It’s Just Plain Cyber: Information Security, Cyber Security, and Risk Management
This episode of It’s Just Plain Cyber discusses various topics related to information security, cyber security, and risk management. Key points include:
- Information Security vs. Cyber Security: Terry begins by differentiating between information security and cyber security. Information security involves protecting personal and company data, including sensitive information like bank details, while cyber security focuses on safeguarding internet access and protecting against online threats, such as malware and phishing.
- Careers in the Security Field: The conversation then shifts to discussing the various career opportunities within the security industry. They emphasise that it’s not just about technical roles but also includes roles related to risk management, compliance, and auditing.
- GRC (Governance, Risk, and Compliance): GRC involves setting policies and standards to ensure that data is secure and that the organisation meets frameworks and standards such as ISO 27001.
- Third-Party Risk Management: The discussion touches upon the importance of managing third-party risk, especially in the context of supply chains. They highlight the need for companies to assess the security measures of the third-party organisations they work with to prevent data breaches.
- MGM Casino Data Breach: The conversation brings up the recent data breach at the MGM casino. Steve and Terry share their perspective that the breach stemmed from stolen credentials and that it could have been prevented through security training and awareness.
- Phishing and User Awareness: They talk about the increasing sophistication of phishing attacks and the challenges faced by employees in recognising them. The importance of user awareness and training is emphasised.
- Balancing Security and Usability: The episode underscores the need to strike a balance between strong security measures and user-friendliness, especially for companies with non-technical employees.
About Terry & Steve
Terry German, Group Head of Information Security at Mawdsleys
Let me tell you a little about myself. Now I’m not going to copy and paste my CV/Resume as I wouldn’t want you to fall asleep even before you hear the podcast.
My passion for cyber/information security started whilst working in I.T., which I started way back in 1994. Bored and fed up with working 24/7, no weekends off and being on call, and with a young family at the time, not seeing them a lot made me feel really low. I was given the opportunity to move into the security team at the company I worked at in 2000. From there my love of security grew and grew along with my career and, of course, my knowledge. All this has put me in the great position I’m in today as the Group Head of Information Security at my current company.
What about outside of security, Terry? Well, it’s hard not to think about security in our everyday life, but I try my best. I have the same love for security as I do for my football team, Liverpool Football Club. I’m a season ticket holder and go to as many of the home games as I can get to, which is sometimes hard when you have a loving family to take care of. I play a lot of golf and enjoy leaving the real world and playing on my Xbox; yes, even adults play computer games.
Steve Arnold, Senior Consultant at Via Resource
Steve joined Via Resource two years ago, having spent the previous four years working solely in the Information/Cyber Security sector, recruiting for roles such as Information Security Manager, Security Architect, Security Engineer and Security Analyst.
Steve now focuses solely on GRC positions for Via Resource and has experience managing the end-to-end recruitment process for organisations nationwide, with roles covering all facets of Governance, Risk & Compliance, both contract and permanent.
As well as this, Steve has gained a National Diploma Level 2 and NVQ Level 3 in Recruitment and is CertRP certified.
Transcript:
Terry 00:04
Good morning, good afternoon, good evening, and welcome to It’s Just Plain Cyber. Welcome to episode two, and I hope you’ll enjoy this episode as you have enjoyed the last few episodes, or the last episode, sorry, and the future ones. But before we get started, let’s do the little disclaimer to protect ourselves. So my views and Steve’s views during this episode or any future episodes are our views entirely and have no relation or connection to our current company or our past companies. So, that’s that out of the way. Steve, I get all the difficult job formalities out of the way. Yeah, I’ll have to change that around so it’s different. Um, so let’s start this one. So what are we going to talk about in this episode?
Terry 00:52
Steve, can you can you remember what we said we were going to talk about?
Steve 00:55
Yeah, I think we’ll so the first one if anybody’s checked out, we just did a slight brief introduction in terms of what the format will be this week. This month, um, will be a bit of a roundup of what we’ve been doing from our personal lives. Um, because we also do want to connect with people on a personal level. Be good to hear what other people get up to in their personal lives. We’re going to we’re going to look at the differences between information security and cyber security, which I think is always a big misconception. Um, then we’re going to look at some hot topics, um, some recent news. There’s a there’s a.
Steve 01:32
Relatively big issue with one of the slightly larger casinos in Vegas we’re going to touch on. And then. Shall we say? And then, um, yeah, just a couple of other bits as well. But, um, yeah, I think, yeah, mainly it’s, uh, it’s kind of we’ll just ease everybody in.
Terry 01:48
Yeah. It’s like teaching people to swim. I’m not going to put them in the deep end yet. We’ll just let them know. Well, please don’t paddle around.
Steve 01:56
Don’t do it to me either.
Terry 01:57
No, no. Okay then. So I’ll make a start on this.
Steve 02:01
So how Terry, how is your week been?
Terry 02:04
Oh, my week, weeks should I say, it’s been busy at work. Which is good. Um, I went to, I think it was last Thursday, I think it was the 19th, I went to an e-crime conference in London.
Terry 02:16
Um, it’s the mid the mid year one, even though it’s towards the end of the year. Um, and it’s all different cyber security, information security, people with all the expert knowledge talking about different topics such as cloud security and jobs in, in, in the industry, um, people, the companies, how they’ve dealt with different cyber attacks and things like that. And there’s also little education sessions where you can go and do little workshops. That was really interesting. So I went down on the Wednesday. Wednesday night came back on the Friday morning. Full day on the Thursday.
Terry 02:52
But that was good. What else did I do? Oh yes I had a we had a Peaky Blinders theme night at our golf club on Saturday.
Steve 03:00 Nice.
Terry 03:01
Yes, it was good and I well not going to get we’re not going to brag about it but I won best dressed male.
Steve 03:08 Oh, here we go.
Terry 03:08
Yeah, I went as Alfie Solomons. Alfie Solomons and I had to try and grow some kind of a stubbly beard to make me look a little bit more like him.
Steve 03:18
I’ll lend you some if you want, mate.
Terry 03:19
No, I think after a week I got a little bit of stubble, but it was. But it was all right. Um, didn’t play any golf this weekend. Which is. Which is a pity, because it was a partners weekend, as I call it, you know, giving all your time to your partner. Well, that was it. Um, kids still playing in the backside, but we got to carry on.
Terry 03:39
We got to we got to carry on and enjoy our world in this. Slightly colder as it gets colder now. What about yourself, Steve? Did you anything interesting?
Steve 03:48
Probably not quite as interesting as dressing up as Miss Solomons from Peaky Blinders. Um, from my side. Uh, I mean, in my personal life, I’m. I’m a big fan of mixed martial arts, so I’ve been looking forward to. There was a big UFC event this weekend which was in Abu Dhabi. Normally I have to get up at 3:00 in the morning to watch the ones that are over in Vegas, but because Abu Dhabi are the other side of the world, it was, um, a nice change actually, because it started at 5:00. I am also an Arsenal fan for my sins football.
Terry 04:20
Um, oh, last correction there. That bit. Maybe we’ll have to edit that part out of the podcast.
Steve 04:25
Oh, I thought you were being serious. Um, yeah. No, um, the less said about that, the better, albeit we’ll take a draw and then, um. Yeah, I know, but I also do like rugby. So I did catch the last half an hour of the rugby on Saturday after the, um, after UFC and then, uh, Friday night it was my eldest niece’s 19th birthday. So I went out for a nice family meal with her. And Sunday I cooked a nice roast dinner for my lovely fiance.
Steve 04:53
So a bit of a best of both worlds, I think. Really.
Terry 04:57
But yeah, that’s a that’s a that’s a question there. And the more you cook for family on larger family is do you feel a Sunday roast is roughly the same as a Christmas dinner? Just more people?
Steve 05:13
100%, honestly. Well, I’m not sure what angle you’re coming from on that yet, but I don’t know why people over-egg cooking Christmas dinner. It’s literally the exact same thing. You’re just cooking more. It really is.
Steve 05:30
I cook a roast dinner every weekend without fail for my fiance, and cooking a Christmas dinner is no different at all. It’s just more people that like, I don’t know why people make a big deal out of it, to be honest.
Terry 05:43
Yeah, well that’ll be, that’ll be. We’ll save them Christmas topics for the next.
Steve 05:49 Yeah. We’ll do.
Terry 05:50
Yeah 100%. It’s a little bit early at the moment so.
Steve 05:54
Oh, do you know what, last night. So I also play for a pool team. And last night, it’s a Tuesday today for those listening, depending on when they’re listening. I play for a pool team on a Monday, and not only have they got their Halloween decorations up already, which is fair enough, but they started putting their Christmas decorations up last night. I’m not sure how I feel about that. We’re still in October now.
Terry 06:16
I think last year, last year I lost a bet with my stepdaughter. Because she was at university, I said, if you don’t come here the first weekend in November, we’re not putting the Christmas decorations up until the 10th of December. And she got here for the first weekend in November. So we had the Christmas decorations up the first week in November last year. So I wasn’t happy about that. But anyway, that’s all the boring life stuff. Let’s get on to what we’re going to talk about today.
Terry 06:43
So, um, let’s talk about, uh, information security. Cyber security first.
Steve 06:50 Yeah, sure.
Terry 06:50
So I’ll give you my brief view and you can come at it from a career agency’s point of view. Yeah. Now, people who aren’t in the business of information security or cyber security can see them both as exactly the same. But we could also sit here and say it says exactly what it does on the tin. Um, information security is protecting the company’s or your personal data. So my bank details, my children’s names, my gender, my religion.
Terry 07:32
Um, if I have any special needs, that’s all information. So that’s all information that we need to keep protected. So, um, your wife’s details, your kids’ details, all personal data. When they’re linked together, they link to a person. So that’s, in brief, what information security is. And that’s also around data protection and things like that. So in a business you will hear information security more than you will hear cyber security.
Terry 08:04
Now cyber security. Is. What we all deal with in day in and day out the internet. We can’t get away from the internet. You can’t get away from your phones. So cyber security is protecting. Protecting of your internet access.
Terry 08:21
So again, you could look at it going to your bank details, but it’s protecting you from losing that ability to go to your bank, or clicking on an email you shouldn’t be clicking on, and all these silly links you have in an email, and making sure you are protected to do that. That’s why, when you see companies doing cyber awareness training, some companies, the company I work for, do it in two ways. So you have your cyber training and you have your information security or your data protection. And it’s making sure that when you get an email, you look at it, you assess the email, you make sure it’s great. And if it’s not, then you move away.
Terry 09:03
And this also goes, and this is where, in the radio term, this is a good segue. Is that the right way we’re using it, Steve? Segue. Yeah.
Steve 09:11
We’ll go with that 100%.
Terry 09:13
This is a good segue, as well as, um, you personally protecting your data and protecting your company’s data, which is also on the career side. Now, there are loads of careers in the security world, if we call it the security world as a whole. There’s loads of careers. It’s not just, as we briefly mentioned in the first episode, it’s not just your kids that hang around in the basement doing all the funky stuff with their code. It’s your analysts, your business security people. So if I go over to you, Steve, what do you see, from a recruitment agency, of the different roles within the two areas, or security as a whole?
Steve 09:57
Well, I’ve got a couple of quick questions for you, if you don’t mind, just off the back of what you were asking there, just in terms of going back, which is obviously going to make things a little bit clearer. If we take two, I’ll pull two roles out of thin air here now. So if you take a security engineer, that’s gonna be hands on with firewalls, VPNs, malware, things like that, would you class that as cyber security or information security?
Terry 10:24
And well, in the business, it’ll be called information security. So that person will be part of the information security team.
Steve 10:30 Yeah.
Terry 10:30
And they will be looking at the firewalls protecting of the business.
Steve 10:35 Yeah.
Terry 10:35
So they, they, they will be seeing. So if I’m employing as group head of information security, someone in the department, I’ll be employing them as an engineer and analyst.
Steve 10:47 Yeah.
Terry 10:47
And their job is to analyse our current environment and make sure it’s fine. When it comes to the cyber side, you’re looking at people that may be in between IT and information security. And cyber, you could say, is the new funky word for the security outside of your business. Yeah, that’s what I see. So from what you’re saying, that person would be in information security, but he could also be seen as someone who works in the cyber, which is just the internet.
Steve 11:27
And the other role I had in mind, just a little bit of clarity, because again, there are 70 different facets to the information or cybersecurity world, which again, we’ll touch on in a minute. Penetration testers. Now, they could be internal or external. They could be working for you via an external source, or, I mean, the larger companies sometimes have internal penetration testers. Would you consider them information security or cybersecurity?
Terry 11:51
They’re definitely not. Well, when I say they’re definitely not, they’re not information security, because with penetration testing, if you were creating a cyber team, then your penetration testers or your auditors or people like that would most probably fall into that team. And the majority of companies have outsourced penetration testers, because you don’t want that phrase of marking your own homework.
Steve 12:18 Yeah, there is that.
Terry 12:21
There’s that part. So. As in my position, I wouldn’t employ someone to be a pen tester. I would do that completely outside of it.
Steve 12:33
It does tend to only be the really large companies that have internal, because they’ll have so many different offices and hubs or external companies they work with. But, yeah, going back to your, I’ve totally gone off topic from what you initially asked me. So what was your question initially to me in terms of from a career perspective? Sorry?
Terry 12:55
What roles, what different types of roles do you see in the GRC world? Now, you’re going to explain what GRC is, because I’ve said that to my missus and she said, what does that mean? I told her it’s government, risk and control, so you can elaborate. I like using these big words. Elaborate on your GRC recruitment, because that’s another area of security, and that’s information security, not cyber.
Steve 13:20
Yeah, for sure. It’s always one of those conversations I have with people. I’m kind of reticent to use the word nontechnical, because there are technical abilities and you do need an underlying knowledge of the technical infrastructure, but it tends to be a lot more policy based. If you look at Hadn’t. For example, a lot of the, well, most UK companies are aligned to a framework called ISO 27001, which, depending on the level of people that are listening to this, is basically a policy, basically, is people’s data secure, making sure, the framework, yeah, but it kind of covers the entire company. So there’s obviously a risk register involved, there are controls involved, but they will also talk to the more technical guys, the engineers, the analysts, things like that. It’s kind of an overarching, high level, enterprise level framework, which helps, or should do, at least in theory, keep the company secure.
Steve 14:22
That’s kind of the area that I work in. Prior to that, I worked in architecture. And again, architecture is kind of almost a sidestep to it because, again, they have the high level and low level.
Terry 14:34
When I went in, I worked for a company four or five years ago, maybe a little bit longer than that, a company called CGI. And they’re not graphics, they’re not a graphic design company. They’re a consultancy. Generated images, yeah. And I worked for them for a few years, and the first consultancy role I got with them was working as a security architect. And nice, and it was way over my head. It was so deep and technical that I found it really hard. You had to do it anyway.
Terry 15:11
It’s part of the consultancy. But I found that part of security, so you could even say security then. Security covers information, security and cybersecurity, it’s all security, so so I’m kind of just completely just written off what I’ve just said in the front then, haven’t I, in the first two?
Steve 15:32
So going back to what we were saying. I’ve lost what I was saying. Yeah. Obviously ISO, if we construct on UK firms, obviously ISO is the new one. There was a new update of it introduced in 2022. I think the previous one to that was 2013, I think it’s kind of been a long time for an update. Yeah.
Steve 15:57
Really, there’s not a huge amount of difference between the two from what I understand, other than it’s just moving with the times a little bit. There’s some more controls and stuff like that. Then obviously companies, if they’ve got more overseas, particularly America, they might align to things like NIST. The difference between NIST and ISO, other than the controls and things involved, is a company can get ISO certified. You don’t get NIST certified. I don’t want to use the word tick box. It’s not a tick box, because if anything, it’s more in depth than ISO.
Steve 16:28
But the company I work for is ISO certified. You can’t get NIST certified, but either way, there are other countries around the world that will align to different frameworks. And then if you want to go down the MOD route, you’ve got Hmvspf, and there’s loads and loads of things. And I’ve worked with aviation companies that have CAA CAF. There’s so many different frameworks, but the main one in the UK for sure is ISO 27001, which, again, if we go back to where we started in terms of the careers, you’ll often find, particularly through the GRC market, whether it’s people that are coming out of university or people that are coming from another area of technology that want to move into GRC, they’ll probably start looking at things like ISO 27001 Lead Auditor or Lead Implementer certification, things like that. Gives you a good idea of how infrastructures work, the way to look into them.
Steve 17:22
What are you looking for? There’s a phrase that’s used all the time in information security, and it’s what looks good that’s been able to look at a dashboard or a risk register and say, look, the information we’re receiving from these guys, is this is this what we should be seeing? And is it not what looks good from the company looking at the risk appetite for the company? Because, again, that changes as well, and you’ll be able to probably talk about that bit more than I will. A company’s risk appetite will probably change. What needs to be done in terms of an audit and implementation. The changes that things happen with the company.
Steve 18:00
Maybe that’s something you could touch on in terms of risk, appetite, things like that. Because, again, that could be. Compared to a real world scenario as well.
Terry 18:07
Yeah, we could, and I could, but I’d be taking up another 35, 40 minutes. And we don’t want people to fall asleep yet. We want people to get a flavour of security or information cybersecurity or security as a whole before we go into deeper and based on what people feel or give us feedback. And we can go deeper into things like that, because you just brought up another thing which, okay, it’s along with careers, but it may be another topic we can talk about later, is about the different kinds of qualifications you get within security. Yeah, you talked about the auditor and all that. That could be something we can look about.
Steve 18:48
But two very different certifications as well.
Terry 18:52
The auditor and implementer are very but that gives people a little flavour of the differences, but depending on who you speak to and again, this is just mine and Steve’s view. It’s not the official law bible of what is right or wrong, it’s just mine and Steve’s view.
Steve 19:09
I’m certainly not an expert.
Terry 19:11
No, we don’t want to be an expert. I like trying to find things out and working through mistakes and things like that. So, next topic, risk management and third party risk.
Steve 19:22
Yes. Now, big thing in a minute.
Terry 19:26
So if we were to ask the world what is a risk and what is a third party risk, I think people would know what a risk is. And again, without going into too much detail, people know what a risk, but maybe not familiar what a third party risk is. I don’t know if you want to kick off this one, Steve.
Steve 19:51
It? Yeah. I mean, this is something I mentioned to yourself in terms of this seems to be a hot topic in information security at the moment. A lot of people looking at their supply chain and third party risk management. Again, it comes through. There’s a lot of companies, okay, so I deal with a lot of companies who then deal with other companies that are either supplying them things or you’re supplying them things. And there’s a transaction between the two whereby there has to be a risk analysis in terms of who’s keeping the data that you are sharing with each other secure.
Steve 20:31
Now, it’s kind of strange that I’m kind of doing the information security side of things. And you’re going to make it.
Terry 20:38
This is the whole part of it.
Steve 20:40
And my view no, of course, it’s that exchange of data in a very high level overview, the exchange of data and who is keeping that secure and what parameters you put in in place to make sure that any data you are sharing with each other is secure, and are the products you’re using secure? How are you doing that? And then how do those two come together? That’s my view of it.
Terry 21:04
And if we look at it, because I like doing this and I’ll do this throughout all the podcasts, if we put it in the average Joe’s mind what a third party is. So I buy a car, car breaks down. I send it to the garage, garage fixes part of it, and then they can’t fix a certain area. So they send that car away to somebody else to fix. Now, there’s the third party. One, two, three.
Terry 21:31
There’s the third party now. As a consumer, I would hope that the garage, whoever I took my car to and who’s sending it off to get fixed, is a respectable garage that I can rely on. So I’ve got to be comfortable that that process is something I’m happy with. So in the real world, that’s what a kind of third party risk is. In the business world, a third party risk is something that I, as a company, cannot control. So when I sign up to, say, somebody’s, I’m in construction, and I sign up for this company to build a bridge for me, right, I’ve done my due diligence on that company. They’ve got the requirements I want.
Terry 22:27
Now, that company, I think they call it subcontracting, subcontracts that to another company. Now, you’ve got to be in a position that you feel comfortable that third party is going to do exactly the same in risk management as you’ve got with this other company. And that is a hard thing to do with a spreadsheet. It is a hard thing to do. And there are companies out there now and there are people with the knowledge out there now that can help you follow that whole chain and then help you with it, because that also affects you. If that third party has a data breach or loses data, or is hacked and has malware in their system, you’ve got to be comfortable enough that they’ve got a defence in place that’ll stop it feeding back towards you.
Steve 23:18 Yeah, exactly.
Terry 23:19
So there’s the managing of third parties. As soon as you send it off to Fred Bloggs’ company to deal with it, you need to know that Fred Bloggs is dealing with it. And then if Fred Bloggs decides to go and put it over to Susan, then you need to be made aware that they’re dealing with that.
Steve 23:38
So not coming back to you. Yeah, exactly that. But why has that become, all of a sudden, a big thing in the industry? I’m kind of just throwing this at you out of nowhere, but it does seem like all of a sudden companies are saying, right, we need to look at our supply chain, we need to look at our third party risk. It would seem like a very standard practice to put in place, but all of a sudden, a lot of the clients I’m working with are looking at third party risk. Supply chain, operational, which is another area we can touch on another time.
Terry 24:10
Yeah, but I think it’s mainly down to the cost. If you can spread the work out to different companies, it reduces the cost. So if I pay you X amount to sort out my bridge and then you go, okay, then I’m going to third party it to other companies to spread the cost out. Now, back in the olden days, it was me dealing with you, and that was it. In fact, to be honest with you, my view is, in the olden days, I dealt with you, and I didn’t have a clue what you did. Yeah. My attitude there was, as long as you come back and tell me you’ve done my job, I don’t care what you do with who you outsource it to, as long as you come back and do that.
Terry 24:55
But now, because there’s been so many problems with third parties, the company that starts the process needs to be in a position where they’re comfortable the whole way through. And not just say not do blinkers and just say, right. As long as you do what I ask you to do, I don’t care what you do with how you do it, just do it. And that’s where the worry comes from.
Steve 25:18
Yeah. And then if you know that there is a standard that is holding everybody that you’re working with in place, it’s not in the lap of the gods, so to speak, but you understand that if everybody’s following the same standard protocols, it means that we all should, would, in theory, be safe. However, that probably brings us onto our last topic.
Terry 25:41 There’s another segue.
Steve 25:43
I was, yeah, that was a good segue. I’m going to take credit for that. But it was something I wanted to talk about because it was something that I had been following when it happened. It was a few weeks ago now, to be fair. If we’re not going to talk about it now, we’re not going to talk about it at all. Well, MGM wasn’t the only casino that got hacked with ransomware. Say hacked, got breached.
Steve 26:08
There was a number of reasons why I was following it, for a start. One, my old employers are some of the senior managers at said casino or rather the nightclub that’s part of the casino.
Terry 26:23
Hang on, Steve. You’ve just said casino, but you actually released the name of it before we started the right.
Steve 26:34
It was the MGM. I wasn’t trying to hide their secrecy. It’s all open source. But then also, it was just intriguing to me because the more I read about it, it seemed that it very much came from a very preventable situation that was essentially I mean, it wasn’t even phishing, was it? Or would you call it phishing? It was credentials, wasn’t it, essentially, wasn’t it?
Terry 27:04 Stolen credentials.
Steve 27:07
I wanted to really get your thoughts on that because, again, we touched on it on the first episode when I said, I’m always telling my dad, don’t click this link, don’t click that link. That’s essentially where it came from. And that’s a huge gap in someone’s network if somebody can steal someone’s credentials that easily from a company that big.
Terry 27:30
Yeah. And most, a good 80% of breaches start from a human. Now, in reference to the MGM one, what I believe happened, and again, this is just my view, is credentials were stolen. Now, whether this was stolen via the dark web or someone had left a Post-it note on a train or something like that, it was stolen. Now.
Terry 28:07
You could say the way they stole it was via phishing. So they may have got an email saying that your account has expired, please enter your details. And they’ve gone in there; we’ve all had them. Yeah. Or what could have happened is, and when I say I’ve seen it, I’ve seen it, not to the level of that, but I’ve seen it, where a user will get an email.
Terry 28:29
It’ll say, click on this link, you click on it, enter your credentials, and then the screen will say not found, or the page will say not found. That person innocently will say, I’ll send this over to one of my colleagues and ask them, could you have a go and see if you can do it? And what happens then is you get this old fashioned chain mail that goes through where somebody can’t get the right thing to work. So they pass it on, and sooner or later the right credentials will be available. So a director will have it, or someone who has admin privileges, and then they get it, and then all the floodgates open, and it starts with something as small as that, as someone doing something innocently. And I guarantee that that person who started it didn’t even know what they were doing, or was just so innocent. And this is why we do training, and this is why we do security training and things like that, to get people aware and to get people to understand.
Terry 29:33
We all know casinos exist. It’s not something that is hiding away. And we don’t know, if somebody says, oh, I do this business, people go, I’ve never heard of that. Everybody knows a casino. Everybody knows what money is involved in a casino. So if casinos can have a breach, anybody can have a breach. There was nothing that happened there that couldn’t have happened to a company that had five employees, 100%. Nothing can happen.
Terry 30:02
So this is why I, in my role and in my business, I try and. To really force and promote security and being aware of what’s going on. And I could sit here and say, oh, they should have done this, you should have done that. Well, I could have told them they should have done something and they would have got through still. So there’s no difference, it’s just how that company reacts and how they deal with it and we all make mistakes, but if they picked themselves up and said, right, okay, we’ve got to correct this, then they’ll be in a better place, but it’s happened, so we can’t really dwell on it too much.
Steve 30:40
No. And they are getting more and more sophisticated as well. I’ve seen a couple of instances online where they’ve spoken about people within a company have received an email saying that they’ve failed a phishing exercise. But that email was the phishing exercise. It was the email saying they’d failed a phishing exercise.
Terry 31:08
Sometimes I feel sorry for employees or even just your person on the other end of the internet, because they’re getting so tough and so, so hard to recognise for the person without any knowledge. You’re more likely going to click on something that you shouldn’t have clicked on and it’s hard. So I’m running phishing campaigns in my current company, but I’m trying to make the email not be so secretive. Yeah. You want them to click on it and then go, silly idiot. I knew that.
Terry 31:54
Rather than, well, I have no idea. That just looked and you can only go to a certain level with people. You can’t expect them to be techie wizards on the internet. So if you’re working for a company that just owns a warehouse and has three or four staff, you can’t really go too deep because it’s pointless. You’ve got to keep it relevant to what your business is.
Steve 32:17
No. And as an employer, you can’t really be seen to be trying to catch your staff out constantly because it’s not going to build morale.
Terry 32:24
I do, I try to get a job, especially directors. If you can get a director’s name on that list of who’s clicked, then that’s it, that’s your pride, you go home.
Steve 32:36
No. Yeah. It’s crazy. The more you delve into it, and there’s evidence every single day, whenever I’m looking at the news and stuff, of things going like and like I said.
Terry 32:47
But again, Steve, this is the topic we can just rabbit on about forever.
Steve 32:51
Forever.
Terry 32:52
But, yeah, this is what we want to do. We want to make it just a nice little banter between ourselves. I don’t want people to come and say, oh, Terry, that was wrong. That was completely wrong, or, Steve, you don’t know what you’re talking about.
Steve 33:04
It’s all opinions. It’s all opinions. I’m a recruiter. I’m certainly not an expert on these things. I just talk to people about them. It’s fine. Terry.
Steve 33:16
And I am throwing this at you a little bit at the end, and I’m happy to go first, but just because I wanted to end on a little bit of a humorous note. Are you a fan of random facts?
Terry 33:27
It depends how random they are. Well, I’ve got a stepdaughter that constantly comes in and gives me random facts that I have.
Steve 33:35
I do it to my missus all the time. I just thought we’d end on just a relatively humorous random fact. Crocodiles have been around longer than trees. There you go.
Terry 33:49
Is that it? That was it. You don’t get out.
Steve 33:52
Do you know what? And I’ve actually messed it up. It’s actually sharks. I’ve messed up. Sharks have been around longer than trees.
Terry 34:00
Right? There’s one little quote for me. Passwords are like underwear. You would never share it with anybody else. You’re constantly changing it and you wouldn’t show it to the public.
Steve 34:13
Wow.
Terry 34:14
There you go.
Steve 34:16
That’s a way to end the episode. Don’t mess up a fact like I did.
Terry 34:23
Don’t do your stand-up comedian role, Steve.
Steve 34:25
No, I wouldn’t do a very good job in that.
Terry 34:31
I think we’ll end it there.
Steve 34:33
Yeah, I think so. I think so. But I hope everyone enjoyed it. It’s been pretty good. We’ll build up from there. Any comments from anybody online? Anyone that watches it, listens to it, LinkedIn, Spotify, anything like that, let us know.
Steve 34:46
Any topics you want to discuss, give us a shout. Obviously, Terry’s available as well.
Terry 34:50
Anything you want to sign off on, Terry? Yeah, I’ve got a few people, a few experts other than me and Steve, because we are experts, a few experts that have said they’re happy to come on and join us in a future episode, so they will all be happy as well in the near future. Amazing, everyone. Thank you very much for joining us, and we’ll see you very soon. Thanks very much.
Steve 35:17
Cheers, guys. See you later.