If big businesses think the storied information-security skills gap is hitting them hard, they should spare a thought for David Rudduck’s clientele.

As managing director of Gold Coast-based Insane Technologies, Rudduck has long provided technology consulting and security capabilities that the region’s largely small business community simply can’t afford or manage.

With more than 20 years of technology and security consulting under his belt, he has had time to build those capabilities internally.

“We’ve always been very careful about security,” he says. “It’s just the way we are wired.”

Long-term investment in security capabilities has particularly paid off over the past seven years, with increasing levels of cyber security attacks raising awareness – and exposure.

Recognising the looming demand for security capabilities, Rudduck has been investing heavily in his own staff.

The firm laid down a concerted program of training and certification, which has proven immensely popular with its employees and boosted staff retention as well as customer satisfaction.

“This path for new hires takes them through a series of information security courses and certifications that I wanted them to achieve,” Rudduck says. “And it has been working.”

Helping small businesses with big problems

The investment in staff certifications has meant helping a broad range of Gold Coast-based small businesses – particularly in industries flooded with sensitive information such as healthcare, legal services, financial services, and the like.

Increasing legal and governance requirements are pushing those firms to better consider the exposure of their information, and Insane Technologies’ investments in focused security capabilities have been just the answer.

“It was never our intention to focus in this space, but when you’re looking at who is likely to use your services, it’s clear that they see value in it,” Rudduck says.

“Because we were so particular about the fact that these companies had certain records they didn’t want leaked – and that we took certain steps to prevent that – our approach resonated with these types of clients.”

That approach included not only developing internal skills that positioned Insane Technologies as a centre of cyber security excellence, but also regularly engaging with small businesses that often only realised their security exposure after what Rudduck calls “‘oh shit’ moments”.

“These companies have certain records that they don’t want leaked,” he explains, “and you can see it on their faces when all of a sudden they realise that this whole cyber thing is actually quite scary – and that they are just as likely to be a target as anyone else.”

Directing the cyber insurance industry

Cyber security remains a nascent area within Australia’s insurance sector, but growing awareness of cyber risk has created opportunities for security consultancies with the proven skills to deal with cyber incidents head on.

For the team at Insane Technologies, this opportunity has rapidly turned into a significant new business after a small insurance-industry project led to an introduction which eventually saw Insane’s skilled security team tapped to provide on-call incident-response services on behalf of a cyber insurance provider.

Providing a rapid and effective security response is something most small businesses absolutely struggle to do, Rudduck says, but those businesses can significantly improve their chances with the financial backing of progressive insurance companies backed by the forensic security skills of a firm like Insane Technologies.

The partnership has created new opportunities for underwriters that have struggled to engage proactively with small businesses that sit off the radar of the conventional enterprise consulting giants.

“Insurance underwriters are used to dealing with the Big 4 for their incident response capabilities,” Rudduck explains, “but the only thing more expensive than lawyers is digital forensics.”

“Underwriters were concerned that the Big 4 are very expensive, and the SMB market struggles to justify the expense – so after we did a small job for an underwriter, we ended up becoming one of three global response centres that provide follow-the-sun response.”

A measured response

Although that sort of contract is a significant win for a security provider, it also requires a higher level of commitment.

Amongst the terms of the partnership, for example, is a requirement that Insane Technologies be ready to respond and triage new incidents within 15 minutes of their being reported.

Particularly in the context of Australia’s new notifiable data breaches (NDB) legislation, Rudduck says, rapid triage has become especially important.

“I see a lot of IT providers calling themselves cyber experts and just panicking when an incident is reported,” he explains.

“They cause panic, particularly with SMBs, by saying ‘you had a breach and you need to report it’. But I don’t think that’s the way to approach it.”

While companies “definitely” need to notify customers if there has been a security breach, Rudduck says, careful analysis and remediation of security incidents is an essential first step.

Despite years of repeated warnings, that analysis phase all too often turns up the same old “really basic things” – “low-hanging fruit” such as remote access servers sitting open to the public Internet, users setting simple passwords, or “really poor” credential reuse that exposes multiple systems when the same credentials are used across business and personal services.

Users habituated to sloppy password habits continue to create challenges for security providers and companies alike, but over time Rudduck has learned that giving users regular ear-bashings about password habits can be counter-productive.

“Whenever we do a cyber security awareness talk, we make a joke about people who have ‘holiday1’ as their password,” he explains. “There are always smirks in the audience. But if you force them to change their passwords regularly, that password just becomes ‘holiday2’.”

As an alternative, Rudduck’s team recommends teaching users a different approach to passwords: a minimum of 12 characters, with passphrases used to help users remember them.

“If it’s long, you have a better chance of remembering it,” he explains. “And it’s complex.”
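One way to put the password guidance above into practice, as an added example that is not code from the article or from Insane Technologies: a small policy check that enforces the 12-character minimum and flags the ‘holiday1’ to ‘holiday2’ rotation pattern by comparing the new password with the previous one after stripping its trailing digits and symbols. The common-word list is a constructed placeholder, not a real dictionary.

```python
import re
from typing import List, Optional

MIN_LENGTH = 12  # minimum length recommended in the article

# Constructed placeholder list of weak base words; a real deployment
# would use a proper breached-password or dictionary check instead.
COMMON_STEMS = {"holiday", "password", "welcome", "summer", "qwerty"}


def _stem(pw: str) -> str:
    """Lower-case the password and strip trailing digits and symbols,
    so 'holiday1' and 'Holiday2024!' both reduce to 'holiday'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_incremental_change(old: str, new: str) -> bool:
    """True when the new password is the old one with only a bumped
    suffix (the 'holiday1' -> 'holiday2' habit the article describes)."""
    if old == new:
        return True
    stem = _stem(old)
    return stem != "" and stem == _stem(new)


def evaluate_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return policy findings for a proposed password; an empty list
    means the password is acceptable under this (example) policy."""
    findings = []
    if len(new) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if previous is not None and is_incremental_change(previous, new):
        findings.append("only the suffix changed from the previous password")
    stem = _stem(new)
    if stem in COMMON_STEMS:
        findings.append(f"based on a common word ('{stem}')")
    return findings


if __name__ == "__main__":
    # 'holiday2' replacing 'holiday1' trips all three checks,
    # while a four-word passphrase passes cleanly.
    print(evaluate_password("holiday2", previous="holiday1"))
    print(evaluate_password("correct horse battery staple"))
```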

Ongoing cyber health

Regular exposure to small businesses’ routine cyber security issues has helped Rudduck and his team build a reputation serving niche Gold Coast markets such as film production.

One interesting engagement, for example, saw the firm charged with securing the digital workflow of the nine-month production of the film The Chronicles of Narnia: Voyage of The Dawn Treader.

Regardless of the product or service they provide, Rudduck says, small businesses share many common cyber security requirements and there are many opportunities for those that can provide them quickly and cost-effectively.

“Cyber is just the marketing name for information security and governance,” Rudduck says. “But it’s something that had to happen, because as incidents occur there is real damage happening.”

Growing engagement with cyber insurance providers has reinforced the importance of regular network security health checks, which Insane Technologies conducts for its customers as part of a holistic approach to cyber security defences and effective response.

“You can put in all the technical controls you want, but at the end of the day you’re dealing with people,” Rudduck says. “And if the controls slow them down, they will find a way around them. You have to look at it from the user’s perspective first, then find controls that will work for the business.”

David Rudduck is an ACS Certified Professional (Cyber Security).

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.