Graham finds himself in hot water with a security firm after a data breach, Carole discusses credit card fraud, and we have a pleasant surprise for Thom Langford, who appears to have mostly agreed to be a guest to promote his own podcast.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.
And don't miss our featured interview with Robbie O'Brien of MetaCompliance, all about the new book he's written - Cyber Security Awareness for Dummies.
Visit https://www.smashingsecurity.com/182 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Robert O'Brien and Thom Langford.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps. But LastPass isn't just for enterprises; it's an equally great solution for business teams, families and single users. Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- MetaCompliance: Create a more security-conscious workforce with MetaCompliance's Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware
Links:
- Security firm leaves more than five billion records exposed on unsecured database — Graham Cluley.
- "Following a legal threat from ███████ ████ I have removed their name from this article on my site..." — Graham Cluley on Twitter.
- Keepnet Labs confirms contractor exposed 'data breach database' of 5 billion records — Verdict.
- Public Statement in Relation to Data Briefly Exposed on an ElasticSearch Database — Keepnet Labs.
- After threatening me with legal action, Keepnet Labs finally issues statement over data breach — Graham Cluley.
- Goodbye Naked Security? — Graham Cluley.
- US Military Could Lose Space Force Trademark to Netflix Series — CBR.
- Space Force review: astonishingly bad show — The Verge.
- The number of credit card scams continues to soar during the pandemic — Verdict.
- Pandemic Brings Huge Increases In Card Fraud And Mobile Banking — Forbes.
- Credit Card Fraud During the Pandemic — Consumer Reports.
- Credit Card Fraud — Advice from the FBI.
- How to Reduce Credit Card Fraud — The New York Times.
- Ian's Shoelace Site – Introduction
- Magnet – Window manager for Mac.
- The Host Unknown Podcast.
- DEVS — BBC iPlayer.
- Cyber Security Awareness for Dummies — A free book for listeners from MetaCompliance.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. I'll probably bleep out actually, but the name is— Keep Labs. Yes, that's—
CAROLE THERIAULT. Keep Labs.
GRAHAM CLULEY. Yes. You're just going to keep me busy with the bleeper, aren't you? Is that what's going to happen?
CAROLE THERIAULT. The entire fucking episode.
UNKNOWN. So how do you spell Keep Labs? Smashing Security, episode 182. Space Force, credit card fraud, and beep beep beep with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 182. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week, Carole, we are joined on the show by, well, someone who's a fellow podcaster. He's been on the show before, but since then his podcast has been relaunched. It's Host Unknown's sole founder, Thom Langford. Hello, Thom.
THOM LANGFORD. Hello, hello.
CAROLE THERIAULT. Welcome back to the show, Thom.
THOM LANGFORD. Thank you very much. Thank you very much. I listened a couple of weeks ago and you said something about having guests on who are less security-minded and, you know, don't have any expertise in security. And lo and behold, here I am.
CAROLE THERIAULT. Well, actually, Thom, that's not the reason we invited you on.
THOM LANGFORD. Oh, really?
GRAHAM CLULEY. No, no.
CAROLE THERIAULT. Graham, I'm gonna hand over to you because you uncovered this little thing, didn't you?
GRAHAM CLULEY. Well, yes, I did. You see, since Thom has relaunched his Host Unknown podcast about, I don't know, probably a couple of months ago, I've been listening in each week, and there've been a fair few mentions of Carole and myself on the podcast. Although you seem to refer to it as Graham's podcast.
THOM LANGFORD. Oh, only once or twice.
GRAHAM CLULEY. Wow. And it's always Javad who jumps to Carole's defence.
CAROLE THERIAULT. Oh, Javad.
THOM LANGFORD. It is Javad, yeah.
GRAHAM CLULEY. But more than that, I hear you're really desperate for sponsors. And we—
CAROLE THERIAULT. Whoa, whoa, you're not donating one, are you, Graham?
GRAHAM CLULEY. Well—
THOM LANGFORD. Are you giving us one of your sponsors? Can we pick?
GRAHAM CLULEY. Well, specifically on your sponsor page, you say Smashing Security has enough sponsors. And so give your money to us instead.
CAROLE THERIAULT. Yeah, I'm a master negotiator. I believe in win-win.
THOM LANGFORD. Yes.
CAROLE THERIAULT. So if, uh, Smashing Security sponsors an episode, will you take that shit off your site and start saying something nice instead?
THOM LANGFORD. I will personally delete that before this recording is over if you're going to sponsor a show.
CAROLE THERIAULT. Graham, what do you reckon?
GRAHAM CLULEY. Yeah, right, right. We are going to record an ad for Smashing Security on the Host Unknown podcast.
THOM LANGFORD. Done.
CAROLE THERIAULT. There you go, Thom Langford.
THOM LANGFORD. Awesome.
CAROLE THERIAULT. Okay, let's get this show on the road.
THOM LANGFORD. All right, can I go now?
CAROLE THERIAULT. Hey, you sit right there and buckle in.
GRAHAM CLULEY. What's coming up this week?
CAROLE THERIAULT. First, let's thank this week's sponsors that sponsor Smashing Security: MetaCompliance and LastPass. Their support helps us give you this show for free. Now stay tuned at the end of the show for a special feature interview with Robert O'Brien of MetaCompliance. Not only does he share some great info on onboarding staff into better cyber awareness, but he has quite the dreamy voice. He does, let me tell you.
ROBERT O'BRIEN. Hello.
CAROLE THERIAULT. Now on today's show, Graham tells us what happened when a security firm suffers a security breach. Thom talks about the importance of brand reputation in our new world. And I'm looking into how we can make it harder for credit card hackers to dupe us. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, I want to talk to you about something which has sort of affected me personally in the time since we last recorded a podcast. I want you to picture this. I want you to imagine this scenario. Imagine that you personally suffered a security breach. Okay? You leaked data in some way. What would you do?
CAROLE THERIAULT. That one time I almost replied all an email that would have got me fired, I ripped the cable out of my computer. So this is before Wi-Fi. This is when I still had a manual leap over the desk and almost ripped the machine off the desk.
GRAHAM CLULEY. You thought you'd be faster than the electrons, basically.
CAROLE THERIAULT. Well, do you know what? I think I made it.
GRAHAM CLULEY. Yeah.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. I was lucky.
GRAHAM CLULEY. The advantage of having a 286 processor, I guess. Thom, what about you? If you suffered a security breach?
THOM LANGFORD. So there's two words spring to mind, honesty and transparency.
GRAHAM CLULEY. Oh.
THOM LANGFORD. And having done something similar myself, which affected 15,000 people in a company, all getting notifications of my meeting requests for a day, I decided the best bet was to basically email everybody and say, "Sorry, this is what I did. Make sure you don't do it." Oh, good.
CAROLE THERIAULT. Just adding to the spam. Excellent.
GRAHAM CLULEY. Let's take it one stage further. Imagine you're a security firm. Oh, the pain that must be involved in that. If you suffered some kind of security breach, what would you do then? What's your recommendation? Thom, I guess it's still transparency and honesty.
THOM LANGFORD. Honesty. Absolutely.
CAROLE THERIAULT. Yeah, I think I would maintain that as well.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Come clean real quick.
GRAHAM CLULEY. Let's go even crazier. Imagine you are a popular, and handsome award-winning security blogger. I'm not talking about Thom, who did win a security blogging award.
THOM LANGFORD. Damn, I thought you were going to talk about me last week.
GRAHAM CLULEY. No, and I said handsome and popular. And imagine you heard that this security firm had a security breach. What would you do if you're a blogger? You're going to write about it, right?
THOM LANGFORD. Well, it's interesting public knowledge, right? It's in the public domain.
GRAHAM CLULEY. You'd think, well, this will be an interesting story to write about. Now here's the final little leaf of the—
CAROLE THERIAULT. So who's the handsome guy again?
THOM LANGFORD. Apparently not me.
GRAHAM CLULEY. Hypothetical one.
THOM LANGFORD. Okay.
GRAHAM CLULEY. Now imagine you are the security firm that realizes a security blogger has written about your security firm that had the security breach. What would you do? I hope you wouldn't send in the lawyers.
CAROLE THERIAULT. Okay, can I ask some questions? Yes, um, did the security blogger say anything that was untrue?
GRAHAM CLULEY. I don't think he did.
CAROLE THERIAULT. Did the security blogger put the knife in and twist it ridiculously hard?
GRAHAM CLULEY. I think I was most—
CAROLE THERIAULT. Oh, you're the handsome guy? Oh my God.
GRAHAM CLULEY. Yeah, sorry.
CAROLE THERIAULT. Geez.
GRAHAM CLULEY. I think I was balanced and reasonable in my blog post.
THOM LANGFORD. Did you ask them for comment? Oh.
GRAHAM CLULEY. I did ask them for comment, yes. I asked them if they would like to comment on the breach. So what happened was this. I wrote about this UK security vendor who I'll probably bleep out, actually. I'll probably redact them from the podcast, but the name is Keeplabs. I wrote about them.
THOM LANGFORD. Keeplabs?
GRAHAM CLULEY. Yes, that's—
CAROLE THERIAULT. Keeplabs?
GRAHAM CLULEY. Yes. You're just gonna keep me busy with the bleeper, aren't you? Is that what's gonna happen? The entire fucking episode?
CAROLE THERIAULT. So how do you spell Keeplabs?
GRAHAM CLULEY. It's spelled K-E-E-P, right? And then N-I-T. Nit.
THOM LANGFORD. And then beep, beep, beep.
GRAHAM CLULEY. Okay, so I wrote about this incident. In fact, it wasn't me who originally discovered it. Bob Diachenko, who's an extraordinary security researcher, he's always uncovering massive databases that have been left exposed online, unprotected with even the simplest password. He came across a database containing more than 5 billion, with a B-B-B-B, records.
CAROLE THERIAULT. Jesus.
GRAHAM CLULEY. Which had actually been derived from past security breaches. So what happened is this security firm—
CAROLE THERIAULT. Was he just looking at Troy Hunt's collection?
GRAHAM CLULEY. No, it wasn't Troy Hunt.
CAROLE THERIAULT. Yeah, his personal email collection.
GRAHAM CLULEY. It wasn't Troy Hunt's database. Let's not, let's not start another legal fight. Okay. He's much taller than all of us. No, no, but it's similar kind of operation. I imagine they were collecting data about past data breaches, but they then accidentally exposed it in some fashion. Right. So I wrote about them and I named the company. And what I noticed over time was that that company's name, which had been reported in other places on the internet, began to disappear mysteriously. Suddenly no one was naming the company. And then I received an email from this company saying, "Ah, hello. Can you please update your article to remove our name from it because it's inaccurate and it's bad for our image?" You know, Graham, this is not the only time this happened last week. Oh, really?
CAROLE THERIAULT. With you.
GRAHAM CLULEY. What else happened?
THOM LANGFORD. What have I done?
GRAHAM CLULEY. Who else have you pissed off, Graham?
CAROLE THERIAULT. Do you remember the other email you received suggesting that you change your blog article to reflect a different company point of view than the one that was factual?
GRAHAM CLULEY. You're talking about Sophos's PR agency who wanted me to change my article about the Naked Security blog being decimated.
THOM LANGFORD. Oh, really?
GRAHAM CLULEY. And their staff being made redundant. Yes.
THOM LANGFORD. Your old employer was going to sue you?
GRAHAM CLULEY. Well, no, no, no, nothing like that. I received a very friendly email from Sophos's PR agency saying that Naked Security would continue to operate, and they were unable to answer any questions I might have regarding the editor and the writers being made redundant.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So interesting. Yes. So that was something else we had last week. But, you know, good luck to them. And let's hope that all gets resolved.
CAROLE THERIAULT. Just saying you had a busy week.
GRAHAM CLULEY. That's all I'm saying. I had a busy week anyway. So these guys wanted their name removed. And so I said to them, oh, can you tell me what's wrong about my article? Because I would love to fix it. I don't want to have inaccurate information up there. And they said, well, none of our customers were involved in the data breach. And so I said, well, I didn't say any of your customers were involved in the data breach, so I haven't got any words to fix about that. And they said, well, it wasn't really a breach because this was data which had already been breached. And I said, well, I think that's still a security breach because people can find it that didn't have access to it before. Yeah, you facilitated potentially— who knows if it actually happened or not, but potentially other people may have been able to access that data because you handled it carelessly in some fashion.
CAROLE THERIAULT. Fair, fair point.
GRAHAM CLULEY. This carried on for a couple of months, and I wasn't talking about this publicly, but they did say, we are going to have to engage our lawyers to deal with this now. And I said, well, that's fine, but you know, if you've got something to say, please let me know and I will put it up on the thing. Or if you've got any refutation or any statements you'd like to officially make, I will post it up on my article so that you can have your position. And they didn't want to do that. They didn't want to give me any statements whatsoever. But what they did do is they said, oh, and by the way, maybe you'd like to work with us on some business opportunities in future.
CAROLE THERIAULT. So what, like bribe you?
GRAHAM CLULEY. Well, you might say that, Carole Theriault.
CAROLE THERIAULT. So they say basically, hey, work with us, but we'll only think about doing that if you just do a little tweaky tweak tweak on that blog article. Thanks so much.
GRAHAM CLULEY. So I said, thank you very much. That's interesting, but let's have that as an entirely separate conversation from the conversation about your blog post. Let's resolve that first. Before we discuss any other sort of business. Next thing I knew, I got a letter from their lawyers telling me to take down their name and redact it and saying it was bad for their company and all the rest of it. Now, I believe I haven't said anything inaccurate in that blog post, right? And I've given them a chance to have their say as well. But what I didn't want was I didn't want to get bogged down in lots of legal arguments and letters where only the lawyers are going to get rich. And this could go on for months and months and months. And who frankly gives a damn about it.
THOM LANGFORD. Yeah.
GRAHAM CLULEY. So when I got this letter from their lawyers, I thought, you know what, I'm just going to take their name down. And in fact, what I did was I redacted their name, so I replaced it with black blobs.
THOM LANGFORD. Mm-hmm.
GRAHAM CLULEY. And I thought, having done that, best thing I can do is probably just add a little explanation at the bottom of the article.
CAROLE THERIAULT. Okay, so you backed down, but you couldn't do it without, um, taking a dump.
GRAHAM CLULEY. Well, people—
CAROLE THERIAULT. Yeah, people need to know. People need to know. No, I agree. Well, no, I agree with your stand. Don't get me wrong. I, you know, why should they win if you've done nothing wrong?
GRAHAM CLULEY. Well, what I did was I tweeted and I said, following a legal threat from beep beep, and I redacted the name, I've removed their name from this article on my site. And I said, you know, I apologize to readers, but, you know, I can't afford to get into a legal fight. Now, that did have an unforeseen consequence which I couldn't possibly have imagined would happen. There were people on Twitter who were able to determine what the company's name was.
CAROLE THERIAULT. Wayback Machine.
GRAHAM CLULEY. So it appears, Kroll.
CAROLE THERIAULT. Wayback Machine.
THOM LANGFORD. I tweeted something similar about Streisand effect and Wayback Machine.
GRAHAM CLULEY. Yes. There you go. So there were quite a lot of people who sort of responded to it. In fact, apparently over 100,000 people saw the tweet and it was— there were lots and lots of comments on it. I haven't commented on my tweet or anyone else's comments regarding it or liked—
CAROLE THERIAULT. Oh, that's very mature of you.
GRAHAM CLULEY. Well, I thought so too. Well, I just didn't want to— I didn't want to—
CAROLE THERIAULT. You poked the bear enough already.
GRAHAM CLULEY. I didn't want to—
CAROLE THERIAULT. I mean, you know, you don't want to put a bear trap out.
GRAHAM CLULEY. I didn't want to pour any— the thing is, Carole, I'm not the only person who was possibly intimidated by this company to reveal their name.
CAROLE THERIAULT. Are you intimidated?
GRAHAM CLULEY. There was an attempt at intimidation, I think, the legal threat. I do know that Javad Malik of the Host Unknown podcast, because he spoke about it on his latest episode, folded like a pack of cards. He was contacted. He hadn't written about it.
THOM LANGFORD. No, that's the best part of it.
GRAHAM CLULEY. You explain what happened, Thom.
THOM LANGFORD. So quick summary, Javad has been asked for a quote about this breach for an article by another writer. He supplied some quotes. He actually used the term breach because let's face it, nowadays it's kind of a generic term, really, a bit of a catch-all for anything that's been lost or not secured or whatever. He mentioned that, and this particular company in question reached out to him and said, take your comments down. To which, you know, Javad said, I can't, it's not my article. I suggest you contact the, the, um, yeah, the publisher, the owner of the article. And he also said, you know, as a courtesy, I have contacted them to, to ask them to, to review it, but I can't do anything. And then they basically then came back threatening legal action, at which point he said, speak to my lawyers, and left it at that.
GRAHAM CLULEY. But the difference is, Javad has lawyers, whereas I don't.
THOM LANGFORD. Yes, exactly. That's the joy of being employed by a company.
CAROLE THERIAULT. The only legal thing I can even think of, and I'm no lawyer, is just the breach. What does a breach mean? You know, how is it defined by the Computer Misuse Act? And how is it used? That's the only—
GRAHAM CLULEY. There has been a breach of security.
CAROLE THERIAULT. A breach of trust.
GRAHAM CLULEY. Oh, careful, Carole, what you say. Who knows what you might get in the post?
THOM LANGFORD. It's like saying, well, it's not a breach because it's already been lost. It's ridiculous. It's like sending somebody an email to get it to the top of their inbox. What it is, is putting it out there again in another easy-to-find format on the plain, regular internet. So that even more people can get access to it.
CAROLE THERIAULT. But what they should have done instead was, as soon as they were aware of it, they should have contacted the appropriate authorities, contacted anyone affected, and put it up on their website that this happened, this is how they're handling it, and if they have any questions, please see this FAQ. Done.
GRAHAM CLULEY. So it's only after one week of Twitter outrage and people sort of going after them with pitchforks. And to be honest, some people, I feel, have gone a little bit too far on Twitter.
THOM LANGFORD. No, really? That's not like Twitter at all.
CAROLE THERIAULT. On Twitter? Holy God, I didn't realise this was this big.
GRAHAM CLULEY. So the security firm, Smashing Security, beepity beep, they have now today, hot off the press, just before we recorded this podcast, they have now published a statement about the exposure on their website where they try and explain what happened and try and excuse what happened.
CAROLE THERIAULT. Let me guess, they don't use the word breach anywhere.
GRAHAM CLULEY. I'm not going to get into the nitty-gritty of the accuracy of their statement.
THOM LANGFORD. But are you named in there?
GRAHAM CLULEY. No, I'm not.
CAROLE THERIAULT. Well, a special thanks to Graham.
THOM LANGFORD. But the thing is, here's the thing about the security industry. It was an Elasticsearch database, I believe, which ships and installs with everything security-wise switched off, as I understand it. And we get it as security professionals. We get it. You know, switching security on is difficult because it limits functionality. It can slow things down in some cases. You know, it's difficult. But if you are a security company, you need to have your shit together. You've got to, you know, you've got to have these processes in place that make sure that anything that faces the internet or anything that contains personal or confidential information needs to go through a hardening script of some kind, be it automatic or manual. And if it doesn't work for some reason and you get found out, then tell us why it didn't work and what you should have done so that we can all learn from it.
GRAHAM CLULEY. So I think your advice is absolutely right, Thom, Carole. I think transparency, honesty, prompt response to these kind of incidents means that, you know, when something bad happens, it doesn't have to be as big a deal as you can make it by responding badly.
CAROLE THERIAULT. So deep, Graham.
GRAHAM CLULEY. Yeah, well, fuck off deep. What's their name? Fuck off keeping it loose. And their lawyers.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I'll keep an eye on the letterbox.
THOM LANGFORD. That's right. And your bank account.
GRAHAM CLULEY. Thom, what have you got for us this week?
THOM LANGFORD. What have I got? So there was a lovely tweet that I saw the other day about brand reputation and how important it is to control your brand. And we know this because, you know, many of us in security roles have experienced this when other companies register domain names that are either very close to your company name or they are the same but with a different, you know, .com or .co.uk at the end and start impersonating you. And this is a big deal. And as a result, there's a whole sort of almost a sub-industry of, you know, brand management. And when you register a domain, it will— you can automatically get similar domain names registered. There are services that search out to see if there are domain names that are registered with, you know, Cyrillic alphabet characters, but still looking like your domain, et cetera.
GRAHAM CLULEY. I think we've actually had this ourselves. I think we had a listener who bought the domain Smashing Security without a G.com to redirect to us, which was very generous of them.
THOM LANGFORD. Oh, that was very decent.
GRAHAM CLULEY. Yeah, very decent listeners. That's why we love them.
THOM LANGFORD. We should have done that and redirected it to Host Unknown.
CAROLE THERIAULT. But, uh, okay. See, you just screwed up again, Thom.
THOM LANGFORD. Yeah, well, if you'd listen to the podcast, you'd know that that's regularly what we do. But talking about someone else who screwed up is the US, believe it or not. So the US a couple of years ago, or Mr. Trump, announced Space Force, the fifth wing of the US military.
CAROLE THERIAULT. You can totally see that he came up with that name too, right? You can totally tell.
THOM LANGFORD. Oh my God, yeah. He's just sitting in the background, "Oh, I want to get the laser guns." I don't know, but bottom line is he watched Moonraker, James Bond's Moonraker, and decided that's for him. So they've yet to get involved in any kind of serious operations. They've yet to launch anything. They've kind of just been bubbling under. They're probably still deciding what sort of camouflage they should have on their uniforms.
GRAHAM CLULEY. I think they did actually design a logo, didn't they?
THOM LANGFORD. They did.
GRAHAM CLULEY. Looks very much like the Star Trek Enterprise logo, the Federation of Planets or whatever they're called. Yeah, exactly. Or Blake's 7.
THOM LANGFORD. Blake's 7, now that would have been good.
GRAHAM CLULEY. So what's going on with Space Force?
THOM LANGFORD. So also, you may have noticed recently on Netflix, there's a new series called Space Force, which is a little spoof on that. And it stars Steve Carell and John Malkovich. Very funny.
GRAHAM CLULEY. Oh, cool.
THOM LANGFORD. Very funny. I've just watched the first season. It's very good. Very lighthearted. Lots of fun. The problem is Netflix have trademarked Space Force.
CAROLE THERIAULT. Well, of course they did. But let me guess, let me guess, the government didn't.
THOM LANGFORD. Didn't, that's right. That's right. So maybe we're going to see rockets launched with Netflix on the side of it in order to pay them back for use of their trademark. But it just strikes me that it doesn't matter how big your organisation is or how well-funded it is. And let's face it, the US government has got to be kind of up there, size, complexity, and amount of characters.
CAROLE THERIAULT. They could just change the name though, right? Why wouldn't they just change it to something like Space Fork or—
THOM LANGFORD. Or Space Farse.
CAROLE THERIAULT. Space Farse, exactly.
THOM LANGFORD. Yeah, which is roughly the zone around Trump's head at the moment. But yeah, I just find it amazing that such basics like this, it's a bit like when you hear that somebody forgot to renew their certificates for their domains and stuff like that. I find it just stunning that such basic stuff is not being done. I would imagine US Army is probably trademarked or copyrighted or something.
CAROLE THERIAULT. When you brought up this topic, I of course went and searched for Space Force, right?
THOM LANGFORD. Oh yeah, found Netflix.
CAROLE THERIAULT. Well, yeah, Netflix came in first. And then there's a few IMDb sites, stuff like that. And then there's a review from The Verge saying the title is Astonishingly Bad Show. Really? Yes. Which I'm— because I'm looking at—
THOM LANGFORD. Are they talking about the presidency?
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Before we start, can I just ask, credit cards, do you guys have a strong relationship with them? Do you have many or just one?
GRAHAM CLULEY. I have a debit card. I don't tend to use a credit card unless it's for— very painful purchases.
THOM LANGFORD. Really?
CAROLE THERIAULT. Even when you shop online?
GRAHAM CLULEY. Well, that's what I'm saying, when it's a painful purchase. In fact, I have someone else in my household who does most of the shopping, so I think they may have a credit card, but I don't.
THOM LANGFORD. Damn me.
CAROLE THERIAULT. You should use a credit card when you shop online.
GRAHAM CLULEY. Well, yes, I know, to get the whatsits. Yes, to get the protection. No, not for that. No, for the protection only.
THOM LANGFORD. The toilet rolls.
CAROLE THERIAULT. No, it's because the creditors and you share responsibilities. So if you buy something stupid or you don't get it. Yes, protection. I'm trying to explain it to the listeners too, Graham. It's a radio show, right? So it's not just about your knowledge. Sometimes you have to pretend you don't know stuff to make it fun.
THOM LANGFORD. Okay.
GRAHAM CLULEY. So what would be the benefit of me shopping with a credit card?
CAROLE THERIAULT. Oh, very good question, Graham.
THOM LANGFORD. It's like poetry in the making.
CAROLE THERIAULT. The reason is that if you buy with a debit card, you are 100% responsible for that loss if you don't get the item you've purchased. But with a creditor, you share responsibility and you can say— you can sometimes claw money back from your creditor if you can prove it wasn't your fault. So always purchase a credit card.
GRAHAM CLULEY. Very cool. Very good advice.
CAROLE THERIAULT. Now listen, straight up, credit cards, not a very funny conversation topic to cover, right? Like just seriously, I was thinking—
GRAHAM CLULEY. I'm sure you can sort that out.
CAROLE THERIAULT. Well, you know, I decided I would, and this is how I've decided to do it. I have peppered my story with a few jokes, which I got off the internet while looking for credit card jokes. Okay? And that is how we're gonna keep this light.
GRAHAM CLULEY. Will you signpost them in some fashion?
CAROLE THERIAULT. Yeah, yeah, we're gonna start with a joke.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So what do Trump and maxed-out credit cards have in common?
THOM LANGFORD. Nobody likes them?
CAROLE THERIAULT. They both deny all charges. Oh, very good.
GRAHAM CLULEY. Hey, okay.
CAROLE THERIAULT. Bit of science now. So credit cards are powerful tools, right? People are setting up new online accounts, registering their credit card details with them willy-nilly because guess what? They can't go to the bank and they can't go to the stores to buy the things that they require.
GRAHAM CLULEY. And people, even if you could pay in cash, people don't really want to receive cash at the moment, do they? Because it's—
CAROLE THERIAULT. Dirty. Dirty.
GRAHAM CLULEY. Dirty, dirty money.
THOM LANGFORD. Filthy lucre.
CAROLE THERIAULT. Now, I don't tend to use credit cards either, but I'm kind of glad that I've got one that's all paid up and ready if a bigger emergency hits me directly. But others who are in the eye of the storm, you know, maybe jobless, or, you know, they're out protesting unbelievable injustices, or they're, you know, and they're staving off the bills with credit card payments. Okay, joke time, right?
GRAHAM CLULEY. Oh yeah, good.
CAROLE THERIAULT. You see? Okay, so why did the dad— this is for you, Graham— why did the dad put the credit card statement on his feet?
GRAHAM CLULEY. I don't know why.
CAROLE THERIAULT. Because it said New Balance on it. It's a shoe company.
GRAHAM CLULEY. Oh, okay.
THOM LANGFORD. Such a fucking dad.
CAROLE THERIAULT. Such a dad. Set it dead.
GRAHAM CLULEY. Did you know that, Thom?
THOM LANGFORD. I did, but I didn't get the joke though.
CAROLE THERIAULT. Ah, maybe it's my telling. I'm not very good. I'll work on this. I'll work on it.
THOM LANGFORD. No, I don't know. I don't know.
CAROLE THERIAULT. Okay, so all this to say there's lots of credit card transactions going on right now. Online shopping is up, and April saw a 200% jump in new mobile banking registrations, and mobile banking traffic rose 85%. And we're not surprised by that because people are locked at home. So since the corona shutdown, the US economy, Fidelity National Information Services, they're a fraud monitoring service for banks, have seen a huge jump in credit card scams.
THOM LANGFORD. Oh, really?
CAROLE THERIAULT. And these have become so pervasive that some executives at a community bank thought they'd been hacked before learning that it was just that cardholders were falling victim to these scams. That's how bad the numbers are.
GRAHAM CLULEY. Oh, so they saw so many weird transactions happening that they thought there must be someone inside the infrastructure. Oh, crumbs.
THOM LANGFORD. But actually it was just the customers.
CAROLE THERIAULT. It was just the customers falling for stuff.
THOM LANGFORD. Oh my God. Yeah.
CAROLE THERIAULT. And in the UK, things aren't better. Victims of scams related to the coronavirus outbreak nearly lost a million quid in February. And most of this was focused on the COVID-19 crisis. So phishing, phone, SMS scams, the whole nine yards. And one pundit said, while your day job may have gone up in smoke or become way more difficult, the hackers' day jobs just got a whole lot easier.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. For a number of reasons. One, we're all stuck at home online all the time. And two, we are looking for information.
GRAHAM CLULEY. Could you give us another joke? Would that be all right?
CAROLE THERIAULT. Yeah, I've already got one lined up.
GRAHAM CLULEY. Okay, right, good.
THOM LANGFORD. Plenty more where they came from.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Because the last one about New Balance didn't really work for me. So—
CAROLE THERIAULT. You're such a dad. I'm really good at managing my credit card. My bank keeps sending me letters saying my account is outstanding.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Right. So, types of scams we're seeing. One is a kind of service scam. So a typical one is like they're talking about Netflix. So you might get an SMS or an email that says, hey, free Netflix for a month or 3 months or 6 months. Now, the reason this is hard for people to spot is because Netflix and other service video companies are offering incentives to get more users.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. So it's our job to be able to tell the difference between a real one and a bogus one.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Now, the other one is government info or stimulus checks. So when the States. Oh yeah, there's loads of people that have filed for legitimate stimulus checks coming in from the government. So what if you get a phone call or an email, someone purporting to be a bank or government official, right, saying we need to get some more information to make sure you get your check, or we just want to double-check your postal address, we get the check in the mail for you. Ironically, I saw on Twitter that people are mistaking their stimulus checks for junk mail or a scam because I don't know if you've seen what it looks like. And it also has Donald—
THOM LANGFORD. It's been signed by a scam artist.
CAROLE THERIAULT. Exactly. I don't know if you've seen the signature, but he doesn't look like I'd rely on him.
GRAHAM CLULEY. Oh, so because the check comes with Donald Trump's signature, people think this must be a hoax. Oh my goodness. I wonder if Stormy Daniels has got a check from Donald Trump.
THOM LANGFORD. Many checks, I think.
CAROLE THERIAULT. Okay, then of course, we don't even have to go into it, but all the COVID stuff, and we know why that's happening.
THOM LANGFORD. Well, you were talking about that last week, weren't you, about the track and trace websites and, you know.
CAROLE THERIAULT. There's also the banking credit card stuff. This makes it hard again because banks are offering services. I am getting legitimate text messages from my bank saying, "Hey, we're gonna freeze your interest that you owe us during this period." Hmm.
THOM LANGFORD. "Get a $500 stimulus check from your bank, just tap here." But here's the thing, you say, "Is that legitimate?" Well, go to their website and find out. Do you know what I mean? You know, click here, please.
GRAHAM CLULEY. I guess that's the problem though, isn't it? If the communication includes a link, many people will use the link in the communication or told to them down the phone rather than finding out what the real link is.
CAROLE THERIAULT. There's also—
THOM LANGFORD. Of course, of course.
CAROLE THERIAULT. But yeah, and that's so important, that advice. So maybe you should say that again, Graham, just to make sure everyone hears it. Super important.
GRAHAM CLULEY. So, so you got— you have to be careful. Don't click on the link which is given to you in the communication, in the email or in the text message or told to you down the phone. Instead, work out what the real link is and go to it directly on your computer.
CAROLE THERIAULT. Exactly. One guy on Twitter was saying that he keeps getting calls, and the way they start the call off is, 'Credit card services, how are you doing?' And then they offer to lower your credit card interest.
GRAHAM CLULEY. Is it Joey from Friends? How are you doing?
CAROLE THERIAULT. Also, be careful of insurance scams. So of course, many of us had plans for the summer, like perhaps we are renting a vacation home or going on a flight or doing something with the family, and some of us have had trouble getting money back from those things. Emails saying, "Here's your Airbnb cancellation. We just need your banking details to refund your card," could also work pretty well. Okay, it's getting bleak. You need a joke, don't you?
GRAHAM CLULEY. I think we do.
CAROLE THERIAULT. Graham, I don't know if you're going to get this one.
GRAHAM CLULEY. I've done so well so far.
CAROLE THERIAULT. Let's see how you do. Let's see how you do. A tangent, a tangent applied for a credit card but was denied. He couldn't find anyone willing to co-sign.
GRAHAM CLULEY. Oh yeah, okay. That is quite an intellectual joke.
CAROLE THERIAULT. A little trig for you there, Graham.
THOM LANGFORD. I like that one.
GRAHAM CLULEY. Okay, I understand that.
CAROLE THERIAULT. Okay, so advice time. Now before I get into advice, the reason I wanted to bring this up today is because you guys are both smart and you will have better advice than the advice that is given on the official FBI credit card fraud site.
GRAHAM CLULEY. Oh, okay.
THOM LANGFORD. Oh dear.
CAROLE THERIAULT. Right? So there's things like, before using the site, check out the security and encryption software it uses.
GRAHAM CLULEY. Oh, so see if it has a padlock on the website.
CAROLE THERIAULT. Don't judge a person or company by their website. Flashy websites can be set up quickly. And then they say somewhere else, make sure you buy from a reputable source.
GRAHAM CLULEY. The Host Unknown podcast website, it looks pretty flashy, I have to say, but I wouldn't necessarily— I'm not sure it's entirely reputable.
THOM LANGFORD. Oh, it's certainly not reputable, but it is genuine.
CAROLE THERIAULT. So, okay, so I'm not saying any of the information here is wrong. I think it's all very difficult to follow. So—
THOM LANGFORD. It's a wall of text. You can't give this volume of advice and expect people to follow it. It's gotta be a far simpler message that people can emotionally attach to. Yeah.
GRAHAM CLULEY. You know, I want to hear Carole Theriault's tips. Let's hear them.
CAROLE THERIAULT. I think the best one is sign up for alerts. So every time your bank number or credit card is used for a purchase, you get a secondary notification that tells you, hey, your card has just been used.
GRAHAM CLULEY. Great idea.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. Right? And that way, at least, it doesn't mean it stops it from happening in the first place, but means you are on to it super quickly.
THOM LANGFORD. Smashing Security.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. Limit the number of websites you save your credit card information on, right? You don't have to save everything. I know it makes everything a little bit faster, but actually it's much safer not to save it with a bunch of different companies out there. And you can also use things like either PayPal or Apple Pay or Google Pay. These might be a smarter way to be able to manage your money because then you have a kind of an account you can manage.
THOM LANGFORD. Also use LastPass to store a credit card and have it automatically fill in the site.
CAROLE THERIAULT. Very good point. Yes, you can.
GRAHAM CLULEY. So I like this, I like this idea of using Apple Pay or PayPal or Google Pay and things like that, particularly on sites which you aren't familiar with, you know, for an additional level of protection. That's a great idea. I've also heard some people use, are they called virtual credit cards? What's the, what's the name of these things? Do you know about these, Thom?
THOM LANGFORD. I do. Yeah. So you get either a virtual credit card, which is you've got your regular card, but then your app will generate a virtual card, so you don't actually get a physical card, and you can use that for all your purchases, say, at Amazon or John Lewis or wherever. And if something happens to that card, you can just delete that card. You don't have to apply for a new card because you've obviously still got your credit card. But you can also get disposable cards as well, which are good for one shot. So you create a card, use that number for your purchase, and then that card is immediately destroyed.
CAROLE THERIAULT. You know where I've heard those are excellent to use? If you're signing up for like a 1-month trial or membership of something and, uh, you know they're not going to let you out easily. And this way, uh, you follow the rules and at the end it just goes poof and they, they can't, you know, hold you for money. I don't know if this will work or not, but this one guy called Deldy on Twitter said he's been getting way more scam calls recently, so he's been opening with the line, "Hi, I was actually wondering if I can share my Social Security number and credit card info before we move any further." And apparently they instantly hang up. So anyone who's inundated with calls, try that one.
GRAHAM CLULEY. The folks at MetaCompliance are fabulous, not only because they're sponsoring our podcast this week, but also because they're offering listeners a free Cybersecurity Awareness for Dummies book. In the guide, you will learn what cybersecurity awareness means for your organization, how to implement a cyber risk awareness campaign, the critical role of policies to establish safe baselines, how to maintain momentum and staff engagement, 10 cybersecurity awareness best practices, and oodles, oodles more. Grab a free copy of the Cybersecurity Awareness for Dummies book from MetaCompliance now. More at smashingsecurity.com/cyberaware. smashingsecurity.com/cyberaware.
CAROLE THERIAULT. Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager. LastPass by LogMeIn is a password manager both for consumers and the enterprise. In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multifactor authentication. Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free, so check it out, lastpass.com/smashing. Back to the show.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
THOM LANGFORD. Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Ooh, you said that weird. Better not be, Mr. Cleverley.
GRAHAM CLULEY. Yeah, well, it isn't security-related. It is shoelace-related, because—
CAROLE THERIAULT. Oh, you've done this before.
GRAHAM CLULEY. No, I haven't. Have I?
CAROLE THERIAULT. Okay, go ahead.
THOM LANGFORD. Have I? I think you might have. After 182 episodes, he can't remember.
CAROLE THERIAULT. Crack on, crack on.
GRAHAM CLULEY. Now I'm frightened. A chap called Ian Fieggen runs a website called Ian's Shoelace Site. He is the inventor of the Ian Knot, which he claims is the world's fastest way of tying your shoelaces. He also has an app for Android and iOS. If you want to learn over 60 different ways of lacing your shoes, then his app is the one that you want. Now, this is an extraordinary website all about shoelaces and how to tie your shoes, which is incredible. What I find particularly astonishing is that Ian admits he doesn't actually give a shit about shoelaces, but he wanted to be the best at something and produce some corner of the internet, which has been there. And that's what he's done. He's built this. His website gets over 9,000 visits per day, which is quite a lot when you consider it's all about shoelaces.
CAROLE THERIAULT. Well, shoes are big business, Clue, a billion-dollar industry.
THOM LANGFORD. That company New Balance is really big.
GRAHAM CLULEY. Anyway, I will put in the link in the show notes.
CAROLE THERIAULT. I think he has been your Pick of the Week in the previous week. I would call on to our more avid listeners to see if they remember which episode that came out of, because I don't remember.
GRAHAM CLULEY. Are you kidding?
CAROLE THERIAULT. But you guys might.
GRAHAM CLULEY. Are you serious? You think I've done this before?
CAROLE THERIAULT. Yep, I think you have a little pick of the week document with a bunch of links, and maybe perhaps you haven't been doing very good hygiene.
GRAHAM CLULEY. No, no, I clear out my old entries.
CAROLE THERIAULT. This is what happens when we get to episode 125.
GRAHAM CLULEY. Well, look, I'm sure our listeners will give me feedback.
CAROLE THERIAULT. It's worth it. It's worth it.
GRAHAM CLULEY. It certainly is worth going to. I'm a bit worried now.
CAROLE THERIAULT. Don't be worried. It's fine. You're old. You're forgetful. Everyone's understandable.
GRAHAM CLULEY. Okay, Thom, what's your pick of the week?
THOM LANGFORD. So it was going to be an app called Magnet, which is totally non-security related because I know how much Carole Theriault desires non-security pick of the week. Just a touch. Just a little bit.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. It's the one thing that stands out every week that I listen. But yeah, this app for Magnet for the Mac, very, very simple app. It just sits in your taskbar. And what it does is it allows you to very quickly and easily resize your windows. Now, you might think that's not very useful, but you can drag a window to the top left-hand corner and it will automatically size it to a quarter of the size of the window. You can drag it to the left and it will be half of the window. You can drag it to the very top, it'll be the whole page. And there's also lots of screen— sorry, lots of keyboard shortcuts that allow you to pick it for an eighth or for a third or different locations, etc. And in this age of very high-resolution monitors and all that sort of thing, and I've got, you know, two 5K monitors in front of me now, I can actually end up with 8 different windows of apps open at any one time, all nicely positioned. So some are vertical, so, you know, Twitter and Signal, etc. Some are vertical quarters because they scroll up and down. Others are, you know, regular quarters. So yeah, I was going to choose that as my pick of the week, but instead I thought I would, in a last-minute fit of ego, I thought I'd mention the Host Unknown podcast, which I think everybody— really should be listening to.
GRAHAM CLULEY. For goodness' sake, I use— I actually use Magnet. I have to say, I have to endorse this product as well. It's a great little product.
CAROLE THERIAULT. Okay, where's their privacy agreement?
THOM LANGFORD. Do you know what their privacy agreement says? We do not collect any information at all, period.
CAROLE THERIAULT. Okay, I was looking for it and I couldn't find it on their webpage, and I was typing in /agreement, /terms, /privacy, and nothing came up. And then I see a 3FA key.
THOM LANGFORD. We can't capture nothing. And that, that in itself is a good lesson in infosec. If you don't need it, don't capture it. You don't have to worry about it.
CAROLE THERIAULT. Thom, you have done your homework.
THOM LANGFORD. I have, I have, especially on the Host Unknown podcast, which I think everybody should listen to.
CAROLE THERIAULT. Graham, hand over to me, please.
GRAHAM CLULEY. Bro, bro, talk, talk. What have you got?
CAROLE THERIAULT. My pick of the week this week is a TV series from BBC Two, or at least that's where we saw it. It's Alex Garland's. He's the guy who made X Ex Machina? Or Ex Machina?
GRAHAM CLULEY. Oh, yes.
CAROLE THERIAULT. Did you guys see that? This is his first time dipping his toes into the small screen waters, and it's called Devs. And I say, Alex, baby, dive in. He rocked it. Okay? So, there's— the central character is Lily. She's played by Sonoya Mizuno. She's played in other of Garland's films and works. Basically, she works at a kind of Google-like complex. Her boyfriend works there too. He goes missing. Oh my God, yes! Did you watch it?
THOM LANGFORD. I've seen the first episode.
CAROLE THERIAULT. Yes, it's got your man from Parks and Recreation, Nick Offerman's in it.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. Yeah, he plays like the main kind of Elon Musk god of the whole Devs Lab. But it's kind of technically, you know, it's sci-fi, but there's some technically sound stuff going on.
GRAHAM CLULEY. A bit like Mr. Robot, you know, was obviously in our universe.
CAROLE THERIAULT. And what do they do in this DEVS thing? Because it's actually a physically separate lab, and it's a big deal getting into it. And it's kind of crazy. They kind of tease the audience. They tease you, drip feeding you a little bit of information of what's going on in there. Plus, they have the coolest statue ever in the kind of campus, which I just think we should litter the entire planet with them as a reminder of what kind of future we want to build. So, I say watch it. I watched the entire thing in two nights. Loved it, loved it, loved it. Geeky, dark, beautiful, smart. Well acted.
GRAHAM CLULEY. How many episodes are there, Carole?
CAROLE THERIAULT. I have no idea. I gobbled them up. I don't know, 6 maybe? 6?
THOM LANGFORD. Carole still thinks it's Saturday.
GRAHAM CLULEY. Isn't it?
THOM LANGFORD. Yeah, I saw the first episode of that. I was really impressed. But then I had to finish something else before I started, you know, back on track.
CAROLE THERIAULT. It's worth it. It's worth it. Graham, you'll love it. So will Mrs. Cluley.
GRAHAM CLULEY. Okay. All right. Well, fantastic. Well, on that note, I think it's just about time time to wrap it up. Thom, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
THOM LANGFORD. So I'm on Twitter @ThomLangford. That's Thom with an H because Twitter made me have an H. Thom. And also my website ThomLangford.com and HostUnknown.tv and podcast.HostUnknown.tv.
GRAHAM CLULEY. Very cool. And you can follow us on Twitter @SmashinSecurity. No G, Twitter won't allow us to have a G. And also join us on our Smashing Security subreddit as well. And don't forget, if you want to make sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts. And why not leave us a nice review as well? I always love reading those.
CAROLE THERIAULT. Huge thank you for listening and supporting us. It means everything. Also, thank you to our sponsors MetaCompliance and LastPass. Their support helps us give you this show for free. And don't forget, stay tuned after the show for our special interview with Robert O'Brien of MetaCompliance with the smooth voice. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT. Later, skaters.
THOM LANGFORD. Bye-bye.
GRAHAM CLULEY. So, Rob— Robbie's got a smooth voice.
CAROLE THERIAULT. Uh, Robbie. No, he's just got that kind of Irish lisp. You know what I should have asked him to say? I should have asked him to say palimpsest. Palimpsest. Because that's how you test— I don't know if people know that, but that's how you test an accent to see if it does anything to your knees or not. Get the person to say palimpsest, and if your knees kind of go a little bit weak, you are a sucker for that accent. So we have a very special guest, a new guest, someone who hasn't been on the show before. I'd like everyone to meet Robert O'Brien from MetaCompliance. Robbie, thank you so much for coming on.
ROBERT O'BRIEN. My pleasure, Carole.
CAROLE THERIAULT. So maybe you should start by explaining who you are, what you do.
ROBERT O'BRIEN. I think, Carole, I've been like a John the Baptist, a voice crying in the wilderness for, oh, I think about 15, 16 years. Was really focused on the people aspect of security and data protection. And it's clearly the hardest piece of the jigsaw. People are difficult. But unfortunately, I've become fascinated with that. And I've worked with a lot of companies who have tried to increase the vigilance of their teams. And really, about 8 years ago, as phishing became prevalent and ransomware, this became a clear and present danger. But I found that there weren't any guides to how do you go about dealing with the people aspect of it. Where do you start? And it was a surprise to me that when we engaged with organizations, one of the first questions is, well, what do you do? How do you start? They hadn't really taken— cybersecurity awareness or the culture change around security as a business as usual issue before. And that really led me to go and write the Cybersecurity Awareness for Dummies book.
CAROLE THERIAULT. That is why we're here today. You have helped write, or did you write the entirety of it?
ROBERT O'BRIEN. I wrote the entirety of it. And a colleague thankfully edited out the more crazy things that I was trying to put into the book.
CAROLE THERIAULT. So this is the author of the Cybersecurity for Dummies book that has launched from MetaCompliance. And it's totally focused on how a company can help get employees on board to be safer and help protect the company and themselves. Is that fair?
ROBERT O'BRIEN. That's fair. And I think we have condensed all the learnings and low-hanging fruit and approaches that we've seen organizations use to move this along and really brought it into an easy-to-use playbook.
CAROLE THERIAULT. Now, it is not a tiny playbook. It's like 50 pages. And is this free for anyone to download?
ROBERT O'BRIEN. It's available from the MetaCompliance website. And if you reach out to us, we can also send you a physical copy, which interestingly is an excellent way to get those Luddites within your organization to move forward where they have a physical book in front of them and they'll actually, you know, read that more than go and read a PDF.
CAROLE THERIAULT. Obviously, we're going to encourage everyone to go download it because I've taken a look at it. I think it's an impressive amount of work that went into that. There's some really, really good information. Maybe we can start with the idea of what motivates a hacker.
ROBERT O'BRIEN. I think that there are as many different types of hackers as there are people. And I think that every time the human race has come up with a brand new way of commerce, there has always been piracy. When the Americas were opened and we were transferring goods between the Old World and the New World, you had this blossoming of piracy, Pirates of Penzance type thing. And hacking is no different than that. It's really a way of people gaining advantage, mainly for money. In my experience, that is the great motivator. There are certainly other issues, political, national players. And so you find that it's a very, very complex issue. Then we have businesses who are going about their mission involved in what they've been doing typically for a very long time. And we have this brand new backdrop, and they find themselves really at a disadvantage. And the hacker spends months possibly thinking about the organization. The organization wouldn't necessarily be thinking months on awareness or security. The demands of the day, the crises of the day typically distract them from approaching this problem in a more systemized fashion.
CAROLE THERIAULT. Oh, I know it's true, isn't it? I remember when I used to work in the corporate land, even working in cybersecurity, in a cybersecurity company, you could still see plans always fall off for immediate reactionary job that everyone had to be all hands on deck. So do you find that people have good intentions with awareness, but sometimes just don't do their homework or don't actually follow through?
ROBERT O'BRIEN. Cybersecurity culture change is a change management project. And I don't think there's any organization out there that hasn't seen change management projects really crash and burn. I think everyone's history is littered with the failures of those things. And the problem is that you really require two things. Number one, you require the leadership team to be 100% behind it and give it the resources that it needs. And the second thing is that the organization is braced for the long term because change takes time. And in my opinion, to move the needle substantively for cybersecurity takes at least 18 months. Possibly 2 years, because you have some real hardened attitudes to change. And the minute that people see a wavering of the commitment from senior management, the whole thing falls apart like a game of cards.
CAROLE THERIAULT. I love that you say both those things. I love that you say that it takes 18 months because that's kind of my experience too. And I find a lot of companies kind of say, oh, you can do this overnight. It's not an overnight job trying to change a culture within an organization. And two, you're absolutely right. If you don't have absolute buy-in from the senior management team and if they are kind of cutting corners, that's not a good thing, right?
ROBERT O'BRIEN. It's not a good thing. And I also think that unfortunately, so up until now, cybersecurity doesn't make you profit. It doesn't get you revenues. And therefore, it was seen as an IT thing. Now, interestingly, that's changing massively. And I've seen it change really from the introduction of GDPR, where within the supplier contracts that every company uses as an engagement mechanism, you now have a couple of things that have come to the fore. Number one, you have cybersecurity insurance. 10 years ago, that was unheard of. But now, what is the level of liability that is covered by your cybersecurity insurance? The second thing is, where does the liability sit for GDPR? Who is responsible for a data protection failure and who takes the liability? And the third thing then is you get a risk assessment from your potential customer and you have to fill in that risk assessment. Now, before GDPR, that was largely a box-ticking exercise. But now the risk assessment will be called upon to defend and the decision to go with that vendor, that vendor selection as part of an overall privacy lifecycle. And also the lawyers are heavily focused on it. So really having high levels of cyber hygiene, high levels of being able to demonstrate your cyber credentials now becomes a competitive advantage. Having ISO 27001 now becomes a competitive advantage. And I think going forward, that is going to become more and more a feature of how people look at cybersecurity, the people that they deal with, but more importantly, I think will justify the spend that's needed in these type of projects.
CAROLE THERIAULT. I think that's one of the big problems is resources, especially now with COVID-19 happening. Lots of IT teams have been culled or have had to deal with resource issues on that front, plus they're having to manage a whole new workforce working from home, and they want to keep it safe. So obviously, you wrote this before all this happened, but did you touch upon remote working? And do you have any views on that?
ROBERT O'BRIEN. In the industry, we have seen the incidence of phishing and cyber activity just go through the roof. And the reason for that is that people involved in cybercriminal activity love change. They love different things happening to us as human beings so they can exploit the moves between working in an office, working from home, people not being within their social circle and things like that. The issue is vigilance. The issue is then having messaging or having a subject on a monthly basis that you address to your audience. So for example, a lot of our clients who take this really seriously immediately switched to secure remote working, immediately began sending out training based on the dangers of working from home, the increased levels of people trying to cajole you to do things that you wouldn't normally do in the office. And they increased their vigilance. Those companies also continued with their simulated phishing attacks. And then some people just killed them off altogether, saying, oh, you know, our staff are dealing with working from home, they're having a bad time, and they stopped. Some people stopped simulated phishing. And my view there was, well, in actual fact, that's what the hacking community is betting on you doing, betting on your change and the fact that everybody is disarranged. And so I think the people that did continue with the phishing attacks actually increased the vigilance in this new environment, which is likely to continue in some form or fashion well beyond COVID.
CAROLE THERIAULT. Say I want to try and put a scenario to you just to drive the point home to everyone how important this is, right? So let's say I'm an IT guy and I really want to get through to my CEO, right? They're just not taking this seriously. They've cut my budget, they've cut my resources, and I really need them to see the importance of cybersecurity. Do you think a better approach is to go in with a bunch of stats to explain how dangerous it is out there? Or do I want to talk more about how the company can grow and make more money and be safer, more secure? Lower risk.
ROBERT O'BRIEN. I mean, I really feel for people in that situation.
CAROLE THERIAULT. Me too.
THOM LANGFORD. Yeah.
ROBERT O'BRIEN. There has to be some good come out of this pandemic. And I think there is for cybersecurity because our concept as a society of what's possible has expanded. Now, if someone had told me before Christmas that my entire organization would be working from home, all these controls would have been put into place, I wouldn't have believed them. But now I am prepared to believe much more in terms of change. Change and the world that we lived in. So getting someone to believe that we could have a cyber event that could cripple the organization, I think, is easier to believe. So I think that envelope expanding will help us.
CAROLE THERIAULT. Totally. And you know what else, actually? This may be an excellent opportunity for IT people to actually approach their CEOs about investment in this area. Because of the change in environment, there's inherently a little bit more risk there until they can lock down both security and cyber awareness for home workers. So this might be the time to say, look, the environment's changed. We need to be on top of it to make sure we're safe. I don't know. What do you think about that?
ROBERT O'BRIEN. Look, people have gone home. And we implemented one of the biggest changes in organizational working in centuries. We did it in weeks, where normally that would take months or maybe years for an organization to put it into place, and you would train everybody and so on and so forth. But we flicked the switch and we got it done. The other thing is the digital assets that the organization relies upon now exist within those homes, now exist within those firewalls within those homes, and rely on people within, and indeed rely on their families, not just the people that work for you, to be aware of the dangers and aware that certain things could happen. And the only way to do that is to engage with your staff population and give them the information and give them the resources to actually make the change. Because thinking it'll happen by osmosis is naive. It just won't. And what has happened, whilst there are many benefits from homeworking, from a security perspective, is that our perimeter has just morphed into something that is unrecognizable now.
CAROLE THERIAULT. You know, the more I'm thinking about this, I think a lot of different people need to read this book. At first, I was thinking this is really, really good for IT staff to kind of understand what they're facing and how they can kind of get their hands around all the different components. But maybe, maybe, you know, maybe I was blindsided. Maybe C-levels need to read this too, just to understand all the different components and the complexities that need to be understood so that they can be more sensitive when they're budgeting and dealing with IT.
ROBERT O'BRIEN. Carole, I mean, you've hit the nail on the head. I mean, when I was writing this book, I sort of had an image in my mind of a CISO at a board meeting with a number of these books and basically handing them, physically handing them. So, you know, I have the power of a gift. Here's a gift. And it's a Wiley book that we've all seen, The Dummies Guide. And even if someone dips in and out of it, you've already made an impact. Because I think if you can get the C-level, the executive team on your side, you can change so much. Because the problem I find with cybersecurity is that it isn't user-friendly. It involves implementing controls. And people hate controls and they hate policies and they hate e-learning. So it's not a popular job. But once you get the C-level involved, you get a tone from the top, and people never focus on that. What does our organization stand for? Do we have zero tolerance on these things or are we laissez-faire? Where do we fit? And once the people in charge say, this is where we stand, then your initiatives are not diluted by middle management. Someone who goes, look, don't bother with that e-learning, keep doing your jobs, get around to it whenever. And suddenly your awareness campaign has just died because you have a manager somewhere who is just not supportive. But if the CEO is supporting the actual initiative, you typically get people to buy into it.
CAROLE THERIAULT. Well, with this book, you have given a lot of IT people and indeed companies a helping hand. Robert O'Brien from MetaCompliance, thank you so much.
ROBERT O'BRIEN. Thank you very much, Carole.
CAROLE THERIAULT. There we go. What do you think?
ROBERT O'BRIEN. I thought it went very well.
CAROLE THERIAULT. Listeners, you can get your free copy of MetaCompliance's Cyber Awareness for Dummies Graham Cluley's book by going to smashingsecurity.com/cyberaware. That's smashingsecurity.com/cyberaware. See you next week.
-- TRANSCRIPT ENDS --