
July 31, 2025 33 mins

Cybersecurity with Naveed Islam, CISO at Dojo


In this special edition of the Tech on Toast Podcast, host Chris Fletcher sits down with Naveed Islam, Chief Information Security Officer at Dojo, to unpack the state of cybersecurity in today’s AI-powered, hyper-digital world.


From phishing scams and data breaches to quantum threats and ransomware-as-a-service, this episode breaks it all down in a way every operator – whether you’re running a single site or leading a national brand – can understand and action.


🎯 Topics Covered:

• What does a CISO actually do?

• The rise in high-profile breaches (M&S, Co-op etc.)

• Why small businesses are especially vulnerable

• Common attack vectors: phishing, credential theft, outdated software

• AI in cybersecurity – the good and the bad

• The dark SaaS world of “Ransomware-as-a-Service”

• Why card data is digital gold

• PCI compliance made simple

• The hygiene basics every business should master

• Why cybersecurity needs to be on the boardroom agenda

• What the future holds: Agentic AI, identity as the new perimeter, and post-quantum risk


🔮 3 Cybersecurity Trends to Watch:


  1. Agentic AI – AI that defends autonomously, without human input

  2. Identity is the new perimeter – verifying who is accessing systems is now more critical than where they’re doing it

  3. Post-Quantum Risk – data stolen today could be decrypted tomorrow. Some attackers are already harvesting.



🔐 Key Takeaways:

• Cybercrime is getting slicker and cheaper – anyone can launch an attack

• AI is a double-edged sword – it’s being used by both defenders and attackers

• Security hygiene matters – MFA, strong passwords, regular updates

• Only 27% of UK boards prioritise cyber – that needs to change

• Payments are prime targets – card data can fetch up to $30 per record


🛡️ How Dojo Protects Its Customers:

• Point-to-point encryption

• Hosted payment pages

• AI-powered threat detection

• Light-touch PCI support for SMEs




🔗 dojo.tech

📱 Available on Spotify, Apple Podcasts & everywhere you get your podcasts.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Welcome to a very special episode of Tech on Toast
podcast. And today I'm delighted to be
joined by Naveed Islam, Chief Information Security Officer.
Naveed, how are you? I'm well, thanks.
Welcome to your office. Thank you.
So we're here and there looking over the London skyline today
and I think it's going to be another beautiful day.
Tell me a little bit about you and your role in Dojo because I
think your title is very grandiose.
So, but kind of break it down for us.

(00:22):
Tell us what you actually do. You're so thanks for having me
on, I said. I'm the Chief Information
Security Officer, Dojo. Ultimately, I'm responsible for
protecting all of Dojo's information and digital assets
from malicious actors, so to speak.
We are protecting all of the information that we generate,

(00:42):
card data, vessel data, etcetera.
So it's the whole remit of protecting the systems as well
as protecting the data. And it's very relevant right at
the moment in the, in the headlines is that a lot of I was
in Marks and Spencer's in Cornwall myself on holiday the
other week and I went to pay and I couldn't pay because it was
the start of their security issue.
And it's becoming, I think, more and more common as as data
becomes more and more wide across the industry.

(01:04):
Do you think it matters now more than ever than how we're, I
mean, obviously you're here doing that for Dojo, but do you
think that other businesses are taking more seriously than they
ever should be now around how we protect?
Our data, in short, yes. Probably not as much as I, I,
security professionals would say that it should be.
But the, the awareness has improved.
A lot has come along, especially with larger organisations,
especially when there's high profile cases.

(01:27):
And I feel for the M&Ss and Co-ops of the world because I've lived
through something similar in my previous life.
But when these high profile cases come out, it focuses the
mind. Yeah.
And organisations start introspectively again, what are
we doing? What would we do if something
similar happens which ultimately raises awareness?
The other thing is the UK Government, EU, etcetera and EU

(01:50):
lawmakers have come up with different regulations which are
either going through Parliament currently or are actually acts
which help to elevate this topic of security, privacy and just
digital resilience. Yeah.
I do think there was an understanding, I suppose of
digital resilience prior to the last, I mean really the last two
years, three years. Do you think that people are

(02:11):
finally starting to join on that mission?
I think definitely since COVID, yeah, what COVID did was make
everything pretty much digital because we had to, we, we all
locked them across, across the globe.
It wasn't just a phenomenon in one region.
It basically was a global event, which meant we went digital very
quickly. And a lot of organizations had
to think on their feet how to adapt and become firstly digital

(02:36):
and then shortly followed by the resilient around there.
Resilience, a lot of it still is around making sure things are up
and running. So when you hear about
resilience, if you think about Marks and Spencer's argument's
sake, because it's very topical that the website is up and
running, that's what's considered resilience.
But over time, it's now becoming, it's not just the
things like websites or systems, it's business processes in the

(02:56):
background. They also have to be resilient.
There's to to your point where you said you went to do a store
and the the shelves are not stopped.
That's a supply chain issue, right?
The whole piece from start to end is Switzerland, not just
there. I say things like websites or
very prominent systems. And there's a stat here, the
Cybersecurity Breaches Survey reported that 43% of UK
businesses experienced a breach in the last 12 months.

(03:18):
That's over the 600,000 companies.
It's quite shocking. What What do you make of those
numbers and how they represent what you're seeing actually
happening on the ground? It's about right because but so
there's a lot of incidents that happen on a daily basis.
Just today for example, I've just read in the BBC News that
illegal date Eagle Aid database has been breached, which may

(03:39):
have gone back all the way down as information all the way back
to 2010. There's certain breaches or
incidents, I'll call them, whichmake the news and they get our
attention on a daily basis. There's a lot of lower level
things which are happening. It's this e-mail compromise
whereby someone may lose 10,000 pounds.
For example. They don't get reported.
But when the government does service like this or other

(04:01):
organizations, Verizon do a data breach report on a yearly basis.
They highlight a lot of the lower level things that are
happening which don't always make the news, but that number
doesn't really surprise me. And the smaller businesses we
presume are being attacked less. I said that maybe it's
happening, we're just not aware of it.
But the financial impact that that when they are attacked is

(04:21):
almost double, you know, because they're obviously they're a
smaller town over the smaller, smaller base.
Why are micro and small businesses being hit harder when
it comes to cost? Guess it's, it's a multitude of
things. It's small.
So they don't have the resources at times, especially micros or
maybe one or two people running the business.
And the day job is the health job is to just make sure that

(04:43):
they are running the business. They are, they're taking the
payments, they're doing whatever is needed to fulfil customer and
consumer orders. They don't have the
sophistication in terms of systems.
They're often outsource it to maybe IT family members, IT
providers etcetera. They don't have the financial
means to recover as well. So for argument's sake, we in in

(05:06):
enterprises or in large organization, you kind of lost
£10,000. It's bad, but it's not the end
of the world or micro £10,000 would mean losing that money and
then spending time and resources on recovering would mean they go
out of business. So as such, micros are
disproportionately impact, not because the attacks are more
sophisticated, it's just the cost to them of not just the

(05:29):
attack, the recovery process, and they don't have the means to
recover. But ultimately they end up in
this almost Whirlpool of being attacked and now can't trust our
systems. Will it happen again?
And it just goes around in circles.
Self fulfilling prophecy, Yeah. And what could I suppose and the
enterprise businesses that cost, I mean I've got a quote here,
the costs are down by 69%. In that scenario, what are they

(05:51):
doing? I suppose that whilst obviously
they have larger resources, what are they doing that the smaller
guys could look at and say, do you know what?
And you talked a bit about there about third parties and how
they're investing in IT support, but what could they do more that
could help them? The enterprises of the world
just have more resources. Yeah, they have more money and
they can partner with more reputable organisations or more

(06:12):
experienced organisations who do this on a day-to-day basis.
They have resilience plans, recovery plans, insurance,
etcetera. Now Micros can't do that.
There are some hygiene factors there are said the micros can
invest in things like strong password and multi factor
authentication, keeping software up to date, doing some level of

(06:33):
awareness or having some level of awareness what social
engineering looks like and things like having the
capability of being able to recover whatever that means for
an organization. Now it's simply said than done
right. So if it's a someone encrypts
your system, can you recover from a backup versus if someone
scammed you out of £10,000, what do you do?
It's having kind of three or four areas they can look at,

(06:55):
especially if, as I say, I'm considering micros right now.
Yeah, it is. There's not that much they're
going to be able to invest in, but some almost like hygiene
factors that they can look at which will make them slightly
high harder targets than others. I think that's The thing is it's
the, it's the awareness piece. Plus actually doing something as
in having as in a hygiene factor is the best way to put it.
And, and in terms of what people are being attacked by the
phishing and that's not what most people think about, it's

(07:18):
the pH phishing it's hitting. It says here 85% of businesses.
Could you break down what what a modern phishing attack would look
like to a business? How they might experience it?
I will class some more, so I'll go expand that question to or
answer to social engineering. Phishing is a form of social
engineering. Now social engineering has been
around since dawn of time. Ultimately, what's happened with

(07:40):
the digitalization, I can get that word out, is social
engineering has become very digital.
So e-mail is the most common one, which is phishing the pH.
We're sending an e-mail to be able to get the desired action.
So fraudsters, as I will call them all by actors, whichever
the terminology we want to use, send phishing emails to get a

(08:03):
certain action or certain reaction from the recipient,
whether it's clicking a link to steal credentials, clicking a
link to download malware or clicking a link to install
malware type thing. The other types of social
engineering that is quite prevalent right now and the
national cybersecurity agencies mentioned this is telephone

(08:23):
social engineering whereby calling things like IT help desk
or contact centres and social engineering them into giving
information, resetting passwords, getting in kind
information. A lot of that, as I said, has
become more prevalent in the last 10 years, but last
definitely last five years because of the digitalization

(08:43):
that I mentioned before. Yes, it's manipulation of
people, isn't it, which is now used to be in the playground
potentially or or or a business transaction.
Now it's on the WhatsApp or. On your phone, exactly.
We are so used to being on emails, WhatsApp, instant
messaging, etcetera. That message that come through
are are the norm. And for us to just piggyback on
the back of that and they make that communication channel the

(09:06):
norm to are to con people out of whatever they're trying to do.
It it, it's very, I mean, it's daily, right?
It's happening at every day, and I suppose that that's the kind
of the the larger phishing groups.
What about other other ways of what?
How are people being targeted in other ways to.
Criminally, I'll reference a Verizon data breach report.
They do this on a yearly basis and they do a very comprehensive

(09:28):
job. So essentially they flagged 3
main things currently happening. Social engineering is definitely
one of them and specific phishing, e-mail based phishing
or yeah e-mail based phishing software vulnerabilities being
exploited. Especially stuff which is
available across the Internet, so your websites for example, if
they're not up to date, fraudsters will look to see if
they can act them in quotation marks.

(09:50):
And the other one is credential theft.
There's a lot of focus by fraudsters attack attackers on
stealing credentials to be able to do whatever they need to do.
So it's not everything's through phishing.
So I'll give you an example. Stealing credentials are enough
information to send an e-mail to an accounts team to change a
bank account for where a payment should go.

(10:12):
It's considered the technical term for his business, e-mail
compromise. It's a form of social
engineering. It just takes a different method
to phishing. But those are the three main
things that Verizon say are happening right now talking
about. Being digital and more advanced
AI now becoming part of the conversation.
I think every day for us in our role, what we're doing every
day, talk about it. And there's a, there's a start
here. 67% of people think they can spot an AI generated scam.

(10:35):
You're smiling, but most of them actually can't, can they?
Because the reality that's getting, it's becoming so close
to reality, it's becoming hard to track right.
The reason I smile is because the start before you said
something about 85% of attacks are through phishing, right?
Yeah. The reason I smiled is because
people find normal phishing difficult to spot.
And the reason for that is it's a talk I had a few years ago

(10:57):
which talked about the almost the impulsive side of your brain
versus the rational side is they're called the Homer versus
Spock. The Homer side of our brain is
what we normally act with. Impulsive emails come in, we've
clicked it, read that, read that, done that, etcetera,
versus driving me. But yes, we all do it right.
As I said, versus the Spock side of things, which is if you have

(11:18):
to make a large purchase, for example, you need to spend
£10,000, you're not just going to be, yes, your brain, you take
even 5 minutes to think about it.
The attackers are leveraging, leveraging.
They're counting on the fact that people are very impulsive,
especially when it's in request, which doesn't mean much.
Oh, I need this doing. Can you click this link?

(11:40):
There's nothing obvious there, right?
That they click with impulse. Now that's just a traditional
phishing e-mail and traditional giveaway signs.
Used to be there's a sense of urgency, there's spelling
mistakes, there's grammar, grammatical issues, etcetera.
What AI is helping do is get rid of a lot of that.
Now emails have become more realistic because this sound

(12:03):
colloquial.
sending the e-mail automatically, they're correct,
all of the links, etcetera will look very good.
There's one factor that remains the same.
There's a level of urgency. What the attackers don't want
you to do is sit there considering whether the e-mail
is correct or not. They kind of, they will say
something like we need you to do this urgently, otherwise
something bad will happen and the AI, I don't know the right

(12:26):
terminology. The AI-led phishing can't change
that back, which is the attackers need the recipients to
act with urgency. They can't like you have 30 days
to comply because 30 days is a long time and human.
We will do this later. They will say something like if
you don't this now you will get fine, we need to do this in the

(12:46):
next 10 minutes blah blah blah. In a roundabout way, I smile
because people can't spot them. Now what AI is doing is making
it some of the telltale signs more difficult almost.
Humanizing it a bit more. It is humanizing very much.
Everybody's using it right? I was in the room, they would
ask to put the hand up actually. Everybody is, everyone does it.
Looks and it's becoming commonplace and people are
finding it hard to spot when you've written A blog by

(13:07):
ChatGPT, let alone in a in a phishing scam.
And I said the the telltale sign is the the sorry, the urgency,
urgency, time sensitive. The time sensitive thing is the
one thing that doesn't change AI or no AI.
Yeah. We need your money now.
Yeah. Yeah.
And, And there's a stat here about 90% of C-Suite executives
are claiming they can spot AI-led phishing.

(13:30):
But do you think that potentially there's
overconfidence creeping into the boardroom potentially some of
these larger, particularly when you look at M&S and some of
these guys recently and, and I know restaurant chains have been
through it as well. Do you think there's some
overconfidence creeping into the, the board where really
there isn't an, a level of expertise there?
It's kind of a self-taught understanding.
Do you think the the potentially overlooking what could be a

(13:52):
really problem? With respect, yes, all the
reasons I said previously, which is I've seen enough execs being
compromised through the it's phishing, which is the general
thing everyone gets. And then there's a
terminological whaling, which is you go after the really big and

(14:12):
the C-Suite people because if you can compromise them somehow,
then you can do whatever you want in the organization.
Imagine if I can compromise our CFO and assume his identity
somehow or his e-mail for example, I can then start
emailing the right people to do whatever one and because they
think it's a CFO, they are more likely to do it.
And a lot of organizations in the last 10 years, and I'm aware

(14:34):
I've worked on some of these cases have lost money because of
that way by CEO says I am working on a very confidential M
and a deal with an accounts payable team somewhere.
And you make this payment of say 50,000 to this legal team, but
don't tell anyone about it. That counts payable person says
the CEO, of course I'm going to make it.

(14:54):
And I've been told not to say anything, right?
So where I'm getting with go with this.
So this is what traditionally has been happening.
Now if AI is making it more human, I can't see how the board
members and execs are more confident, especially because
the industry security industry hasn't done that much work on
doing AI phishing awareness training that are generated by

(15:18):
AI if that makes sense. Yeah, it, it totally makes
sense. I was at colleges as a director
there about 10 years ago and we had we were getting emails off
the founder saying can Chris, can you just send me £500
because I need, need to do a transaction in the opening we're
doing. And I'm and it does take a
double check. You are reading it thinking,
well, Simon's asking me probably do it.
So I and I think that, as you said, is becoming more digital,

(15:40):
less easy to spot and more humanised.
So it becomes this. And the scary thing is we're
only just getting going right with AI, I think it's where, where
do you think it can go in terms of how advanced can these guys
get in terms of kind of manipulating?
So this there's different levels to it, right.
So the, the no two attackers are the same.
So you've got the really sophisticated nation-led state

(16:02):
and nation-state-led things which are country to country
warfare, Russia, China versus the US and UK and things like
that. That's very sophisticated.
They they operate in a manner that's basically beyond most
enterprises. But again, they are going after
nation, nation-led things like critical infrastructure etcetera

(16:23):
as opposed to consumer data because that's not their game.
Criminals, special criminals or cyber criminals if you want to
call it, they are going after this.
Now sophistication will vary. Cyber crimes almost democratize
democratize in the last five years whereby you've got really
entry level attackers coming in because they can buy things as a

(16:45):
service. It's really interesting because
the the the criminal world is mimicking the and the
professional world. We have software as a service
are. You telling me these guys are
with their own software? No.
So we have ransomware as a service.
As an example, the reader ban attacked the other day whereby a
lower level, lower sophisticated attack group bought a service

(17:08):
from a more sophisticated group and then targeted and then
company. Now to to your point around how
sophisticating you can get, very sophisticated organised
criminals are not going to spend time and resources doing a lot
of this AI training their own LLM models, etcetera.
They'll either try to purchase it or they will basically go

(17:29):
after the lower end through because ultimately they want to
have the lowest lowest effort for the maximum yield.
Yeah, and not a large footprint, I imagine.
Exactly. So now the scary bit gets if I
if I think out is the offer as a service, they may be able to buy
LLMs as a service in the future, which would change the game.
However, the positive part of me thinks all the security

(17:51):
community and the big tech organizations are building AI
for good and we'll get into this battle of it.
Like now as humans versus humans, you'll get machines
versus machines and we spot enough of it to be able to make
ourselves a harder target than the next.
But that's kind of, I don't want to say 10 years out, it's
probably sooner than that because we're seeing a lot of
advancements in that place. But I will I still expect

(18:14):
organized criminals to not spend that much time and money because
they want they want to basically get in, get out as soon as
possible and make the most amount of.
Money, but not being too layman's to it's like a robbery,
you know, it is a literally go in, go out.
You know, I'm from Liverpool, I understand this stuff so.
Nobody. You, you mentioned that this is
actually really interesting bank robberies, right?
You don't often hear about bank robberies anymore.

(18:34):
The last one I remember was a Hatton Garden heist and that
took a lot of planning and they got caught in the end because
there was physical things that left behind.
Now organised criminals in the last 10 years have worked out.
You don't need to drill through diamond shops and banks etcetera
to get the money. You can get it out other ways
and you leave it a little footprint.
But again, it's they want low effort, high yield.

(18:55):
They don't want to spend 6 months taking something out
because it's too long because. It's an impatience isn't around
the nature of the job of the work they're in.
There's an impatience to make some money and.
Move on to the exactly. I mean, we'll talk about this.
I mean the, the defensive strategy for a business, where
do you start? And I suppose what can you
actually, we talked a little bit before about hygiene, where do
you actually start to kind of bend yourself against our, I

(19:17):
suppose there's two different conversations besides that if we
talk about enterprise business. A lot of it starts with hygiene.
As I said, a lot of the attacks start off as a lower level and
what you often get is either the the more motivated attackers
will keep trying until they get in, but the lower level
attackers essentially are that looking to get in and get out to

(19:39):
where they find any type of resistance.
They kind of get too hard. We'll just move on.
A lot of it starts with hygiene, but then it's making sure one of
the things that you I was at a conference a month or so ago, we
talked about identity. Identity has become crucial just
like we care a lot about our passports, our violence,

(20:00):
etcetera, because that can our identity to allow us to do a lot
of things and digital identity has become very crucial.
So identity has become a perimeter, but rather than
having an outside work organization and inside.
If you think about a Moat, a castle and a Moat, they don't
have that anymore because of the proliferation of digitalisation,
SaaS service, etcetera. When you log into your online

(20:23):
bank, it's your identity that proves it's you.
There is nothing else in between.
The identities become really crucial and a lot of
organisations have started looking at that go how do we
make that as hard as possible be compromised and.
There's a study which has surprised me.
I don't, you know, I'm slightly going over all ground, but 20%,
27% of survey businesses said cybersecurity was a
priority at board level. But that's a, that's a hell of a

(20:44):
lot considering what we just talked about the last five
minutes. It's a really low number.
And having been on some boardrooms in, in the hostility
industry, I kind of understand it and I don't agree with it,
but I understand why they're not there yet sometimes.
But what do you think that that that it's not?
Is that numbers not at least 50%?
It's this optimistic side of any business, which is it won't
happen to us. And just as humans we're

(21:06):
optimistic, right. Otherwise we've probably wiped
out as a race. And I noticed saying COVID,
everyone basically around you may have go COVID, but UK it
won't happen to me. But businesses also have though,
which is, yeah, it may have happened to an unnamed dropped
Amanda, but M&S, it won't happen to us.
So there's a level of ignorance. Secondly, some industries are

(21:28):
just not regulated. So the financial industry is
regulated, the telecoms industry is regulated.
We have the national infrastructure that is very much
regulated. But there are, say, retail,
hospitality, not so much. So there's no driver there,
whereas the driver is obviously too many businesses to be
profitable, right? And often security is, it has a

(21:48):
historical connotation. It's a cost, not a value add.
Now a lot of his security industry has to do a better job
of showing how it adds value. But if you think about it just
from just accounting perspective, it's just a cost.
There's no value to be attributed.
What's so I'm not surprised by that.
By the way. There are some things in the
pipeline so to speak. So I know that the US has become

(22:09):
very big on it because some highlight high profile breaches
to the US Security Exchange Commission has made a few things
mandatory, which is all public organizations have to do breach
disclosure on hide it on a yearly basis.
They have to report on the risk and governance and they have to
show within that yearly report that someone on the board level
has enough experience of doing cyber or being able to question

(22:32):
it and that they're managing it just like any other financial.
Where I can see cyber going in the US, by the way, that's why
the UK, I should mention it's got an act which is going through.
It's a bill, sorry, going through Parliament at the
moment, cybersecurity Bill, which is looking to something
like that, which is mandatory reporting, especially around
some of the more high profile industries.

(22:52):
Where I can see this going eventually is a bit like the
annual accounts an organization has to do where our financial
audits come in and kind of get everything checked out whereby
everything checks out because eventually the cyber risk will
become that material. The organization would have to
show some way, shape or form that they are taking this
seriously and they're testing against it.
And it will probably start with the financial institution

(23:15):
because the the regulators are more hot than that.
How are you guys using AI to, I mean defensively help your
customers and businesses look after themselves and stay ahead
of the threats? Lord, the AI will currently use
this in the defensive posture, have some plans around making it
more into the product side of the world, but that's very much
in this infancy at the moment. But from a defensive

(23:35):
perspective, we leverage a lot of the AI capabilities from our
partners such as Google and others to help us both detect
and mitigate risk as soon as we can.
So as an example, our e-mail system has AI built in which is
trying to fight the AI-led
As you said before, it's AI versus AI because again, we are

(23:58):
not relying on humans being able to detect it all the time whilst
we train our people, we need to help the people.
So before it lands in someone's inboxes, going through all of
the, the good AI, if I call it that, versus the bad AI
generated. Yeah, exactly.
We do a lot of for our investigate for our detecting
response, but we're using AI to detect and some malicious

(24:19):
activity both within a wider environment where especially
where our asset crown jewels are in terms of data etcetera, which
is ultimately our customers data.
And we use a lot of machine learning to automate things,
which is we can automate actions to do it enormous in real time
rather than some human look at it and deliberate over it based

(24:39):
on years and years of machine learning, not just by us but our
partners. We can basically have confidence
levels that if this is looking bad, we have enough confidence
to kill that action, whatever it may be, to reduce the risk
upfront rather than just alert and then someone has to go and
look at it. So we rely a lot on automation,
machine learning and AI to help us be quicker in addressing

(25:04):
threats. And I think it's that that good
versus bad is it's, it's a super interesting conversation.
Obviously it's going to get bigger and bigger as we go on.
I want to move on to payments a little bit, which is what you
guys obviously do. What, why, why is payment
security or when we talk about the way people are managing
payments, why has it become such a high stake business and how we

(25:25):
talked a bit about cybercriminals exploiting it.
Obviously there's a it's a profitable angle for them, but
why has it become such a, I suppose, a high stakes scrap as
it would be. It's because what you just said
it's profitable. Yeah, odd numbers, payment,
payment data as such, specifically payment card data
16, the Japan number, the CVV, etcetera allow but has a value

(25:48):
to criminals. The last time I look at this my
my data is slightly out. It was something along the lines
of a 16 digit card number was worth anywhere between 15 to
$30. And then if you have the CVV,
which is the 3 to 4 digit authentication, it became even
more valuable because that allows you to do a lot more.
So ultimately what you have is digital currency in a manner

(26:11):
which if the fraudsters get it, just like I use my credit card
all the time and I now often don't have my physical credit
card. I have a either on my Google
Wallet or a basically I'm putting into a website that's
just my card dating. So legitimate.
Now if fraudsters get it or cybercriminals get it at scale
en masse, they can either use it to commit major fraud or often

(26:33):
they resell it and it's almost a resale market.
That's the reason they steal it, because someone out there by the
one group or multiple groups want this card data to again do
a lot of financial fraud. But that's what card data
ultimately is, digital currency that allows us to operate
nowadays. And the fraudsters have looked
at how legitimately it works, and they're doing it for the bad

(26:55):
side of things. Yeah, yeah.
And how is Dojo, I suppose keeping its customers or
keeping them compliant in terms of PCI? What, what are the main
ways that you help deal with that?
We focus on the in person economy, so what traditionally
should be called bricks and mortar first.
Obviously we do remote payments, e-commerce type of things.

(27:16):
In both instances we try to build as much security in into
the payment offering so the customer doesn't have to do that
much. But as an example for our face
to face payments, the we build all of the security into the
terminal and the communication in a manner that the we take the
responsibility away from the customer.
All of our payments are what's called point-to-point encrypted,

(27:39):
which means that between the terminal and us, no one could
basically hack it. It would have to come after us.
So we're trying to take the consumer and as we do focus a
lot on the micro and SME space, we're trying to not place too
much emphasis on them trying to secure the payments.
We're giving them the secured version.
We do the same thing for remote payments whereby we offer a

(28:03):
payments page which is hosted and managed completely by us.
So the merchant doesn't have to or the customer doesn't have to
worry about the website because the payments are completely and
by us, we do it in in a manner that takes most of the
obligations away from the merchant or customers, I should
say. But then we manage them through
making sure they're following the right guidance from a PCI

(28:25):
perspective, the gold standard for payments that's often light
touch for our customers because I said we take most of the
obligations away from them. Well, when?
You've talked about hygiene before you you're doing a lot of
that for them. That right there, right?
We, we try as much as we can now, obviously, and the bigger
customers want more bespoke solutions.
But again, we will work with them in a manner to go.
How do we secure this begin with bigger customers, as I

(28:47):
mentioned, they have more resources.
So as such they can take more of the burden.
But coming back to earlier conversation, micro SME is not
as much. So we take a lot of burden away
from. Being fascinating before we wrap
up, I suppose what are the three biggest innovations or trends
that businesses should keep their eye?
Obviously AI is on the horizon, which you've mentioned, but are
there, are there another two that you could mention?
I'll expand on the AI one. Actually there are three I've

(29:09):
got in mind. So AI, the industry is calling
something agentic AI, which is AI becoming the... Right now, AI and
large language models are being used to do a lot of data
analysis and make decisions on it.
The next iteration, and we start seeing some proof of concepts
around it, is allowing the systems to become autonomous and

(29:30):
make decisions and take actions independent of the human.
But when I talked about the good versus bad, if the attackers are
using AI to attack and if we have enough confidence, the
systems let AI basically detect and mitigate the threat all by
itself. It almost takes some of the
human aspects out of it. Now, within reason, because

(29:52):
argument sake, in this business, I would never want the agentic
AI to do anything with our payments platform because we
have to have extra precautions around that.
But some of the lower level things you can do.
So agentic AI is a big thing right now.
Second one I've already touched on that is identity.
There's a phrase going around in the security industry which is
identity is the new perimeter. You no longer have that.

(30:14):
I will VPN into work to do work stuff.
And here's my if I sit in my laptop at any given point, I'm
doing some personal stuff, I'm doing work stuff and a lot of it
is browser based off as a service.
So identity is the thing that's proving who I am versus someone
else. Before previous life, I'd have
to VPN into work, do some fiddly things with tokens, etcetera.

(30:36):
Yeah, some of the younger listeners may not remember those
days, but you have to do a lot of that to prove that you were
inside the work environment. Then you could do work stuff.
That's all gone. But identities become the
perimeter. A lot of work's been doing to be
identity focused, identity first, and the last one is a bit of a
stretch one, but the industry has been talking about the tech

(30:58):
industry. We talked about quantum and the
post quantum world. What does that look like?
And there's a lot of concern. Now I'll leave it at that
because it is a gesture concern at the moment that the computer,
quantum computing will enable a lot of the data which is
encrypted at the moment to be decrypted at such a speed.

(31:19):
Because a lot of the data at the moment is encrypted in a manner
that can't be decrypted or can't be hacked.
Quantum will make it easier to hack.
So there's a lot of attackers or criminals who are harvesting
data now to decrypt later to monetize was awaiting for the
quantum world. Now that one is a bit of a
stretch and that one's been around for five years.

(31:40):
But I've seen some a lot of work by Google and some of the other
big tech firms around quantum computing and this fear, bit like
the AI piece, where there is usage for good, there will be bad
actors who will jump onto that. So those are the three big
trends that the security and tech industries.
I mean, it's brilliant. I mean, fascinating, but also
quite scary sometimes. But but thank you for bringing

(32:01):
it like to us just in a, in a way that actually is consumable
because I think sometimes it's information's hard to
understand. I realise a lot of what I say
can come across with really scary and whilst it can sound
really scary, as I said, if we basically break this down into
what I've mentioned already, hygiene factors etcetera.
A lot of cybersecurity comes down to detecting of cyber
resilience. I'll call it comes out to doing

(32:22):
some what we call basics in the industry, but I'll call it
hygiene, which is things like the strong passwords, the MFAs,
keeping software up to date because ultimately as I
mentioned before, criminals are, are trying to get, are trying to
do this with the least amount of effort for the max, maximum yield
they and if you can make yourself a harder target by

(32:42):
doing some of the hygiene stuff, it deters them.
Yeah. They're going to move on.
Right. It's like having your front door
locked on, your windows locked and having a burglar alarm at
the top, but the normal criminal looks, goes, that's too hard, I'm
going to go somewhere else. Ultimately this, the digital
world is not that dissimilar from the physical world.
It's just we're living in, everything is just anonymous, so
to speak. So as I said, whilst it sounds

(33:02):
really scary, there are some practical steps we can take and
make ourselves a harder target both at the from different
levels, from the micros to the enterprises to the personal
world. We'll be able to make ourselves
harder targets so that the attackers move on somewhere
else. And eventually, if everyone does
that, they will move on to some other scam because ultimately I
said they didn't make money in a really, really low level manner.

(33:24):
That was Naveed Islam, everybody, joining us on the podcast, you
can go and check out Dojo, Dojo dot Tech and apart from that, we
should see you all next week. Thank you.
Thank you very much for having me.