AI Makes Breaches Faster: 30-Minute Data Theft

00:00:07 Mark Smith
Welcome to AI Unfiltered, the show that cuts through the hype and brings you the authentic side of artificial intelligence. I'm your host, Mark Smith, and in each episode, I sit down one-on-one with AI innovators and industry leaders from around the world. Together, we explore real-world AI applications, share practical insights, and discuss how businesses are implementing responsible, ethical, and trustworthy AI. Let's dive into the conversation and see how AI can transform your business today. Welcome back to the AI Unfiltered Show. Today, I'm joined by Andrew. He's joining me from Denver in the US. Andrew, welcome to the show.

00:00:51 Andrew Scott
Thanks, Mark. Appreciate you having me.

00:00:53 Mark Smith
Good to have you on. I love speaking to people in other countries and getting their opinions and views on things, particularly around this massively fast-changing landscape we're in with AI. But before we get started, food, family, and fun, what do they mean to you?

00:01:07 Andrew Scott
Honestly, I'd say that's But no life worth living is without those things, I guess you could say. So yeah, I mean, I'm a huge traveler and that's what me and my family and my wife and two kids, we enjoy. My kids are young and so it's an absolute circus at home. But yeah, they're, my boys and my wife, that's why I do what I do. And I think that's why everybody, kind of maybe wakes up for the day and so forth. But yeah, I mean, kind of whether it's, travel's a big part of what we do. It's a big part of my job, but it's also just what we like going out and doing. So exploring new cultures, you mentioned different parts of the world, right? So Bendal. Six of the seven continents haven't got to Antarctica yet, but hopefully one day. But yeah, no, it's, that's definitely the focus for me, I think, is just spending time with the family, being outdoors, you know, here in Colorado, right? That's kind of, you know, if you're not in love with the ocean, it's kind of probably the best place to be, I would say. So we have, you know, the mountains, the outdoors, that's where If I'm not, somewhere on the road, travel with my family, or spend time at home.

00:02:13 Mark Smith
That is so cool. So, six out of seven continents. Yes, You've done one more than me.

00:02:23 Andrew Scott
Oh, which one? Well, I guess we have to figure out which one you haven't been to then.

00:02:27 Mark Smith
I haven't done South America.

00:02:29 Andrew Scott
you got to do it. Yeah. South America is so cool. Definitely, I guess, both sides, right? Because you got Brazil, one side, you got Argentina, Chile on the other, and then kind of north to south. And it's a definitely mixed bag, of all different types of cultures. But I think it's really cool that while the language may mostly be the same outside of maybe, let's say, Brazil, all the different countries and even parts of every country are all just very different and diverse. And so you get a lot of just different perspectives, realities, cultures, just it's a lot of fun to even explore just a single country and all the different things it has to offer.

00:03:03 Mark Smith
So what's taken you to all these locations?

00:03:06 Andrew Scott
Honestly, just a passion for the world. I benefit from parents that we didn't really buy new cars or kind of do a lot of things like that growing up, but we traveled. And so that really kind of imparted on me a lot of just getting out and traveling the world and seeing things. What can we learn, understand, and enjoy? I like to say, if you really want to explore some place, go on the main street, go three streets in. Go kind of find out where the locals are, kind of how they live, where they eat, what they do, and you'll find kind of the really core culture of a country or a place you're in by doing that. So.

00:03:40 Mark Smith
This is very un-American.

00:03:42 Andrew Scott
Yeah, I mean, these days, I guess so, yeah, a little bit, but you know...

00:03:47 Mark Smith
Not these days. You know, when the second time I went to the US was in 2012. And I went to Seattle, went to Microsoft, they'd been invited to an event there, and predominantly the audience was all Americans. And I couldn't believe the number of them that did not have passports, none. And even though they'd been overseas, because they'd served in the military, you don't need a passport when you're serving in the military, right? But what blew me away, just their concept, as an American's concept of travel based on this group of people, and I know it wasn't necessarily representative, But as travel in America is going to Hawaii, like that's travel. Like I've been overseas, Hawaii.

00:04:28 Andrew Scott
Well, I mean, I think it's, you know, my hope is that that changes eventually. I mean, the world's, there's so much to learn, so much to experience. I think it's even just getting outside your comfort zone and being willing to accept and acknowledge there are people, countries, places that may not be how you are at home or live the way you are. And that's, I'll say for the most part, probably that's okay and that's good. And we should just kind of acknowledge that and just leases that to inform ourselves. it's also a privilege. it's, crazy times economically, all different things. And so I don't, it is not lost on me that, the ability to go travel and explore is not something that everyone has the opportunity to do so either. So, you know, feel very fortunate for

00:05:14 Mark Smith
that. I've been to countries that, At the time being in them, I said to my wife, I don't think that this freedom is going to be available in the future. And it happened way sooner than I expected.

00:05:28 Andrew Scott
Yeah, no doubt. I completely agree. Yeah, it's like, what does kind of exploration of various parts of the world look like in not even 10 years, let's say five years. Places that I've been in the past are fundamentally different. physically even, it's because of wars, maybe they've been there and how that's changed. So I'm with you.

00:05:50 Mark Smith
If you could go back to one place again, if I said, hey, listen, you teleport there today, where would it be?

00:05:56 Andrew Scott
So I study abroad in Istanbul, Turkey for like 6 months and spend another three months over in the region just exploring. And it's such a cool dichotomy of European, but also Asian and Middle Eastern, but different cultures, different languages, different vibes to sort of, and also just kind of the, Bosphorus Straits there and kind of the separation of Europe and Asia. It was just so cool to see kind of two competing cultures, but also just, kind of the old style historic, I guess you could say metropolitanism of it. Like it was very much this big city, but also you could see it been around for hundreds of years. And it was, I just loved it there. And, you know, it's also just, weather's great. So just going there and hanging out would be really good. But it's been It's almost two decades since I've been there and I'd love to go back.

00:06:45 Mark Smith
Yeah, 2017 was the last time I was there. Amazing, amazing, amazing, amazing. And particularly because I'm from New Zealand. New Zealand has a very unusual, I suppose, relationship with Turkey because in the Second World War, a lot of New Zealanders died fighting against the Turks.

00:07:07 Andrew Scott
Right.

00:07:08 Mark Smith
And so Gallipoli is our big kind of, we celebrated each year. We just got literally mown down by machine gun month after month after month as the Brits forced this colony of troops to just keep fighting their battles for them. Which if you look at the history, which I did it in hindsight, it was Winston Churchill's arrogance is why that whole war happened. And I used to elevate Winston Churchill on a massive pedestal. I thought he was the boss until I read the full detailed story of his life. And I mean, it was a tome. It was massive. And I was like, my reveredness of him changed dramatically because he's responsible for the deaths of so many people.

00:07:56 Andrew Scott
Well, I did not know that, Mark. So now I have somebody out to my reading list to go learn about. So I appreciate that.

00:08:03 Mark Smith
Yeah. At the end of the day, the Turks were in. and alienated at that time because they had an agreement to buy ships, warships off the Brits. And the Brits decided to, after the deal was done, sell them to somebody else. And so Germany said, hey, we'll give you the warships. And that meant the alignment flipped the other way. In a really strategic location in the world, right? So.

00:08:27 Andrew Scott
Yeah, exactly.

00:08:28 Mark Smith
Silliness, silliness. Anyhow, let's talk some tech. We've already burnt 8 minutes talking about life. What are you doing? What's your focus? How is AI changing your life and what you do?

00:08:44 Andrew Scott
Yeah, no, yeah, it's a great question. Yeah, so to quote Office Space, what would you say you do here, right? So I'm Total's field CISO, so my job is really a security strategist, kind of an evangelist, really a resource for our total managed service provider partners and user clients, really, right, around how do we build scalable security programs for today's day and age, especially with both, I would say, limited resources, right? Because not everybody has huge budgets. But also, I think in some ways where we can run before even we walk. And I think that's what AI is letting us do, especially myself, right? Like I was building security program, documentation and governance, kind of materials this morning with AI, just helping take a couple hours of work off my plate so I could focus on something else. But I think, AI is really a core part, whether people are actively embracing it. I'll say it, it's funny because we're on an AI-focused podcast, but I think people are embracing whether they're saying, I'm going to go all in on AI or we're going to use it, or they just almost aren't, are using it unknowingly. I'll say just because it's baked into the technologies they're already using or still trying to figure it out. A lot of my work is really helping organizations bridge that gap into doing so securely, right? Kind of using AI appropriately, I think, for both kind of business purposes, but also cyber, right? And how we're really navigating how fast the world's changing. and how AI is being used and how we need to kind of checks and balances there. So that's a lot of the work I've been doing lately, especially around AI and using it, frankly, to speed up and solve a lot of the problems and challenges so that we can help more organizations faster.

00:10:32 Mark Smith
Yeah. And it is phenomenal how it can help. Last night, I was riffing with my AIs and it's It said, do you know that you've got an endpoint here that the only protection on it is security by obscurity? That was the words it used with me. In other words, it's open if people were able to find it. And the thing is, in the past, you'd go, yeah, they'll never guess it. They'll never find it. But hang on a second. Now on that outside, you've got another AI that is going after those obscure locations. at a rate that we could never handle. And so I went straight into lockdown mode in that scenario. And so it's definitely helping. But two years ago, I was at an event, a Microsoft event, and the senior head of security, she got up and she talked about if cybercrime was a nation state, based on the revenue that cybercrime is producing, it would be the third largest economy in the world. So that means US is the largest, China's the next, third is currently Germany, but this would fit between China and Germany, as in based on GDP, if you like, that, as in the crime was producing. And I don't think so many people just know how there'd be dragons, dangerous it is out there, because Often, you only hear the crazy cases that make it into the public arena. And then that's only if you're in tech that you're probably even seeing a lot of those. A lot of them never make the newspapers and things like that. What's your observation now that AI's been really, the current form of AI we have has been around three years? Has things got more crazy in your observation?

00:12:25 Andrew Scott
I would say so, yes. I mean, there's a lot out there about AI-driven threats, and everything from deepfakes to social engineering and phishing to, we see the reports around fully automated attacks by the Chinese, but I think the... The biggest takeaway, Mark, really is that if nothing else, like all of us hoping to get kind of efficiencies and time back and productivity gains out of AI, cybercrime is doing the same thing. So you mentioned the GDP, right? Like I saw a report the other day, it was Booz Allen did an AI kind of threat analysis report. And they noted that from the time of compromise, so when an organization is attacked and kind of an adversary is in to when data's started to be ex-filled, they were seeing it down to 30 minutes with AI. So that's like, the joke kind of, enough time to order a pizza, right? But like, it's, that's, it's from when data's being stolen, not when they're in and then having to figure the way around. So AI, if anything, is just simply... It's the volume and scale and speed that concerns me. So if we look at kind of cyber crime where it's maybe I steal someone's credentials or kind of I want to look for a hole in their network or I want to kind of try to find my way around their network once I'm in or understand what data they have, it is making that those tasks that an adversary will have to do, it's making it so much faster that I think that's the biggest concern I have is that really the fundamentals, now of just cybersecurity posture or just hygiene or even response, right? It's so much faster and more impactful now than it was before. And so we can look at making, you know, there's deep fakes here, you know, as I was referencing, but I just worry and I'm seeing, we're seeing this constant barrage of attacks where is it because of AI? I can't say that this AI was used in this attack that we observed, let's say, but the The sheer velocity and scale of them suggests that it's far beyond the humans that are doing it. It's using AI and automation to really exploit organizations in mass.

00:14:45 Mark Smith
Crazy. So in the line of work that you're in, how can companies particularly start protecting themselves? And oftentimes they don't have the ability to get the knowledge themselves. because it's shifting sands, right? The landscape is changing constantly. But how can they kind of get into a posture or position that allows... self-healing, self-learning, self-protection, ongoing, like proactive rather than reactive stance when it comes to protecting their digital estate.

00:15:22 Andrew Scott
Yeah, absolutely. Well, you know, I think it comes from the, you know, kind of the old adage, you can't protect what you can't see, but especially to like AI, and you know, I'll take this from a couple different angles. You know, I think you also can't govern what you don't know about and can't see. So I think like, The first step is honestly self-reflection. And it's asking the hard question, almost take a step back as best as you can and saying, just what's out there, right? And that's where, yes, for better or for worse, with AI, with software, with the cloud, with all the different tools, non-human identities and bots and everything that people are going, you kind of got to figure out a way to get observability. right and awareness of what's across your environment. So that's where tools like a SIM, kind of, endpoint management, kind of solutions to figure out even what's installed places. looking at your firewall logs and seeing what web-based LLMs or AI tools are people going to. Just do a dump of all the domains people are hitting and try to unearth and search that. I think, you know, honestly, don't be afraid to ask for help too. This is where service providers, consultants, professional services orgs, right, It might be really worth engaging in that, because if you don't have the time or skill set to evaluate it all, like you mentioned, if it's resource strapped or just don't really know where to start, sometimes the best thing is just to raise your hand and ask for some help and to help peel back that onion, because I think that will really inform how is the organization using, let's say, AI, but also just what's out there. where are holes, right? You talked about cyber crime and exploitation, just how many different, maintaining, an asset inventory, just knowing what systems or what applications, but even so, even worse, what data, that's a whole nother category. But like, what's out there, you got to start there. Because if you don't have the governance, right, and kind of awareness of what your current state is, you're not gonna be able to really then button things up to become more proactive and kind of that continuous improvement. You gotta set your foundation first. So that's why I'd really encourage it when I think many people are diving into like, I gotta get this tool or we're gonna embrace this or whatever. It's like, well, hold up. We were talking with one client recently who was, they were building a data lake that they were gonna then push into an AI model to help them with insurance quoting or something of that nature. And I was like, okay, what's populating this data lake? And they're like, well, it's all of our, these various pieces of information. And I was like, okay, where's that information coming from? And they're like, oh, well, it's coming from our ERP and other things. I'm like, okay, do you even know who's got access to that? What's populating it? How are you doing change control and data governance there so that you know how the model's then being informed? Because they didn't know where that data was going to go once in the model or into these other workflows. And so I think that's the thing that people need to really come to terms with is you can't skip that planning part, especially in today's day and age, and adopting AI tools, bots, or just even how to know how to protect your organization best in everything you've got.

00:18:33 Mark Smith
It's interesting, I think, that in some way, are we training AI to be more, to have a stronger ability to find the holes? And why I say this is that If I look at the last three years with AI, if you are an AI agent going onto the internet, it's a hostile environment out there. Gartner came out with a report and said, hey, if you've got a website, lock that **** down. Don't let any AIs, you know, get on it because they could do prompt injecting, any number of things. Now, what has that done? It's made it extremely hard for an agent to interact with a website. And like I noticed this on a lot of e-commerce sites, for example, you try Amazon, you try any of these, like block, block, block, block, block. And I think it's a wrong move on two counts. One is I want to buy a product, but I don't want to spend ages browsing the internet to find it, right? I just want to be able to say to my agent, I want this product, go find it. go get it into a cart for me and then just ping me when the cart's ready, give me the URL to it and I'll go and I'll do the credit card payment. I'm comfortable with that level at the moment. But what it has also done is that you then go to your agent, well, it's adversarial out there. It's a hostile environment. They hate you. And so how do we still do business and get around it? So then it gets coming, right? It starts reading source codes on pages, works out how I can inject via JavaScript or any number of ways. And then it finds an endpoint or an API. And what does it start doing? It starts prompting it to find out what language it's written in, what I'm going to get a response on. And then bingo, I found something. Now I'm going to write a script. And it's just like, I'm finding this is happening in front of me in real time. And so we're training agents to really find those holes. I run home automation, about 1,200 sensors around my property. And I am surprised that anytime I have a sensor that's, if you're like not in the catalog that can be ingested, it just says, hang on a second, give me its IP address. Goes to its IP address, ping, ping, ping, ping, ping, like finds out what it's got open. What language is behind it? Hey, I've created a fix for it. I've just written one for it. And I'm just like, now you take that, let's say if you're a bad actor, that level of tooling that you have at your fingertips now, I mean, forget the script kiddies of 20 years ago, and what they could do with a few downloaded scripts off, what was it called, using it back then? Whatever it was. What they could do now, what you can do now without necessarily being very sophisticated, but just have a good way of understanding how systems and networks run, you could do a lot of damage.

00:21:27 Andrew Scott
A 100%. I mean, this is where, kind of, kind of the, those reports of, let's say the Chinese or just, anybody else that's running these attacks, whether it makes the news or not, as you mentioned.

00:21:38 Mark Smith
I don't think it's just the Chinese, it's the Americans as well.

00:21:40 Andrew Scott
Oh, it's America, yeah, a lot of people. I'm just saying that there's that one that was like about like Anthropic and Claude being used like 80, almost end to end, right? As an example that.

00:21:50 Mark Smith
I think Anthropic's whole code base got dropped in the last 24 hours. I don't know how. There's a big, yeah.

00:21:55 Andrew Scott
That was definitely not a great moment, right? Exactly. Yeah, but to your point there, Mark, right, I think that, you know, the barrier to entry to just for attacks to happen, but I think that the bigger concern is where, you know, not only the lower level sophistication of attackers or malicious use, but I still go back to like, we almost have to assume we're going to get hit at this point, sort of that zero trust, kind of strategy, approach and say, okay, if I have to assume that I'm going to get compromised, then I have to look at actually how I'm walking my internal network down, not just the perimeter, right? It's got to shift almost our entire mentality. Just to your point, like if your agents are actively solving problems that it's running into and creating fixes, like that example of how malware is adapting or the models are adapting to what it's running into in an environment and then finding new avenues or mapping networks, that then becomes this really sort of almost autonomous attack where I have to now try to really, for whatever I can, wall off, almost logically, if I can, as much of the environment or my crown jewels as a business. So it's like, I have to assume this stuff's going to be gone. So how do I almost reverse engineer from inside out instead of outside in? I think that's the other challenge that Oregon's going to have is it's almost got to change an architectural mindset of the way that cyber defense happens, but also how businesses engage in technology.

00:23:28 Mark Smith
You've given me a bunch of ideas. I've talked about walled gardens as how most people protect their, and don't have a zero trust strategy. And it was actually Steve Jobs has got one of the best stories about pre-Apple, where they hacked into the telecommunication network back then because they had a walled garden approach. Nobody could be a connection point unless you're authorized. So all they had to do is compromise and authorize. And they got into the global network of telecommunications and the world was their oyster. They could do anything they want. Toll-free. And I feel a lot of companies have this walled garden type security posture. We're stopping people outside but don't have a strategy when they don't know they've got inside and or that you might have an adversarial employee inside the organization.

00:24:20 Andrew Scott
Well, I think that raises the other point too, right? You mentioned about just, you know, your bot, you know, your AI, you know, kind of, you know, tools and bots solving for their own challenges. I mean, this gets to the question, you know, is it a, was it a CISO networking dinner and event recently where this was actually the exact topic, right? Like, how do we actually know if or when AI goes rogue, right? It's not working really outside the bounds of anything that you said it couldn't do. It's not like Skynet trying to mess with you, right? But it's solving its own challenges. And that's where I think, like, to be honest, you know, Mark, like, you know, you have incredible knowledge and time and resources to embrace AI use, you know, kind of at your home, your property, your business, whatever it might be. I don't think, I think many orgs are barely just like, I'm going to spin some stuff in OpenClaw and see what I can do. And it just like, is tying in AI to your data and your systems in hopes of productivity actually introducing far more risk? And are you taking your business backwards because of even a innocuous incident that could happen because it's simply learning how to solve things and suddenly your data is going wherever you don't know. That's actually my biggest fear, where like insider risk is simply just people choosing to embrace AI legitimately, but with no planning.

00:25:43 Mark Smith
Yeah, and you're so right. Unintentional consequences in the early days when I was on OpenClaw, the amount of times I'd go, oops, I just exposed your keys, your API keys. Oops, let's quickly rotate them because I didn't do that right. And the last thing I want to talk to you about is VPNs, virtual private networks, been around forever. But I don't know, they seem to be becoming super, super important nowadays than ever before. What's your experience with that?

00:26:13 Andrew Scott
Well, I think a VPN is absolutely essential for doing business in today's internet connected day and age in the, you know, securing traffic and communication. But I think a VPN in of itself actually no longer fits how many organizations work. Right? A VPN, you mentioned the walled garden, the perimeter model. A VPN is saying, hey, I'm going to securely access this organization's network from the outside. But once I'm in, there's zero control on the inside, it's providing this, depending on something else entirely. And I think that's where organizations really need to look at how their users are working, where they're working. So it's like in the cloud, like most of what I do is on applications of the cloud or SaaS apps or things like that. Like we don't really have, much physical infrastructure and on-prem that we're dealing with, where a VPN used to be needed. And so, you know, I don't want to say used to be needed in that it's not anymore. I think we need to level up into more of that sort of, you know, sassy style approach, but really where it provides more control and governance of what users are doing, how they're accessing certain resources, but actually like how they're interacting with systems and data and looking that deeply. And that's because, right, where people are off that traditional perimeter where you lose that visibility, how do we ensure that secure access, but where it can meet them where they are? So like people bringing a laptop home and working from home, I don't know if their home network's compromised or if other things are running or their own stuff. So it's like, that's where I think the VPN is absolutely essential, the concept, but we need to be adapting that VPN concept into really how we're working now. and securing how we're gaining access to resources, whether it's AI tools, just our networks, the cloud, et cetera, and really making sure that these are the devices, users, locations, like networks, et cetera, that we know about multiple different points of enforcement than simply is that a VPN client. I'll take it one more step further just to, you know, kind of, you know, love your thoughts on this, Mark. But I mean, we talked about adversaries conducting attacks. I mean, if I had to, call 2025 the year of something, I think it was like the year of the VPN exploit. I mean, it seemed like every month we had a brand new VPN critical severity, or even zero day vulnerability popping up that was getting exploited. And so in that traditional model, many organizations are embracing, there's a physical VPN server box that's internet facing, that is getting taken advantage of, that adversaries will exploit. can we think differently about using, evolving our understanding, like I say, into more of that SASE, secure access service edge kind of approach to even reduce that risk footprint? I think that would move the needle considerably for many organizations. But I think the VPN model is absolutely essential. The fundamentals still be true, but we have to adapt it to how we're working now.

00:29:17 Mark Smith
Yeah, so true. Andrew, if people want to get in touch with you, what's the best way for them to reach out?

00:29:21 Andrew Scott
Yeah, LinkedIn, I'm on LinkedIn, Andrew S. I'm field CISO at Total. also, I can kind of, I can make sure, that I, if there's any contact info or whatever, if people want to reach out to you.

00:29:34 Mark Smith
Yeah, we'll make sure we put it in the show notes.

00:29:36 Andrew Scott
Yeah, absolutely. But no, I mean, I would love to hear how people are looking at AI and even adapting their, network security architectures and their programs to just today's day and age and threat landscape. So I would love to hear from folks.

00:29:52 Mark Smith
You've been listening to AI Unfiltered with me, Mark Smith. If you enjoyed this episode and want to share a little kindness, please leave a review. To learn more or connect with today's guest, check out the show notes. Thank you for tuning in. I'll see you next time, where we'll continue to uncover AI's true potential one conversation at a time.