Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 93
Afternoon Cyber Tea with Ann Johnson 3.19.24
Ep 93 | 3.19.24

Inside the Smashing Security Podcast

Show Notes
Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I'm joined by Graham Cluley and Carole Theriault, fellow podcast hosts of the show Smashing Security. Smashing Security is this incredibly helpful and really hilarious take on tech snafus. Each week, Carole and Graham talk about, yeah, [laughter] I know, that's a great way to put it, isn't it? [Laughter] All right. We're going to have some fun today, by the way, on Afternoon Cyber Tea, [laughter] and we're going to have Carole and Graham. They chat normally about cybercrime and hacking and online privacy and all kinds of things. But I want to first welcome you to Afternoon Cyber Tea, Graham and Carole.

Graham Cluley: Thank you very much. What a delight to be here.

Carole Theriault: Thank you so much for having us. It's such a pleasure.

Ann Johnson: So you are both industry veterans, researchers, speakers, authors, and I would love to go back to the very start. Can you briefly tell the audience how you got your start in cyber and why you've stayed all these years? Carole, [laughter] let's start with you.

Carole Theriault: Okay. So, like many people I think at the time, I kind of fell into cybersecurity. So I'm not from the coding or development world, you know, but I did find my niche or niche, right, niche, being a person that could be a bridge between analysts and researchers and developers and those kinds of people and the rest of humans that use computers. And I don't know if this was easy, like this was the mid-'90s. The industry was young. It was very researcher-led where I worked. And researchers, no matter how smart they are, they don't necessarily have the strongest cross-industry communication skills, right? So, and they don't necessarily see this as an obvious need, you know?

Graham Cluley: Surely not. Surely not.

Carole Theriault: It's kind of -- [ Laughter ]

Ann Johnson: Yeah.

Carole Theriault: I kind of compare it to like mechanics, you know, who know everything about, you know, a broken engine in a car and, you know, you're there with your broken car and they start telling you about the car's problem like in detail. And they're using these car terms and you don't understand and they're talking fast. And this is because they're used to speaking to other fellow mechanics all the time, not like the average person who just uses a car. And you just tune out. So my job became how to create fun and engaging narratives that would get like the important cybersecurity messages out there, be it passwords are important or don't trust every advert you see, you know, all these kind of things. And now we do it through podcasts, through Smashing Security with my longtime colleague and dear friend, Graham Cluley. [Laughter]

Ann Johnson: Graham, let's talk about your career. Why are you still doing this?

Graham Cluley: Why are you? Well, well great question. [Laughter] Why am I still doing this? I'm not sure. I mean, really, how ridiculous is it? First of all.

Carole Theriault: Is this where you're going to break up with me? [Laughter]

Graham Cluley: Yeah, exactly. [Laughter] Let's do it right now.

Carole Theriault: This is the stage.

Graham Cluley: [Laughter] On the Afternoon Cyber Tea, let's do the break up.

Carole Theriault: My work husband.

Graham Cluley: First of all, I'm upset that Ann has described us as veterans. I mean, that's quite insulting to begin with, [laughter] to make a big thing about our age and how long we've been doing this for. That's pretty insult. I mean, veterans normally, I think I sort of think of Vietnam or something like that. And in some ways, I do feel a bit like [laughter] we might have been through something hideous like that. But, yeah, I've been working in cybersecurity now since before it was called cybersecurity over 30 years. I actually began as a student writing computer games. And at the end of some of my computer games, which were distributed as shareware, it would play the tune from Love Story and it would say, I'm a poor, impoverished student. All I dream about is going to visit my girlfriend who's studying in Paris, send me a packet of cheesy biscuits and a check for 10 pounds and you'll make me happy. And I'll be able to go to supermarket and stuff myself with cheesy biscuits. And one day, a parcel appeared on my doorstep and I opened it up. There was a check for 20 pounds, which is more than I asked for, an actual packet of cheesy biscuits so I didn't have to go down the supermarket, and a copy of Dr. Solomon's antivirus toolkit. And there was a letter from this guy, Dr. Solomon, who said, "My kids, my two girls love your computer games. They've done some drawings. If you want a job, let me know." And I rang him up and I went for an interview and I got a job in the antivirus business writing one of the very first Windows antivirus programs for Windows 3.0. Thank you, by the way, Microsoft for Windows 3.0. That was a pleasure to write for, let me tell you. [ Laughter ] But anyway, this, but yeah, I've been doing that ever since, working in both technical and communications roles. And for the last seven years, working with Carole. We worked together at a security company, but the last seven years as independents, we've been working on the Smashing Security podcast, which has been great fun.

Ann Johnson: So let me add a couple comments here first, Graham. If you were 30 years ago, still in schooling, doing games.

Graham Cluley: Yeah.

Ann Johnson: I'm actually older than you. So the veteran's [laughter] comment, now I'm taking it personally.

Graham Cluley: I left school a bit late because I kept messing up my exams, so I had to retake them. Let's just put that into context, okay. But, yeah. [Laughter]

Ann Johnson: Oh, understood then. The second comment though, and I, you know, before we get into the meat of this conversation, is I had always thought that a biscuit to you would be what we would call a cookie, and I'm trying to get my head around a cheesy cookie. [laughter]

Graham Cluley: You guys are missing out.

Carole Theriault: I've lived here 20 years and I still don't understand it. [ Laughter ]

Graham Cluley: This is obviously the failings in American civilization is they haven't grappled with a concept of a cheesy biscuit, which is a delicacy over here.

Ann Johnson: I'll have to make certain next time I am over the pond that I acquire some because that sounds like something I would love. Okay. So let's talk about Smashing Security. Look, it's a household name in the cyber world. Can you talk a little about how it came to be? What inspired both of you to create it in December of 2016? And Graham, let's start with you this time.

Graham Cluley: Well, I think Carole will agree with me that Smashing Security was entirely my idea. [Laughter] It was my concept. It was my instigation. No, the truth is that for some years, Carole has always loved podcasts, from the early days of podcasts, and she kept saying to me, why don't we do a podcast? Why don't we do a podcast? And for years and years, she nagged me that we should do one. And eventually, one drunken evening, probably, I don't know, but for some reason, she had some blackmail on me. And so we began to produce a podcast, and it turned out to be quite popular. And we've been doing it pretty much every single week since. I think we're just up to about 360 episodes, something like that. So [laughter] we've done a lot of them. Still funny things to say, though.

Ann Johnson: That's fantastic. And Carole, how do you think about it? Why did you start it? Are you loving it, et cetera?

Carole Theriault: It's I don't know. It's become something that I do every week, you know. And what's interesting, I think, for us is that we are a team of two. And we invite guests, but we have like all this great stuff that other podcasts have, like editors and script writers and all this stuff. It's just the two of us. So, you know, and you don't, you know, it's a lot of work to run a podcast, especially if you've got supporters as well and you want to be part of a community. And I think what's great about working with Graham is because we worked together before, we know each other's strengths and shortcomings. And we somehow have been able to fill those gaps in order to have a successful show for all these years. And long may it continue, shall I say.

Ann Johnson: That's awesome. It really is. And congratulations, by the way. This is a lot of work. I do have all those fancy things. I have Greg who writes scripts and produces. I have a studio team, and it's still a lot of work. So congratulations on, yeah, eight years and you're still doing it. That's awesome.

Graham Cluley: Every week.

Ann Johnson: Thank you.

Graham Cluley: Every ruddy week we do it. [Laughter] Yep, it's amazing, isn't it?

Ann Johnson: Well, let's get into the heart of this. On your show, you cover a wide range of topics from cyber to hacking to privacy. What is one topic that surprised you or challenged your perspectives during the journey and one that surprises you because it continues to come up a lot? Carole, you first.

Carole Theriault: It's covered so many topics, you know, because like Graham said, we've had 360 episodes. So honestly, I kind of forget what story I've covered as soon as it's published and out in the world. It's really, it's like a mental toilet that I flush as soon as we publish. And then I can focus on the other bazillion things in my life. But saying that, there is one that is currently seared in my memory. I was recently duped by an Instagram scam in December, hook, line, and sinker. And I know very well what to look out for, right? But somehow the scam managed to skew my vision in such a way that I couldn't hear that inner voice saying, what the heck are you doing until I had paid for the non-existent product, right? And this for me was a super humbling and, okay, honestly humiliating experience, because I should know better, right? If anyone's supposed to know better, I should know better. But it also made me viscerally aware that there's lots of shame when people get duped in these kind of scams, like be it malvertisement or romance scams or whatever. And I think I'm learning that the way to get over shame is to talk about it. So I decided on my own, you know, to own it and to tell the story on Smashing Security. And I didn't tell Graham, right? I didn't tell you beforehand.

Graham Cluley: No.

Carole Theriault: So you walked in totally blind so we could get your honest reaction, your supportive reaction.

Graham Cluley: I thought you were talking about a friend of yours [laughter] being scammed, and then it turned out it was you. It was --

Carole Theriault: Well, that's how I set the story up.

Graham Cluley: [Laughter] Yeah. Yeah, exactly. Yeah. It was quite brilliant. I mean, it was great. But yeah, I mean, I think being authentic, being open about the things, even though, you know, we're cybersecurity veterans, to quote [laughter] the afternoon cyber tea, [laughter] its which we'll put on the back of the packet, probably. That's how we'll tell people in future. But you know, all of us are human. All of us are capable of making mistakes. And by the way, cyber criminals, they're not geniuses either. They're just as dumb as the rest of us. Of course, some of them are clever, but they can make elementary mistakes too. And that's something which we see happening time and time again. And we love to tell funny stories on the podcast of how the hackers have goofed up, about how sometimes companies goof up, all the mistakes which we can make, which admit that we're human. And sometimes that a cover up can be much worse than a breach as well. So sometimes some of these stories are astonishing tales of how people have tried to pretend that they weren't hacked and the problems which go on. I'll tell you one thing, though, that has changed over time. One thing which did surprise me, which we saw during the evolution of the podcast emerge and become a problem, was this issue of deep fakes. I remember when one of our guests, Maria Varmasis [assumed spelling], came on the show and I think she was talking about deep fake porn when it first happened, which was where they were taking Hollywood actresses and they were posting on Reddit forums horrible videos of porn stars with their faces replaced by celebrities. And we did begin to talk about, I wonder how this technology could be used by scammers in the future. Well, what do you know? That's the reality which we're beginning to see right now. You know, AI and deep fake has come along as a technology and is beginning to be used by the cybercriminals and chances are it's going to be used much, much more in the future.

Ann Johnson: Yeah, there is absolutely no doubt in my mind that deep fakes are going to be used much more in the future. And it is something that we also now have the added benefit of artificial intelligence that are driving those things. So do you see that there's going to be a significant increase?

Carole Theriault: Yeah. I would say absolutely we're going to see an increase because we're out of, I think right now, we're out of sync. So we have protective methods to try and handle this, but also there's been an incredible speed that has been coming to new technology. We're seeing new AI-driven services coming up every day. And some of them are great, I'm sure, right? [Laughter] But it's still so early for us to see, and we don't know the cost to these wonderful things yet and there's always a cost. So it's a scary world, I think, for us right now, because I'm not sure anyone has a total handle on it or a very strong viewpoint across the whole spectrum.

Graham Cluley: Let's face it, we've been facing threats like phishing, for instance, for what, 30, 40 plus years of people forging email headers. So you send an email which appears to come from someone. Typical person can't tell the difference and is duped by that kind of thing. So what chance have they got to deal with, but I saw with my own eyes or I heard with my own ears it was this person talking to me and telling me to transfer the money? If that kind of thing is now a reality and in the hands of cybercriminals at very low cost, then that is a real, genuine, huge threat.

Ann Johnson: It is a huge threat. And it's also, Carole was talking about a bit of social engineering, right? And social engineering is the exploitation of human psychology and you talked about that, the ways attackers have manipulated all of us. We've all become a victim, even the most sophisticated cyber professionals have been victimized at some point in time. So Carole, can you talk a little bit more about how attackers have manipulated that behavior, how individuals and business leaders can help create better human, I don't love the expression human firewalls, but can create better human capacity and also the impact of AI?

Carole Theriault: Oh, wow. Okay. I'll take a bit of that. So social engineering is basically being duped, right? So let's have a few examples. Say an attacker wants to get into a company, perhaps to steal information or hold the company to ransom. They might try and dupe an employee into giving away some login information. They may do this by pretending to be the boss or the IT director or the finance director and use the authority behind those titles to bark out an order that needs to be completed right away, like ASAP, ASAP. And the point is to make you hurry, make you panic. It puts out this vibe that this is not the time to ask any questions. You, you know, you've been trusted with this huge task, this unusual task, and it's your job not to screw it up. And you're not thinking, am I being duped here? You're thinking, how do I get this job done and not lose my job? So in those situations or like you think about dating sites, a scammer might do everything possible to try and get you to fall in love with them. You know, send you poems and shower you with compliments and ask you questions. I wish my husband would learn some of those. [Laughter] No, I'm kidding. And then, you know, you're thoroughly smitten, you're thoroughly smitten. And then they ask you to help them out in a difficult financial situation. And if you've like literally falling or fallen in love with this person, you're not thinking, is this guy a scammer? You're thinking, how do I help my poor Fabio or Philippa, right? And I think my point is humans are fallible. We're dupable, all of us are dupable. And maybe that's why I also am not sure I like the idea of human firewall. Because it kind of puts the onus on the user to always be vigilant. And this is impossible, even though we try. Because if we miss something, it feels like we've screwed up, you know, like we the user have screwed up.

Ann Johnson: I think that's right. And I think that, by the way, here's one, Carole, good example is if somebody is trying to romance [laughter] you in that way, you know, it's definitely not real, because I don't think my husband understands that concept either. [ Laughter ] Anyway, but back to the real topic. I think that you're right. And I do think that we, I talk a lot about digital empathy and that concept that humans are going to click links and humans are going to be vulnerable. We actually need to have better systems so that when humans are --

Carole Theriault: Agree.

Ann Johnson: -- vulnerable, there's some safety net for them, right?

Carole Theriault: Yeah, absolutely. But you know, saying all this, I do absolutely think that we can lessen the impact by talking about the tricks that the bad guy use, you know, the bad guys use. Drill into the cybersecurity practices, you know, of the day that are considered the best so that you can better protect yourself and make yourself a harder target. And of course, what can you do after a suspected attack? So if you think you've screwed up, we don't really have the systems in place to handle that, I think, certainly not in my, where I live in the UK. And it would be great to have more of that, like, what can you do?

Ann Johnson: I think that's right. Graham, let's flip to you for just one second. Do you have advice for folks who have been duped by a scam? You know, do they contact the local police? Do they contact the vendor? What would you suggest folks do?

Graham Cluley: Well, certainly there are organizations you can contact in your own country. Here in the UK, for instance, you'd contact Action Fraud and lodge it there. Obviously, you can also go to groups like IC3, which is a division of the FBI in the United States. There are people you can report these things to. Unfortunately, I imagine they're absolutely deluged with these things and they're only going to be investigating those ones which they actually think they have a reasonable chance of resolving or they're getting so many reports on that they'll oblige. They really have to investigate these things. But there's other things you need to do as well. So, for instance, speak to your bank. Tell your bank or financial institution that you may have handed your information over to somebody. They can take measures to prevent your payment cards, for instance, from being further exploited. But it's a problem. I mean, the truth is we've all been breached, right? Someone has already got our data. There have been so many of these humongous data breaches over the years that none of us have managed to avoid it entirely.

Carole Theriault: Okay. But I don't like that statement because it makes people think, well, what's the point of doing anything then? You know, like, let's just sit back and just --

Graham Cluley: Yeah.

Carole Theriault: -- you know, let it wash over us, let the bad guys win.

Graham Cluley: Yeah. I don't think we should do that.

Ann Johnson: I take steps that truly make my family a little, you know, crazy. They look at me and they're like, wow. But things like I get a text if there's a dollar transaction on any of my financial accounts, whether it be a credit card or a banking account, I get an immediate dollar text. [ Inaudible speaker ]

Carole Theriault: My husband gets that too in our joint account.

Graham Cluley: [Laughter] Your husband's phone is going beep, beep, beep all the time, yeah.

Carole Theriault: Yeah. [ Laughter ]

Ann Johnson: As is mine, because I may shop a lot. But anyway, that's a whole other thing. But it really does lend protection. And I look at them. I don't ignore them. And that's one of the things that you sometimes get so many alerts, you start ignoring them. One of the best --

Graham Cluley: Yes.

Ann Johnson: -- pieces of advice, a couple pieces of advice I can give. Number one, don't ignore alerts. And don't set alerts at a level that you will ignore them to get too many. The second thing is don't use passwords on your accounts. There's a lot of authenticator technology out there. Use something other than a password on your regular consumer accounts. If you're working for a corporation, the corporation generally is using some type of stronger authentication. But a lot of people still even on their consumer finance accounts are just using a password. And you really need to get out of that practice.

Graham Cluley: And a lot of people are using the same password for everything.

Ann Johnson: Yes, they are. So let's change the topic a bit. Graham, you write quite a bit on privacy. What do you think are the top issues that individuals should think about when it comes to their data privacy?

Graham Cluley: Well, I think there's a lot of focus on data breaches and things like that, which, yes, we should take seriously. But I think people tend to turn a bit more of a blind eye to just how much data they are offering big organizations completely willingly. And sharing maybe their location, sharing maybe the contents of their emails, maybe sharing their web histories also or their search information. Huge amounts of that sort of information is being given away for free or maybe on social networks, your likes, your interests, your friend relationships. And this is perhaps the most scary thing of all, is just how prepared we are to give this up to huge organizations who could use this for advertising. But also if it were to fall into the hands of a not pleasant government, for instance, or if there's a change of regime one day, maybe this wouldn't happen in the Western world, but there may be other parts of the world where it could happen. It could lend itself into a situation where, you know, there's really rather horrendous possible consequences as a result. So I think people need to think very carefully about sharing information by default. And another piece of advice I'd really give to people is stop feeling you need to tell the truth all the time. There's a lot of organizations out there who ask you for authentication information. For instance, what's your mother's maiden name? My bank wants to know what my mother's maiden name is as a security question so it can verify who I am. That's a matter of public record. Anyone can look up what my mother's maiden name is on my birth certificate. But the bank won't actually check whether that was my mother's maiden name when I give it to them. So don't tell them what your real mother's maiden name is. Make up something. Say Zephod Beeblebrock, say Xena Warrior Princess instead, because that will give you a better level of protection.

Carole Theriault: And this is why we have a good show. Do you mind if I jump in?

Ann Johnson: Please jump in.

Carole Theriault: Okay. But Graham.

Graham Cluley: Yes.

Carole Theriault: So, okay, for example, dating websites, for example.

Graham Cluley: Yes.

Carole Theriault: Will ask you a ton of information to get you there. And the reason you're answering honestly is to meet someone that you actually will like. You know, you're not going to sit there and say, I'm nine foot tall, you know, and into math if you're not. And the same with things like insurance comparison websites. They ask you a bazillion questions in order to give you a particular quote. And what do they do with all that information, right? It's not like you can skip the questions. I think the system is set up for us to drool out our data privacy. Like we are designed to do that now in this new world. And we have to learn how to watch it, I think.

Graham Cluley: I don't know how successful you're being at dating, Carole, but if you've been telling the truth [laughter] on your profile, there's no surprise you've been having difficulty. I mean, it's the first rule of online dating. You don't tell, everyone chooses the only good photograph they've had in the last 15 years, for goodness sake. It's okay. It is a photograph of you. But is that really what you look like? No, of course it's not. People are lying all the time online.

Ann Johnson: I do think that we have to be real, though, to the beginning of what you said, which is a lot of our personal data is already out there. Even data you think is proprietary is already out there. And the best thing you can do to secure yourself and your financial account and your family's privacy is understand that your data is out there. Understand there will be social engineering attacks. Understand that you should be alerting your bank or setting up alerts. But that just that reality of accepting, hey, a lot of my data has already been stolen, is in the public domain. How do I work around that? I think that is a place that we can't even get people.

Carole Theriault: I think it's well said.

Ann Johnson: Let's talk about conferences. Cyber conferences like RSA, Black Hat, Defcon, they're like rock concerts for the [laughter] industry pros. I love that. They are events and they're exhausting events. And I'm sure you two have been too many [laughter] of these events. So which and I'm going to say this, first I'm going to say this is a corporate podcast, so they [laughter] need to be appropriate memories. But which conference memories stand out? [laughter] Yeah, which memories stand out? Whether it's a brilliant talk, something funny that happened or just something really unexpected? Graham, you're up.

Graham Cluley: Well, you know, I don't want to be a bit of a wet blanket and all the fun here. But the week that we're recording this, my old boss and friend, Alan Solomon, who was a true founder of the cybersecurity industry. He was, like I said, Britain's version --

Carole Theriault: Yeah.

Graham Cluley: -- of John McCarthy, but not quite as crazy. He sadly passed away earlier --

Carole Theriault: Yeah.

Graham Cluley: -- this week. And I, in my early days, was working with Alan and I enjoyed many talks by him. He changed the model of a cybersecurity talk, whereas previously it was someone standing at the front of an audience with an overhead projector and some acetate slides. He turned it into a stage show. He dressed up as a cowboy. I was dressed up as a pirate. We had train drivers. We had musketeers. We were even pretending to be Doctor Who at one point with a long scarf, all while sharing tales of fighting computer viruses, making it engaging, making it fun for people to enjoy. That's what I'm thinking about right now. So it was a bit of fun. I really think it's important, although it's a really serious topic, cybersecurity. Let's have a little bit of fun while we're about it as well, rather than be dry and ponderous, which sometimes these conferences can be.

Carole Theriault: Graham, don't --

Graham Cluley: Yes.

Carole Theriault: -- don't give people our magic. [Laughter] We're the funny ones. [ Laughter ] I honestly don't go to many conferences anymore. I think it's because we're able, I think probably has a lot to do with COVID as well --

Graham Cluley: Yeah.

Carole Theriault: -- actually. But I remember a conference in the, Graham, you were there as well. I think you and I were up to mischief at this one. And it was in the early days when Twitter had just launched. And one of our cybersecurity buddies, Mr. Mikko Hipponen [assumed spelling], he was on stage giving some address at a conference.

Graham Cluley: Oh, yes.

Carole Theriault: And he was all on trend because he had put a Twitter wall --

Graham Cluley: Yes.

Carole Theriault: -- up behind him so that the audience could ask questions. Do you [laughter] remember?

Graham Cluley: Yes, I do remember.

Carole Theriault: Do you remember what happened?

Graham Cluley: Yes, yes, I do. [Laughter]

Carole Theriault: Can we share?

Ann Johnson: I remember that also. [Laughter]

Graham Cluley: So what we did, what we did, do you mind, shall I explain, Carole, or would you want to?

Carole Theriault: Yeah, yeah, yeah. Go, go, go.

Graham Cluley: Okay. So what we did, I remember I quickly created a Twitter account with the name Mikko Hipponen. So I pretended to be Mikko Hipponen on his own Twitter wall. And I started posting sort of [laughter] existential messages behind him. Oh, my God, I'm so bored of this talk. I'm even boring [laughter] myself now. And then we would quickly create another Twitter account of a famous cybersecurity researcher. And he was arguing with Mikko and Carole was chipping in as well. So he didn't realize any of this was going on. He was giving his talk. In fact, I don't think we've ever admitted to Mikko it was us who --

Carole Theriault: No.

Graham Cluley: -- did this, did we?

Carole Theriault: See, we've given you an exclusive. Mikko does not know that it was us behind --

Ann Johnson: Oh, excellent. We will tag him and make sure that [laughter] he hears this. I have to tell you something really funny. So I was preparing for a talk at a cybersecurity conference, and I tend to talk at home and I walk around the room and I say things out loud because it helps me edit them. I'm like, okay, that didn't sound great, right, versus just reading it. So I'm giving this talk, and my child, who was probably about 10 at the time, looked at me and just said, "What are you doing?" I said, "Oh, I'm preparing this talk for this conference, and I actually want to, you know, say something funny and get the audience engaged. And in just all seriousness, my child looks at me and said, "Well, who are you going to get to tell the jokes?" [ Laughter ]

Graham Cluley: Out of the mouths of babes and sucklings. Oh, my goodness.

Ann Johnson: [Laughter] So I had a T-shirt made that said, mommy is funny. Anyway, gorgeous.

Graham Cluley: There we go. Funny.

Ann Johnson: Kids still didn't agree, kids still didn't agree. Yeah, exactly. Well, thank you for chatting today. Look, despite the rise in overall cybercrime, I actually do believe that cyber defenders are more often than not one step ahead of the bad guys. I am a cyber optimist. I like to be a cyber optimist. I've been doing this for almost 24 years, and I wouldn't still be doing it if I was defeatist. But what are both of you optimistic about? Carole, let's start with you.

Carole Theriault: Oh, optimistic. Look, we have all these new technologies. So like we were talking deep fakes earlier, right? And we're going, they're so scary. And, you know, it's, you know, for anyone who's seen them in action, they are pretty frightening. Like they can mimic a voice and they can mimic a face and everything is kind of real. And you think misinformation, misinformation. I mean, we saw the Pope in a puffer jacket. You know, we saw Elon Musk peddling crypto. And what are we going to see tomorrow? But at the same time, it's not oblique because I see huge possibilities for education. We can bring famous thinkers and artists of the past to strengthen the learning. I can see a revolution in online classrooms. Business might vastly improve their engagement and support of the customer base without breaking the bank. So the only thing I'm hoping for, what I'm really hoping for, is kind of a universal adopted ethical code of practice when it comes to all these new technologies so that we are not necessarily out of step with it all and we don't have to be worrying all the time.

Ann Johnson: I like that. That sounds right. Graham, what about you? What are you optimistic about?

Graham Cluley: I don't know if I can be as optimistic as Carole. I'm going to try to be. Because I am optimistic too. I think, I remember back in the day, back in today, you know, all those years ago when [laughter] there was --

Ann Johnson: The veteraness of you.

Graham Cluley: Yes. Now I'm going to be a veteran. In the old days, [laughter] there was something like 200 new computer viruses a month. And now we see, and people used to say, I remember I'd get phone calls from journalists saying, "What are you going to do when it's 400 new viruses a month?" We used to post out our [laughter] updates via the royal mail on floppy disk to people, you know, every three months. It was, you know, that's how it used to be that we did these things. Now we see over a million new pieces of malware. We see tens of millions of attacks every single day. We see ransomware attacks and business email compromise, you know, but we're still here. And we're still doing business online. And the internet is an incredible thing, which connects people, allows them to communicate. And yes, there are problems, but people are getting more savvy. Maybe because they've been bitten before, but people are getting wiser. In the old days, if you mentioned something like identity theft to them, they would think that sounds like, well, does that mean someone's stealing my shadow? Is that some kind of sci-fi concept? People are beginning to understand what these things are. People are beginning to wizen up about them. And the technology has got so much better so don't be pessimistic. Be optimistic and do what you can to make sure the staff at your organization are clued up as well.

Ann Johnson: [Music] I love that. So, Carole, Graham, thank you so much for joining me today.

Carole Theriault: Oh, it's been brilliant. Thank you so much for having us.

Graham Cluley: Thank you. It's been good fun.

Ann Johnson: And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea. [ Music ] I invited Graham and Carole from Smashing Security to join me on Afternoon Cyber Tea because they are amazing. They've recorded over 350 episodes of their podcast. They are a lot of fun, but they are also incredibly knowledgeable about the industry. It was a great episode, and I know the audience will get just tremendous value out of it. [ Music ]

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft