Modern Cyber with Jeremy Snyder - Episode 78

Adam Pilton of Heimdal

In this episode of Modern Cyber, Jeremy is joined by Adam Pilton, a cybersecurity expert with a background of 15 years in law enforcement, where his final role was as a Detective Sergeant leading the Covert Operations and Cybercrimes team.

Podcast Transcript

All right, welcome back to another episode of Modern Cyber. I am really excited for today's conversation because we are getting a chance to talk to somebody who has not only a wealth of experience, but a very specific kind of experience that we have not talked about on the show before. And that is actual hands-on experience with cybercrime. Lots of our guests have experienced it at their organizations, but very few of them have worked on the law enforcement side of it. I think none of them, if I'm not wrong, but we are delighted to be joined today by Adam Pilton. Adam has a very, very long, long background and it was really funny. I was trying to look at his certifications to cherry-pick one or two to talk about, but the list is way too long. Adam spent fifteen years in law enforcement, with his final role being as a detective sergeant leading the Covert Operations and Cybercrimes team. Since then, he's worked in cybersecurity since twenty sixteen across various roles, various companies. He's got a really broad understanding, having looked at both law enforcement side, industry side and also looking at consumer side, individual side, just your standard citizen side. So we're going to get into a lot of it. Adam, thank you so much for taking the time to join us here today.

Thank you for having me. That was very flattering, very flattering.

Well, you're certainly deserving of it, but I want to start with just a very basic background. You know, without going too deep into it, I guess my first question, and probably our audience's first question is like, what does the world of cybercrime look like today as far as you've seen?

Yeah. So I think the sad reality is that cyber criminals are continuing to get better and stronger and wiser in the moves that they're taking. And we as individuals and businesses, to be fair, we're not keeping up if we ever were keeping up. So the gap is just getting bigger and AI is only increasing that gap. I think the biggest threats that we often see is particularly for small businesses who quite often still believe that they're not going to be a potential victim for cyber criminals. Yeah, they're too small. So for me, the gap is increasing.

Yeah. That point that you raised there about the small businesses who think, oh, you know, nobody's going to come after us. We're not worthy of being pursued. And to be fair, you know, we at FireTail, we're a small company too. And if we had that attitude and maybe, you know, we're a little different because we are a cyber security company. So we've got the kind of mindset around it. But what I think that ignores to your point is that AI and then things like cloud and automation, nobody is specifically targeted. Like everybody's targeted. Right. It's really kind of a broad targeting exercise of like, let's just spray the internet with phishing or, you know, vulnerability exploits or whatnot. And then we see who we get in the end. I mean, is that accurate?

Yeah, I would say that's exactly accurate. It's like that whole thing of, uh, phishing, isn't it? If you go in with a fishing rod, you're going to get a couple of fish. But if you chuck a net in, you're going to get loads. And that's exactly what cybercrime is like they're not concerned about who they hit. And we see that because we see some terrible victims, things like hospitals and the impacts that follow from that. But yeah, the reality is they don't care who they hit. Obviously they want to hit the big boys and girls and make a load of money. But the reality is certainly something I saw in the day to day life of frontline policing when it comes to cybercrime, is that they hit small businesses all day long, and they take small amounts of money all day long. And I think most of us, if we were told you're going to have a job and you're going to earn less than ten thousand pounds per day, um, you do take that all day long. And that's exactly what cyber criminals are doing. A few thousand pounds here, a few thousand pounds there, no real effort. And, uh. And you're walking away with the money each time. So. So. Yeah. That. Yeah.

And is it the case that the most kind of prevalent cybercrime that we see really is the kind of, you know, individual data theft or data ransom or data encryption, whether that's like on an individual basis or whether that's a small business hit by something like ransomware? Is that still the vast majority or is it identity theft or some combination? What have you seen?

I think the stats point to the fact that it's ransomware as the most predominant, the largest crime type. I think from my experience, um, I would say it's, um, moving more and I guess it's slightly categorized differently, but into the fraud aspect of things. So being effectively socially engineered to willingly obviously being tricked, but hand over money. Put money into the incorrect account, the cybercriminal's bank account. That's predominantly what I see a lot of. But equally, as I say, ransomware is most definitely out there and on the rise.

To the extent that you can. Can you walk us through how, you know, let's say it happens to us and now we want to turn to law enforcement. How does that process typically play out and how should it maybe play out better?

Yeah, sure, sure. So I'm speaking from a UK perspective here then. Yeah, sure. In the UK we have something called Action Fraud. So if you were to report a cybercrime to your police force, they direct you to Action Fraud. Action Fraud is essentially, um, the hub where all these reports go. And then from that, Action Fraud review all the cybercrimes; if they believe there is a chance that the suspect can be identified from the information that we've got, or an investigation could identify that suspect, it then gets handed to the force where the victim lives. So from that, an investigation would then be conducted and then hopefully the cyber criminal identified, arrested, interviewed, um, and then taken hopefully again through the criminal justice system. I think the reality is on a lot of occasions is that with the use of VPNs, with the use of, uh, well, with the reality of cybercrime being something that can be conducted anywhere around the world. Like we were talking, weren't we? Like, if I want to assault you, I have to be stood next to you. But if I want to steal your money over the internet, we can be in completely different countries. Completely different. Yeah, it really doesn't matter.

Geography. And so does that make it really challenging from a law enforcement perspective? Because even if you can identify the perpetrator, you may have no recourse effectively?

Yeah. Exactly that. And lots of the inquiries that we would conduct if the offender's in the UK, then we have UK based laws and the businesses and internet service providers, for example, they have to operate by UK laws. But if the offender is living in a different country, they operate under different laws and they may not cooperate with UK law enforcement. So that then is another hurdle which nine times out of ten, you're not overcoming.

Yeah. And it's really interesting because there's this like kind of fundamental mismatch between let's call it physical law and cyber law. Right. So to your point, if you assault me, even if you're a UK citizen, so you come over here to the US, you assault me, you fly back home. Well, we have laws that cover this and there are extradition treaties and there are, let's say like some standards or some norms that both countries would kind of recognize or adhere to. And, you know, if there's enough evidence for this government to request the extradition, like all of that, there's processes in place. But when it comes to cybercrime, there really isn't.

So there is. There is to a certain degree, it depends on the country. So in the UK, US example, the first thing to highlight is as the say I'm the cyber criminal and you're the victim. I'm in the UK when I'm committing the crime, so I'm governed by UK law. You're in the US when I'm committing the crime. So you're governed by US law. So that's the first issue. If I was to assault you, I'd be stood on American soil. So it was nice. Nice. Right. The second point is that. Yeah. Say, say that has happened. I'm in the UK, you're in the US and US law enforcement identify me or someone in the UK. As you found out, we would work together. There's something called the CLOUD Act. I believe it is. Um, okay. We can share information with each other in terms of, um, businesses in the US, internet service providers can share information with UK law enforcement and vice versa as well. So UK and US, they do work well together. I'm thinking more the likes of Russia, China, other countries. They will not work with the UK when it comes to cyber crime like that.

Got it, got it. Another analogy that I often kind of draw is that like if you think about public spaces, again, physical public spaces, we have a governing law, whether it's US, UK or wherever in the world you happen to be. But on the internet there is no kind of prevailing governing law. I mean, one, it's multinational and, you know, IP addresses are everywhere and people are everywhere. But it is this kind of virtual space that we all inhabit to do our work. And yet, like, it feels like we get very little kind of protection from a governing body of some kind. You know, if I'm in a physical space, there's the police of whatever jurisdiction that I'm in. But when I'm on the internet, there is no kind of internet police as such. Right. And it feels like that's a little bit of a gap or an oversight. And, you know, obviously it creates opportunity for cybersecurity companies like ours to provide our services and our offerings to customers who choose to invest in them. But there's not even like a basic level of kind of minimal guaranteed protection.

Yeah. So again, it comes down to the country you're in, in terms of the rules and regulations that surround your use of the internet. But yeah, the reality is when you're on the internet, it's very difficult to (a) prove who you are and (b) what you're doing. Um, and particularly if that's wrong or right, and there's ways to hide that or certainly mask it. So it is exceptionally difficult. And I think the reality as well is when you then think about the way that the use of devices, the internet, even bringing AI into that equation has evolved. It evolved so quickly, and creating law that is acceptable and goes through the relevant processes takes time. And that time means the internet has moved on and changed again. So we look at things like the Computer Misuse Act, it's from the nineteen nineties and you think time had passed since then. It's completely irrelevant almost. Now it's changed so much. But yeah, if we were to update it today, we see every single week something changes within AI, the products, the services. Yeah, yeah that we've got changing. So it's a real difficult one. And if I'm frank I don't know what the answer is because you want laws that are truly and deeply considered before they're implemented. And I don't know if we can do that in a society that's evolving so quickly.

I mean, this point about things changing so quickly is super relevant. And exactly as you said. You know, I've been working in IT since the late nineties, and I've gone through the shift from kind of desktop computing to, you know, web applications and e-commerce. You know, e-commerce came about during my lifetime, right? You know, the first kind of online credit card transaction came about during my professional lifetime. Even, you know, during the years that I've been working in IT and cybersecurity. And then we moved online and, you know, SaaS applications and cloud platforms and what have you. But the current pace of change is the most rapid that I've ever experienced. And to your point, I think even if you and I could magically create a set of internet, let's say, security laws or criminal laws today, they would likely be outdated a year from now, or at least superseded by the pace of technology change. So when you talk to, let's say, when you were in your role in law enforcement and you would talk to, let's say, like small businesses about some of the risks, how did you guide them through understanding the actual state of things? Is it storytelling? Is it analogies? Is it, you know, guidelines and legal regulations? What works?

Yeah, certainly. So it's definitely not guidelines and legal regulations. Okay. For me, for storytelling, it has to be the way forward. If you look at the way we all live our personal lives and what's successful, Netflix is probably in most homes in. Well, okay. Um, and that's because storytelling is successful. Most people have televisions. And if you look at what's on the televisions, what's successful, whether it be films or TV programs itself, it's always related to crime, criminality, whether you're looking at it from the detective's perspective or whether you're looking at it from the bank robber's perspective. And that's because stories are interesting. We engage with stories and we remember pieces of those stories. So for me, and the way I do it is to embed stories into what you're telling. And it could be as simple as looking at cases that have gone past.

So, for example, I spoke about the British Library hack, and that's because the British Library publicly released their findings, their report following the attack. So I was able to read through that and understand what happened in their words and then see their, um, lessons learned from the attack and then tell that story, which is then so much more engaging. People, particularly here in the UK, will have that connection with the British Library because they probably visited their local library and understand and reflect and feel a bit of themselves in that story.

Yeah, so that makes total sense. And I think that's a great way to think about it when it comes again to, you know, let's say like small or medium sized businesses who are trying to get better at their own defenses and their own cybersecurity practices when it comes to, you know, that unfortunate situation where they do have to come to law enforcement. Are there any guidelines that you would give around, let's say, like logging or, you know, best practices that they should all be thinking about so that if they do have to come to you, they can actually cooperate with law enforcement effectively?

Yes. So the first thing I would say is don't hesitate and make that contact straight away. The sooner you do it, the better, because you then start getting the advice. And depending on what's happening with the attacks ongoing, the support that you may need. Um, so yeah, contact law enforcement straight away. And then it depends on the attack that's happening and the situation you're in. But the reality is you need to be collecting the data as soon as possible. And one of the things we talk about, particularly in cybercrime, is the fact that you've got volatile data. So data that could change by simply performing one action. It could alter or delete data that's already existed. So by clicking a button you're changing the evidence. So law enforcement want to get in there quickly sharply so that we can capture the data, capture your environment in the way it was in that moment in time. So we can then work with it so that it's legally accepted when it then comes to hopefully to court.

Okay. Okay. So we've got some logging going on. We're collecting the data. We're trying to do our best to make sure that things don't change. So that to your point it can stand up in court. Also I guess for forensic purposes, if we do need to investigate, you know, having kind of the best, most intact and kind of what's the word I'm looking for like a fungible data is probably like really relevant in that scenario. What do you think are the things that are kind of least well understood by most companies around preparing for this? Is it that hesitation to make that call? Is it that they don't know who to call? What is it?

I think the reality for most businesses is they don't appreciate that this is going to take potentially significant amount of time in order to get back to where you were. And we're so used to being able to click reset or back undo, etc. and then go back to where you were in that Word document or whatever it may be. That isn't the case when it comes to cybercrime. You can't just click a few buttons and then go back to where you were. There's a process. Even if you are going to restore from backups, it's still going to take time. So I think the reality expect downtime. Be prepared for that downtime. Can your business still operate during that downtime, during that period where you're not going to be functioning fully?

Yeah, yeah. It's interesting you bring up this point and I'm just thinking through something. We're recently going through our annual SOC 2 audit, and we as we've gone through that, one of the things that we do every year is we do a series of kind of tabletop exercises. And for those who aren't familiar, that's basically just kind of a we talk out a simulated scenario. What if X happened to us? And one of those things is, what if we got ransomware or hit by ransomware? And we always kind of realize and we try to do our best when we go through this every year. We then estimate the volume of data that we have on our SaaS platform. And then to your point, we think about, well, how close to real time or to the point in time that we need to recover is our last good backup that we can trust with high fidelity? And then how long would it take for that many gigabytes of data to be restored and then checked, and make sure we're good and everything down to the level of if I was really concerned that my laptop had been infected, how long would it take me to wipe and restore my laptop and then multiply that by the number of employees in the company? And to your point, like that very quickly becomes a pretty time consuming exercise.

Definitely, definitely. And I'm a huge fan of tabletop exercises for exactly what you said, because it makes people think, because quite often when it comes to businesses, they'll focus on their particular industry, their particular niche, and essentially making money because that's what the business is all about. And they assume because they've got, for example, you say backups in place. That's good. We can restore. But if you're not testing restoration from those backups. Yeah, yeah. And it's corrupt and it doesn't work. Well, now you've got a new dilemma. And understanding that that's a possibility is huge. And that's why tabletop exercise is so good. Because not only is it an opportunity to practice your incident response procedure, run through it, make sure it all works. But it's finding those little gaps, the little assumptions that people make about that process and how their business operates, which then helps you then improve. And communication is a massive one. We all assume we can communicate freely now. That's fantastic. We've always got access to Teams, for example, or Slack, whatever it may be. But in the reality of an attack that then takes that communication platform down, can the relevant people all speak to each other? And nine times out of ten, that hasn't been considered and they can't. There'll be a few people that have got a telephone number, but it might be an old one. So that first barrier they come across, whereas if you run a tabletop exercise, you've come across that issue when everything's fine, you can arrange it. You can prepare ahead of time for that and have whatever it may be, a WhatsApp channel set up, whatever it may be, but you can plan for it and deal with it before it happens.

Yeah, this is such a great point. Recently, I was talking to a CISO of a large telecommunications provider and, you know, their service level agreements and their, um, let's say recovery requirements are really, really high. And one of the things that he pointed out to me, to your point about communication, so when they run their annual exercises, to your point, they make sure that they've got, uh, I think theirs is three communication methods. One of them obviously being telephone and their own phone network, but then they've got two backups in case their phone network is down for whatever reason. Uh, two backup methodologies to communicate, including having people's like personal email addresses and personal contact information and having home addresses for key individuals. And then he raised the second thing for me, which is, you know, in a large organization, there's a high probability that some of the key people are going to be out on vacation or maternity or paternity or whatever the case may be. So he says, for every role involved in their incident response plans, they need to have two or three people who are trained on filling that role, because you don't know if one or two of them might be out at that point in time.

Yeah, and that's a really good point, because the reality, and particularly for smaller businesses that don't have the resources, don't have all these people and numbers of teams dotted around here, then everywhere, the reality is they have an IT guy or girl and they depend on them. They don't know what they do. Yeah. Exactly that. Yeah. You do some magic, don't you? And everything works again and everyone's happy. But if you're not available because you're on holiday or for whatever reason, and they can't, they can't get hold of you, then they're very stuck very quickly. And if they don't have anyone to turn to, that's got your knowledge, then that's a serious problem. So that's exactly why tabletops are so good, because it makes you think about those little things that aren't a problem today. But you can guarantee come the cyber attack, they'll all arrive at once, and you're not in the right frame of mind to be able to make sensible decisions. Nor are you equipped to, because half your computer systems aren't running and you can't speak to the people that you need to. Yeah. I mean, it's such a good point. Such a good point.

I wanted to change gears for a second, and there was something that you shared with me before the show that I wanted to kind of dig into. And you said you believe that cybersecurity has a motivation problem. Talk to me about that. What do you mean by that? What is the problem? What is the wrong or the misaligned motivation?

Yeah. So my belief here is that I think the majority of people now are coming to the conclusion that cybersecurity is a problem. It's a threat to their businesses. It's a threat to them as individuals. However, assuming that that first bit is right, that lots of people know about it, my belief then is the motivation isn't there to do anything about it. People go, yeah, I accept that this is an issue. Cybersecurity is an issue. I need to do something about it, but I'm not going to do anything about it. Today I'll put it on my list and I will address it this month. This month turns into next month. And so on, so forth. People don't do anything about it because they don't know where to start. And it's difficult. It's expensive. And then you've got that element of almost embarrassment because people see cybersecurity and computers as heavily technical. And yes, obviously it can be you can go down that route and go very deep into it, but it doesn't have to be like that. And I think people are embarrassed to say, I don't know how to do something on a computer, whether that be setting up MFA, resetting your password, whatever it may be. So rather than own that, people put their head in the sand for all those reasons and ultimately nothing gets done about cyber security. The can just gets kicked down the road. And I often compare it to diet. I know I need to eat healthier, and I tell you what, I'm going to do that tomorrow. I'm always going to start the diet tomorrow. But then the reality is tomorrow arrives and there's a lovely breakfast cooked up, and I'm going to eat that breakfast. So I'll start again tomorrow. And it goes on forever. And I think, um, across society everyone can recognise that one for sure. And I think cybersecurity is very much the same.

It's so it really resonates with me. You know, I used to work for a company that was one of the leaders in vulnerability management, and we had long discussions about why, for instance, one of the statistics around vulnerability management is the mean time to patch. And that had been around one hundred and eighty days, and it's been that number for about twenty years. And this is for a vulnerability living on a production server. And it's still about six months from the time that the vulnerability is identified to the time that it's patched. And, you know, we talked about all kinds of reasons for why that is. And, you know, it very often comes down to Jeremy's the cyber guy who identifies the vulnerability, but Adam is the IT guy who's responsible for actually applying the patch to the server in production. And, you know, we have a disconnect on schedules and a disconnect on prioritization. And I want that thing patched today because that's a critical severity vulnerability, internet exposed application, whatever the case may be. And you're like, yeah, but that brings down downtime. And as an IT person, my SLA, my KPI that I got my bonus on is uptime. And so like we have these kind of like mismatches of what's important to us. And then we often have different concerns. I'm concerned about the attacker. You're concerned that when you apply the patch to the server is not going to come back up properly, and then it's going to be an even longer downtime. And so some of these kind of like misalignments, I think, have a way of presenting themselves without you really realizing that that's what the fundamental problem is. And I can imagine that's the case for a lot of organizations that you've talked to.

Yeah, certainly. And I think, um, quite often the smaller organizations, is the IT guy is responsible for running the scan and then applying those patches. And I've experienced that multiple occasions. One of the businesses I worked with before, when I was asking them to show me their latest scan, they showed me the latest scan. Fantastic. Looking good. And then I saw the date and it was months and months and months before the moment in time we were then and I was like, you haven't ran a scan recently? Why is that? And the answer was because if I run a scan, I know there's going to be loads of vulnerabilities that come back and I'm dealing with everything else. I haven't got time to deal with that. So I don't want to press that button and then highlight that I'm behind in my work. And that was there. Yeah. It had so much work to do. They were the sole person running it. And yeah, the reality is, is by pressing that button would expose them as not keeping up to date. Whereas if they didn't click that button, only the IT guy would know.

Yeah, but I do feel like this ignorance is bliss. Attitude is really misplaced going back to something we said earlier in the conversation. It's not that you're a target. Everybody's a target and you know, you kind of choosing not to go identify that as a real problem and especially on this vulnerability point, just to kind of like hammer this home. We did our earlier this year, we released our kind of state of AI and state of API security. Those are the two areas that we focus on with our own software. But we draw data points from lots of different sources. And one that I read every year is the Verizon DBIR, and I can't remember what that stands for, but I think it's the data breach index report or something like that. And one of the things that they pointed out is that historically, over the last several years, um, phishing and kind of like identity or credential theft has been the number one way that attackers get into organizations. And they're only looking at businesses, not so much at individuals. But what they found was that, uh, this past year that actually shifted into vulnerability exploits. And there's a lot of talk in there. And I do recommend the Verizon DBIR to anybody who's really interested in kind of understanding root causes. And because they go pretty deep on some of this stuff.

And one of the things that they said a little bit to a point that you raised earlier in today's discussion, is in the age of AI, from the time that you know that there's a vulnerability, it is very easy to figure out a way to, you know, even vibe code or use an AI assistant to build an exploit for that vulnerability. And then just, you know, use automation, spray it across as many potential IP addresses and DNS names as possible, and you're going to breach some organizations. And so vulnerability exploit finally overtook credential theft as the number one way to get into organizations. And so like it's just really on the one hand kind of disheartening. But on the other hand, it should be a wake up call to the people who are working on this stuff that like finding vulnerabilities is not enough anymore. It has to be find and fix vulnerabilities.

Yeah, yeah. And like you say, we've gone from the idea of vulnerabilities existing for months and maybe not being exploited to now it's minutes isn't it. And the reality is there's a tool. The other day it was called HexStrike. I think it's been taken out but ultimately it was created for red teamers. So the whole thing is HexStrike AI is AI that will help you find vulnerabilities. So it conducts the scan for you and then find the exploit that you could then use against those vulnerabilities and then go ahead and do it for you. But unfortunately cybercriminals saw this and they adopted the tool and they started using the tool. So the tools that we're creating for ultimately for defenders to improve our security, they can be adopted and used by cybercriminals. But the reverse can't happen. We're not going to see defenders taking cybercriminals' tools and using those on our own networks. So again cybercriminals have that advantage on that front.

There may be the one spot that I would push back on. That is, I have seen a little bit of an uptick in organizations hiring, you know, quote unquote red teams or ethical hackers to kind of get a little bit better awareness of what they look like to an attacker, like what they're presenting to the outside world and what some of those, you know, weak points could be on their kind of internet exposed applications. And I think that's a positive thing. I think that can only serve to inform these organizations better.

I want to change gears for a little bit and talk about kind of what you've been doing post law enforcement. This has been super informative for me, and I'm sure it will be for our audience as well. What have you been focusing on since you left law enforcement? What kinds of areas have you been trying to help organizations get better with?

So yeah, so after law enforcement, I moved into consultancy. So cybersecurity consultancy, and I work with multinational businesses and small businesses to help them improve their security, whether that be through the cybersecurity framework, which I use quite a lot, or say more likely with smaller businesses, simply just getting the basics in place. And often that was working towards Cyber Essentials, which we have here in the UK. So I did that for a period of time. Then I moved across to, um, a company called CyberSmart, who are the largest certification body for Cyber Essentials. And ultimately with them I was an auditor, so I worked making sure organisations were achieving the standards of Cyber Essentials and then auditing them on Cyber Essentials, plus conducting vulnerability management like we just spoke about to make sure they reach those standards.

And again, through that, that was a very interesting and really good opportunity as well to sit down to work and see the inner workings of hundreds of businesses across the UK and how they vary so much, some businesses completely on top of things and flew through any of the auditing process we conducted, whereas other businesses not so much and needed a lot of handholding and support in order to get them to that level, and also because you get to speak to these people as well, one on one, through the Cyber Essentials Plus assessment piece, you get to understand the reality of their day in terms of how the business views cyber security. So for me, speaking to those various businesses is a fantastic opportunity. And it was nice to speak to businesses, say before the attack, before any attack had or may ever happen. Whereas with being in the police, I always spoke to businesses after the attack had happened. I had no reason to speak to them otherwise. So seeing them, yeah, side of the spectrum.

And I mean, it really is the case in cybersecurity that the proverbial ounce of prevention is better than the pound of cure. And, you know, everything that you can do on that, let's call it the ounces that you could do around making sure multi-factor authentication is turned on for all the users in your organization to password management, to whatever the case may be. Good password standards and hygiene like. And, you know, even just like basic visibility of all the things that you have or all the places that your data is like, all of these are super helpful and position you much better than trying to scramble to recover post-event.

Certainly, certainly. And I'd also add I'm a big fan of awareness in terms of the organization getting behind cybersecurity and actively trying to change their culture, because so many we have all these tools and they cost lots of money and of course, they're very much needed. I'm not saying they're not needed for a second, but they're very much needed. But the reality is, if you've got an organization with a number of people all sitting on their devices, all using these different devices, they're going to be the eyes and ears. So when something is slightly off, if it's not picked up by the tools, the people are the ones that are going to be raising those red flags and highlighting that whether it be a phishing email or whether it be an actual physical person trying to enter the building, whatever it may be, the people are the eyes and ears. And for me, I think we need to be pushing more, leaning more into culture now, because certainly the tools we've got and do a great job.

Yeah, I think this push is actually really important, and it's one of the things that I think is often overlooked. Everybody, let's say, like most people who work in a business, let's call it a technical business, that's the vast majority of our audience. So whether they're in a bank or healthcare or whatever, but they're typically like our audience works with IT and IT systems on a regular basis. We get very fixated on exactly to your point, the technical controls and the fact that, you know, we do, let's say from a user perspective, you're doing your annual cybersecurity awareness training and your anti-phishing testing and blah, blah, blah, blah, blah. But the actual let's say I need to keep my eyes and ears open and I need to react when I do see something is actually just a really important point. I think a lot of people, it's very easy to get heads down, focused on the task at hand, and lose sight of the fact that you're part of an organization. And it really, you know, to the extent that you can help that organization be more secure or respond in a timely manner. All of those things are going to be good for the organization, which is ultimately good for your paycheck, right?

Exactly that. And that's the reality. We all want to receive our paycheck at the end of the month. And equally, in the months to come, we still want to have a business, a job to come to, don't we? And by doing those basic things with cyber security and doing what we should be doing, that's going to maintain, at least on the cybersecurity front, that's going to maintain that job and that business going forward. So I think it's a massive thing. And the communication of cyber, something which we touched on before, is can be very technical, simplifying that it doesn't have to make perfect sense in terms of it doesn't have to match the realities of the technical world. But if we can simplify something down, like hacking an account is the same as a burglary. And here's why and draw some sort of parallels. That's exactly what we should be doing. Because as an end user, you don't need to be a technical person. You just need to know this isn't right, and this is the person that I need to speak to when it isn't right.

Yeah. I think those points that you raised there around, let's say, like storytelling and clarity, making it relatable and very easily understandable for the user are super important. I know we've only got a couple of minutes left here, and I know one of the other areas that you focus on a lot in your work is trust. What you know. Trust means a ton of different things. Everything from I trust my IT systems to I trust the other users in my organization. What are some of the things that you focus on when you're talking to organizations about the importance of trust in keeping their organization secure?

Yeah. So I think in the time that we're at at the moment where you watch whatever you watch on the internet and you never know if it's true or not. So, for example, the other day, um, there was a quite impressive deepfake. There were elections going on in Ireland and there was a fake TV broadcast put out which showed the RTE news, that's the Irish News, um, media company over there, showed a news report from them, and then it cut to a clip of one of the candidates who then ultimately got elected, won the election, saying they were standing down. They were no longer running to be elected. And then it cut back to the newsroom again. So now that means the election is cancelled and this person is in fact one. And it was fantastically done. It was very, very good. The experts over in Ireland were saying, yeah, this is ticking all the boxes. It looks like the news report and it sounds like the people involved as well, because of that, trust is something that we are all more and more finding hard to apply.

So ultimately, whether you're the IT team, the security team, MSP, whatever your connection is within this cybersecurity journey for businesses, you need to have that trust and that trust is something that is built over time. You can't just apply it to some marketing material you've got and say we're trustworthy, etc. It has to be earned over time, and that trust is given by showing and acting and doing the right things, demonstrating your integrity, which includes making sure that when you're, for example, selling services or giving services, you make sure they're relevant and the right ones for the business, and you're applying the controls and you're not overstating what they do or what they don't do. So for me, trust is hugely important. And I say whatever part of the journey you're on within cybersecurity, there'll be multiple relationships there and they need to be built up over time. It's not something you could just turn up on the day and instantly be trusted.

Going back to that whole tabletop idea again, yeah, yeah, it's a muscle that you've got to build. You've got to train it. You've got to review it from time to time, make sure it isn't outdated. It. Yeah. All those things. Definitely, definitely. So it's all about relationships. It's all about having those relationships and having that knowledge and being able to share it and communicate effectively to gain and build that trust over time.

Awesome. Adam, thank you so much for taking the time to join us today and sharing your perspective, both on the cybercrime and on the work that you've been doing since. It's been super interesting and compelling for me and for the audience as well. For people who are looking to learn more, maybe get in touch with you. What's the best place for them to go?

LinkedIn. LinkedIn for me. Um, so yeah, I try and post pretty much every day. I got my own webinar series, which runs every month, as well as the weekly cyber snapshot, a couple of minute updates, the news that's, uh, that's running. That's important for people to know in the cybersecurity world. So if you follow me on LinkedIn, you'll see all that information plus more.

Awesome, awesome. And we'll have a link to Adam's profile from the show notes for today's episode. Adam, thank you so much for taking the time to join us on Modern Cyber.

Thank you.

Bye bye.
