Intro: 00:02

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro: 00:07

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. A podcast to launch, progress, and excel your career as a privacy pro.

Intro: 00:18

Hear about the latest news and developments in the world of Privacy.

Intro: 00:22

Discover fascinating insights from leading global privacy professionals.

Intro: 00:27

And hear real stories, and top tips from the people who've been where you want to get to.

Intro: 00:34

We're an official IAPP training partner.

Intro: 00:37

We've trained people in over 137 countries and counting

Intro: 00:41

So whether you're thinking about starting a career in data privacy.

Intro: 00:45

Or you're an experienced professional.

Intro: 00:48

This is the podcast for you.

Jamilla: 00:49

Hi everyone and welcome to the Privacy Pros Academy podcast, my name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislations, as well as any key developments and decisions by supervisory authorities. With me today is my co host, Jamal Ahmed, who is a fellow of information privacy and CEO at Kazient Privacy Experts. Jamal is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise wide data privacy and data security challenges for SMEs to complex global organizations. He is a revered global privacy thought leader, world class trainer, and published author for publications such as Thomson Reuters, Independent, Euronews, as well as numerous industry publications. He makes regular appearances in the media, and has been dubbed the King of GDPR by the BBC. Today he has provided privacy and GDPR compliance solutions to organisations across six continents, and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Hi Jamal!

Jamal: 02:10

Hello Jamilla! How are you?

Jamilla: 02:12

Good. How are you?

Jamal: 02:13

I'm really good. I'm really good. Really excited. You know, I've been making some positive changes to my lifestyle. So I wake up super early every morning now and I take myself to the gym. And you know what? I feel great. What did I wait all this time? I don't know what I was waiting for.

Jamilla: 02:27

esident of access backup from: 2007

Greg Edwards: 02:57

Yeah, thank you for having me. Jamal, I'm glad to hear you're working out. I'm an early riser too and have been trying to work out as well.

Jamal: 03:04

Yeah, thank you, Greg. Thank you for celebrating that with me.

Jamilla: 03:07

Anyway, so as always, we start off with an icebreaker question on the podcast. And if you had to delete all but three apps from your smartphone, which ones would you keep?

Greg Edwards: 03:17

Oh wow! That is a tough one. So I'd have to say I mean, definitely email. I've have to keep email, text messaging and probably my weather app.

Jamilla: 03:27

Interesting.

Greg Edwards: 03:28

I'm a private pilot, and so I'm always checking the weather on my phone.

Jamal: 03:34

Alright!

Greg Edwards: 03:37

Are we here to talk about privacy?

Jamal: 03:39

Yeah, something about privacy. You know what? I'm excited. This is our first pilot on the podcast. Amazing.

Greg Edwards: 03:46

Good. Glad to break that ice.

Jamal: 03:48

Jamilla, what 3 apps would you keep?

Jamilla: 03:51

Well, I probably use WhatsApp the most. I've tried going over to signal but there's only about three people on signal. Probably Twitter because it's entertaining, and maybe Reddit. What about you, Jamal?

Jamal: 04:05

I don't need any app.

Greg Edwards: 04:06

Yeah, I would love that. Wouldn't that'd be great?

Jamal: 04:08

It would. It would be awesome.

Jamilla: 04:10

Alright, let's get down to some questions.

Jamal: 04:12

Greg, why don't you explain what ransomware is?

Greg Edwards: 04:15

So I mean, I think everyone's probably heard of ransomware at least by now. But fundamentally what ransomware is, is it's an encryption system that will lock the files once it starts running on a PC or on a network. It'll encrypt all the files and lock them and then hold them for ransom with an encryption key that you have to pay for to get back. It's actually a very simple system. We have written our own ransomware to attack a network and be able to go out and discover everything on a network and then start encrypting it. 93 lines of code.

Jamal: 04:51

Wow!

Greg Edwards: 04:52

Not a lot. And if you think about applications, like WinZip or seven zip, it uses that exact kind of technology to encrypt the files when we used to have to do that to email stuff. It will encrypt those files and they taken that technology and weaponized it.

Jamilla: 05:10

So, just to put it in perspective, if it only takes 93 lines of code, how much code does for example, running Facebook? How much would be that?

Greg Edwards: 05:18

I mean, 10s of millions, maybe hundreds of millions.

Jamilla: 05:21

So ransomware is like a virus then.

Greg Edwards: 05:24

I've been in technology since: 1994

Jamilla: 06:14

It's been, you said it's been around since the end of the 90s. Was that, I remember Y2K vaguely and things like that. Was that worrying about ransomware malware?

Greg Edwards: 06:24

So ransomware really, I mean ransomware has been around. I think the earliest versions of ransomware actually came out on floppy disk, but really, it took the help of cryptocurrency to be able to get ransomware to unfortunately to where it is now because these ransomware attackers can get paid completely anonymously, anywhere in the world, and it's untraceable. It used to be that they have to do some kind of credit card fraud or have some sort of way that they were using the banking system. Well now with cryptocurrency, they've got a whole new way to get paid.

Jamilla: 06:59

So it's more about how they're getting paid rather than the cryptocurrency itself causing malware around.

Greg Edwards: 07:05

Correct. Yeah, yeah, and I'm actually a fan of the cryptocurrency but not a fan of how it's being used by criminals.

Jamal: 07:13

Yeah. So imagine this Jamilla. Imagine you had a car right? Imagine you're driving your car, or use your car today for purposes. And then one morning you come to your car and you find out someone's clamped it and you can't actually get into your car, not just for driving, but you get into your car anymore. So, that's what they're doing. They're stopping you from enjoying something that you should already be enjoying. Right? Yeah, they stopping you from getting into your system with your access. And the only way to get this clamp off the car is to pay the guy who's done it. Now if you pay the guy who's done it when he comes to me, you you've got a couple of options. You can ask the police to wait and meet him. Or you can describe him to the police afterwards. So they can trace him down and say hey, why you illegally clamping her car? Now if he says hey, here's the clamps on your car, we can have it removed. All you need is the code to have it removed. And I'll send you the code. All you have to do is send me some bitcoin. Now you don't even know who that person is. Whether it's a he or she or they, they could be anywhere in the world. And because it's got that level of anonymity because Bitcoin or any kind of cryptocurrency doesn't, you don't necessarily need to know the identity of the person receiving it. It means that he can clamp every single car industry and no one will still know who that person is. So that means they can stay safe from a law enforcement I guess.

Jamilla: 08:29

Cryptocurrency just makes my mind. I don't.. I don't understand how, like people are saying it can be mined, but it takes so much power to be mined. I'm like, well, where do you find it? Is it like on internet?

Greg Edwards: 08:40

It's all about solving an algorithmic problem, is really what it comes down to. So it's just solving for these calculations, and that's how Bitcoins are mined and all cryptocurrency are mined.

Jamal: 08:54

So tell us more about how Crypto Stopper helps with ransomware attacks and you offer 100% ransomware protection. I know a lot of privacy professionals who would be really interested in learning more about it and how it can really help them with their clients and their businesses that they work in right now. So tell us a little bit more about how that works.

Greg Edwards: 09:13

e attacks because starting in: 2012

Jamilla: 11:03

So, your software can tell the difference between ransomware encrypting a file and then me trying to encrypt the file for my own privacy.

Greg Edwards: 11:11

Yep, Yep, absolutely. And the big difference between that and we have, we have a whitelisting system so that we can go in and whitelist specific applications like a WinZip. But from a privacy standpoint, that's typically done at the disk level. And so it's transparent to the user, which is important and that our system, it doesn't stop that.

Jamilla: 11:39

Yeah, you said Crypto Stopper offers a 100% ransomware protection. What other things about Crypto Stopper is different from other ransomware providers?

Greg Edwards: 11:48

So I mean, the the big difference is that deception technology. So intermingling, not only our bait files and those native files but then watching those bait files so that no matter what the encryption is that's running, that we're going to detect it and kill it.

Jamilla: 12:07

Yeah. And that's really helped playing a lot about ransomware, it has definitely made things more clear in my mind.

Greg Edwards: 12:14

Yeah well, Jamal's explanation of the the car getting clamped. That's a great analogy of how it really works, and then to pay that attacker completely anonymously. Like how do you know if you're going to get the encryption key back? That was one common thing that would happen two years ago, that about 50% of the time people would pay and they wouldn't get their encryption key back. Well, the attackers realized that they needed to be better businessmen, or people wouldn't pay at all. And so they provide better customer service in that they do provide those encryption keys all the time now.

Jamal: 12:53

You mentioned that this is ideal for businesses. What kind of businesses is it really ideal for?

Greg Edwards: 12:58

So really, I mean, it doesn't, the type of business doesn't necessarily matter, but it's, I mean anything in health care, professional services, finance, manufacturing. We do specialize in working with managed service providers. So we sell business to business but all through resellers.

Jamal: 13:24

How did you feel when you saw the news about Kaseya attack?

Greg Edwards: 13:28

You know, that was ugly. I mean, I hate to see any ransomware attack that hits on a massive scale like that, or really any ransomware attacks, but that really is just where these attackers are escalating to. So that really may come out that, that was a state sponsored attack. But that kind of attack where they're using the supply chain, so infecting the software provider, and then infecting clients through that provider. That's a very high level kind of attack. And really a pretty scary escalation of where it's going, especially if that was not a state sponsored attacker. So meaning, you know, if it wasn't North Korea, Russia or China, the actual government doing it and now the attackers themselves have that level of sophistication, and that complex of tools to be able to pull something like that off is very scary.

Jamal: 14:29

It's very frightening. I once wrote an article saying how the next World War is going to be a data driven war, and examples of the state sponsored attack and especially hearing you talking about, it may seem more and more actually, like it was a lot more basically accurate, and that's exactly what's gonna happen. Why are we seeing so many state sponsored attacks?

Greg Edwards: 14:48

Well, I mean, part of it, the state sponsored attacks, I mean, so North Korea is really the only state sponsored ransomware purveyor, I would say. So the Russian government traditionally hasn't been involved in ransomware, other than a few incidents, but they haven't from a profit motive been involved in ransomware. Now, there are lots of Russian attackers and cyber criminals, because it's not in Russia, it is not against the law to be a ransomware attacker. Well, I mean, as long as they're not attacking anyone in Russia, then it is absolutely not against the law. And you know, so do you say is that a state sponsored attacker then? Well, I mean, it depends, and I do think that we're going to find out in the next several months if the US and US allies will force any kind of sanctions against Russia to try to get them to clamp down. Most recent UN, I don't know if it was a resolution or exactly what Vladimir Putin proposed to the UN. But really, he basically said, Nope, we're not going to do anything.

Jamal: 16:01

Interesting. We'll see how that plays out. Now you're telling me about the Accenture ransomware. What can you tell us about that?

Greg Edwards: 16:10

Yeah, so that just came out yesterday. So I really don't have a lot of details about that. But what it was, was an exfiltration of data, and I assume also an encryption of data. But what ransomware has pivoted to is not only what we talked about where it's clamping down the files on the local network, but then also exfiltrating that data and so yesterday, it came out that it was discovered that on the dark web, there's a trove of censored files that are being held for ransom, and I don't have a lot of details on it yet. It just came out yesterday. So I don't know the amount of the ransom that they're demanding, but wouldn't surprise me if it's not in the probably in the 10 to 20 million range would be my guess for a company like Accenture.

Jamilla: 16:58

Did these companies tend to pay those ransoms?

Greg Edwards: 17:01

So unfortunately, a lot of them do. So you guys are probably familiar with the Colonial Pipeline attack that happened here in the US. So that attack shut down 45% of the oil and gas flow to the east coast of the US, and they paid a $5 million ransom to try to speed the recovery up. I mean, the CEO of colonial said, Okay, we've got, you know, we, this is critical infrastructure that we have to get turned back on, and so they pay the ransom and about the reports that I've seen, 45 to 50% of companies hit by ransomware attack do end up paying, which seems incredibly high. But it's a faster, I mean, so many companies when you think about the disaster recovery, and that oh, well, everyone has backup, right? Well, not everyone tests those backups and to see how long does it take to actually recover from backup sometimes is much longer than just paying the ransom and getting access to the files back immediately.

Jamilla: 18:08

Yeah, so I guess they feel like they have no other option than to pay the ransom if they want to get back up and running.

Greg Edwards: 18:14

Yeah, well, and the fact that not only will the attackers try to sabotage the backups, and then are now exfiltrating that data and then ransoming and saying that they'll release that data if they don't pay, that adds to the complexity of whether or not to pay.

Jamilla: 18:34

And you didn't, we talked about quite a few large examples of ransomware attacks. Do you think that these kinds of attacks are increasing? And why are services like Crypto Stopper becoming more and more important?

Greg Edwards: 18:45

this coming from way back in: 2012

Jamal: 19:52

Yeah. If they're actively encouraging them by saying, hey, if you're in Russia, then you can go after any country, any company in the world, just make sure it's not in Russia, and do whatever you want to do, then it's kind of like saying, hey, come over here, and you guys really focus on becoming really good at attacking other people's organizations and holding them down someplace.

Greg Edwards: 20:10

heir craft, and that in about: 2024

Jamilla: 20:58

You mentioned that you kind of need the government's help or assistance in dealing with ransomware attacks. What is the current US government attitude to ransomware?

Greg Edwards: 21:08

Yeah. So I mean, so the US is, I mean, there are very few ransomware attackers that are based in the US because the penalties are very high. And the US or in the US, we have the FBI that primarily investigates these kinds of crimes. And one of the problems is that they're so overwhelmed, but then they're also, when they do actually track it back to an individual or an organization, it's a lot more organized crime than just individuals. So even when they do track it back, they can't do anything about it. So I've talked to several FBI agents that are just so frustrated by the fact that yeah, they can track them down but then they can't do anything about it.

Jamilla: 21:54

So what first, I mean, we heard in your bio, you were president of Iowa Electronics, and then president of Access Backup, but what first sparked your interest in data security?

Greg Edwards: 22:04

en I started my career. So in: 1998

Jamal: 23:06

What compelled you to say, I'm gonna be the one to solve it, and I want to help people, to really protect people's personal information.

Greg Edwards: 23:13

cloud existed. So starting in: 2007

Jamal: 24:23

Okay, awesome. Thank you for sharing that story with us. It's quite inspiring. So you was just getting on with your work one day and then you discover that your company had been attacked. And immediately you was like, hang on a minute, if this is what they can do now, imagine the consequences of this, and how devastating this could be as things progress, and as we become more and more reliant on technology. And now we see that you will come to a stage where you actually said you know what, I'm going to actually step up and I'm going to provide a solution. Not just any solution, I'm going to provide 100% protection against ransomware using all of these clever technologies and the embedding of the bait files, and then the other technology you spoke to us about and put together crypto stopper.

Greg Edwards: 25:05

Yeah, exactly. I mean, it was really that 20 years of experience of being in the trenches of seeing what was happening to companies on the reactive side. To say, okay, we've got to stop this so that it's not as devastating, and really what we do is damage reduction and basically stopping the bleeding. With crypto stopper, the attack has gotten in and it's actively running and that's something that I knew was always going to happen that these attacks just like malware, I mean, it's something is always going to slip through. One I mean, if you have 10,000 or 10 people in your company, it only takes one person to slip up to let that attack.

Jamal: 25:49

Exactly. And I always say to my clients, it's not a matter of when it's going to happen just when it happens, and when it does happen, you want to make sure that you put yourself in the best position to mitigate you know, really decrease chances of any damage, and If we're gonna make ourselves resilient or if you're listening, and you're privacy professional, and you want to help make your organization the new craft resilient, this is really the way forward.

Greg Edwards: 26:13

Yeah, you know, I'm obviously coming from an offsite backup and disaster recovery standpoint. I mean, you have to have backup, but you don't want to have to go to that backup and you can imagine, again, use the car analogy that you do. I mean, being locked out of your car is bad. Imagine a 10,000 employee company being completely locked out of their computer system. I mean, it shuts companies down.

Jamal: 26:36

Yeah, we had, we had an incident here in the UK not too far ago. They shut down the National Health Service. People are waiting to have the operations and there's people waiting for urgent medical procedures and the NHS, National Health Service, nobody could access their files. Nobody could access that information.

Greg Edwards: 26:52

Right. And if you think about it, almost every business today if you take away their computer system, you've shut them down pretty much. That's what these attackers know. I mean, everything from healthcare to manufacturing to even there's a lawn care service that's local here in my area that they said, yeah, you shut down our computer system, we can't do anything because we don't know where to send our staff. You know, so you think about that from a lawn care service that is out of business if their computer system is down.

Jamilla: 27:24

a record number of attacks in: 2015

Greg Edwards: 27:41

Certainly an increase in attacks. And I do think that companies are finally taking privacy and data security seriously, or at least starting to. I think that GDPR and some of the California Consumer Protection Act, I mean, I think some of those things are also helping. I think we need a combination of both CEOs, boards of directors, educating themselves, understanding the risks. And then there's also some government involvement to put regulation around what needs to be done. So absolutely, I see that over the next five years, it's going to continue to get worse, the protections are going to get better and better and make that, we really have to do is make that barrier to entry, from the punitive side government's taking it seriously penalising these people plus regulations plus companies taking seriously. I mean, it's not one thing that's gonna solve this. It's a multi front attack.

Jamal: 28:42

Yeah, definitely a combination of things that are going to help us to see a reduction. I don't think we'll ever see an entry but we have seen a reduction. And the good news for privacy pros is, because of all of these attacks, because we are actually understanding how devastating it can be when unauthorized, and people get access or lock you out of your files and lock businesses out. It means that there is going to be a huge demand or an increased demand for data privacy and data security professionals. And that's where we can really help with the privacy pros Academy. If someone's looking to pivot their career, or someone's thinking about making a career change, why should they consider data privacy, Greg?

Greg Edwards: 29:21

For lots of reasons. I mean, number one would be because you're going to really help companies and help the society at large, but then it's also a great profession and they're so like you say there's such a need for it that those jobs are in high demand.

Jamal: 29:40

lation and we can see that in: 2021

Greg Edwards: 31:12

Yeah, I completely agree.

Jamilla: 31:15

Right. So the last question is your opportunity to ask Jamal a question.

Greg Edwards: 31:20

All right. So Jamal, what do you see as the number one thing that companies can do to protect the privacy of their data?

Jamal: 31:31

Number one thing is awareness. An awareness that data privacy is a thing. People's personal information needs to be protected. I think that is the number one thing is raising that awareness and making sure people are always thinking privacy first. I mean, the law and all of the talk about privacy, but people talk about privacy by design, but unless there is an awareness of privacy and an awareness of the risk associated to it, it doesn't mean anything about it. So yeah, the number one thing is awareness.

Greg Edwards: 32:00

Yeah. And I think, add to that, it's got to come from the top down. It's got to be the board of directors and the CEO that take it seriously and implement the controls that are needed.

Jamal: 32:11

Couldn't agree more on that one, Greg.

Jamilla: 32:12

Thank you so much for joining us today. It's been great speaking to you.

Greg Edwards: 32:16

Yeah. Thanks for having me.

Outro: 32:19

If you enjoyed this episode be sure to subscribe, like, and share, so you're notified when a new episode is released.

Outro: 32:26

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 32:31

Thank you so much for listening. I hope to leave you with some great things that will add value on your journey as a world class privacy pro.

Outro: 32:39

Please leave us a four or five star review.

Outro: 32:41

And if you'd like to be on a future episode of our podcast.

Outro: 32:45

Or have a suggestion for a topic you'd like to hear more about.

Outro: 32:48

Please send an email to Team@kazient.co.uk

Outro: 32:53

Until next time.