Logging in to the rapid growth cybersecurity business.

According to founder John Burgess, new franchise system Cybercillin is at the cutting edge of the cybersecurity space — the only system in Australia offering IT peace of mind as a service.

John Burgess

If you run a small to medium business and you haven’t already evaluated your IT security, then you’re just not paying attention. Cybercrime is one of the biggest risks SMEs are facing as business moves into the third decade of the 21st century.

Whether it’s identity theft, malware, phishing, hacking, scamming or ransomware, most businesses that have abandoned the world of pen and paper for the digital age have already had a few close encounters of a data breach kind. Such encounters can interrupt business flow, put intellectual property at risk and seriously damage the reputation of a business.

In 2017, cybercrime was estimated to have cost Australian businesses about $7 billion. Worldwide, the figure was more than $200 billion. And about 70 per cent of all cyber attacks target SMEs — which are usually not particularly prepared to deal with a sophisticated cyber attack.

That’s where Cybercillin steps in. The brainchild of one-time accountant turned IT guru John Burgess, he explains that Cybercillin is the only franchise system in Australia that targets cybersecurity as its primary focus — and has the support network and R&D component to back it up.

John was national IT manager for intellectual property specialist law firm Davies Collison Cave when he decided to set up his own IT business. Established in 2005, the Gamut Group specialised in automated document and knowledge management systems. From there it was a logical step into managed IT services. Gamut would eventually become Cybercillin’s parent company.

“We acquired a Melbourne-based software development company that added to both our technological and client base,” says John. “We soon began to provide IT services on a proactive, preventative basis for a monthly fee — as opposed to the old ‘fix it when it breaks’ model. We’d make sure all of an organisation’s IT systems continued to run optimally.”

The Silicon Valley of Eastern Europe

The next big step was all the way to Europe where Gamut opened an operations centre in Skopje, capital of the Republic of Macedonia, a country that had focused a lot of its resources on developing information technology research and education.

“About five years ago, we decided to increase our technical depth and opened the subsidiary in Macedonia,” says John. “It directly employs technicians who range from database and software developers to network administrators and cybersecurity experts. We’re helping to make it the Silicon Valley of Eastern Europe!”

John says the choice of location — on the other side of the world and in an opposing time zone — was a pragmatic decision. “I was at a conference in the US where the prime minister of Macedonia was a keynote speaker. It was obvious that setting up in Macedonia would give us access to a very skilled labour market and the advantage of a physical presence in Europe. The truth is, it’s a global marketplace and things like Skype and encrypted messaging make it easy to straddle those time and distance barriers.” Organisation in place, John became aware that cybersecurity was rapidly becoming a front- of-mind issue in the IT managed services space. He decided that’s where his company should focus its resources and effort.

Taking The Lead From A Call For Working With Skilled Labour Across The Globe

“Over recent years, we noticed a big increase in enquiries, from new and existing clients, revolving around the cybersecurity field,” says John. “And obviously we also saw a great opportunity for further expansion, but it was beyond our immediate ability to do that organically. The idea came to us about 18 months ago that this would be an excellent model for franchising — and we formed Cybercillin to specialise in this area.”

A holistic approach

Cybercillin takes a holistic approach, which means you don’t have to be an IT specialist to get on board. The Cybercillin process assesses various factors like management, HR, staff awareness training and procedural controls to determine an organisation’s “risk surface”. “We don’t see cybersecurity as specifically a technical issue,” says John. “A lot of the factors contributing to data breach and cybersecurity risk are actually human factors. Organisations are spending on sophisticated antivirus software and firewalls, but neglecting to take care of the ‘soft’ factors.”

One example of an area in which many organisations let themselves down is “password hygiene” according to John. “It’s very common for people to re-use credentials in multiple websites and online accounts, often the same ones they set up in their internal work systems. Unfortunately, when you do that you trust your access rights to the security of the organisation you create the account with. You don’t even have to have your own system hacked for that information to be lost.”

To illustrate the point, John mentions the work of the Cybercillin security research team, who are constantly trawling the “dark web” looking for evidence of lost, stolen or compromised credentials. “We’ve accumulated a database of well over a billion plain text passwords stolen by hackers. Statistically, a large percentage of those passwords would still be valid.”

Using the recent Facebook hacking, which affected about 100 million users, as an example, John notes that a month after being notified of the breach, around 50 per cent of users still hadn’t bothered to change their passwords.

“On an individual level you can accept the risk, but from an organisational perspective, if your passwords are compromised, their systems can be accessed so you’re also putting them at risk,” he says. “People often don’t understand the consequences of their decisions, and part of our process is to help organisations put in place policies and awareness training to ensure those risks are minimised.”

John says the SME sector is seen as a soft target by cybercriminals. “They’re least equipped to deal with the problem. They don’t have the time, resources or in-house expertise that the bigger end of town has. Our franchisees help them through the process of doing an internal audit of their information security, which produces a risk analysis report.”

The audit, completed with Cybercillin’s custom software platform, allows the client company to develop a training program and policies to address its information security needs. Tech support is available 24/7 through Cybercillin’s security operations centre — whether it be via online chat or support request, or through direct personal contact.

Recognition Of The Need For More Robust Cyber Security Is Rapidly Growing With Every Breach

“We deliver cybersecurity as a service,” says John. “We’re not just going out trying to sell firewalls and antivirus software because none of these things remain useful for very long unless they’re proactively managed to take account of all the new threat techniques that are emerging as attackers respond to the techniques companies put in place. It’s like locking the front door and leaving all the windows open.”

Speed and complexity of change

The biggest challenges in the cybersecurity space relate to the speed and complexity of change. The types of cyber risk happening today will always be different to those happening a year ago. John uses “cryptojacking” — the process of stealing computer resources to mine bitcoin or other virtual currencies — as an example.

“There’s was a big spike in cryptojacking in 2018,” he says. “Unlike ransomware, which is a direct attempt to extort money by corrupting your files, you might not even realise cryptojacking is occurring until you start to see bigger bills for your internet connectivity or your staff complains their computers are running slow. It’s warfare, there’s no other word for it. You create a defensive position, attackers respond in new ways and you have to adjust your defences accordingly.”

Aside from business and reputational costs, new data breach reporting regulations also mean businesses can be penalised for being too lax with cybersecurity. John says that in Australia, until the introduction of mandatory data breach reporting earlier this year, this was a risk that only applied to large corporations. “It’s a really big issue from a regulatory perspective. Companies can incur multimillion-dollar penalties for breaches if they don’t comply with the scheme,” he says. “Even operators and executives can be held personally responsible and fined.”

The penalties can be even stiffer when companies are trading offshore. The European Union’s stringent General Data Protection Regulation (GDPR) for example, applies to any companies trading within the EU. “There was an example recently where British and Dutch regulators fined Uber more than US$1 million in relation to a data breach that had happened in 2016,” John says. “Even though US law didn’t require Uber to do anything about it, because some of the affected records were those of European Uber users, the company was penalised.”

Franchise operation

The Cybercillin franchise operation was launched at the Melbourne Franchising Expo later last year and initial interest has been impressive. John says they fielded more than 100 enquiries in the first three months and have already established four fully paid-up franchises with another couple in the pipeline. Cybercillin have identified 60 promising territories in Australia and expect to fill them within two to three years.

The Cybercillin Franchise Offer Was Launched At The 2018 Melbourne Franchising Expo

“We’re expecting a steady inflow of people interested in becoming cybersecurity specialists,” John says. “We’ll provide the necessary tech training for them to understand the risks their clients are facing, but they don’t have to become IT experts because we’ll also supply all the tech support they’ll need. Our franchisees can concentrate on providing business consulting and relationship management services, confident that we’ve got the resources and geographical reach to deal with any problems.”

Given that organised crime is now operating just as enthusiastically in the virtual world as it does in the real one, John sees no shortage of opportunity for Cybercillin going forward. “Until now, SMEs have had to rely on their local IT company to help them with these issues, but taking that approach is no longer efficient and organisations are realising they need to work with specialist brands that understand the extent of the problem. It’s an exciting space, but at the end of the day, it’s simply good risk management.”

Interested to know more about John? www.franchisebuyer.com.au/fran...