James Turner

James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor; researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. 

Read latest work...

Connect with James

Have a specific question James Turner?

Email

Conclusion: Security awareness campaigns are essential for educating staff on security behaviours. However without staff engagement, these campaigns can fail to change behaviour – and behavioural change is the only outcome that really matters. Instead of continually focusing on security for the work environment, start focusing on esafety and educate staff on how to protect themselves in their online lives outside work. This has the benefit of informing staff on many of the risks that they can face personally, as well as educating them on practices and technologies that can help. Training staff on esafety also has the additional benefit of being the right thing to do and demonstrates corporate social responsibility.


Read more


NewsThousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or technology problems, according to local industry experts and recently conducted research.

Mandatory data breach reporting laws come into effect in Australia in February, years after they were introduced in other countries, such as the US, but a new study by cyber security provider CyberArk has found 44 per cent of Australian businesses are not fully prepared.

While it is predictable enough for a security vendor to warn that businesses need to worry more about security, independent Australian cyber security expert James Turner, of IBRS and CISO Lens, said small businesses were "absolutely not" prepared for the new laws.

Full Story

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that cyber criminals were unaware of the flaws.

Australian cyber security expert James Turner, of IBRS and CISO Lens, told The Australian Financial Review just because these flaws were unlikely to have already been exploited, does not mean they could not be in the future.

"This is the exact reason why the security industry was screaming all through the last few years about the importance of security for the internet of things. The internet of things is billions of different devices, growing in size every month, all based substantially on hardware," he said

"It simply won't be economically viable to get everyone to replace the CPU on their TV, fridge, Alexa, lightbulb, thermostat, electric lock, and so on, just because we've found another hardware flaw that impacts billions of devices that are all hyper-connected."

Full Story

Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamefied imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.


Read more


Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.


Read more


 

The adults in the lives of young people need to know more about security and safety in an online world and they could be learning this at work

The Office of the eSafety Commissioner deals with some of the most confronting aspects of abusive behaviour on the Internet: child exploitation material, image-based abuse, and cyber bullying, to name a few.

Julie Inman Grant, the eSafety Commissioner, is dedicated to helping ensure young people have positive experiences online.

To this goal, in the first week of November, the Office of the eSafety Commissioner, in conjunction with its New Zealand equivalent NetSafe, hosted Australia's first online safety conference.

About 400 delegates from around the world came to share ideas, approaches and research in the area of cyber safety.

 Full Story

Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.


Read more


Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.


Read more


Commonwealth Bank of Australia has admitted it is culling the number of technology partners it works with as part of a cost cutting drive that has some industry observers concerned it is stepping back from its previous leadership position on cyber security.

CBA has been the subject of ongoing rumours in IT circles that it is taking the knife to its celebrated technology operations, and chief information officer David Whiteing confirmed to The Australian Financial Review that changes were under way, including some cyber security work going offshore.

However, Mr Whiteing rejected suggestions that any of the changes would compromise the quality of work or the bank's resilience, and insisted that the bank had not retreated from the national cyber security arena since the departure through ill health of its well respected chief information security officer, Ben Heyes, last year.

"The reality is this is a very competitive space and we have a global perspective around talent," Mr Whiteing said.

 Full Story

When was the last time you had a delightful customer experience with insurance? Well, we need to talk about cyber insurance.

In 2013, the Financial Ombudsman Service penned a circular titled "Queensland floods – lessons learnt" and there are useful ideas for us to bring to the cyber insurance discussion.

The Financial Ombudsman Service noted that among the improvements between the experience of Queenslanders claiming on flood insurance in 2011, and then 2013, was the standardised definition from the government of what a flood is. Words matter.

It's easy when we're dealing with fire, theft and flood. Well, at least in theory it's easy. We've been dealing with natural disasters for millennia. But the cyber domain and the risks that come with it are comparatively new, and evolving rapidly. A year is a long time on the internet.

Full Story

Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.


Read more


Telstra has taken a high-profile step in its bid to establish itself as a significant player in the booming global cyber security market, with the official opening of the first of a string of new security operations centres, aimed at increasing the work it wins with government and corporate clients.

The multimillion-dollar Sydney centre was unveiled by chief executive Andy Penn alongside federal Cyber Security Minister Dan Tehan on Thursday afternoon, as the company continues its mission to prove to investors it has a solid post-NBN plan.

Telstra shares were hit hard after its annual results, led largely by Mr Penn announcing the company's much-loved dividend would be slashed by 30 per cent. Investors are now looking to the CEO to demonstrate that the company is on the front foot in establishing business lines in growing sectors.

Full Story

Conclusion: The recent high profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking, we need a formalised capability to respond to global and national malware incidents.


Read more


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more