In Pursuit of The Secure Board: Interview with Dr Alana Maurushat


Dr. Alana Maurushat, professor of Cybersecurity and Behaviour at Western Sydney University, joins Anna in this episode to discuss her upcoming Cyber Incident Response Centre, her research on the topic of cyber, the fear and complexity around jargon associated with cyber, and the impact of COVID-19 on the number of cyber incidents.

Dr. Alana Maurushat is currently researching payment diversion fraud and ransomware, tracking money laundering through Bitcoin blenders, distributed extreme edge computing for micro-clustered satellites, and ethical hacking. She is the cyber ambassador for the New South Wales cybersecurity network. And Alana is also on the board of directors for the Cybercrime investigation company called IFW Global. She lectures and researches cybersecurity, privacy, and security by design, cyber risk management, and artificial intelligence across the disciplines of law, criminology, business, political science, and information communication technology.


We acknowledge the traditional custodians of the land on which we are recording this podcast today and pay our respects to their elders past and present.

AL: Hello, I’m Anna Leibel. In Pursuit of The Secure Board today, we welcome Dr. Alana Maurushat to the podcast. Alana is professor of cybersecurity and behaviour at Western Sydney University. She is currently researching on payment diversion fraud and ransomware, tracking money laundering through Bitcoin blenders, distributed extreme edge computing for micro clustered satellites and ethical hacking. Alana is the cyber ambassador for the New South Wales cybersecurity network. And she is also on the board of directors for the Cybercrime investigation company called IFW Global. She lectures and researchers in cybersecurity, privacy and security by design, cyber risk management and artificial intelligence across the disciplines of law, criminology, business, political science, and information communication technology. Alana, it’s great to have you on the podcast today. Thank you for joining us, you have a number of exciting projects underway. One of them in particular piqued my interest, can you share with our listeners about the Cyber Incident Response centre that you are building?

AM: Yes, thanks. So, we received funding from the federal government last April. And we’ve been working quite heavily with industry to open what will be known as Western case or my case to get online. And what we’ll be doing is training up anywhere from 40 to 100 students every year with professional supervision from industry, and we’ll be helping small businesses with cyber incident response. So, all for free, and most specifically in the areas of ransomware, business fraud and data breach.

AL: So, if a small business did have a cyber event, they would contact you for assistance in what aspects of the incident trying to identify the breach or?

AM: So, what we typically I think what’s going to have happen is small businesses are going to just call for anything. And so even if we’re not able to help them within our remit, we’ll be able to point them in the direction of other organisations that deal exactly with what their problem is. And so that will be one of the aspects but for people will help and stay online with that will be anywhere from setting up your cyber incident response plan. So even if you haven’t been hit, we’ll help you set up the things before you’re hit. And then of course, once you are actually hit unfortunately, with some sort of cyber-attack, we will help you navigate and direct you to what needs to be done to mitigate your damage, and if possible, recover your assets. And so, in particular, we’ll be focusing on the areas in which we find small business being hit the most with, and that’s ransomware, business fraud, so in particular payment diversion fraud, and data breach.

AL: And would you help the organisation’s negotiate a ransomware outcome? Would that be part of the scope of the centre?

AM: Absolutely not. So, we will not be doing that. But we work with companies and law enforcement who do that. And we will help to coordinate that and get everything ready so that you don’t stuff up the first three most important steps.

AL: And what are they Alana?

AM: Well, it would depend on the variant of the ransomware coming in and what’s already been done. And so, with any kind of incident response, it works quite similarly to how you would in a hospital when you arrive in emergency room. That’s why it’s called emergency cyber incident response. And that will do a triage. So, we’ll assess what has been done, what hasn’t been done, the information coming in, and then based on that information will give you the first three steps. So, for example, if it’s, you know, a business fraud, right, obviously, contacting your bank is the first step. If it’s ransomware, it might be immediately ascertaining whether or not your backup files have been affected. And if they haven’t, you don’t have to pay the ransom. So, like there’s all of these different things that factor into a different attack. And it’s not the same advice that you would give for every attack, because while there’s a lot of similarity, sometimes the differences are really important and have to be analysed.

AL: Yeah, I completely agree with that. So, when is the centre due to open?

AM: February the 28th. 

AL: Oh, wow. That’s terrific.

AM: Yes. So, the students are very nervous at the moment because they’ve been training really hard with industry, but it’s completely different thing to be training on dummy data sets and quite another when you’re responded in helping a real company under attack in real time.

AL: I can imagine. So, how many students are looking to join the centre you mentioned that you’ll be Training between 40 and 100 per year.

AM: Per year yes. So, it’s part of our program. And so, we’ve set up what we think is the first unit in Australia for Cyber Incident Response at a university. So, they’re going to be training with that unit as part of their, you know, graduation. And then they work in community service, which the centre is before they graduated. So probably 80 students a year and our first intake are 35 students. So, we have 35 qualified students coming through the programme. And at the same time, they’ll learn how to deal with people. So, we often find a lot of computer scientists don’t get the opportunities to have human reactions and learn that super valuable how do you talk to humans who don’t understand cyber, and so it’s, it’s not just, you know, skill sets on complex cyber-attacks, malware, analytics, and other incidents. It’s very much important to ascertain the humans in the loop when you’re responding to these, because what we find in the past, because all of our students go out to industry after they work at the centre, as part of their education. And what they learn rather quickly is that when people call you out, they’ve been hit with a cyber-attack. It’s a very emotional experience for them. And so, the students really don’t have any idea how emotional that is. And some sometimes there’s anger, sometimes it’s frustration, sometimes they want to fire people. Sometimes they’re sad, sometimes they’re deeply embarrassed. I think that’s probably one of the most common things at the moment is that deep sense of embarrassment when they’ve been hit by cyber-attack, and there shouldn’t be and so the students are going to be trained to walk them through why they shouldn’t be embarrassed because it happens to everyone, whether you’re a large corporation, a small one, someone with a CEO with a background, even CEOs with backgrounds in cyber still get scammed and hit, it’s not like you can overcome this, the only thing you can do is mitigate your risk.

AL: Empathy is such an important part of all business interactions, I think. That’s being the ability to put yourself in the shoes of the other people that you’re working with.

AM: Absolutely, absolutely.

AL: Now moving on to your research that you do. You have been researching into testing theories that are highlighted the most effective ways to engage non-technical leaders, including a board and the CEO, across the topic of cyber, what did your research find?

AM: Well, it wasn’t our research, so it’s emerging research out of the United States, we thought it was really interesting because it’s one of the first pieces to come in that space of behavioural economics. And so behavioural economics is basically what we want to get people to do this, what types of incentives or what components work the best in order to achieve that result. And so, what they did is they tested CEO decision making across a range of cyberattacks for a lengthy period of time to discover that while evidence is great, and data and analytics and everything else to give a CEO a clearer picture, case studies and emotions mattered far more in activating a CEO to spend money and actually finally be convinced that the switch needed to be flicked in order to fully activate their security journey. And so, what we’re focusing on the centre is we’re calling it security activation research. And it’s going to be the behavioural economic components of how to get small businesses to go from some awareness of cybersecurity, to feeling empowered and confident enough to make that first change in their practices. And that first change might literally be picking up the phone to call my centre to ask for help. Like, I’m not asking for major steps, but then we take it one step at a time, and we’re going to have different, we’ve got some theories, and we’re going to test different methodologies. So, at the end of it, we’ll have the research to say this is the best way you engage small business to activate. And at the moment that research doesn’t exist globally.

AL: Can you also talk to the listeners around the jargon associated with cyber, which often leads to confusion, a lot of complexity and fear.

AM: Yeah, fear mongering. I mean, it’s a tactic as old as time. I mean, certainly there’s things to be fearful for but I mean, it’s no more fearful than you know, securing your house or your business from physical assailants, right, and we, we all go to sleep every night. Right? Knowing that our house is mostly secure, we know there’s always a risk, but the reason why we’re able to sleep at night is because we’ve probably mitigated most of those risks with, you know, our house. We lock our doors, we have windows that close, you know, we support each other as a community and as neighbours but because that’s not as well-known of how to do that in the cyberspace, it becomes a bit more fearful. Now the jargon does my head in to.

AL: Same.

AM: Like honestly there is like a new term every three and a half seconds, and it means the same thing as something else. So, while behavioural economics sounds like the super complex thing. It really isn’t. It’s just how to motivate like your child to eat vegetables, same kind of thing. How do you motivate a small business to put on a control? Now, the only term that really does my head in is the term, hacking. Because hacking isn’t criminal, always. Okay? Most hackers are actually, I would say good. They’re out of curiosity and not to break into your systems. Criminal hackers are a different matter altogether. And so, the media confuses and can funds that quite a bit. At the end of the day, what the listeners should know is that, you know, look, there’s a bunch of kids learning how to hack onto systems, and they might break into your system by accident. But those aren’t the people in your system on a daily basis trying to steal your money, your funds and your assets. That is highly organised crime, highly organised crime, as organised in some instances as technology businesses, very successful technology businesses. We’ve done some investigations and in one area of Makati like the whole online scam occupied four floors of like a 40-tower building. It’s a company. When we say organised criminal, we mean organised criminal enterprise. And it’s as organised behind the scene online as it is even like to go to the actual premises where they have physical premises where these things operate out of. And they do as much research as we do on this. And it’s not like they’re not the only that they’re employing all the same behavioural economic components when they go to scam you or rip you off. And so, it goes both ways.

AL: How do you say that playing out locally, we’ve seen an increase in cyber-attacks. If we just look at ANU, the Nine Network, we look at JBS meats just to name a few even TOLL. Is it those sorts of local case studies so that the experiences we’re having with organisations based locally in Australia that’s actually helping that emotive response you just talked about with CEOs making decisions and investing in cyber?

AM: Well, it isn’t it isn’t. So, it is right. So, the more we talk about it, the more CEOs that okay, I really need to, you know, pay a bit more attention to this. But it’s not an Australian problem. It’s a global problem. It’s not unique to Australia by any stretch of the imagination. But what is unique is maybe the, so I see American firms at the moment. I’m not from America, but I see them gearing up and ramping up really, really in a serious way right now, because of the situation with retro on the Ukraine border. And because of the China situation with boats being deployed across all sorts of islands, they’re gearing up for major incidences, and there’s no reason to think that Australia won’t also be hit with the same stuff. Because we’re an ally, like da, figure it out. If you’re a CEO listening right now, your part of that doesn’t matter if you don’t contract to defence, if you supply to anyone in the supply chain, and any of its related to critical infrastructure or other. You’re the weak link, and that’s where they’re going for, they’re not going to try and break into the defence system, it’s you and you will suffer damage regardless, even if you’re not the target directly for stealing assets or other.

AL: And that’s where my question was coming from, I think we do sometimes have a mindset here in Australia, that it’s not going to happen to us. And I do think it’s different reading in the papers about what’s going on overseas, to actually reading about things that are happening here on our shores, and the implications to business.

AM: So, it’s really hard if you’re journalists, to get companies to come on air and talk about it. So, when companies do that, right, like they almost deserve bravery metals, because they’re really worried about public perception. And of course, that makes sense if you run a business. But honestly, it’s far more important now that you get out there and you tell the story so that others realised, they are just as prone to be attacked, there’s no business that isn’t going to be a subject of a cyberattack. And the other irony is that a lot of businesses we’ve spoken to said they never been hit. And we had a look in their systems with one company in particular. And they had they just didn’t know.

AL: They didn’t know that they had been.

AM: They don’t have any expertise to look at it. So, they don’t even know when they’ve been hit. There was another company hit by ransomware all their data tied up and you know, they were contacted, and they’re like, Yeah, we’re not going to do anything about it. And we were just like, Okay, well, maybe that’s your business model. And then a few weeks later, right, like a month after they let it lapse, they’re filing for bankruptcy now. The lack of awareness of the types of damage that a cyber-attack can do is, you know, it’s a little bit mind boggling at the moment.

AL: And not limited to the actual incident, it’s that that’s 12 months, 24 months even longer sometimes post the incident where the business is still, I suppose recovering from that.

AM: Because they have to switch a lot of systems over, they have to switch practices like there’s a long journey after you’ve been hit. So, the smartest strategy is to start to take a shorter journey every week, in order to mitigate your, you know, eventual losses when you are hit with one of these. For me, that’s really important research lies how do we activate a whole nation to flip the switch to know that Australia is an island far away from the maddening crowd. But in cyber, there’s no physical distance, you don’t have any advantage being here like zero advantage if anything is just the opposite. Because we’re not as tuned in with what’s happening overseas.

AL: So, leading on from that, really around the case studies and the emotive response to I suppose action to be taken. I know that you also work globally on cybercrime investigations. And as someone who loves variety, one thing I envy is you have loads of it, which is fantastic. You mainly do work in investigations around online fraud and money laundering. Based on what you’ve seen, are you able to share, and you don’t need to name the details of the organisation but share a few stories with us about what some businesses have actually experienced to help our listeners really understand those as case studies.

AM: So sometimes we’re contracted by someone who’s lost funds. And that could be someone you know, with a small amount, but they quickly realise they can’t afford the services. But if we find another 200 people have been hit by the same scam, and everybody puts in a bit of money, then it gives us enough money to go and fuel the investigation. And then in other instances, we have very wealthy clients who just really want to know who has scammed them, because they’re really upset about it. Sure. And getting the money back is great. But what we uncover is it honestly, sometimes it’s surprising, but often it’s the same thing. I’ll give you three examples. So, one is organised criminal syndicates, operating in different parts of Southeast Asia, but it’s never a Southeast Asian person running the syndicate. They’re all highly educated people from the West running their organised criminal syndicates in countries that allow for cheap labour. And the ability to buy to pay feast is to say, corrupt for officials and other. So, that’s not really going to come as a big surprise to people, right, that’s been happening for a long time. But the second one will. So, there are whole economies right now as a nation states who a third of their economic assets come from the proceeds of cybercrime, now just take a seat, a third of their economy, runs on cybercrime. It’s the product and the service that they’re delivering. And it’s how they stay afloat. And its often countries that are being sanctioned globally, by our political systems, and I’m not going to comment whether that’s fair or not, I’m just going to say that that is what’s happening at the moment. And so, they take the money where they can, and that’s what they’re doing. And in the third instance, oh, look, it’s also probably not going to surprise you. It’s, you know, corruption, funnelling terrorism, so terrorism at the moment isn’t being funnelled by, you know, the kind of investments that it has in the past, a lot of it’s being funnelled through online scams and cybercrime again. So, in addition to terrorism, what we often find, though, however, is that when we do, we did one case, and I won’t say the country, I’ll just say that a government agency hired give us a contract to try and ascertain who was behind this particular incident. And we had a hypothesis going in, and it couldn’t have been any more incorrect if we tried. It was actually the hand of the whole of the governmental agency who hired us he was running the whole show.

AL: It’s like a TV show.

AM: It is, which is why, you know, this area is, you know, TV starting to want to do programmes on it, a lot of them.

AL: Alana, I’d love to get your views on, I suppose the impact that COVID had on the number of cyber incidents. And I’m really just reflecting on those three points you’ve just shared with us. Was this always going to happen anyway, or as COVID just accelerated the volume, I suppose, and the severity.

AM: It was always severe. It’s just accelerated it because you have additional people now who haven’t been able to make a living, so they have to do it somehow. So, they’re going to get into anything that they can to do it. And so really, it’s what’s the accelerated more or what I call the dumbass scams. Really. I mean, there’s been more ransomware attacks for sure. But the dumbass scams have really gone through the roof. And so, the dumbass scams don’t even target companies and CEOs. They’re far more targeted at individuals. So, all of us have things that we do all the time. I mean, I can’t go a day without getting some stupid notification telling me my parcel needs to be picked up, or I’ve got something to do here or there. And so, or the ATO or or, or or like it’s, you know, you’re inundated with those emails and texts every day. And now most of listeners are like, Yeah, of course, everybody knows that. Well, you’d be surprised, right? Like, that’s the only reason why you’re getting them just because clearly, they still work. If they didn’t work, they move on in their scams, and they and they put it aside. So, what I’m constantly surprised, and is that you think, right, you think all of the elderly are being targeted and for sure the elderly is definitely being targeted. And what we’re seeing here is because of COVID, and families haven’t been able to physically be with their elderly parents, or uncles and aunts more, and have a better gauge of what’s happening in their life. scamsters are taking a really, really, really disgusting view of that, and you know, phoning people up, and taking advantage of their loneliness during COVID. Now, that’s always happened pre COVID. But COVID is really exasperated the loneliness of vulnerable people. And that’s been very sad to see.

AL: It really is. So, you’ve got a big year ahead, you’ve got the centre opening. And what else is on your radar for this year?

AM: There’s negotiations happening around a range of things, but I can’t discuss what those negotiations are other than, yeah, I don’t know. I mean, I’ll always stay with the university. Because, for me, what makes me wake up in the morning is inspiring the next generation and preparing them to solve really hard problems, not the easy ones. And so, I’ll stay with that. But there’s certainly no shortage of really interesting offers coming through possibly TV, I don’t know, possibly radio, possibly CEO of a company, possibly, you know, spending part of the year in another country. And I got to say, that’s probably the most appealing to me, maybe in the next two years. As much as I love Australia and will always be my base. I’m ready to see a little bit more of the world. I’m someone who deeply loves to travel and meet new people and try new things and learn new things. And I find a lot of the discussions in cyber requires knowledge of other cultures and peoples and what motivates them and what doesn’t. And you can’t do that sitting from home.

AL: Alana, it’s been an absolute pleasure to have you on our podcast today. And the work that you’re doing is so important in making sure that organisations are prepared for a cyber event. And I really look forward to the centre opening. Key takeaway for me today is helping CEOs understand the decisions that need to be made to prepare for a cyber-attack. And that’s through case studies and really putting yourself in the shoes of the organisations that have suffered a cyber incident and reflecting on how you would feel in the same situation. Thank you for joining the podcast today. I look forward to having you join us next time. Thank you.