#626 – Susie Jones On Building Your Cyber Fitness/
- March 3, 2020
Susie Jones – Director, Co-founder & CEO of Cynch Security
In 2018, Susie, alongside Adam Selwood, co-founded Cynch Security, a Melbourne-based company that partners with business owners, and continuously profiles their cyber risks, providing them with information on how to improve their Cyber Fitness.
Susie has worked in some of the largest organisations in Australia, heading up Cyber Security Business Services at AusPost, and has won the 2017 Risk Revolution Delegate Award from RiMS Australasia.
On today’s episode of The Daily Talk Show, we discuss:
– Cyber Fitness
– Using a VPN
– What to look for when auditing your cybersecurity
– Starting Cynch Security
– Incubators inside Australia Post
– Managing security with big technology players
– Multi-factor authentication
– What can go wrong when you don’t have your security dialled in
– Accelerator programs and taking investment
Susie on LinkedIn: https://www.linkedin.com/in/susiecynchsecurity/
Cynch Security: https://cynch.com.au/
Email us: email@example.com
Send us mail: PO BOX 400, Abbotsford VIC 3067
The Daily Talk Show is an Australian talk show and daily podcast by Tommy Jackett and Josh Janssen. Tommy and Josh chat about life, creativity, business, and relationships — big questions and banter. Regularly visited by guests and gronks! If you watch the show or listen to the podcast, you’re part of the Gronk Squad.
This podcast is produced by BIG MEDIA COMPANY. Find out more at https://bigmediacompany.com/
It's the daily Talk Show Episode 626. We've got Susie Jones in the studio. Welcome Susie. Kindly connected through God. Mm. Yes, ma'am. Amen. God, what did you said to
him? I was waiting to be corrected.
When we were chatting with God, something sort of got my attention, which was somebody she'd been working with, which was yourself in the cyber security space. Yeah. And if I've seen movies, I know cyber security, or a god, I read a book by Kevin Mitnick. I am social engineering. So I am sort of a, a low level non tech hacker, so I think just dangerous.
Dangerous, we actually are actually hacked once. There was a programme back in the day that you could send somebody a zip file, and then he get into I printed something on the computer. It was all for fun. But I mean, what
What you do with your business?
Seems security most are greater risk than me when I was 14. Yeah, two businesses. Tell us a little bit about what your business is. Yeah, so sim security, we're all about what we call cyber fitness for small business. So making security not just about protecting the tech in your business, but also creating it to be a way to differentiate yourself from your competitors and build resilience, build strength, and make sure that not only will you not get successfully attacked, but you can also then get a ticket to the bigger game with bigger clients and all the rest. It's like being fish and getting a cold and getting over it quicker. That's like yeah, you lazy competitor. Just get sick and it wipes them out pretty much yeah, so they don't come back. So it's Yeah, it's spot on. Do people come to you normally when things have gone wrong? Um, we certainly have a lot of people reach out to us following things that have gone wrong. We don't help with the incident response, but we will repair them to people that can help
That's quite a specialised skill set there. But we certainly get a lot of small businesses calling us saying this has just happened. Can you help? Can you put us on to somebody and we've helped them and then once everything has calmed down and they've dealt with that incident, then they can come back to us and we start working with them. From that point on. We noticed like, about six months ago, all of our bigger clients in their email subject line would start saying external email. What why are they doing that? It's another cue to remind you to say and to stop and think before you click on whatever it is, it's been sent to you.
If you just constantly going through emails, and we all have too many emails these days, if you're just constantly trying to get get that number down to zero, and you're just clicking on everything, forwarding everything, responding to everything. It's very easy to get tricked into clicking into something that you shouldn't like. So that kind of visual reminder, this is external, is it really something you need to click on? It can really help and so
email spoofing, so like the the idea of it looking like so with our business, big media company, we could get an email from what looks like an internal person. From a sophistication point of view, is that like do is it actually going to get more sophisticated? Do you think the mat or we sort of seeing the peak levels, I think it's going to constantly change and evolve, it certainly changes on a daily basis, you're always going to have low level attacks, that they're just copying what somebody else did. Unfortunately, cyber criminals are some of the best collaborators in the world. So once they find something that works, they will tell all their friends. So you're going to say the same things happening over and over as long as people keep clicking on the links, but they're also finding new ways to to trick people and scam and all the rest of it. It's it's going to continue to evolve regularly, unfortunately, when when I spoke to you on the phone last week, I thought I feel like it's one of those things those industry
is where people try and bring in some jokes about the field. You know, it's like fitness industry has this sort of jokes around that and so a cyber security I was you were doing a speech and I was saying, Matt, are you teaching them to take the password off the sticky note off the computer? You know, like that kind of banter, good. banter. Yeah.
Is there anything else? Can I add a few others to my repertoire? If I'm going to be Yes, and saw a show Simon bad. Look, it's fair to say I'm not very good at the cliches but I will say use a password manager just Just do it. Everybody says I don't like them and all the rest of it, but just do it. It's really not that hard. When my mom's got a notepad like a book. Yeah, she keeps all the things in there. Like I mean, this is it's not the worst idea.
There are some passwords where it makes sense for you to write them down and put them in a safe place.
I wouldn't have them written down next to your computer in a co working location. But I'm guessing your mom's home office is a bit more secure. And
so we work to free booze. Yeah, I mean, I would have Yeah.
Yes, you're going to share? I mean, does does the that landscape of CO working spaces change your industry? It does. It adds more about remote working and flexible working with this day and age being able to work from anywhere, whether it be cafes, or hotels or, you know, your lounge room or an office or anything like that. It's it's just different. There's different things you need to think about. You need to think about which network are you connecting to? And do you trust it? And if you don't fully trust it, then what are you going to do about that? You know, there there are plenty of people that will travel around the country around the globe and around Australia. They wouldn't dream of using free Wi Fi but the moment they weren't sitting in Hong Kong, they're like, Well, I'm not gonna pick
Thought, come on, of course, I'm going to use free Wi Fi. So there's some of these behaviours that, you know, in this day and age of CO working and flexible workspace, you just need to have a take a few extra moments to think about is what I'm doing actually making sense for my for me and my business and my risk. Well, is it? It's as right, it's like when you're in Paris, which is me, and I'm on the free Wi Fi at the airport. I'm only using it because it's easy, and it's free. And I needed that then, which is makes sense as the thing that compromises the vulnerability, isn't it? Yeah, that's why they're getting getting the VPNs I had this moment the other day where I was like logging into a VPN. I was like, like, How do I know how can I trust the VPN? Because I was like, Okay, if if we're putting through all this sensitive data through the VPN, shouldn't I know more about the business where it's based? What is it doing? What's What's your purpose?
perspective on using a VPN? And is it? Is there potential for compromise compromise with that sort of thing? Um, certainly, if you're going to be using free Wi Fi, I would definitely use a VPN. So a virtual private network that
stuff that I've since had my account straight.
I mean, I think if you're using a reputable brand, as long as you're not just downloading, from, you know, Google some free VPN that you found that you know, has all of these Russian, Cyrillic down the bottom of the website, then you know, you're probably going to be okay if you're using a reputable brand. But think about it. If you've got a choice between using a free one that you can just download from any website, or paying a few bucks to get one that is a brand that is out there and would be motivated to keep you secure, then pay the fee. Do you think we'll get to a point where everyone's using a VPN all the time, like, Is that is that is there a use case for that? Um, I use, baby
In an extraordinary amount of time, we're running we're in security company. I probably use it more than a lot of people. I mean, it's not it's not a big deal to use a VPN. Plus I find it amusing that when then when I go on to Google Chrome and look something out, but you know, don't take me to the Paris website or whatever, because all of a sudden that thinks that's where I am. You know, it's like, there's nothing wrong with using a VPN more often than not as long as it's reputable one. And for small businesses in there, I guess cyber security threats towards and people might think there's like, I What have I got? I've got nothing. You know, I'm not hiding anything. I've got no much money. You can have our PDFs. You can Yeah, you can have our contracts. What is the reality for small businesses in Australia in terms of cyber security threats towards them? Yeah, I think whilst I might think I don't have anything What are they going to take for me? I don't have any money. You. A lot of small businesses will also be holding data that doesn't belong to them or information on their customers information on this stuff.
They've got bank details. They've got contracts with big companies. You know, some of the biggest cases out there of cybercrime, you know, the target packs banquet through through, you know, a small business, it was a contractor to target. What happened was this one. So this was about five years ago. I believe from memory, that it was like an air conditioning company. But we're involved in that we're contracted to target and I got in through this software and a mobile. So small businesses, if they work with big businesses can be a target simply because they work with big businesses, so everybody has something to lose, and cyber criminals will take it. You're also only as secure as your dumbest mate on Facebook.
I don't have many friends on Facebook anymore.
97 was talking the other day wanting to build out our audience profiles or get a better
sense of who listens to the show and says you were bringing up? How do we make sure that it's secure? How do we make sure it's safe is having these these details in a spreadsheet? Or a spreadsheet within the cloud using something like air table law sheets? Is that like, Is there anything else that we can do to make that sort of data secure? Yeah. So I mean, you can make sure you're limiting who has access to it. So just consciously checking who who can touch it, you can put in things like multi factor authentication, it sounds really boring. It's where you get either the cards sent to your phone, or, you know, you'll have an app on your phone that gives you a card to enter in. So you have to use both the password as well as that card. It adds an extra 20 seconds to logging in, but it's still recommended as one of one of the most effective controls you can have in place so that anything that you're worried about that stuff, look for services that have multi factor authentication, and put that in
Also just be mindful of whether or not you really need to keep that data. Certainly if it has any personally identifiable information, so if you have, you know, just general demographic information of your listeners, that's fine. But if you have that, combined with the name and the phone number and the email and whatever, do you really need all of that stuff to get on to you need that stuff at all? And if not, then get rid of it. I friend of mine, I saw him Ronnie on Facebook, about how he had his identity stolen. And man, it was crazy. It was like, CHANNEL SEVEN, got hacked. They obviously made him take photos of his passport or licence. I don't know why they're doing this, but they had all this info. And they stole his identity, got multiple credit cards in different places. And he only realised like his credit score was like, ruined. And so it took He said it was like the most horrible one month of being
On the phone and just anxiety around it. It's like you don't even think about that. Right? It's like, I just renewed my phone contract and it's the only time that I really checked my credit score because I have to close it. It's fine to get a phone
or your credit score down. It's like man, I don't have a critic you don't ever get a phone I think
it you know, whatever, you can get one but there's that get credit score or whatever.com. Au and you can once a month they let you check it, I trust it.
Can you ask us a few questions that will kind of get an Angeles
he made asked him in a wonder why that doesn't give people the idea of how they could access
or otherwise contact us right now. But he's there any questions that you are that you ask?
to sort of find out the fitness I know you've got the online fitness check. Cyber Security fitness. Is there anything I mean I'm not IRL version of that.
Yeah, if you were to sort of give the like, what are the the three questions that you can determine? Yeah, a company's health? So I mean, the first question we ask is, what tech Are you actually using in your business? So we can see so much from the outside looking in. But you're the only one that knows mostly, whether or not you're using zero MIFA? Or whether or not you're using Dropbox for for any reason, and and the tech that you're using is always going to be really important. The next thing is, okay, what steps have you put in place to actually secure those things? Do you use multifactor? Do you have you got any of the controls and your websites, etc? And then the last thing is and what sort of information do you actually hold on whether it be your customers, your staff, or whatever else? And the combination of those three things mean that using our platform, we can then prioritise all of your risks and then tell you in order what should you be doing about right so we got accounting software, we've got time based, I reckon.
All of where we fall over, is we use too many third party add on. So it's not only zero, where then like, let's try like float, which gives us this like, budgeting thing. It's like a flights not really let's try fathom and that's and so before you know it, you're collecting that. And so you got all these apps, the third party, so it might not be zero, that's the problem. But we might like it. I'm like, just just half an hour ago, we enabled a new app within G Suite, which provides us analytics on how many emails were sending. But that's like another potential vulnerability. Yeah, that's right. And it doesn't hurt to sit down once I don't know a quarter a year however often and go through which apps you granted access to the main services that you use, and disconnect the ones you don't use anymore. We spoke about Facebook before that's the same with that I every now and then I go onto Facebook and I and grant access to all of these things that are connected using Facebook every now and then. So easy rock
Is it also like logging in onto websites through Google for Jeffrey j suede? Is it is there anything there with just you know the instant access by just hitting login with my Google? Well provided you're
protecting your Google account then that's actually a very smart way to go about it. So whenever there is any opportunity for me to connect to a new service using my Google account I do it because I protect my Google account like my life Yeah, um, so at least then on or whatever
it's really hard so
I you know, that's like if you know that you've done the right thing with one service then using that to connect to other services is not a bad idea at all. Um, same with there's nothing wrong with setting a password that you have no intention of ever remembering. And then next time you go login, you just hit the forget my password is one problem with that. Mr. 97 has Mason Lauder on Instagram, but he has
forgotten, he doesn't even know what email address is attached to that account. He gets it, you know, like X's out half and still don't know. It's at V. Route email provider starts with a
custom domain. I don't think I've ever registered a domain show even though he's one of those temp, like, destroyed,
potentially 10 mile. That's a bit annoying, but I don't think I'll do that for my name for username on Instagram, you've done some pretty silly things. Can you tell us how crazy people are actually accessing? So it's like you think about hacking you think man? Are they using some sort of back in you seeing numbers come down the screen like the matrix? How would people how are these, these absolute grogs actually doing this how they gaining access. A lot of the time it is through social engineering just tricking you into giving them access. So there are still so many scams out there where all of a sudden you know Telstra security team is calling you because they've discovered that there's an issue with your connection.
And all Can I just jump on using TeamViewer and get access and all, you know, we'll just, hey, we're going to, you know, do a scan of your computer and make sure that the scan is on on there. And of course, all they're doing is just installing
malicious software onto your computer and taking everything. So you know, the emails, clicking on the emails and giving them access, so download software onto your computer.
They're just using password, username and passwords that have come up in other breaches. So Mark Zuckerberg done a few years ago because he'd used the same password, which was so simple it was da da da da da da. It is the same password on LinkedIn as well as Twitter as well as
LinkedIn had a breach and all of a sudden these Twitter account was was compromised. So you know, this is a bunch of different wise, is this the richest guy one of the richest guys in the world who created the biggest social network is using Dad Dad. What's his problem?
Hi, well, I feel like most people are probably a favourite smarter than Zuckerberg a lot of the time. So I wouldn't put that as
How did you get into all of this? How did I get into it? I have my car found at the blame for that. Sorry. I my background, I was an insurance broker for 10 years and joined us railay price to manage their insurance quickly moved out of that to risk management, commercial management, and then got a random email from a colleague at price that I'd never met before to saying hey, I'm working on this initiative to do with small businesses that have had compromises and I want to explore how do we get cyber insurance involved? Can we have a coffee? Oh, that's just that's a scam.
That's really price is actually in with within the business. He's really good at internal collaboration and that's the thing so you have random people reach out all the time. So had a coffee with him learned that he was working within the incubator programme essentially
Playing a startup founder, I'm working on building a product to help small businesses following a data breach. So that moment before that you were talking about with your friend that had their identity stolen, that can be just as painful, if not far more painful for a small business owner, if they have a similar thing, because then it's not just their identity. It's also a business. It's a livelihood, it's a family. It's been it's there everything, it's it quickly becomes a waste of a lot. So I had this coffee with Adam, and he's telling me what he's doing. And I'm like, that sounds amazing. How can you be getting paid to do this? So I joined him and we spent six months exploring this issue. We built a rough idea of that products within Australia parties. But we quickly realised that whilst helping people following data breach was important. What we actually needed was to help businesses avoid the data breach in the first place. And that wasn't something we were going to be able to do within Australia Post. So we went off and found normal jobs again, within posts and then nights and weekends. We started working on cinch and so basically
He's the ideas guy, he's got the tech background and and built our platform and I figured out how to turn it into a business. What's an incubator, like in a business like ours post, um, it's pretty incredible in terms of you get, like I said, you still get your salary, whatever your salary is, um, to learn all of these new skills to meet interesting people. And to experiment in a way that within the large corporate, you don't usually get to do you know, you have a lot more freedom than what you usually have. But on the flip side than that, you also don't then to go out and go out and see your product, thrive and grow and that sort of thing. So, you know, I think there's both sides of it. That's fairly priced. were terrific at developing really fantastic entrepreneurs as a bunch of us now that are out there doing our own thing. I don't know if that necessarily translated into what they wanted as a company in terms of being able to build new products, but
filmed at the Australian post head office. Is it book straight? Oh, yeah.
Cisco stuff amazing. Like, I think people would probably look at the post as a cake. And it's still the mail, snail mail. But it is like there and the teams that we saw there was it was pretty full on, it's a pretty incredible place to work. You know, there's, there's, they still do deliver mail. They deliver millions and millions of parcels every day. But they also have a whole suite of digital services. So you know, they they employ more developers than most big businesses in this country because they're building things like digital identity platforms, and, you know, they manage your your online passports, processes and stuff. So there's a lot more to post then what there was, but it's still a big corporate, what happens to your wrong when you go in and take on a project like this? Yeah, that was where I was probably a little bit naive about it all. So I had, I'd been given the opportunity to do a series of sick comments and step out of my actual role. So I think at that stage, my Tato with something like
Senior Manager of risk and compliance or something like that, but I hadn't done that role in 12 months prior to stepping into this to comment. And so then by the time our project came to an end, 18 months had gone since I'd been in that role. And the I mean, the role somebody else working in it and had done for 18 months, it really wasn't my role anymore. So I had to go and very quickly find myself another job within Australia Post, otherwise, I would have been redundant. So I wouldn't necessarily recommend to other people, it's pretty scary time. But luckily, I found a role within the security same as they head of cyber security Business Services, so I was able to then take my commercial and risk management experience and apply that to the security team. What does Australia Post get out of having something like an incubator?
Well, I mean, it gets the value of it getting equity in it, or is it
so sorry, all of those things they 100% Alright, so this is what I
When I say play startup found out because we didn't actually found anything that we are in so they talk about like, is the the options for the founders? If you're playing founders? Do you get equity in that? Or is it not saying that one? No, I certainly not it not opposed. I'm sure there are other corporate corporates out there that might give you that opportunity. But that wasn't the case for us. Right. So going from a working with a big company like Australia Post to starting, you know, from scratch with yourself and the founder. What's that process been like? Um, it was scary, really scary. And a lot of hard work. Every day. I'm doing things that I never did before in my corporate career. But I wouldn't go back I don't like if if everything blows up in my face tomorrow. instinct is not a thing. I'm not going to get another job at a corporate. I will go join another startup or found another company because having the control to build a company that you're proud of and fine team members.
That are also passionate about it and help you customers and a mission that is absolutely dedicated to it. Nothing compares to that. And so cinch what is completely separate to that original so I guess the seed of an idea which sort of inspired Yeah, absolutely. So so what we built with impulse was quite different. It was still for small businesses, but it was it was a response service in
working with a not for profit, how to Queensland seems doesn't do responses we spoke about beforehand.
For us, it's about preparing businesses and getting them to build their resilience so that when they have an incident it's not the end of the world. It's not the worst day of their lives it's just makes for a pretty shit day. And what's what's the first thing what's the first phone call law coffee that you have when you decide that you're going all in?
So that decision I went for massage on a random Saturday and was lying on the table thinking what do I even
doing with my life is you know, I can't I can't keep doing this and then by the time I go out, you can keep doing
good things come from vigorous.
And so I started to think about, okay, if I if I go off and work on change, what am I doing is going to be like in comparison to what it is now in my corporate life. So by the time I got off that massage table, I was messaging Adam saying, Yeah, I'm pretty sure I'm going to quit the job and go do this now. And he's like, Okay, I guess this is really a thing. So I went into work, I quit the job. And one month later, left is fairly priced and then immediately joined slow rise, which is a cybersecurity accelerator here in Melbourne. And the sorrows are absolutely fantastic. They only take cyber security companies, early stage startups, but they drive you really, really hard. So first day of that programme, I think I went home in my eyeballs with just about hanging out of my head. Like that's just weird had meetings with 15 different chief information security officer
says we, you know, we've been smashed on how do we pitch we've been smashing their business model. By the end of that first week, I was completely shattered. And then they took us up to Sydney. And we did it all again. The second week. I'm shattered in a good way or shattered confidence, not just in a good way, exhausted and made a mess. I
made a message. I can no longer afford one because now
I'm sorry. Yeah, it's just different. Everything you do is completely different when you're in that world and you don't, no matter what you plan is when you come in in the day, that's not what you end up working on that day. No, no way. What did the sacrifice look like at the beginning for your life? Um, sacrifice was a lot of time. So when you starting a business, I mean, it consumes every moment of your waking hour, so my friends had to hear about what I was working on my family. probably didn't talk to them as much as I should have.
Yeah, my husband, I barely saw him.
For the first few months of starting that business, so there's a lot of sacrifice just in terms of what your lifestyle was like. But at the same time when somebody says, How you doing is everything going? Well, you've also got some pretty awesome stories to tell, like last year, we were in New York. But we've seen that I never expected to be able to do that. And, you know, I've spoken on big stages. I've had interviews in the age, like stuff that I would, I mean, when you're head of cyber security, Business Services, nobody wants to talk to you from the
stuff that we get to do. You know, I get to talk to small business owners every day about what is their biggest challenge, and then help them solve that. Like we've had video calls with clients that have like, you know, chest bumped each other at the end, because it's just, it's awesome. So, you know, it was just about the ultimate step up from a fist bump. We should try one after
the nightmare. Yeah, how do we do the ribbons. It was with a muscly man so nearly took me down, but it
Is it purpose that you because I think about jobs that you don't like or something that you're not really enjoying consumes you, you then go and do a start up. It's all consuming can be really hard really highs and lows or you know extreme. It's just you're choosing one that has a bit more purpose. Absolutely, yeah. So for us, it seems we're completely mission driven. So you know, we're out there to make it so that small businesses can avoid having the worst day of their lives. So the harder we work, the faster we go, the better we are, then the more small businesses are protected from that stuff. And then the more small businesses can also grow their business because all of a sudden there are but to answer the question when they're asked, What are you doing about cyber security? And they can say, Well, I'm a senior member here, here's the here's everything that we're already doing. So for us, it's definitely about that motivation. I'm working harder now than what I think I have ever in my life, but for the right reasons for once, and so it's
SAS product. Yeah? Was that talking business models and working out how to actually do what was that the first iteration? or How did you sort of see it coming in from a business model perspective? Yeah, so we we set out to build it as, as a SaaS business because of our target market being micro in small businesses. So there are over 2 million businesses in Australia with fewer than 2020 staff. There's no way you can build a service consulting model to reach 2 million businesses, let alone it just wouldn't be economically viable. So we build out to we set out to build our business to be completely scalable so that we can service one small business the same way and give them the same experiences we can 2 million small businesses but everything that we give for them is based on their business and the tech that they use. So none of our members cyber fitness programmes at the same with something like that. Do you Is it like at 20 define that
Mikey have, say with us, I feel like we would take the piss with using since because there's so many like there is so many different tools that we're using. We've got like multiple CRM, like multiple sort of like a project management tools, some that are industry specific that no one else would really be using for the outlier sort of case. How does that look from your side from a business perspective? Yeah, so it's definitely the 8020 rule. So I 80% of all small businesses, the tech that they use is 80% the same. So even though we were able to do security analysis on a suite of technologies and get some base information and value into our product pretty quickly, but then we targeted based on industry for that very reason. So we typically work with financial or professional service small businesses because they tend to use the same sorts of technologies. They also i targeted and very similar
So, all accountants or financial planners or all lawyers, use only a limited number of practice management tools. And, you know, the bad guys know that and target them in design wise. So, for us, we're doing that we're then building out our business to different verticals. So we're just now exploring where else we're going to move to next It looks as though ecommerce businesses because whilst everybody takes the Mickey out of e commerce businesses and says that they don't care about cybersecurity, that is not our experience at all. You know, we've had jewellery designers who are members that have been, you know, reconfiguring their whole tech stack. So, for us, that's probably where we'll go next. And then it'll be international expansion. Talking about like the stack side of things. Tommy was what did Where did you hear stack the other day? I was recording a podcast for a client and they'll just software business or whatever. Yeah, they help integrate and seamlessly different stacks of technology.
Microsoft Cloud like the Microsoft stuff, and what is it feels like? So with the eecom thing, it seems like people are doing less bespoke stuff now. And it's just like, you'll go even simpler than that even as stack looking something like Shopify, and be like we're using Shopify, and then we're going to use the Shopify marketplace or whatever they call it to provide add ons. Does that make life easier for a business like cinch? Or? And how much responsibility is there on companies like Shopify to actually look after the security? Um, well, there's a couple of sides to that. So first of all, I mean, us as since we use a lot of those sorts of services. So we we don't run our own server. We are completely service company. So we wouldn't be able to have built a completely scalable business the way that we built it five years ago because they sort of services didn't exist. So the fact that they exist mean that we can exist it also
means that our small businesses, we can understand them faster. And we can get to adding value to them faster. Because if we already know the technology that they're using, then we know how to help them secure it.
In terms of the complexity of the advice that we need to give from our small businesses, it's not about
getting them to record any of these systems. It's about understanding, understanding what are the security features that are already built in there, helping them to utilise them, and then helping them to adjust and change their behaviours within their business to use them properly? Is it safe, so safe, everyone ends up going Shopify and there's a few other businesses but Shopify built their own payment gateway. It's like it's a remove the need to stack stripe into WordPress into a bunch of these things. Is it safer it being all in the one or is it a problem that everyone ends up using this single service like Shopify? That that's where it is and if that gets brought you like one breaks versus four layers,
It's kind of it could go either way. I mean, any of these businesses have been they motivated to keep it secure. But it's also acknowledging that it shared responsibility The minute you as a business owner, it is still your business. It's still your customers that are going to be affected. So you can't say, Well, I use Shopify, that's not my risk anymore. I don't need to think about it. It's still your business. And if you're using somebody else's service, and the responsibility is still on you to understand what risks are involved, and how are you going to manage that and have a plan in place so that if Shopify does go down, that doesn't take out your business forever? You know, there's this understand what security steps Shopify put in place versus what things you still need to have on your system. Yeah. December one, my wife had her Facebook, try to be accessed from some email. It was one that she used to use. And then we found the IP address because Facebook was like, I mean, they're pretty switched on to it gave you the IP address, and we search the IP address and I was in the Philippines. It was my uncle.
But that wasn't it was a hacker but it was like the shit is that automated? Do you think of these somehow being gentle? Like, what's the right terminology? Is it like running a script where it's just entering constantly all these? Yeah, absolutely. I mean, you know, cyber criminals these days. It's a really sophisticated industry, they have entire call centres set up to help you like I hope this so that you can they can teach you how to buy bitcoins so that you can pay the ransom. Like it's an anti industry that they very professional. So they're absolutely your amateurs out there that might just buy some software off the dark web and give it a crack and say where it is. But there are others that are absolutely writing some really sophisticated attacks.
After much if I channel the energy into something productive, like something that you find a power for good instead of evil, some of them are probably really great at coding. Amazing. Just a few screws, looks all that made too much, man. They're like this is too good. Yeah, this is too
Doc, what are some of the things that we can look at when we enter into a new service? Say those lower like so smaller business, like what I think about is like the, we signed up to an industry specific, like SAS product. And they charge more because it's very specific. But at the same time, it's like, you can see where they're missing some of the elements of a polished product like say, a Google Apps or stuff like that. What do you think are the minimum So you talked about two factor authentication? There are other things that we can look at before we decided to sign up with a service to make sure that they have stuffed out in their personal piece of advice for you to select and pull the trigger on or you know, we do we are trying to do we basically got you hit for
that like, yeah, just in that you got to try these different products. I mean, us as a business because we need to understand the security of all the services we foreplay signed up to everything under the
My co founder as positives to 400 different services or something.
Cloud based ice that is storing it all over the world, you want to know where it is? What about policies like so there's obviously the human element as well to this side of things. I feel like a lot of small businesses skimp on the contracts or thought, you know, you have an employee and they might have a very basic contract, but you're not getting them to sign these other things to make sure that they're making stuff safe. Do you have any thoughts or within since you considering those types of policies? Yeah, absolutely. And, in fact, we make it really easy for small businesses to generate those policies. So just by being a member of us, they can then go through a five minute exercise and they end up with an incident response plan that is bespoke for their business at the end. We can help them write an information security policy. We help them build out things like labour checklist so that when a staff member leaves your business, you know exactly what to do in terms of removing their access so that they don't still have access to all of your
Systems after they lost three day deal out in turn from Canada still has a j suede slack and all that sort of thing.
Get him on the show
says loves check who's trying to get into checklist I mean how how much checklist and important element when it comes to security. So I I don't like the idea of checklists in terms of following a checklist of these are the things I should do to protect my business moving forward. Like the idea of just logging onto a service and spending half an hour to fill out a questionnaire to tell them about the things you've done for security. Just, I mean, it sounds so boring to me, and I've run a cyber security company. That's why we don't work that way. So we try and make everything interactive. We certainly focus on the human rather than the rest of it. But things like lleva checklists, having a list of things that you need to do every time somebody leaves at least it means that you don't have to go all Hold on What if they have access to whatever, you know which passwords Do I need to change now you already know it you've got it written down. So it would you
Is the time it takes to do the right thing? What's your fate? I don't know if it's too much of a personal question, but what's your favourite way to get your two factor? authentication because for me with zero I can't be bothered answering my question. It keeps asking me and I got a new phone. And so I I don't have the G like the Google Authenticator on it, like when I got rid of my phone, the authenticator was on that and then I installed it and then all my shits gone. Anyway. So I I prefer to get my secondary email. Is there a Is there a best practice in regards to that in and you know, do you follow a certain not gonna follow a tech I'm going to get text message first or so. So for me personally, I usually use Google Authenticator and it is a pain in the ass when you get a new phone you have to consciously actually switch that to the new find that the pain Yeah, but it's I'm after this to Solomon. what's the what's the deal? Because I think that we should get on to this two factor I use often authy which is
Well, you don't have I was checking slack. Yes, they are the only person who has
free is not receiving, but we don't have it. And so we would go in
and we put it into Can you explain? Can you explain to people what Google Authenticator is? And what two factor actually is? Yeah. So two factor, you think about your username and password. So that's something you know, but that means that if somebody else your hype, you know,
sorry, I'm sorry, if somebody else learns that password that becomes something that they know, as well, I'm sorry, using multi factor or two factor authentication is using something else as well as that thing that you know, so normally, it's something that you are so using either facial recognition on your phone or your fingerprint or something like that to get into your phone as well as a password or or keypad, or something that you have. And this is where the authenticator apps come in, because unless somebody has your phone with that app that has been connected to that service, then they can't get in even if they know your password. What about a key right yeah.
K Rams I saw that years ago was pack. Yep, was Westpac Nyquist.
What do you think about like using one of those because I think I saw a third party product that is the key chain, I almost like that more than the phone. Yeah, there's a, there's a few companies out there. So yubikey and a couple of others that have them now. They're really good, but they're expensive. So it depends, you know, it's it's kind of a risk decision that you need to make, is it worth spending the money on these things? To do it, but some things that you're protecting absolutely worthwhile? You know, on on our corporate bank account, I have one of those little things on my case. And that's, that's my second factor. Can you can you tell us a few war stories? I mean, I'm sure you've probably seen maybe not clients you've worked with, but people that have been affected and sort of the outline the risk, and so it's like, I mean, this could be something that someone's doing that listening that like, back that's me, I gotta stop that or even as an extension on that like things where people think they're doing the right thing.
But they're actually making it worse. So like to using a using something like a LastPass or one password but then having a really easy master password.
I mean, there's definitely plenty of cases of that. But um, one of one of the most emotional calls that I've taken whilst running cinch was one of my good friends, mom. She ran her own mortgage broking business. She'd been chasing up a real estate agent that she worked regularly with awake for this contract hadn't been able to get them on the phone, which was unusual for a real estate agent but hadn't been able to get hold of them. Finally, she gets the email here's the contracts the waiting for double clicks on it. It pops up and asked for a username a password, but she'd been waiting for this email from this company or awake didn't think anything about throwing a username or password and then phone call rang and she went off into something else for another hour and a half. She came back and to a computer and took another phone call from a customer saying you're sending me some really strange emails What is going on? and turns out that that real estate agent had been compromised, so
By the email had been taken over, and they were using that email address to then they'd obviously been watching what was going on for a few weeks, they knew that these mortgage broker had been chasing them for a contract. And they use that opportunity to then target that, target her and send that out. What that meant is it was two hours before she even discovered there was an issue when she got that phone call from the customer to say that was something wrong. And then took her another four hours of sorry to get somebody to help her lock that person back out again. So that was six hours where these criminal had access to all of the emails, all of her attachments, all of that confidential information from anybody that had been to that mortgage banker before. So that made for what was easily the worst day of her waking life. And not long after that. She took early retirement from a business and is now no longer a mortgage broker because this sort of stuff really can devastate you. And that was something so simple as just trusting that an email that came through from a trusted person, but the thing is, it's not usual.
That they would send through contracts as an attachment on an email that then asked you for your username and password. If it stopped and thought about it for three seconds, she would have gone Hold on What the hell do they need that for? Sorry. You know, they be all of these scams they set out to target people that are tired. These things work quite often on Friday afternoons because people are rushing to get everything done at the moment.
But you know that these sort of there's so many of these stories around and it's, it's really heartbreaking. It's the whole reason why we set out to build cinch in the first place because at the moment, well, prior to us existing there really wasn't anybody out there that was helping small businesses, everything was you know, industry was focused at the top end of town. That's where all of the talent was going was working in large corporates. It's where all the money was going. And yet there's 2 million small businesses in Australia that needed help. So since at the moment, accountants like find it like financial professionals, anyone else that you think would be
You know, would be a great fit. Yeah. So now for us it's about it's not so much the industry, it's more about the the, I guess
forgotten the word. The traits of the company itself sorry, businesses that have fewer than 20 staff. They weren't have in house it they usually rely on an external IT support provider that we can then collaborate with within the platform. So it's about businesses that are relying heavily on technology now and realise that they need some help. That the exactly who were built up Business School, how do they know if they need help? If unless they've been compromised?
Their early assigned? Yeah. So when you start relying on all of these cloud services, I mean, you guys have asked a bunch of questions today about what what do I need to worry about slack or we've signed up to all of these apps, small business owners have exactly the same feelings of discomfort. So when they're at that point where they're just uncomfortable with
How much tech they're relying on? And do they know enough about it? That's the time to take action. There are other clients that work in industries that are now seeing more and more compliance obligations come on to them. So if they are working with any large AP or regulated businesses, the banks, etc. They're now required to look at their supply chain. And even if you're a small business in that supply chain, you can start getting question is asking you 150 different questions about what you're doing about security. That's going to be a pretty big trigger for them to jump on top of this stuff. So you know, it's going to be different for every business. But for every business, if they're relying on tech, it's something that they should get across. It seems like people are becoming more aware even our new accountant.
He asked for our text phone number, he said, Call me with your text phone number. And the funny thing was for me to look find my text phone number. I looked through my email from the last a mass at my other account.
This is interesting. Yeah.
And the thing is, though, is that that sort of behaviour in the not too distant future will really help your new accounts and to differentiate themselves from people like your own account. You know, they're they're going to be able to answer the question when customers say, Well, how do I trust that you're going to do the right thing by me, they can say, Well, actually, this is how and I do all of these things.
This is why we talk about it being cyber fitness because it's not just about protecting and stopping the bad things. It's also about building strength and growing your company and being able to differentiate is so loose like especially even when I I did four months travelling a few years ago, and just the hospitality like a hotel industry. There is so much like bad practices going where it's like just a mouse you credit cat Oh, we need confirmation of your passport. We need these things to secure staff. Are they photocopying shit. Yeah, yeah, I just think they grow. Yeah, but I think like it's it's even to your
point where it's like you're in Hong Kong and it's like, I just want Wi Fi. It's like travelling, you're in that vulnerable state. And I feel like that is always where it's like, okay, I want to go on a hot air balloon in Turkey. Are they asking for the passport? What? Like, what else are we gonna do? Yeah, but I think like when you put the lens of it of being a director of a company, all of a sudden, that then affects everything else. Yeah, it's not just your it's not just the skin on your back anymore. It's about your customers. It's about your staff. It's about you know, your family and the legacy of your business. If that gets wiped out tomorrow, all of everything that you've worked on for your whole life can can be gone. And that's it's just devastating to face that. Particularly when you realise that if you just spent five minutes a day for a couple of weeks, you could be in a completely different position. And so you're still part of the accelerator programme. How so? You You You started the business within that, is that right? No, I know. So we had to wade spent nights and weekends when we were still working full time building it up.
We couldn't we got to a point where we had a very rough MVP of our products. We had an even rough our go to market strategy and a whole bunch of enthusiasm. And that's basically what we took into the accelerator. So that lasted for six months. We finished that in April last year, the enthusiasm, although
the accelerator so we launched our product at the end of that accelerator, and that's also when we launched our investment capital raising process as well. So we've been on our own I guess it's a for about nine months there abouts. Yeah, and we, I mean, the first customer, I mean, these startup some, some don't even see a customer until a year or two down the track, which seems crazy, but it's just what's happening there building tech or whatever it is. Those first moments of getting people that are actually excited about what you're doing or maybe not excited. You just get them as a customer and then you get them excited. And what's that? What was that feeling like that that first dollar in the bank account was pretty exciting. So my my co founder, his family, live
In regional Victoria, gone back up to back up to home for a long weekend or whatever. And on the Monday, he'd stayed over the weekend. And on the Monday, he went out to a couple of small business owners that he knew in that town and was talking to them about what they were doing, and sold them a membership. And he messaged me, and I was like, so bummed that he wasn't there, because I just wanted to go out for it.
But then, you know, so that was a short trial. And then the first time we actually had somebody sign up for an annual membership with cinch again, it would be a time it was it was euphoric. But then you realise you need to do that a million more times, and it gets a bit harder. But you know that those those firsts in your own business are pretty incredible. You've got a Yeah. Before you have 1000 of them. Yeah, you need to make sure you can do it for one person. Yeah. Wait. So what was that process of the learnings that came from first customer or 10 customers that have shifted now to where you are today? Yeah, we were we were pretty good at making sure that we spoke to a lot of stuff
Small business owners and potential customers before we actually launched our product. So we had a very good idea of what we thought they wanted. What we took too long doing was actually asking somebody to pay for it. So, you know, we, as part of the accelerator, Scott hand, Sacra, who's the CEO of syros, the accelerator would ask us every week for about the last three months of that accelerator, have you asked, I'm going to pay yet. And we were like, well, we nearly did.
So it took us too long. But then once we once we did it that one time we also had a lot of confidence as to what what it was that got them to pay, what was it that they were interested in? And what did we need to do to deliver on the promise to the customer? So whilst it took us too long to start asking from there, we also had pretty good confidence over what it was that we were selling and why so
you know, it's it's still never easy to continue to get new business through the door, particularly when you're a completely digital access platform. But, you know, we're we're certainly getting our name out there now. Who should who should look at an accelerator
The programme I find it fascinating. There seems to be more and more popping up.
Yeah, who should consider it and what what are the terms for an accelerator programme? So the terms are different for each and every one which blows my mind. My research, there was some consistency. And like any business out there, there are some good accelerators and there are some crappy ones out there. sorrows for us was completely transformative. Our business wouldn't be where it is. Now without them. They were absolutely fantastic. But we had considered joining them the year before, which would have been their first year, their first quarter cohort, and we decided that not only were we not quite ready for it, but they went sorry, it wasn't until we knew that we were willing to throw ourselves into cinch 100% full time that it was worth joining an accelerator because you get out of those things, what you put in. So if you're willing to just experiment if you're willing to learn and if you're willing to change, then accelerate as
As long as it's good, if you're really determined that you've built this product, and nobody's going to tell you how to how to change it and how to run it and all the rest of it, then an accelerator is not going to be able to help you because they're all about helping you change and grow. Talking about like, getting the first dollar and the struggle of asking people in the world of accelerators, I guess there's also valuations of businesses and things like that. How much have you learned about that side of this? Yeah. It was a bit of a baptism of fire. I mean, when we when we signed up to the accelerator, we did it under what's called a safe note. So we didn't have a valuation of our company at that point, because it was early stage startup. So it was basically they gave us some money and they got basically a promise of future equity. When we raise capital down the track. We signed that safe note. I had a vague idea of how they worked and all the rest of it, but it wasn't until we were halfway through the accelerator that went right
Okay, that's that's how that thing is going to actually be triggered, um, but a few working with reputable people, then they're not going to rip you off, I would not recommend that being the process that anybody undertakes. And they really should understand they should probably ask a lawyer, which I did not do. And I guess it's also specific with that accelerator. So much of investment is about what they have to offer rather than just cash. It sounds like they're the fact that it's industry specific, is super powerful. Absolutely. So for us, we definitely got more far more value out of it than just the cash that they gave us. But I've also I've been approached about other accelerators before where you look at the equity that they're expecting to take for the cash that they put in. And I'm like, Yeah, you're valuing your programme there at a million bucks. And I'm sorry, but you're not going to give me a million bucks value out of this. So you know, this is what I mean by there are plenty of bad accelerators out there or ones that are not in it for the founders. And so you just need to be careful about that. Well, if you're entering into their own business model
Then, right? Yes, I guess that's the school system and all that other stuff. Raising money moving forward has has that process but um, yeah, so we we spent six months raising capital last year it was summer, it created some of the most valuable and interesting conversations that have ever had in my life. When you're out there asking for money, you meet some really random people along the way that just have a lot of money for whatever reason, they tend to ask triggering question or questions that you need to have the answer for that you didn't quite know that you needed to have the answer. Um, certainly, early on, early on, I had no idea how to answer any other questions when you having your first investor conversations as a first time founder. You don't know how any of this stuff works, but we had just come through an accelerator and had spent six months answering tough questions about our business. So we had a lot of answers. For a lot of questions that businesses of our early stage might not have. But it's also pretty you can usually tell pretty quickly
A potential investor is somebody that you actually want to invest with. They talk about, you know, relationships with investments lasting longer than most marriages these days. So you don't want to take money from anybody that you don't actually want to sit in a room with or have dinner with at some point, because you're going to be doing that, you know, every year for the next seven years, eight years, whatever it is. So, you know, we were really careful about how we took investment from we were lucky that on the last day of the accelerator, they have a demo day and you know, big pitch and all the rest of it. So I got off the stage. And then that night, somebody that we knew quite well didn't know that they had a lot of money, you know, said to us, we want to invest in your company. So we had an investor from the first day, but then it took six months to find the rest of it. And it was only through having scale investors who are an angel syndicate that specifically invest in female founder companies. And that's how we found that the the rest of the money so yeah, it was it was interesting. Very glad that it
Done, because now we can just get back to growing our business and and helping more customers.
But at the same time, we also didn't raise as much as what we had hoped. So I might be back out there asking a lot. So you know,
how much of the conversation is about finance and money when it comes to speaking to investors because I guess, security
potentially close it sits closer to finance versus something like media, where there's a bit more rah rah are involved when you're having a conversation, and they just asking about business model stuff, or are they asking bigger questions or what they want to understand how you're going to make money? So you know, they were asked for what's our forecast, and I mean, that has an early stage company that had just launched our product in it and 3000 bucks, anything on the spreadsheet was going to be completely fantastical. My spreadsheet was really impressive. It was
you know, it's still just it's still too
a spreadsheet. But you know, as I get that and like is that? Obviously, you've got to rationalise things. Because like at the beginning, if you don't have, like how much of working at a valuation of the business is it's like I you know what, like, I know we haven't done 100,000 a month, but I think in six months we caught if we had all of this. And so let's value it on this. Is that how it works? It depends what stage your company is at. So when when we were raising, we were just launching our first product, super early stage sorry, none of the investors that we spoke to expected us to have all the answers. They were they were investing in us as founders, they were investing in our business model ideas, I'll go to market strategy and the customer feedback that we had from very early stage. So it was I wouldn't call it blind faith but it was blind to each bikes them put in us as founders. Whereas if waker and rights for capital later on this year, after having been out in business for over a year
It'll be a different conversation, it'll be about what is our gross profit look like? What is our pathway to profitability? You know, what is our pricing strategy and diversification going to look like? There will be very different conversations because our business will be 18 months older.
How much you telling them what you're going to do with the money? Do you have a good sense of, we're going to hire these people. Yeah, we knew exactly what we were going to do with the money. And it was also a really important way for us to filter out who was the right investor for us, right? So we're a SaaS platform, it costs us very, very little to actually run our tech. But what we need is really good people. We need people to do the development work. We need security analysts, we need, you know, products, people. And so there are some investors that absolutely hates when a founder turns around and says, I'm just going to hire people. And you know what they're not they're not the investors that we want as a SaaS company because that's always what we're going to be spending out of I wanted I would like if that's the
So what are they wanting you to do with the money? I don't know. I didn't get
So yeah, we were really specific and have been a long week quite intentional about what we do certainly with our money. And now that we have other people's money were far more particular about how we spending it would. What about the accountability to the people how consistently you needing to update them and way, and I think this is probably just because it's more my personality type, I probably
have a lot more regular contact with them and most so I provide monthly updates to all shareholders on what it is that we've done, what it is that we're doing, etc. I just built that routine through that that accelerated process that anybody that was interested in simply started sending out monthly updates almost like a newsletter. It's slightly different bent when its shareholders that you're updating, but you know, we also do that for future investors because there are plenty of people that are sitting back and watching what we're doing and
You know, way, way too early stage for what they usually invest in. So I send them a monthly update. So hopefully when I go capital raising in six months, 12 months time, I can hook them up and say, Hey, you know, Surely you're pretty happy with what we've been doing. Can we have a chat? So cool? Yeah, it's so inspiring hearing, like, from that early stage to where it's going, and it seemed so
like, within startup world, especially, I guess more in the US, they can be a level of rah rah and VCs and all that sort of shit. But it sounds like
especially being small business owners ourselves is something nice about hearing it in the language of small business rather than the sort of crazy startup absolutely like that. The whole startup world is there's so much hype around it, but it's also really bloody hot. There's nothing easy about doing this. You know, I don't know how I'm going to be able to pay payroll in 12 months time if we don't hit our targets. That's terrifying. Now that we have to
It's really terrifying. It wasn't so bad, but it was just Adam and I, although I would have felt bad if people
got wife and kids, that would have been bad. But you know, when it's just yourself, you can do it. But you can get sucked into this whole startup conversation. And you know, I've done plenty of, you know, presentations and that sort of thing, pointing out that, yes, for all of the glamour and all of that, whatever it is, you're also need to be in there for an actual purpose to build a business. And so for us, dealing with small business owners every day that kind of keeps us grounded, pretty good. I think. I think it's nice when you have a purpose behind the business. There's a lot of people that probably don't absolutely have some product, it's just sending snaps. Yes. And the email, you know, just what's a fixing a problem, too. I think like whenever you're in the business of like, actually solving a problem, and the fact that we can talk about it and have 10 questions for you. All right. Like, before we even find out about you. We want to know like what did we do with that last pass? Like I think that that, you know, demonstrates that how important
Security is for every, you know, size business in 2020. And for being being mission driven, also makes some parts of our business a hell of a lot easier for us than it is for other startup founders. So, you know, I know other cybersecurity founders out there that are in it, because they wanted to build this really cool tech, they'd found an issue that they thought they could probably figure out how to solve it, and they've solved it, now they're trying to go out and sell it. And that just, it feels a bit empty to me. You know, the, the other founders that I know when I spend a lot of time with they're all very much mission driven, like what way are they completely different problems that they're solving. But you know, there's a there's a bunch of others that I speak to on a regular basis that are in it for the right reasons, and it makes all of the hard work worthwhile. Mostly, I'm changing my LastPass Master Password today. Yeah. Yeah, I think it's a good thing to do. I haven't done it in a while.
But the other problem is that it's when you use Chrome, the Chrome extension or whatever you can get away with a long time.
Been a couple of times I'm caught out an offer even remember it? Yeah, because this is an auto filled. Yeah. So thanks for coming on the show. Thank you. It's a daily talk show. If you enjoyed the show, leave us a review on Apple podcast. Also you can subscribe there or wherever you get good podcasts otherwise said Mr. Guys