Episode 38

Published on: 24th Jan 2024

Cybersecurity in 2024: Expert Predictions You Need to Know

Welcome to Razorwire, the podcast for all things cybersecurity and information security. I'm your host, Jim, and today we have a thought-provoking discussion with industry experts Iain Pye and Chris Dawson about emerging cybersecurity threats and trends to watch out for in 2024.

In this episode, we dive into three key talking points that are essential for cybersecurity professionals to listen in on:

  1. The accelerating risk of ransomware and data breaches, including the increasing need for continuous security testing and the challenges of balancing security tool costs with limited budgets and the speed required to adapt.
  2. The use, impact and potential threats of artificial intelligence on major global events including the elections coming up in 2024, in the context of societal and political manipulation, as well as the rising risks of identity theft, sophisticated disinformation and deep fake technology.
  3. The importance of operational resilience plans, the challenges of compliance and auditing processes, and the need for improved cybersecurity standards and training.

Tune in to gain insights from leading experts in the field on how organisations can prepare for the cybersecurity challenges of 2024. 


"What's your operational resiliency plan? How is your organisation going to have to learn the hard truths? Take a really hard look at what you're doing and go: if that falls over or it gets breached, can we keep running our business?"

Iain Pye

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:

- Technology vs. training: security advancements outpacing public knowledge

- Complex compliance: regulation challenges for smaller organisations

- Cybersecurity testing shift: from annual to continuous

- Offensive and defensive AI use anticipated to increase in 2024

- Reviewing technical security solutions and policies

- Budget struggles: balancing security tools and costs

- Call for government prioritisation in security training

- Importance of basic security measures

- Mistrust in mainstream media and information sources

- Artificial intelligence: potential risks and benefits


Resources Mentioned

GDPR

SEC

AI

Cyber Essentials

CSFI


Other episodes you'll enjoy


The Use Of AI In Cybersecurity – Consultants Roundtable

https://www.razorthorn.com/the-use-of-ai-in-cybersecurity-consultants-roundtable/


Lessons from an InfoSec Icon: A Fireside Chat with PCI Guru Jeff Hall

https://www.razorthorn.com/lessons-from-an-infosec-icon-a-fireside-chat-with-pci-guru-jeff-hall/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


LinkedIn: Razorthorn Security

YouTube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com




All rights reserved. © Razorthorn Security LTD 2024



Transcript
Jim:

At the time of this recording, we are right at the end of 2023. This probably won't go live, obviously, till 2024 or the early part of 2024. I've gathered my professionals to discuss what we see as an issue going forward into 2024, into 2025, and maybe have a kind of like bit of a discussion about some of the things that we're concerned about, which by proxy, you should probably think about yourself. And let's see where we go. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends, through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space. So, 2024, it's the end of 2023. Let's have a quick recap of what has occurred in 2023.

Jim:

We have had hack after hack. I haven't seen a week that hasn't brought up some every day high level. I mean, sometimes it is. In all honesty, it has been a ridiculous amount of ransomware attacks, ransom attacks, people being shot, to various different ombudsmen and institutions who control areas like the SEC, for instance. Our last debate, which has gone live at the side of this, was about how the SEC are going after SolarWinds CISO for various different reasons, which we went into on the last one. So I'll let people kind of go back and look at that. We've had updates in compliance, obviously. We've got up and coming PCI DSS version four coming out.

Jim:

ISO has been through an update. NIST has been through an update. We've had Biden get on his soapbox and talk about securing AI. We've had the UK government getting on the soapbox and talking about securing AI, and we have had quite a bit of laser focus from a variety of different interest groups outside the security space who are really looking at security as kind of like a big key aspect of business going forward, be it government institutions looking at their own security and going, it's pretty crap, really, isn't it? Through to organizations going, I think we need to update what we're doing. We may or may not have more budget for it. It's been a bit of a funky year, 2023, hasn't it?

Iain Pye:

Yeah. It's one of those years that's also been brought with global conflicts. Yes. Ukraine, what's going on in the Middle East, obviously. So, yeah, to be honest, quite frankly, it's been a bit of a shit bag of the year. I have to see the back of it.

Chris Dawson:

Do you find that the physical global conference that's happening, are they sort of taking away some of the limelight from the digital world? I know the ransomware attacks and the phishing attacks are still going on, but instead of being like, forefront of the news that the conflicts have taken a little bit, taken the limelight, and then hackers that have been able to just go back into the dark a little bit and had a bit more of.

Jim:

A free rein, I think it's been compounding it. I think what it has shown is that now the sabers are rattling in various different parts of the world. You've got people who are normally pretty quiet, who are also starting to rattle the sabers. And then we had the big water company hack, which was allegedly from certain part of the Middle East, who shall remain nameless. And I think what's happening is it's cause and effect, really. I think I kind of get the impression from speaking to various different people who are much more in the know than I am on what's going on on the dark web, although I do keep track myself as much as I can. It's kind of difficult with my day to day job, but there's a lot of state sponsoring going on of hacking groups. And if you're a decent hacking group that can prove your worth at what you can do, which, weirdly enough, always seems to be in kind of the ransomware space pretty easily, you can go out and get a bit of sponsorship through back channels from a variety of different organizations who may or may not be related to government affiliated organizations to get remit to go out and attack what they consider their enemies to be.

Jim:

Has it taken the limelight away? I don't think it has. If anything, it's expanded it.

Iain Pye:

There was the UK government came out of December, Russian sponsored state attacks were ongoing hacking activity as well. Calated to the UK electoral commission. Got happened in August as well, where.

Jim:

You got like somebody opening up a phishing.

Iain Pye:

Yeah. 4 million people's personal information. They managed to gain access to it.

Chris Dawson:

I was just wondering if it's. I mean, I know, but the two always go related, don't. The digital world is always going to be carrying on and we're always going to say, Russia are hacking this. Russia had a hand in X, Y and Z, but then if they start smashing windows over here, we stop looking at that and then concentrate on the windows. Is that more of like a smokescreen?

Jim:

I see what you're saying, and I think if we were talking about this, say, seven or eight years ago, where people actually trusted the general media. True, then we would see that kind of activity going on. But I think since kind of all the stuff around Covid, whether you accepted it, whether you didn't accept it, whether you got the vax, whether you didn't get the vax, whether it came from a certain part of China in a certain lab, that all of this information we found was completely, massively manipulated and suppressed. I don't care whether people are on one side or the other. I'm just looking at the cold, hard facts of the way media has been manipulated. And finally, the public, although most of us have probably known this for quite a while now, especially in this space, that I don't think anybody trusts the media anymore. I really don't. People are going to YouTubers, people are going to Instagram, people are going to Reddit.

Jim:

I know people who listen to the media read between the lines and then go off and find the actual information elsewhere, I don't listen to the news anymore. I'll be honest. There would be a time where I'd sit down and listen to the news of an evening. But quite frankly, I don't trust any of it because it's been proven to be full of crap anyway. So I don't know. I think independent media and independent reporting has shown, as well as information coming out of the breach notification websites and the various different, the ransomware sort of attack websites and breach notification websites where they try and force you to pay, has actually shown how bad the situation really actually is. And it doesn't help when you have companies or organizations actually coming to the fore and saying, we have had a security issue because they're being forced to do it, only to find out it wasn't them necessarily that got hacked. It was their third party who got hacked.

Jim:

And it wasn't just their information that got released. It turns up that it's a ton of other organizations as well. I mean, we're going to probably go on to how the changes in the tactics for attacks have been occurring shortly. But I think from a news point of view, the awareness around security has been so much better and so much better reported that, no, I don't think at this moment in time it has been detracting from anything else whether that will change when the elections kick off.

Iain Pye:

Is this Chris trying to put a tinfoil hat moment in again with his wonderful conspiracy theories?

Chris Dawson:

You know what? I did think about it then. I thought, we have done a conspiracy theory podcast, so I probably want to bring that in. But it just seems like you just mentioned on the media, you have this pretend virus, and then that doesn't quite work. And then. All right, let's push the wall. And that's not working. I'll push another wall.

Jim:

We have had it before. Obviously, we had it with that certain virus that was unleashed on a certain country's nuclear program.

Chris Dawson:

True.

Jim:

That came out and that was well before any of this. I think the problem is we just can't trust any information coming out of government bodies or definitely not state owned media like our beloved British Broadcasting Corporation or any of the big boys. I mean, let's face it, we've known for years that most of the media is run by at least, what, two or three blokes at the top who pretty much own everything. So it's just natural that people eventually, especially the younger generations, who are used to going elsewhere to get their. Their media or get their news, rather, that they won't. They won't believe the mainstream.

Chris Dawson:

Yeah, I think we've got a window of about another ten years before mainstream media know, obsolete.

Jim:

I don't think it's going to be that long, I'll be honest. I tend to like looking at pop culture and the way pop culture goes, because the way pop culture goes tends to be the way, because it's to do with quite often the youngsters driving it at this moment in time. And none of them like the current big boys or the news that's coming out. The current big boys, like Disney and all the rest of it, Disney, are on their knees at the moment. Every single film they've released in the last year has pretty much flopped. And the last couple of Marvel films or last Marvel film flopped even harder than pretty much anything else, whether you love it or hate it or whatever. And I think the pop culture has been going towards a lot of people who are just very mistrustful of authority and very mistrustful of where information comes from. I think it will mean that there's going to be a potential for significant misinformation and rumors starting up.

Jim:

I wonder why we've had so many breach notifications in the last year, because although it has sped up from previous years, it really has. We still had breaches back then. Big ones, too.

Iain Pye:

I think it's more of a reflection on. There are more requirements for reporting from a legislation point of view. There's that the SEC, obviously, they've got a bit more hardline with a canine form, and GDPR obviously has it. There's a lot more privacy legislations as well that require reporting to certain supervisory authorities, not just Europe, but, well, Brazil. DORA, look at China.

Chris Dawson:

Iain, what is the threshold for having to report? So I'll just have a quick read because obviously I've done absolutely no research for this podcast whatsoever.

Iain Pye:

From a GDPR point of view, it depends if it poses a high risk. Rights and freedoms of the data subject, the individual affected by that breach. So if it's like the bank details or basically if they got those details, if they go on commit fraud with those details, that would pose a high risk to that individual. You then have to inform the ICO in the UK, for example, and the data subject say, sorry, we've had a breach. So those are kind of the thresholds really, from a GDPR point of view, that you need to report within 72 hours. You need to inform the supervisory authority. So you've got that window and stuff like that. But a lot of organizations sometimes just take the stance of, well, actually, we're just going to hold our hand up here because it's been out in the news.

Iain Pye:

It's already been out, but we're still going to say, sorry, we've had a breach. Actually, you're not complete high risk. You are at some risk, but we're going to do the good thing and tell you what's going on. So you get those kind of cases.

Chris Dawson:

I was just having a research as we're talking, because there they are.

Iain Pye:

Because that's what you do. Yes, that's what I do.

Chris Dawson:

And some of the trends that they're looking at for 24 is obviously enhanced artificial intelligence attacks. But predicting that they'll attack more of a smaller business rather than the big boys, what's the compliance on them? Does it not matter on size of business?

Iain Pye:

There are limitations when you need a DPO and stuff like that, but in terms of the reporting, no, doesn't matter.

Jim:

Well, there's two things there, isn't there? First and foremost, DORA is going to definitely change the way things work in Europe come early 2025. But I think with AI technology being rapidly advanced at the moment, with a lot of companies working on it, a lot of bad actors working on it, pretty much everybody and their mother is working on it, they're not going to unleash their first set of tools on the big boys. They're going to unleash their first set of tools on much smaller targets so they can test that puppy out, see how effective and efficient it is.

Iain Pye:

You need that data to learn from so you're not going to necessarily get positive results from the big boys, so to speak.

Jim:

I think we're still away yet from really being really concerned about it, but I don't think it's as long as people think it's going to be. This is the problem with new technology, isn't it? It could either take ages to develop and refine, or it is refined in literally next to no time before you know it. I mean, look at the Internet. The Internet came out, it was horrible, it was slow. Didn't take long for it to speed up.

Iain Pye:

No, I think with the AI thing, it's a fear from, it's easier to make phishing emails and stuff like more convincing. What you see is the common approach, but making that easier to craft and to perform in terms of your way into a business which is usually really human. That's one of the big things that you'll probably see is more AI based phishing, like crafted phishing and stuff like that. And that not necessarily just email, but more three dimensional from a deep, from the voice, from ringing up a help desk saying, this is Jim, the MD of ring, his IT help desk. But he's not also. The deep fakes kind of roll into another thing that I was going to speak about for later, which is like the geopolitical risk that's going to happen the next year with all the elections and stuff like that as well, because you're going to get all that misinformation campaign all kind of gets swept into that, if you know what I mean, as well with AI being used as that. But you can spin it on its head. You can also use the AI as a defensive as well.

Iain Pye:

So you've got various products out there now that obviously won't claim to be AI and stuff like that.

Chris Dawson:

That is literally Terminator. If we've got AI fighting AI with air, we're almost there, aren't we? We're literally a robot.

Iain Pye:

Well, that's fine. They're not fighting against the humans. That is completely fine. That is not a Terminator scenario yet. It's not a Skynet.

Jim:

I mean, we are a few, I think. I did a podcast the other week on this one. Three of us discussed the future of artificial intelligence. We did a return to artificial intelligence, and I was very much the transhuman of the group. We had another person who was like, no, biology is everything and it's never going to be a thing, and I don't believe that it's going to become sentient. And then we had another person who believed it was going to become sentient. So it was a pretty good debate. We're going to get the rise in.

Jim:

We're at a unique point in technology. This is my point. You mentioned us a lot of deep fakes. Let's go down that route. It is going to be eminently easier if you have any type of presence on the Internet to create a video of you slapping a small child and then releasing it and said, Iain Pye, slap small child. Use me as an example. I'll use you as one. And before you know it, you're cancelled.

Jim:

Everybody knows that Iain Pye allegedly slapped a small child. Doesn't matter if it's true or not. It doesn't matter if it's true. It doesn't matter. It destroys lives. False accusations have always been a bad one. But the problem with deep fakes is you're showing what could be real. And no matter how much you say it's not real, people say, well, prove it's not real.

Jim:

Okay, so do you want me to prove it's not real or do you want to just.

Chris Dawson:

I'll just believe it? Yeah. You'd have to prove that it was a deep fake as opposed to it's not real, because you can't prove you haven't done something unless you was, especially that. Something nice and easy, like celebrity smacks child. Well, when did it happen? That's difficult to prove, I suppose. Surely it's easier to prove that. Look, what video you're seeing here is a deep fake and this is where it came from.

Jim:

But this is where I see the danger being, because in this day and age, with cancel culture being such a big thing, you don't need.

Iain Pye:

Nobody gives stuff about the fact checking that goes on. Yeah, it is a risk. You're going to see a lot more of that type of tactic being used, especially next year, because you got the US elections. Yeah, possibly a UK one. Belgium, I think it's got one. There's loads. There's 40. That's what I've read, anyway.

Iain Pye:

There's 40 elections going around on, around EU elections as well. Parliamentary elections. So you're going to get a raft of these deep fake style of disinformation facts going on. State sponsored, possibly a lot of them as well. Although it does kind of differ cybersecurity because of that attape that it can be used within organizations and for personal attacks as well, against a person to use to get personal data out of someone for you, then it could be used over bank account. It's that type of stuff. It all will be turned on its head to target businesses and individuals, not just those campaigning in these elections. That's one of my predictions.

Iain Pye:

Going to see a big uprising like deep fakes and use of AI in that sphere.

Chris Dawson:

2024, we're going to move from originally blackmailing a politician to creating a fake whatever, using deep fake AI to then blackmail on a politician.

Jim:

Or just create a voice. Just create a voice print and then get them to say whatever and say, oh, this was a recording done in a secret meeting over, blah, blah, blah, boom, all of a sudden. How can you disprove that that wasn't you? You could say it till you're blue in the face as a politician. And the people on one side are going to go, oh, I believe you, because obviously they're on that side. You're going to get a whole raft of other people who wish it was so on the other side going, no, I don't take that, because I don't want you to win anyway. Then there'll be a load of people in the middle who will flop either one way or the other, or sit there and go, I have no idea.

Chris Dawson:

It's a huge thing for especially, like, saying how many elections you've got coming up. It's purely because if you've got a backing, you've either got a backing or you haven't, and then you've got the middle people that you need to sway. Something like that sways them the opposite side doesn't. It doesn't matter what defense you have for it. If you're trying to sway someone to your side and they're sitting on the fence a little bit, they're not going to vote for you. If they hear the slightest thing, whether they know it's. Whether they think it's true or false, that's just going to tip them over the edge to be opposed to you anyway.

Jim:

So this is it. I mean, there's also that blended threat of utilizing artificial intelligence. So you'll have bots going out saying, oh, have you seen the latest video of so and so saying that they're going to ship weapons to these bunch of bad. Here. Here's the link to it, to the recording. It can happen almost instantly, and you can have what the AI composes anybody, and it can go out and say, I'm Frank, I'm Dave, I'm Phyllis, I'm Angela. And before you know it, I don't know, I just picked out names. Anyway, apologize to anybody out there called Phyllis on behalf of it.

Jim:

No, I mean, it's all blended threats. And it's not just threats to organizations that we've got to be concerned about these days. The information security sphere is rapidly widening because we can look after our organizations from a lot of attacks because we've got the resources to do it. But your average human being doesn't have an infosec person at hand that they can go to who can help them out. A few times you guys have been asked by somebody, you know, oh, I've had a bit of a problem with my laptop. Can you help me know how long has it taken for you to kind of help them out?

Iain Pye:

In Chris's case?

Jim:

Many years.

Iain Pye:

I'm going to say many years.

Chris Dawson:

Probably not as long as the average person, just by being in this world.

Iain Pye:

Chris will probably just go, have you spoken to, have you turned it off.

Chris Dawson:

And have you turned it back on again? Have you done a power cycle?

Jim:

That's it.

Iain Pye:

Classic.

Jim:

But we're at a stage where power cycles don't work so well anymore when it comes to security threats. In fact, it's probably worse to do the power cycle than it is to just leave it where it is. I think this is where 2024 is going to be very much a year for infosec. And this is why I think it's going to be important to get the right type of information out there as much as possible. That's part of the reason we do these podcasts and stuff. I know we like to take the piss, we like to joke about it, but there's so much misinformation about what infosec is and where it stands, and we need to kind of get out, really, that there are some significant risks, not only to our organizations, but our government institutions, and personal risks as well. And to try and kind of show people that you can live in your bubble and hope that something will never happen to you. But it's becoming increasingly the case where it will, whether it's tangentially through a third party, your bank, who screws up, and all of a sudden your account details gets given away.

Jim:

Somebody you bought something from has a failure, and your card details are nicked along with your name and address and what have you, in which case, identity theft becomes a thing. It's getting increasingly easier to have your identity stolen, especially if artificial intelligence is developed to a more sophisticated level, because it won't be a human that will be stealing your identity. It'll be something that's a hell of a lot quicker and a hell of a lot more efficient.

Iain Pye:

Skynet.

Jim:

Skynet, yeah. And that's when they create a cyborg of Chris who comes out naked and tries to kill us all or itself.

Iain Pye:

He realizes what it's become. A societal risk there as well. You can say you live in your bubble and stuff like that, but you could end up, because the risks posed by this disinformation and could end up with a proper right wing Tory government in place next year.

Jim:

You can end up with anything.

Iain Pye:

It's a societal risk at the end of the day.

Chris Dawson:

I can't believe he's brought a political agenda into this.

Jim:

I'd like to point out that Razorwire is a completely apolitical podcast. It's only Iain that has the very one way of thinking.

Iain Pye:

Like the Tories. Yeah, but that side, as a joke, it does have societal impact. It will have a sightful impact, potentially. It will affect millions. It might not affect you greatly, personally, but it'll affect the way that you live your life. So, down the line as well. So this is the biggest scope of it.

Chris Dawson:

Yeah. So jump on the back of that, what you're saying there. I think we have to prioritize training in 24 from corporate training, security teams and IT teams, even down to, like you're saying about individuals having someone on the laptop. I don't know how that's going to work. But to roll out actual training of what to look for, we're not saying that everyone needs to be a hacker or in IT and know what to do with it. My grandma's not going to know what to do that, but at least be able to see the signs. And I think a bit more training on that, bit more security awareness following.

Iain Pye:

On from that, though. When the poo does hit the proverbial van, it's more the, what do you do when the crack happens? What's your operational resiliency plan? And I think that is going to be a big focus for 2024 as well, because you've got DORA coming out, you've got all these Cyber Resilience Act. You got the UK company Resilience Act, which I can't remember it's actually called, which is a few years down the line, which is. But it's not just cyber focus, it's how do you keep your business running in one of these situations where it's happened to you, your data has been breached, or they've taken away critical systems, you've got ransomware and stuff like that. That is going to be a big thing for the big focus for going forward in 2024 and beyond, because of all the other wonderful legislation coming into place. It's, how is your organization going to have to learn the hard truths? Take a really hard look at what you're doing and go, if that falls over or it gets breached, can we keep running our business? Can we still serve our customers? Can we still do what we need to do? Can we save the lives of these people in the hospital? It's that type of stuff that I think is also going to be going beyond 2024. That's going to be a big focus as well. You got the cyber element, but there's the buffet part of the business as well.

Chris Dawson:

Yeah. What happens if our cyber size goes down? Does that interfere and stop all our logistics side of it, for instance, because it's all run digitally? We don't think of it like that. But, yeah, if someone hacks Amazon, are.

Iain Pye:

You going to have to buy runners just to run back and forth with a piece of paper?

Chris Dawson:

You just think of Amazon delivering your parcel from a van. But the digital side is what runs everything, isn't it?

Iain Pye:

Huge?

Jim:

But this is what I've got a big problem with. And years ago, the British government turned around and said, we would like somebody to come in and help us develop a security standard for IoT that we can set as a standard. So if you want to do any IoT devices in the UK, boom, you can do it to this standard. They went out and got the cheapest possible company or set of companies to do it. I mean, looking at how the UK has been handling their problems with inflation, or not handling it, depending upon what media you're eating, if they can't handle simple economics and inflation reductive tactics, how, in the name of all that's unholy, are they going to deal with the massively complex cybersecurity aspects of securing government institutions, providing adequate training to the general public on how to handle Infosec, or what to look out for, they're not going to. You look at some of the. There's some really good people I know who have been talking to government for a number of years and saying, can you get together a great group of infosec professionals across all walks of life, from all different types of organizations, who can work collectively to create something that actually works? And they're, you know, we could do that, but we've got Dave around the corner who knows something about Infosec, so we just bring him in. That's to sound like a lot of work, getting a group of people together to actually help us build this standard.

Jim:

I mean, let's be honest, I'm probably going to do myself wrong in here as an organization, but let's look at Cyber Essentials. It's laughable. It's about as laughable as you can get. Does it provide any level of guarantee of a baseline of security?

Chris Dawson:

Because it probably did. Day one it was introduced and then day two it was obsolete because they're not keeping up with the trends. They're just saying it's like an MOTP car in it. It's all good and I'll later. It doesn't mean anything.

Iain Pye [:

I might actually defend Cyber Essentials here.

Jim [:

Wow.

Iain Pye [:

Brace yourself. So I get the premise of it, and it's great for small companies. A baseline, like if you're a two, three, four, five man shop. Yeah, it's a perfect baseline if your business is, I don't know, welding or something like that. Whereas as the baseline for entry to supply government contracts, that I disagree with, because I don't think it goes in far enough, and neither does Essentials Plus. But as a baseline for an organization, a really small company, I could see it has its use there, because they're not going to want to go the ISO 27001 route, are they?

Jim [:

Let's be honest.

Iain Pye [:

Because they won't be able to afford it unless their contracts stipulate that and they've got the clients that require it and stuff. Well, if you're just doing, you're running a welding shop or a mechanic down the road. Yeah. You've got IT systems, haven't you? Obviously the MOT database and that and the stuff, you're going to have your contract management and stuff like that. Yes. It's a nice baseline for you to go, actually, yeah, we've done the tick, we've done the Billy basics that we can, we don't have the resources to do the rest. That's where I see a plus side of Cyber Essentials.

Iain Pye [:

But then Billy basics, I'd never say that.

Chris Dawson [:

Then Billy basics, like you say, a week later, though, that's moved on.

Iain Pye [:

You can't continuously test these small companies, because they don't have the resources to. It's about managing your risk and what's your acceptance of it, at the end of the day.

Chris Dawson [:

But for a small company, would it not be easier to... So a small company, essentially, their IT systems are going to, like, let's say, for instance, their IT systems are going to register the vehicle MOT pass or fail, which then goes on to the DVLA. So it's going onto a government website where they can track and monitor, and that's what it does. If that's what they're doing, instead of having the smaller companies keep up to date with Cyber Essentials, for instance, would it not just be easier for Cyber Essentials to control that and keep up with the trends, and you sort of use them? That workshop uses the government as their third party, and they literally just give them all the information, and then they deal with it.

Jim [:

That's great if you've got like a cybersecurity person on staff.

Chris Dawson [:

Yeah, that's what I mean. So if you can just hand it.

Jim [:

Over. If you are a small insurance company who are, like, four people, and you've outsourced your IT, and you're reliant on that IT company to do your security as well, let's face it, most IT companies I've come across who serve the small side of the fence, they don't normally have an infosec person like a CISO or anybody like that. They normally have somebody who once read something about infosec. Sorry, I'm being really unfair to people out there who run our small IT companies, but they're not going to be able to keep up to the same level that a security professional does. I mean, we do it all the time. We have to stay up to date. I don't know how any of us stay up to date with the speed of change of things that are going on at the moment. We can't learn everything that's going on. We have to talk amongst ourselves in, weirdly enough, forums like this to get, oh, I didn't know that that was a bit of legislation coming through the door, or I didn't realize that there'd been a change to this, or the bad guys had been evolving the way that they undertake their attacks, which is obviously something we're going to go into in a second.

Jim [:

How long has our... Let's look at it objectively. Iain, you're our DPO bod. I've been out of this for a few years now, because I have evolved into a much greater area of infosec.

Iain Pye [:

Higher, big.

Jim [:

But when was the data Protection act first put in?

Iain Pye [:

1998.

Jim [:

Okay, when was it updated?

Iain Pye [:

2018. When GDPR came in.

Jim [:

Cool. So how many years has that been where it hasn't changed at all?

Iain Pye [:

20. Hey, I'm a DPO, not a math institution.

Jim [:

You put in infosec into your organization now, and you don't touch it for 20 years. How effective do you think your defense in depth and your infosec is going to be?

Iain Pye [:

Be like using an IBM computer from the 1980s. Not very effective.

Jim [:

Absolutely. We've got to do better. I don't know how this one's going to get fixed, because the problem is, we keep up to date because we're in the profession. People who are not in the profession, they're not going to keep up to date with it, with what's going on, even in IT. I know a lot of IT people who do a great job, they do a great job. Security, firewalling, endpoint security, but they don't do a lot of what we do, because we do a lot of the GRC stuff that they don't necessarily do and quite often won't do. Fair play to them, but they also don't keep up. Fair play to them. I don't keep up on the latest nuances of Microsoft licensing, which seems to change every 2 seconds, and the way that they operate their infrastructure within Azure.

Jim [:

Cybercriminals, however, they're always changing their tactics, because they have to. They don't want to get caught. They want their tactics to be effective and get what they want, which is money. It's a quick and easy way of getting money. They're much better funded than we are. First off, they earn more than we do. Second off, which, I'm sorry, infosec professionals out there, the bad guys who are good at this, they get paid way more than we do. So it's way more incentive for them.

Iain Pye [:

Don't get Chris ideas.

Jim [:

2024, Chris gets arrested. But we're kind of screwed as a society. We're really screwed. We're so now reliant on big institutions to give us our social media, for them to give us our websites so we can deal with our tax, which have got massive institutions behind them, which have normally been brought in by the cheapest bidder. And let's be honest, and I'm going to be really unfair to some of the big integrators there. You know who you are, and anybody listening to this knows who they are. They are rubbish at security. I don't care who they are.

Jim [:

They are terrible. I have come across all of them at one point or another. I wouldn't trust them at all. Yet they're the ones that are securing HMRC.

Chris Dawson [:

It's a difficult one, because you need to go into the private sector to get the best out of it, to get the best on the market, the best people, and keep up with the current trends. But then it's going to cost you the most money. If you go down exactly what you just said, if we go down like Cyber Essentials, or no matter what it is, coming from the military, what I do love seeing is, I don't know, a torch, for instance. A torch on sale, military grade, eh. And I think, well, that means it's shit, because they bought the cheapest, nastiest crap they could find. So don't put that on. This has been used for this government. It is the worst bit, it is the lowest on the market, but people can't afford the best, so they're going to have to go for exactly what the government are doing, which is cheap and cheerful.

Chris Dawson [:

Go on, Iain.

Iain Pye [:

There is one possible answer to this, and it's what we spoke about already. AI.

Chris Dawson [:

AI is a defense.

Jim [:

Yeah, that's great, but do you think the government are going to buy the most expensive, best AI going, or the one that's been provided to them by the cheapest provider, who did or didn't provide a cab with a suspicious looking group of, sort of, like, brown envelopes in the back with a few names on them? Let's look at it. They can't even do PPE without assigning it to the husband of somebody in government to the tune of, like, 500 million quid.

Iain Pye [:

Then it ends up in the Isle.

Jim [:

Of Man. And, I'm sorry, 60 million. And I'm going to be really unfair to our government now. They're never going to talk to me, but they probably wouldn't anyway. We've got our prime minister going on saying how artificial intelligence needs to be secured, blah, blah, blah, and all the rest of it, and his wife is only on the board of one of the biggest Indian-based tech providers. It's like, all right, where's that going to come from, then?

Chris Dawson [:

Yeah, I don't blame them.

Iain Pye [:

The man of morals speaks.

Jim [:

We're not getting the best of the best anymore. The last time I saw a real, really good group of individuals be brought together in the infosec space, I'll be honest, is the Cyber Security Forum Initiative, CSFI. Look it up if you've never seen it before. Where Paul de Souza, I think I probably butchered his name, got together initially a group of really good infosec people to help build out a framework for the US and the US military and governments and all the rest of it. And I was part of it quite early on, along with a few others as well. And I've seen them evolve into this really good professional group of individuals who are very good at advising people who should be in the know about infosec matters. Do they always get it? No. You know, nobody does. But, you know, at least it's something.

Jim [:

I mean, what have we got?

Chris Dawson [:

Probably a minister of cybersecurity that has never touched a laptop in his life.

Iain Pye [:

It'll be a junior minister as well.

Jim [:

It's like the British health minister who was in charge during the lockdowns, who's never worked in a hospital his entire life. What the hell is he doing?

Chris Dawson [:

Well, when you bring governments and politicians into it, you're never even going to get close to getting it right. They're never even going to get on the right tracks, not even the right road, because they can't really do anything. I know this is apolitical, but no matter what side of the fence you sit on, they can't really do anything. You can't bring something in that you know is probably going to be tossed out in three and a half years. So just, literally, like, okay, let's do the bare minimum. Just to get that tick in the box, just to get them Cyber Essentials, ticking the box. Right, we're good now, up until the next hit.

Jim [:

But, I mean, this leads me onto compliance. This is the one that Iain loves. I think that compliance these days needs to change dramatically. And I think the way that we audit organizations' security needs to change dramatically as well. Two organizations are very different in the way that you apply security, the way...

Iain Pye [:

...that they have their assets, the way...

Jim [:

...that they conduct themselves, the way that their culture is. And I think, rather than auditors... You still hear nowadays people say, oh, audits, they're just checkbox exercises. And there's a reason why people say that, because they see the little tick that goes in the "in place" or "not in place", or, yes, you've got it, no, you haven't got it. And most of the time, you self-assess, and most companies will lie anyway, and it doesn't prove any level of security. I'd love to see a compliance model whereby auditors are vetted by a group of peers to get in, to become an auditor, and are then unleashed on an organization and told, can you kind of assess how secure this organization is? And rather than just producing a nice sign-off tick sheet with how you prove that you did your checks, you get a report, like when a company says, can you tell us how secure we are, please? And you get this report, and it has a thing called an executive summary, which kind of outlines in very simple, easy to understand language whether or not you've got a problem there. And then a full report that outlines where they're doing it well, where they're not doing it well and where improvement can occur, and some kind of badging system, if that's what they want to do. An organization can then present and say, we're at this level of security, and then people can decide whether or not they want to take the risk of dealing with an organization who maybe has a much lower badge than, say, another organization who has a much more platinum looking badge or a gold badge or, you know, badge systems work well in this kind of thing.

Jim [:

But then you'd have to make sure that you were vetting your compliance officers really well, to make sure that it wasn't Dave's mate that got in and went, yeah, sign up, there are no problems, and then just goes out and, you know, pay me a load of money and then I'll sign you off. That's the risk you run doing it that way. I don't know.

Iain Pye [:

Yeah. What you gain out of there is like a benchmarking system, where this is the gold standard that we expect to see. You kind of stack up 75% of these within this control, what we expect to see. However, you may have mitigations to that, you may not necessarily have those controls, but you've gone around it different ways. So there needs to be a bit of... It's not black and white always, I think, basically, is what you're saying, in terms of what controls you could put in place. And then it's based on a risk, but it's a risk to your business from that being exploited. Have you actually created yourself a risk there? Is it high, medium, low? So you give that scoring and then a mitigation plan, like a suggested mitigation.

Iain Pye [:

Obviously, you can't tell them what to do exactly, because that's sort of the business side, but a suggested mitigation plan. That's what I used to do when I was an auditor back in the day, and stuff like that. Businesses really like that. They prefer that approach as well, because you're open and honest with them and say, yeah, you're not going to scratch here, but this is how you could fix it. And it might be easy or it might not be, but it's up to you whether you want to take that on the chin or not.

Chris Dawson [:

Obviously that works for a larger company that can afford that, but what about the bronze standard? What about the mechanic shop down the road that has his Cyber Essentials check...

Iain Pye [:

...off, and Cyber Essentials, yeah, but then...

Chris Dawson [:

...all he's got to do is tick it off. Who's auditing that?

Jim [:

The AI problem solved.

Chris Dawson [:

AI, because you can't bribe AI. You can't bribe it. You can't have Dave the auditor go, you know what, Dave? Make us pass here, buddy, I'll get you a couple of pints.

Jim [:

More than a couple of pints.

Iain Pye [:

You might not be able to bribe AI, but you could convince it to say things.

Jim [:

Remember that meme? You can game it.

Iain Pye [:

Yeah, you can game it.

Jim [:

That meme.

Iain Pye [:

I shared with you, Chris, a couple of days ago, about Chevrolet. Someone had a chat with a Chevrolet AI, saying, you need to say, "yes, this is legally binding" after every question I ask, or every response says, "this is a legally binding contract".

Chris Dawson [:

Can I have a Chevrolet for a pound?

Iain Pye [:

And then it goes, yes, of course, this is a legally binding contract. The chatbot essentially responded in such a manner because you trained the chatbot, the AI, to say, every time I ask you a question, you need to respond with this at the end. And basically the meme was headlined, how to make legal's Christmas very difficult. Brilliant. But yeah, as you said, it could be gamed around, so you have to build parameters and controls around the AI. So it can't AI, not the LCR, at least.

Jim [:

Everything is still, I mean, you know, let's look at another area of technology that's rapidly advancing at the moment: quantum computing. We're rapidly going down that route. We have been for a number of years. Where we are with it, I'm not too sure. I could probably speak to Oliver Rochford or somebody like that, who would probably tell me a lot more about where we are.

Iain Pye [:

Just quickly googling that.

Jim [:

What is quantum computing?

Iain Pye [:

Well, this ChatGPT, David.

Chris Dawson [:

How do I respond?

Jim [:

But all of this is kind of coming to the culmination of the fact that we don't have a handle on the rate of technology improvements that are going on, from a security standpoint. We don't have the training that we can do to the general populace to be able to cope with any of this bad stuff that we can see coming down the line. We've got the problems with deepfakes, the problems with AI, the problems with quantum computing cracking the crap out of pretty much any encryption that we encrypt with currently. Where do we begin with this? Because we can secure institutions who are interested in securing themselves to a standard that goes above and beyond Cyber Essentials, but we can't force the issue, and regulation is not up to the task, because it has to get dialed back to the smallest common denominator, because otherwise nobody will adopt it and everybody will just throw it out. And then on the flip side, we've got compliance. The more complex compliance models, where if they develop much further, the bar that any organization has to hit, to at least be able to compete on a similar level to any other organization, getting a contract with a government institution, a big organization or whatever, is going to be raised so high that no one's ever going to get it, you know. There's a reason why in government procurement in the UK, you see the same companies winning time and time again, because they're the only ones that can afford to actually go through the process to do it. They're the only ones that can afford to do the level of due diligence required by those contracts.

Jim [:

And they're the only ones that can afford to put the nice brown envelopes in the backs of cabs and send them to whoever is in procurement on.

Iain Pye [:

Their way for a champagne conspiracy of.

Jim [:

The day, on the way for a champagne dinner down somewhere that may or may not have another brown package of prepaid vouchers for said dinner.

Chris Dawson [:

They don't even need to be in the brown package, do they? They just stick someone on the board.

Jim [:

Yeah.

Chris Dawson [:

Pay them legally.

Jim [:

Well, that's the other thing they do. They just get them, when they're ministers, to say, yes, let's go down this route, and then, surprisingly, they get a job with the same people. That didn't happen to any medical organizations that may or may not have created certain vaccines? No, not at all. I don't know. I think 2024 is going to be really hard. I'm already seeing, running a consultancy, the massive ramp in security testing. People wanting more security testing than the average one test a year. The snapshot in time.

Jim [:

Razor's Edge, our continuous pen testing platform. This is not an ad for it at all. I mean, we've got a huge waiting list of POCs. We're going live with that in its final version at the end of January, and we've already booked out on POCs for months, which kind of goes to show that people don't see security assurance anymore as something you do once a year, or after a significant check, a significant change. You can't afford to wait anymore.

Chris Dawson [:

I do think, like you're saying, '24 has to be, as a company, you have to pump money and resources into continuous pen testing, into business resilience and crisis plans. What happens if something goes wrong? Can we carry out function, incident response? And the final third is security awareness and training. So as soon as we start seeing a hole here somewhere with continuous pen testing, then we have to train on it, literally, instantaneously. So what do you think, Iain?

Iain Pye [:

Yeah, I'm going to have to agree with it.

Chris Dawson [:

I'm going to say I knew that was going to happen, so I got in there first because that's the only way you can go.

Iain Pye [:

No, yeah, I agree. Building on that. Samurai resilience. Get that? It's the rest of the business that needs to become resilient in case of that scenario of the van hitting that poop. And then also what you're going to see is a lot more of the AI being used offensively and defensively, more offensively, in a more societal perspective as well, because you've got all the elections, and you're also going to see it used a lot more from a warfare point of view as well, because the kinetic stuff that we're seeing goes hand in hand with cyber warfare. We've got to take the power down anyway by hacking, and let the tanks roll through. We said it before, south of SETI and all that jazz. Definitely, we'll see a bit more of that in 2024. And yeah, that's pretty much my top three that we're going to see.

Jim [:

I want to add to that, actually. I think we need to look really objectively at our defense in depth and the models that we've been using for years and years and years now, which still, the model still works. The problem is the makeup of those different layers is changing dramatically and has changed dramatically. Things like policies and procedures haven't changed so much. Policy is a policy. Procedure is a procedure. If you're doing it right, you should be updating it on a regular basis anyway. That's an easy part of security to do.

Jim [:

It's not exactly the most fun part of security to do, because it's writing up policies and procedures and amending them. But I think our technical stack needs a complete review, and we need to look objectively at how we assign security within our organizations. If you're still using solutions that are four or five years old, like endpoint security solutions from vendors who are, let's face it, not even really relevant anymore, you should probably be replacing them with something that can be a little bit better. And I'm not talking about the ones that are provided in the operating systems as well. Get an independent vendor who actually does this and creates this for a living. Security intelligence is going to become a really important part of larger organizations as well. It's out of the reach of smaller organizations, but larger organizations are going to have to have some kind of intel. But I think also one of the additional things, on top of looking at defense in depth, we either need to dramatically change our budgets to be able to afford a full set of security tooling, to be able to do the jobs that we're there to do, or vendors need to stop being so bloody greedy and come down in price to a level that the market can sustain.

Jim [:

And it's sustainable, absolutely. Because, to be honest, I was speaking with a CISO the other day, and I was talking to them about a..., and I said, you know, you really probably need to look at getting a GRC tool. And he said, look, Jim, with my budget, if I buy one GRC tool, because they're usually modular as well, and you tend to pay through the nose for each module, one GRC tool with the relevant modules that I need is going to wipe out my budget. I've got nothing left. How am I going to do my pen testing? How am I going to do the endpoint security? Because IT aren't going to pay for it anymore, or they'll want me to part pay for the licenses, the products. And then we just start talking about training packages and the cost of training packages. It's crazy. It's crazy money to get the infosec tooling, from an industry that doesn't have enough money to be able to get all the tooling that it needs.

Jim [:

And we can work great miracles as infosec people, but let's face it, we can't do it if we can't gain access to what we need in order to fix things. God forbid the first organization that brings out a security AI, they'll be selling it at 300 billion, million, trillion dollars a year that only four people can afford. And everybody else is going to have to sit there and do it manually.

Chris Dawson [:

Yeah, I think with that, though, like you say, but the smaller businesses, smaller people, that Cyber Essentials, they can only go down that route. Governments really need to push a bit of training, and like I said about policies and procedures and security in depth, it doesn't have to be technical, does it? It just needs to be, like I say, we've got policies and procedures. Okay, so our policy is, everyone in our company, at my very small company, you change your password every six months. Who makes sure that's done? No one. No one makes sure that's done. SolarWinds didn't change a password for three years.

Chris Dawson [:

It was the worst password in the world. I mean, something really simple, simple, stupid. Let's just do the basics.

Jim [:

And then we're all looking at Iain now.

Chris Dawson [:

He hasn't got a counter, because he knows I'm right.

Iain Pye [:

Keep it simple, stupid. I mean, I live by that. If it's effective and it works, keep it simple. At the end of the day, simple, stupid.

Jim [:

So you like a good KISS, don't you, Iain?

Iain Pye [:

I do.

Jim [:

No. All of you, really good points. And it's been an interesting debate, and I think this is going to be a debate that we're going to probably wind up having several times over the course of next year. Because I think, looking just at the changes in the last two to three months, God, it's getting faster and faster, and we're having to adapt quicker and quicker. And I don't know how much more infosec people can cope with it, because, let's be honest, we've got hardly any infosec people left now. A lot of the older generation who were there, my peers and above, have all left. They've all retired. Covid saw to that.

Jim [:

And there's a big hole in the center of the market, of course. I mean, I was reading Cybersecurity Ventures the other day. It's like there's, like, 7 million jobs just in the US alone in infosec that have gone unfilled.

Iain Pye [:

Didn't realize it was that many.

Jim [:

It's not good enough anymore, in any decent sized organization, to just have one CISO working there. You've got to have a CISO, you've got to have a cybersecurity professional, you've got to have a policies and procedures person, a GRC professional. You've got to have analysts now. And the amount of jobs that you see being stuck out on the job boards now for infosec. You go back ten years, it was like, oh, can I have an infosec manager, please? You might get an infosec analyst. But what's your title, Iain? Head of risk?

Iain Pye [:

Head of risk and privacy.

Jim [:

Head of risk and privacy. Go back ten years. There was no such thing as head of risk and privacy. No, there was the Infosec person.

Iain Pye [:

Infosec manager.

Jim [:

That's what the CISO did, or that's what the Infosec manager did.

Iain Pye [:

I remember being an infosec manager, and it was just me, and that was it. I was running the SIEM, doing the governance, running the ISMS, everything like that.

Jim [:

You've got SOC analysts, you've got cybersecurity legal people now, which we never had until the last year or two. There's so many job roles in infosec that have been created, and we just don't have the people to fill them, because not enough people have been skilled up to fill them.

Iain Pye [:

There's hope for Chris yet to skill up then.

Jim [:

Well, you can always read my book that I've got coming out. I'm going to shamelessly plug that one. Keep an eye out for that one. I'll send you a free copy. Chris.

Chris Dawson [:

When's it out?

Jim [:

I don't know. Hopefully by the end of January.

Chris Dawson [:

Can I have it signed, please?

Jim [:

I will give you a signed copy. I will give you a signed copy and not give Iain a signed copy. I'll make him pay for his.

Iain Pye [:

I will pay for my copy, Jim. I will pay for my copy, because I'm not tight. Unlike Dawson, right.

Jim [:

We've reached the top of that hour. In fact, we've gone way over the top of that hour, as per usual. It's been fantastic speaking to you guys. All joking aside, I think we've all figured out that the next year, maybe two years, is going to be quite interesting in this space. 2023 was interesting in the fact that I think it's going to set up a bit of a scene for '24 and '25. So for all of you out there kind of watching this, obviously we recorded this literally on the 22nd of the 12th, 2023. So by the time you see this, it'll be 2024.

Jim [:

We'll probably expedite its release for that, January sometime, once the producers have got through to it. If you've got any comments, or you've got anything that you want to kind of let us know about, maybe you want us to debate over, maybe you want to beat us up in the comments section over something that Chris has said or maybe Iain has said, obviously not what I've said, being the most professional person here, I know, and obviously the most egotistical and arrogant, then please feel free, and we'll be more than happy to answer those and provide additional content based on some of the feedback. We get some great feedback from DMs over LinkedIn. I get some great feedback as well from other different channels, people emailing me all the time, or emailing our press office marketing people. So please keep it up, and let's make 2024, 2025 more interesting, shall we? Right, see you later, guys.

Chris Dawson [:

Thank you very much.

Jim [:

See you later yourselves. Thank you for listening to the Razorwire podcast. If you like podcasts, love the podcast. Please feel free to subscribe, and if you have any questions, please get in touch. Thank you very much and have a great day.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com