Aug. 15, 2023

How to Overcome Cybersecurity Fatigue | Interview with Ashley Woodhall, Founder of Practical Infosec

This week, Ryan speaks with Ashley Woodhall, founder of Practical Infosec, about the delicate balance between a seamless end-user experience and effective cybersecurity practices. During the discussion, Ashley shares practical tips on how to secure your organization without overwhelming employees. Later in the episode, Ryan and Ashley examine the rise of sophisticated deepfakes and the need to adapt to an ever-evolving threat landscape.


Meet Our Guest
After 10 years in cyber security, Ashley Woodhall has seen a lot of change but, crucially, he's learned that good security is just doing a couple of things consistently, and doing them very well. Practical Infosec helps purpose-led organisations do those things very well, so they can do the good in the world they want while being protected. Ashley started the business after making himself a promise in 2019: if the next full-time employment role didn't work out for any reason, he would build something himself which had meaning. He's now finding meaning through his work, helping purpose-led organisations. In addition to a BSc in cyber security, Ashley is certified to GCIH (ability to identify and respond to cyber attacks) and GCCC (ability to carry out audits against the Critical Security Controls). He has worked in technical, risk management and strategic roles and for the last two years has been running Practical Infosec. Ashley is a mentor to students both privately and through organisations such as CAPSLOCK and the North East Business Resilience Centre (NEBRC). He has also served on a board of directors for 3 years. Outside of work, Ashley can be found (out of place) in Barcelona's hipster cafes, watching Liverpool FC, laughing out loud at Bill Bryson's travel books or getting lost in the city.


Transcript

Ryan Purvis 00:49:36
Hello and welcome to the Digital Workspace Works Podcast. I'm Ryan Purvis, your host, supported by producer Heather Bicknell. In this series, you'll hear stories and opinions from experts in the field: stories from the frontlines, the problems they face, how they solve them, the areas they're focused on, from technology, people and processes to the approaches they took, that will help you to get to grips with a digital workspace's inner workings.

Welcome, Ashley, to the Digital Workplace Works podcast. Do you want to give us a brief introduction to who you are and what you're doing?

Ashley Woodhall 00:50:12
Sure, thanks, Ryan. So my name is Ashley Woodhall. I've been in and around the cybersecurity space for around 10 years now. Started from university days where I was bored at school and, kind of, I found some interest in messing around with computers. And it kind of went from there, I grew gradually more interested in security, and worked my way through quite a few different jobs in financial services and retail, a couple of other spaces, and mostly focusing on the risk side of cybersecurity. So understanding, or helping organizations tackle, what are the biggest gaps, the biggest risks that could perhaps cause problems for them when it comes to things like data breaches. And a couple of years ago, I started my own consulting company called Practical Infosec, which is currently undergoing a name change, because that was something I thought about overnight, almost. As we feel, and what we're focusing on a little bit more now, is helping organizations that are in that purposeful space, so they're doing something good for the people and planet, and trying to make those secure through a couple of different services.

Ryan Purvis 00:51:30
Great. Great. I mean, your switchover to consulting, I mean, was that based on just the opportunity presenting itself, or, you know, you always wanted to be on your own and build your own thing?

Ashley Woodhall 00:51:42
Yeah, good question. There's a bit of a story there. So I had a kind of a bit of an itch for a couple of years. In fact, it all started when I went travelling, I went travelling around South America when I was about 26, I think it was, yeah. And during that trip, I had some time to reflect for the first time in my adult life. And I realized that I had this itch to start something. And cybersecurity was the thing that I knew and loved. So it was just kind of a snowball effect from there, let's say, and consulting was the obvious way to go. But what actually happened was, after I came back from that trip, I took a job. I worked in a security operations center, actually, for a while, for the first time, to see what that side of things looked like.

Ryan Purvis 00:52:27
Yeah.

Ashley Woodhall 00:52:29
It kind of got repetitive for me. I grew tired quite fast. So I said, right, okay, we'll take one more job. And if the next job doesn't work, for any reason at all, I'm going to start my own gig. And that's exactly what I did. So I took the next job, then I ended up working for a big financial firm, working in cyber strategy, didn't quite work out as I planned. So, perfectly, COVID landed, and it was kind of beneficial to me in some ways, in that it gave me that space. I think you had a very similar story, actually. Yeah. So I had the space and the time to figure out what I wanted to do. So consulting, to me, allowed me to do cybersecurity in the way that I think makes the most sense, and helping more of the smaller organizations rather than the corporates. And that way, having a bit more impact and having closer relationships with the leadership teams, and kind of helping give them peace of mind, really, when it comes to IT and security. So that was something I couldn't do, I felt, in a corporate job. So yes, that's why consulting was the path for me.

Ryan Purvis 00:53:34
Pretty similar. I mean, I don't miss, I don't always miss being in corporate, I can't lie, from the corporate stuff. But I think having that flexibility sometimes to go deep on something, or being involved in someone else's stuff, and then exit or come back later, and a lighter touch, is a nice thing to have in this sort of role of being a consultant. I mean, you're not nearly in the weeds every day. And then in the corporate world, you know, you can find different projects and different things to do. I think there's pros and cons. I mean, personally, I think if I didn't have a corporate background, I don't think a lot of stuff that I learned would be as useful, because I've, you know, worked in places where you learn a lot because it's a big, complicated place, which helps in going into smaller places. Whereas if I think I'd stayed outside of it, I would never have learned, you know, I wouldn't be as well skilled as I am now. I think it's probably my unreviewable saying.

Ashley Woodhall 00:54:27
Absolutely. No, I fully agree. I think having that time on the inside allows you to get, if anything, I think, empathy for how large organizations operate, an understanding that it's not quite as you learned at university, let's say. Yeah, that's very true. But it definitely helps. And especially when you've been working in larger organizations, you can see what their mature, whatever it is, looks like, whether it's security, or IT, or HR, or whatever it is. And then you can scale that down when you start working with smaller companies and just focus on those basics and do them well. And that's what I quite like about it as well.

Ryan Purvis 00:55:05
Yeah, you mentioned, there was one of the things that I really appreciated, me working in banks, you automatically had this appreciation, because it's drilled into you that the data is important and protected, it's customers' stuff, you know, everything you do has got to attend to that: what is the risk of doing this? How could, you know, could I bring down the organization, you know, all those sorts of things. And when you go to other organizations, I'll never forget going to another company that wasn't in financial services. And I got handed a laptop, and the drive wasn't encrypted. I was like, excuse me, like, what's going on here? Why is this drive not encrypted? Oh, no, we, you know, we haven't got that, you know, it's not important. I was like, well, it's important, because, you know, I'm going to be having company data on here, and I can get on the laptop, I'm gonna travel, if you'd lost it. And it just couldn't get through to certain people. It was just a frustrating experience. And ironically, at about the same time, the ICO came into play, as an organization for data protection, and the GDPR regulations were put into place. And all of a sudden, people sort of came by that kind of stuff, because it was the tangible fine that was associated with losing data, one way or another.

Ashley Woodhall 00:56:17
Right. Now, that definitely helped. I think GDPR did what it needed to do. I think it did what it was brought in to do. Yeah. Which is interesting, actually, because, in reality, very few firms have been fined when it comes to security, at least. I think it's 10 or 15, maybe a few more now. You have to be negligent, let's say, I think, yeah, to get those fines. But on the compliance side of things, I think it's a bit different, particularly with marketing, and a few other areas. But GDPR definitely helps people realize that there's a reason this is here, and there is something that we need to do to stay on the right side of the law, let's say.

Ryan Purvis 00:57:03
You shared a story on your profile of this CEO that was breached twice, I think, and how he tried to hide it. I can't remember exactly all the details of the story. But you know that that was happening probably a lot more often prior to some of these regulations coming in. And you do see, I mean, I think Facebook or Meta got fined, and British Airways was one, trying to think who else has been fined. But there's been a few definitely noticeable ones in the press for the breaches.

Ashley Woodhall 00:57:34
Yeah. British Airways comes to mind. I think they had one of the biggest fines because of a security breach. Yeah. But the one I shared recently was, no, I'm glad you brought that up, it's a super interesting example. And I think you've got to look at it in a lens of: these types of things don't happen very often. So I wasn't intending to scare anybody by posting about that. But it's such an interesting story that I think it had to be shared. Yeah. And what happened there, in a nutshell, was, we're talking about a firm, I think, in Norway, not relevant. They are a psychotherapy company. So they do online psychotherapy sessions. And they'd become quite successful doing that. I think they did have tens of thousands of patients. At one point, they suffered a data breach. Yeah. Details of that are a little bit unclear. The CEO at the time was also responsible for IT. So everything IT and security related went through him. So he was the only person that knew about this breach. And this breach appeared to disclose the details of patients' therapy notes, personal data, of course, super sensitive stuff, when you think about it. He covered that up. A couple of years later, there was a new breach. And this time, the criminals communicated with the CEO and asked for a ransom. They said, if you don't pay us this much money, it was 100, a few 100,000. I think, I can't remember exactly how much it was, but it was

Ryan Purvis 00:59:09
400,000 for the one, but this one was

Ashley Woodhall 00:59:14
So 400k. And this, I think, this is a company turning over quite a few million at this point. So not outrageous sums, but relatively, depending how you look at it. CEO said no. Cybercriminals said, okay, we need to change our tactics here. Let's go after the patients. So they went after the patients, giving them smaller ransoms in demand for not, basically, putting their information online. And obviously, at that point, the news got out about what had happened. And the board of directors of this company were obviously shocked that this even happened in the first place. The CEO got fired at that point, but the damage had already been done by then. And the company actually went bankrupt not long after that second breach was public. And this is all quite some time ago, I think it was maybe 2018, 2019. And the CEO has just been put in, I don't think he's been put in prison, he's been given a suspended sentence, I think, for the cover-up, basically. So you've got a really interesting combination there of events, where the CEO, perhaps if he'd done the right thing in the first place, the consequences wouldn't have been so severe for everybody involved. There's some other interesting angles about the cybercriminal behind it. He was a wanted hacker. And he actually published, he copied and pasted his desktop by accident online as part of this breach, and that allowed him to be identified, ultimately. So there's a lot of people making lots of mistakes in the story. Yeah. But sadly, lots of vulnerable, sensitive people had their therapy notes published online, which is just the scariest thing I can imagine. I mean, brutal outcome.

Ryan Purvis 01:01:05
Yeah. I mean, if you think about, I mean, you can see this even without it being that sensitive. I mean, you know, the stories of people being fired because of social media that they've posted, you know, things on Facebook or Twitter. I mean, we had to fire someone, because of something they posted on Facebook about the business, and it was just very unpleasant. But they, I mean, they deliberately put it into the public eye. So now you've got stuff that wasn't meant to go into the public domain that's been put out there that could affect somebody's life, you know, down the road. I mean, that's frightening, to be fair. You know, he's lucky, he's lucky to get off with just a suspended sentence. But to be honest, because it's obviously the hubris of the first time and then the second time, as opposed to just taking the knock, or being caught the first time and then just doing the right thing, which is, you know, securing the business and realizing you're out of your depth. Because, I mean, if you're not specializing in this stuff, you're gonna be out of your depth. Because the guys that are attacking are specializing.

Ashley Woodhall 01:02:09
Right, exactly. And it's kind of sad, because when you're a small business, you do have to wear all of the hats, you do have to wear the IT hat, the marketing hat, the HR hat. But there should be a degree to which you take those hats off and you give them to somebody else who's a bit more capable. The reason for one of the breaches, I think it might have been the second one, was a default database password. So the password that was published, sorry, the database was published online, collating all of the personal details and the notes, that was publicly accessible, the credentials, there were some passwords on there, but the password was the default password for that database system. So the hackers had no problem whatsoever getting into that, of course. So when you're talking about those kinds of errors, I mean, they're easily made when you start a company, but if you're then taking revenue of the millions, and you're talking thousands of customer records, then you would have expected that to be a prompt to review security at some point during that journey.

Ryan Purvis 01:03:19
Yeah, I mean, there's standards for them. I mean, there's the ISO 27k. And there's the NIST standards, and you just have to follow it, not say follow, but if you're dealing with data, you should be doing that compliance. I mean, it's a no-brainer, but it's a minimum nowadays. I mean, and a pen test, as part of that, I mean, just have a basic pen test. I mean, you can automate pen tests, and you don't even have to pay fortunes to have someone come and just run the usual scans, and then point out the usual problems. So it is criminal, to an extent, to not do that stuff. So negligent is the right word. It's sad. Yeah, to learn it that way. You'd think there'd be a little more proactiveness. But what can we do, we can only teach others, I guess, or make sure we don't make the same mistake.

Ashley Woodhall 01:04:06
Right, exactly. It does. And this is why these stories, as sad as they are, have to be published, because they're absolutely there to be learned from.

Ryan Purvis 01:04:14
Yeah, yeah, no, for sure. And we were talking before this around the fatigue of some of the things that we have to deal with, multifactor, the multi-factor fatigue. That's a mouthful. I mean, what are your thoughts on that sort of stuff, and how are you coaching around it?

Ashley Woodhall 01:04:32
No, good question. There's a really interesting topic there in itself, I think, about the user experience side when it comes to digital security. MFA fatigue is a big one. We have, on average, we all have around 100 accounts now, they're mostly personal accounts. If you're talking about having MFA, that second factor, set up on every one of those, that's going to slow you down exponentially, it's going to slow you down to the point where you don't want to use the internet anymore. So I think, for me, what I was talking about earlier is when I go into an organization and I help them understand this stuff, it's about the risk-based approach and turning on MFA for the applications that have some critical category around them, so that maybe this database we were just talking about, perhaps, which has all of these customer records, that's the kind of thing you would want to set an MFA token up for. But it's not everything. I think that's the key difference. Moving on to passwords, which is kind of looking at the same problem. We've got a statistic that came out, let me do some research, just at the end of last year, we found a very interesting one. Supposedly, the average amount of time people spend entering passwords, and clicking "I forgot my password", is 11 minutes per week, which is, it's not a huge figure. But when you add that up, that's around 10 hours a year. Yeah, spent saving passwords or spent resetting passwords. And passwords are slowly dying, which is good news. And there are other solutions, thankfully, finally coming to replace them, because they've been around for a long, long time. But that was never a sustainable model either. Particularly when you have websites which have their own level of requirements: uppercase, lowercase, symbols, numbers, 15 long, 20 long.
So the key takeaway from the fatigue side of things and user experience side of things is two things. One, to use single sign-on wherever possible. So the employee signs in once, and they get access to things like the HR system, their training system, they don't have to keep logging in. And for everything else, having a password manager. And that was really, for me, that's been a lifesaver. I mean, it's definitely saved me those 11 minutes every week, having a password manager set up. Well, yeah, whenever I go to Netflix, it's not that I'm working, of course, whenever I go to Netflix, it will just fill it in straight for me without me having to think about it. That is, for me, it's a game changer. And password managers have their own flaws. But I think they save time. And they're efficient. And they're secure if they're set up right. So that's another thing that I would always recommend organizations do.

Ryan Purvis 01:07:33
Yeah, I was a LastPass client and have now moved to Bitwarden. And I have found the usability to be very different, in some odd ways, that one works for stuff, but Bitwarden definitely has been good. And I use the Apple built-in password manager as well, which I find quite good. And you're right, I think that ability to not have to memorize a lot of passwords is important, because people end up using the same ones, or versions of the same one with just additional letters added, or numbers, mostly numbers. I think that's a good thing to be away from. And I haven't looked at, I mean, towards streaming services, I have noticed that a few of them have become quite intelligent, in the sense that, like in Disney, if you're on the same Wi-Fi network, and you're inside the app on your phone, which you've logged into, it'll automatically sign in on the device, you don't have to actually do too much. And then the other ones, I think it was in Prime, you have to enter a four-digit code on your device, and then it'll link up. And I think the other one, which I thought was quite novel as well, was you scan the QR code, and it used that to authenticate you through the app as well. Because, I mean, all my passwords are generated so that they're never short, and to type them in with a TV remote, you know, uppercase, lowercase characters, I'd be honest, I refuse to do it. But I think that's it. That's the sort of non-enterprise place, the sort of commercial one, that everyone's getting used to as the end user. The companies have to do something similar. So your viewpoint around single sign-on: any product you bring into your environment should have an MFA capability and be able to tie into your authentication provider, at least a modern one. There are some that will probably have to catch up. But it does make life easier.

Ashley Woodhall 01:09:30
Absolutely, absolutely. Those two things can save employees a lot of time. There's a couple of interesting things about that. So single sign-on usually comes at additional cost when you're looking at things like SaaS tools. Yeah. So we call this the security poverty line: usually, the cheapest version of the product doesn't have the security built in, which is not helpful in many ways. The good thing about single sign-on is, I'm trying to kind of give this holistic picture a little bit here, but it's perfect for the convenience side of things, of course, because you're just logging into your work system once and you get access to a lot of stuff, great. But this is where maybe the risk comes back in again: if a cybercriminal gets access to your single sign-on, they also get access to everything else, by default. So there's that angle as well to think about, which is maybe when you think about additionally enabling an extra step for various systems that are important. So perhaps that database, for example, to go back to that one. So it's great having single sign-on, but don't apply it broadly to everything. That wouldn't be the recommendation. Think about what systems are more critical and sensitive. And who needs access to them? Not everybody, probably. Yeah, doing it that way.

Ryan Purvis 01:10:56
Yeah. I mean, yeah, I agree with it. You know, it's funny you say that, because we're building this product at the moment, and single sign-on is part of the design. But we haven't put it in the first version, because we couldn't get it to work right away, but it'll come quite quickly afterwards. But my intention always was to move away from a username-password model to, you know, tie in with Microsoft or Google, or one of those guys, who will enforce, you know, not enforce, but they will already have users on there that have already been securely logged into other places. So you already know there's a certain level of validation and verification that's happened. Plus, if someone's logging in to those interfaces, they're typically going to be someone that is really trained on, or comfortable with, the multifactor steps that they have to go through. But one frustration with Microsoft recently, and I actually need to find how to turn this off: I was very happy with the way that the authenticator app worked, where it would pop up a notification for you to approve, that you would try to log into the application you're logging into, and that's all you have to do. Now what they've added is an extra step: we have to input the number that's on the screen. So if the number is 24, you're gonna go find the notification, and then type in 24, and then submit it. Why that's a pain for me is that often, when I'm signing into something, I was literally tapping approval on my watch. But now I get the approval notification, and I have to still go back to my phone, unlock it, to go and fill in the number. And I don't think it's adding that much more validation to the exercise. I just feel like it's a bell and whistle, not a functional improvement. I don't know what do you think about that, but that kind of leads me to the fatigue point.
Myself, I'm going, well, I don't want this anymore. I wanted the simple thing.

Ashley Woodhall 01:12:46
Hmm. That's a really interesting point, isn't it? Because it comes back again to those weighing scales of: you can't have security and convenience at the same time. It's always one or the other, or a balance. Because the interesting thing there is, I think there was some report, it must have been a good year ago now, that I read about the MFA or two-step verification, whatever you want to call that, via an accept or decline notification. And they are fantastic because they're fast. Yeah, the issue that companies found was that, again, it comes back to fatigue, that employees are receiving so many that they just click Accept, without even thinking if it was them. So that's one side of the coin. I think the other one is, again, if it's a cybercriminal logging in, you can't just accept anymore, because then you need to write the code, but there's nowhere to put the code, because it's not your session. Yeah. Yeah. So I think it adds an extra layer, but does it, I think you may be right, is it too much? Is it going to make people turn it off? Because that's the enemy in the end, is when people think, okay, I'm gonna turn that off now because it's a pain in the ass. I can't do it through my watch anymore. I got used to that. And now security is slowing me down. That's when it becomes the enemy. And that's the worst-case scenario, ultimately.

Ryan Purvis 01:14:12
Yeah. And then the reason why it irritates me, to, you know, explore, expand a little bit more, is that I leave my phone downstairs away from me on purpose, so that I don't get lost in my phone. And then I go outside and I'm busy on my iPad with my kids or something, and I need to do something, and I have to navigate to my phone, because it's all set up there. And it's just that it's made more friction. And I've heard stories anecdotally of people that have been, you know, held up, mugged, or whatever. And they've had to open their phone up at the moment, you know, face recognition anyway, and had money transferred out of the banking app, because it's all facial recognition. So there's that type in business, the second factor, the second agent, on your phone anyway, so how secure is it, and then how is it secured, because by that point, it's already lost, you know, so it just doesn't feel like it's really making any difference.

Ashley Woodhall 01:15:08
Now, that first point you made reminded me of something, because I also am trying to use my phone less. And I think many people are trying to use their phones less because, as you know, and as many people know, we're more addicted to them than we ever have been in society. And this has its pros and its cons. So for me, personally, I'm trying to not let my phone distract me when I'm working. So I will put it out of the way and have it on Do Not Disturb mode. But it's still there, it's still reachable for me to type in my code. But if you're trying to really get rid of it, and you're really trying to get it in another room so that it's, on purpose, difficult to go and get the phone, which I think many people are doing now, it's hard to do that now. I mean, I remember when I lost my phone a couple of years ago, and I ended up with this, I still have it and I use it for some things, this tiny little Nokia, almost like a 3310 kind of thing. Oh, yes, yeah. Actually. And I was using that as a work phone. And what started getting annoying was, I think Amazon but a few other companies, when you sign in, they don't send you a code, they send you a link. You just didn't have the ability to browse any website. So I couldn't sign into Amazon for a long time, and some other things. But it's just this kind of assumption that because everybody has a smartphone, companies think they can introduce these changes, despite perhaps the fact that there are going to be some people that are not going to be able to use those services anymore.

Ryan Purvis 01:16:42
Yeah. I mean, it's a real problem, because, you know, if you look at, what was it, it was a banking thing, actually. Someone was talking to me the other day about, I was actually in the bank, and someone was in front of me trying to do something. And I mean, he must have been, you know, in fairness, early 70s. But they were trying to explain to him that he couldn't actually come into the bank anymore for the services, he had to use the app on his phone. And he was trying to explain to them that he didn't care about the app on the phone, he wants to come to the bank, because he likes to come to the bank. And they were like, well, we don't have the staff. There's like this complete disconnect between what the customer expects and the customer wants, to what the business is doing to be efficient and effective, and whatever. And he's like, I've been at this bank 50 years, you're basically telling me that after that, I can't bank with you how, you know, how we started our relationship? It was a long thing, I, you know, I didn't stay for the whole thing. But it made me think, like, I take for granted that I can just transfer money in an app. And you know, my father-in-law still uses cheques. And I keep saying, some cheques are not secure. And he goes, if I send a cheque, someone will phone me to confirm that. And I said, yes. But who says the person phoning you to confirm actually works for the bank? Oh, I didn't think about that. And I said, you know, cheques, as much as I accept they're there, they're a dying thing. And this is the constant problem you have, I think, with any new thing, is you've got to remember the people that are not in the sweet spot of where it's aimed at, you know, because obviously, it's aimed to be where it's going, that's sort of the target market, and there are always the laggards behind that that have to be accounted for as well. And it's tough. And I don't think it's an easy answer. But today will be for one.

Ashley Woodhall 01:18:34
Absolutely. No, I worked in a building society for some time. And what time I spent in that company, obviously, my focus was security. But it was interesting to do that wider scope and understand those relationships between, they called them members, not customers, the members, and why they go to a building society. And building societies, a couple of them aside, they're kind of like banks, but 10 years ago in most cases. So it was all about that exact thing. It was all about that relationship. They would look forward, some of these members, to going to the bank and having a conversation not just with the cashier, but also all the people that are in the back. And I think there was even at some point you could come in and have a cup of tea and a biscuit whilst you're doing your transactions, taking your pension out. And the building society that I worked for were very, they wanted to keep that side of things. And of course, a lot of their members at the time were quite old. Although I think they had quite an old member base at that point, and they were trying to also work out how to attract younger people. But that was super important to them. And I think they kept it. I'm very, very happy if that's the case, I don't know what's happened since I left, but they still open branches. The funny thing about that as well is I live in Spain now, as you know, and in Spain, I could not believe how hard it was to access a bank. So not only do you have to do most things online, but the problem gets worse if you want to visit a bank or visit a branch, and this applies to all of the banks in Spain, well, certainly in Barcelona, where I'm living. Yeah, you have to go between the hours of, I think it may be nine, it's certainly from nine to 11am. So you have a two or three hour window. Sure.
If you want to go in and close your bank account or make a payment or do anything that requires the cashier's desk. Yeah. Which is, a, it's a three-hour window, and, b, most people are working in that window. Yeah, if you go past 11, you can't do it. You can hardly do anything inside of a branch. They say, oh, sorry, we closed our cash desk. And then the bank anyway closes at like three. So it's very difficult to get anything done in Spain when it comes to the old-fashioned way of doing banking.

Ryan Purvis 01:21:00
That's crazy. I mean, yeah, that's the thing: the friction becomes so high, and then the only choice is to use the apps or online services, which I guess for most people is just fine. But again, it comes back to security. I'm on the phone trying to do some stuff at the moment, and my wife needs to be involved. So now it's a case of, I'll talk to somebody, and they say, well, we need to talk to your wife. She's not here with me. I'll carry on until you ask me to. So now I've got to bring her into the phone conversation somehow, either dial her in or, if I'm away from home, phone back. And all they want to hear is a woman's voice. And they even ask, like, really, you know, trying questions. But who's to say that's not the cleaner or my neighbour talking, who's just pretended to be your wife for five seconds?

Ashley Woodhall 01:21:53
That's the next wave. I'm sure you've come across, at some point, some of the advancements in deepfakes and how easy it is soon going to be to replicate someone's voice. Not just somebody who's famous and on TV a lot, but any person that has some content out there that you can use to base your deepfake on. Well, that's happened already. And it's definitely going to be happening a lot more.

Ryan Purvis 01:22:23
Yeah. I mean, I was reading a series of books, and they had deepfakes in their home, almost. There are about nine or 10 books in the series, and it's really worth reading, and the stuff they're doing, I think, is completely possible. Not only the sort of situation where, let's use that example today, a deepfake of Putin and Donald Trump having coffee in New York City right now, completely not going to happen, but they can fake it to the level that it looks real. There was another thing I saw of a bomb going off in a US city. They were saying, oh, this is a deepfake, but you couldn't tell the difference. It looked like a real explosion. I mean, we see everything on TV all the time, movies and films, and the news doesn't look that different anymore, which is a problem. And then, as you say, creating someone's voice. There was a woman that had a model of herself created, and she was basically selling it for $1 a minute, this AI model of her, to go and interact with people. She made like 70 grand in a day or something. And I think there was something along the lines of it going from being a normal interaction to being a completely brutal, like, conversation within an hour of being used. But that created entity looked just like her, talked just like her, but it was completely synthetic; it wasn't a real person, it was the silicon person, not the carbon person. It's frightening. But I don't think you can put the genie back in the bottle, so I think there's other stuff that needs to happen: regulation, whatever it is.

Ashley Woodhall 01:24:17
Absolutely. It's a special industry because it moves so fast. I mean, I can't keep up with it many times. I hear about things that are happening, technology advancements, features; I hear them through other people. I can't always keep up with this stuff. But the deepfakes especially, the voices, I think it's definitely already happened now. And your story is a nice one, because people were able to access that and use it in their own way. An interesting story I heard was a guy who found some AI software to generate deepfake voices, and he used his own voice as the model. And the way he used that was to try and defeat an online banking security question process, so that he could change his address or do something that required getting through the security check. He trained his voice and answered the questions with a human agent on the phone, using a deepfake voice, which was interesting. So that's a real-life application of something that we were talking about, right? This is the banking and the security side, and how technology can be used now to bypass that.

Ryan Purvis 01:25:30
Yeah, I mean, you've given me a great idea. So the biggest difference that we notice, coming back to the UK from South Africa, is if you need to speak to a doctor. In South Africa, you phone your GP, pretty much get an appointment within an hour, and you're being treated. In the UK, you could be on the phone for an hour and still not get through to anybody, and then, if you do get through, you might get a phone call that day, but you're not being seen by anybody, and your treatment could take basically 10 days. Whereas in SA, it can be that you have your treatment in two hours. Now, I'm just thinking, while you're talking about that, of having an AutoGPT sort of thing that sits on the phone: you've given it the symptoms of your problem, it waits for the answer, and you've now deepfaked the voice so that they think it's you, and the AI can have the conversation with the doctor, to an extent, to book the appointment, the follow-up, whatever it is, and you don't have to wait it out. That's where I find the GP service to be very archaic; it's very backwards. But the amount of times that that is useful, like, you're going to go buy a car. So you tell the AI what car you want to buy, it goes and does all the searching, it does all the phone calls, talks to all the dealers, books it all, it's got access to your diary, it knows what your insurance history is like, it knows what your income is. And it can ask all those questions, because it's like, we have to pay for a car now.
And it's all blocked out; you've got to budget like two hours to go do this, because it's not just driving there and driving back. It's driving there, then you've got to talk to the person, who's going to ask all the same questions, you're going to answer all the same questions, then they're going to make small talk while they get the car ready, then you're going to drive the car, then you're going to get back, and they're going to pump you for more information. And by the time you're done with that, you don't want to do the next call, because you're exhausted from all that stuff, to go to the next guy who does the same thing. But you could just short-circuit the whole thing by pre-empting all those questions with all the answers, and just going to drive the car. So yeah, I mean, a deepfake for that would actually be very helpful, for the most part.

Ashley Woodhall 01:27:41
I think it's coming along, isn't it? I think there's now a ChatGPT assistant, which is pretty much this; it's connected. I'm not sure if ChatGPT was one of the AI components that is doing this now, but ChatGPT becomes your assistant: you give it all the information about you, you connect it to your diary, you connect it to your bank account, you connect it to Amazon, and it just does everything that you ask it to do, with all the access it needs. Without, as you say, having to wait those two hours on the phone or having to go into a branch. That certainly is the next level. I think there are some useful applications already that I can think of, but we're already there, essentially. We're very close to being there, and it's still just the beginning.

Ryan Purvis 01:28:31
I don't know if you remember the whole smart fridges thing I think Samsung was trying to do years ago. And I mean, we find that again, being back here versus South Africa. In South Africa it's very difficult to get... you can do it, you can get online shopping and you can have your local grocery supermarket deliver your food and all that kind of stuff, but typically you go and do it yourself and then come home, and then you're wasting time doing it. Here it's the opposite problem. You mostly do online shopping for everything, but getting the slots to get your local supermarket to deliver is painful. It's never the same time. It's always a matter of shopping at four different companies to get your food, because of whatever's available stock-wise. And the way these guys protect it is they don't actually let their inventory or their slots be accessible publicly. So there are no APIs you can go and call to create your own thing. In fact, this is how Ocado started. They actually wanted to do that: they wanted to be the supermarket aggregator, so that you could just provide your list to them and they would go get the food for you and deliver it. Because no one would do it with them, they became a default supermarket, and then they partnered with Waitrose, and now with M&S. But you know the premise: you could basically train an AI to go log into all your accounts, whether it's Tesco, Waitrose, etc., and it can go and figure out the slots that are the most suitable for your cadence of buying things, you stay on a grocery list, and it just orders the same things every week for you. Because we don't typically order that much that's different, unless something's happening, like we're inviting people over or something. But it's pretty much the case that we eat the same things every week.
And it's frustrating to the point that, because we eat the same thing every week, we shouldn't have the problem of trying to find a slot, we shouldn't have the problem of having to reorder. It should be automated, you know, for the best products, because you'd want some level of intelligence to say, okay, for cleaning goods Tesco is better than buying at Waitrose, but for quality of food Waitrose is probably better, or M&S is better, or whatever. I mean, I'm not saying either/or at this stage, but I just think that that kind of noise work is perfect for an AI. And I'm surprised Amazon hasn't solved this problem yet, because I'm sure they will, because they've got the delivery network.

Ashley Woodhall 01:30:54
Matter of time, probably. Just a matter of...

Ryan Purvis 01:30:57
Probably, good. As we close on time, do you want people to get involved? And if so, what's the best place to get in contact?

Ashley Woodhall 01:31:05
Sure. I'm mostly active on LinkedIn, so you can find me, Ashley Woodhall, on LinkedIn. In terms of the website, it is changing soon, but for the next couple of months, probably, it's going to remain practical-infosec.com, where there's a list of some of the things we're working on, some of the services that we're launching, that we're just about to launch. And this is the first kind of public reference of it: a security subscription service, which does away with the classic consulting model of going in to do an audit or a gap assessment of an organisation and giving them a huge, long, complicated, boring report, which they're probably never going to do anything with. Because that's what we've been doing for the last few years. The subscription model replaces that and makes it a bit of a Netflix approach of bite-size improvements delivered every month. The subscription can be cancelled, can be paused, can be turned up and turned down, so you move as fast as you want to move and improve as fast as you want to improve. That is the latest and greatest thing happening for us, but it's not yet on the website. LinkedIn is probably the best way to keep up to date.

Ryan Purvis 01:31:08
Super, we'll put that in the show notes. Great. Thanks for coming on to the podcast. It's been great to chat.

Ashley Woodhall 01:32:35
Thank you very much, it's been a pleasure.

Ryan Purvis 01:32:38
Thanks, Ashley. Thank you for listening to today's episode. Heather Bickness is our producer and editor. Thank you, Heather, for your hard work on this episode. Please subscribe to the series and rate us on iTunes or the Google Play Store. Follow us on Twitter at the DWW podcast. The show notes and transcripts will be available on the website www.digitalworkspace.works. Please also visit our website www.digitalworkspace.works and subscribe to our newsletter. And lastly, if you found this episode useful, please share it with your friends or colleagues.

Transcribed by https://otter.ai

Ashley Woodhall

Cyber-securing purposeful organisations

I try to make a difference. I love using my skills and experience to secure purposeful organisations who are doing good things for people and the planet.

When you boil it down, cyber security is an investment: data breaches cost money. To help organisations in more ways than financial, I support and protect those which are purposeful, enabling them to remain resilient to cyber risks and realise their goals.

If you don't know where to start with your organisation's cyber security journey, take 5 minutes to complete our security quiz. It's free, contains 0% technical jargon and gives you an immediate security score and improvement areas.
Click "discover your score" on our website: https://practical-infosec.com

Work aside, I love writing, mentoring and helping others get into or excel in cyber security. There is nothing more rewarding than helping others grow, or supporting them through challenges.

At weekends you can find me playing coffee barista at home, watching Liverpool FC (not) win the league or getting my ass kicked at chess.