Transcript: Emma Green podcast

Emma Green is Managing Director of Cyber Data Law. She told us how cybersecurity breaches happen and why she’s positive about blockchain.

This is a transcript of the podcast episode “Emma Green of Cyber Data Law Solicitors on phishing, hackers, and smart contracts”, a conversation between GRIP Senior Reporter Carmen Cracknell and the Managing Director of Cyber Data Law, Emma Green.

[INTRO]

Carmen Cracknell: This week I am joined by Emma Green, a cybersecurity lawyer and managing partner at Cyber Data Law Solicitors. Emma, thanks so much for speaking to me today. Can you start by just introducing yourself in your own words?

Emma Green: I’m Emma Green. I’m the managing partner of Cyber Data Law Solicitors. My background is I’ve spent 20-plus years in technical IT training and consulting. I’ve co-authored an IBM Redbook and over the last few years moved into data protection and cybersecurity from a legal perspective and set up the law firm with my partner John Green.

Carmen Cracknell: Lovely. And my first question is what are the sorts of breaches that you’re seeing that are the most common in the past few years?

Emma Green: So without doubt, the most common type of data breach is human error. So somebody disclosing data that they shouldn’t, accidentally emailing it to incorrect recipients, blind copy, not putting things in blind copy and disclosing to a load of email addresses. But I’ve got some real horror stories if you’re interested.

Carmen Cracknell: Yeah!

Emma Green: So I was working at a national secondhand car dealership and they had somebody who came in to pick up their car, chatting away to the chap behind the desk. And he said, “Oh, I think your daughter’s been in earlier today.” And so she said, “Oh, okay.” And for whatever reason, he ended up turning his screen round and just disclosing this individual’s address, this lady’s address to this woman who he presumed was the girl’s mother. Now, any kind of normal person would say, “Oh, I can’t see why that’s a problem.” The issue was that the daughter was in a witness protection program and was to testify against the mother in a big, big case. So the company had to rehouse her, the daughter. It’s happened loads. Some industries think that husband and wife are one unit rather than individuals. So disclosing addresses to a husband where a wife is in hiding and again, had to rehouse her. And simple things like, these are all car related, but it gives you an idea. When you go buy a car and they give you that form to fill in to change ownership, several instances where new buyers or potential new buyers have actually turned up at the previous owner’s home address and said, “So what did you think of the car? Do you think it was any good?”

So when you think of data breaches, people just think, “Oh, my data’s got out there, whatever, who cares?” But when you actually humanize it and personalize it and make it something that can actually have a devastating impact on somebody’s life, I mean, there’s one individual turned up at this lady’s address, he wouldn’t leave until she told him all about the car. And you’re like, “Really?” So when you actually think of the impact that that can have on somebody by disclosing their address to somebody that you don’t want to disclose to or any person’s face is disclosing to, you can see why it could be a huge, huge problem.

Carmen Cracknell: Yeah, absolutely. I mean, in our organization, we’re always on the lookout for phishing as well. Is that something you see a lot of?

Emma Green: Yeah. So from a cyber perspective, so we’ve got your standard human error, disclosing of documents or emailing it to an incorrect recipient. Now, I’ve pulled up some statistics from the ICO, so every quarter the ICO publish statistics on the volume of breaches that have been reported to them. And the number one breach was emailing an incorrect recipient. Like 22% of the breaches that were reported to them were data emailed to an incorrect recipient. So you’ve disclosed some data. And the types of industries, education, health and local government, and legal, are the worst offenders. So that’s number one on the ICO statistics from the last quarter. But in terms of from a cyber perspective, phishing is becoming more and more sophisticated. So it’s no longer just somebody’s trying to send you wire, some money, click on this link to give you details. They’ve become way, way more sophisticated. And if they are really determined threat actors, then they will do what’s called doxing. So they will research you as an individual before they target you with very specific phishing content that will lure you to disclose either something about you, your login details, and so on. So it is a real, real concern. So phishing campaigns, we find, are usually quite effective in helping people just to recognize not to click on those links or download or disclose something.

Carmen Cracknell: What sort of campaigns are going on when you say campaigns?

Emma Green: So phishing campaigns, so these are like, these are pretend phishing emails. So what will happen is you get software and it sends out an email and they’ve got loads of templates from real-life examples. So an email will go out to everybody and they’ll be customized for HR, a bit HR-oriented, and finance, finance-oriented. And the aim is that you do your phishing training and then you’re sent a campaign and these are fake phishing emails. So when you accidentally click on it, it goes, “Uh-oh, sorry, this was just testing.”

Carmen Cracknell: Yeah.

Emma Green: Yeah. And you need to redo your training or you need to…

Carmen Cracknell: Yeah, yeah. We get those here as a warning to change our password. It’s usually something like you’ve won a free Starbucks or there’s a voucher for McDonald’s or something like that and it really works.

Emma Green: Yeah, it does. Oh, if you just send an email with salaries as a file attachment, you’d be staggered how many people click on it. And when you actually analyze the types of departments that click on those links, you’d be staggered to know the senior management click on it the most.

Carmen Cracknell: Yeah. We deal a lot with kind of handling financial services firms’ data.

Emma Green: Yeah.

Carmen Cracknell: What do you think are the most pressing security issues for firms in that sector?

Emma Green: So when we’re talking about disclosing personal information, obviously that comes under sort of data protection, but in terms of disclosing financial information, obviously it’s confidentiality and you could be breaching all kinds of FCA and US financial laws in how you are to store and manage that data. So it really depends on what the breach is and what’s been disclosed as to which sort of bucket it falls into, I’d say.

Carmen Cracknell: WhatsApp has been sort of mentioned a lot in relation to its use as a channel of communication and business tool. Do you think that as a technology it poses different challenges to something like email that came before? Is it particularly dangerous in terms of security?

Emma Green: Well, in terms of security, it is encrypted end to end. So when you send a message to a recipient, it’s encrypted for that recipient. The issue is that if you do back up your WhatsApp messages, by default, they’re not encrypted. So you’ve got the risk there that they are being stored on a server. And the other thing is that WhatsApp came under fire recently because they changed their privacy notice to say that we will share your data with Facebook. Now, Facebook, why’s that a problem? Well, because Facebook tends to then give that data to loads of other third parties and you’ll be served up with very specific customized advertising that you may not want. Also, where those messages are stored, excuse me, Facebook, WhatsApp, they’re mostly in the US and the US have very different views on privacy than we do. So in other words, they can just go and access whatever they like, whenever they like. So those are the security implications. But WhatsApp was traditionally a personal app for exchanging personal messages. So if you’ve got any really company confidential information, I would have it in your contract that says you’re not allowed to use these types of apps for that reason, that it’s company confidential and we don’t want that going out. So use something that we can track and we can get backups of, things like Teams. See, there’s no reason we can’t use that. There’s loads of other apps, it’s not just WhatsApp, there’s a few others. But those sorts of apps, they call them sort of grey, shadow IT, is something that companies need to be aware of: when the data is going between two individuals, you lose control of it.

Carmen Cracknell: And yeah, I mean, that’s, I guess, a challenge that’s come from the prevalence of bring your own device. What can firms do about that, do you think?

Emma Green: Well, I mean, bring your own device, see, it depends on the organization, because I would always say, well, you’re getting an employee to use their own phone. Why don’t you just give them a phone for the cost of it? Because it’s a lot of cost savings. And then you’ve got control of that. You need to have a really robust policy in place, which says what they can and can’t do with their phones when they are, if you are going to let them use their own phones, what they can and can’t do with the data that is going to be on those phones, you need to have some sort of software, mobile device management software, there’s loads of them out there. But basically, if that phone got lost or stolen, or the employee left under a cloud, that you could erase the data on that phone. But ultimately, it’s their phone, it’s not yours. So you’re getting into sort of tricky waters. If it’s really important that that individual has a phone, then just give them a phone or give them a mobile device, because you’re just causing yourself a bit of a headache, really.

Carmen Cracknell: Yeah. And when, yeah, sorry.

Emma Green: No, I was just saying, so policies can’t contractually say what you can and can’t do. But ultimately, it’s their phone. And yeah, it’s getting control of their property, not yours.

Carmen Cracknell: When these events happen, like the JP Morgan hack in 2021, and those big fines that are levied, does that lead to a stricter approach to security, do you think?

Emma Green: I think it really depends, because you only have to look at what happened recently with Matt Hancock. So the government said, yes, you can use WhatsApp. And so they did. And then he actually disclosed screenshots of those conversations between the two. In terms of the JP Morgan issue, that was, again, coming under financial regulations in the US that they have to keep, about violating federal laws for record keeping, that kind of thing. So that was an issue in relation to that. But if it’s so important, and confidential, the data that you are exchanging between individuals, then I would just have a ban on it, have a blanket ban on WhatsApp, because then you don’t have that problem, and use a corporate application rather than a personal one that’s going to potentially cause you difficulties further down the line. But then some companies may say, no, it’s fine. You can use it. And it’s up to them. But again, you need a really robust bring your own device policy, what you can and can’t do on social media, what apps you can and can’t use, and what types of data you can and can’t exchange. But there’s all kinds of horror stories in the press from individuals who’ve used WhatsApp to exchange sordid images, for example, between each other. So it is really important, I think, that you set it down very strictly at the beginning, what you can and can’t do. And in terms of that hack and the data and what was exchanged and so on and so forth, it’s down to the company for them to enforce it, to say, no, you’re not allowed to use it. And it’s a disciplinary offense if you do.

Carmen Cracknell: Sure. And what about the role of regulators? Do you think they are keeping up and handling things in the right way?

Emma Green: They try and be one step ahead. But obviously, technologies develop so quickly that sometimes they can’t keep pace. I think we need to have some corporate governance and corporate responsibility for what data is being shared between employees internally and externally.

Carmen Cracknell: And I did, since you kind of said that you specialize in blockchain and smart contracts, is there anything you can add about that?

Emma Green: Really, I just think it’s the future in terms, particularly things like for contracts, for things like house sales, for example, I think it’s definitely the future. It’s had a few glitches along the way and reputation in terms of perception of what it can and can’t do. But I think it’s definitely the future. And if anything, we’re going to go more in that direction than lesser.

Carmen Cracknell: What does that mean for security challenges?

Emma Green: Again, it’s all down to the corporate governance of keeping a handle on what is going out there, what’s being shared online, blockchain, wherever. You need to have very clear boundaries and guidelines what you can and can’t do with company and personal data.

Carmen Cracknell: Absolutely. Well, those were all my questions. Do you have anything else that you think is worth adding?

Emma Green: So the NIS regulation is a law that was brought in in 2018 to have some sort of control over corporate, sorry, infrastructure networks. So for example, water and electricity and so on and so forth. So if there was, let’s say, a major hack or a breach in the water supply, for example, they would have to report that to a designated regulator, which is defined in the legislation. Now, not many people know about it. One thing which is really interesting is that the Department of Culture, Media and Sport is going to expand the scope of NIS to cover managed service providers. So your IT, because they see that they’re so key in everybody’s day-to-day life. So there was a huge number of, vast, vast number of third-party supply chain attacks last year and ongoing. So for example, hackers realized that rather than just knock out one company, what they could do is go to a cloud provider, knock them out and underneath, where it could take out 10, 20, 30, 40, 50 companies. Likewise, they could infect a lot of companies out there, the managed service providers, they would roll out patches for several organizations at once. And they realized that they infected the people at the top of the food chain, so to speak, then that would be cascaded down through all those organizations, which is exactly what happened.

We were involved in several cyber attacks where online retailers were taken out by the executive decision that lifted and shifted their IT from on-premise, which a lot of companies do these days, to the cloud because of cost and risk and all of those reasons. And then when that cloud provider gets attacked, then they’re completely paralyzed. So to kind of help with that, there is going to be an update to the legislation on managed service providers. So everything from your Bob’s IT right up to your huge providers is going to be more regulated. So they’re going to have to register with the, we’re not 100% sure, so don’t quote me on this yet, but they will probably have to register with a body like the ICO and they will have to report incidents. Like at the moment when you have a personal data breach, you report it subject to various criteria, you report it within 72 hours, for example. Very similar thing for an incident on an MSP, they’re going to have to report that to the regulator, and that’s not been 100% confirmed who that is. So that’s currently going through, again, when’s it going to come into effect? We’re not sure because it just says when government allows. So it is something that’s on the radar, but I think it’s really important that MSPs are aware of that, that they make sure they have appropriate technical and organizational measures in place because they are managing lots of organizations’ data, and to protect it from not just personal data breaches, but cyber attacks, I think is really, really important.

Carmen Cracknell: Absolutely. Yeah, I’ll have to look more into that.

Emma Green: Yeah, if you Google NIS, that’s November Indigo Sierra, regulations, it will come up.

Carmen Cracknell: I see it on the ICO site.

Emma Green: You’ve got it. Yeah, it’s network and information systems regulation. And like I said, it was really for core infrastructure originally in case anybody poisoned the water, for example. And if you look at that legislation, the water, anybody who deals with water has to report to a body that is relevant for water, electricity and so on and so forth, Ofcom, Ofgem. There’s a whole list of regulators that you would have to report to depending on your industry. But I just think it’s really interesting that they are sitting up and taking note of what’s happening with cyber and physical resilience to help support businesses. So coming back to your question about regulators, can they keep pace? Well, I think that they’re trying their best. We can never keep one step ahead of evolving technology or what hackers are going to do because it changes so quickly. But I think this is going to be something that’s going to be really, really important for businesses and for those MSPs themselves.

Carmen Cracknell: That was actually one of the other questions that I wanted to ask. Yeah, just like, what do you think about hackers going forward, the biggest cybersecurity challenges, how will they evolve in the next few years, in your view?

Emma Green: Well, I mean, at the moment, until we can get a handle on people clicking on links and disclosing information, the biggest hackers, I always say there’s two elements. We’ve got the tech element. So we’ve got hackers hacking into your network, where the majority of organisations are using the best tech, the best fancy tech that they have at their fingertips, and that’s great. But what tends to happen is somebody in accounts will click on a link and disclose a key or whatever, or not change your password. I mean, the one that really makes me howl is, you know, the Anglian, as in proper fishing, fishing for proper fishes. I think it’s the Anglian world or Anglian times. So with proper fishing rods and fishes, so their website was hacked by hackers and redirected to an adult website. So I think it was quite amusing. And the reason they were able to do that was because the login for Twitter, the password was exactly the same as it was. Anglian. Yes, Anglian. I see. Anglian. So yeah, Fisher. Yes, so a fisherman proper, as in not pH fish, but F-I-S-H. Right. So their website was redirected to an adult website, which I thought was highly amusing, and not for them clearly. No. It was highly amusing. And how did that happen? It’s because the password for Twitter was the same as the password for logging in to the customer, you know, to change their website. So we’ve got all the old tech piece, tech, tech, tech, but we’ve got, you know, AI and, you know, quantum physics is going to make sure that it’s never going to happen. And we can stay one step ahead technically, but it’s the squishy thing between the laptop and the chair that you need to see as the biggest risk to organisations, the people in it. Disclosing information, logging in. You’ve also got disgruntled personnel that go and leak information. So hackers realise that and they can socially engineer individuals. That’s why I go mad when anybody on Facebook fills in those quizzes. What was your first car? What was your first? And really, all you’re doing is you’re giving information to a baddie, so to speak, who’s going to collect enough information about you that potentially those types of passwords could be used for your banking app, password resets, for example. So until we get a handle on educating individuals not to do these kinds of things, then hackers are all going to have a field day.

Carmen Cracknell: Absolutely. Thank you very much.

Emma Green: You’re very welcome. Thanks.

Carmen Cracknell: Cheers.
