
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
AI Risks EXPOSED--How Hackers Use AI Today
Don't let your small business fall victim to devastating cyber attacks! Our expert joins us to discuss AI risks exposed. We explore how hackers use AI to target small businesses. From AI social engineering to data theft, learn what you need to know to protect your business from cyber threats.
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
New Special Offers!
- Remove Your Private Data Online Risk Free Today. Try Optery Risk Free. Protect your privacy and remove your data from data brokers and more. No risk. Sign up here: https://get.optery.com/DMauro-CyberCrimeJunkies
- Want to Try AI Translation, Audio Reader & Voice Cloning? Try Eleven Labs Today. Want a Translator, Audio Reader or prefer a Custom AI Agent for your organization? Highest quality we found anywhere. You can try Eleven Labs here risk free: https://try.elevenlabs.io/gla58o32c6hq
Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Dive Deeper:
Website: https://cybercrimejunkies.com
Engage with us on Socials:
LinkedIn: https://www.linkedin.com/in/daviddmauro/
X/Twitter: https://x.com/CybercrimeJunky
Instagram: https://www.instagram.com/cybercrimejunkies/
AI Risks EXPOSED-- How Hackers Use AI to Target Small Businesses
Chapters
00:00 Introduction to Cybersecurity Risks for SMBs
02:28 Understanding the Threat Landscape for Small Businesses
05:28 The Importance of Basic Cyber Hygiene
08:25 Cultural Differences in Cybersecurity Awareness
11:13 The Role of Education in Cybersecurity
13:59 The Impact of AI on Cybersecurity
16:42 Risks of Artificial Intelligence
19:36 The Future of AI in Cybersecurity
22:21 AI in Cybercrime
24:59 The Cost of Inaction in Cybersecurity
37:53 The Future of Cybersecurity and AI Threats
Topics: AI risks, AI social engineering, risks of artificial intelligence, hacking, social engineering, cyber security, AI, cybersecurity, machine learning, ethical hacking, artificial intelligence, cyber awareness, information security, AI in cybercrime, online safety, small business security, AI business trap, risk management, digital safety, cybersecurity awareness, cyber crime junkies
Speaker 1 (00:00.014)
Did you know there's one main security mistake that nearly every small business makes? By the time they realize it, it's already too... Most think shunned because they're regulated. It's compliance, not security. And that misunderstanding, it's the first crack that threat actors and hackers doing. But you're too small to target. You're just small.
You're already losing. Today we're breaking down the smack framework, a proven system to help leaders navigate chaos, eliminate and reduce the noise, outmaneuver competitors and thrive. You'll benefit from paying attention, especially toward the end when our guest reveals five key strategies that will set your business growth on fire. This is real. It works. So we hope it helps. This is Cyber Crime Junkies, and now the show.
Alright, well, welcome everybody to Cyber Crime Junkies. I am your host, David Morrow, and in the studio today is Alex Gorkovinco. Sir, how did I do on your last name? Pretty good. Okay.
Acceptable? It's all good.
Speaker 1 (01:20.088)
joining us from the United Kingdom and we welcome you sir. Welcome.
Thank you very much. Pleasure to be with you.
Well, we have spoken to other... Alex is a security expert and compliance expert and AI advisor with Risk Crew over in the UK, and they have a phenomenal reputation. We've worked with them. We've had Richard Hollis on the show. Always a great conversation. You guys are always welcome. So let's talk today about small business, big risks.
because it is really, we can always talk about the enterprise organizations, the larger organizations with their own SOC, own, the security operations center, their own internal team, maybe they've built their own help desk internally, and there are a lot of risks, there's a lot of a wide threat, overall threat landscape there, but that's not really the vast majority.
people and the vast majority of people work and get their jobs through smaller organizations whether it's private industry, public sector, etc. What are you seeing walk us through what some of the biggest security risks are that smaller organizations are maybe not finding out until later?
Speaker 2 (02:54.318)
Sure, absolutely. Well, you know, it's the 21st century, unabombed in 2025. So cybersecurity is a very hot topic. And I think it's done nothing new. I'm just saying something that everybody knows. But I think not too many people in SMBs really understand that this is really their concern. So probably the biggest problem, as I see it, is they don't see the problem.
Really, they think, oh yeah, we are too small, who would be interested in this, right? Obviously all this, you know, big fuss is about large organizations, big hacks, zillions of data stolen and published God knows where. So yeah, we are teeny tiny. So why us? So the thing is that it's conceptually really, really a total misunderstanding of how the thing works, because if you literally step into hackers' shoes,
The first and foremost thing that all of them have in common is opportunistic approach. They really don't care. So obviously, if you think about like large, I don't know, hacking organizations or hacking businesses, then obviously, yes, they will probably prioritize. But for, but there are so many of them. I mean, if you are system admin, you just check logs every day, you will see your IP addresses are scanned.
Thousands of times per day, just because you are online. It's enough that you are online, enough that you have a web server. So the threat is there, it's just waiting for a small thing, something where they can catch, a small hole where they can get inside and they can do those famous lateral movements and do their dirty work. So is it a large organization or an SMB? It really doesn't matter, and this is probably the one most important thing
leaders of SMBs should have in front of them all the time.
Speaker 1 (04:51.028)
That's outstanding. So I have an analogy that I want to bounce off you, because I use it often and I want to make sure I'm not misusing it. And that is...
The bad news is that attackers can get inside and be undetected, especially, we're just talking smaller organizations, because oftentimes they don't have the security controls in place, meaning the cybersecurity services, right, whether they're building it themselves or buying it through a provider. But they don't have them in place. And so they are inside for a while undetected, or they come in and leave.
But the good news is that they're not necessarily to guess you're small, right? And you're not like Nike or Louis Vuitton or like a global brand, right? Yeah, we get that. But that doesn't mean you're not a target. Right. And the way that we've always explained it is let's say we're at a shopping center or a store and there's a parking lot, right? Attackers are the thieves.
that walk through the parking lot just pulling on the car doors. They're, yes, they could always break the window and go in and steal what's inside, but that's gonna draw attention and that's gonna take a lot of effort. They're opportunists, like you said. They are just walking by pulling on the car doors, right? And the moment they get one that's open, because people do leave their car doors open, then they go in and they steal and then they move on to the next one.
The is, the good news for small businesses is they don't need enterprise cybersecurity and to build this big thing themselves, but they do need to do something. There's a big risk of believing falsely that you won't get hit or looking at the past and saying, well, I haven't been breached, so therefore I'm fine. Why would I invest in reducing my risk right now?
Speaker 1 (07:02.85)
And the truth is, is how do even know you haven't been breached? Right? How do they even know? Like half the time when we're onboarding a new customer, we find that they were breached two years ago and they didn't even know. Right? It's, it's, it's shocking. What do you think about that analogy? Is that a logical one? The one where they're walking through the parking lot.
Absolutely. Yeah, that's the way it is. Again, because if I do even just a very basic thing, just do log analysis on my own teeny tiny website, I can see that every day there are like standard patterns of how the website is pro... So again, it's not, it doesn't fancy. There's probably, if, let's say, some three-letter organization will be after me, probably
they will have no limits and they will actually hack me, right? But for average hackers, doesn't matter, right? Just hammer standard requests, standard tools against everything that they can find on their way. And it's because the internet is vast. if amongst those thousands and thousands of IP addresses or web applications, there will be one vulnerable, it will be enough for them. And then they will just get in and they will roam and see what they can do.
And coming back to what you said about what SMBs can do, you're absolutely right, you said that, yeah, it's different scales, different objectives. There's no need to think about like large, omnipotent, massive plans, right? Do basics first, do basics. Just think about implementing strong passwords, like MFA. I don't know, do software updates. So think about what are the crown jewels in your organization.
Get into those hacker shoes. I know that everybody's using this very often, but do it like a play the mind game. What if I'm a hacker? What I would steal from you?
Speaker 1 (08:54.196)
So true. So true, right? Yeah. Even if they just do basic things, even if they just do a little bit, you know, when you look at all the different regulations and all the different frameworks and everything else, it still boils down to like five things like know what your risk is, be able to find it and prepare for it. Like this is not a logical and any smart business person
would want to do that, right? Like I don't, like sometimes when I get resistance, I'm like, look, we're not trying to sell a new widget or a new like a new tool, a new technology that's fun and cool and like trending. this, like cybersecurity is not, it is a risk, a real risk when you use technology. And last time I checked, we all are more dependent.
on our technology today than we ever have been in the history of mankind. Like, ever. Like, when you go to, and I don't know how things are in the UK, I know that you guys have, you know, national health insurance, but everybody I know there also has private health insurance, so I'm like, well, that seems expensive. But, but...
It's still a lot better than here in the States where our healthcare system is just a complete mess. But the point is, whenever we go to a physician for a checkup, let's just say, in the US, the nurse doesn't come in with a bunch of papers that have all our medical records on it, right? There's a tablet, there's a kiosk, there's a PC, and they're like, ah, now they can give us medical care that is based on our history. Without it,
When those systems are down, it is literally affecting lives.
Speaker 2 (10:43.531)
Mm-hmm.
Speaker 1 (10:48.526)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.
Speaker 2 (11:08.782)
I can give you one more interesting thing, because I'm in the cyber security business for a very long time and I'm managing pen testing teams, also in already four organizations. And I can tell you that, you know, little thing, who is that? Who is that? How I see what is the best customer for me and for my company. I wouldn't say it's the one that just comes to us every five minutes for the smallest thing. No, actually, I would much prefer dealing with smart customers
who could reach the security baseline and maintain that baseline themselves. So we as professionals can come after those fancy things, something that is really difficult to find and it requires professional knowledge and experience and everything, right? So basic things, it's something that many...
We are.
Speaker 2 (11:58.478)
I think there is no single country in the world not issuing the guidelines. All governments in the world, all without exceptions, they have standards of cybersecurity these days for SMBs and also for enterprises. But for SMBs it's one hundred percent guaranteed. So just follow, download the PDF and follow the standard steps and leave the rest to professionals.
Well, and they're so similar. Like when I... I've read, I do a lot of public speaking, so I'm on a lot of panels, and I've read a lot of compliance, plus I was in law before, so I like to read all that boring stuff. But I'm telling you that I have, and we have like a whiteboard where we've gone through all the controls for every regulation out there, everything, right? And in general they all say the same thing. Like some of them go deeper, some of them have
a bigger cadence. For example, some require vulnerability scanning or vulnerability assessments, right, that are done, period, right? Some require them monthly. Some require the scans or the pen tests to be done every six months. Like the cadence of how far you have to turn those dials will change. But in general, they're all saying the same thing. So just do a little bit of each one. Another analogy I want to bounce off you, and I'm sorry
to do this, when I get actual experts that do this for a living, like to make sure that we're using the right stories to explain this to businesses and organizations. Another one that I got from Zurich, from the CISOs of Zurich that talk to boards in the small business space throughout, obviously, Europe, Canada, Australia, the US, what they always say is,
The analogy of either, like, the bear in the woods or a shark, right? When you think of an attacker as being either the killer grizzly bear or the shark, right, like a great white. If that's the hacker and we're out swimming, right? The truth is we'll never be able to outswim that shark. Like a mako shark can swim 45 to 60 miles an hour, a great white 25 miles an hour,
Speaker 1 (14:19.202)
the fastest human on the planet has only been measured to swim eight miles an hour, right? And I'm not the fastest human. So if I'm out in the water and somebody sees fins, I don't know if it's a shark or a dolphin, but I'm not sticking around, I'm heading towards shore. And the point is, is we'll never out swim that shark, but we don't have to. We literally just have to out swim that guy. Like we literally just have to out swim.
the other people that aren't doing the basics. Making that analogy for cybersecurity does make sense to me anyway. I can visualize it because I'm like, the good news is you don't have to have every bell and whistle and every new trend and every expensive, like cybersecurity doesn't have to be this massive cost for a small business or a small organization. It can be managed, right? It needs part of the budget.
but it can be managed and is so much more impactful than other things that they invest in. So what do you think of that? And then I to get into you explaining who you are and all the good things risk crew does and then let's talk about AI.
So, yes, you're totally right. You know, I think what I want to add first to this thing is that you need to know that there are sharks in the water. That's very important. Don't expect sharks? Then you are in serious trouble, right? If you know that there are sharks, like forewarned is forearmed. Yeah. So that's what I'm talking about. If you know, because this has
love it. Even better, right?
Speaker 2 (15:59.33)
vast implications means how do you develop your code? How do you develop your databases? What will be the architecture of your publicly available? I don't know solutions, how you combine cloud and in house. Lots of things would automatically like an avalanche of decisions.
just by the fact that you know that the Russians... if you think that we are all good friends, that story is completely different, and that they're coming back to the internet from the seventies, eighties, right, some of them. There was a no, no, no, they knew what hacking is, but now it's every day.
Great point. So that's it. That's... so this is why I ask these questions. That was great, man, because that's a good point. Most small business, when you think of the movie Jaws, I don't know if you've seen it. It's very bad, of course you have. But I mean, think about it, like she didn't know there was a shark in the water. She couldn't even see it. Like that first scene when the shark attack happens. It was undetected and it had been there for a while.
very similar to cyber attacks, right? They get in and most small businesses don't have the capabilities for detection, real-time detection. They don't have 24-7 eyes on glass, right? And so they're in, they build footholds, they move laterally, they escalate privileges, boom, they launch whenever they want, right? Sometimes it's months later. And that causes a lot more damage than
somebody getting in, being detected immediately before they can get to your sensitive data and then kicked out and shut down. Because that's the difference between winding up in the news for an embarrassing and potentially bankrupting scenario and not winding up in the news.
Speaker 2 (17:52.046)
David, I can add one thing here. Someone explained to me many, many years ago something that had a huge, profound impact on everything I did after. It means the cost of doing nothing. There's always a cost. If you do nothing, there's still a cost. If you're a clever manager, you have to understand that. And yes, I understand that for small organizations, it's always a trade-off
I love it.
Speaker 2 (18:21.998)
between, you know, they don't want to spend too much money, but at the same time, well, you are also part of some reality, and those realities in the UK, for example, and the US are slightly different, right? Generally Europe, UK and US, there's a slightly different focus, right? The US is a bit more kind of, I don't know, focused on innovation, on being the first, on getting straight to the markets.
And, you know, Europe is more regulated from a cyber security point of view, regulations in
Because we're idiots. I mean, let's let's let's get down to it. Like I love I'm very patriotic. I'm very loyal to my country. You know, people that serve in the military, first responders, police, like they I know all of them like these are good people with a bigger calling than individual selfishness. And we need every one of them.
Having said that, Americans are idiots. Like culturally, our view of cybersecurity compared to my friends that live throughout the UK, like it's night and day. Like Americans don't get it. Like we are like tick tocking our lives in front of our schools with our kids faces on there. We're, we're ridiculously lazy when it comes to our own cyber hygiene and using things we, we can.
barely get investment in things because nobody tells us we have to do it, right? And in the UK, and this is something I had asked Richard Hollis, and I want to get your opinion. I think culturally it's different. And I don't know if it stems generationally from World War II when we saw
Speaker 1 (20:15.336)
what happens when people can identify what your religion is, where you live, who your relatives are, all of that. And we saw the harm that can happen. But they take you all, generally speaking, take your privacy and take your online hygiene much more seriously than we do. And that's a problem for Americans. What do you think of that? What's your take on that?
You see, that's... you open a massive can of, well,
Oh yeah, that's what I do. Yeah, I yeah.
And it is not, honestly, I don't think it's really only related to the US, because generally we as well, humans of the earth, we are gradually, slowly moving away from privacy. We are forgetting what privacy is, and this is, maybe I'm going too far, but I would say it's a deliberate act by large companies, by organizations, because it's good for them.
It's definitely, it's very, very not good for us, but nobody cares, because it's a classic boiling the frog, right? You just gradually do it, you can boil it and she will stay there. Unfortunately, right, if you jump, jump away. So, so, so that's what is happening now, and kids, and you know, this, it's so fuzzy, it's so unclear. Where is my data? What can I do with it? Because
Speaker 2 (21:43.63)
Now you don't even know, it on your laptop, on your phone, or is it in the cloud, or in between? If in the clouds, where? So it's completely blurry now. in the end, for young generation, they just don't care. They just say, oh yeah, whatever. For me, it's important that I have a phone, can do as many pictures as I want, and it's stored somewhere. Where? It doesn't matter. What's important is large company told me that it's secure, and that's enough.
trust to the brand rather than understanding the basic elements of cyber hygiene as you call it. I personally think this is the global problem. young, I mean, large organizations, large companies, they're they think that it's a part of their business, a part of the way that they act. In the UK, I can tell you also from my experience, my family, my younger son,
hang on
Hang on, I don't mean to interrupt you. Are you telling me, in the... and you're in England? Yes. Yeah. So you all had in primary school cybersecurity education as part of the curriculum?
Yeah, it's a basic level but yes it's there.
Speaker 1 (23:12.052)
It's more than it's more than our it's more than our children get at all, right? So that's phenomenal. Actually. I mean, it's least they start to realize, hey, I have data, right? And where's my data kept? And what's a password? Why is a password even more important? I think everybody knows what it is. But why is it important? Why is it important to not reuse them? Like everyone's like, boring. I saw this on a
PowerPoint slide and my IT guy always tells me but you know, there's convenience on the one side and then there's security and we're trying to find a balance but the problem is is there's resistance even for doing anything reasonable sometimes and I love that they're teaching children younger to at least be aware of it. So I just want to point that out. That's great. That's a huge difference between
UK and the
The... They explain it. It's very simple. Again, I don't know if this is the school, it's the nearest public school we were using. My son was attending, or is it just a global thing? Probably it's a global thing. But it's just very, again, very, very basic. It's like, okay, you don't open the door to strangers, right? You check who is out there, or you don't publish your data blindly without thinking, because once it's in the internet, it's there, right?
done, you can't reverse it. So think before you click. Because the younger generation, they're digital natives, so they have no choice, they have to know those things. And if they don't know, they automatically become a potential target for scammers. And again, it's a global thing. I don't think it's anything specific to the US or UK. It's a matter of, again, seeing the shark.
Speaker 2 (25:08.396)
Right, if someone told you about sharks since, you know, your early, early years, you probably would know that there is such a scary thing, even if you probably never seen a live one in your life. But at least in the back of your head you know that there are such large fish and they can bite. So that's already, again, probably giving you some thought before you enter the sea, wherever you are. Doesn't it make sense? And the same about cyber.
So cyber becomes inevitably a part of our lives, right? Because we have lots and lots of devices. I know maybe I'm special because I have like a lab at home, but you know, if you count number of devices at home, it's not one, it's not a 10, it's not even 20. It's a lot. IoT, we have even fridge can be connected to the internet. Don't know why, but it can. So everything, you're probably, iron can be connected to the internet very soon. So.
A tongue.
Speaker 2 (26:05.74)
So everything is interconnected and every connection, everything that every data transfer means that it's potentially a door to your system, right? If you don't think, either manufacturer didn't think about it or you just by negligence or lack of vision or lack of thinking or making a mental shortcut to something you want to achieve, you just neglect it, that could lead to trouble.
Absolutely. And when we think of the generations too, we've got the younger generation, Gen Z, right? Younger than the millennials. And then you also have Gen Alpha now, who's about 15 years old in general. And they're growing up in a world with AI. So even more so than digital natives like Gen Z and millennials, like these, this youngest generation
really needs some, the curriculum needs some tweaking, right? In terms of usage, safe usage, responsible use of AI and technology. And what I want to ask you is a little bit about your background, how you got into this.
what risk crew is doing and then you and I were speaking before the recording about you have an AI lab that you've built and I want to talk about that. want to talk about some risk to AI. tell us about how did you get when you were a kid? Did you know this is what you wanted to do or did it come from life experiences?
no, no, no. When I was a kid, I very vividly remember I was asking when I read an article about computers, I asked my dad, can we have one at home? And my dad was laughing and said, look, computer is the size of that house, the building nearby. that was in the 70s, 80s. But obviously now the situation is completely different. So yeah, I went through quite long career in IT in general. I was working as a software developer many years ago. I was designing GUI working for
Speaker 2 (28:14.862)
banks, for large consultancies, and I just wanted... but I was playing with cybersecurity myself since I started playing with computers, really, and since I got access to the internet. And yeah, so one perfect day I thought, why wouldn't I change slightly the direction of my career to there? I managed to impress one of my former employers with my findings and my experiments, and yeah, so that
started a completely new chapter in my life, and since, I can honestly tell you, once you are in cyber, you are always in cyber. It's
It's a lens that you see so many things through right? mean, yeah it really is because once you see the harm and you talk to the people Involved you can't get it out of your head. Like you're like we have to help other organizations Yes So tell me about I Think it's so important when people ask me all the time about how do you break into cyber security?
And there's a lot of different ways. There's a lot of different paths. A lot of it depends on what you want to do. Saying you're in cybersecurity is almost like saying you're in business. Like it's so vague. It's so broad, right? But once you kind of figure out, I want to be in, you know, advising and compliance, the GRC route, I want to be in red teaming. I'm very technical. I want to break things and learn how to hack, you know, then then you're in the ethical
Hacker realm and the red teaming or you want to work for an organization or a service provider that hunts them down right and that like Detects them where you're working in a sock or you're becoming a sock analyst things like that great careers all of them But there's so it's so important to have a home lab and to experiment and things. Yes. I I mean
Speaker 1 (30:13.312)
Right? I mean, it's, really helped explain it's shown that you're dedicated to the cause and to the field. And then you're able to have findings, right? You're able to show, look, I did this. It might not be completely 100 % relevant to that organization, but they see the effort and the findings and the experimentation. And that is so credible. It's incredible. It's a great way of standing out among the crowd. So walk us through.
Walk us through some of the labs that you've built and this AI home lab that you're building.
Yeah, so let's maybe just say first a couple of words about the lab, just the lab as a...
as a thing in the of every cybersecurity specialist. think I honestly, don't know, I don't remember if I found, if I met a single person who is in cybersecurity and never had a home lab. Because it's so, I mean, I'm talking about specifically about pen testers, right? Someone who is doing hands-on security assessment of web applications, infrastructure, what's it, you know? And experimenting is an essential part of this story.
And that what keeps people in this business for years because it's so brain stimulating. Obviously you can be on this dark side, right? And we can be a professional hacker or you can be a white hat or you can be a pen tester, right? So if you're a pen tester, it's inevitable. have lab, even if it's just two old laptops, it's still a lab and you can set up a database, set up a web application or a couple of VMs and you play with it. You experiment, you download someone else's.
Speaker 2 (31:56.014)
and you train yourself and that's how you grow professionally. It gives you sandbox when you're a big child and you can play with a bit more complicated toys and expand your knowledge and prepare to real challenges. And obviously each time we encounter something new or we...
read about some hacks or some new techniques, it's a very good opportunity for us also to try. Yeah, so let's try to replicate it.
Right. So that you understand how they're doing it. Right. Because how can you advise them? How can you advise any customer of ways to protect if you don't understand exactly how they're doing it? Right.
That's correct. That's correct. And also lab is the place where you can fine tune different testing tools, make them working correctly. And generally as you rightfully said, just understand the nature of vulnerability. And once you understand it in depth, it gives you confidence to explain it to the customer also. So they understand that. You can find the right way to illustrate it. You can make a demo, you can make live demos. And so I'm talking about like cybersecurity labs in general.
So now we can move a bit to AI, because AI is a new trend, and probably you've heard that these days there is a trend, and it's a global trend. You can read about it on Google, it's called AI First. So this is an approach by large organizations, basically by any organization, almost assuming that AI is there to stay, it will never go away, right? So we have to find our way to live with this, and that so means
Speaker 2 (33:39.02)
This means deal with it so it is helpful for our business and at the same time it's secure for our data and for our users. And so again, it's an inevitability. So large organizations have a bit more structured approach to this. Probably the same could not be said about small companies, but it's just as important. So AI is everywhere. We have lots of chatbots, lots of AI publicly available.
You can ask questions, you get answers, right? So nobody's asking, this is cool, yeah? This is cool, right? You can ask it, you know, to write funny stories or even flirt with it. It doesn't matter. What's important is that it's there. There's a big, big black box doing some funny thing and you can interact with it. Nobody thinks or wants to think about what actually is happening there. And it happens a lot. And there's also privacy.
Privacy here is a very, very important element, right? Whatever I say, if I'm authenticated, someone can find that I wrote this and this thing, right? I'm feeding the beast, right? I'm feeding it with my data, and God forbid, if I'm using corporate data or customers' data, then it becomes a really big problem because you almost have to assume that whatever you feed can be used for training or basically goes to some data pool, data lake, you don't know where.
But it can be retrieved. And we know already that there are even lawsuits where large companies are finding their data just by asking ChatGPT or any other chat engines because they might train on this data. It's very easy to. I think the most recent, most funny story was about Ghibli Studio, right? Those cartoons. And everybody's saying the whole internet is making pictures of everything in the world,
converting images to Ghibli Studio-like, you know. It's very clear that those AI engines were trained on those things. Legality is not for me to answer, but it's clear, right? And clear. And there are some very tricky ways how you can turn AI to disclose some information inside. And if you know how, you can actually find the source, you can find the real
Speaker 2 (36:00.206)
the training data or a very clear indication of what kind of data, what kind of documents were used for training at the very beginning. So this means that you as a user have to assume that anything, same story, see, nothing changed. Anything you put into the search engine could be used somewhere. Same story here. Anything you put into AI can be used somewhere. So think twice before you write something sensitive.
Right, absolutely. And there have been numerous instances where intellectual property, I remember, I forgot which, I thought it was Samsung, but if I'm wrong I'll stand corrected, but somebody was developing one of the new phones that was coming out, they had some bugs, they were right at the 11th hour, and they put the code into, I believe it was OpenAI, ChatGPT, and it fixed the bugs, great, but the problem is
Now the source code for the new product is public and somebody else was able to grab that. And people just weren't thinking like that. They weren't thinking through where does this data, who all can access this? And that's where the push for internal AI, meaning within the organization, a model of machine learning that can exist behind your network infrastructure so that it's protected.
And that's somewhat of what you're doing with your home lab, right? How are you building an AI home lab? Like how are you getting the machine learning at home? How did you do that?
Speaker 2 (37:44.856)
So luckily these days it's not so complicated because there are lots and lots of open source tools. You don't even need to pay anything. So you can set up your own teeny tiny ChatGPT at home and it actually would work pretty well. So you need to have obviously a relatively powerful computer. You need to have GPUs because GPUs are important to crunch all the data needed for AI to work. So it will never be as massive and as smart as ChatGPT or any
of these big players, but it's your own. You can test your theories. You can experiment with it. You can use different models. You can interact directly. You can write code in Python, for example, that does something that you will not be able to do with online large systems. Well, you can obviously, because there are APIs for everything, but you have to pay for access to it. And this is completely free. You pay only for electricity.
So long story short, it's not maybe as smart as large systems, but it's yours. All data is inside, so nothing goes out, and you're free to experiment as much as you want. And the same thing we have, by the way, in our company, in our head office, we have our in-house AI that is used for proofreading, for helping us to generate some text, working on reports, et cetera, et cetera. But the biggest problem
The biggest discussion we had initially, right? Can we use ChatGPT? No, we can't. Why? Because we are dealing with massive amounts of customer data. So maybe we will not have the smartest system in the world, but it works and it helps. Right? So it may not change things super dramatically. In the end, it will not do our job. So this or that AI will never do our job. It's just going to help us to do our jobs.
No, in my, yeah, I agree completely and that's so interesting. So thanks for sharing that. I mean, for me, it gets you 80% of the way. Whenever I've used it, and I use it every single day, it gets you 80% of the way. You can't just copy and paste what you get because everybody can kind of tell, and it looks like an error, sounds like AI when you read it, but it does
Speaker 1 (40:04.622)
do a lot of the processing, a lot of the mental compute that we otherwise would be a lot of time spent doing that and coming to it, and it helps you organize things. I mean, it's so convenient. It's outstanding. But doing it responsibly and doing it in a safe way is really key.
I can tell you a funny thought here. I don't know if you read any books of Yuval Noah Harari. He's an Israeli philosopher, a modern philosopher. And he wrote several books about the development of humankind and also about AI and how technology impacts us as humans. And I think one of the very interesting thoughts was that, look, as you said, you are using AI
every day and probably the majority of people you know and I know are doing it every day. And by this, if you sit and think, our life is seriously impacted by the machine, right? So it's not like, you know, Terminators will come and kill everybody. So that will not be, probably, like the world will be dominated by AI this way, but maybe in a very subtle, subtle way because our... I read the article, I don't remember where, that...
AI making decisions actually makes an impact on key decisions people are making, like to marry or not to marry, or financial decisions, lots of things. And so they're asking ChatGPT, should I do this or should I do that? Should I take a loan? Should I buy this car or that car? So it's much more impacting individual lives and businesses than you can think really. So coming back to my original point, I don't know if AI is starting to take over the world, but...
but it definitely makes a very substantial impact on decisions we humans make every day.
Speaker 1 (41:57.768)
Absolutely, absolutely. So there are risks with AI, right? Depending on... that's where having somebody that understands the technology and how it's configured and where the data sits is really important, so that it's not exposed to the outside. But then we've seen threat actors and cybercrime
gangs and social engineers leverage advances in AI to mask their voice and to mask their video presence on Zoom or Teams calls or Webexes and things like that. And a year ago, even a year ago, it was okay. Like, you could usually tell.
Right. And there were, you know, there were some safeguards when you're speaking with somebody, you can have them put their hand in front of their face or turn, but that's gone. Like it's gotten in the last six months. All the examples I've seen have been undetectable by the human eye. And so right now where we stand is it seems like the technology and AI has advanced faster than the
Technology to detect it or to stop harm from it. And so we have to revert back to the traditional human verification process, right like If somebody is telling you something just verify that it's actually the person right through a channel, right that is that is recognized within your organization because you don't know if that's
the right vendor, like if that's actually the person right now. And that sounds preposterous to a lot of people, but that only means you haven't seen it yet. Like it's there, it's being used on a regular basis by these cyber criminals. And oftentimes they're doing it, like you mentioned, in romance scams or individual sim swapping attacks or to gather up data.
Speaker 1 (44:08.632)
to bolster their phishing campaigns, right, when they're trying to socially engineer us to download documents or click on things. But definitely the traditional ability to verify is still critical, don't you think? Are you seeing that in your practice?
Absolutely. Yeah, and you rightfully said that technology is developing so rapidly. Now it's enough, like a 10 seconds, 15 seconds sample, a sound sample, and the system can generate a very sound replica of your voice and then it can be used in real time for anything. You know, if
It used to require days or several hours of recordings, like samples, to train it. And that is part of the reason why years ago it was celebrities, because they had so much presence online that people could take and train their model. But now it doesn't require as much, so now anybody that has any social media presence or any
public recording of a voice or your face is at risk. Like your voice and your face are now a threat landscape.
That's a huge risk, absolutely huge risk. I honestly, don't even, I can only speculate about which direction this all would go because you, know, one perfect day you can pick up the phone and your son or daughter will be crying on the other side saying I've been kidnapped, right? Or your bank or your neighbor or whoever will be talking to you saying, hi, I need such and such amount of money. And the story may be so, so...
Speaker 2 (46:04.654)
you know impactful that you actually would believe because it will be someone you know and you know for years and that could be these days it's more doable than ever and unfortunately probably this thing would be even easier in the future so again coming back to the beginning of our conversation this basic foundation knowledge about you know don't open the door to strangers don't talk to strangers
This is the same thing, right? If someone is calling and asking for money, or if you have a gut feeling that this is suspicious, what are the ways to verify? So I spoke with several people recently, in quite high positions, and they said, look, we have secret keywords, me and my family, me and my wife. If she calls me and I have a suspicion, I ask about something that only she and I know. And that's
the way you can verify, because you can't otherwise. Especially, you know, situations might be very difficult, life-threatening situations, or maybe you might be under stress and it will be enough for you to react completely differently to the same phone call that you
Every family should have one. We've talked about this before on our show. Every family should have a code word, a safe word, a challenge word, whatever you want to call it. They should have that. So that way, when you least expect it, you can say, absolutely, I'll wire you those funds, I realize this is really traumatic, et cetera. What's our, what's our code word?
Because your son will know, right? Or your child will know. And if not, then it's not your son, even though it sounds like your son. Right? That's really a big challenge. Same thing in organizations. There are ways to have challenge words and code words used with your vendors in organizations. Ways to verify human to human that these are the people you're really speaking with.
Speaker 1 (48:02.854)
before any sensitive information or wire transfers or money, that needs to be done. We've talked about, and I'm sure you guys are aware, there are several examples now where deepfakes have been used to get wire transfers for hundreds of thousands of dollars, millions of dollars. Yeah. I mean, it's
was sitting on the chat and seeing the whole board of directors in front of him. So it was very compelling, you know, I'm not surprised really. So the whole board of directors speaking, talking to him the way he knows, and all this looked very, very legitimate. So honestly, I'm not surprised that he was convinced.
No, exactly. I mean, that's the whole point. And that's where just double checking, no one will ever be mad at somebody for just double checking. Hey, before I release this, I just want to verify, and you're talking to them in a channel that you know, that is the human on the other side. And so if you're able to do that, then that's what needs to be done. And that's been the same. Hasn't that been the same advice ever since phishing began?
Right? Like ever since phishing kind of became a thing, we're like, verify that before you click on it, make sure it's actually coming from them. You used to be able to tell because of whatever, like old red flags in emails, they used to be what? Well, you know, misspellings or syntax or grammar or whatever. All that's gone. Now you can write an email that will
spoof where it's coming from, it's going to look like it's coming from that vendor that you know, it sounds exactly like the vendor, right? It uses the words, the phrases, it sounds exactly like them. There is no red flag in the text itself, but the fact that there's some sense of urgency and the fact that they're asking you to do something that, if it's bad, could be really bad, then you just need to verify with the person, and then you'll be surprised.
Speaker 1 (50:15.458)
you know,
Sorry for interrupting, I just recalled one funny story. In the UK, I don't know if you read the article, it was, I think, one of the large telcos created an experimental program for dealing with scammers, with phone scammers, with an artificial AI granny. Did you read about that?
Yeah, walk us through that. Tell the listeners about that. I love that story.
That was absolutely hilarious. So obviously we have scam phone calls trying to lure you into something, to disclose your data or click somewhere. And they created an AI model, a simulation of a granny, who has a problem with hearing and just basically turns the caller into an absolutely mad person, because she's just really asking, hey, mouse, I don't have a mouse.
Where do you want me to click? I don't know what click is... so some really silly answers. But after some time, obviously, some people just start getting into this game and then they understand. All right, something is... just put the phone down. So
Speaker 1 (51:28.824)
So funny, yeah, they're keeping the cyber criminals on the phone and not attacking real people. And sometimes it's for hours, which I love, right? Like sometimes that is...
It was hilarious. Find examples of how it works on the internet, and they're just so, so hilarious.
They really are, because they get so mad, they're like screaming at him and stuff, and I'm like, don't yell at my grandma. It's so funny. I love it. So that's phenomenal. So let me ask you, when you guys are doing... You guys do a lot of penetration testing, you do vulnerability scanning for organizations. Do you ever come across organizations that actually do pretty well?
Yes, and it's actually very good to see that our effort helps organizations to learn from mistakes or just improve their security posture after a year. And so they are coming to us, we do annual audits for them, we are preparing them for ISO standards or any other certifications, or just to be sure that they are secure. So yeah, we are a relatively small company and...
Speaker 2 (52:50.382)
our biggest trends are recurring customers, and they're coming to us because they feel confident, they feel secure with us, with us being nearby, able to help them, give them advice, and they see the change in how they perceive risks, how they treat risks, just because they learn, and one of the...
very important outcomes of our reports. They are heavily illustrated with lots of charts, lots of, sometimes they almost look like comics with so many screens. But it's important to educate, to show them what we are doing, how we are getting to our conclusions step by step, so they learn together with us. And actually you can say, yeah, next year we didn't find anything, we have found only low risk issues. But that's actually good, because this means that they learned.
Right. Yeah, no, I completely agree. We have the same experience here and there's nothing better than that. And being able to kind of get them evolved into a position where now they understand their risk, right? And they're able to accept the risk here, they want to reduce the risk there, then they're able to like understand their overall technology and
and how they can leverage it best because again, they're not, they don't do what we do, right? They build widgets or they provide a service or they do what they went to school for and they're really good at that. And it's so important to explain, okay, here's a technology risk and then why does it matter? Right? Like because by fixing this, you can avoid this, this and this. And if you don't do it, there's a cost of doing nothing.
Your users can expose you this way, this way, this way. And that way they know. And then every business organization, et cetera, has a risk appetite. Would you agree? Like some are like, okay, I'm good. They're okay with just using general numbers, but they're okay with 70% of risk in this environment. Others are like, I'm not going to be able to sleep until that's down below 50 or until that's
Speaker 1 (55:11.136)
in the 30% range, and that way you're able to drive it down for them. But most of them, one of the biggest issues I see is because they're small and because there's that false belief that they won't get hit, they don't do anything and they just assume, I'm assuming this risk, but they don't know what the risk is. They don't know what they're assuming. They just falsely assume things, and that to me is really dangerous
for an organization because if they get hit, they can be out of business. Like the data shows so many of them, you know, from a long tail, the long-term effects of ransomware attacks and stuff. Like it really, really damages them. So I don't know what you're thinking too, what you're seeing.
I completely agree, and probably the biggest shift in the beginning of our relationship, especially with companies, with customers who never did pen testing before, is the transition from, let's say, the state of I don't know what I don't know to a position where I don't know. So you suddenly start seeing these wide gaps on the map. Okay, here I have a gap and there I have a gap and somewhere else I have a gap.
So I know that something should be done with it, because before I was living a very happy life, but with all those bugs and holes, and just waiting for that day to come. So that's very, very important. It's probably the most important kind of mind shift or paradigm shift in the heads of people. So, yes, there is a problem. It's there. It's in our system. And at least now we know that we can deal with it. We know that there is something we have to deal with.
So then you can think about budgeting, prioritization, whatnot. But the first and very important thing, the milestone, is to see that there is something to fix. So that's the biggest thing. Once we are there, then you can do planning, you can do annual scans, you can do delta scans, you can do a vulnerability assessment that is cheaper, smaller, you can do full blown pen tests annually, for example.
Speaker 2 (57:27.16)
play with all those things, with numbers, with dollars, with pounds, and with effort, but you have to see, open your eyes, see the problem first. And that's, I can honestly say that, just coming back to what I said a second ago, for us as a small company, it's very, very important that we hold the hand of our customers and help them get through the whole way from the beginning, where they don't know about those things,
to the situation where they, you do remember I said, are able to maintain their own baseline. So that's the ideal situation where they can be, it's like a child that is reaching the moment that they can safely cross the street, right? So we know that they cross the street themselves, and for anything complicated, they can always have a trusted advisor, and that's us.
Yeah, absolutely. I mean, that's a great point. When organizations have a false sense of overconfidence, right? To me, it's like they just don't know. Because they haven't made any effort, that inaction almost creates a false sense of overconfidence, because they haven't looked to see whether they
actually have those risks or what those risks are so that they're investing or shoring up even through open source means or through time and resources to make sure that risk is brought down. When you think about it, if you live in a neighborhood and you now learn that there are break-ins every Tuesday and Thursday mornings in the early mornings through the laundry room windows.
and somebody sitting there in that neighborhood and they're like, well, we haven't been broken in and don't worry. I've got a really strong front door. I've got a ring camera. I've got a steel door with a double lock. Well, what does that have to do? Like if you don't know and you're not concerned, like you don't even know that they're not even breaking through through the front door. So who cares about your front door and your ring camera? You're not going to be able to see them, right? You, you need to know what is actually
Speaker 1 (59:50.008)
happening, so that you know, hey, you know what, we probably need to put a light out by the laundry room window, or we probably need to have a camera that can see the back part of the house, right? And that way you know, because now you know what to do, right? Or you're high risk and that's your nature and you're like, I'm good, don't worry about it, I'll deal with it. I, you know, have a weapon at home or whatever. Like
you can still accept the risk, but if you don't know about it, then it's worse than knowing about it. Does that make sense?
Totally makes sense. Just adding to what you said, there is one more way to reduce the probability of someone entering your house from any door, front door or back door. Do you know what it is?
No, what is it?
It's just not publishing if you go on holiday, for example, anywhere. Don't publish it anywhere, because people would know. And for some people, it's their bread and butter. It's their life, packing and checking. And maybe not necessarily the people who are checking online are those who are having, you know, all these tools and then get into your house. It might be completely different people, but they're working together. So that's also the illustration. You don't even know what kind of
Speaker 1 (01:01:10.081)
So true.
Speaker 2 (01:01:14.122)
side channel information might affect you. But that's the same with cybersecurity. That's where you say, yeah, I'm going to Fiji or I'm going to whatever, you know, the Bahamas, right?
Can't wait. Yeah, can't wait. We're taking a two week trip to the Bahamas, really excited. Like why, why are you... I mean, we tell this to people all the time, for your personal privacy and personal safety, don't post anything. Take all the pictures that you want, and then when you get back, then you can post about it, because then it's fine.
Totally.
Yeah, so Alex, thank you so much, sir. This was fantastic. What's on the horizon for you? What do you guys have coming up? More work with clients? You're gonna keep working on your AI lab, which is really cool. I love that.
There is one more thing. Actually, security of AI is one of our objectives, because we will be testing AI systems, because more and more systems are using AI, like online chatbots for different organizations, and obviously there are multiple use cases already where they can be abused or retrained or hacked to disclose some sensitive information. So that's a new, completely new
Speaker 2 (01:02:38.798)
area, it's almost like non-technical hacking for hackers. It's more psychology really, or brainwashing a computer, than real kind of hacking dealing with bits and bytes. But nevertheless, it's hacking. It's hacking. So that's the next exciting challenge we have, and everyone in the team is really happy to play with that.
That's exciting. Well, I'm looking forward to touching base with you all again once that gets developed and as you guys have cases to share and clients that you've helped. It's always fascinating to hear what you guys do. You guys are outstanding. So we thank you for your time, and thanks everybody for listening. We really appreciate it. We'll have the link to Risk Crew in the show notes
and ways so that you can follow Alex as well. So thanks, everybody.
Thank you very much.