
473: How a hacker could have Rickrolled the entire World Cup

June 25, 2026
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Did she think of sending a Truth Social message to the winner of the inaugural FIFA Peace Prize?

Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president.

Smashing Security, Episode 473: How a Hacker Could Have Rickrolled the Entire World Cup, with Graham Cluley and special guest Danny Palmer.

GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security episode 473. My name's Graham Cluley.
DANNY PALMER
And I'm Danny Palmer.
GRAHAM CLULEY
Danny, great to have you on the show again. As regular listeners know, you are a cybersecurity journalist. Busy month, isn't it?

I mean, there's lots of events going on and things like that. You must be going from event to event, writing story after story.
DANNY PALMER
It has been busy, of course, as you well know as well. It was Infosecurity Europe this month and you were on stage hosting. I saw you on the stage. I didn't get to see you in person.

I did see you in person at one point, actually. Did you? But—
GRAHAM CLULEY
You should have given me a wave.
DANNY PALMER
Well, this is from behind and you turned into the toilets. So I thought you wouldn't want a tap on the shoulder at that point.

But no, I could have sprinted up, but I doubt it would have been welcomed. But no, it was a good show. It's one of the biggest cybersecurity events in, well, Europe.

But this time I was working at Infosecurity Magazine. So I was covering it from that side. So it was very, very hands-on.

Lots of people seem to enjoy the talks, good feedback from sessions. People like you, obviously, there's always nice things said about you and feedback from the events.
GRAHAM CLULEY
Oh, thank you.
DANNY PALMER
So that's good. But yeah, it was grand.
GRAHAM CLULEY
Well, before we kick off, let's thank this week's wonderful sponsors, Black Kite, ProtonPass, and Vanta. We'll be hearing more about them later on in the podcast.

This week on Smashing Security.

We won't be talking about how Brazil suspended its mobile phone emergency alert system after a hacker sent false warnings to phones across the country.

You'll hear no discussion of how tech site Gizmodo has been caught hitting readers with click-fix malware prompts.

And we won't even mention how two men have pled guilty to the £39 million cyberattack on Transport for London, which impacted 10 million commuters.

So Danny, what are you going to be talking about this week?
DANNY PALMER
I'm going to be talking about a security issue at FIFA which could have got everyone rickrolled.
GRAHAM CLULEY
And I'm going to be talking about a devastating Dutch fraud epidemic that has forced police into a bold response involving motorway billboards.

Plus, don't miss our featured interview with Jeffrey Wheatman, where we'll be looking at Black Kite's report into ransomware and extortion attacks across Europe.

All this and much more coming up on this episode of Smashing Security.
JOE
Graham, what's this about a new report from one of our sponsors?
GRAHAM CLULEY
Yes, Black Kite have just put out their first ever European Cyber Risk Report.

And oh my goodness, they've been looking into ransomware attacks across Europe for the last year and a half or so.
JOE
And let me guess, everything is fine and we have nothing to worry about?
GRAHAM CLULEY
Well, ransomware is up 55% year on year in the first 4 months of 2026 alone.
JOE
So, not fine.
GRAHAM CLULEY
No, Joe, not fine at all. Nearly 70% of all European ransomware activity is concentrated in just 5 countries.

And this report from Black Kite breaks down exactly where the attacks are hitting hardest and which hacking groups are responsible.
JOE
So is there anything in there beyond the headline numbers?
GRAHAM CLULEY
The bit that really struck me is what they found about third-party risks. A lot of companies aren't being attacked directly.

Instead, they're being caught in the blast radius of an attack on one of their suppliers.
JOE
Right. You're only as secure as the weakest link in your supply chain.
GRAHAM CLULEY
And the report has some real-world examples that illustrate this perfectly.

For instance, there's a Swedish company, it has an unpronounceable name, they got hit and that ended up causing huge problems at hundreds of organisations, exposing the data of over a million people.
JOE
All from one incident.
GRAHAM CLULEY
All from one incident. And the report also covers how regulations like NIS2 and DORA are forcing European businesses to get much more serious about all of this.
JOE
Sounds like essential reading, frankly.
GRAHAM CLULEY
It is, and it's free. Get the full report at blackkite.com/smashing.
JOE
That's Black Kite, B-L-A-C-K-K-I-T-E.com/smashing. And thanks to Black Kite for supporting the show.
GRAHAM CLULEY
Now, Danny, imagine you're at home. It's maybe a Tuesday afternoon, nothing unusual going on, and your phone rings and it's your bank.

Well, it's someone claiming to be from your bank.
DANNY PALMER
I see.
GRAHAM CLULEY
And they're very polite, very professional, and they say, Danny, I'm afraid there's been some suspicious activity on your account.

And they say, there's nothing to worry about, Danny. We don't want you worrying, Danny.
DANNY PALMER
Well, that's reassuring.
GRAHAM CLULEY
Well, it's not that reassuring, is it? Whenever a company says, now, we don't want you to panic, but—
DANNY PALMER
Panic.
GRAHAM CLULEY
They just want you to verify a few details. Now, your spider sense as a cybersecurity expert is tingling at this point.

You think, oh, hang on, they're going to ask me for a password or they're going to ask me for something like that. They don't do anything like that.

What they do is they say, look, we think you could be having some problems with your account. We think maybe you're having some problems on your computer.

There's lots of hackers about. Tell you what we're going to do, we're going to send someone round to help you.

Now, you might be a little bit suspicious about that, knowing the evil corporations which are financial institutions and the likelihood that they would ever send anyone round.
DANNY PALMER
They only send someone round when they want something from you.
GRAHAM CLULEY
Right, right. But if you were, for instance, a little bit vulnerable or elderly or weren't too tech savvy, you might say, oh, would you do that? Would you come around?

Because I just can't work out what I have to do here. Maybe you would be a little less suspicious.

And because they've been polite, maybe you've been born in a different age where you're more trusting of people. I don't think you, Danny, would say, sure, come on round, would you?
DANNY PALMER
No, no.

It's one of those things where I've not had this particular thing happen to me, but a few years ago, I had an alert from my bank saying my bank card had been used elsewhere in the world.
GRAHAM CLULEY
Right.
DANNY PALMER
What I did then was I called my actual bank and did it that way.
GRAHAM CLULEY
Yes. Well, anyway, this particular scam, which has been called bank help desk fraud, has been running rampant across the Netherlands.

And the Netherlands, you just think it's a land of bicycles and Edam cheese and just ostentatiously tall people.
DANNY PALMER
Yes.
GRAHAM CLULEY
It turns out it's also the home of help desk fraud as well.
DANNY PALMER
Well, it's a tech-savvy country, lots of startups there.
GRAHAM CLULEY
That's very true. And there certainly have been over the years many servers which have been run by the criminals. They've often been hosted in the Netherlands as well.
DANNY PALMER
That is true, yeah.
GRAHAM CLULEY
Anyway, criminals apparently are calling victims pretending to be bank employees with all sorts of cover stories.

So they say, "We've detected unusual transactions," a bit like that call which you received, or "We need to increase your overdraft limit," or "We're trying to protect your account from some kind of problem." Whatever the script is saying, there's always some urgency.

There's some authority in the voice which they're using. And because, you know, this is mainland Europe we're talking about, so they're still fairly civilised compared to us Brits.
DANNY PALMER
Us all being painted in woad on our island here.
GRAHAM CLULEY
They will go so far as to offer hands-on help.

"If you're unsure what to do." So they're actually sending people to the victims' doors to collect their bank cards, their cash, whatever they can get.
DANNY PALMER
I suppose the Netherlands isn't a huge country. You can drive across it in a few hours.
GRAHAM CLULEY
I suppose so.
DANNY PALMER
Yeah.
GRAHAM CLULEY
I bet the public transport's fantastic. Just this week, Dutch police raided an Amsterdam house.

They found 6 people aged between 15 years old and 30, running a makeshift call centre, basically from someone's living room.

They were caught mid-call with a potential victim on the line when the police walked in.

And this is apparently something which is happening a great deal and it's causing all sorts of problems.

Now, there is a companion scam to this one where they send around the bank employee saying, "Oh, you know, we're worried about your money or whatever, so we'll come round, take your money." And put it somewhere safe for you because you can't look at it.
DANNY PALMER
Yeah, we'll take that money from under your bed and store it in a safety deposit box that you don't know where it is.
GRAHAM CLULEY
I mean, we're laughing, but if you are a nonagenarian — and I'm not saying all people who are elderly aren't tech savvy, because obviously some of them are very, very tech savvy — but if you are someone who's maybe a little bit more trusting, a little bit more vulnerable, you might well fall for that kind of thing.

You know, it's people often towards the end of their lives who have a lot of assets. Which makes some rich pickings.
DANNY PALMER
Plus, it's difficult to be assertive when you've got someone who says they're an expert on the other end of the line.
GRAHAM CLULEY
Right.
DANNY PALMER
Well, it's social engineering, isn't it? I suppose while you could go on the phone, "Okay, I'm not doing that," if there's someone at your door asking something, it's harder.
JOE
Yes.
GRAHAM CLULEY
So there is a companion scam running alongside this one. And it's perhaps even more brazen. It is called fake police officer fraud.
DANNY PALMER
They've been thoughtful of these names, haven't they?
GRAHAM CLULEY
They have. It's a good name, but it requires a different fancy dress costume.

So rather than dressing up like someone who works at the bank, you know, with a bowler hat and an umbrella and that pinstripe suit, you turn up dressed as a policeman. Now—
DANNY PALMER
Like some sort of criminal Mr. Benn.
GRAHAM CLULEY
You know, I love that analogy, Danny. I'm not sure everyone internationally is going to get it. I'm now going to have to link to Mr. Benn in the show notes so people can understand what that was about.

But, so if a policeman turns up on my door, I obviously will think, "Oh crumbs, maybe there's some speeding ticket I haven't paid or something." It's going to be that or it's going to be a strippogram.

You don't expect it normally, but apparently they are calling people up, claiming to be a detective, and they say, "Look, there's been a burglary nearby and your valuables could be at risk."
DANNY PALMER
Oh no.
GRAHAM CLULEY
But don't worry, we're going to send one of our colleagues from the police force.

We're going to get them to pop round and keep your valuables safe on your behalf because there's someone going around stealing stuff.

It's like, yes, there's someone going around stealing stuff because it's the person who's dressed up as a policeman pinching all your gear.
DANNY PALMER
It's very old school, isn't it? It's almost like a Wild West element to it as well.

You'd have someone dressed up as a sheriff going around to do that to people, you know, 150 years ago.
GRAHAM CLULEY
Apparently they knock on your door, they flash a warrant card, because that's convincing, isn't it?

You also got to have a little laminated card and it's like, oh well, then you're clearly someone in authority.
DANNY PALMER
Especially if it's laminated.
GRAHAM CLULEY
And they walk off with your jewellery and your savings. In one case, they took the wedding ring of one woman's deceased husband.
DANNY PALMER
Yeah.
GRAHAM CLULEY
It's really horrible. In August last year, apparently an 80-year-old woman was killed during one of these fake police doorstep visits.

So whether that particular woman got suspicious and put up some resistance or what, I mean, it is ghastly to think that these people are effectively being scammed on the phone, tricked into having someone come round, and who knows what's going to happen next.
DANNY PALMER
So their details, I guess their phone number has been involved in some sort of breach.
GRAHAM CLULEY
At the very least, their phone number. But let's think about it. Many data breaches will not just contain your phone number, they will also contain your postal address as well.
DANNY PALMER
Yes, I remember a few years back, I had an ethical hacker sort of do those things where, for an ask, let's see who you can find about me on the internet.

It was really freaky to hear.
GRAHAM CLULEY
Yeah, it is. Now, you might think, well, this seems rather far-fetched. How big a problem is this really?

Well, apparently, last year, there were 13,000 reports of fake police officer scams in the Netherlands alone. 13,000. So, I mean, it's not as though it's that rare.

This is a small country, relatively, with a big problem.

And police said that the impact on elderly victims, who are the most commonly targeted group, is devastating — not just financially, of course, but psychologically as well, because trust is gone.

The Dutch police, Danny, they've decided to do something about all of this.

And what they did was they launched a special operation called Game Over — in fact, it's called Game Over, question mark, exclamation mark.
DANNY PALMER
So are they shouting at, or?
GRAHAM CLULEY
It's not all in capitals. What they did was they collected CCTV images of these ne'er-do-wells who were engaged in this kind of thing. They took video footage from smart doorbells.

They took video taken at ATMs when money was being taken there as well. They got photographs of 100 different suspects, and they published them.

What was unusual about it was they blurred the images.

And they said, here is 100 people, and they put them up on motorway billboards, in supermarkets, at petrol stations, on TikTok, on TV, Instagram, all of that.

But what they did was they said, in two weeks, we're going to unblur the images.

So if you want to hand yourself in now, if you want to go to your local cop shop and say, maybe we should have a little chat about what I've been doing, now is your chance.
DANNY PALMER
That's really interesting. It's almost applying — I'm not saying the police are doing extortion, but it's the same sort of principle as a lot of cybercrime, isn't it?
GRAHAM CLULEY
It's a bit of leverage, isn't it?
DANNY PALMER
Yeah, do as we say, otherwise we'll —
JOE
Yes.
DANNY PALMER
Come and — come back and get you big time.
GRAHAM CLULEY
It's a little bit like one of those data extortion attacks, which we see all the time.

So how many of those 100 suspects do you reckon turned themselves in before the countdown was gone?
DANNY PALMER
You said they're all sort of between 15 and 30, the average demographic of a cybercriminal, young men.

I'd say there's a lot of hubris in there, and it's not going to be that many that turn themselves in because they'll think, "Oh, they'll never get me." Am I on the right track?
GRAHAM CLULEY
Well, I don't know if you'll consider this a small number or a large number. Apparently 21 came forward.
DANNY PALMER
One in five, yeah.
GRAHAM CLULEY
I thought that was quite a lot, considering, you know, their photo hadn't been published. It was just a blurred version.

But they came forward before the deadline, before the images were unblurred. They cycled over to the police station.

They probably leant over a bit as they went through the doorway, because they were ostentatiously tall.
DANNY PALMER
Well, they'll have taller doors though, won't they, to make up for it?
GRAHAM CLULEY
You would think so. That would make sense really, wouldn't it?
DANNY PALMER
I wouldn't know about that. I'm 5 foot 7, so it's—
GRAHAM CLULEY
If there's any listeners out there in the Netherlands, we do have a fair few actually, maybe you can confirm whether your average door height is higher than—
DANNY PALMER
I'm off to the Netherlands in a couple of months, as discussed previously, so I can report back and check.
GRAHAM CLULEY
Take a tape measure with you, Danny. Please find out for us. Anyway, once the photos were unblurred, and the public got involved because this is high profile.

This is on motorway billboards, these pictures. Over 500 tips came in.
DANNY PALMER
I suppose you see it, you go, oh, I recognise that guy.
GRAHAM CLULEY
Yeah, exactly. Oh, hang on, that's my nephew Bertrand or whatever who is over there.
DANNY PALMER
Yeah, trying to think of Dutch names now.
JOE
Dirk.
GRAHAM CLULEY
Oh gosh. Joost. Marcel.
DANNY PALMER
I should know this because me and some friends played a multiplayer Football Manager recently and we were in the Belgian and Dutch leagues.

But all the information is gone from me now, unfortunately.
GRAHAM CLULEY
Anyway, the Game Over website has received more than 2 million visits. The ads on social media have racked up 54 million views.
JOE
Wow.
GRAHAM CLULEY
And apparently some detectives had to work overtime just to handle all the tips that are coming in. By last month, 74 of the 100 suspects had been identified.

34 have handed themselves in. 40 were recognised by members of the public, you know, neighbours and school friends, I imagine, possibly family as well. And 6 have been arrested.

And the youngest person identified was just 14 years old.
JOE
Wow.
GRAHAM CLULEY
Now, the thing is, Dutch police have said, look, even though there's lots of young people who are involved in this, they are not the masterminds behind this scheme.

They are not the Mr. Big. What's happening apparently is young kids are basically acting as errand runners. They're doing this for a little bit of pocket money.

They are getting some cash. So they're being sent off to knock on doors and collect the bank cards and take the jewellery, that kind of thing.
DANNY PALMER
The 2026 equivalent of a paper round.
GRAHAM CLULEY
I suppose so. This is the problem. People don't get newspapers delivered anymore. So the kids are having to turn to crime instead.
DANNY PALMER
Newspapers. You established last week you don't have a milkman, so—
GRAHAM CLULEY
Yes. So they're handing everything up the chain. They're pocketing a little slice for themselves for being the face on the camera.

And the organisers, the people actually behind all this criminality, they're the ones making serious money. And they are largely escaping appearing on the billboards.

So the police are keen to get the Mr. Bigs, as it were. So Dutch police are calling this a social problem that requires a social solution.

I think that's probably true of a lot of things to do with our world, isn't it?
DANNY PALMER
Yeah. You can't just stamp down on, let's say, technologies, for example, and sort of hope things will get better.
GRAHAM CLULEY
You could almost draw an analogy with how we're trying to clean up the world of social media by preventing kids from getting on social media.
DANNY PALMER
Indeed, yes.
GRAHAM CLULEY
Rather than why don't we just clean up the social media sites or fine them?
DANNY PALMER
Oh no, that's far too complicated. Children will, if you tell them not to do something, they'll just not do it. Of course, they won't try to do it.
GRAHAM CLULEY
They're very obedient. Anyway, this public shaming campaign, it's been quite clever because it's not just caught 74 people.

It's also made the whole criminal ecosystem feel less safe for everyone involved.

So I think if you are a 17-year-old, and you've been recruited to knock on doors for €50 a time, and you know there's a chance that you might have your photo taken by the doorbell and then appear on a motorway billboard, maybe you'll think twice about what you're doing.
DANNY PALMER
Yeah, it's gonna put you off.

It's gonna sort of make the pool of potential, for want of a better word, employees smaller if they think, okay, what if my friends, family, what if my mum sees I've been part of a criminal group?
GRAHAM CLULEY
Oh yeah, that's always the biggest deterrent of all, isn't it? If your mum finds out what you've been up to.

Now, listeners, as you've already suggested, Danny, there are sensible steps to take if you do get a call which claims to be from your bank.

Obviously, a genuine bank is never going to call you and offer to send someone to your house.
DANNY PALMER
No, I mean, the bank keeps doing the opposite these days. They want everything to go online. So, yes.
GRAHAM CLULEY
And real police aren't going to knock on your door and ask to take all your valuables away for safekeeping. That doesn't really happen either.

So if anything like that is offered to you, put your phone down, find the number yourself, just like you did, Danny.

I imagine, you know, look on the back of your bank card or something like that for a contact phone number.

Don't use the one that's been given to you on the phone and call the bank back directly.

And if you've got elderly relatives or neighbours, you know, have that kind of conversation with them because these operations, these criminal schemes, they are targeting people who grew up trusting institutions, like the banks, like the police, you know, those institutions that we've learned to be a little bit more suspicious of over the years.

Modern-day cybercriminals can be very, very convincing indeed. Well, we've got time now to talk about one of today's sponsors, Vanta.

Joe, what keeps you up at 2 o'clock in the morning?
JOE
The dog next door, mostly.
GRAHAM CLULEY
Oh, right. Well, yeah, but I'm talking professionally. What keeps you up?
JOE
Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
GRAHAM CLULEY
Exactly. Which is where today's sponsor comes in. It's Vanta.
JOE
Fanta, the fizzy orange drink. How can this possibly be true?
GRAHAM CLULEY
No, no, Joe. It's a Vanta with a V. It's a trust management platform. It's not a drink full of sugar.

It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
JOE
Lush, I hate questionnaires.
GRAHAM CLULEY
Well, who doesn't? Vanta continuously monitors your systems. It centralises your security data. It keeps your program audit ready all of the time.

It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
JOE
So basically it handles the boring stuff so we can focus on the interesting stuff.
GRAHAM CLULEY
Exactly. Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep. $1,000.

Head to vanta.com/smashing — that's vanta.com/smashing — and get started today.
JOE
And maybe get a decent night's sleep for once. Oh, and unlike fizzy drinks, Vanta isn't bad for you. That was a fruit twist.
GRAHAM CLULEY
Danny, what's your story for us this week?
DANNY PALMER
Well, Graham, even if you don't follow football, you might have noticed there's quite a big event going on right now. That is the World Cup. Ah! You're familiar with it, I take it?
GRAHAM CLULEY
I am familiar with the World Cup. I think I've heard of it.
DANNY PALMER
Yeah.
GRAHAM CLULEY
This is a football thing, I believe.
DANNY PALMER
It's a football thing. Yeah. Quite a big deal. So it started on June the 12th, and it runs all the way through to the final on July the 19th. So that's just over a month.

It's the biggest World Cup ever, in fact, featuring 48 teams from around the world. I'm a football fan. I'm aware of the World Cup. Wales aren't in it.
GRAHAM CLULEY
Oh.
DANNY PALMER
I'm used to that over the years. We qualified for the 2021 World Cup. Before that, the previous World Cup was 1958. So it's a rare thing for us, but now I still get to sort of—
GRAHAM CLULEY
Hang on, Danny. There can't have been a 2021 World Cup. Isn't it every 4 years?
DANNY PALMER
It's 2020, but there was something, something happened during 2020, which made them postpone it for a year.
GRAHAM CLULEY
Okay, got it.
DANNY PALMER
That would be a certain pandemic that sort of caused some problems and shenanigans around the world, let's say.
GRAHAM CLULEY
So, okay, there's 2 things I'm aware of, the World Cup and that pandemic thing. I remember that.
DANNY PALMER
All right.
Unknown
Okay.
DANNY PALMER
Anyway, main point, Wales not good at football. I am just watching as a general fan. So, right.

This biggest World Cup ever happens to be happening in the country that likes to do things big.

It's in the United States of America, which is hosting the tournament alongside Mexico and Canada. So this was decided about a decade ago, right?

When things were a bit smoother diplomatically between those countries, let's say. And admittedly, this hasn't gone without controversy.

There've been accusations of price gouging by FIFA and its official partners.

Fans, a referee, and even players from certain countries were told they weren't allowed into the Land of the Free due to visa issues and restrictions.
GRAHAM CLULEY
Which does prove a bit of a challenge, doesn't it, in having a football game if you're not allowed into the country?
DANNY PALMER
Yeah, it's a bit tricky. I mean, I think some of the teams that are playing in Canada and Mexico are not having these problems there, but in the US, they're having these problems.

And then there's the whole kerfuffle with the winner of the inaugural FIFA Peace Prize, the President of the United States of America, not being that peaceful in his approach to international diplomacy in the run-up to the tournament.

And on top of all that, obviously the key thing for us here is if you're watching it from the UK or Europe, the games are often late at night.

So weird times for us, but despite all that, the World Cup itself appears to be running rather smoothly.

And there's already been a bunch of excellent matches and moments on the pitch.
GRAHAM CLULEY
Right.
DANNY PALMER
Ultimately, hundreds of millions of people, and maybe billions, are tuning in to watch these matches.

So you'd expect FIFA to have strong, robust protections in place to ensure that nothing untoward can happen to the live broadcasts.
Unknown
Yes.
DANNY PALMER
Well, it turns out that may not have been the case.
GRAHAM CLULEY
Oh dear.
DANNY PALMER
Because this week, a security researcher who goes by the name of Bob de Hacker. You might have heard of her older brother, who is a builder.
GRAHAM CLULEY
Yes. But it's a bit strange for siblings to have the same first name.
DANNY PALMER
That is true, yeah.
GRAHAM CLULEY
But anyway, Bob de Hacker, yeah. What's she been up to?
DANNY PALMER
Well, she published a blog post where she claimed she could have hijacked live match feeds and Rickrolled millions of people watching games. Oh boy.

And despite this being the biggest World Cup ever and all that, it appears it was rather trivial for her to gain access because all she needed to start this process was some ID.

So, as detailed on her blog, Bob started with the FIFA agent platform.

So that's a public portal where football agents, that is the managers and advisors of football players, register that they are indeed football agents.

I don't know what paperwork you need to say you are a football agent, I imagine you just need a big fur coat and a huge cigar. Exactly. Yeah.

So to register, she had to upload some personal data and some ID, and there she was in.

She was part of the FIFA agent platform, which runs on Microsoft Entra, which, I believe, used to be part of Azure previously.

So while she was initially blocked from accessing the FIFA football data platform, she was able to bypass some of the guardrails on this. I mean, these haven't been specified.

And we'll shortly see why, but basically Bob found herself with access to the FIFA streaming management panel, partly hosted by a third-party provider called MediaKind.

And Bob said what she saw made her jaw, and I quote, "hit the floor."
GRAHAM CLULEY
Was she as sick as a parrot?
DANNY PALMER
Hahaha. Well, let's assume yes. For in front of her eyes was the live production streaming management panel for the FIFA World Cup 2026.

She could, through this panel, gain access to every match, every camera angle, every stream. Ultimately, that is live video streams for live matches. And this wasn't just read-only.

She could have played around with the live broadcast.
GRAHAM CLULEY
I thought you were going to say that she could just watch all of these for free, but what you're saying is she could actually alter them as well.
DANNY PALMER
Yes, she could sort of control the feeds, as it were. What would you do if you stumbled upon that sort of power?
GRAHAM CLULEY
If I had that kind of power, what I would do is I would take my phone to the local park where there's a bunch of 7-year-olds having a kick around with a football.

And I would— I would maybe get them to dress up. We'd have one side dressed up in the Portuguese football kit and the other side as Cape Verde. No, I'd have the US versus Iran.

That's what I'd do. I'd get them to dress up in the Iranian football kit and the American football kit, and I would broadcast it. How brilliant would that be?
DANNY PALMER
I thought you'd say you'd go into the park, you can turn it into a Springwatch type of thing. But no, that is a good idea.

Well, what Bob said is that with the access she had, she could have just gone for what she described as the nuclear option and Rickrolled the entire world, which seems like a hacker thing to do, doesn't it?

It does. Because Bob is a responsible ethical hacker, nothing happened.

But it's not hard to imagine that if someone with nefarious intentions had found this lapse in cybersecurity, they could have done something much worse.

They could have shut down the live broadcast of one of the biggest sporting events in the world. People notice that sort of thing.

They could have taken advantage of the ability to choose what to broadcast by unleashing unsavoury content.

An attacker could have got hold of or messed around with data and broadcasts.

Then of course there's all the websites that rely on this platform for, even if they're not showing the actual match itself, updating scores.

If you go to the BBC Live Football page, it'll be through that. There are implications of this security vulnerability for an event watched by hundreds of millions of people.

But as an ethical hacker, Bob wanted to disclose what she had found. It seems this was more difficult than gaining access to FIFA's live streaming platforms themselves.

She's listed on her blog post, which I'm sure we'll link to in the notes, the 10 steps she had to go through to actually get someone to apparently listen to her.

So prepare yourself. Step 1: First, she tried to disclose the vulnerability directly to FIFA by several publicly available email addresses.
GRAHAM CLULEY
Right.
DANNY PALMER
These messages either bounced or received no response. Or as she described it, disappeared into the void. Second attempt, she reached out to a person.

She found the LinkedIn account for the Head of Football Technology and Data at FIFA and tried to reach out to him.
GRAHAM CLULEY
Okay.
DANNY PALMER
No response.
GRAHAM CLULEY
Oh dear.
DANNY PALMER
Her third go, she tried to contact the FIFA headquarters in Zurich directly. She didn't receive a response there. She also tried calling the FIFA media line. Same result.

No one was there.

In her, what are we on now, fifth attempt to get through to someone, Bob called the Dallas Convention Center, which for the World Cup is home to the temporary International Broadcast Centre, which is basically where all the media involved in covering the event are based for the duration.
JOE
Okay.
DANNY PALMER
Nobody picked up and Bob left a voicemail message. So that's quite a few attempts now just to tell someone about this.
GRAHAM CLULEY
Yes.
DANNY PALMER
She then phoned MediaKind, the hosting partner for the streaming, and she got through to someone.

She said that person understood immediately what the issue was and asked her to email details as proof, which she did.

But she isn't sure if action got taken immediately at that point.

So she tried contacting Host Broadcasting Services, a specialist media organisation which helps to broadcast major events like this.
GRAHAM CLULEY
Did she think of sending a Truth Social message to the winner of the inaugural FIFA Peace Prize?

Because he's normally online, and I believe he probably has the mobile phone number of the FIFA president. I'm just thinking, go to—
DANNY PALMER
You're right, yeah. Unfortunately, I don't think she thought of that. But lessons to be learned there.
GRAHAM CLULEY
Yeah.
DANNY PALMER
But this 7th attempt, calling this host broadcasting services, she got through to someone, but they said on the phone they didn't have anyone there who could help, and they hung up on her.
GRAHAM CLULEY
Right.
DANNY PALMER
And then didn't answer any further calls. You wouldn't want that if you're calling, say, the police, and they went, "Ah, nah, sorry, mate. Nothing to do with us," and hung up.
GRAHAM CLULEY
Bob de Haka has shown remarkable patience by this point.

I would be tempted to think, why don't I just take over one of the streams and put up my email address on the screen and say, if you want this fixed, contact me and I'll tell you what the problem is.
DANNY PALMER
That would have been eye-catching. I imagine she would have gotten a bit of trouble for doing that though.
GRAHAM CLULEY
Probably would. But you can understand why someone might feel so frustrated they would do that.
DANNY PALMER
Definitely. So at this point, she's clearly getting a bit fed up that the situation hasn't been fully resolved.

So she contacted CISA, the critical infrastructure agency in the United States.
GRAHAM CLULEY
Oh yeah.
DANNY PALMER
Which holds the official title of federal lead on cybersecurity for the FIFA World Cup 2026, including broadcast services.
GRAHAM CLULEY
Okay. I was wondering why on earth CISA would be involved in the World Cup. Was that really critical infrastructure?

But okay, they have somehow allied themselves with the World Cup, maybe for a few cheapo tickets in order for giving some cybersecurity advice.
DANNY PALMER
Well, I suppose the stadiums are infrastructure.
GRAHAM CLULEY
I suppose they're— okay, I suppose they are.
DANNY PALMER
You don't want those getting ransomwared and fans not being able to get in. That would be embarrassing, I imagine.
GRAHAM CLULEY
Fair enough. Okay, so CISA now are going to fix this problem.
DANNY PALMER
Well, they listened and asked for more information, which she sent across. And it seems that they responded positively.

And then she made a final attempt because, you know, she had contact at the FBI from some previous work she'd done.
GRAHAM CLULEY
I bet she does.
DANNY PALMER
Yeah, who said they'd look into the disclosure right away. So it seems that after all this effort, the vulnerability was fixed. So all of this effort was for something.

But as has been reported by various media outlets and Bob themselves, FIFA haven't acknowledged that this was a thing which was a problem.

They haven't acknowledged that Bob tipped them off.
GRAHAM CLULEY
Yeah.
DANNY PALMER
Maybe they were too busy hobnobbing with celebrities and world leaders, perhaps.
GRAHAM CLULEY
If you've got the choice of answering a message from some vulnerability researcher, some security bod on the internet or hanging out with Shakira, which are you gonna do?
DANNY PALMER
You're probably right, I imagine. You don't get to meet celebrities very often, I suppose.
GRAHAM CLULEY
No.
DANNY PALMER
In any case, it feels like it should not have taken this much effort to get the issue, which boiled down to a simple client-side authorisation issue with no server-side enforcement, sorted.

And FIFA might consider themselves lucky that it wasn't someone more nefarious who was trying to do something like this.
GRAHAM CLULEY
Yes.
DANNY PALMER
Bob concluded the write-up with some advice for FIFA, which was, "When a researcher has to call CISA and the FBI to reach you, something is wrong." And she recommended that they might want to start some sort of bug bounty programme before signing off with the phrase, "So long and thanks for all the fish."
GRAHAM CLULEY
This episode is sponsored by ProtonPass.
JOE
ProtonPass, the password manager from the team behind ProtonMail, the world's largest end-to-end encrypted email service.
GRAHAM CLULEY
Now, Joe, you and I both know the grubby little secret of how a lot of businesses actually share passwords.
JOE
A spreadsheet, a Post-it note, sending it to a colleague via Slack and hoping for the best.
GRAHAM CLULEY
That's pretty much it. All of the above. And every one of them is a breach waiting to happen.

ProtonPass is built to fix exactly that, letting teams store and share credentials securely, with end-to-end encryption baked into every feature.
JOE
It's open source and fully auditable. It runs on Swiss infrastructure, so your data sits outside US jurisdiction, and it's backed by a nonprofit.

No venture capitalists, no pressure to chase a quick exit.
GRAHAM CLULEY
Which is the bit I like. You know, it's built to serve you, not investors.

So it will never be pressured to cut security corners or rush towards a liquidity event that could change ownership, pricing or priorities overnight.

It's trusted by over 100 million people, ISO 27001 certified, SOC 2 audited, and it helps you tick the boxes for NIS2, DORA, and the UK's Cybersecurity and Resilience Bill.
JOE
And crucially, people actually use it. One Swiss customer told Proton, and I quote, "It works. It works perfectly." High praise indeed.
GRAHAM CLULEY
So why not start your business's free trial right now at proton.me/smashingsecurity.
JOE
And thanks to Proton Pass for supporting the show.
GRAHAM CLULEY
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
DANNY PALMER
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily. Now, my pick of the week this week is not security related.

My pick of the week this week may take you back to your geography classroom, Danny.
DANNY PALMER
Remember them well. I was one of those people who enjoyed geography, I will say.
GRAHAM CLULEY
Yeah, geography's all right, isn't it? I mean, basically you learn how an oxbow lake is made.
DANNY PALMER
Very important information, isn't it?
JOE
Yeah.
DANNY PALMER
Erosion.
GRAHAM CLULEY
A bit of erosion. Yes, that was good.
DANNY PALMER
Stuff that sticks with you, even if it's not particularly useful for everyday life these days.
GRAHAM CLULEY
Well, I wonder whether the image of an iceberg has stuck with you.

That picture, the sort of cross-sectional image of the part of the iceberg which is above water and the part of the iceberg which is beneath the water.
DANNY PALMER
Now you mention it, I think it does. Yeah, they're quite large, these things, I believe.
GRAHAM CLULEY
Well, this is the whole thing, isn't it?

Is that you get a little bit above the water and then you get this huge mass underneath and it's always like, oh, that's not the— that's the bit which isn't visible.

It's like a mountain underneath the much smaller hill above the water. So we've all seen that. But have you ever asked yourself, is that really true?
DANNY PALMER
Well, I've not really thought about that in depth, as I assumed it was true because an expert in geography and icebergs was telling me it was true.
GRAHAM CLULEY
Well, I am going to question this because although it is true that only about 10% of an iceberg is above water, I don't think it necessarily matches that image that we've been given.

And this astonishing truth has been revealed to me by a website which I have visited.

A website created by a chap called Joshua Tauberer, where he actually invites you to examine the physics of all of this.
DANNY PALMER
Does sound very interesting. And that's not being sarcastic either. That does sound interesting to me.
GRAHAM CLULEY
Right. So this is a site which allows you to draw an iceberg. So it has the waterline. You draw the shape of an iceberg.

So imagine that one, which you can see from that image with just a little bit on top and the huge massive mountain underneath.

Draw that, and then it shows you how it would actually float. And what you find is that the iceberg will sort of adjust itself and change its position.

So you don't end up with Everest underneath.
DANNY PALMER
No, and it doesn't just sink, I presume.
GRAHAM CLULEY
Yeah. I'll put a link in the show notes, but why don't you go and try it for yourself right now? Cool.

I'm looking at one here which someone else has drawn, which is an image of something which appears to be like a unicorn's head.
DANNY PALMER
I see it, yes.
GRAHAM CLULEY
Well, why would it have to be a particular shape? Anyway, you draw your own little iceberg and see what happens.
DANNY PALMER
Huh, I can't think what to draw now.
GRAHAM CLULEY
Draw a traditional iceberg, how you imagine it would be underneath.
DANNY PALMER
I was just talking about football. I'm just going to draw a ball. I've drawn something more like a rugby ball there. Oh, it's sunk and most of it is underwater.

Drawing a circle is a difficult thing, but I like how it bobs up and down. That's cool.
GRAHAM CLULEY
Anyway, check out the show notes. I think this will be a revelation to you that we've been lied to by geography teachers as to how icebergs actually float.

Yes, they only have a little bit above the water, a little bit of their mass. We agree on that. But you're not going to have this colossal mountain shape underneath.
DANNY PALMER
Huh.
GRAHAM CLULEY
And so this revelation is my pick of the week. Danny, what's your pick of the week?
DANNY PALMER
So my pick for the week is a video game I've recently started playing. It's a modification for the video game Fallout 4.

So, first things first, Fallout video game series — it's a popular video game series which is set in a post-apocalyptic nuclear world.

Sounds quite dark, but it tends to take quite a sideways, sort of funny look at things. So in this dark world, there's elements of humour. I'll give you an example.

In the game Fallout 4, based in Boston, you can go down into a bar and the skeletons at the bar, which have been nuked in this war, they look suspiciously like people who might frequent the bar Cheers.

There's a postman at the bar, or a photo guy, kind of thing, so yeah — they've always had quite tongue-in-cheek humour in the games.

That Fallout 4 came out 10 years ago now, which is mad to think about. And a couple of years ago, about a year ago, a mod came out, so a fan-made modification of the game.
GRAHAM CLULEY
Yes.
DANNY PALMER
It's Fallout London, so they've taken this world and placed it in London, which is very impressive, especially for a fully fan-made project.

And, you know, as someone who lives in London, I'd say the map is generally quite accurate.

Basically, when you start the game, it dumps you near New Cross Gate, which isn't that far away from me.
GRAHAM CLULEY
Right.
DANNY PALMER
The fun thing is though, that the people who made it, they know London because the exact shopping centre that I've visited in Bromley is in the game. Wow.

There's even a thing where there's an equivalent of Boots exactly where that should be. There's an equivalent of a Games Workshop exactly where that should be.
GRAHAM CLULEY
And this is a post-apocalyptic London, right?
DANNY PALMER
It is. Yeah.
GRAHAM CLULEY
So this is based on London after the Brexit vote.
DANNY PALMER
Yes. And the nuclear Brexit.
GRAHAM CLULEY
Yes.
DANNY PALMER
A lot of effort has gone into this and it also has some surprise celebrity cameos. I'm not that far into it, but it's a lot of fun. A lot of love and effort has gone into this game.

And if you own Fallout 4, it's completely free.
GRAHAM CLULEY
Right.
DANNY PALMER
That's my pick of the week. Come visit post-apocalyptic London, it's great.
GRAHAM CLULEY
And go and visit Danny in his local Boots.
DANNY PALMER
Fantastic.
GRAHAM CLULEY
Great pick of the week.

Now, Black Kite has just released its first report focused specifically on Europe, covering ransomware and data extortion across 31 countries between January of 2025 and April of this year.

And the findings of that report paint a pretty clear picture of how attacks are accelerating. It's not just about a growing number of victims who are being reached directly.

There's also, of course, a lot of companies who are being hit through their suppliers.

So to dig into this report and walk me through the research, I'm really delighted to have on the show Jeffrey Wheatman, who is senior VP at Black Kite. Jeffrey, welcome to the show.
JEFFREY WHEATMAN
Graham, it is a pleasure and an honour to be here with you.
GRAHAM CLULEY
Oh, steady on, old chap. Enough of the mutual backslapping. This is Black Kite's first report specifically focused on Europe.

So my question to start off with is what made now the right time to really look at what's going on in Europe?
JEFFREY WHEATMAN
That's a great question. And I'll sort of look back on my whole career — I feel like many American technology companies are very focused on America, North America.

And I think that we live in a global economy and the reality is there are some different drivers and different approaches that take place in the EU, in the UK, in the whole region.

And we just saw some interesting trends, because we have a ton of data.

We saw these interesting trends and we decided it was worthwhile maybe doing a focus on some of the countries in the region.

And it turned out we found some really interesting things. And I think really the answer to your question is, why did it take so long for people to start focusing in Europe?
GRAHAM CLULEY
Right, right. Well, I think some of the things which you've dug up in this report are interesting. It's worth digging through these.

So the headline number is this big rise in ransomware attacks in early 2026.

So you're saying there's been a 55% year-on-year rise in those attacks, which is quite a big jump, isn't it?

Is that genuinely more attacks or are we just getting better at counting ransomware incidents?
JEFFREY WHEATMAN
So I think there are a few parts to that. I think there are definitely more attacks.

We saw a huge number of CVEs last year and with Mythos and the Frontier models, we think that's going to continue to spike. So it's definitely more attacks.

We are also getting better at counting them, in large part because of the regulatory environment. Companies are being required to make announcements when they have breaches.

In the US, for example, if you're publicly traded and you have a material breach, you have to make an announcement. The EU, we know, has very similar things.

DORA for financial services, NIS2 — all of these things are requiring organisations to be much more open. So I think it's really a combination of both of those things.

There's more of them and we're being forced to talk about them more. And the other thing that I think is important is it used to be very much about data.

It's still about data, but now it's much more about resilience.
GRAHAM CLULEY
Okay.
JEFFREY WHEATMAN
Right. Can you keep your business up and running even if something bad happens to your partners who you don't directly control?
GRAHAM CLULEY
Yeah. Which is the scary thing, isn't it?

You may have your own house in order, but the problem is that you're letting in all these other people or you're letting other people's code into your organisation.

And potentially that's a route through which you can suffer a ransomware incident.
JEFFREY WHEATMAN
Yeah, I present all over the world and I always get up on stage and say, look, you're all perfect at defending against ransomware.

You're not, but I'm gonna give you the benefit of the doubt. But what I can tell you for sure is your partners, they're not.
GRAHAM CLULEY
Right.
JEFFREY WHEATMAN
And that kind of opens people's eyes up a little bit.
GRAHAM CLULEY
This problem of ransomware, it's not hitting everywhere equally, is it? The geographic picture around this, it's really quite striking.

You're reporting nearly 70% of the incidents landed in just 5 countries. So you've got the UK, Germany, France, Italy, Spain.
DANNY PALMER
Yep.
GRAHAM CLULEY
Is that just because they're the biggest economies in Europe, or is something else going on? Germany in particular seems to be having a really rough time.
JEFFREY WHEATMAN
Yeah, I think it's again a combination. I think it's because their economies are bigger, there are more targets there.

Infamous US bank robber Willie Sutton, when they asked him why he robbed banks, he said, 'Cause that's where the money is.' And that's definitely the case.

We also think that in part some of it is related to the regulatory environment. People are gonna be quicker to pay, I think, because of the potential financial impact if they don't.

And then the other thing too, I think for global companies, they're more likely to have a presence in these 5 nations than others.

As an example, it's because the economies are big, but really the targets are just bigger. So that's what the bad actors are gonna go at, right? It's a magnification game for them.

And I always say bad actors are like water. They take the easiest pathway.

And frequently the easiest pathway is going to be where you have the most opportunities and the most targets and the most concentration.

And that's why we think that these particular countries are getting nailed so badly.
GRAHAM CLULEY
And when you're talking about bad actors, you're not talking about Nicolas Cage, you are talking about—
DANNY PALMER
Don't—
JEFFREY WHEATMAN
Hold on, hold on, Graham. Do not badmouth Nicolas Cage. Nicolas Cage is one of the finest actors of our generation.

He's not always good at picking scripts, but he is a terrific, terrific actor. We just watched Spider Noir and he was fabulous in that.
GRAHAM CLULEY
I haven't seen that one yet. Now, talking about these threat actors, though, Qilin, Q-I-L-I-N, pronounced Qilin, I believe. They pop up in 26 of the 31 countries you looked at.

What's made them so prolific as a ransomware gang?
JEFFREY WHEATMAN
The short answer, they run this thing like a company. They don't run it like a ransomware gang. They run it like a criminal enterprise. They provide ransomware as a service.

So if I want to go after a company with ransomware and I don't have the tools, they'll do it on my behalf. So that's a magnification.

They are using what we call double extortion, which is they exfiltrate the data and then they encrypt it.

So even if you have really good backups, that's not enough because they have your data and they're going to send it out. And there are a couple of examples around that.

They're also always improving. They're paying attention to the software market. They are updating their software. They're testing everything against all of the detection tools.

They're also focusing in a very opportunistic way in areas where downtime is significantly impactful from a dollar, pound, euro perspective. It's not haphazard.

They're going after companies that they know cannot afford to have any downtime.

The bottom line is they operate like a company and not like a gang, like these organisations used to do.

And if I'm a bad actor and I do business with them and it works and they support me, I'm going to continue to do business with them just like any company.

And that's why we think their presence is so high.
GRAHAM CLULEY
So another thing which caught my attention were the most hit sectors. Now, what types of industry are getting hit? Manufacturing — nearly 28% of all incidents.

But it's IT services which is the single most targeted subsector. Why does that matter, do you think?
JEFFREY WHEATMAN
So I'll talk about manufacturing very briefly, and then I think the IT services is really interesting.

So manufacturing traditionally, they haven't put a lot of time and effort into cyber because that's not what they're in business for. They're not about moving ones and zeros.

They're about making physical things.

What we've seen in the last 18 to 24 months, very visibly, is that these organisations are getting hit with ransomware and it's causing downtime.
GRAHAM CLULEY
Yeah.
JEFFREY WHEATMAN
And that is very, very painful for them. And we have some great examples — KNP Logistics, which is in your neck of the woods. LastPass, two years ago they got hit with ransomware.

They were out of business in 125 days — a 156-year-old shipping and logistics company. We saw Jaguar Land Rover last year got hit with an attack.

It had an impact on the GDP of the UK, one of the biggest economies in the world. This is big money now.
DANNY PALMER
Yeah.
JEFFREY WHEATMAN
IT services is a slightly different target. They are going after those organisations — why? Because they're connected into multiple organisations.

So the blast radius of these IT service providers is really, really big. And, you know, as an example, we saw a breach last year that went after Royal Mail.
GRAHAM CLULEY
Yes.
JEFFREY WHEATMAN
And they got breached through a German data collector called Spectos. Well, Spectos provides data collection for a bunch of different organisations in a bunch of different sectors.

So it was this magnification thing. We also saw Miljödata in Sweden, which is an HR company.

Most people have never heard of them — I never heard of them until they showed up in the report.

Well, the bad actors went after them and they compromised 200 entities — governments, universities, et cetera, and Volvo, a big car company.

And they compromised one company and had access into hundreds of organisations. So IT service providers tend to be that single repository. They have their fingers everywhere.

And we run up against the shoemaker's children problem — they generally are not focusing enough on locking down their own stuff, even though they're providing these services in a lot of cases for customers.
GRAHAM CLULEY
So it's the whole supply chain problem once again, isn't it?
JEFFREY WHEATMAN
Yeah.
GRAHAM CLULEY
Yeah. Which is what the bad guys are exploiting here.

You can have all kinds of different businesses out there, but if they're reliant upon some kind of IT service provider and the IT service provider gets hit.
JEFFREY WHEATMAN
Yeah. And then you're in. And the reality is most of these IT service providers are considered trusted entities.
GRAHAM CLULEY
Yes.
JEFFREY WHEATMAN
And therefore, once you compromise them, get their credentials, you're inside and you're trusted. And once you're inside, the monitoring is gonna change.

What they're looking for is gonna change. And I don't think people look enough at sort of data exfiltration in bulk and those kinds of things.

So it's definitely an ongoing challenge. And I think we need to hold these folks to higher standards. And I don't think a lot of organisations out there recognise that.

You know, I always badly paraphrase Animal Farm by George Orwell. All partners are equal, but some partners are more equal than others.

And we see organisations struggle with prioritisation. This is not unique to the EU or the UK. This is a global problem.

But in these cases, we're seeing some specific examples that are regional in nature.
GRAHAM CLULEY
And I think one of the takeaways I took from your report, and it makes really clear, is that this is now a legal question as much as a security one, because European regulation has fundamentally shifted where the accountability sits.

We've got the likes of NIS2 and DORA, which you've mentioned. The message is quite plainly that now you are legally accountable for your suppliers' security, not just your own.

But has that message got through to organisations yet?
JEFFREY WHEATMAN
I think a little bit.

I've always said that the EU and the UK has definitely been more risk-aligned in the way security and information security and cybersecurity have been practised.

So I think historically that's the case. I think it is still the case.

And I think a byproduct of that is the regulations tend to be more risk-based and therefore they make much more sense within a business context.

So that being said, I think until we see people see these big financial impacts like JLR, like Knights of Old, KNP, I mean, I told that story in our customer advisory board and one of my customers in manufacturing put their hand up and said, yeah, that cost us $50 million 'cause the truck didn't show up with raw materials.

Right?
GRAHAM CLULEY
Right.
JEFFREY WHEATMAN
So the regulatory environment I think is definitely shifting.

I think one of the things that we at Black Kite focus on as a really, really important objective is collaboration is the key to success. The bad actors are collaborating.

They do it really well. They do it through affiliate networks. This is some stuff that shows up in the report. We are bad at collaborating. We are way too competitive.

We don't want to put out there what's going on because they don't want anybody pointing a finger and blaming. And that again is a global problem.

But I think that slowly but surely organisations are starting to realise, and if you look at attack surface management or continuous threat and exposure management, whatever the analyst firms call it these days, what we're starting to see is that security operations centres, the SOCs, are starting to realise that their perimeter is not the perimeter they need to focus on.

It's really about the perimeter that includes third parties. And as you mature, fourth, fifth, and sixth.

So I think from an operational perspective, I think we're seeing that from a regulatory perspective, we're seeing that, but it's always very slow.

I mean, you've been around a while.

It is very hard to get the board to shift focus, to get the CEO and the CFO and the COO to shift focus because they're focused on money coming in, money going out, and if something goes bad, who gets in trouble?
DANNY PALMER
Yep.
JEFFREY WHEATMAN
So we need to start more aligning our talk tracks and our conversations with money coming in, money going out, and who gets in trouble.

And I think it's happening and I do think it's accelerating. And I think a few years down the road, I think there will be much more focus on it.

I mean, the market we're in is growing like crazy. We are seeing a lot more interest now than we were last year and more last year than two, three years ago.

And I think that is a reflection of the focus there and the fact that people need to pay more attention to this.
GRAHAM CLULEY
Now, this podcast, we're lucky enough to have listeners around the world, not just in Europe. And I think this report is actually relevant to folks outside of Europe as well.

I think there's a lot we can learn from this.
JEFFREY WHEATMAN
Yeah.
GRAHAM CLULEY
For anyone who's listening who runs security, what's the single most important thing your report tells them to go and do?

You know, tomorrow when you arrive at your desk, what should you be doing?
JEFFREY WHEATMAN
I'm gonna cheat and I'm gonna give you a three-part answer.
GRAHAM CLULEY
Okay.
JEFFREY WHEATMAN
So the first part, Graham, is you need to inventory your suppliers. I talk to so many people and I say, how many vendors do you have? And they go, 50? I go, there's no way.

My wife runs a business out of our kitchen. She's got 36 suppliers. You have way more than 50, and it's not just IT suppliers, it's all of your suppliers. So that's the first.

The second thing is a follow-up to that. You need to prioritise them. You need to tier them. Not all of them are going to lead to the same exposure.

And then the third piece of that is you need to identify single points of failure.

A friend of mine was the chief security officer for a global manufacturer, and they had one supplier that manufactured a screw. That screw was only manufactured by that company.

That screw went into a module that went into an aerospace guidance system that went into military hardware all around the world. That small company was terrible at cyber.

And the CISO went to the board and said, "Look, I need $5 million. I gotta go buy a bunch of screws." And the board said, "What?" And he articulated that story.

They gave him the money and lo and behold, Graham, two weeks later, that screw supplier got hit with ransomware.

They were down for three weeks and this company didn't lose a minute of production.
GRAHAM CLULEY
Right?
JEFFREY WHEATMAN
So if you don't have alternatives, you need to understand what your fallback is and can you be proactive? So I think those are really the key things, right?

So inventory, tiering, and identifying your critical points of failure. And I think that gets people closer to where they need to go.

There's obviously a bunch of stuff you need to do after that, but if you don't know who your partners are, how do you get them to change?

How do you get them to be more aligned with what we want them to do? And the answer is you can't. Because you're not engaged with them. And that's a problem.

And with AI, I don't know if anyone out there has heard it. It's this new technology, artificial intelligence. It's crazy, apparently.

And we're seeing more and more of that in organisations and agentic workflows and MCP servers and all of this stuff.

You're connecting to a bunch of people you don't know and never agreed to do business with.
GRAHAM CLULEY
Well, it's been really fascinating chatting with you today.

And listeners, if you want to learn more, you can find the 2026 European Cyber Risk Report — download your own copy at blackkite.com/smashing.

We'll put a link in the show notes as well. Jeffrey Wheatman of Black Kite, thank you so much for joining us today.
JEFFREY WHEATMAN
Graham, it has been an absolute pleasure. You have a great rest of the day, my friend.
GRAHAM CLULEY
Thank you.

Well, that just about wraps up the show for this week. Thank you so much, Danny, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
DANNY PALMER
Thank you for having me, first of all, and you can follow me on LinkedIn, Bluesky, trying to get back into using Mastodon more.

Got my website as well, which I should update far more regularly than I do. And of course, for the next sort of 6 weeks or so, you can catch my articles on infosecuritymagazine.com.

I'm still there until my contract is up, and then I'll be off to explore the world on my own again.
GRAHAM CLULEY
Terrific stuff. And you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky and Mastodon, and even Reddit.

And don't forget to ensure you never miss another episode — follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.

Episodes, show notes, sponsorship info, guest lists, and the entire back catalog of 473 episodes — check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
DANNY PALMER
Bye-bye.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley, and huge thanks, of course, to Danny Palmer for joining us this week and to this episode's sponsors, ProtonPass, Black Kite, and Vanta.

And you know what? We've also got to thank the patrons, haven't we?

Yes, those people who've signed up for Smashing Security Plus, because we're going to pick a few of their names out of the hat right now to thank them. Thank them specifically.

We've got Daniel Kromeck, sounds like a dab hand at opening a jar of pickles. Jack Unverfurth. Orborus, which is, could be a person, maybe a snake with an appetite for its own tail.

Dan H, who perhaps wisely thought twice about sharing his surname.

Billy loves the podcast, but is even more privacy conscious than Dan, and so can't even tell us a single letter of his surname. MJ Lee.

Well, we know their surname, but we're just getting initials for the forenames now.
GRAHAM CLULEY
Who else?

Saital, Mark Norman. Could be— sounds like should probably be presenting the 7 o'clock news. And the utterly delicious Sammy Doza.

Those are just a few of the members of Smashing Security Plus.

And because they are members, they get their episodes ad-free and earlier than the general public, and they can have their details pulled out at random and mercilessly mocked at the end of the show.

If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus, because it puts a few shekels in my pocket, and I'm always grateful for that.

Keeps the servers running. But you don't have to support us financially. You can also support us in other ways.

You can subscribe, leave a 5-star review, or maybe tell your friends about the show. Simply spread the word. Why not?

Because every little bit helps and it makes all the effort worthwhile. Until next week, where I hope you'll be tuning in again. Cheerio. Bye-bye.

EPISODE DESCRIPTION:

A polite caller from your bank says there is a problem with your account. Don't worry - they'll send someone round to help. They'll even take your cards away to keep them safe. The scam ran rampant until Dutch police plastered blurred photos of 100 suspects across billboards, supermarkets, and TikTok, with a two-week ultimatum to turn themselves in... or else.

Meanwhile, a security researcher called Bob DaHacker got her hands on the live broadcast controls for every match of the 2026 FIFA World Cup. She could have Rickrolled the entire planet, but actually spent days trying to find anyone at FIFA who would pick up the phone.

Plus! Don't miss our featured interview with Black Kite's Jeffrey Wheatman exploring ransomware and extortion attacks across Europe.

All this and more in episode 473 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.

SPONSORS:

  • Black Kite - Read Black Kite's 2026 European Cyber Risk Report to explore the latest ransomware trends, top threat actors, and how supplier breaches are reshaping cyber risk across Europe.
  • Proton Pass - The password manager for businesses that can't compromise on security or slow their team down. Start a free trial.
  • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.