speaker-0 (00:00.846) Hello everyone and welcome to the My Local Marketer podcast. I'm Maria and today I'm speaking with Peter Andrijeczko, a cyber security expert based in Reading, about the human side of security, how to build systems and processes that protect your business and staff. Peter, hello and welcome again to the podcast, because we had you on before for the Ukrainian Center, which is where we are now. Yeah, and thank you again for inviting me. My pleasure. Well, thank you for inviting me back on such an interesting subject, because I think nowadays, as we're going to hear, it's so relevant. Absolutely, yeah, absolutely. I mean the level of cyber security focus now has grown considerably and for very good reasons. Well, I think we should start then with the obvious question, what is cybersecurity?

speaker-1 (00:45.536) In one sentence, it's about protecting data. Nothing more than that. As you can appreciate, data has value. A business's data, their database of clients, their database of new products they're bringing to market would be very useful to a competitor. Medical records, considered to be sensitive data, would be of great use to insurance companies because obviously they can adjust premiums accordingly. Personal data as well is extremely important. The obvious one is banking information. So all of these things have to be protected because there are people out there that want that data to do nefarious things with it. So there are two core aspects to cybersecurity. One's obvious, the other one's not necessarily so obvious. So the obvious one is that it's about keeping the bad guys out, stopping them getting in to get that data in the first place. You'll see me refer to them as bad actors rather than hackers, because hackers has a group of multiple definitions that are both good and bad. But the second part of that, and I'll use the analogy of your own home. If you think about, so how do I secure my own home?
Well, the obvious answer is you're going to put strong locks in place, and what sort of process are you going to use? You're going to make sure that when you go out or when you go to bed at night, you'll make sure the doors are locked. You might put in security lighting. You might put in a video camera. But there's a secondary aspect to that. And the secondary aspect is, well, okay, that's all very well. But if you don't close your curtains and pull the blinds over your windows, then people can still look in and see what you're doing. So you're leaking stuff about yourself anyway, if you don't also cover the privacy aspect. So there's two parts to it. There is the security and the privacy side of it. Businesses, when they look at data security and privacy, they're governed by particular practices that mean they have to treat that data with respect. And the obvious one that everybody probably knows is GDPR, which is a European standard to say this is how you use and protect data. And you can't hold too much data on a person, particularly if you don't naturally deal with

speaker-0 (02:59.15) I think you've mentioned some really interesting points, and I love your analogy with the house. I think that is so important. The thing is, I think it's so complex, and you must see that companies make some pretty obvious mistakes. So what problems do you find that companies face when it comes to data? And then we'll ask what are some easy fixes they can do. I think at the core of cybersecurity is educating everybody. For me, inside a business, your employees are the first line of protection of your data and of your systems. They are the ones who can spot unusual activity and hopefully alert someone. So if you educate them on the types of attacks that may come into your business, then they can be your first line of defense. Cybersecurity attacks often start with some kind of reconnaissance activity. The bad guys out there are trying to find a way into your systems.
They think you're a potential target. So they can do a reconnaissance activity to try and gain information that ultimately lets them launch some kind of attack against you. Now, there's a term that used to be used a lot more commonly in cybersecurity called social engineering. And it's the idea of the confidence trickster. So it might be, for example, we've all had them, the phone call that comes out of the blue that says there's an 800 pound transaction happening on your credit card now from Amazon. Can you ring us to get it sorted? And of course, that's usually a spam call, someone that's probably going to try and take money from you. The other type of confidence trick you get is if you're in a business environment. You know, someone walks in, goes past security with a fake pass, and then there's a security door to get into the rest of the building. They tailgate someone, get through the door, and then they're inside your building and they'll start, you know, looking around, maybe trying to get access to systems and so on and so forth. So that's the concept of doing some kind of reconnaissance before you attack. A very, very common attack methodology today is phishing, with a ph.

speaker-1 (05:12.64) Rogue telephone calls, they're a form of phishing, but often they come through emails. And so the email is going to be, it's usually something that appears to be of a very urgent nature. It's usually convincing. It's pretending to be from an organization or person you deal with normally. And they're going to try and get you probably to click on some kind of link that's going to then take you to a page that says, your computer is compromised, ring the Microsoft help desk, or they may even download some malware, which then gets into your environment and it could even start to encrypt your databases, make that data inaccessible to you. And then the next thing is you get an email or a phone call saying pay us 5 million in Bitcoin and we'll decrypt your database.
And that's where the concept of ransomware comes in. So it starts with a phishing attack and then ends up with a critical attack like that. I think it's key what you said about employees being the first line of defence. So what solutions do you have in place, or what can you suggest for businesses who want to know how they can help prevent or minimise these issues? A lot of businesses already conduct simulations. So they will send out fake phishing emails with links in them, and then they'll see which of their employees clicks the link. And the link normally leads to a small training program so that they can then be educated not to do it again. This is just good best practice. You know, people shouldn't be reprimanded for making those mistakes, but they should be educated and shown, because ultimately the buy-in for your employees is, let's be honest here,

speaker-1 (06:55.794) those same phishing emails could come in on their own private email accounts and stuff. If they're aware of it within the business environment, then they'll hopefully also protect themselves in their own private lives. As we said before, cybersecurity is incredibly complex, maybe because of AI. How has AI actually impacted on cybersecurity? That's a really good question. So really before COVID, businesses had this idea of bastion defences for cybersecurity. So they had particular office locations. You went and worked in the office location. You went through the front door. You showed your pass. You used a card to get through a gateway, got to your desk. And then once you're in there with your laptop, you're trusted and you're left alone to go and do your job. And then everything outside of that physical location is defended, you know, with firewalls and other things to keep the bad guys out. When COVID happened, everyone went to home working very, very quickly. The problem there is that that old security concept didn't really hold, because it was this idea.
If you think of the castle, the castle has the moat around the outside, the drawbridge and the archers up on the battlements, right? But everything inside is protected. And it doesn't really matter who attacks, the protections work. The problem comes when you start having people who work from home. They're connecting into their office locations from remote locations, you know, their homes, and they're doing it over an untrusted network, which is the internet. So then you have this additional problem that bastion defences, whilst they still are in place, they're not good enough. And a lot of businesses now are talking about what's called a zero trust model.

speaker-1 (08:41.821) And I guess to a degree, it kind of means what it says, in that we don't naturally trust anyone or anything. So if you take the office location again, if you think about it, you went into your office, you put your laptop onto the network, you logged in and then that's it. That was you done for the day until you logged out and went home. Zero trust doesn't work like that. It constantly evaluates who is using your network, what systems they're using. It's very careful to watch. Maybe if someone changes from one system to another, maybe they've been doing their email on the Exchange system. Now they've got to go and administer a database and do some work on that. So every time you change or move laterally, as they say, across that network, it's going to check. Now it doesn't always mean it's going to ask you for a password, but in the background there is stuff going on that's saying, okay, so Maria's just accessed that database. Is she using a business-approved laptop? Has she got the authority to do that? And so zero trust talks about verify, don't trust. So check every time something happens on the network, encrypt everything because you don't want to have people snooping into network connections. And also the concept of least privilege.
So only have the capability of working on the systems that you need to do your job, you know. If you don't need to be a database administrator, because all you do is look at that database, then you don't have the permissions to do that. And also monitor everything, assume that you've been breached. And in that case, then put on the heaviest monitoring that you can to constantly watch for the things that are going on on that network. Now that's a long way around to talk about AI, because AI takes that to the next level. Because then if you've got an activity that looks unusual on your network, then maybe normally a human would make a decision to say, well, I'm going to shut down that server. I'm going to terminate that connection. Well, AI can do that for you. So AI can be doing that monitoring process for you. It sees an unusual activity on the network and makes a decision based on that. Now, for example, companies put in place incident response policies. So best practice is to make sure that when you monitor the network, when something happens, you take the appropriate response. Now,

speaker-1 (11:03.35) let's say, for example, one of your systems reports that someone's tried five times to log in with a password and they failed, and their log comes out to say this has happened. Now think about it, that could mean one of two things. It could be one of your genuine users has just forgotten their password and you've got to get someone from IT just to ring them up and say, why don't you reset your account and reset the password. It could also be that someone is actually on your network trying to break in. So you've got to recognize these things that happen on your network and then take the appropriate activity. If you think you've got someone in your network, okay, this is a big response. We need to get everybody in, let the managers know, let the IT teams know, start to investigate it, isolate it and hopefully fix the problem.
So AI has value in being able to respond to that, because as you can appreciate, a lot of these attacks occur when the systems are quiet overnight and so on and so forth. Businesses don't have 24 by 7 personnel coverage, do they? So yes, that's where AI will add value. But at the same time, it also makes attacking a system a lot easier, because you can use AI to do those attacks. So it is essentially just another aspect of a Cold War where the attackers and the defenders are both having to use AI. I suppose the other aspect of that is educating your staff so they don't take something personal, private, and stick it into ChatGPT or one of these AIs. So educating the frontline staff as well goes hand in hand. That leads on to the other thing I want to say about the complex data. I love the analogy about a castle. Taking something really complex, I wanted to ask, how do you communicate that to a CEO or a team in order to get them to do something? Because it's one thing to know something, but you've got to get someone else to do something, convince them to go out of their way, go through two-factor security. So how do you go about doing that?

speaker-1 (13:01.122) Well, you start off with the basics. I mean, again, it comes down to protecting the data. You know, every business is going to know the data that it's reliant upon, whether it's, you know, business clients, partners, invoices they've paid. And they're also going to need to be able to classify that data to a degree of sensitivity. A database server that just holds, I don't know, all your sales documentation is not going to be as important to protect as the list of your clients. So you have to decide how sensitive that data is. When you've done that, you can then start to think about, so what protections do I have to put around it? Because that data is sat on a database on my network. So I've got to think about, okay, how do I defend my network? And also people are going to be legitimately coming in, my employees, and using that data.
So I've got to make sure, how do I authenticate that and make sure they're not imposters? And so then you bring in this concept of having to conduct a risk analysis. So that's really the first thing you have to do as a business. You look at your entire environment, you say, okay, what are my risks of attack? What are my sensitive attack targets? And then put the systems in place that defend you enough against those attacks. Now, cybersecurity is entirely about mitigating risk. No question about it. And you could spend an infinite amount of money to never be fully secure. Risk is equally applicable in project management, where you look at costs of completing a piece of work. Sometimes you go, it's not worth doing that because the cost benefit ratio doesn't work out. It's the same with cybersecurity. You think about, okay, so how am I going to be attacked? And there are things that I can put in place that will defend me against every kind of attack anyway. Again, it's the bastion concept. If you put up a moat and a drawbridge and your archers on the walls, it doesn't matter if it's one person trying to get into your castle or a complete army, the defenses work hopefully equally well. So you're going to always put those in place. So then you talk about putting in your firewalls. You're going to put access controls across your network. One thing that the zero trust concept brings in a lot more

speaker-1 (15:23.552) is the concept of micro segmentation across your network, the idea being that all of your laptop users and your business employees are in this one network doing their own thing. And then the systems that they access, which might be the telephony system, or it could be databases, they're put in their own networks. And then because they've got to step across network boundaries to get from one to the other, then that's where you can put a lot of protections in place.
So those are all considerations for what you need to think about if you're putting a cybersecurity system in place. But when you're going to the CEO to tell them this, to say, we need X thousand to put a system in place, you're very good at communicating. So is it just that you have to be very good at communicating, break it down and explain using analogies to the staff and CEO so they understand the risk? Yes, again, you have to do these risk calculations. CEOs want to see very simple numerical values. If you can display it in a numerical value, if you can say, well, look, this, I don't know, 50,000 pound firewall is going to reduce the risk of just about every kind of attack that can come into our systems, then perhaps that's more value, more cost benefit than say just putting protections around a single database. This is what the risk management process reveals. So how do you explain that to the average Joe employee then? So the CEO is very clear, to him, yeah, that'll save me X. For the average employee who has to go through two-factor authentication on these different systems, how do you explain it to them so they aren't trying to bypass it? It's a compromise. I said before we started, I'm about to move into an information security manager role in a research organization. And there's going to be some particular challenges in that, because there are going to be members of the scientific community who will need support and they'll need to be guided. And if there's one thing scientists do, they have lots and lots of tools, usually open source tools that they like to use to do their analysis and so on.

speaker-1 (17:30.882) They need that stuff to do their job. Python is very commonly used as a language to do data analysis, it's very, very big in the research space. The problem with Python is that it is constantly being updated. And so you can go into a network and you can do a scan of your network and you could see maybe 15, 20 different versions of Python being used across all the machines.
Now, some of those may be vulnerable to particular types of security attack. So they're bringing an inherent risk to your network. Now that's actually something called shadow IT. Shadow IT is this idea that in a zero trust environment, you know exactly who is doing what on what things at any one moment in time. But if users start bringing in their own tools or installing their own tools, I'm not a fan of concepts like bring your own device to work, because I think that's inherently dangerous. But if you're in that environment, then these users who are just doing their jobs, and think they're doing their jobs, they install a piece of software that may introduce a back door into your systems. So you've got to be aware of that. Now, in the case of the science community, we're going to have to go to them and say, well, look, you are running an outdated version. Can we put you on this later version? Is putting you on that later version going to stop stuff you've already written from working? Because that's the other thing about upgrades. You can lose backwards compatibility. So it is a lot about negotiation and understanding, but I always remember something one person said to me about cyber security, and I think it's very important. Cyber security isn't just about keeping the bad guys out. It's about letting the good guys in as well. So you've got small micro companies, you've got the big companies. I imagine, correct me if I'm wrong, but the big companies, they know what they're doing. They can spend money to get the teams and systems and all the security in place. So really it's only the smaller companies who can't afford things and they're trying to find bypasses. They don't have an expert in place who will tell them this is a really big problem.

speaker-0 (19:31.948) What are the problems that those smaller companies are facing comparatively, or how do they differ from the large companies, and what can the smaller companies do?
There are always external consultancies who you can bring in to help you. I was maybe done with my last role in March, and I spent a few months working with an old colleague of mine who's now in New Zealand, but he was looking at putting together CISO as a service. So he was going to offer that to small and medium businesses that don't have their own CISO, and then look at how you would bring in the additional services beneath that, that a CISO would normally do. So to make sure that you are regularly auditing systems, that you've got incident response processes in place, that you're backing your data up, because, you know, losing your data can kill your business. There's a case of a trucking company in 2025, who I think were in existence for over a century or so, had 500 trucks, 700 employees, and they went out of business because they suffered a ransomware attack. They were asked for 5 million in Bitcoin currency, it's believed. They couldn't pay it and they went out of business. And they believed that was simply because someone somewhere had left a default password on the system and that had been the door into the systems for the bad actors. I think that leads nicely into what you're planning to do with your talks at the Ukrainian Center. So could you say a bit about that? Because I think it's very good for people to educate themselves. They may think, oh, I can't afford a cybersecurity person. But like you said, there are ways about it. You could hire someone for a small amount of time to do an audit, or they could go and do a bit of research to educate themselves and find other things. So could you tell people about that, and how else they can find out about cybersecurity and how to protect themselves?

speaker-1 (21:23.074) Yeah, I think what you don't need to overlook as a small business is cloud. Cloud in one sense, in simple terms, is somebody else's computer.
That's the meme that goes around on the internet, which is kind of true, because it is putting your stuff on other people's computers. The nice thing about cloud is it's something that you can deploy very quickly and it's very, very scalable. So if you are a small business that only needs a couple of servers out there, you'd gravitate naturally towards cloud and cloud providers, to see what they can do, because ultimately that is going to take a lot of the cybersecurity headache away from you anyway, because they'll cover a lot of that as a partnership with you. So it's important to know what technologies are out there that enable you to do that. You're right. Big businesses do already very much understand the concepts of cybersecurity. Whether they'll put it in place properly is another question, of course, but ultimately they understand the process. Small and medium businesses and individuals don't understand that. And I think they often get an unfair deal anyway, because they don't necessarily have the context in which to understand how to view cybersecurity and privacy. Because again, it is two topics. It's about being secure and being private. So to me, there's a gap that needs to be filled. And I'm very, very passionate about data privacy, particularly for private individuals, who do get a bad deal. You'll sign up to services on the internet. And you won't read the T&Cs that are inside it. And if you did read them, you might have second thoughts about really what you're giving over in terms of your own data privacy to use that particular service. Now I'm not here to attack any particular provider of a service or the people that use them. But ultimately I think nothing is better. And again, it comes back to education, making sure people understand that these are the consequences of using those services.
And decide really at what point, because if you think about it, you could draw a straight line. On one side, you write the word convenience, and on the other side you write privacy. Now you'll be somewhere on that line. You have a particular workflow. You like using certain applications. That's fine. But then think about where you are on that line. You know, how much of your privacy you sacrifice as a result of that. And would you like to be in a position where you were more private? And then,

speaker-1 (23:48.532) if you give information to people about how they can use alternatives to do what they need to do, then they have a choice to do that. And so that's really what I want to try and do at the Ukrainian club here, is have some evening sessions where we'll just bring people in, we'll make a nominal charge just so that I can generate some money for the center. And then we'll just come in and talk about cyber security. I love the idea. I think it's so good. It just goes to show you can get access to expertise. You don't have to spend thousands and thousands. You can just get some quick advice. So I think that's really good of you. Thank you for putting that on. And I'll definitely put that out. The other thing I wanted to ask you about was change resistance. I know this goes back to what you said before, but just to reiterate it. So when you implement anything that is different, people don't like change. They like the software they've used. They don't like to learn new things. And as you said, you need to update things, things change. I struggle when I look at updates. I'm like, I don't like this. It's new. So how do you get people to take on board and accept these new changes? Is it what you said before about just communicating and telling them why, or do you have some other tips and tricks? I've never believed that you ever say to anybody, you can't do that or you shouldn't do that. I think what you try and always do is present things as a choice.
So it's about information, education, and telling them this is one way you can do it. And by all means, happily continue doing that. Or maybe you can use this application, which is less based on a cloud environment and more under your own control. You can learn to take your own backups of your own data. You can keep it on a separate hard disk, for example. So I don't want to lecture people and say, don't do this. I want to say to them, well, look, if you do it this way and you rely on a third party, in effect, a cloud company, whether it's, you know, Google, Amazon, Microsoft, Apple, whatever, you are subjecting them to being able to use your data. I said to people, there are essentially five core companies that are doing a lot of data collection. And they also happen to be the five core companies that are building more and more data centers, i.e.

speaker-1 (25:59.36) a center for data. So clearly they are collecting data. Those are Google, Amazon, Microsoft, Apple and Meta. Those are the five core companies. I'm not saying don't deal with them. We all have our own workflows. But just bear in mind, the more you expose yourself to those companies, the more of your data that they will take and use. And there are also five very big companies that are also focusing on AI at the moment. And what does AI need? It needs data to learn. So you're part of that process also. So when you think of these services, don't think of them as being free, because they're not free. They're free from cost, but a data center costs a huge amount of money to run. And these are all companies governed by shareholders that don't want money just spent willy nilly. So of course they're going to be getting value for money. And of course they're going to take that data and reuse it. Yeah, just be aware of it. So the only thing to do is say final thoughts, because you've given so much value.
If you want to leave anyone with some final thoughts, everything we've discussed or anything we've not, what would you like to say? I'm passionate about the little guy, okay? Because again, the big guys have got their own coverage and they've got their own processes in place. So the little guys, so the little private internet user, I have five suggestions that can immediately improve your privacy, and very, very quickly. So number one, if you have an email client like Outlook or Mozilla Thunderbird, close down the preview pane. So all you need to be seeing is really that list of emails that just shows who it's from, when it came in and what the subject line is. The reason why I suggest that is because of something that's called a tracking pixel. And a tracking pixel is usually inside marketing emails. And when you open the email, your email client will go off and retrieve that pixel from a remote website. That pixel has a unique name associated to your email account. So when your client grabs that pixel, they know you've opened that email and that you're a real person. So if you leave your emails in a list,

speaker-1 (28:04.706) you have the option of deleting it before you ever open it. The problem with the preview pane is it's already opened your email. So by the time you preview it, it's already got that tracking pixel alerted that you're there. So it's a good idea to turn off the preview pane. Second one, use multiple web browsers. Again, the common browsers are Google's Chrome, Microsoft's Edge, and Apple's Safari. These are data collecting companies. They will know everything about you if you do all your stuff in one browser, in their browser. If you have a Gmail account or use Google Maps, it's no problem using it inside Chrome, because Google already know you've got those systems anyway. But if you're doing your banking or you're making online purchases, they can see all that as well.
This answers the question about, you know, when you hear people in conversation say, I just put my car in for a service and all of a sudden I'm getting emails about car insurance and stuff. And that's the reason, because they can see what you were doing and then they can target advertising at it. So it's a good idea to use multiple browsers. So basically anything for Google, Apple or Microsoft, then stay on those browsers. But anything else you do, choose a third party browser like Firefox or Brave and do all your other stuff in that. And then they can't see what else you're doing on the internet. So that's a good piece of privacy advice. Number three, use a password manager. I'll give you some links for some of these things. So there's one called KeePassXC that runs on every single platform out there. All the mobile phones, Apple, Linux, Microsoft Windows use that. You can get browser plugins so that if you have to enter the password into a website, it will retrieve it for you and put it in the field. And then when you get to using that, you can then start thinking about a very, very good best practice cyber security policy, which is you just make sure you have a different password for every site you log into. And that's a good way of managing. When you post photos online, remember that a lot of mobile phones and cameras add metadata to the photos. So it will say what day it was taken. It could even provide coordinates of location data of where it was taken. Now think about it. You put those photos on Facebook, you know, say you've taken a photo in your back garden. Well, if that metadata is in there, someone else can work out what your home address is. If you post holiday photos, they can work out when you're away from home.

speaker-1 (30:28.076) And of course that leaves you potentially open to a burglary. So when you post photos, there are applications on any phone or device which will strip the metadata out, and then just post them after you've done that.
So that's the fourth one. And the fifth one, I always say to people, is try and avoid public wifi spots as much as possible. You can't ever avoid them completely. But the problem is it's very easy for some kiddie to come into a cafe bar with his backpack, with a small computer inside his backpack that pretends to be a Wi-Fi access point. You connect to that. He becomes the middle guy between you and the real access point. And then he can see everything you're doing on that. And of course, that's a cybersecurity nightmare. So try and always use the data allocation that you get with your mobile phone provider if you can, because then that is not something that can be spoofed as easily. Peter, those points are so valuable. Thank you so much for that. I will be highlighting those points to make sure everyone knows. And you're right, I use KeePass myself. I think someone in IT recommended it to me years ago. And it's brilliant. Like you said, you can have really complex passwords. I can just copy it from there, go and paste it somewhere. The only thing is when you need to update it. Yeah. But you need to update everything. So yeah, I mean, that's great. So Peter, thank you so much. I can't wait for people to listen to this. Yeah, that's true. That's true.

speaker-1 (31:48.748) Lovely, thank you.