Martin Hinton (00:02) Welcome to Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton, and your host today. Joining us today is Glen Williams, the CEO of Cyberfort, a cybersecurity firm out of the UK. So without any further ado, we're going to introduce Glen. Glen, thanks so much for having us. I join, pardon me. Thanks so much for joining us today. I want to dive right in. When we did the pre-interview call for this, we talked in a lot of very simple terms and you told a really, really great story about the perhaps ease with which a cyber attack can occur and it required the use of a high vis jacket. So when you talk about the high vis jacket attack, what is that? What's that all about?

Glen Williams (00:37) Yes. Well, thanks Martin and thanks for giving me the opportunity to join the podcast today. So the high vis jacket, most people know what one of those is, hopefully kind of the fluorescent green jacket that people wear that building workers typically wear or people who look like they're in a position of authority wear when they're on a building site or actually if they're in an office or wherever they go. And just by putting that jacket on, it's amazing psychologically what happens to people when they see somebody in a high vis jacket walking into an office. Suddenly they become people that they want to let in.

Martin Hinton (01:10) you

Glen Williams (01:14) They will happily let them walk around the office. I'll let them go and do whatever they need to do just by simply putting this high vis jacket on. And culturally, the UK, we tend to be very, very polite. So somebody puts a high vis jacket on, they walk up to the desk or however they want to get into an office block. And they'll just say to somebody, I forgot my pass. Can you let me in? You've got a high vis jacket on. Mentally is what they're thinking. You look like you know what you're doing. I'm going to let you straight through.
And a good example is people, I've seen people, or we've done this with people where you end up with a guy with a high vis vest sitting in the CEO's office at his laptop, just to prove what you could actually do by just putting a high vis vest on. So I think it's the fact that we're naturally trusting people. Culturally in the UK, we're very trusting in terms of our approach to people. And we don't want to appear to be rude and challenge someone and say, you've forgotten your pass. You know, tough luck, you have to go and get your pass. We would not say that. We don't have problem, but I'll let you through. So the high vis is a really good example of just how simple it can be to get into the depths of a company really easily.

Martin Hinton (02:18) And when you talk about that, the ease and the human factor will get into this. A lot of that plays into the reality with cybersecurity. I think a lot of people perhaps might think it's a more technical thing, but the human element, as we'll discuss, is paramount because it's all about people, right? So what that anecdote gets us into is the idea that you're not really a cyber guru. You're not a tech CEO despite running this company.

Glen Williams (02:36) Absolutely.

Martin Hinton (02:46) Cyberfort that is a cybersecurity firm. Tell me a little bit about your background and how you got into this position and then tell me a little more about Cyberfort and the customers it has and the services it provides.

Glen Williams (02:58) Sure, no problem at all. Yeah, so my background, I'm not a cyber guru, you're absolutely right. I've worked in technology businesses for a long time now. So I sort of spent my formative years working for Dell and then Lenovo, kind of big multinational organizations. And in the last 12 years or so, I've been CEO of private equity backed technology companies, unified communications, like phone systems, IoT and networking and engineering. So I've done kind of different roles.
Cyber, I came across a couple of years ago because I saw a marketplace that looked fragmented, lots of small suppliers, bit of a lack of expertise. I thought something could be done in this space in terms of a mid-market supplier, a mid-sized business supplying to the mid-market in the UK, delivering services that they would want to take on. So I saw an opportunity and funnily enough, it just coincided with Cyberfort looking for a new CEO. So I had the conversation and I started a couple of years ago. So that's my background, always in tech businesses, but not cyber. I'm not some cyber expert. And so that's why people, when I joined Cyberfort, the first thing I said is why would somebody buy from Cyberfort? Because somebody has to convince me, the layman person, why somebody would buy from us and what the market's about and what the challenges are. So I had to go through that educational process myself, which is what I've done over the past couple of years. So I think I'm quite well positioned to have good enough understanding about what goes on without being too technical, hopefully.

Martin Hinton (04:22) You touched on before, but I want to get a little more about Cyberfort, but you touched on something now, which is really the hallmark of business, right? You see a problem or you see something that, you know, I think the phrase or the word you use might be broken or needs repairing. And you step in with a solution that is something people are willing to pay for. And I wonder whether going back several years when you sort of rolled into the Cyberfort world, what were you seeing in the landscape? You mentioned segmented smaller companies. Can you provide a little more detail about the things you saw that you thought, hey, you know what, I can fix that.

Glen Williams (04:57) Yeah, I mean, you would use the term manpower shops maybe in the US. There were lots of small providers in the marketplace, all very big guys.
The very big guys are the very... There was nobody kind of a size and scale that could give the capabilities of a big guy, but the service of a small guy. And that's really where I saw the opportunity for Cyberfort for us to go and thrive. It's this kind of big enough to live a small enough to care type of approach that customers want. You know, I think, you know, I would say to companies, some big organizations, do you want to be, you know, you're to be one of our top five customers, or you want to be number 300 on that big companies list? Of course, they want to be one of our top five, but we have to make sure we've got the capability, the credentials and all that stuff to go and deliver. So that's what I saw in the market. The other thing I saw, if you look at the companies I've worked at, you know, the commoditization curve that Gartner always talks about, you know, when I joined Dell, way back in the 90s, late 90s, and you know a server was not a commodity product, you know a desktop wasn't even there. But through the commoditization curve, people like Dell and other people driving that commoditization of a technology, that's what happened. Hasn't commoditized yet. When I look through the companies I've worked for, telecoms businesses, telecoms commoditized, unified communication the same, networking the same, cyber is still not a commoditized business. So that's why I also could see there was opportunity in the market itself where you could be successful and companies can make money.

Martin Hinton (06:26) You touched on something that's the same on this side of the pond. We'll quickly pass the fact that we use cybersecurity as a single word and you use it as two words, but it's the same thing. The other thing that's quite similar in the UK to the US is the number of companies that exist sort of in the middle, not the huge ones you might hear about and the ones that make news every time they have an earnings report and not like you said, the...
that maybe the single proprietor or actual mom and pop owns the corner store. But this sort of small and medium sized space that is a fuel or energy center for the economy. And obviously as a result of that somewhat subject to cyber crime and the sorts of problems that cyber criminals bring with ransomware and any other number of sort of attack types. You provide to that. Is that Cyberfort's sort of sweet spot, if you will?

Glen Williams (07:27) Yeah, predominantly you would call it mid-market, I guess is what you would say. That's our sweet spot. Having said that, you know, we provide some of our services to some large public sector and banking organizations as well. What they won't do is they won't take an end-to-end solution. So if you're a mid-market organization or an SME, you don't want to have 25 suppliers for cybersecurity. You just can't afford to have that. If you're a big bank, I know, JP Morgan, they probably do want at least five or six suppliers because they need to have five or six suppliers because the size and scale of their business and also to de-risk the company. But if you look at a mid-market organization, if you're an IT director in a company with 400 employees, you can't manage multiple suppliers. So for you actually having one guy who's capable of delivering an end-to-end cybersecurity service is what you want. And that's what Cyberfort does. So when we talk about end-to-end, what do we mean by that? What do I mean by that? It's the life cycle of where you go into an organization. So you first go in and do something, you do consultancy. So that's what we do. We've got a number of consultants that'll go in and look at the organization and do some assessments as to how, you know, how secure, safe and secure they are. A lot of that will be at an accreditation level. So could be ISO accreditation. It could be all that kind of stuff is that you're going to do. It can also be some report, do something called a virtual CISO.
So virtual Chief Information Security Officer will put in. to go and do some work and just sort of assess how they are. So it's all kind of like assessing these consultants are going in and going, okay, we're doing an assessment, we're gonna get you in the right place from an ISO or BSI perspective, we'll do that. But we're also gonna show you where some of your risks are and what your challenges are. So we do that as a first step. We're then gonna do the next step of that, which is then typical penetration testing, pen testing. It's much broader than that. What we do purple team, red team, people are here with these expressions. That's what we do. So again, we're testing people's applications and infrastructure. We're trying to see if we can get into it basically. So we've got a consultant who said, these are where your problems are. We've then got, for want of better term, ethical hackers trying to figure out how they can go and get into these organizations. So at the end of all of that, we turn around to the company and say, look, here's all your problems. Now some companies would stop there and then pass it on to someone else to go and deliver. But what we deliver, which is different to other companies, is really they're going to deliver a managed service. called Manage, Detect and Respond, MDR, which is known in the industry. And what we do is we detect issues and respond to them. So we're monitoring everything that's going on in that organization's environment, monitoring it, detecting if there's an issue, seeing if there's something that doesn't look quite right, and responding to it and protecting them. So in essence, that's what we do. We find where the problem is, in both through consulting and pen testing, and then we go and we give you the cure, basically. So here's the virus and here's the cure. 
Martin Hinton (10:11) So it sounds to me like if you want to put this in an individual terms, it's a bit like you haven't had a visit to your doctor in 10 years. You show up and you get all your blood work done and they check all your other vitals and they discover that maybe your cholesterol is a little high or your blood sugar is a little high. And then you set out to come up with a plan to create a healthy cyber environment like a doctor might create a healthy human environment. Is that sort of a broad sort of simplistic?

Glen Williams (10:39) That's exactly right. A lot of people get worried about your analogy around the doctor is a good thing. It's like going, some people will say that you can't do both. Offensive and defensive, well you know this from American football, offensive and defensive. So there's offensive cybersecurity and defensive cybersecurity. You do both. What I've just described is that offensive and defensive. But if you go to a doctor, you wouldn't want to go to a doctor and he tells you all your problems. And then he says, okay, what are you going to give me for it? And you just, well, that's not my job. So you want them to give you, here's your prescription, here's what's going to get you healthy again, and here's your solution to get you fixed. So that's kind of, some companies don't do both things, we do both. Some people, big organizations want to keep them separate for various reasons, and that's fine if you're a big organization, but these mid-market companies really just want one organization that can go deliver all of this.

Martin Hinton (11:30) I mean, there's the obvious simplicity of one stop shopping. One of the things that you touched on is, and I wonder whether this is true, is how often do you arrive in these situations and companies have, there's one of the things we discussed is the misconception that IT and cybersecurity are similar, they're the same.
And that perhaps their IT provider has been providing some level of cyber as well, but it's not at the level needed given the threats in the threat landscape right now. Talk to me a bit about that misconception because one of the things I think it's important to remember is that a lot of small businesses and even with a couple of hundred employees, there's an enormous amount just to run the business, right? And this is a new layer on top. It's another thing, another compliance, another benefit. There's a lot to understand here, which is, you know, in my opinion, it seems that the value of companies like yours to come in and give people a sort of, you know, a comprehensive look at an end to end look at their situation so that they can make informed decisions about how to improve it and become more resilient against cyber attacks and crimes. Is that something you encounter more now, less? Is it still sort of an ongoing reality where people think they're okay and then they realize, wait a second, I'm not okay?

Glen Williams (12:32) Yes. Yeah, we had, so there's a couple of points to this, I guess. It all comes down to IT. And so there's two parts, I guess. The first is IT often in these mid-market organizations, not being disparaging, but obviously the IT director or IT manager, he's not a cyber security expert. He might have come from an infrastructure background or an application background. His expertise is in running IT. And just because cyber is a threat that has cybersecurity is something that happens through technology, it doesn't necessarily mean it's where it sits. Cybersecurity is a risk issue more so than anything else. So the challenge really for some of these organizations, they've got an IT guy there. He's an infrastructure guy. He thinks he knows what he's doing, but he doesn't. And then worse than that, he's got a supplier who delivers all of his IT stuff.
He's buying his laptops, desktops, he's buying his Microsoft licenses and all that stuff and getting even maybe a managed service from them. So he's got this kind of generalist IT supplier. He says, don't worry about that. I can take care of your cybersecurity. And they go, OK, well, you say what you what you're talking about. You talk about vulnerability scanning. That sounds great. Why don't we do some of that? So you've got an IT guy there who's sitting there thinking, I'm covered. I know enough about this. And secondly, I've got my supplier who seems to know what he's talking about. So surely I'm OK. And that's what we've seen quite a lot of. Then we go into an organization, do something like a threat model. We'll go and start actually modeling where the real vulnerabilities are in the company, and suddenly they don't, you know, it's a completely different ball game. And that's where you need experts who can come in and do that.

Martin Hinton (14:18) Yeah, I mean, you touch on something that I hear quite frequently and it's this misconception that, you know, IT and cybersecurity can be done by the same sort of people with the same backgrounds and skill sets. And perhaps sometimes they can, and there's certainly overlap, which is where I think that you get a lot of that misconception. But the example I've used is that, you know, IT is a bit like the employee who fixes the fence or repairs the door at your warehouse. And cyber security is the person that makes sure that the fence is the right kind of fence to keep people out. And the lock on the door is one that can't be picked very quickly, or there's a security camera. This idea that one is a little more infrastructure and the other is a little more complex and a little more holistic. Because security is, it changes as the threats change. That idea that with cyber crime, it's evolving is something that the mindset's catching up with, it seems you've touched on.
You mentioned end to end and one of the things in some of your literature for the company is the great expression 24 7 365, which means all the time. And I wonder if you could touch on that element of end to end, because one of the things that I've said to some people recently and has been said to me is that cyber crime, you're at a company and suddenly it's a Monday morning or even the middle of the night on the weekend,

Glen Williams (15:18) Yes. Yes.

Martin Hinton (15:43) and you can't access any of your company systems and orders aren't being fulfilled or whatever might be the problem. That's a problem like your warehouse is on fire. You need someone to call right then like 999 or in America 911 and begin to deal with the emergency right away. Is that the level of urgency that exists in this space?

Glen Williams (16:05) Yeah, and again, you touch on something that some of these general society suppliers don't do. So they'll talk about a service, but it's often not 24, 7, 3, 6, 5. And so what is the 24? It's always monitoring, always monitoring something to see what's going on. I'll give you an example. I won't say which retailer it was, but this was an out company that did it. I was talking to CEO of another cybersecurity company. And one of the guys they knew normally worked in Tenerife, so in the Canary Islands, and he would normally log in. And so they were used to seeing this login happen normally when they were monitoring things. But he logged in at 4 a.m. in the morning in a pub that he normally wouldn't log in from. And somebody spotted that as an anomaly. And kind of that was the trigger for them stopping enabling somebody to basically breach the company, which is what they would have done. This guy was going to find a way through. So what these guys are looking for is anomalies. And they're using some software to do that. They're using their own skills. A lot of our... People are SOC analysts, are neurodivergent and or neurodiverse.
And so that means that they've got incredible skills in being able to spot patterns, see things that shouldn't necessarily be there. And that's the skill of our SOC analyst, sorry, SOC is our security operations center. That's the 24 seven service. These people are almost geniuses in what they can see and what they can spot. It's almost like, you know, the air traffic control guys, you know, that the people are looking for things and things that. This is what these guys are doing all the time, always on, looking for something that doesn't look right and monitoring it and using software to them to do it. And now using AI to help them as well, because obviously the other guys on the other side are using them. So 24, 7, 3, 6, 5 means that we're always looking, always looking and always checking and seeing what could be an anomaly, what could be a potential breach.

Martin Hinton (17:53) It's very, very interesting to use that you mentioned neurodivergent and pattern recognition and the idea that so much of what a company does most of the time is the same in some respects, depending on how you look at it. Maybe, maybe electronically it looks the same. There's this many emails a day, this many logons a day, this many failed logons a day. And, and you know, that's, that's so, and so they always take two and a half times to log on or whatever it might be. But the geolocation part of it is another one where, you know, if this doesn't fit, that's a red flag or something to call it pause. Those things can come, as we've said, 24 hours a day, seven days a week, every day of the year. You talk about the, I mean, would you put, one of the interesting ideas here is you've got human beings, you've got the existing technology, and now you have the AI technology, which is yet another layer. Do you find yourself with...

Glen Williams (18:33) Yes, exactly. Exactly.

Martin Hinton (18:52) a greater value of any one of those in particular? Which one of those matters most in this space?
Glen Williams (18:59) People still, 100% people still. The layers of it, eventually what you'll get in a security operation center, you'll probably get five or six incredibly smart people and then a load of LLMs working for those very five or six very smart people. That's where it eventually will get to, but we're not at that point yet. We still require more humans and we do the, because the AI hasn't quite caught up with that yet. It's going to be a matter of time. I don't know how long, but it'll be a transition between the AI being able to spot these quicker than a human being can. Of course it can because the amount of data it can just look at is far more than any human being can, but they'll still miss things that the experience of a security analyst would see. So yeah, as we go and grow our business, we'll be investing more and more in AI. And as I say, the skill of the SOC analyst, the analysts will be how they manage the AI almost. You're going to find that these guys managing their own bots and their own agents will be almost like an HR role to a point. They're going to be looking at policies and other things. But in essence, the key to this in our MDR service and our SOC and this monitoring service will be its people. It's people first and foremost today. And we have to go and build that solution over time.

Martin Hinton (20:21) I'm imagining an auto mechanic with five amazing mechanics and the scenario you're describing is they've got the greatest tools, but if they're not great mechanics, the tools can't be used properly and they can't be, the idea that there's again, like a symbiotic relationship. You need skilled, intelligent people who think and see that maybe in ways that you don't and then machines to augment and complement that and then also provide them methods and ways to fix things is an interesting scenario.
One of the things that is the case here in the States is that the small and medium sized mid market space is hit pretty hard, but we don't hear a lot about it. A lot of them fall outside the reporting requirements and because they're smaller companies, even if the payment were big, it's not huge news like an MGM or even a... technical outage like say the AWS outage that occurred recently. What kind of misconception and do we have it in the UK like we have it here, this teenager mentality where we're young and we're dumb and we just think that's going to happen to someone else. It won't happen to me. Yeah, no, that's only Marks and Spencer's and Land Rover and that kind of thing.

Glen Williams (21:38) I think that's part of it. I think it is part of it. I think the bigger chat. So I think there's a few things. The first is the cost. Some of these guys look at cyber as a cost. You know, the bigger organizations know they have to go on tech and so on. They see a cost. The second thing is, if you're an SME, it's what's your impact in the wider marketplace? And why don't we hear about it? Now, there is one happened in the UK to an SME organization, because that had an impact on people buying and selling houses. In the UK, people couldn't actually do it for like six weeks because this piece of software that these guys have produced, their company had been breached and it made the BBC News because it stopped people being able to do something. More often than not, it doesn't have that much of an impact on wider society so they don't necessarily see it. I think that's part of the challenge is that unless you physically see it like an M&S where the shelves were half full, you couldn't use your credit card to buy things. When those things happen, people realize this is having an impact. I think other than that, unless there's a personal impact on someone, it almost doesn't happen. It doesn't feel like it's happening.
So I think that's part of the reason that people, it's just, and also a lot of these SMEs are actually into the supply chain of the bigger organizations. In fact, if you look at Jaguar Land Rover, one of the big challenges in the UK was our GDP fell off a cliff in Q3 last year, simply because we couldn't manufacture any cars from Jaguar Land Rover. And part of that, and what the government had to do was step in and actually help facilitate payments to the SMEs, to the supply chain into them. Because if they didn't do that, these guys were potentially going to go out of business. So it's a different issue from SMEs. They weren't the ones breached. They still had an impact on them, with the big guys being breached. I think it's more that it's not that it's not important. I think it's just more the case of the fact that it just doesn't have as much of an impact on people's lives on a day-to-day basis.

Martin Hinton (23:33) You touched on the purchasing of homes idea, which is reminiscent of the CDK hack here, which is the software provider for auto dealers and a similar situation. You couldn't buy cars the normal way, all the electronic software that was required. And the Land Rover Jaguar, just to inform the audience, one of the things that happened is that a lot of the people supplying parts to manufacture those cars only supplied parts to Land Rover and Jag. And so when they weren't able to build cars, they stopped buying parts, which meant that these companies had no one to sell to. And this is a moment where you had what people have talked about a lot in the cybersecurity and cyber insurance spaces, the government backstop and the government stepped in to avoid, I think it might be fair to say companies going out of business and lots of people losing their jobs. Is that overstating the sort of impact that hack had?

Glen Williams (24:24) That's what happened. I can't remember if it was a billion or something like that.
It was a fair amount of money that had to be put to go and make sure these organizations can keep moving. Yeah.

Martin Hinton (24:32) Yeah, this is, you know, one of the things that we know is that the big brands can often survive these breaches, right? They've got cash flow, they've got revenue, even if they have a huge hit like M&S has, they had, in the case of M&S, had some cyber insurance, but they're legacy brands with, you know, a lot of support, if you will, which it comes in the form of customers, and then also the government not wanting a massive major brand to, you know, go away, which does happen, right?

Glen Williams (24:54) Yes.

Martin Hinton (25:01) When that occurs, do you think that that creates a misconception amongst others that, well, you know, they can endure it, I can too, and that smaller firms are sort of lulled into a false sense of confidence?

Glen Williams (25:12) Possibly. I think again all roads for me lead to a board level and in the six months after the breaches that happened with Jag Land Rover, M&S, etc. Every chairman CEO that I spoke to was all what we're going to do. How can we make sure this doesn't happen to us? They were all really focused on it. The problem is it's not complacency. It's not knowing what the answer is. So if you're chairman or a CEO of a company you rely on your CIO, your IT director, your IT manager. So of course the board will go and say, are we safe? They bring the IT guy into a board meeting and say, yeah, it's perfectly fine. Everything's taken care of. I've got my supplier here who also supplies my desktops and laptops. He's doing a great job for me. And that's the same challenge. Every board takes it seriously. The problem is they don't know what the right answer is. They don't know what needs to be done. If you said to a board you need to £100,000 a year to keep you safe and secure, they'd go fine. Where do I sign? And you can almost guarantee my safety.
You can never guarantee it because there's always something that can happen. But as near as dammit, you can do that. I think they would all sign up to it. I met one private equity company and I met a partner and he said they own 80 technology companies around the world. And they said our budget is limitless for cyber because they know if one of their companies gets breached, the valuation of that business is almost gone. So I think people do put value on it. I don't think it's complacency. I think it's that they don't know what to do.

Martin Hinton (26:44) Yeah, you make a really good point. And I think that this is something that, you know, not that CEOs need a ton of our sympathy, but we're only all back to our earlier point about human beings. There is an enormous amount of a even the brightest person, the technology that exists that allows electrons to play every movie in existence on the phone in my hand, almost anywhere I am in the world is certainly lost on me. Like it would not exist if I were the only person left. But that idea that it's It is a bit hard to understand. This landscape is, there's no shortage of acronyms in the cybersecurity world. And insurance is a bit complicated from a financial point of view as well. And I think that there is that idea that, I know I've got a problem, but I'm not sure what to do. And even when you hear about companies having done the right thing, they seem to still deal with things. There's a bit of a fog around the path forward in this space. Do you think that some of the bigger breaches that have occurred in the UK are helping clear that up? The other factor in the UK obviously is, and it's largely Russia, the interference of nation states sort of hacking in the operation of society, right? Like we put it very, very broadly. Do you think that, and then also for our audience that doesn't know, in the UK, there seems in my estimation to be a quite aggressive governmental level of...
effort to raise the awareness and then also the expectations as laws exist to raise expectations or create compliance. Do you think that sort of thing is, you know, as you look at the landscape outside of the UK, more aggressive in the UK or is it just something that is a frequency sort of syndrome and I'm seeing a lot of it? What do you think about that?

Glen Williams (28:29) I think that I know we can compare to places in Europe predominantly. And that's why if you look at cybersecurity businesses that typically in the UK, that are owned by private equity, the private equity companies are looking for them to expand into mainland Europe because they talk about mainland Europe not being quite as advanced. I don't mean that in a derogatory way. They're just not. So places like Germany, Germany's got some really interesting data protection laws, some really interesting stuff. So I think people say that the UK is in advance of Germany in terms of where it is. And the government does take it seriously here. You're right, the Cyber Resilience Act is just coming into force. So that was brought out. And that basically is saying to organizations, to the board of an organization, you need to prove that you're being resilient. And these are the things you need to do. Because you're going to get breached at some point in time. This is going to happen. But you need to prove that you've got the right level of resilience no matter what happens. And if you don't,

Martin Hinton (29:28) Yeah.

Glen Williams (29:28) And if you can't prove that, there's some liabilities for the company and potentially for the board if they can't prove that. So they're putting some teeth to it.

Martin Hinton (29:34) Yeah, and it's interesting, you know, words matter. And I think in some of the, I don't know if they're white papers or governmental ministerial papers that are put out about and around this subject matter, the language for government seems quite strong to me.
The idea that, you know, this is a national security issue, the idea that our economy is essential for our national security, and that if our economy and our companies that make up our economy aren't resilient against cyber attack, then. our very national security is a jeopardy. That theme seems to be consistently raised in this. Am I right or is that just me seeing only a bit of it? Glen Williams (30:13) No, think, so they understand that they need to do something. I'm trying to think of your doctor, going back to your doctor analogy here if I can come up with the right analogy. So the government feels that they need to get, know, put the right amount of teeth in there and the right amount of effort and focus to make sure people are being cyber resilient. However, I'd say, so it's like going to the doctor and the doctor knows you need to do certain things to keep you fit and healthy, but it's also the nose that you can drink. 20 cans of Coke a day and you're not looking after yourself. He knows that, but he's not done enough about that. So what do I mean by that? lot of our infrastructure in the UK, IT infrastructure, particularly in government, and particularly in some of the places like the NHS and other places, is quite old fashioned and legacy to be candid, which makes it relatively easy for people to go and do stuff with. So... I think the modern story today around cyber, they get it. They want us to be secure. But the infrastructure that sometimes sits underneath that, they need to spend money on improving that to ensure that people are safe. Companies, they're encouraging to get Cyber Essentials and Cyber Essentials plus. If you supply the government, you have to demonstrate your view secure by design in the heart of what you do. And also the government for anything that they go and deploy or do has to have secure by design at the heart. What does that mean? It means that you don't... Martin Hinton (31:17) Yeah. Yeah. 
Glen Williams (31:37) design a network and then go, what about the security element of it? Security element comes first. So you have, there's a methodology with secure by design. So that kind of stuff has been driven by the government. I think they could do more. think, so there's something called the NCSC, the National Cybersecurity Council. There's about, I think it's about 2000 organizations that certified as part of it. I think what they need to do is kind of make it a bit narrower. about who can actually be those suppliers, who are those experts in that space. I think they should mandate, of course I would say this because I run a company that's part of that, but I think going back to the point I made earlier about using experts, that's what you want to know. You want to know if you're going to go and get your Porsche or BMW fixed, know, user BMW certified engineer is going to be fixing it. You could go and use your friend around the corner, he's also a mechanic and he'll charge you a lot less, but he just invalidates your warranty the minute you do it. And it's kind of that mentality, sometimes in life you just have to spend a bit more money on things and you have to use the experts. Martin Hinton (32:34) Yeah. You touched on Cyber Essentials. That's capital C, capital E. Tell me a little more about that. Because one of the things I want to get into is the idea that you can create compliance lists and a list of things and boxes to check. That's not the same. And the analogy you used when we first spoke was that you can get a gas safety certificate for your home. It's not going to stop your house from burning down. There's a difference between compliance and then actually being secure. Glen Williams (32:43) Yeah. Martin Hinton (33:10) And the misconception that, look, we've got all these things in place and we've checked all our boxes, we're fine. That can create a misconception. So tell me a little more about Cyber Essentials. 
And then that idea that, that, that in this space, and the, I think that one of the big things to take away is that it's exactly like being healthy in your own personal space, like your own body, right? You don't go to the gym for January and then not go for the 11 months for the rest of the year, right? That's not healthy. Lifestyle and that with regard to cyber and cyber security because of the dynamic nature of the attacks and the threats there is this need to be and it's annoying it's a frustration to be constantly on we know there's 300 365 24 7 sort of Monitoring but this idea that this is a constant subject matter It should be on the the itinerary of every board meeting that you have is so what's going on in the cyber security world with regard to us is that You know, so again, I've asked you a lot just then. So Cyber Essentials, start with that. Just tell me a little more about that. Glen Williams (34:09) Yeah, no problem. So just go back to your point there. The interesting thing is you've only ever got to make one mistake. That's the point. It doesn't matter how brilliant you are, you've only got to make one mistake and somebody can get in. That's why you always have to be always on. Going back to cyber Essentials, you know, I was a CEO of a business six, seven years ago, and I was checking governance. said, look, we've got cyber Essentials. Yeah, we've got that. Have we got cyber insurance? Yeah, that was it. I moved on. That was seven, eight years ago, you know, so times have moved on. I was working in a technology business and that was what I was thinking. I'm sure most CEOs of companies are thinking exactly the same thing. We're covered by this. But Cyber Essentials is the bare minimum. don't think it's a gas safety certificate. It's also probably the bare minimum as well. It's the minimum you could get in terms of accreditation. pretty, it's not expensive. It's the minimum checklist you could possibly get. But the bare minimum won't keep you safe. 
And to your point, around gas safety certificates or any of certifications. It's all great to have a certificate, but you've got to test these things. Are you actually resilient to testing it? And that's what the cyber resilience act is going to bring in, make people make sure they're actually testing to see if they are resilient or not. Cyber Essentials and Cyber Essentials Plus, we pay a little bit more for. It's just a checklist. And also when you go down to the questionnaire, this is a questionnaire. You're answering a questionnaire. I'm not saying people don't tell the top truth, but as far as they know, they might think that's the right answer. They answer it. It's not being tested properly. So that's what needs to happen. So again, a company we're talking to recently, they're an online company, I can't say what they do, but they're retail space with consumers. And they're worried about what happened to M&S. They said, we've got Cyber Essentials, we've got all these things in place, surely we're okay. So we went and did a threat model. And in the threat modeling, found just as a real bait, the first thing we found was that they didn't have a backup for their website. So the website went down. And this is an online business. So they think they've got the certificates and they've got the stuff. But just by doing a threat model or doing things like that, a cyber maturity assessment, it doesn't take long. It doesn't take much effort. And suddenly on the back of that you go, I actually had no idea. I guess it's the equivalent. You go into somebody's house and you're walking around there and you're doing an assessment about, you got locks on the doors? You know, it's only so you've got a lock on the door. Half the doors aren't locked, haven't got locks on. They think that they've got a lock on there that's not up to standard. They just haven't bothered checking it. That's kind of what it is. 
they've had someone go around the house and go, yeah, every house has got a lock on every door. Not checking that, some of work? So that's kind of the best example of what happens. At Cyber Essentials, although it's a good starting place, it is the bare minimum of what someone should do. Martin Hinton (36:56) As you were talking, the idea that if you're going to train for a marathon, you want to really test the level of your training by running the marathon. And what you were describing was this area where someone's only ever training. They never actually run the race to test whether or not they've trained properly, whether their body can achieve what they've been working toward. And this idea, you you just touched on it now that, look, we've got locks on every door, but we don't lock for them. They've never been locked. We don't use the lock. That idea that, you yeah, I've got all these things, but we didn't turn them on. I mean, the example I read recently is how often people buy some sort of piece of hardware and they never change the default password. Louvre123, hello. Right? So that idea that there is this, there's a difference between having the right Gymshark outfit and then actually being healthy and being fit. Yeah. Glen Williams (37:39) Yeah. Yes. But also to give an example of other things that people do is they will then go in at the other end, they think, well, we need to be super secure and super safe. So they buy everything. They buy all these different things. And you find some particularly big organizations have got a plethora of stuff of just every kind of security tool you could ever want to buy. But because it's not being embedded properly or set up in the right way, I can't think of the right analogy for it. But in essence, they've just kind of spent a lot of money and it isn't really working and keeping them safe. 
because they've just, it's almost like the next IT director comes in and oh, I need to go and buy this, or I need to go and buy that. And they just go and spend a lot of money on stuff, but they're still equally vulnerable. Martin Hinton (38:30) You remind me of the general human condition where we add to solve problems. We don't subtract. we want to do something to our home. It's an addition, not a subtraction, right? This idea that more is always better is, you know, is one we've, it's a pit we fall into. And you make a good point because one of the things about a lot of the technology you can employ, whether it's, you know, whatever layer it is, it needs to work together properly, back to your analogy with the sock and the idea that you've got Glen Williams (38:39) Yeah. Martin Hinton (38:58) human beings and you've got some software, you've got technology, you've got even now AI. This idea that there needs to be a much more, what is the right word, holistic kind of interaction between all these parts that they pull off what they're supposed to, if you will, like a team should, right? A well-oiled machine, if you will, to use that analogy. One of the things that we discussed when we spoke on the phone was the sort of broader awareness in the general population. Glen Williams (39:19) Yes. Yeah. Martin Hinton (39:29) And you might think I'm getting to the question about what the general population knows, but what I'm kind of thinking about now is that the general population are the employees of companies that become the victims of cyber attacks. And there is a sort of mindset about why would anyone break into me and does anyone really want my password? I wonder whether, I think you use the analogy about QR codes that we see everywhere now and became sort of the way you ordered at a restaurant. If you, if you remember going out in the sort of wake of COVID and that sort of thing. Glen Williams (39:51) Yeah. 
Martin Hinton (39:58) I wonder whether you might be sort of come back to that point in the UK about politeness and I think that there's a similar vein in American culture where the idea is particularly in a customer sort of service in a business environment, you want to be able to help, you want to make sure that the process occurs, things flow rather than be friction in that process. And I guess that's akin to politeness. And I wonder whether or not you might sort of touch on that because back to the example we've touched on. Glen Williams (40:18) Yes. Martin Hinton (40:25) The M&S hack was what Archie Norman, their chairman, called a sophisticated impersonation. So what we're led to believe based on that and the other reporting is that someone called an IT desk and was able to convince a human being to reset a password and that was it. And I wonder whether you might sort of, you know, touch more about the high-vis psychology of this and the fact that, you know, these cyber criminals are highly, highly organized. They benefit from all the information that you or I or any corporation might have about behavioral psychology and the way our minds work and the way we're vulnerable to certain tricks and cons. I mean, the street level cons exist for a long, long, long, long, long time. And it's now moved into a digital world where it's incredibly profitable, incredibly well organized, nation state backed. Do think people get that and that there are, you know, Glen Williams (41:10) Correct. Martin Hinton (41:14) There's great value in what we put into all our digital spaces, whether it's at work or in our personal lives, and that we need to be protecting that with a little more, or even a lot more awareness about the threat. Glen Williams (41:26) I think people who know, so people who work in cyber security companies or people who work in big organisations or work in the defence space or places like that understand you have to be safe. 
Let give you an example of somebody, they told me how they would do through social profiling would basically get to a senior guy in a defence contractor as an example. So he showed me what he would go. So it's not that he's locked solid. You're not going to get into a defense contractor. You're not, but he's there. You're not going to get into him. He's locked in. So they then give it a social profile and LinkedIn or Facebook or whatever it might be. And he's married. Okay. Goes online. Married. And she mentions in a post the girls or who are the girls. This guy's been using multiple ways to look at the different and the girls are two daughters. Okay. Then finds out one of the daughters getting married. That's a big, big green flag for a hacker. getting married, getting divorced, all these sorts of things is when you kind of are not fully focused on what you should be focused on. Found out that the bride-to-be wanted to get her family a gym membership and get them all fit for the wedding. So what he did through two different places, he went and put one thing he posted about this gym membership on, I don't know, say LinkedIn. You get your whole family on for whatever. Then posted on another thing, maybe on Facebook, he just mentioned, did this amazing thing with this gym and my whole family, because my daughter was getting married. we all did this amazing thing, it was incredible. Now the daughter's looked at this, she's got two things, she's got this gym membership, it's only there, and this other guy is a dad who's done it for the wedding. And she goes, this looks amazing. It's exactly what I want. Clicks on it, he's into the daughter, then into the mother, then into the defense contractor. And that's all through social profiling, basically. You know, when you talk about what information did that person put on there, not a lot, really, other than she was getting married. You know, it's you have to be, I mean, otherwise you put nothing on these things. 
So you have to put, but you've just got to be conscious of what's going on. That's all. It was the clicking on the gym voucher. That was the problem. It wasn't necessarily the data that you'd expose that as soon as she clicked on that voucher, that looks good. He was in. So it's those sorts of things is that if something looks too good to be true or something looks, that's interesting. Isn't that strange at the same thing that I want, want, you know, people don't take that second just to think about it and go. Actually, that does seem a bit of a coincidence. Martin Hinton (43:51) You know, it's really interesting. you, was having a conversation about business email compromise and we have, you know, one of the brilliant things about technologies is made all layers of business more efficient. And I think we touched on the idea that, you know, at least I'm old enough to have had to use things like mailing letters for business correspondence, FedEx, faxing, all of that takes a little bit longer. There's a little more friction. And as I started to think about it, what had occurred to me is that that allows time for your subconscious to. Shake your conscious and go wait is like this doesn't seem quite right Maybe we should slow down and that in some respects the way you get that phone call now if you're transferring money and the bank has to verbally verify it creates moments of friction or choke points where Everyone involved has a moment to go. Wait a second. Is this the way it's supposed to be occurring? Do you think that one of the consequences of all of this sort of speed with which we can do things now is that we need to find ways to Slow the process down at those key points, know, like when you hit return on the the button to transfer a payment or we know this happens, right? We get the business email compromise where someone will fake an email from a client with a new bank account and you send the money to what you think is their new bank account. 
But in fact, it's some bad guys bank account that there needs to be a real, you know, don't get mad at people when they slow the process down, particularly when it involves money leaving and or you sending money or you receiving money because that is you're never getting a wire transfer back. mean, It can happen, but it's very, very unlikely. Is that something that when it comes to culture and awareness should be more present in people? Like if you have any doubt, know, the old line was trust would verify. And I think it might have been you who said, no, now we are in the world of don't trust and verify. Is that mindset one that for now as we seek maybe technical solutions to this, one that needs to be more prevalent? Glen Williams (45:36) Yeah. 100 % well you think about it driving your car speed versus safety So there is a there's an optimum point where you can drive at a safe speed and a safe speed you know, but What is the optimum point? And I think when you've got a car that can go as fast as you want it to go You may be thinking I just want to go as fast as I want to go and you put the safety out the window Which is basically what happens here people, you know, they kind of offsetting speed to safety or security for one of a better term, so I think that's exactly what human nature does. And because we're moving so quickly, it's in our nature to want to get things done faster and faster. I'm very conscious that when I get phone calls, I'm just naturally suspicious. I think that's just what the way I am. And so I think I've always been like that. And so it actually doesn't mean that somebody wouldn't compromise me at some point in time, but it's a lot harder if people are very trusting and very open. And typically you find this can be a generational thing as well. So think about this, Martin. When I go and see a doctor, going back to a doctor analogy, if I go and see a doctor, I've Googled all my symptoms already before I walked in the door. 
I know it's one of three things, pretty much, what's wrong with me. And because I don't entirely trust the doctor, and I'm thinking, I've got this other data and this other information, I would want to make sure I've got this data information. If my mum goes into a doctor, she entirely trusts, and she's 78, she entirely trusts everything the doctor tells her. She believes in what the doctor tells. She would never think about going online and even questioning the doctor about what they would do. So that's why you tend to see things like fraud and that kind of stuff happens more to the elderly than people who are slightly younger. So I think it's just adopting that. I don't know how you do it, but that's a generational thing. think that people are trusting of certain people. If somebody is going to send something to you, oh, of course, why would they be trying to hack? Why would they be trying to take my money? I think you've got to apply the other way around. and think of it, these people are all going to try and take my money and I've got to make sure that they don't. But we don't think like that as humans. We're too trusting. It's just that I'm ancient. Martin Hinton (47:47) Yeah, yeah, I mean, I don't want to dismiss the value of trust and honesty and believing in people, but you're right. I mean, gets me to the sort of the follow up question is, and the UK and Europe are famous for this, the far more blunt, say, anti-smoking ads where you've got the photo of a cancerous lung on the pack of cigarettes. Do you think that there is the need to raise the awareness within the adult population? And then moving to The other end of the spectrum, not the elderly who we know have always been historically subject to the victimization as a result of scams and cons and that sort of thing. But I think of my 11-year-old niece who's here in public school in New York City and part of her health curriculum, if I'm remembering correctly, is cybersecurity. 
So she lectured me on the value of MFA and complex passwords. But the other thing she really got into was the mindset that you're touching on. it's the work to remember, we have put things that we. value immensely, even if it's just our money into a digital space, right? And I know it sounds silly, but that's where my money is now, right? It's in an app, it's in Venmo, it's in Revolut. And if we thought about it, we would protect it way, way more than if, let's say you were putting on, let's say your phone had $1,000 cash slipped in the back of it. You would really, really watch your phone. That's the way it is, right? Because if someone can tap your credit card, like we know that, right? Tap and go, there's a limit of. I think 50 euro in the case of one of the banks I use in Ireland. You don't need to prove that this is your card. You don't need to justify it to anybody. Again, the ease with which we can let money go for legitimate reasons is there. You think we need to sort of have a, I don't know, an almost sort of societal level of awareness about the fact that we've got this amazing reality we've created via technology over the last several decades. But now there's a sort of middle-aged moment where, okay, now you need to maybe... stop going out every night and cut back on the red meat and go to the gym a little bit more, at least walk, don't take the stairs, don't take the lift. Do you think that there is sort of a much more grand effort needed here to sort of reduce? Because I think it's important for people to know that the high estimate for cybercrime last year globally is that it cost the global economy $10.5 trillion, which would put it third in GDP after America, then China. Glen Williams (50:05) Yeah. Martin Hinton (50:09) This is a massive amount of money. And a lot of that money goes to people who are providing revenue to the very nations in the case of America that we have sanctions against, that in the case of Iran we bomb, you know, North Korea. 
These are adversaries that we are helping maintain their efforts, which we have judged at a governmental level as against our own. And I don't know if people quite comprehend the, Glen Williams (50:31) Yeah. Martin Hinton (50:34) the web of reality here and them clicking a QR code or them not having a good password, they're helping this continue to be the case. Glen Williams (50:45) think you're right, cause and effect is what you're talking about here, is that people don't realise, they don't play the game out and go, actually, that's going to have an impact on my country at end of the day because of this. They don't realise that. And I think you touched on another good point as well around education. I'm not aware in the UK yet. So people teach stuff, have an IT curriculum and things like that. know, cyber security should be part of this. know, it should be part of, you know, every, they do elements of it, but I don't know how much it's done. So I think at the education space, the whole generation of people coming through that should be taught how do you make yourself cyber secure. We teach people about how to make themselves secure and children, if you're alone at night or whatever, we teach them all these various different things, but we don't teach them about cyber security as far as I'm concerned to any great degree. I think education's a really important part of it. We need to do more in the education space. So that would be the first society, from a societal perspective, I'd do that. So the next generation coming through are much more cyber security aware. From an elderly perspective, which is also a big group of people in the UK and across the world, how do we protect them? It's harder because they're just much more vulnerable and it's really tricky to do. That piece I'm not sure. Martin Hinton (52:07) No, I, yeah, I'm not sure either. 
And I think it touches on the sort of to your point earlier about Boris saying I've got a budget, but I don't know what to buy. The thing I would say to you and to the audience is that the last time I looked into it, the silent and boomer generation, so the elderly globally have almost $2 trillion in retirement assets or assets of some kind. And the only thing you need to know about human beings is that if someone has that much value, someone's gonna try and steal part of it. It's that simple, right? And if the person is older, and we hear about this in the States quite regularly about people being conned and withdrawing elements of their, in our case, 401ks and IRAs and that sort of thing, and the consequences is devastating because these are people on fixed incomes and it totally upends their lives and there's almost no way to get this money back. The protection against this that we haven't really gotten into and obviously is a core to... Glen Williams (52:39) Absolutely. Absolutely. Martin Hinton (53:05) to our coverage is the cyber insurance part of this. And I wonder whether you might tell me a little bit about your role in that space to begin with. Glen Williams (53:14) Yeah, so I think the US is probably further advanced than the UK is in the cyber insurance world. And what do I mean by that? The analogy again, we've used a few analogies here, is that in the UK, if you put a black box, if you just pass a driving test, you put a black box recorder in your car, your insurance premium goes down because it's tracking how fast you drive and what you do, et cetera, et cetera. That principle applies in the US with cyber insurance companies. So if you use an accredited thing, you've done all the right stuff you should have done, your cyber insurance premium goes down. That hasn't been the case until recently in the UK. So it's starting to happen now. 
by using companies like Cyberfort, there are certain insurers that will work and say, if a company is using us, their insurance premium goes down. So I think it's slowly starting to happen. But the US is further ahead of us in this space than we are. It's an obvious thing to do. you mentioned, one of the big retail issues this year with M&S, they had cyber insurance, but I'm not sure whether it covered the full piece. So the other thing around cyber insurance is you need to show, again, it's like your car. You disclose what's happened to your car. If you say, you go and do your renewal for your car insurance and say you've had a crash that year or you've been caught speeding 10 times, if you don't disclose that, your policy is invalid. And it's a similar type of thing with cyber insurance. You need to have done certain things, otherwise your policy could be invalidated. So it's not just about the cyber insurance, it's not just about the value you get and the reduction in cost you get from using somebody like Cyberfort, but you also got to have something in place because your cyber insurance could be invalid if you haven't gone and done the right types of things. Martin Hinton (55:01) You touched on something now that I bring up when I do these podcasts, because I'm curious what people would think. And it's the idea that there's a real buyer's opportunity for companies here, where you can go to a company that provides the sort of services you do, and it benefits you and saves you money somewhere else, where you also create a layer of protection for your company that insurance is inherently there for. And I think that there's a real market for you know, if you go to an insurance company and you don't or you're not sure about your cyber policy, because there's a, you know, the policies and the questionnaires are becoming more more dense and the exclusions are growing. 
you know, they suddenly realized that someone was, you know, not employing MFA right at one part of the company or whatever it might be, or they hadn't updated some software on something. And then the policy is void. And I think that that's where, you know, having that 24 seven monitoring or, you know, awareness of what what you're supposed to be doing, what you've claimed is your situation. And as a result, regardless of what the threat might be, the policy stays valid in the wake of a breach of some kind. That that is, again, like, it's not a once, we do insurance once a year, right? You renew your policy, maybe you pay a little more, you get a little more coverage, or, you know, in America, homeowners is under a lot of pressure in various places because of the weather and that sort of thing, and some big storms that have occurred. But there's this idea that it is, a living, breathing part of your everyday, just like locking the doors and making sure your security system and alarm work at your office. And that mindset is there are companies like Cyberfort there to provide that service. Is that a, you know, from the point of view of a middle or small medium sized business owner, is that something to keep in mind that there's a bit of a buyer's market here? can, you know, there's a lot of companies looking to grow in this space and that makes for potential deals to be had. Glen Williams (56:46) Yeah. Yeah, think absolutely. It's not all just seen as a cost. There is a benefit. you know, and using the right types of providers should be seen as a benefit. A lot of these medium sized businesses want to be bought at some point in time. Not all of them, but some of them do want to be bought. And they'll have to go through due diligence. And that due diligence process now always includes a part of cybersecurity in it. So if you haven't done it, it's going to cost you anyway. You need to look at the cost of not doing it, i.e. I could be breached. 
The cost of not doing it, my cyber insurance policy premium could be higher than it would be otherwise. The cost of not doing something is the fact that your due diligence might fall over if you're trying to sell the business. So there are all these multiple reasons as to why you should do something. And these are not just all costs. It's actually an enabler. Because if you've got a good cybersecurity policy versus a private equity company's got an option to buy two different companies. One without cyber security policy is full of holes, one that's really robust. They might look at it go, all things being equal are the same. They're going to go for the company that's got the right cyber security posture. Martin Hinton (58:02) Yeah, that's, mean, that's a really, again, your example of a company looking to sell itself, like a lot of smaller, medium sized companies look to do, they create something and that someone gobbles it up, if you will, to use the slang. The idea that if you don't look like you've got all your ducks in a row, like, I mean, not having this now is akin to having books that aren't clear or, you know, an irregular supply chain for certain raw materials that are essential for building whatever it is you sell, that kind of thing. There is, it's, I mean, you said it. Glen Williams (58:33) Well, your accounts, Martin, your accounts have to be audited. Your accounts are audited. So your company, Cyberfort, needs to be audited. So it's the same principle. Same principle. Martin Hinton (58:43) Yeah, yeah. One of the things that we touched on, we're coming up on an hour now, so we'll press through the next couple of topics, I wanted to touch on was AI and shadow AI. we see this, at least in the States, we've gone all in economically into the AI race and data centers are being built everywhere. And companies are saying, we're employing AI, we're becoming more efficient. 
And I think a lot of people don't know what that means, but you've got to start saying it, because you want to sound like the CEO who knows what's going on or the board that's got their thumb on the pulse of modern business and how things get done. One of the big things is AI gets used in a variety of ways. And it is a bit like a black hole. You put something, depending on your situation, in ChatGPT or any other LLMs, and it's gone. It's out there. This idea that you could put a contract in there for analysis, and then the contract is not private in the same respects anymore. That creates liability because there might be client privilege there or liability because now you have information that's out there that you don't want to be. Tell me about the idea of policy first and then the tools being employed.

Glen Williams (59:53) Yeah, so the simple answer is that, again, there's some AI legislation that's out in the UK and in Europe about what you should and shouldn't do. So every company should have an AI policy. Because otherwise people would just run riot and do whatever they want to go and do. So there needs to be some guardrails about how people use it in any organization. Now, specifically with what we do, because of what we do and the customers we engage with, we have built our own LLMs. We've got 48 LLMs, two SLMs, we've built our own, we've got diode technology that goes out into the web. So we don't enable this to go out to the web. It only goes through one way technology. So anything that we're doing or putting into our own bots, which is our own IP, is fully secure. We wouldn't let it go with, whereas unfortunately some of the names you mentioned there, the AI agent, or AI is learning as you send this stuff out. It's learning and this data is out there somewhere. Even if you might think you've just put it into ChatGPT or whatever you've done, it will help it learn. Now they'll talk about having private solutions for this or whatever.
It's still not quite the same. So I think you've got to get the right policy. You've got to make sure that the right guardrails are on there, make sure people aren't using it, because when you put it out there, it is out there. And so we've adopted a completely different policy to that. It's not that we're not using AI, because we are, but we built it ourselves and put a big moat around it and secured it.

Martin Hinton (1:01:25) You touched on the wedding analogy earlier as a way people could use what we might put on social media to engineer a cyber attack or a breach against you and then people you're connected to, to your point about the defense contractor and the wedding. One of the things I think that in this space, you might think, what is my little thing? What is, I was drafting an email to someone and I used ChatGPT to help. There's little bits that theoretically, if someone really is interested in your company, that they could use to piece together the jigsaw puzzle of where you're weak or what day of the week is the best day to breach you. And I think that that is, again, you alone may not matter, but you plus five other things. It's a bit like them knowing every password I've ever used. Well, with that in an LLM, they can probably come up with every iteration I'd ever use again, based on my first pet, my mom's maiden name and date of birth or childhood phone number or whatever it might be. And that very quickly could generate a list of potential passwords that, you know, invariably one of them might be right if you fall into that pattern, right? Is that something that is important to keep in mind?

Glen Williams (1:02:29) 100%. You know, you've got to be vigilant at all times. I think, and AI is only, yeah, it's going to be trickier. It's going to get much harder. So that's why we've adopted AI and what we're doing, because you have to, you know, because the bad guys have got it. So the good guys have got to use it as well.
Martin Hinton (1:02:47) Yeah, I mean, again, one of the things we do, and I think it's brilliant as human beings, is we tend to see something or see an opportunity and we invariably rush headlong into it. And the idea that you need some guardrails around this because of the pace with which it can create a problem is something really, really important for really companies of every size. I mean, we get small accounting firms or a tiny law firm. You know, the information you have is extremely important. And again, back to the real world analogies, I mean,

Glen Williams (1:03:14) Absolutely.

Martin Hinton (1:03:16) If you had a document and you want to have ChatGPT mark it up or something like that and you put it into the worldwide web, if you will, you wouldn't leave that document on a train and go to the table of a restaurant and go to the bathroom. The idea that you're exposing yourself in a way, again, this is where it gets complicated for me and I think a lot of people, is the abstract nature of digital is just like the real world. There's no separation. Digital crime is just crime. Cybercrime is just crime. It has victims. They're not cyber victims. It costs real money, not some made up cyber dollars. And again, I think that that's something that, you know, back to our point about public awareness and education, needs to be driven home. I wonder whether or not you think that overstates it, that that's too aggressive.

Glen Williams (1:04:05) No, it's not. I was on a radio station in the UK. I did a call-in because the actual radio host was, he was getting quite frustrated by the fact that nobody was taking any of this stuff seriously as far as he was concerned. He said, if somebody went into Jaguar Land Rover's manufacturing plant with sledgehammers and smashed it up, it'd be front page of every newspaper if they couldn't manufacture for six weeks. But yet, because it's been done virtually, no one's even looking at it. And yeah, I think.

Martin Hinton (1:04:31) No.
Glen Williams (1:04:34) You know, there was this, Sky News had this chart which showed the GDP in the UK literally, it was like a straight vertical drop, completely down to the Jaguar Land Rover hack and breach.

Martin Hinton (1:04:48) Yeah, I'm like making the cost of this clear to people, because the other problem with a lot of cyber breaches is there's a real long tail of recovery where you realize a year or two later that there's a whole other class of people that now you have to provide credit monitoring to because you didn't realize that they, that idea that there is, you know, again, like if your house burns down, that's only the beginning of the problem. You've got to clean it up. You've got to find a way to rebuild it. You've got to decide to rebuild. You've got to hire someone. You got to

Glen Williams (1:05:11) Yeah, exactly.

Martin Hinton (1:05:16) pick new tile, like you gotta do all the things you've gotta do and that is, it's not sexy. We know this, right? The cover of the newspaper is something visual typically, whether it's a catchy phrase or a photograph or something that they know is gonna evoke emotion. And this is, there's something very cold about the ones and zeros of cyber crime that betrays how genuinely bad it is for people on a much more intense level.

Glen Williams (1:05:42) Exactly, Martin. And one of the things is your house analogy is a good one, because your house burns down, say because there's a faulty electrical thing that was planted in there, you rebuild your house, they've still made sure there's a faulty electrical thing planted in there. That's what happens. So you get breached, you think you're all clear, but they've left something in there so they can go back and burn your house down again.

Martin Hinton (1:06:04) Yeah, yeah, the underlying cause has not been remedied. And that's something that happens a lot with digital as well, isn't it? So I want to move, I want to move to sort of wrapping up.
And one of the things we talked about is three moves that actually matter. The idea that, you know, if you were going to, if you had the ear of a board or a corporation or CEO, what would be the top three controls for say a mid-market company that you would encourage or insist on if you were in a position?

Glen Williams (1:06:33) Yeah, the first thing you've got to do is training. You've got to train your staff. I know it sounds quite basic, phishing alerts and all that, but you have to, it's more sophisticated than that, you need to train them, but you need to train your staff to make them aware for anything that could occur. The second thing, there might be a longer list than just three. The second thing is that multi-factor authentication. I think you need to make sure that you've got that in place, the wide level authentication across the company. You just need to make sure that happens. The third thing is you need to have an analog backup solution. What do I mean by that? A company I'm sort of chairman of, another business, they got breached and although they didn't have anyone's phone numbers, everything was on Teams. So they couldn't connect to each other. And they were going, well, how do we phone each other? So what they did as a backup now is they've got every director has a safe in their home, and in that safe is the phone numbers of every single person that they need to get hold of, as an example. So that's an analog solution for a digital world. So when I have an analog backup.

Martin Hinton (1:07:39) You touched on the, is it the Cyber Resilience Act that requires companies to have an incident response plan? And I remember thinking, okay, that's fine. Does it have to be printed on paper and everyone has to have a copy of it somewhere secure, because you can't just leave that lying around? Like, that's all well and good, but if you can't read the plan or you don't know it off the top of your head, you're, no one knows any phone numbers anymore, right?
That's a good one.

Glen Williams (1:07:50) Yes. Exactly, they didn't have anybody's phone number. So they spent two weeks trying to figure out who they could even speak to, because they couldn't get hold of anybody. I think you need to have an, part of your resilience plan needs to be an analog, for want of a better term, plan, a non-digital plan that you can go back to. It's almost like going in some of these films where you watch and they go back to Morse code. I'm not suggesting that you do that, you don't have to go that far, but you need to have more of an analog solution ready. So if the worst ever does happen, then you're there. The fourth thing I would say is you've got to have an expert. Sorry, I've got to use four words. You've got to have experts who know what they're doing to work with you. So train your people, have a multi-factor authentication solution, make sure that's in place. Make sure you've got an analogue backup to anything you do, whatever that looks like. It could be stuff in a safe or whatever it is. And choose an expert. Don't just choose a jack of all trades. You wouldn't go and choose a cowboy builder to go and build a conservatory. You're going to choose a highly professional person to go and do that. That's what you want to do. You need experts.

Martin Hinton (1:09:02) Yeah, I mean, you touch on it, right? You don't call a plumber when your house is on fire, right? You need someone who knows, right? I mean, again, it seems silly and, listen, hindsight is a hill from which the view is perfect, right? So we've both read and in your case, you've experienced the situations like breaches and it's very, very easy to talk about this. But in the moment of stress and the moment of panic, the best thing to have is a plan you could put into place that isn't going to be perfect, but it is something.

Glen Williams (1:09:06) Yeah.

Martin Hinton (1:09:32) To your point, you have access to the plan. You can read it, you can share it.
You know, I mean, you made a bit of a joke about, you know, not going back. But pen and paper is quite reliable, you know. So it's something to keep in mind, the idea of redundancy. And we see it, right? The Amazon warehouse, the CrowdStrike outage. When everything stops working because of the way that we sort of rely on these choke points with technology, we're at a bit of a loss. So imagine that on a very small level, just your company. You come in on Monday morning, every screen is blue. You can't do payroll. You can't fulfill orders. What do you do? Who do you call? If you don't know, if you don't have the beginning of an answer to that plan, you should probably start working on that today. So we've been talking a little over an hour. And as promised, we didn't get to everything, which is fine. We can do this again. But I want to offer you the opportunity. Is there anything we didn't get to that you thought we would, or anything that we did discuss that you want to say a little bit more about?

Glen Williams (1:10:14) Absolutely. I think we covered an awful lot of ground, to be fair. I think maybe for next time, what I'd be interested in I think is differences we see between the US and the UK and differences that I think the challenge is still the challenge. It is what it is across the globe. I think it's more I'd be interested in seeing the cultural differences between different places about how people approach it, because I'm talking through a UK lens, how trusting we are and how it might be different in other places. So maybe that's something to look at next time. Maybe we can get some people on and get different views of different places.

Martin Hinton (1:11:04) Yeah, you know, that's, Glen, I don't know if you want to be an intern this summer at the Cyber Insurance News website, but that's a great idea. Well, you touch on it and we'll just end on this. One of the things that people need to remember is that this is global. We've heard about ghost workers in Pyongyang.
There is no geographic barrier to this, yet we do have geographic barriers with regard to how we approach security and resilience and the laws and policies about even data collection and data and

Glen Williams (1:11:09) What's your pay like?

Martin Hinton (1:11:34) you know, there are examples, certainly in history, of global agreement about things. And that is, I mean, again, the global economy is, it relies on the internet. And if you turn that off, you know, to put it very, very simply, we're in the dark. And I think that that is something that, you know, on a very small level as individuals, you think about if your Wi-Fi goes out or your phone's not working, or you didn't top up your phone plan, and you've suddenly got to make a phone call, that five minutes to top it up again and get it all working. This is unnecessary frustration and we're all very, very vulnerable to it. So yeah, that's a good thought. So thanks for that. Anything else you want to say?

Glen Williams (1:12:14) No, I think we covered a lot, you know, like I said, I think we've gone through kind of the virtual, the fact that people see this as, they don't take it seriously enough. Individuals, consumers, individual people don't take it as seriously because it's a virtual crime, not a real one. Boards do take it seriously, but they don't have the answers. IT says they've got the answers, but often they don't because they're not using experts. So all roads lead to using experts.

Martin Hinton (1:12:16) Right. Well put, well put. Well, Glen, thank you so much for the time. I really, really appreciate it. Glen Williams, the CEO of Cyberfort, a UK-based cybersecurity firm. Again, thanks so much for the time. I really appreciate it. There'll be links in the show notes here about how to find Glen and how to find Cyberfort. So if you've got questions or anything like that, drop them in the comments, reach out. If I can't answer them, I'll get them to Glen and hopefully we'll be able to get an answer to you.
I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. Thank you so very much for your time. If you could like and subscribe, share, we really appreciate that help. And again, if not, just enjoy the rest of your day. Thanks very much.