AI-Powered Cybercrime: Why Your Firewall Isn’t Enough

Mark Smith: 0:14
Welcome to the Power Platform Show. Thanks for joining me today. I hope today's guest inspires and educates you on the possibilities of the Microsoft Power Platform. Now let's get on with the show. In this episode, we'll focus on AI and cybersecurity. Today's guest is from Greater Bournemouth in the United Kingdom. I don't know that I've ever been there. He works at CodeStone as a solution partner. He holds multiple Microsoft and non-Microsoft certifications and exhibit a dynamic leadership style, championing modernization and application of emerging technology Beyond professional realms. He is pursuing his private pilot's license and learning how to kite surf. If you'd like to know more about that, you can find links to his bio and socials in the show notes for this episode. Welcome to the show, Louis. Hello, good to have you on. Tell us about food, family and fun. I always like to start with these questions to get a bit of background on what people do outside of their professional lives.

Louis Arthur-Brown: 1:21
Absolutely yeah. So food I do love a curry and a roast dinner you could say it's the national dishes of the UK Absolutely love them. Family I've got a lovely fiancee and I've got a five-year-old daughter and an 18-month-old daughter as well. And in terms of fun, uh, yeah, I'm absolutely um enthralled with the possibility of kite surfing. It's something which I'm quite early in my journey in, but I am learning how to kite surf, um, and I'm also um a few lessons in to my private pilot pilot's license. So, yeah, in terms of picking hobbies, I know I've picked the hardest and most expensive and it doesn't really go well with family, but yeah, it's something I can work at at least.

Mark Smith: 2:06
I think that flying is just phenomenal right, the ability to take a whole different perspective of the world. And so, yeah, good luck with that. I hope you do well. And, of course, kite surfing pretty amazing. I see a lot of kite surfers around where I live and, uh, I think I've got to do a bit more work on my body before I'll be in a position to be able to get out there and throw myself around over the uh, over the water, with the? Uh. Maybe one day, maybe one day. Maybe these aerofoils that they're on these days are pretty amazing.

Mark Smith: 2:40
Yeah they truly are. Tell me about your career path, your career journey. How did you get into the area of tech you're in today?

Louis Arthur-Brown: 2:50
Good question. So I actually started as believe it or not as an aerospace engineer apprentice. So I did that for maybe five or six years, hence my interest in in aviation and getting my private pilot's license. And then I kind of fell into it. Just I did. There was a placement available in my apprenticeship. I thought, why not? I'll go sit in the it department for a few months and I never left. I did it supports for a few years and then got aligned into service delivery, it management and then, more recently, it leadership, in terms of creating departments, cyber departments focused on revenue growth and expanding solution portfolios.

Mark Smith: 3:30
Wow, amazing, amazing. And I find this subject of cybersecurity incredibly interesting, particularly as we move into an age of ai, and I suppose that the level of ignorance that a lot of people have at how sophisticated and how advanced, uh, cybersecurity is, uh. One of the cvps at microsoft that a conference I was recently at, she said that if cybersecurity was like an entity, a government or an organization or a country entity, it would be the third largest based on GDP in the world. And so I looked that up. What does it mean to be the third largest? Well, the US is the largest state by GDP, followed by China, and then third is Germany. Now, between China and Germany, the amount of money made in cybercrime globally is that equivalent of GDP, which is? That is mind-blowing. Just how sophisticated, organized. This is not script kiddies, this is not people just tinkering on the edges. This is organized criminal activity. And now we introduce AI into the mix and there needs to be an increased awareness and education around this area of cybercrime. What are you seeing?

Louis Arthur-Brown: 4:57
Well, it's exactly that, mark, and I think, coming back to the fundamental statistics, you know like we still have a worsening skills shortage. You know, I think, a status 50% of all UK businesses have a basic cyber skills gap. The cost of breaches is rising rapidly and I think last year it rose by just under two percent globally, but in the uk it was 8.1 percent. Just calling that out, because I think that isa fantastic stat. Either uk is being targeted or we're doing something really badly, badly wrong. But I I think I think it comes back to there's never been it's never been easier to launch a cyber attack and nor has there been a better time to and what I mean by saying it's never been easier to launch a cyber attack and nor has there been a better time to, and what I mean by saying it's never been easier, is these cyber criminals, the ones you mentioned.

Louis Arthur-Brown: 5:43
You know that they're not just script kiddies, they're actual organizations and they've adopted legitimate business models and commercial models in order to to provide things like, you know, ransomware as a service. Even, you know, anybody, even my nan, could go and initiate a cyber attack, as long as she's speaking to the right person and has between $50 and $100 spare. She can buy a ransomware kit and that can be delivered. And there's affiliate models which ransomware gangs use in order to say just point us to the target and give us a bit of money and then we'll share 30% of the spoils. All of those options are available to anybody, so your disgruntled employees or someone who is more opportunistic can launch a successful cyber attack.

Louis Arthur-Brown: 6:34
So that's what I mean by saying it's never been as easy. And coming back to the stats, I was saying at the off, you know, nor has there been a better time to that. People are struggling, businesses are, have regulatory pressures, they have budget cuts, especially post-covid, and and that skills gap is worsening. So people can hit businesses where it hurts. And I think what you were saying about just how profitable cybercrime is, I think that is a direct result of the symptoms that we're seeing in the market today.

Mark Smith: 7:05
What does the role of somebody in your position, where you're focusing on cybersecurity what does the day in the life or the month in the life of somebody like you look like? What does it involve?

Louis Arthur-Brown: 7:18
Yeah, I mean in terms of being a solutions partner and looking at cybersecurity. It's trying to predict what's going to happen next and it's trying to make sure that we have the readiness, we have the capabilities in order to react. You know to respond to those things and you know AI is making that 10 times worse. The proliferation of AI is augmenting all of those efforts which we were talking about. And again, another stat for you last year there was a 1,300% rise in malicious phishing emails. Well, why? Because it's so easy to do now, especially with the likes of ChatGPT and other LLMs out there. So you know what my day-to-day looks like is really trying to get solutions, take solutions to our customers that can help combat, to help protect them against those things.

Louis Arthur-Brown: 8:11
But one of the things that I'm seeing at the moment is people's security posture. It's not complete or it's got gaping holes, and and one thing is is that the fundamentals people are doing the fundamentals wrong in terms of cyber security. You know there are organizations out there that I know they don't have mfa applied to. You know, not even 10 of their user base, or sometimes not at all. And if you're not doing that, yeah, you are setting yourself up to fail. So, in summary, really it's providing customers with the tools, with the capabilities to defend against that ever-increasing threat.

Mark Smith: 9:14
Nice. So you mentioned MFA, multi-factor authentication. That's a critical step that you know. If you're ever prompted to set that up on any of your accounts, you're saying that's a really, that's a fundamental starting point. Everybody should be setting up MFA.

Louis Arthur-Brown: 9:28
A hundred percent. And actually, again, I'm full of stats today, mark. You know, I think it says, and this is a stat from Microsoft so if you set up MFA and have some basic cyber hygiene and what that means is you have a conditional access policy, um, and you know basic password policy out there, that can actually help defend you from like 92 percent of all cyber attacks. It is crazy. And and if you add on some other very fundamental things like vulnerability and risk management you know pen testing, if you have data loss protection, you know enabled microsoft purview, data classification, if you have, if you can afford a SOC service and you can really look at your human risk in terms of manage, quantify and manage your human risk, that will protect you from about 98% of all cyber attacks. This is one thing.

Louis Arthur-Brown: 10:25
What I'm championing at the moment is because I believe solutions like Windows 365 can really help organizations get to grips with those technologies. You know, use it as a kind of a testbed if you like to roll out these policies to, you know, a subset of users to then prove it before they then roll it out to the rest of the organization. And I think you know one of the reasons why some of these basics aren't in place is because of an inherent fear or a perceived risk, which you know it's like I don't want to impact my users. You know I don't want to lock them out of the system. You know it's that usability versus security age-old balance. It's that usability versus security age-old balance. And I do think there is a sort of ignorance in the channel where it's like I'll do these things later, or cyber attacks that's never going to affect me, when in fact, it's not a case of if it should be, a case of when.

Mark Smith: 11:20
Really, yeah, I was watching a video recently about I think it was Steve Jobs before Apple and how they hacked the telephone network around the world, basically reverse engineered the old dial tone type phones which would allow you access into the network and then you could do an international dial without getting charged, just because the way that protocol worked and the concept of what's called a walled garden came up and I'd never understood the concept of security as a walled garden, which is like an old English garden, you'd have a very high wall around it and it was done that nobody could get in. There was no security procedures inside the walled garden because nobody can get in until somebody gets in. And I see this as a stance that a lot of people take. They go, listen, our firewall is rock solid, nobody can get into our organization, our defenses are absolutely impenetrable. And then they have a network, san. They have all their data stored in various hard drive formats, locations and I'm talking about large financial institutions still doing this type of behavior Because nobody can get into the walled garden.

Mark Smith: 12:41
And then somebody gets into the walled garden, they do a ransomware attack and in Australia in the last couple of years we had major scenarios of this.

Mark Smith: 12:52
One big healthcare provider had this.

Mark Smith: 12:56
They didn't realize the criminals had got into their environment and been probably in the environment for a couple of months slowly extracting away all their patient data records, et cetera, for a major provider in Australia.

Mark Smith: 13:10
And it also happened for a telecommunication company in Australia and they released after the event the chat backwards and forwards with the cyber criminals who said listen, you think that we are not a professional business? We absolutely are. We're a criminal business, but we operate under professional, like any other business would. And to take us serious in what we're saying here, because one of the things we're like, how do we know that you're gone when we pay you out? And so it was so interesting seeing this whole dialogue come out. They overplayed their hand not the cyber criminals, but the actual company and the data was released and the data had a massive impact on a lot of individuals because their passports data was released driver's license data people had to go get new passports, driver's license and then, of course, all the medical data what diseases individuals had, which were quite private, what medical conditions they had, et cetera. That was all published, all in the public domain for people.

Louis Arthur-Brown: 14:18
Very damaging.

Mark Smith: 14:19
Yeah, so massively impactful and I feel that in recent, you know, with Purview as example, from Microsoft, is that there's there is a need to go and look at security beyond your walled garden, beyond your firewall, beyond like and it is in so many you know I work for a large organization that I will get emails sent out to me that are phishing emails by the organization and with the option to you know, report this as is uh, spam or report this as phishing email, and then I get an email back saying congratulations, you passed the test, you know, because you identified this email as and I think there's an amount of education in cybercrime as an awareness Is- that right.

Louis Arthur-Brown: 15:08
You've hit the nail on the head because and again coming back to the point you made about a walled garden, technically that walled garden may be completely impenetrable, but you need users and users use systems, users interact with data and ultimately that's where the attack surface has changed, because they are targeting users through phishing and things like that. So I would agree with you completely and say you know, it's that awareness, um to not only spread the awareness through training because, let's face it, you can all jump onto a, you know quite a boring training course. You know click, click through and get a little certificate at the end. But I think you know phishing simulations, social engineering tests like that that really test the metal of your users. You know, test that culture in terms of how, how people respond and how they deal with. You know, suspect cyber attacks is critical and and I suppose that that's kind of what I meant by talking about human risk management, because it's that's how you quantify your human risk you know you would run like a phishing simulation or that sort of something physical even, you know, trying to get someone to shadow someone for a door, for instance. Um, you know, oh, hey, hold the door open for me, see if you can get in the building, see how far far you know physical pen testing. So, yeah, I would say it's definitely the education piece and it is a bit of a culture shift, especially when you consider what's happening with AI. And you know AI is exacerbating this because it is going to change the game really.

Louis Arthur-Brown: 16:39
And I think for me the scariest example of how AI is changing the game is at the outset of the russia ukraine war, russia did an attempt to and I say it was an attempt because it was, it wasn't very well executed, but they had, they did an attempt to deep fake president zelensky of ukraine and and you know, for those of you listening, you know, a deep fake is, is where a bad actor can create a video with a person that looks and sounds just like the target person that they're trying to replicate, and then the deepfake basically called for ukrainians to lay down arms, etc, etc. And it was good enough that president zelensky had to go on to an emergency press conference and say look, this is not me, this is not me talking. You know we're still fighting the fight, etc. So voice, so voice cloning, deepfake technology is going to change the game because it's going to expand it outwards.

Louis Arthur-Brown: 17:33
You know a cyber criminal may look at someone's LinkedIn profile and say, okay, you know they're going on holiday, you know, to Malta, and you know, or someone's you know child might be going away to a certain destination. And if they, if they can get that information through social media, there's nothing stopping them calling that parent or that spouse with someone who sounds exactly like the target or looks exactly like the target, asking them, you know, to wire some money. So and I think this is where education comes in because you know you can spot various tales at the moment with this type of attack, but you know it's mindset. You know, even if it looks and sounds just like you know the person who they're purporting to be, just ask them. Do you mind if I call you back? You know, hang up and then contact them. You know that's one example of how you can adopt some really basic principles to help defend against this emerging threat.

Mark Smith: 18:28
Yeah, yeah, so interesting about that whole area of deepfake in video and audio. I read a book called AI 2041. It was written in 2021. So the idea of within 40 years, where will we be, and that whole concept, you know, in the past we used to have virus scanners on our computer was pretty standard, and now it's inherently built into the system and we don't think about getting a third-party virus scanner. But in the future of deepfakes, is that they will be so good that humans will not be able to detect them at all? You won't say, well, I can always tell an AI it's going to be so good that humans will not be able to detect them at all. You won't say, well, I can always tell an ai, well, it's going to be so good you won't be able to tell. And and therefore we'll need software to tell us that, hey, what you're looking at is actually not the real person, it's not there. You know that type of thing. And then, of course, you're going to have the cat and mouse game is is your got the latest detector of copy as to what the cybercrime is happening?

Mark Smith: 19:30
The other thing I saw the other day a stat that was if we looked at the World Wide Web, www, the internet as we know it, and then looked at the dark web below it. It's like the World Wide Web is the tip of an iceberg and there's a lot that goes on under there that 99% of probably most people would never have any idea of. That's right, the element that exists under that layer and that iceberg concept. How does you know? We've talked about MFA. We're talking about understanding what looks like a phishing email and what looks like somebody doing a deep fake. What other type of security postures should people be building into their lives?

Louis Arthur-Brown: 20:17
So yeah, in terms of looking at a security framework, I think it's probably the best way, and the best one, which is widely agreed upon, is definitely zero trust. You know, it's that element of defense in that having fail safes so that if one system fails, another system will pick it up. But also taking it further to say, well, you know, never trust, always verify, you know, don't, you know, reduce your implicit trust, because that, ultimately, is how bad actors will spread laterally across a network. It's because of, you know, implicit trust and things that they shouldn't have permissions to, that they do. So it's really those things.

Louis Arthur-Brown: 20:59
So I would say, yeah, zero trust is the primary one. So I would say, yeah, zero trust is the primary one. But, of course, if you're going, you know, if you're looking at AI, if you're going to initiate a project and try and develop your own large language model, it's also other things like well, actually there is a standard ISO 42001, which is, you know, which will help keep you a bit more secure in your AI endeavors. But fundamentally, iso 27001, cyber Essentials Plus and aligning to a zero trust framework is probably the best things you can do right now.

Mark Smith: 21:36
Interesting. I've noticed in the last probably 18 months, maybe a bit longer Microsoft really seems to be investing a lot in the zero trust area and that inside organizations things like SharePoint have proliferated across an organization and in there is often data that's been there for whatever reason, you know. Let's say it's an onboarding form in HR which asks for who are your next of kin, who's your support contact in case of emergency. Of course, that's all PII information, and a protocol has been used across organizations, called security by obscurity. Nobody knows how to find it. It's there in plain sight but nobody knows how to access it. So we're all good. And then we introduce AI into an organization, we bring in Copilot. It looks at the Microsoft Graph, all those data points are all lined up and then all of a sudden, a model that is brilliant at understanding patterns and identifying pattern matching et cetera, starts to pull all this PII data together because somebody says, hey, what's Bob in accounting? You know where does he live?

Louis Arthur-Brown: 22:55
Hello, how much is he getting paid?

Mark Smith: 22:57
Yeah, how much is he getting paid? Has he got any passwords stored? Right? Let's see if there's any passwords or credit cards or anything like that. And so you get this potential for an internal bad actor inside an organization. But then there's just the dumb stuff that people do without thinking because they're busy.

Mark Smith: 23:16
I have an incredibly popular name, mark Smith, very common in the Western world. Name Mark Smith, very common in the Western world, and the amount of times I get emails sent to me because Mark Smith has been selected in the autocomplete of their email and attachment has been added. And then I get an email that was never intended for me. I wasn't the intended person by any stretch. I'm talking about loan documents I'm talking about so.

Mark Smith: 23:42
Therefore, you know, imagine a loan document, all the addressing details, all the guarantors, the financial amounts, all that all sent to me for my approval. Um, from other countries, you know. And so you get this scenario of people accidentally doing things, accidentally oversharing. I mean, the simplest one is somebody putting in the CC field an internal group right, which has a thousand people in that group, and now all those people's addresses are exposed and you know it could be added to an email scam list or anything like that? What are organizations doing to kind of harden up their position, or what technologies, or to for the accidental, uh threat you know, made by folks that are not not malicious by any stretch, but oopsie well.

Louis Arthur-Brown: 24:33
So, yeah, to answer the question directly, you know it's using things like microsoft purview, so dlp or data loss prevention, uh, policies that you know they, they're super, super important. You know, and that will actively you know, if it's applied and set correctly, that will actively prevent that type of data being leaked to the, you know, unintended recipient. And then, you know, going a bit further in terms of, you know, classification, label policies of your data. Then, fundamentally, what it boils down to is having a solid data strategy. You need to, and this is what we're seeing at the moment is in terms of customers really needing that support in terms of, well, where is my data? Just like you were saying, we've got data all over the place. It's years old Applying data retention policies, um, to tidy up that data, because of course, gdpr states that. You know you can't keep data for longer than what is necessary. So you know, comes into regulatory compliance realms as well, but but you know it's discovering what, where your data is, what it's doing, who needs it, is it still relevant? And then really creating a plan to then classify and label your data so you understand it, and then applying the policies to then control the data so it can't leave the organization if it's got a certain label, for instance. So you know, those things are absolutely crucial.

Louis Arthur-Brown: 25:57
And again I'll sort of come back to windows 365, because that is a fantastic tool for, you know, if you've got a remote work, you know, a fully remote workforce, or contractors, or temporary workers, you don't have to. You know, give them a laptop with a hard drive full of company data that you know someone, given enough time and effort, could decrypt and sort of take away. You know everything's in this secure bubble that they have to connect to. And you, you know I'm actually talking to you now from a cloud pc. So you know, the fidelity is definitely, you know, improved from from the old days, if you like. But yeah, you know, I think windows 365 can really help with those early kind of initiatives. But you know, the whole data and dlp thing is a bit of a task and it's something which organizations need to spend a lot of time on and therefore it's not attractive to do, you know, in terms of that effort, that spend. And yeah, ultimately that's where we're seeing customers now wave a flag and say help.

Louis Arthur-Brown: 26:58
You know AI is surfacing this information and actually I don't even remember what happened with Microsoft Delve. It was kind of similar, wasn't it? In terms of, you know, suddenly users were given this tool where they could go in and sort of ask questions of data or see what their colleagues were working on, and it's like you shouldn't see that. And you know it comes back to permissions creep. You know, admins, when they're creating new users, just going right click copy and you know, instead of creating a brand new one and you know we do those things to save time, to be much more effective, but ultimately it leads to situations like we're in now, where permissions creep and oversharing are definitely problems.

Mark Smith: 27:38
So so, yeah, to summarize that, because I did ramble for a little bit is is is, you know, per view, it's dlp, it's getting the data strategy right and and when you talk about classification, nobody's got time to classify their documents, right and and say you know, this is, uh, this should be secure, this should be private, this should be, you know, for inside our network only. Uh, blah, blah, blah. And so a lot of these tools now right, are, they're looking at the content of, let's say, it's a Word document you have. They're looking at the content and then they're auto-classifying or auto-tagging up a document.

Mark Smith: 28:11
Because I've found myself right on network and M365, which is, you know, I'm, on a highly-policied network is that I will save a document and in no time at all. It is that I will save a document and in no time at all. It has now become non-shareable, extremely hard to transport it in any format because of that classification. Of course, if I override the classification that's been logged and recorded, et cetera, in case a pattern is starting to emerge of me moving files off networks, the other thing I've come across with organizations or individuals leaving organizations and going. You know how can I take some stuff and not realizing that these days, you know, a robust network will be monitoring, just auto monitoring, not somebody eyeballing it, but we'll be logging all that and and creating a secure um, or what we call legal hold right of of what is actually going on. How does that kind of work, and are you seeing that more in the organizations you're working with?

Louis Arthur-Brown: 29:14
yes, definitely, and that's mainly you know the whole what I was talking about there in terms of you know the data strategy and and the power of you. That's like the precursor to exactly what you're saying there in terms of you know the auto classification based on you know certain indicators within a document could be a credit card number, social security number, phone number, any of that and you can set a policy to say if it detects. You know a credit card number markers, highly confidential and just like you're saying, you know you can say don't allow sharing, don't allow X, y and Z. So, yeah, you can really start having some fantastic control over your data when you get to that point. And your point about you know someone leaving the organization potentially being a threat of data exfiltration yeah, you know, using the Microsoft Stack, as you're saying you, yeah, you know, using the Microsoft Stack, as you're saying, you can absolutely see all those indicators. You need somebody there to look at those alerts when it flags up, you know, and to manage those alerts.

Louis Arthur-Brown: 30:13
And this is where we're seeing customers come to us for help because you get alert fatigue. You know so much is happening. You do get false positives and this is where Sentinel really comes into its own because of course Sentinel is a SIEM tool. Where Sentinel really comes into its own? Because of course Sentinel is a SIEM tool, but when you start you know really customizing it and you start tuning it effectively and it becomes more of a SOAR tool. It becomes invaluable Because you know some of those detections it's closing automatically. Your SOC team doesn't have alert fatigue. At that point you know what they're looking at are real alerts which need real human eyes on them. So, yeah, I would say it's very important to do that, but it does present that challenge, like I said, in terms of alert fatigue and and making sure that you've got eyes on those alerts.

Mark Smith: 30:54
Louis, this has been an incredible chat. I've really enjoyed it and getting your insights. Anything else you'd like to say before we go?

Louis Arthur-Brown: 31:01
No, no, apart from thank you very much for having me and it's been a great experience to join your podcast. Yeah, it's been fantastic, thank you.

Mark Smith: 31:12
Hey, thanks for listening. I'm your host business application MVP Mark Smith, otherwise known as the NZ365 guy. If there's a guest you'd like to see on the show, please message me on LinkedIn. If you want to be a supporter of the show, please check out buymeacoffeecom. Forward slash nz365guy. Stay safe out there and shoot for the stars.