#Hustlechat Episode 2: Cybersecurity - inside the mind of hackers

Fireside chat with Raymond Simpson, Managing Director for APAC at Foregenix.

Naby Mariyam: Welcome to another episode of Hustlechat. I thought it would be very interesting and valuable for startups and various other companies to get an insight into why cybersecurity is so important at the moment. I have my guest, Raymond Simpson, who is the managing director of Foregenix, which is a global company that works with a whole range of companies like Visa and MasterCard... so it is my absolute pleasure to invite Raymond for this session.

Hi Ray! How's it going?

Ray Simpson: Naby, it is going great, it's Friday! Happy Friday. How are you?

Naby Mariyam: I'm really well, thank you. It's been a big, super hectic week. How's your week been so far?

Ray Simpson: It's actually been surprisingly busy the past month. I suppose the criminals don't go on holiday. They may isolate themselves, but that's business as usual for them... so it's actually been fairly busy for this time of the year, but we're surviving.

Naby Mariyam: Well, that's good. I hope you're keeping safe and your family's doing well in our global collective lockdown.

Ray Simpson: Yeah, indeed. The word "unprecedented" has been used an unprecedented number of times, but yes, it certainly is an interesting period we live in. As we say, there are certain things that do not change, and I think we're going to be chatting about one of them today at least.

Naby Mariyam: Yeah, definitely. Let's jump straight into the topic. We've got a few people joining our live session today, which is really amazing. First of all, why is cybersecurity so important, and especially now?

Ray Simpson: Well, it's an interesting one, I think. Criminals tend to follow the money, so if we look at the history of cybersecurity we find that to a large degree they attack certain industries, and use certain exploits against certain industries, in a way that maximises and capitalises on vulnerabilities but also on what they can take away from it. So I think what we see right now, and certainly for the past few years, is that it's a very hot topic. Why is it a hot topic? Because at times there is only a fairly minimal investment that you need to put in to actually maximise a return. Somebody put it quite interestingly from a cybersecurity perspective: a company needs to have its top game 365 days a year, and if there is one day that they are not in top form, that basically is a bad thing for them. Whereas the criminals only need to have one good day out of the year and can maximise it, flip it upside down. So from a cybersecurity industry perspective, from the companies and entities that have sensitive data, we need to be in top form every single day and we need that defence-in-depth strategy, or else we can be taken off guard.

Naby Mariyam: When it comes to cybersecurity, I don't think that's the first thing that businesses and companies, and definitely startups, think of amongst all of the other things that we have to juggle. Let's go a little bit more into the threat landscape. What does the threat landscape look like across industries around the globe?

Ray Simpson: We've got statistics all over the show, so I don't want to bring a lot of statistics to the table today, but certainly if we look at certain fields across the globe we find that there are a lot of compromises happening at any given time. For example, on a monthly basis we scan around seven million websites. When I talk about scanning, our software's non-intrusive, it's like visiting a website, so we visit seven million websites a month to check whether we see any indicators of compromise running in the HTML, if you want to put it that way. At any given time there's probably a good couple of thousand that are actively compromised and the cardholder data, for instance, is being skimmed. Then there's just an absolutely massive number of websites that are at high risk, where the basic security, or hygiene as it's called, isn't being done, and that's certainly what we see from our vantage point. A lot of the time it's the basics that are not being done that cause a lot of the knock-on effects that we then see. At this point in time we do see a lot of information in the media about compromises, but it does have the feeling that the message that is coming across is almost like fear-uncertainty-doubt type messaging, and what we try to do is make it more constructive. It shouldn't be something that's completely overwhelming, and when you embark on the security thing there are a few basics that can be done that can stand companies in really good stead, to get them just better than the next guy down the road, because ultimately from a criminal perspective you're going to go where the easiest opportunity is in front of you.

Naby Mariyam: Yeah, very interesting. There are some staggering numbers you just mentioned... it blows my mind. Let's go deeper into the motivational aspects of the cybercrime industry. It's a huge industry. What do you reckon is the motivation behind these bad actors, and why do they do these attacks?

Ray Simpson: I think there are a number, if we categorise attacks. We have state-sponsored advanced persistent threats, if you like, and for the most part that's not something that we're going to address because there is a completely different driver. What is the typical driver for the rest, or certainly the majority of the delta? It's all financial. Ultimately you want to put something in and you want to get money back, and you want to get as much money as possible back, from a criminal's perspective. I always have a little bit of a chuckle because we hear the term big data being thrown around; I think the criminals have a big data conundrum, because there are so many things that they can attack and there's so much information out there that they can get their hands on. Where do they start? Right, so they're going to start literally with what they can turn into money the quickest. We often see the payment card industry being hit because credit card numbers certainly have a definitive value and you can immediately turn them into money. So ultimately, companies that have anything to do with storing, processing or transmitting card data are immediately on the radar for these malicious actors.

I think, certainly from what we see, very few and far between would it be anything other than getting card numbers, getting sensitive information that they can then on-sell, whether it be intellectual property or whatever the case. Ultimately the driver is different than it was maybe a decade or two ago. Today, and for many, many years, it's been purely financial.

Naby Mariyam: Right, fascinating. What are some of the common types of attacks that happen that you've had to deal with?

Ray Simpson: There's quite a number in their portfolio, if you want to put it that way. There's a number of attacks... let me start from the perspective of where the compromises happen, and by virtue of starting there you'll see where it goes in terms of the types of attacks. Ultimately a lot of the attacks, or certainly the reconnaissance that's done, is often done in a fairly shotgun approach: let's just blast a lot of stuff and see what comes back. So we'll see many companies actually pick up that they are being scanned with certain programs that basically provide details in terms of services and ports open and what is being served up on their websites, etc. Once they determine that, they can then get a good understanding of what is running there and how they can exploit it. That, in essence, is what a penetration test does as well. Now obviously a penetration test is done by people with good intent. They try to help companies understand what is running in their environment and where the risk items are that they need to address because they are vulnerable to an attack. Now once these bad actors have actually determined what's running and what they can exploit, then they can determine what the best attack vector is in terms of getting their piece of malware over there. We hear about ransomware very often and it's a big one. It's one of those where once you're hit with it, it's too late. Typically, you need to do what you do before you get hit, because once you've been hit it's really bad news for the most part. That's what we try to get across.

There's a lot that can be done that wouldn't necessarily mean that you need this massive outlay of investment. There are basics that will really stand you in good stead if you just get them implemented.

Naby Mariyam: Wow, that is really, really fascinating. Ransomware, I think, is one of the scariest things that a company faces, for the founders, CEOs and for the board, depending on the size of the company. Have you got any examples or stories that you could share with our audience of an event and how the company, working with your team, responded to a ransomware attack?

Ray Simpson: Your playbook, if you want to coin a phrase, for dealing with a ransomware attack is fairly limited if you didn't have the appropriate controls in place beforehand. Ultimately if they succeed to the degree that they aim to succeed, your data is encrypted with a key that no one has; there's no way of decrypting that. So what we try to do is help companies in that scenario to salvage maybe what's on backups and the like. What we need to do, though, for companies that haven't been hit: firstly, count your blessings if you've not been hit. Secondly, there's a number of things that you absolutely have to do because, for the most part, it's not if, it's when it happens. You need to have this little playbook on your side in terms of "These are the steps that you need to take". If you don't have that playbook then very often the first thing you do is, typically, the wrong thing. Just a case in point: we often get companies that contact us for a forensic investigation, and one of the first questions we ask is "Did you leave everything as it was when you discovered the attack and just contacted us?" More often than not, the first thing they say is no, they switched everything off, which is honestly the worst thing that you can do. You don't want to switch it off because a lot of the attacks are memory resident only. It is fileless. If you switch off the system it's gone, there's no trace of it, so when you go in and try to do your forensics afterwards you'll find nothing.

Ultimately, one of the first steps is to keep the system on. You can disconnect it, but keep it on. Then try to make a snapshot of that system and the memory, and then you can contact the forensics provider. If you don't know how to do that capturing, then basically contact the forensics provider and have them guide you through the process.

Naby Mariyam: Do you ever end up paying the ransom? Have there been companies that have paid, and if they do pay, then what happens?

Ray Simpson: Well, yeah, I suppose this is one of those decisions that is made at the board level of the company being hit. I think the bad part of it is that if we keep on paying then these guys have a business model, and they just perpetuate the business model. If you don't pay, from a company's perspective you stand to lose all your data. In many instances, surprisingly, the companies don't have adequate backups. It literally will close down the company, so what are you to do in that situation? It's a very, very difficult situation to be in. Once again, it gets back to the point: there are a few things that you can do to really manage and mitigate that risk quite dramatically for minimal investment. It just gives you a little bit more breathing space, so when those types of things happen it may be a disruption, but ultimately you'll get through it.

Naby Mariyam: I don't think anybody wants to wake up to the news that they've been attacked by ransomware. That would be an absolute nightmare. In terms of preparing proactively for all these kinds of attacks from a company perspective, or from a strategic thinking perspective, what would be the top five things that you would recommend companies do and implement?

Ray Simpson: It's a difficult one from the perspective of which one is more important than the other. There's certainly a number of elements that really are very important, and I think that gets to the defence-in-depth perspective: some of the elements may not necessarily be more important than the others, but you want to get as many of those controls in place as possible, because controls do fail, and when they fail you need other controls to be in a position where the risk is appropriately managed. One of the key risks that needs to be appropriately addressed is the management of third parties. Very often companies would just put everything in the cloud, hypothetically, and then say job done. We're fine. We are PCI compliant, or our security is in place, because it's in the cloud and they do security. It can't really be further from the truth. There are certain aspects that the cloud provider does, and there are certain other aspects that they can do as an add-on as well, but for the most part, in our experience, very often those things haven't been done by the cloud provider. They've got a basic subscription, and it's easy to instance, whatever the case may be. It's running their system and they think they should be fine. I would say, get an understanding of what your third party does and what they are supposed to do. Then get an understanding of the rest, and that typically falls on the company. Another one of the top five, if you like, would be the basic hygiene of systems. Whether it's in the cloud or whatever the case may be, you should make sure the systems are appropriately patched. Certainly, in certain instances when you outsource, that is taken care of, but in some instances not. Make sure that it is patched. Make sure that hardening happens on the system, and if you don't know how to do that, you can find a lot of information out there or get a third party that can assist you with it.

Get an understanding of what you need to do, what your system is running, whether it's presenting a service. A lot of the software that has helped us over the past few decades comes with challenges, in the sense that everything is open by default. When we talk about hardening systems, you close down what you don't need, because the more things you have open, the more attack vectors there are. You want to make sure that you only present your system with the number of services, etc., that need to run on that specific platform, and in that way secure that system. Lock it down, and when they come in to have a poke at it they see that it's kind of locked up... so let's go to the next one. Other elements are backups. From a ransomware perspective, it's absolutely paramount that the integrity of your backups is adequate, but also the confidentiality and the availability. That means that you've got to be in a position where, if your main systems are compromised (ransomware will typically look to encrypt your backups as well), you manage that appropriately. So backups are very, very important from an availability perspective.

Other things: multi-factor authentication! A simple control. Not really expensive to get implemented, but a massive, massive value that it brings from a risk management perspective, so definitely something to do. You'll see a lot of banks, and certainly all the main providers, typically throw that into the equation, so you can actually get that implemented fairly trivially.

Phishing is an immensely successful vector of attack. People click on links, and by no means am I pointing fingers... it has happened to me! I was mentioning to somebody the other day that sometimes, in our world of multitasking, you may be busy reading one email, drafting another email at the same time, checking a text, a WhatsApp, whatever the case may be, and something pops in. If it's appropriately worded and addressed and it looks real, your brain almost automatically just clicks on it. That's just a natural thing. It happens, and that's the challenge that we, as security professionals, have... to get that awareness element, the importance of it, across, for companies to get that culture instilled.

You can't only think that as long as I tell my employees, everything will be fine. There are other controls, once again the defence-in-depth: you need to put a few things in place, so that when that security awareness does fail, for some reason or other, you've got a few other controls in place to help mitigate that.

Naby Mariyam: Very interesting. And are these measures extremely expensive? If you are a bootstrapped startup, or if you're an early-stage startup, and you don't have a lot of capital and you're trying to decide where you deploy your capital in terms of all of the millions of things that you have to do, what is the one thing that you would recommend founders think about from early on, to implement from a security perspective and then try to build from that point?

Ray Simpson: Very good question, and one that obviously often crops up by virtue of the fact that everybody has this idea that security is really expensive. Security can be expensive, and certainly if you forget about security and you try to retrofit, very often it is. If you are a start-up and you have the right approach in terms of, okay, you know Rome wasn't built in a day, we're going to have a security strategy. We're going to start here by doing an external penetration test, to make sure that there's nothing being advertised that shouldn't be advertised.

From an internal perspective, as I said, there's a lot of information that you can actually get from the internet in terms of basic policies, and I'm not talking about just having a bunch of policies on the table somewhere. I'm actually talking about living and breathing those policies and processes, because they literally can save the organisation.

Companies often have this conundrum where they'll go out to the internet and they're like, okay, security policy or security standard, and then they get a million things thrown back at them, and that's overwhelming. Then you look through and there's overlap, and some standards deal with certain things and other standards don't deal with them, and which one is the best to follow?

One thing I like to point to is the Payment Card Industry Data Security Standard. The reason is quite simple. The standard is written for companies that have one server and one person, and it scales to enterprises that are multinational. They provide the actual intent of the standard, of the requirement. They provide prescriptive detail on how to do it, so that helps companies to just say, "Okay, I don't have card data, but it really doesn't matter, because what I want to do is take a standard and map it to my environment. As long as I adhere to that standard then I want to be able to sleep at night," and certainly that standard does it. From our perspective it's a very mature standard; a lot of investment goes into it. There are a lot of companies globally that contribute towards it, and I would just really like to put it out there.

I've been 15 years in the payment card industry, and we have not done one investigation of a company that was actually PCI compliant at the time of the compromise. It goes to show that if you try to adhere to the intent and the rigour of that standard you will probably be in good stead, because it's got a defence-in-depth methodology.

Once again, to your question: if companies don't want to invest a massive amount because they don't have it, get a strategy together. Do what you can maybe by yourself, and then leverage resources and third parties where you need to for specialised testing and those types of things. It's typically not something that the average person has experience of.

For those types of things, certainly there's a lot that can be done by these third parties. It's getting that strategy right and then doing it over a period of time; I think that will add a lot of value and make it affordable.

Naby Mariyam: There are so many things that need to be considered from the top, in terms of the executive team prioritising security, because as you said before, when an attack happens it's way too late. I want to look at the internal attack environment: bad actors within an organisation in terms of security. We've touched upon external threats; what are some of the internal threats within an organisation that the executives, or the team, should be mindful of in terms of preventing or protecting against internal threats within organisations?

Ray Simpson: That's a good segue from a point or two ago in terms of phishing, because even though that's an external threat, the actual vulnerability is certainly the internal person. Very often you may have an internal risk that, whether it is malicious or not, is responsible for causing a lot of the challenges. Once again, that education and awareness of getting the internal folk up to speed with what the policies are, what is acceptable, how to do it, when to ask questions. In smaller companies, fortunately, that's a lot easier than in the bigger companies. Having the appropriate plans in place to cater for when things go wrong will certainly help from an external perspective, and definitely from an internal perspective as well.

The other core element that is very often forgotten is actually doing a risk assessment, to understand an impact analysis, to understand what data is important. Very often companies start off by having no classification; everything's important or not; they share things. We've seen many things like Zoom and how that got exploited. It's partly because people put a lot of details out there that they shouldn't put out there. It's the education piece, but also making sure that there are plans in place that can address certain elements that are exploited. If you understand the importance of the various elements of your data and what the impact is, you can then put plans and strategies in place in terms of who needs access to this data. It's surprising how often that isn't happening right at the start, before anything is done, and we certainly try to advocate that people look at the data. If you want to protect everything, that's fine; if you just want to protect card data, that's fine as well. In the case of card data, companies oftentimes just look at that environment in isolation, and they get compromised in a different part of the environment that overflows into the cardholder environment. It's just getting an understanding, to start off with, of what is important to me, and in the playbook, in terms of how am I going to trace my strategy to address the various risks.

Naby Mariyam: Fascinating! We could go into quite a discussion, step by step, around the measures that can be put in place, but I don't think we have time today. I want to jump quickly into the current environment, where we are all working remotely. Before, we went into the office and there were certain security measures that enterprises put in place to protect their systems and people, etc. Now we're working from home and accessing the networks that are at home; how vulnerable is it? Does it compromise the integrity of the work environment, and what are some benchmark practices that can be adopted, or have been adopted, in response to this global remote working environment?

Ray Simpson: It's definitely an interesting environment we find ourselves in from a risk perspective. Companies, certainly the big companies for one, have always realised that one of the biggest risks they need to address is the remote working risk. Obviously, if you're a smaller company and you've got a handful of people, it's easier to manage the risks. If you've got ten thousand people working from home, it's a completely different ballgame in terms of ensuring that all those endpoints are up to date with all patching and the configurations are done appropriately. Ultimately it gets back to the basic security fundamentals, which is the patching, which is the configuration of the systems. If you've got software that you can use to take care of analysing endpoints as they come online... many endpoint protection solutions, antivirus-type solutions, anti-malware solutions, have that functionality and capability, as do the VPN solutions out there. There's a lot of things at the disposal of the average company in terms of addressing their risk, but it definitely opens up your attack platform quite significantly and exponentially. Companies are working hard, and a lot of our clients have been absolutely swamped over the past couple of months to make that happen. In the case of banks, to have thousands of employees working from home, that is a massive feat, and it's something that takes all of their attention. That is its own risk, by virtue of the fact that so many people are focusing on dealing with that risk and trying to manage it that their attention is not on a lot of other things.

I just have to weave in something which basically covers a lot of what we discussed: it's what we refer to as the signal-to-noise ratio. The more technologies you have, the more information you have to process. With that amount of information, you've got to process it to get what you are actually after: the anomalies, the real threats. You've got to sift through the noise, and oftentimes you've got this drinking-from-a-firehose perspective. There's just too much coming. You cannot deal with everything, and I think that's what a lot of companies are struggling with at this stage, because the number of events that they need to analyse and digest and act on has exponentially increased. From their perspective, they're really struggling to make sense of it all.

Oftentimes companies think they haven't been breached, and we hear that all the time whenever we have an initial discussion, even with a compromised client when the card schemes tell them they've lost card data: "You're a common point of purchase. All indications point to your environment having been compromised." They don't believe it. They never do! That's an interesting one, because they may have the details of the attack that took place, but they just haven't acted on them. They haven't seen it because there's too much information to digest and work through. No one's immune to this. The more technologies you have, the more functionality you have in your organisation in terms of systems or locations you work from, everybody working from home, the more events there are and the harder it is for people to make sense of it all and act on things. So that's a huge risk, that signal-to-noise ratio.

Naby Mariyam: Wow, that must be a very challenging time for organisations to currently deal with, especially if they're not set up for a massive explosion of powering a remote workforce and then having to think about security: protecting and enabling people to work. We are definitely in a very challenging time and, as you said, it cuts through the noise of realising how important it is to protect the data, to protect the systems, and to protect the integrity of the companies that are in the cloud. Does being in the cloud mean that the security threats are greater, or why is it important now?

Ray Simpson: Cloud is one of those things where it probably means different things to different people, and, specifically from a security perspective, the cloud does bring an immense amount of value and makes life easy in so many aspects. Once you've gone cloud you very seldom go back to on-prem type solutions, but with that comes that false sense of security. Pay for it and the cloud should be okay, whereas very often the cloud provider will provide a certain number of services, whether it be availability, or it could mean that they keep the patching of the systems up to date and those types of things, which is fantastic, but there's always a delta. In all instances, there is a certain amount that the company in question will have responsibility for. It's imperative that they find out what that is and then how to get that addressed. With a cloud environment, obviously, I think the ability to keep up to date with a lot of the security basics is much easier in many instances, but it definitely isn't the silver bullet that makes all problems go away. It does not do that.

Naby Mariyam: I think any kind of decision that we make has different trade-offs, and understanding those trade-offs and preparing proactively would perhaps be the way to go. I want you to talk a little bit more about war stories... I'm sure you have plenty of war stories from the work that you do with various clients of different sizes around the world. Would you like to share some stories with our audience today of maybe a data breach or any kind of attack, and how your team responded to it and what was put in place?

Ray Simpson: Typically when companies find out that they were breached, the first reaction, and it's kind of the natural response, is to deny. "It cannot be!" It's the same as the psychology of loss when you go through a traumatic event and you've got a number of emotions that you run through. There's a very neat correlation with a data compromise as well. There's anger. There's just dismissal, then there's trying to negotiate, kind of trying to make sense of it all, and eventually there's acceptance. Now what we try to tell people that are in that situation... before you actually get compromised, get a playbook together where you actually work through those emotions before you do anything else. So literally your playbook should leapfrog you to the acceptance stage. If somebody tells you, like a bank or a card scheme or law enforcement, that you have been attacked, accept it. It's a given. Don't try to do anything other than the right thing. The next step on your playbook, your response plan, is getting a forensics provider or an incident response provider that can assist you. Then give them what they need. Don't try to withhold things. Those are just critical things.

A few anecdotes from our experience. We've had an occasion, and it's actually kind of humorous, where the company that got attacked and breached phoned us and said they were forced to go through a forensics investigation. They'd like to use us, but they just want to get their systems ready for us. That means only one thing: they're going to try to get rid of all the detail, but that defeats the purpose of the investigation. We want to help them, so the first thing that companies need to do is actually get to that point of acceptance and help the process.

We had an instance with a fairly large company where they got compromised. It was quite interesting: they were actually at the time PCI compliant... no, certified. I just want to say there's a difference between having a certificate and being compliant. So they were certified as compliant, but from the outset it was apparent that they didn't meet the intended rigour of the standard. The interesting thing is they got compromised in their environment, not in the cardholder environment, but in the corporate environment. Now, why is this important? It's because people sometimes say, "Hey, I've got my cardholder data. It's encrypted. It's in its own little world. I'm good to go!" and they forget about the rest. But very often the rest, the corporate network, is the beachhead. So they land on the beachhead and they use that as their base of operations, because that system could be a public-facing system, a web server or FTP server or whatever the case may be. That system is not secured appropriately, so it's easy to compromise the system. Once they get on, what we find more often than not is that it's not a smash-and-grab activity. The period of the malicious actors being on the network, certainly in investigations that we've done, is two to three years with large organisations. They get domain-level access. Once they have that you virtually have to rebuild your entire network. If you can imagine, for a big corporate or multinational that's virtually impossible. For this specific company, they had this beachhead in the corporate environment, it overflowed into the cardholder environment, and from there they just started compromising different systems under their domain-level control. I think it was eighteen months later that they were told by the card schemes that there was an issue, and then they started the investigation process. You start finding malicious actors everywhere. That is the worst-case scenario in terms of where you can be as a company.

To this day that company is a client of ours, and we monitor their systems on a 24/7 basis to suppress attacks as they happen, because they haven't managed to rebuild the environment. Those are the types of scenarios that we want to stay as far away from as possible.

In some instances, it's fairly straightforward.  If you follow the basics, the security fundamentals, I don't call it best practice security, I call it essential practice security because it's stuff that you can't live without.  It's just basics that you need to address and get incorporated into your environment and culture and then just live by them.  When you get to that point you are actually in a point where the business-as-usual operational element is a lot easier.  

Naby Mariyam: Lots of things to be mindful of.  I don't think any company would want to be in that situation and the trauma, the initial anger and the denial and negotiating and then sinking into that feeling of “I wish we had thought about this before but it's a little bit too late!”  and then you become even more cautious.  I think human beings are inherently designed to think that the worst is not going to happen and often do not think about those things at all but I think that it is a time to think about those things because the vulnerabilities are much more and people have higher exposure at the moment because of the way we are set up.

I want to ask you a quick question on the various industries and the different types of attacks on different industries. Are there certain industries that are more susceptible to different kinds of attacks than others in your experience? 
Ray Simpson: I think that probably goes back to can companies make money out of what you have?  If you've got intellectual property or a lot of privacy data.   It's harder to potentially monetize that than say credit card information.  If you have anything to do with credit card information I think you are definitely on the radar in no uncertain terms.  There are a lot of these scans that happen.  They try to look for vulnerabilities and they can run the scan every single day of the year, as it only takes that one day where your systems weren't patched that they can then jump on it.  For them it's automated.  It's not a problem.  From the average attack and the malicious actors out there, they're looking for money.  If you have something that basically can be transformed into or monetized then it's something that you need to pay attention to.  

The other important thing is from a regulatory perspective.  Very often there are some significant penalties for breaches of privacy type information.  More often than not there's this scenario, maybe in Australia and certainly in some other parts of the world, up until now probably it hasn't been enforced that rigorously.  That’s changing now.  It's a different world we live in at this point in time and that the laws are there.  It's definitely worthwhile to ensure, as part of your exercise in terms of risk analysis or risk assessment of your environment and impact analysis ...get a determination of what data you have and, from a regulatory perspective, what is your exposure. Then take it from there because that's one that falls off the radar a little bit more.

Naby Mariyam: Too often yeah fascinating. I think fintech companies handling really important data around transactions and other kinds of data have to make sure it is handled appropriately.  There might not be such rigorous regulatory requirements for other industries.  

One of the audience members has a question for you.  “With this long history in this private security space do you have any insights into the primary threats and primary risk exposures facing state and local government agencies?”  What are your thoughts on that? 

Ray Simpson: Certainly state and local government agencies in many aspects have in some way, shape or form, have credit card data.  So obviously there's a direct challenge for those companies to ensure that it's appropriately protected. I think another element that's very important for companies to consider is the fact that it doesn't really matter what type of data you have.  If a breach occurs it's bad news.  There is such a thing as bad publicity.  It really is something that everybody should take care of because your credibility as a company, your brand is really significantly impacted.  The statistics are out there to what degree,  The cost to deal with the breach is quite significant as opposed to doing something proactive.  From a state local government perspective, we've worked with a bunch of them, more often than not they do have credit card data.  But the personal data they hold, if that gets compromised it's a huge thing because people trust them and losing that is a big deal for them. 

Naby Mariyam: I think when it comes to the government and technology,  those two things together a lot of people do not have a lot of trust around that due to various different reasons that we don't have time to get into.  Outside of FinTech or outside of government agencies let's say e-commerce, there are a lot of business owners that start an e-commerce business and use platforms like eCommerce and Shopify, where does the responsibility lie in terms of making sure they have secure practices?   Is it the platform provider’s responsibility or is it the business owner’s responsibility?

Ray Simpson: Great question and it does get back to that determination similar to if you outsource stuff to the cloud.  There's a Delta and you can't outsource liability.  That kind of stays inherent.  That stays with you and when you use platforms like Shopify there's a lot that they do take care of but there is still that element that every single company is responsible for.  It's very important to just determine what that is and you can hold that third-party to certain service level arrangements that you may have in place with them, but ultimately you've got to understand firstly what your responsibilities are.  In a lot of the investigations we do with breaches, the first thing that happens is the third party gets blamed, but when you've started looking at it you realize that the company didn't actually know they had these responsibilities.  They didn't deal with them because they thought the third party was going to take care of it.  So it's getting that understanding of what we are dealing with.

Naby Mariyam: I think that customer education and awareness is such a critical part because we are all users of technology at various levels, even outside of business as individuals we might be faced with some sort of attack.  People love doing random quizzes on Facebook and click on things and these are opportunities for different kinds of breaches, The public, let alone companies do not have enough information or the awareness around basic principles of protecting against the bad actors in our environment and it is something that is totally unavoidable.  

I think we're getting close to finishing. It's been such an amazing conversation with you Ray and I really appreciate you taking the time and sharing so openly around this topic and something that I would love to talk in further detail with you at another time. Before we finish off, if you were to give one piece of advice to our audience, the general public outside of companies, anyone that's watching this video, if you're a user of any kind of digital platform or just using the internet, what is that one thing that you would advise people to be mindful of?

Ray Simpson: I think if there's one thing that everyone should consider, it is the fact that we need to plan and prepare as if things will happen… things will go wrong.  It's just the nature of the beast.  Don't think that from an individual perspective, a company is immune or they've done what they thought about outsourcing, whatever the case may be.  Make sure that you've got everything planned and prepared as the saying goes: “if you fail to plan, you plan to fail!” and literally that is it.  You have to plan and make sure that if anything happens then without having to put thought and emotion into the equation you can literally take out a document and follow the document and everything's step by step.  That's where we want to be from a security perspective as well as from a response perspective.
Naby Mariyam: Excellent. Before we finish up I have one last question from David Fraser: “Do you have any experience in terms of exposure to the airline industry in relation to public safety data? Is there anything that you can share on that topic?”

Ray Simpson: Yes... the airline industry is typically regulated by the International Air Travel Association IATA and there's a lot of regulatory requirements in place in terms of the securing of the data and the way that they need to operate.  It gets back to that point of the need to understand what the risk is.  If you are dealing in an industry, hypothetically whether it be insurance, whether it be an airline, you need to get an understanding of what your exposure is.  What data you have, the regulatory requirements of the various regulating bodies.  Then get your plans in place to address and deal with those.  It goes without saying but so often we find that that's not actually done to start off with and it's really very important.
Naby Mariyam: Thank you so much for sharing such great insights around this very important topic for individuals, companies and startups across the board.  Thanks to our audience for tuning in and engaging in this conversation.  Have a really lovely rest of your Friday afternoon and a great weekend to me.