other individuals, and that's increasingly a concern that somebody would come up and purport to be a senior executive and tell everybody that they have the day off so that they can then take the day and, with few controls in place and few people watching them, potentially perpetuate an attack against the organization. But also the HR systems are where bad guys and girls will learn about how an organization is oriented, what are the controls that they're using, what is the hierarchy, who reports to whom?
Peter B: 15:19 And that interview process is increasingly fraught with peril as well, with the use of artificial intelligence - incompetent candidates that are basically being coached by technology, people whose only aim is to get that individual placed within an organization in order for them to be able to have access to the intellectual property or any of the other valuable things around what that company is doing.
Peter B: 15:43 So that's yet another orientation of the kind of security thought process and awareness that organizations need to be mindful of. And I would sum it up, Dave, by saying it really is a risk awareness. When you start thinking about cybersecurity, you're also thinking about fire risk in your facility. You're also thinking about what would happen if there was another pandemic. You're thinking about is there a possibility for a forest fire knocking out transit systems that I'm dependent on for getting my product across the country, or anything else? And you start to think about it and you educate the whole organization towards thinking about risks differently and maybe even more top of mind than they would otherwise.
Peter M: 16:30 And this ties in very nicely to what we very often end up talking about here, which is topics like systems thinking, alignment, behaviors, culture, the processes and practices that make up the organization, which are very much impacted by a lot of the pieces that you're describing. Creating the culture where these types of issues are raised, where people understand that risk has to be first and foremost one of the things that people are thinking about as they're building and designing and modifying the systems that they're working within and the data that they have access to, to ensure that they don't end up accidentally exposing something that may not seem that critical to them but may actually end up causing some kind of damage to the organization as a consequence.
Peter B: 17:17 And Peter, that's often where the first signs that something is going wrong will manifest themselves. You get a help desk call or you get a trouble ticket that's raised that basically says this thing that was working perfectly yesterday is not working perfectly today, and that may be the first inclination that something is running in the background or somebody is manipulating something or things along those lines. And so not only is it just the awareness and the thinking and the bubbling up of the things that you are doing as part of your day-to-day job, but also being aware that these things that you're working on could also be manifesting as actually either a systems outage, which is a different operational risk, or a cyber attack of some kind or anything in between, because there's lots and lots of other things that could be causing concern within an organization.
Peter M: 18:10 So as a fourth item on our list here, then - the risk awareness of the organization.
Peter B: 18:18 Yes absolutely, and the risk awareness of an organization. I think it can also be a playful thing. It sounds a little counterintuitive, but the idea that you are taking your individual team - depending upon the size of the organizations, of course - but you're taking your individual team out for lunch or coffee and you just throw out a scenario. What would happen if there were no more trucks that were able to get to our facility? Or what would happen if artificial intelligence completely disrupted the HR department? Some people might cheer, but also, I think some people would potentially start to think through what some of those consequences are. And you're not necessarily driving towards having everyone man the walls of your castle each time.
Peter B: 19:00 You're just getting people thinking about what could happen that is outside of the day-to-day that they're normally responsible for - driving to work, working, picking up the kids, having dinner, going to bed.
Peter B: 19:13 Now you're asking them to think about what would happen if there was an interruption between the Chinese and the Taiwanese and chips were no longer available. How fast does the technology start to slow down and things along those lines? They may not have any answers, but if you get somebody that's willing to go and do some research and say, hey, wait a second, we're really really dependent on some of this technology, and we should be thinking about stockpiling something, now you have just changed the whole stance and operational thought of the organization because you've now started to think about risk in a different way. And that just started with a coffee conversation. So there are lots of different ways to do it and, of course, a formal workshop with basically going through and talking about the risks is also really quite important and has its place for making sure that everybody's on the same page, that you're prepared for whatever might come down the road.
Peter M: 20:11 It's also a business enabler potentially, too, as you go to your customers, and it's a way of intrinsically building trust because you can say okay, these are our risk practices. This is how we ensure that we're providing you with a safe and secure service that you can trust us.
Peter B: 20:26 I worked for an organization that basically had a quite resilient program and some of our competitors had an outage, and one of the things as we were convening - because they had an outage we wanted to make sure that we were appropriately secured and that we understood the consequences. And one of the things that was kicked around at the table - it was too late at that time, but if we had thought about it earlier - was could we do something to support our competitors so that their really bad day is not as bad and we would be contributing to the community by enabling services to some of our competitors, and not in a monopoly sort of perspective, but helping out people who really were struggling to be able to get the essential services that they were responsible for?
Peter B: 21:16 So if you think about some of those things in advance, you could potentially think about a business enabler that says you know what, we could offer this extra service we could provide in the event of an emergency. We could be selling umbrellas in very short order, or hand sanitizer, or whatever it might be.
Dave: 21:36 I'm just thinking of a cyber security advisory roundtable that we were involved with recently, and you're just mentioning, Peter, this sort of how can we help one another? The community feel that came out of that conversation, where literally in the coffee breaks they began coming together to say, hey, if something happens to your business, we're in the same business, a different part of the island, as it happened to be on Vancouver Island, but you're looking at just those connections being built so that all of a sudden there are people who can get on the phone and say, you know, this is happening, is it happening to you? No, great, is there any way you can help out?
Dave: 22:14 And that really became very obvious, very clear, very quickly - just that act of having a couple of those phone numbers in your contact list that you can reach out to when the bad day is beginning to go in the wrong direction.
Peter B: 22:29 There was recently an all-day event where they basically were practicing a system and cyber outage in BC and they were using a regional telecommunications organization that was having problems. And it struck me from that scenario that if you were dependent on one of the regional telecommunications organizations and you're starting to see a degradation in your services that looks mysterious or very suspicious and you're able to reach out to one of your peers and say, hey, are you facing the same thing? And they're saying, yes, we are facing the same thing, you can start to look for a common cause, because it may not just be - it's unlikely that all of your competitors and yourself are all being attacked at the same time simultaneously. It's more likely that it's something that is a common service that's being used, and then it might help with troubleshooting, where you need to be focused on who you want to be contacting to try and get that service back and running. So there's definitely lots of - the community component is really important, having some of that as part of your contacts, but also having that in terms of best practices. If somebody's already done a really good training and they had a really fantastic scenario, you may be able to borrow that. Municipalities are a great example, because they're non-competitive.
Peter B: 23:46 They're geographically located. They don't move, they grow, but they don't ever compete against each other, and so there's a real opportunity for community sharing and community mutual assistance, mutual aid.
Peter M: 24:02 I think at this point in our conversation - it's been a great conversation, Peter. I really enjoyed what we've been talking through today. We look to try and sum things up in three points for our audience, and this could be a little tricky because we've gone all over the place, but hopefully you've thought of a few things. So, with three of us here, I'll give each of us one thing that we can talk about. And, Peter, would you like to go first? What would you like the audience to take away from this conversation?
Peter B: 24:25 I think what I would really like the audience to take away from the conversation is you should think about and plan for an adverse activity, an adverse day, a bad day. I'd really like the audience to basically take the time to think about a plan. What would they do? Start personally, what would you do in the event that you needed to evacuate your home and that might give you some thoughts in terms of what you might do for your place of work, your place of business? What might you do in the event that you have a cyber outage or there is some sort of operational disruption? You should have a plan.
Dave: 25:01 I'm going to say two things, because the first one was coming into this conversation, I thought it was going to get very confusing, as I said right at the outset, and actually I think it's gone pretty well. I've been able to follow the conversation as we've bounced backwards and forwards between the three of us. Here's the interesting key takeaway that I really took out, because there's a lot of - not doom and gloom, but there's a lot of homework and preparation and so on that comes through this.
Dave: 25:29 However, both of you have talked about tabletop exercises and that going out for lunch and just throwing ideas out, and that really stands out to me in the sense that they're a little bit more on the fun side. It's an element of team building in there as well as much as anything else, and also an intellectual exercise of just "what if" that is quite interesting. I'm really intrigued by that one because I think that's really pretty easy to do - something that people would want to be a part of or get something out of, because you kind of learn how everything works in a sense. So that tabletop exercise, the lunch conversation that was mentioned, really stood out to me as great activities that are ideal for smaller organizations because they're not resource heavy. That is something where we can just go and try things out and see how well prepared we are.
Peter M: 26:22 For my part, I think I would talk about the community piece of it. I like the concept that you look at your peers and your others in the marketplace and start to reach out and find out who else is there so you've got some names that you can call. And I loved your idea, Peter, around, especially for municipalities where obviously you've all got the geographical piece, you're not competing against each other and you're very much in a situation where knowing other CISOs in other similarly sized cities could be very valuable in the event that there is something. So well, thank you very much, Peter and Dave.
Peter M: 26:58 It's been wonderful having you here and, as always, I look forward to next time. We'll talk soon. Thanks again. You've been listening to Definitely Maybe Agile, the podcast where your hosts, Peter Madison and David Sharrock, focus on the art and science of digital agile and DevOps at scale.