Cyber Security
So look, folks, conscious of time, it's a lunch and learn and we're delighted to have you with us here this afternoon. We're recording this session, from a GDPR point of view, so just to keep you advised: if there's any issue please feel free to step off. I'd ask you to mute your microphones as well, for those of you who are stepping on, and I'll keep an eye on the links in terms of progressing over the next half an hour or so.

So, really excited to be taking the super State out again in terms of the IMCA lunch and learn modules. We've had a really powerful series over the last couple of years, and we take a little break for the summer, do some fly fishing, do some R&R, watch the rugby and so forth and so on, but now we're back in the saddle and we're taking it out with a bang today with our colleague Lawrence Belcher. Lawrence, you can clearly tell from his accent, is born and bred Irish, or his mum is, and he was, in fairness. So we were just discussing earlier, he's of Dublin origin, so we're a yin and yang: even though I was born in London I'm living in Dublin, and conversely Lawrence was the converse of that, so we're like a mirror, only our mothers can tell us apart really.

So the Institute is excited, as I said, to be partnering with Diligent on this particular issue, and we have a series of speakers coming up over the next period, and again it's been a very fruitful one in terms of knowledge sharing and best practice in the respective fields, particularly those related to corporate governance and the whole area of management consultancy. What we're looking at today is really cyber security, and we're going to have a chat and we look for your own kind of input, and if I could ask you maybe just to fill in any questions you have in the chat box and we'll bring them up to Lawrence later on.

But I mean what we've seen, Lawrence, over the period, it's been an extraordinary growth phase over the last 36 months, particularly as we've gone into Covid, and you're looking at, even in the last six months, the rise of AI-enhanced attacks and that escalation there, and that whole race and the sophistication in that space has really been evolving at a rate that is unprecedented, I would say. AI is really ramping up the confusion in the space, particularly for boards of directors and management consultants, in terms of threats and opportunities, and that space of zero trust architecture and where we're going in that space as well, and what that means for people, and to understand that zero trust architecture space. And again we've seen supply chain attacks coming down the lines and the applications for that, and it's been extraordinary, the overall reliance we have in particular areas, and once those supply chains are attacked and they go down, and we're seeing them more regularly, and indeed in the last week or two, somebody saw on the news last night another supply chain attack. We're seeing that as well. Quantum computing trends and threats escalating at a rate of knots; I know this is kind of like meat and veg to Lawrence, but for a lot of our members this is new terminology that's coming into the space at a rate of knots. Privacy regulations, GDPR, CSI Rd and so on, they're also coming down. Cloud security and the implications for cloud security, I guess, is prevalent all over the place, and a lot of us, although reluctant at first, have embraced the cloud, and a lot of our data is up in the cloud, whether it be in the European context or in the American context or here in Ireland, where a lot of data is actually maintained, with huge data centers here in the Irish context, so the implications of that in terms of cyber security as well. And ultimately the whole thing kind of is based on the human engagement as well, and the whole area of the short supply in terms of cyber security workforce; there's a huge issue there as well, I would imagine, in terms of getting specialists such as yourself, Lawrence. I mean you must be hen's teeth in terms of availability; you'd be very popular in the recruitment market from that perspective, so I hope they're looking after you well in Diligent there. So it's that sort of area that we'd like to maybe get your thoughts on, in terms of just hitting it with a bang and giving us a few snapshots: what's your sense of where the market is and where the big threats are at the moment? But we'll take it out from there perhaps, if that's okay.

Yeah, sure. Thanks very much, Patrick, that's a very honest introduction to me, and as you said, well, I think my accent betrays some of my family roots, unfortunately, which certain members of my family may not be too pleased about when I go back over and see them at Christmas. But, as it says, a quick sort of reintroduction of myself: as I said, I'm over here at Diligent, I look after the IT cyber security compliance element of Diligent. For those of you who aren't aware of Diligent, Diligent was founded in 1994 and has worked its way over the last 29 years, if my maths is correct, close enough, I think that's wrong actually, in terms of being the largest GRC organization in the world, and what I mean by that is very much in the depth and breadth of the organization, so things like 25,000 clients across the world, over 2,000 employees, 89 of the FTSE 250 and pretty much similar to the FTSE 500 as well, all across 130 countries, with organizational operational elements based in Galway. We've got a very large presence over in our Galway office, which I'm due over in September, I think, actually, to have a flying visit. I will be in Dublin as well at some point
for the Osaka conference, if any of you guys are also attending that. Of course we've got offices in the likes of New York, Budapest, London and across the globe as well.

But back to your question, Patrick, in terms of what we're seeing in the trends, especially for '22 coming into '23 and of course moving over into 2024. There's been obviously the advances of technology, and I think unfortunately, as such is the way, the bad guys, in terms of their technology and how they develop it, are probably faster than the way that you can develop either counteracts or even legal legislation to operate amongst that. You obviously made the point about AI: we've recently come out and seen, I think he was the head of Google AI, his name surpasses me, I think he actually has a twang of regret being such a spearhead in that market, as we've seen with ChatGPT and all these other offices of that nature. And that lends to, as we've all seen, supply chain attacks. Supply chain attacks is probably the most prevalent one, whether that's your internal processes and how you rank your vendors, and also making sure that they're at a certain level of security that your organization is willing to partner with them, whether it's based on location; I mean I don't need to get anyone to understand some red flags that might be raised if their head office is in Moscow, for example, and you're in a different part of the world. So all of these things are really coming together in terms of what is the best way and what's trending, and I think that leans into where organizations can be categorized as one: look into a restructure approach, I think, is probably the best way to consolidate the phrase. That's been done by a number of ways, whether that's leveraging technology; there's a huge amount of software out there for various things such as firewall attacks, penetration testing, vulnerability scanning, of course the widest suite of GRC, whether that's your governance, your risk or your compliance, third-party vendors, privacy, all of these wide things.

But I think one thing that we've learned over the last couple of years, and especially due to Covid, due to the fractured nature of how we work, in terms of lots more people being remote, having things such as bring your own device: if I use my phone, for example, to hotspot because my Wi-Fi is a bit iffy at home, what's the threat there? Because I've just got an open network here. So VPNs have become more prevalent, and closed networks and things of that nature. As I've had many, many conversations over the last six months where organizations have now implemented technology, and what they deem as safe technology through their own due diligence, the key thing I think lots of people are understanding is that the more platforms that you have for certain areas of risk and compliance and all of these things, it actually creates a larger risk for the organization, because eventually all of these technologies are going to have to link together, because they all eventually flow up to, whether it's the CSO or even higher up into the C-suite, and ultimately the boards and the CEO. So we're seeing a very big trend in terms of: can we consolidate all of our platforms under a singular roof? Because, one, you've got the safety aspect, because you've got fewer contracts and fewer vendors, therefore the likelihood of a supply chain attack is drastically reduced, but also the ability to have a consistent approach across your whole organization. So if you're using a platform that reports in a certain way for, let's call it your quantitative risk analysis, your operational risk team, and then someone's got a vendor risk tool which consolidates in a completely different fashion, and the CSO just wants one singular report to have that single source of truth, it becomes almost a headache and it really is a difficulty. So one of the key phrases that someone in a government department once told me, when I was speaking to them about doing the very same thing, is they want everyone singing off the same hymn sheet, which I thought was a really good, simplistic way to understand the unification of platforms across your cyber IT, to make sure that you're doing things the right way. That is a key theme that we're seeing in sort of '23, '24, '25, because unfortunately, in the world that we live in, lots of the organizations tend to be a lot more reactive than proactive, and what I mean by that is it takes a cyber attack: "oh, that happens to those guys, it can happen to us." We've seen it in the real-life world, unfortunately, with different legislations. I'm sure we're all aware of the Manchester attacks a few years ago, unfortunately; obviously they looked into their risk assessment profile and their cyber IT and things of that nature, and I apologize, I'm going to be off topic here, but it turns out they were using three different platforms doing three different frameworks, and now there's a new law coming in that essentially says if you're doing it this way you essentially have to use a platform and communicate in all these kinds of ways. And it took for that to happen for the likes of Wembley Arena and all of these huge global event organizers to actually say, right, we need to be doing better, and that works. And also, obviously, we've seen what happens, I know it was a few years ago, obviously the Bank of Ireland had a big breach and obviously the fine that came out there, I think it was 1.75 million, it was.

It was, yeah. I mean they've had a few breaches more recently as well, whether they were breaches or not. I mean the HSE, which is our, the National, the NSA or whatever you call it over there, the National Health, yeah.

We've just changed it up, we call it UK HSA now, I think.

Okay, well we have a HSE which had a huge hack here, and Tusla. And I mean I suppose what the viewers generally speaking see is not if but when you get hit. I mean we seem to be in a constant threat landscape at the moment; it's an evolution from, as you say, people being reactive to a proactive, "get your attack in first" posture. I mean everyone is very aware and looking at data breach risks and all the implications of what that means in terms of the cost of those things, and the war for cyber security talent as well, as I mentioned earlier; compliance and regulations are escalating at a rate of knots on top of that, and equally in terms of reporting to the SEC or whatever it is in terms of the stock markets, there is an expectation there within that context as well. Personal privacy is a huge issue, but that's closer to third-party risks, and as it says, multiple platforms, Lawrence, I mean it's a very, very difficult one with the bigger organizations, particularly where they've got a lot of affiliates or subsets in terms of companies in different countries and so forth. So I mean that whole, I suppose, what's your feeling on user awareness and training to get people up, or what's the path of least resistance to get to that golden egg?

This is a very topical question, actually; it's something that I've spoken about with other organizations at webinars previously, that balance of technology, awareness and training. There has been a trend recently of investment into the future, slash younger, generation. I think it's fair to say that when we talk about cyber security it tends to be, obviously we'll fall into that category, there are, Lawrence.

Oh, it's fancy you ask, Mike. Yeah, I'm probably over the hill a bit, and I think we'll all agree that this world ages you a lot faster than others in
other areas. But in terms of obviously leveraging that technology, the younger generation have grown up with technology, so they tend to get their head around it far quicker, so apprenticeship schemes for cyber security practices, security awareness officers and things of that nature, even if it's just a compliance officer or a risk analyst coming out of university, or even grad schemes and things of this nature, they're far quicker to pick up the technology than myself. I'm no genius at the Excels or the Words; I'm constantly calling people internally to help me out with certain technology that we leverage here. So the awareness is critical and it has to be part of the company culture. Where we see organizations dramatically improve their company culture is when they actually get their policies and procedures in place, whether that's leveraging technology, clearer policies and procedures in plain English, for want of a better word, that people easily understand.

And that's what you're saying, and kind of get them when they're young, for, you know, the Jesuit term, but really at the point of induction, Lawrence, is that what you're saying?

Exactly, and if everyone's doing it in the same way. So if we're just talking about a standard cyber incident, let's just say you've lost your laptop and everyone's aware at training: right, if you lose your laptop you email this person, and here's the procedure that follows, because you'll need to turn off their laptop, you need to shut them out, lock them out, transfer over all of their files if you're in the cloud, or things of this nature if you're using SharePoint, Microsoft Office, all of those things. And those clear policies and procedures, when people understand what they're doing, it increases buy-in, because if people are doing it a certain way they don't quite understand, it's quite easy to say, no, I don't get it, I'll go back to my day job.

And do you see any role there for maybe incentives and recognition for employees who, for instance, contributed to a secure environment or enhanced environment, making them cyber heroes or something like that within the organization, or recognition? I mean I'm a great believer in simulated phishing tests, that you do blind tests every now and then on the organization and you target a few people and take a run at them and see if they stick to the protocol, and at the graph, "congratulations, you've won the Nigerian Lotto." It's kind of a feedback mechanism, something as old-fashioned as feedback mechanisms from employees. I mean I'm sure you're the same, but the amount of false news or spurious emails or texts, more often now texts or WhatsApps, you would get, if not on a daily then certainly on a weekly basis, you get one or two, and they're getting more sophisticated, they're looking very, if you're having a weak moment you could, like Father Ted, there was a famous scene many years ago, "do not push the button", and you could actually push the button and go down the rabbit hole. I mean what's your sense of dealing with those sort of things?

Again, I think you hit the spot in terms of the training and awareness, and we've had incidents in my former companies, considering I've always worked for a risk management company or a cyber security company, and they are getting far more sophisticated. I've got a text before saying "hi, it's X", and it'll be my CEO's first name, "can you double check this PowerPoint for me?" That's quite scary, to know that they can do that and get my personal number, not my work phone, and so, depending on how large your organization could be, you might not obviously be on a first-name basis or feel the ability to speak to someone at that seniority, so you would do it, and of course that leads into things. So I think the best policy really is those constant little bits every so often, rather than "right, we're going to spend an entire day in a classroom once a year with a consultant to say this is what we're going to do", because people will switch off after half an hour. If it's a lunch and learn about, okay, here's what a phishing email looks like, here's what you should do, here's how you report it, that's fine, get your head around it and go, and whether it's a monthly thing or a bi-monthly thing, all of these things can be implemented to make sure that it is top of mind, because it is really, in terms of what can harm the business and your own organizations the most, and it can be quite critical; it can be a very scary source of failure for anyone in the organization to give access.

I mean it's catastrophic. I saw it within the HSE: they were locked out of their own laptops for six months, I mean it was a crazy scenario, and I think it remains to be seen, it could have been down to updating software in an inappropriate fashion, I don't know the ins and outs of it. But I mean what are the takeaways from some of the ones you've seen recently, some of the bigger hacks? What would you say are the key two or three takeaways that you have front of mind?

I think the scariest thing for me is the size of some of the organizations that we've seen hit the hardest, so banks, massive social media organizations, I mean we're talking revenue of over 500 million pounds here quite easily, and beyond.

I've never heard, Lawrence.

Yeah, yeah, it's more the outdated procedures and technology. You'll talk to these people about, okay, let's sort of review where we went wrong, and you'll see that they've got 30,000 assets all in a spreadsheet that lives on someone's on-premise laptop, and it's, okay, what happens if they lose their laptop? "Yeah, I don't know." And that idea of obviously having that huge amount of responsibility is a single source of failure. Everyone I think assumes that because they're so global, and the technology that they give to the world in terms of social media and responsibilities and service that they supply, everyone I think assumes that they have very strict procedures when it comes to these kinds of protection and things of that nature. The honest truth is most organizations that I speak to are on spreadsheets, and it's probably got to the point where they think, okay, we should probably start investing in this part of our organization as well. So that is probably the scariest thing in terms of single source of failure, and these very easy things that can go wrong very quickly.

And I think it is funny, I mean there's an assumption that there's a couple of boffins in a room somewhere, whatever that is, who are gurus, black belts in IT, and
they can kind of work their magic and stuff like that, and everyone always assumes that that's there; that's not necessarily the case. I mean what are you seeing yourself in terms of, I guess, that whole area of emerging best practice or technologies? What are people using to stay ahead of the whole threat environment?

Yeah, so I think this falls under what I'd call re-establishing good practice internally, and the reason this is now coming around is, one, it's got to come from the very top, because they essentially hold the purse strings and they obviously can assign the budget for these very topics. So we're now seeing boards allocate budget for technology for this very purpose, because board oversight is now becoming far more prevalent. Back, I'm sure, a few years ago, and obviously way back when, it was very much like you said: they're in a room, I'm sure they're doing a good job, if I don't hear from them that's a good week for us. Now they've got risk and audit committees and panels, and now what we're seeing as well is that previously auditors would come round, or maybe vendors, and say, right, what's your IT security practice, and organizations would be able to say "we're ISO 27001 certified" and that would be enough. Now that's not enough; they actually now go, that's great, show me and prove to me how you got certified and what your practices were. So in terms of where the push is coming from, we're seeing more of a top-down approach to being able to be aware of the threats. I think that's a critical part: where can we be hit, where are we vulnerable, and off the basis of this awareness and view across the organization, from a holistic 360-degree view, where do we need to allocate these resources for that very reason.

And I mean, Lawrence, there's an old adage that ships were not built to stay in port, they need to go out onto the seas and trade, and I mean how do organizations strike that balance between usability and commercial endeavor and engagement with consumers in the world out there? By definition you have to go out to meet people and sell them stuff and get their checks back in, and security, when you're implementing best practices, how do you get the balance right? What is the balance? Do we look like monks, a Trappist monk in a monastery, and don't communicate, take a vow of silence, or how do we get around that digitally?

Yeah, I mean technology is always the way, because the levels of automation that can be manipulated and used efficiently now for all platforms we're seeing across the world, in terms of AI and how machine learning works, for the good reasons, let's say, not the bad reasons. It's very much that, okay, setting thresholds internally: there's always going to be an element of threat and an element of risk across your organization; understanding what level you're happy with is critical, and understanding, okay, what are we doing to obviously continue reducing it. What people need to understand, and I think it is becoming more understood across organizations, and when I say across organizations I also mean not just in their cyber security team, is that risk is not something that you do on December 31st to send out an annual report of here's what we're doing. It has to be a continual production across the organization, not just for those, like you said, stuffed in their room.

Yeah, exactly.

Everyone has to buy into this, and the best way that organizations I've seen have been able to get buy-in and really mature their risk profile across the organization is having a consistent approach, making sure that everyone's aware of their roles and what happens in terms of their procedures and workflows that are put in place for these very incidents.

And I mean, a lot of our members would be professional services to a large degree in that particular space, so would there be industry-specific cyber security risks that professional service organizations should pay particular attention to?

Yeah, I think the critical ones, and where organizations, of course, because most of these organizations, unless they're not for profit, will be commercially minded, it's what hurts them the most. So what would it mean to an organization if they failed their ISO 27001 certification? Well, in reality all of their vendors might start looking at them as a bit of an unsafe organization to partner with, and we've already spoken about supply chain attacks, so given that, accreditation is very important within that context. I think accreditation is very important to a degree; because of the cost it can take to get certified, we've seen organizations use it as a guideline, but whether they go and get fully certified is a very different topic, due to the cost of it, whether it's internal or external. So making sure that you're abiding by industry-standard frameworks, to make sure that everyone's working in the same fashion, because it has to be a community buy-in: if you think you're doing best practice and someone else in your industry is doing it completely differently, someone's probably wrong.

That goes back to your original theory that everyone needs to be singing off the same hymn sheet. Lawrence, one of our colleagues on the call asked the question: what advice would you give to medium-sized businesses who want strong security policies to ensure they pass the customer and supplier due diligence that you mentioned earlier?

Again, I think it would be, one, having an in-house team, an expert, whether that's an external consultant, to understand the procedures, and then clear evidence. I think evidencing here is the strongest element, where organizations, exactly, because it's all very well saying, okay, I've got all these policies in place, but if you can very coherently and effectively show that, okay, here's how we got ISO certified, because we're consistently updating and reviewing the effectiveness of all of our controls, here's the scoring we got and here's the evidence, that's a very quick way for a medium-sized organization to get the trust of a much larger organization that they wish to partner with, and obviously for the commercial reasons that can be a very lucrative relationship that they can then build.

Okay, and another question that's come in there is: how has the remote work trend affected the landscape of cyber security risks, particularly over the last 36 months, and ultimately what steps can organizations take to address these challenges? One, two, three, what would you reckon?

So it's been a very fast learning curve for, I think, everyone in this world. So the organizations that probably leveraged it the best were probably already, obviously, software companies, because you practice what you preach: being able to effectively communicate across the organization. And again I think the real benefit of that is, because obviously we're all remote and it's a lot harder to reach out to the head of IT for help if you're sat in your own room rather than sitting across the hallway and talking to someone else, it's those policies and procedures. So if you've got that single source of truth of, if this happens, here's the next six stages that you do, and therefore the automated workflow would then trigger, depending on the severity of the incident, the correct person, and it flows very consistently. If everyone's doing it very ad hoc, it's probably going to end up in the wrong person's inbox, who will then ignore it, and then when it comes to review you'll understand that actually it's now turned into a major incident. Whereas if you had a consistent approach across the
organization which at training and at induction of that employee was very much written in paper and they had the correct training it wouldn't be it very much mitigate um the risks and obviously risk is is okay and it's manageable because it hasn't happened yet but once it starts elevating into incidents that's when things like fines and and restructuring organizations takes place okay I mean it's very much kind of uh in the Zeitgeist and I think that's the general experience that a lot of the mid to larger scale organizations that we deal with are finding and I mean in your own experience uh you know when and I suppose to paraphrase a question that come in I mean how of these um you know when you're seeing major instance at the moment of the evolved over the last kind of couple of years and you know what sort of tactics or techniques um are you seeing more prevalent in the last six months or are there any particular Uber trends that you're saying hear a red flag keep an eye out for these guys yes and no I think there's far more communication within uh sectors and verticals now I think I think that's critical and there's and that's been spearheaded by I I'd like I'd like to think the government whether that's because of a major incident has happened to one of the big guys and then they all get together in a room and say right we've all got to be doing better here because we don't want to be the guys on the front page of the news saying that okay Bach obviously Barclays lost 35 000 customer data that's an example I don't know if they did I've just off the top of my head so things of these nations obviously we've seen of con Regulators there's new there's constantly new regulations coming in but when these new regulations are coming in there tends to be a element of um discussion and opportunity to write and review within the organ within this within the sector the the Telecom industry has got a new uh a new act coming out called the Telecom Security Act in 2024. 
that went through a huge review and the likes of BT Vodafone O2 Virgin Media all has an input of what was best practice and how they can leverage all of these things automation's always key because that really reduces human error as well so if you've got a really good automated workflow the level of Automation and again it has to be correct automation it has to be correct technology and has to be done for the right purposes there's no point just chucking technology at it if it's not the right if it's not the right fit but when we see automation using the correct way we tend to see human error reduce which obviously reduces risk and by Nature compliance increases which increases confidence across not just the organization but the industry and most importantly probably your customer base um I'm reminded of of uh the uh you know the the rise of AI in terms of uh poor Arnold Schwarzenegger all those years ago and uh he certainly come back with a bang but in terms of security budget constraints you know that's clearly one that cisos are having a struggle with and I'm going to ask you uh one of our colleagues just asked the six million dollar question Lawrence so in the old days there would have been kind of metrics in terms of say you know percentile a budget that you should uh you know equate towards marketing say it was 10 our advertising might be X you know maybe 10 or whatever it was so you'd have different cost socks or cost buckets or whatever silos what's you know what's the metric what's the ratio for cyber security that's a very good question I think it's one very bespoke to each organization I actually went through this that's that's an opt-in and that's that's uh it's not um your hospital so so what I mean by that is I actually went through this this conversation a few days ago with an organization and it's very much in terms of what's the most important and why why are you leveraging this technology what are you guessing out to it what what challenges is it 
solving for you guys. So, most especially, the mid-tier organizations tend to be understaffed and overworked. So if that means they're spending, I mean the example I can give is I was talking to an organization and one guy added up, we added up, he spent about 300 hours a year just doing reporting for his weekly reports, monthly reports, quarterly reports and annual report. 300 times his weekly salary, and whatever it was it added up to a huge amount of money that they're spending where he should be doing other things. If the technology can come in and automate that entire process, he gets 300 hours back a year to do something else, whether that's endpoint descriptions, vulnerabilities, firewalls and things of that nature. So being able to quantify in that manner is critical, whether you want to start leveraging things such as your GDPR fine, which is what, two percent of revenue.

I'm going to put you on the spot, Lawrence, give us an average percentile.

Somewhere between five percent is probably a good starting point, depending where you're coming from, because if you're using a spreadsheet it's very hard to go to the board and ask for a huge amount of money when there's no spend already. So being able to understand what the threats are, or if you're already leveraging technology, that's probably a stronger perch for a discussion there. Because if you have never had a breach before and you've been doing a great job, but you've been working everywhere under the sun and you're a single source of failure, you go to your CSO or the CEO and say actually I'm overworked, I need a technology that's going to cost 50,000 pounds to do what you're doing now, he's probably going to turn around and say but I'm not spending any money right now on technology and there's been no threats. So being able to obviously get the buy-in from the top down in terms of being proactive and what could happen, and it's not about scaring the
board, it's about making them aware of it.

Lawrence, good, and as you equally said, if there hasn't been any security threats it's probably because the software has been working, so we need to keep investing in it. As an aside, as a management consultancy profession, I suppose we're always in that space of the evolution of costs, in terms of being mindful of offering value and so on, so that's why we could ask that question: what sort of price metric are you looking at for a particular area? So that five percent, ten percent, that sort of metric sounds about right, maybe even a little bit low because of the complete reliance that organizations have now on technology. The paper-based system doesn't exist anymore; even from an invoicing point of view everything is invoiced digitally now. So, conscious of time, and another question has come in as we're coming to the end of the session here, but if I was to ask you, one, two, three, what are the three top current cyber security risks that you're seeing at the moment?

Supply chain risk is probably the top one.

Okay.

One because of, I think, the volume is probably the key thing here, and because of the nature of supply chain, where it'll go through so many different teams. So the cyber guys and the third party and the vendor's teams will have a conversation about it, procurement are probably going to get involved as well as legal. That's three different teams; if you're on a spreadsheet here, or we're all talking over Word documents, which can't be evidenced or anything like that, you don't know what changes are being made. Being able to evidence it, that's a real problem internally. So that's probably the key thing here. Data breaches, that's always going to be a huge concern.

Yeah, and the cost of dealing with them.

Yeah, the cost of it, and it's not just obviously the fines and the cost of dealing with it, it's the
reputational damage that it can cause.

Yeah.

And of course data breaches tend to involve personal data, whether it's just my name and my email all the way down to, of course, my bank account details and things of that nature, and that goes far beyond whatever fine might be levied, because once you've lost your reputation, people will go elsewhere and it's really hard to get that trust back.

Or even worse, the embarrassment of being outed, as a Manchester United cities where you know order or something like that.

Exactly, education involved, exactly. And then I'd probably say non-compliance, and what I mean by that is, again, these are very top-of-mind things. So you hear about organizations failing to comply with GDPR, and I appreciate that it may overlap with data breaches, but GDPR is personal data, people are very aware of it and it's very much top of mind right now. So if you've seen the news that this organization has got a huge GDPR fine, do you really want to sign up to their newsletter or give them any of your personal information? You probably don't, and again it's probably very, very difficult to re-establish that trust in the public eye.

Okay, and one final question from one of our colleagues there has come in: what's keeping CEOs, CISOs, directors awake at night?

That's a really good question actually, especially because those tend to be the ones fighting it at the very top level, and it's probably one of the newest C-suite roles that we've come about. Fear of the unknown is a very big one. If you can't go to your CSO and say what's our top 10 risks this week and he's spluttering and doing things of that nature, that can be something very scary, because ultimately somewhere in there is going to be a breach or an incident, and then someone's going to ask the question of why didn't you know, because it will
fall under him. And so that's probably, one, fear of the unknown, and that comes down to visibility and that comes down to accountability. So I want to know, if I'm the CSO, which team's looking after what, who's looking after this base of controls, is there a deadline, yes, why did you miss that, why wasn't I notified. So all of these things are coming in, and that speaks to preparedness. What we've started seeing, and if we're going to look ahead for the next five years, is there's been a massive spike in cyber security insurance, for obvious reasons.

An escalating cost.

Exactly. What we will probably start seeing, and this is something that I've listened to at certain speeches in America and in Europe actually, is that cyber security insurance will probably stop paying out if you're on a spreadsheet, because if you're handling that amount of data they're going to start considering it as recklessness, slash you didn't do your end of the bargain. Because you might have fire insurance, but if I leave my oven on with foil in it and it sets on fire, they're probably not paying out because that's actually on me. So there has to be a level of responsibility from both parties here. So having cyber insurance is fantastic and we're seeing a huge spike in it, but I think it's going to probably start in America, as things do, because of the nature of insurance companies and things of that nature, but for cyber insurance companies to really start hammering into what were you doing to prevent the breach and why should I pay out.

Gosh, that'll be a huge tectonic plate movement there in terms of spreadsheets, and that'll be an evolution in terms of how we go about our business. Wow, as a single takeaway that's extraordinarily potent, because if we see that, and it will inevitably follow, because once there are one or two big insurance payouts, as
there will be, that will, you know, we see that in the car industry, so it'll follow as night follows day. And the other takeaway I would take from that is, I suppose, unlike wine, bad news in terms of cyber hacking and all that doesn't improve with age. People need to know quicker, and the reactive time and response, it's 24/7. You really need to
get ahead of it as quickly as possible and, I suppose, advise all your stakeholders of the issue, outside of the 36-hour rule in terms of GDPR, which in itself is quite daunting, but I think you're looking at a two to four hour window at this stage in terms of effective response and getting ahead of it, which is very, very challenging. Lawrence, this has been really interesting, and I suppose I'm conscious of the time; we said people would have them out in 40 minutes so that they could have a bowl of soup or a sandwich. I don't know how to thank you, it's been exciting, you've shared an awful lot of knowledge with us, you're really good. I know a lot of people are going to be watching this later on on YouTube when we put it up, and maybe, if you're so disposed, we might have you back again later on in the year to put the fear of God in us and tell us what's happening further down the line, and we can all put our hands up and say who hasn't been hacked at this stage, it'll be like getting Covid. But in the meantime I wish you every success in your journey along the cyber career that you've chosen. Thank you for sharing your knowledge with us today, it's really been lovely to speak with you and I hope you enjoy the rest of your day. I think we've covered all the questions that have come in. Conscious of people's time, we're bang on the nose for 1:40, so people will be able to get that bowl of soup and sandwich. Thank you for joining us for the Institute lunch and learn, and we look forward to seeing you all at the next one, and thank you to Boardmatch and Diligent for sponsoring this event.

Oh, absolute pleasure, thank you very much Patrick. Bye-bye.
2023-09-20 03:40