Talking Wise

Episode 16: Supplier data protection: what businesses should be asking


When a data breach hits, we often assume it was an inside mistake. But the reality? Your business is only as secure as the software and third-party suppliers you trust with your data.

In this episode we're joined by our security and compliance experts Niall Geary and Darryl Oung from Wise to map out where supplier risk actually enters your business, and exactly how to spot the red flags before signing a contract.

Whether you are a startup vetting your first software tool or an established business managing hundreds of suppliers, this breakdown simplifies the messy world of supply chain security.

SPEAKER_02

Sounds silly to say it's important.

SPEAKER_03

Its importance is growing and the threats are getting more sophisticated. And their attacks are getting more and more successful. So our defenses have to build against that and they only need one to be successful.

SPEAKER_02

Correct me if I'm wrong here. Obviously, the more sensitive your data is, the more that you should do, I guess, to protect that. Yeah, absolutely.

SPEAKER_03

You're only as secure as the person who has the least amount of understanding of it. Providing multiple outlets of ways to train and provide that information does a lot to sort of just upskill everyone in general.

SPEAKER_00

That's where I think people might not realise that. They might think, oh well the data's on that system, so it's their responsibility. But no. The regulatory fines from the ICO are on top of that, which is 4% for just outright negligence and repeat offenders. 4% of turnover.

SPEAKER_02

In reverse order almost what you should do is understand the roles and responsibilities, where's your data held and what are you actually holding? And then once you know that, you know, okay, what measures do I need? You know, you're responsible for vetting your suppliers.

SPEAKER_03

Be very cautious, right? And think before you click.

SPEAKER_02

I can't live my life in that fear anymore, no. I'm on my fear. Is it here? Is this no way? Object, reject. Welcome gentlemen. Thank you. Thank you. So we're here today to talk about data protection and um effectively what good data protection looks like, what to watch out for, and ultimately what the consequences are for getting it wrong. Um I think you know, just to give you my opinion, I guess, before we start, why not? I think it I mean it sounds silly to say it's important because I think obviously everyone knows it's important. I think its importance is growing. Um and I think for me it is growing in line with almost the threats that are out there. I think the threats are getting more sophisticated, and I think uh the importance is obviously almost a reflection on how much we're seeing in terms of activity and uh you know phishing attempts, Niall, which I know you drill us on pretty intensely as a company. Uh but rightly so because they're getting more sophisticated and therefore the likelihood of breaches and whatever else is going on.

SPEAKER_03

It's exploded. Yeah, like you know, like not just because I mean mainly because of AI. Let's be honest. A large part of it is because of AI, now it's super easy to create something fairly convincing and spam them out in vast amounts, right? Yeah and it basically they're just building upon the traditional sort of techniques that have been used before. Yeah. On top of that, because of the level of accessibility, it's now far easier for people who have no grasp of any kind of English whatsoever to take something and just make it into 500 different languages and it will work in most cases. No, you know, and then on top of that, you know, the attacks are bespoke. So they will harvest what information they can, and their attacks are getting more and more successful. So our defenses have to build against that because otherwise they will uh successfully get information and then it'll go, right, we want to target Dan. What can we find out about Dan? And they will just send loads and loads of very convincing ones and they only need one to be successful. So they're quite happy if 500 fail. Yeah, they don't care.

SPEAKER_00

No, it's true. I think actually, sorry, I think you did actually say that um I think everyone knows it's important, and I think the problem is that everybody doesn't. Um, I think that's why this uh podcast is so important is to really sort of make people aware of the different types of uh GDPR threats and what their responsibilities are because Niall just mentioned just one part. You've also got what you know what people are using that data for and the responsibilities of what they can and can't do with it. Yeah, um, so you've got the threat of people stealing data, but you've got also companies out there that will get you to sign up to a website, and then before you know, you've got a hundred people calling them and uh you know selling it on to different sales.

SPEAKER_02

I mean, the amount of phone calls I get on my phone, it's almost like how do these people get my number? But before we get into that, let's introduce it. It was so passionate about it on your straight while you're in there, which I love. Uh but uh let's start with you, Niall. Do you want to introduce yourself, share a bit of your background and just what you do at Wise and so whatever else.

SPEAKER_03

I'm uh our wonderful infrastructure lead, in case you didn't know. Um so unsurprisingly, a large part of my job is security. Yes. Um, and it involves securing the business against attacks, building our defences, but also maintaining compliance. Yeah. And building everything that goes around that. You know, a large part is consistently developing the security culture. You know, so it's not just a case of, oh great, we've got this new shiny VPN. Cool, no one knows how to use it. It's understanding why we should be using the new shiny VPN and the consequences of not using the brand new shiny VPN.

SPEAKER_02

Yeah, no, for sure. Yeah, I think that word I was this what I was gonna say at the start, actually. I think businesses have got to adopt a bit of a culture of security, haven't they? Which is absolutely what we have really started to instil in us. So no for sure. Thanks, Niall. And no, just quickly, your background before Wise. So what were you doing before Wise? How did you get into security?

SPEAKER_03

So, oh well, getting into security was a bit of a story there. So when I was a wee young lad, I started out doing retail and found that wasn't for me. Yeah, so then I decided, okay, cool, I'll go to university and I'll study. I did a BA in policing, and that was great until I finished my BA in policing, and rather than join the police, I broke my back. Ah, okay. So I was rather unable to chase criminals down with a broken spine. And you know, it meant, okay, I've got a year of bed rest. I'm not gonna be able to do that. What now? Yeah. Um, and I was very fortunate at the time to have the local e-crime unit reach out to me and be like, look, we heard about your situation, you know, because they knew me from like me being a police special and whatnot. Yeah. And they were like, okay, do you know anything about computers? And at first I was like, kinda, I guess. You know, like I'd done some stuff in cybercrime, and I was always good with computers, but I didn't think I was like the computer guy.

SPEAKER_05

Yeah.

SPEAKER_03

Um, and then yeah, very quickly I took to it like a duck to water. And then from there did independent consulting, worked with all sorts of weird and wacky businesses, one which sold F1 cars. That's a great one. I've got some great stories from that one. Um, and then I worked uh for a bank, which was really interesting, as they're sort of getting their ISO 27001 in nine months. Okay. No pressure there. No pressure. Um, and I worked for education services as well. Okay. Um very interesting situation in the States doing that. Yeah. Um brings its own challenges, a very different compliance landscape. There's still a very strong compliance landscape dealing with HIPAA and COPPA and all the various state ramps that get different cords, yeah. Um but yeah, then I found Wise and I thought, what a great opportunity to uh build out a security estate and uh really get these guys over the line.

SPEAKER_02

No, for sure. No, that's great. Uh see I knew a bit of your story, so it's a bit of a loaded question. I think it is an interesting story. And for what it's worth, mate, I think you would have made a great copper. I did not as a copper interrogating.

SPEAKER_03

I mean my original plan was to go and see Counter Terror. If you if you my uh dissertation was all about uh drone terror attacks in the UK. Okay. And uh what's really interesting is a lot of the predictions I made then have since come true, not necessarily in the UK, but like around the world, and you can see in the use of drones and how that's changed and things like drone swarms. Now, you know, I was talking about that uh 2018-ish. So, you know, it's interesting to see how that's since come true on a wider scale.

SPEAKER_01

Yeah, of course, yeah. Okay, Darryl, over to you. Well I'm not gonna go into quite as much detail as that, but does it make you back? Uh no, no, no, no. My back's all good. Uh doing a little bit of strengthening, a bit of core work relatively.

SPEAKER_00

Uh but yeah, I'm the head of compliance and I've been working uh with compliance more within um employment status uh for the last 15 years, uh logistics for the last 12 years. And I'd say um I've kind of moved towards GDPR, sort of just fallen into it over the last sort of three or four years as we've needed stuff for ourselves. Um obviously I'm quite client-facing, so whenever the clients have issues with um any area of compliance, they tend to come to me. And if I don't know it, then I'll go and do my research. And um it was because of uh a few events that happened with some of our clients that um I came to you and we decided to uh put myself and uh Chrissy through the GDPR Foundation practitioner and uh the um the DPO um position. So we're quite certified in those areas, and that's only so that we can understand it better ourselves for our own business and uh to make sure everything's um remaining safe here, but also so that we can pass that knowledge on to the clients and see what we can do to help.

SPEAKER_02

It's brilliant, and it has been uh super valuable, Darryl, since you've got that qualification. It's really uh, you know, I've spent quite a bit of time myself talking about GDPR, etc., over the years, uh as you do, but I'm a complete novice, you know, I know the basics uh because I've been put through Bob's Business, like we use, and all those certifications that you have.

SPEAKER_03

Don't worry, I've got a GDPR particular future trading system. Cool, don't you want to get too quiet for that? Yeah, exactly.

SPEAKER_02

Um yeah, uh, but I think um having qualified people on our side makes a really big difference, and it's just another string to the bow when it comes to supporting our clients. Definitely okay, so that's um that's great, and thanks for the intros, gents. So just moving on, uh Niall, over to you for this section around, from your perspective, given you've been in the cybersecurity industry for a while now, what does good data protection and, more broadly than that, what does a good sort of security approach look like? So let's start with the data protection side.

SPEAKER_03

Right. So the first thing to understand is there's no one size fits all, right? Everyone is in very different situations and that will always be changing, right? As will be the threat landscape and the regulatory landscape to a certain extent, right? So right now there isn't really anything super strong on AI, for instance, in terms of the regulatory landscape, yeah. That will definitely change in a couple of years. There's already stuff in motion, but um, in terms of like, look, you know, what do I do? Right? If you're a small company, you know, like let's be honest, like us, right? We're not even 500 people, you know, versus like a large bank, which has got tens of thousands of people, very different sort of landscapes, very different sort of uh threat vectors that you're dealing with. So okay, but bearing that in mind, what are the commonalities, right? First thing, where is your data? If you don't know where your data is, it doesn't matter. You can't protect it, yeah, right? You need to know what data you have, okay? I need to know do I have PII? Do I not? I mean, I probably do, but I need to know if I've got PII, and then importantly, okay, I do. What PII do I actually have? Do I actually have someone's passport? Do I just have their email? Like, you know, and people think, well, okay, you've only got their email. Well, actually, that's quite uh coincidental, like especially these days when I can use that as an attack vector. Of course. You know, like phishing again.

SPEAKER_02

But you know, but a lot of phishing comes from email, doesn't it? Email and mobile.

SPEAKER_03

But I can also then potentially go, well, you know, you can contact me on this email. I'm pretending to be John Doe, you know, oh, I'm locked out of my account. You know, could you guys help me out? And whilst a human might be able to pick up on that and go, okay, this guy's kind of sus. Um, I spotted John the other day, he's now got a very strong accent. Um yeah, a lot of the sort of chatbots and stuff that people use don't have that nuance to them. Of course. And that could be a way to get around it. So you know what data you've got and you know where it is. Cool. Now you need to do the obvious thing, which is protect it.

SPEAKER_05

Yeah.

SPEAKER_03

Okay. So, first of all, you need to get your whole team to understand that this isn't just one person in the back room does this for us. Yeah. No, no, you know, um, no, you know, everyone has to be involved in it, right? Everyone has a part to play. Everyone needs to be able to understand, okay, well, I've got this document here. This needs to be labelled as an internal document because the public can never see this. Yeah. Or actually, this is sensitive because it contains PII, I've got to throw that away.

SPEAKER_00

Yeah. Okay. So now, and just for anyone who is going to be watching this that doesn't know what PII is or what's uh Oh, sorry.

SPEAKER_03

So PII is personally identifiable information. Yeah. So it's anything that I can use as a piece of information to identify an individual. Yeah. That is the simplest way to sort of understand it. Now, again, commonly that will be a photo of someone, fingerprint, telephone number, but you do get very obscure cases, right? So technically, uh if I manage to have like a personally identified bit of clothing that said Niall on it, right? Okay, it's Niall's t-shirt, it's got Niall on it. Technically, that could be PII, but that would be a very cheap case, right? I don't expect you to put a sensitive label on that one.

SPEAKER_00

It can even be down to about IP addresses and things like that, can't it? Absolutely nice or anything.

SPEAKER_03

Oh, really? Yeah. Yeah. Okay. Because everyone is individual, which is why you then get to the technical controls. So you've got these labels and you've enforced some rules based on it. So Google's a popular example where you can throw a bunch of labels on and then go, right, if this label is this, do this. Yeah. So commonly you'll go, do not allow external sharing of something that's sensitive. Yes. Or if something is shared externally, let me know. I want a red flag on that. Right. Because there might be a use case for it, like with a client, etc. But I also might not want to know and be like, why is Niall sharing financial information externally? You probably shouldn't be doing that.

SPEAKER_05

Yeah.

SPEAKER_03

Um, but then you get your firewalls in place, okay? Then uh you get your WAF sorted out, which is your web application firewall. Yeah. Um, that's where you start to bring in things like access control. So now you go, okay, we got this data, we know what the data is, we've got controls around the data. Now, who can see this data?

SPEAKER_05

Yeah.

SPEAKER_03

And then you break that down by going, well, Niall in security probably needs to see things that are security related. Yeah. Dan, you need to see things that are kind of on an operational basis across the whole company. You need to see compliance-related things. Yeah, good. So on and so forth. And then you create roles around that, as well as uh levels of privilege. So you go, well, Niall needs to realistically be an admin in most places, not necessarily in all of them. Does Dan need to be an admin in Niall's security systems? Probably not. He should probably be able to see what's going on, but he doesn't need to be an admin in there.

SPEAKER_02

And nor does he want to be.

SPEAKER_03

So you know, you start to break it down by that, and you know, you add layer upon layer upon layer of control, and eventually you're building what is known as uh defense in depth so that even if there's one failure, which okay, that's not great, there isn't going to be several failures which allows the whole thing. Now, of course, one thing could fail and you could lose data or have data leak externally, which is not great. And I'm sure Darryl will tell you there's rules around that in terms of who you have to report to and what you do in those situations. Yeah.

SPEAKER_02

And I think so on that, Niall, obviously the two, I think, first bits are really important, right? So I guess knowing where your data is uh and what you've got are two of the key things, right? Because correct me if I'm wrong here, obviously the more sensitive your data is, the more that you should do, I guess, to protect that data.

SPEAKER_00

Different values, different values. Yeah, yeah.

SPEAKER_02

Yeah.

SPEAKER_00

Uh name, email address, that's your sort of your your entry level, your low stuff.

SPEAKER_02

Yeah, your bog standard or something. Yeah, yeah, yeah. But yeah, you've got financial details, especially if you're holding like card details and whatever else, right? Absolutely. So I used to work at a telco company and we used to take card details, and that was uh PCI standards. Uh so we had things like you couldn't have pens and paper in the office anymore. Oh PCI DSS. PCI DSS, that's right. Yeah, yeah. So you couldn't have pens and paper because technically phone agents could write down long card numbers. Yeah, yeah. All the call recording software. So that when you got to the part of taking card details, you would pause the call recording so you didn't have a phone record of the card details. Uh it was really intense actually. If we had a pen on a desk and you got caught, it was like big fines. Yeah. Uh stuff. No, it's uh I have to admit, I do find it actually really interesting. Uh, which is maybe some people might go, then you bought it. Um I think you know understanding what you have to do to protect yourself as a business is critical. Yeah, it is critical. Yeah, it's critical, yeah. And uh Niall, I've seen from um uh what you've just said there sort of opening up so firewalls and things like that and access controls. Yeah, I guess some of that stuff is free, right? So I guess you know knowing where your data is. Knowing where your data is and want to be. But I guess for people that are listening that maybe think to themselves, oh, I don't really have a lot of this stuff. Yeah. To get the basics right, you can do that fairly cost-effectively. Oh well, absolutely.

SPEAKER_03

Yeah, yeah. So you don't need so often you will find that uh particularly sort of large MSSPs, they will try and sell you sort of the best and brightest thing they've got, and they will sell you a great service and it will come with all the bells and whistles, but it will cost you an arm and two legs. Yeah. And it doesn't need to. There's lots of great services out there. I mean, there's great open source services out there which are free that you can use. Yeah. However, I personally don't recommend doing so in most cases, unless you know what you're doing, because there's a risk associated with that. Yeah. But you could go down that route if you wanted to, but you don't need to. There's plenty of great uh services out there that are relatively cheap for the most part, yeah, that don't cost a huge amount. Like Bob's Business, right? Security training platform, we use it. Cost us two grand for a three-year contract. That's nothing.

SPEAKER_02

That's yeah. Nothing, yeah, you're right, yeah. Does the government offer any support to companies on this sort of stuff like cybersecurity? I know that they've got like national crime agencies that we're gonna do.

SPEAKER_00

You've got the ICO themselves, yeah, who are very helpful. So if you have any questions or you know you want to run anything by them, that's what they're there for. Uh-huh. Um, because they're there to, you know, obviously, come after you if you do it wrong and fine you and keep you in order, but they're also there to help. Um, so if you haven't gone to them and asked, and then you have a breach, that's when they come down hard on you. If you've gone there and you've asked for advice and they've given it to you and you've followed the steps, yeah, and then something happens, then they're not going to do anything because you know you're following their advice. So that's what they're there for. They're not there just to come after you, they're there to support you and help you.

SPEAKER_02

It's interesting when you think about someone like the ICO, you only ever think about them coming after you, and not about them being a support resource.

SPEAKER_00

Exactly. And when I was doing the um DPO uh course, um there was quite a few people that were on the course with me that have had a whole range of different uh circumstances, uh breaches, or they've just been a little bit unsure about certain things. And then whenever they've used the ICO, uh they said that they've been brilliant, they've been really supportive, really helpful. Um, in fact, they can't really do enough for you, but you've got to know that they're there.

SPEAKER_03

It's in their interest to help.

SPEAKER_00

Yeah, yeah, yeah.

SPEAKER_03

What they want to do is get you to a place where you're being proactive about your security estate and making sure that your defenses are ready to go. And you know, they won't fault you if you've taken every reasonable measure you can and you've shown, look, I'm we're trying the best we can here. Look, they accept that you might have limited resources, right? They will work with you and they understand that, right? If even with limited resources, you've done the best you can and things still go south and you have a breach, they're not gonna penalize you for it.

SPEAKER_05

Yeah, right?

SPEAKER_03

Because you've shown, look, I did everything I possibly could. They're gonna be like, Yeah, you absolutely did. Look, stuff goes wrong sometimes, and it was unfortunate on this occasion, yeah. But they're not gonna come after you. It's when you are reckless and you just go, don't need to do that. You know, you either just neglect your security controls or you don't bother with them in the first place, you've not reached out to anybody for sort of help or support. And then when it goes south, it's like, well, what did you expect? And now you are gonna get fined? Yeah. Because you were reckless and you let people's data get exposed.

SPEAKER_02

Yeah, no, it's true. I think that's the point, isn't it? Not being, it's a mad thing, isn't it? Because I guess you know, if you do have a breach and you follow the ICO's guidance, then I guess you would be you know maybe exempt from being fined by them, but it's the reputational damage that comes with it, right? And that's the bit of it that you can't really under, I guess. It's the reputational side.

SPEAKER_00

It is, um but I mean it's even more so if you've just uh been negligent. You know, if you've done all the necessary checks and you can talk to the people that have been affected afterwards to say we've done this, this, this, but unfortunately this has come through. The ICO agree with us, da da da da da, then they'll be a little bit more forgiving, I think, than if they said, Well, we didn't do that. ICO think we were in the wrong, they thought we were being negligent, yeah. And then it's a little bit less forgiving, isn't it?

SPEAKER_02

It's a good point because I was just thinking then, I was just thinking as you were talking, what would I do if someone came to us and said there's been a breach? I think it'd really depend on how they responded and how proactive they were in coming to us and sort of saying this is what's happened and this is what we've done to fix it going forward. I don't think I would necessarily abandon a supplier if they had an issue, provided that they were honest about what happened and how they were going to fix it.

SPEAKER_03

Well, I think we'd look to help first and foremost, where we could.

SPEAKER_00

Yeah, you're right. And I think a good indication of um, you know, whether someone's doing all they can or not would be what the outcome of the ICO investigation could have been. So because obviously if there's a breach and they need to be informed, so they will know and if it's something where they've been negligent, then they're gonna be fined. Yeah, yeah. If they're not and they've done everything that they haven't, then you know. That's a really good point.

SPEAKER_02

Yeah, really good point. I didn't think about that. And that's really interesting. So just going from there, um, and obviously we've spoken a little bit about you know what to find, what to sort of look for uh now, but I know one of the things that maybe one of the first things you took on working at Wise was obviously the renewal of our ISO 27001. Yeah, that's typical. Can we talk a little bit about why that's so widely recognised and what that actually means from a business standpoint?

SPEAKER_03

So uh that was a wild week to throw me in. That's the reason why we never missed it, man. Definitely dig deep down with that one. Um but no, so it's held up as the gold standard in the industry for a reason, right? Now there are other sort of variants of ISO 27001, so one of the ever more popular ones is ISO 42001, but that's much more of a sort of a specific scope. So why is 27001 the one that matters? Well, it's the one that has sort of the broadest range that's applicable to most businesses, right? So some of it you might be able to go, well, that control's not applicable to us, and you work with the auditor, and you know, you agree this all ahead of time in terms of scope. But if you can go through that and you can demonstrate, yeah, we've met all these controls, we have something here, we've ticked all the boxes, the auditor has looked at this and is satisfied that we have all those controls, then your business is in a damn good spot because it's got layers of security, it's got layers of understanding in it. Right now, some people will go, oh you know, all that means is an auditor looked at your business and said, Yeah, you kind of vaguely have that control. Well, I think that's a little unfair because there's a lot involved there at many different layers. You're talking everything from incident response to building a security culture to physical security, all of it, right? So if you're passing all of it, you've got to have multiple layers of security at multiple different points throughout the entirety of the business.

SPEAKER_02

Yeah. Yeah, no, so uh obviously we've had it for a while, right? And I think every year we're trying to improve our standards as a business. Uh but what does that uh for a new business now? What does that process look like to achieve ISO 27001?

SPEAKER_03

So, and what sort of businesses do you think should get ISO 27001 and more? So I think where possible, every business should look to have it, right? However, it's no uh easy undertaking, right? So I did it in under nine months, and that was considered very fast. Yeah. Normally most businesses will give themselves sort of two years to go from zero to completion. Now, obviously, it depends on where you are, where you started. If you've already got 90% of the controls, it's gonna be quite easy to finish it off, right? Um, or if you're just doing it because you're like, oh, we've been told to, you know. So, you know, those are quite easy. But I think going through that whole process will do infinitely good for you because you are forced to look at different parts of your business and go, do we have this control? Are we complying? And if the answer is no, even without the ISO audit, you still need to find an answer for that. You can't have data leaking while you have the uh ICO after you. Exactly.

SPEAKER_00

And I think with the um it depends on the size of the business as well. I mean, we have a lot going on here, um, so there is a lot involved, and with the kind of data that we're holding and the processes that we're putting through, it's gonna be a bigger task than if it was like uh maybe a small construction or a logistics company that has minimal processes because, like you were saying, um with the auditor, you'll be looking over, well, that doesn't apply to us, that doesn't apply to us, yeah. That doesn't apply to us, where when they're doing it for a company that's doing uh the kinds of things that we are, yeah, we're ticking all the boxes, so we've got uh there might be a few that aren't, but we're touching everything, so we have to prove everything. Uh so that depends. The bigger the company, the harder it is to get through that.

SPEAKER_02

Yeah, and I think we made a good decision, or James Orton definitely did, because we got our ISO in really early days. So I guess we didn't, I think we pretty much had it within the first year of trading. So we didn't have a lot of almost historic stuff to tidy up, uh, because we started so early. Yeah.

SPEAKER_03

Um but I think obviously now you coming into the business is definitely uh a sign of our commitment to improving our standards because I'd like to think uh I've made a fairly large impact fairly quickly.

SPEAKER_02

Absolutely have, and I think that brings us on to the next point, which is uh just before we move on, actually, ISO 27001. I don't know the answer to this. How much does it cost to get certified?

SPEAKER_03

Or is this how much it costs to bring live? Well this is the thing, it all depends upon the auditor and the auditing service and what you're paying for. You're not paying for the cert, you're paying for a certified auditor to come in and run an audit. Oh, okay. That's what you'll pay for, and they will provide you the certification.

SPEAKER_02

Got it, yeah. How long does an audit take? How long did our audit take last year?

SPEAKER_03

Well, I mean, an audit can take two weeks, normally it'll take one. Right, but you can scope it out to be two days.

SPEAKER_02

Okay.

SPEAKER_03

So normally what you do is once you complete your so you have like a full audit, and that would be like the week long one where they look at everything in detail. Yeah. Then once you've got that, you then have what are called surveillance audits where they come in, they normally do two days of looking at things in detail, looking at your previous failures, minors, OFIs, where you need to improve, the sort of things they've been told to look for as well, right? Because there's always a theme these days. Um, but then you might have two of those, and then you'll have a full audit again. Okay. So for instance, this year we have a full audit. Yeah. So that'll be fun. Okay. That'll be like, yeah, just appearing for a week with the auditor. But um, even there, you know, we've uh got a GRC tool this year. Yeah, cool. Which we're you know, all shown down a lot earlier. You know, you go governance, risk, and compliance tool. Yeah, yeah, yeah. Yeah, yeah. Uh we bought Drata for those who are interested. But um, you know, even there, you've got all the controls mapped out and someone assigned. So now I can go, right, okay, this is owned by Niall and James, Niall and James, James. Yeah, it's got James, yeah. You know, you can now go to that and things like, you know, is there a network diagram? Yeah, cool, it's uploaded, boom, there you go. The auditor just goes, cool, I see it, ticks, next.

SPEAKER_02

Love that.

SPEAKER_03

And it's painless, right? And also it then means eventually things like the trust centre, and Drata will make that public and go, you want to see how good we are? Yeah.

SPEAKER_02

Okay. That's good, isn't it? Yeah, that's fantastic. Yeah. There are lots of these tools out there, aren't there? But you've got to know how to use them, I guess. Yeah, absolutely. No, absolutely. Okay, so you've spoken about it a little bit as we've gone back now, but I think one thing that you've definitely come in and dialled us up a lot on is the culture, the security culture. So why do you think that's so important, to have that culture?

SPEAKER_03

So as I said sort of early on, right, security is everyone's thing, right? Everyone has to be involved in it, or it doesn't work, right? Everyone's responsible in some way, shape, or form, to greater and lesser degrees, sure, but everyone's responsible ultimately, right? You're only as secure as the person who has the least amount of understanding of it. Okay. So a lot of businesses will do security training, right? And a lot of businesses are very good at doing tick-box, fire-and-forget training, right? And that's all they do.

SPEAKER_04

Yeah.

SPEAKER_03

And, you know, we do security training and we like to vary it, sure. But it's what you do outside of that that determines people's understanding. So yeah, okay, we do security testing in terms of, you know, we have a pen test to test for vulnerabilities. I phish test quite often, as you know, but I don't just go, oh, here's an out-of-the-box, you know, don't click this, Nigerian prince sort of thing, which is very common, but so obvious it's not really training people. No, it's not. You know, I go for some that are a bit hilarious, such as Bait and Switch Electrical. Yeah, you know, they provide you very cheap power, just click this link. Yeah. Some which are linked to sort of social events. So we had the attack of the zombie dinosaur terrorists after our VR social.

SPEAKER_05

Yeah.

SPEAKER_03

And then, you know, I'll take straight-up realistic ones, like: here's a Bob's Business training email that you would normally get, but rather than a seven-day reminder, it's one day. Oh, and if you don't do your training today, you will be subject to disciplinary action. And then I followed it up a couple of days later with: oh, well, you know, fantastic. You spotted the phish test on Bob's Business. Ah, but some of you failed. Well, for those, you know, click this link and it will name and shame those who failed. But for those who succeeded, well, congrats. You know, I was able to budget a small Amazon gift card; scan this QR code and receive your Amazon gift card.

SPEAKER_04

Yeah.

SPEAKER_03

And that was a second phish test. So it's taught you all to now be very cautious, right? And think before you click.

SPEAKER_02

And I can't live my life in that fear anymore now.

SPEAKER_04

I'm just gonna come for some bag in there, just check if it's no, reject, reject.

SPEAKER_03

But, you know, then you've got small things like, you know, we've got an infraction channel on Slack, yeah, and I'll put comms on there and people will talk in there. Yeah, I'll put a small section out in the newsletter, which, okay, you go, but really it's only a small thing. Yeah, sure, but it gets people to go, oh yeah, that's what's going on in security. Yeah, for sure. And then of course I've got the drop-in sessions, right? So there I always present, you know, a bit of, like, what's going on with security? Right? I don't want it to be a backdoor function, I want it to be front and centre. I want people to think about and be aware of what threats are out in the world, yeah. You know, and then of course I provide training, right? So deepfakes, huge problem in the world at the moment. Last time we had that deepfake training, so I go, look, deepfakes are a problem. This is why they're a problem. Here's how you spot a deepfake. Can you spot a deepfake? And then of course a gallery of wonderful pictures of me, real and not so real, yeah, you know. But the thing is, you know, you might remember a couple of the slides where you go, oh, you know, Niall's deepfake training, but you sure as hell remember the images of me. Of course. And you go, ah, I knew that was fake because this, this, and this. Yeah. So providing practical training like that goes a long way. And, you know, you've got to be careful not to saturate people, because then people start to switch off, and it is a fine balance sometimes. But providing multiple outlets of ways to train and provide that information does a lot to sort of just upskill everyone in general.

SPEAKER_05

Yeah.

SPEAKER_03

But then I think I pair that with a very sort of outgoing and approachable sort of personality on my side, and I like to be very sort of present and make sure people know that they can always come to me. Yeah, something I always reiterate. My door is always open. You can always talk to me, you can always message me, right? If you're not sure, let me know.

SPEAKER_05

Right?

SPEAKER_03

I don't care about the 99 times out of a hundred it's not a problem. I care a hell of a lot about that one time out of a hundred it is a problem. Yeah, that's the one I need to know. And I need to know that you can come to me and I will listen and talk to you, rather than going, I don't want to disturb Niall.

SPEAKER_02

Yeah. No, I get that. And look, this isn't a podcast to praise you, Niall, but you definitely have dialled up awareness as a business. And I think, you know, I think it's important for everyone listening. I think that awareness factor, and I think what we've probably got as a business a little bit now is, I don't think anyone would want to be the person that gets caught out. You know, because you've done such a good job of educating people, there's no excuse almost. So I think anyone that did get caught out with a real attempt would almost feel like they've let the business down. Actually, I wouldn't say they'd let us down, do you know what I mean? Because they are sophisticated.

SPEAKER_03

It's okay to make mistakes. I would much rather you make a mistake on a test and learn.

SPEAKER_05

Yeah, of course.

SPEAKER_03

And, you know, look, you're always gonna have new people joining the business or people leaving. So this needs to be a continuous process, right? And of course, people then will forget: that was a year ago, what were the red flags? So, you know, refresh and remind people. And of course, it might change, right? Yeah, of course. Especially with the current emerging technology, the rate of change is like every six months there's a new large language model. That's crazy fast. So given how quickly attacks are also adapting, you know, like I didn't have to worry about agents being compromised a year ago, it wasn't really a thing. Now it is, and they're not secure, so it's a vector of attack, and you've got to be potentially worried about it. So there's lots of continuously, consistently, constantly. And with more hand movements, yeah.

SPEAKER_02

More hands, the hand movements are obviously really important as well. And no, one of the things that I know you've pulled me on before is the physical security side of things, which I think does get... when you think about data and cybersecurity, you don't think about the physical side of it, but there is a threat there as well, isn't there? Absolutely.

SPEAKER_03

So it's quite hard these days to actually "hack", in air quotes, into someone's laptop. Yeah. Yeah, there's easier ways, but, you know, generally speaking, it's quite difficult. Most people put a bunch of technical controls in; it's sure as hell quite easy to get in one door and then grab a laptop, and then I've got all the time in the world with it, or just, you know, go in an office. And if staff are not following basic controls, like, you know, we've got a clear desk, clean screen policy, right? Which means if you're not at your desk, lock your screen, don't have any important documentation at your desk. If you don't have things like that, and I walk in the office, yo, I've got free access to your laptop and all the documentation in the world.

SPEAKER_05

Yeah, right?

SPEAKER_03

So small things like that go a huge way. Removable media being another one, USBs, etc. In particular, you've got to have control of those. The amount of information you can store or export to a USB is insane these days, right? Think about it. How easy would it be to, you know, put on a hi-vis and look like a worker and then, at an opportune moment... Yeah, so you've got to have all these controls in place, and they start at the front door.

SPEAKER_05

Yeah.

SPEAKER_03

Right? So visitor management, get people to sign in. Why are they here? Access cards, scan in.

SPEAKER_02

Yeah. Yeah, you're right. No, it is important because, like you said, you know, I mean, like you said, we're pretty good at clear desks and locking machines.

SPEAKER_03

They are now.

SPEAKER_02

Yeah, but I think someone locking also comes from the fear of someone sending Slack messages on your behalf to other members of staff, which has happened. Yeah, you know, but no, I think it is definitely important. It's also just things like being able to lock a cabinet, right?

SPEAKER_03

And being able to go, right, these laptops, just lock them away.

SPEAKER_02

Yeah.

SPEAKER_03

Rather than leaving them out.

SPEAKER_02

Yeah, you're right, yeah. No, you're right. I know I used to do quite a bit of work with a cybersecurity company from a marketing perspective. And one of the things that I learned about doing that was social engineering, like the old dropping a USB stick in a car park and seeing if someone would pick it up and put it in a machine, which is a classic social engineering test. But, you know, now I think most people, sorry, I say most people, people that work in offices in particular, are aware that you don't just plug a random USB stick into a computer. But go back ten years ago, even I, if I'd have found a random USB stick, you know, I'd have been like, oh, what's on this? Do you know what I mean? Because it's the temptation, it's almost like the red button, it's on the box.

SPEAKER_01

What's that doing then? Because, I mean, it's been a while since I've used a USB stick, yeah. So it's kind of doing away with it a little bit, isn't it?

SPEAKER_02

I think things change, yeah, they do, yeah. But even more so, if you found a USB stick now, you're like, what's on this? Yeah, VHN thing.

SPEAKER_01

You just can't just throw it in the big check.

SPEAKER_03

But, you know, there's other ways to get people to open stuff, and that's where the social engineering aspect comes in. Because as a person, you are far easier to hack than a machine or hardware.

SPEAKER_02

Yeah, it's so true. I mean, the classic ones, and I feel really sorry for the people that fall for them because some of them are super sophisticated, a lot of messages from HMRC, and they use fear, don't they, as the thing. The thing is, right?

SPEAKER_03

You know, people will fall for it, right? You know, okay, sometimes it really is quite obvious, and you should know better. But, you know, often they are very vindictive and very clever in their techniques, yeah. And they tend to target people when they're vulnerable with very accurate information, and it's just convincing enough in most cases.

SPEAKER_00

Well, yeah, because they've hacked someone else that doesn't have the experience, and they've seen a couple of emails that have come in from you, so they've got a bit of a story that they can go back on. So before you know it, it looks good.

SPEAKER_02

Well, James had a really sophisticated one last week, actually. Yeah, he had booked a hotel in Italy, and he got a phishing attempt saying, oh, we need you to reconfirm your card details, otherwise your hotel reservation's not gonna... and they had the hotel name.

SPEAKER_00

Yeah.

SPEAKER_02

Right? So there must have been a leak somewhere for them to get the hotel.

SPEAKER_03

Probably the hotel itself would have been compromised, yeah. Yeah, exactly.

SPEAKER_02

But they may not even know that they're compromised. So James obviously, you know, as you'd expect, was like, this doesn't seem right. Contacted the hotel, and they went, you'll never... and actually the hotel's website had something like, we'll never contact you via WhatsApp and ask for confirmation details.

SPEAKER_01

Oh well, that's probably been added recently.

SPEAKER_02

Yeah, so they must have had some sort of data breach, but, well, it could just be malware sitting there, you know, exporting data. But it was really sophisticated, the phishing attempt was, and you could see why you'd fall for that. Yeah. Especially when, you know, again, it's that almost like urgency factor on it, because when you're waiting for something and you're expecting it... what's the most obvious flag of phishing? The right one, urgency.

SPEAKER_03

Urgency. Now, now, now. If someone's asking you to do it now, now, now, it's probably a red flag. Like, do you need to do it now, now?

SPEAKER_01

Yeah. Well, that's why, I mean, especially... it depends what they're asking for, doesn't it?

SPEAKER_02

Look, anything that you get that's HMRC asking you for it now, then you know it's wrong, because they never get back to anything immediately. I say quietly, we're looking at you. Okay, no, that was all really brilliant information there. And I think, yeah, I guess the takeaways are there. Things like ISO 27001, you know, they're worthwhile looking at. I think the more sophisticated you are as a business, you know, the more important that is.

SPEAKER_03

Even if you don't necessarily want to get certified, it's worth going through the process of an audit just to find out where you might need to improve.

SPEAKER_02

Yeah, of course, yeah. And then having that culture of security is obviously really important, and then looking out for the physical security aspects, right? Because, like you said, doors not being locked and visitor books and all that sort of stuff, you know, it's an easy one to sort of forget about. Someone can just walk in on you. Oh, we've had it here, we've had workmen coming in, and they've been legitimate workmen. But I've been like, who's that? Do you know what I mean? Because no one asks. And there's a sitcom actually where a TV gets nicked and the guy's like, how did the TV get nicked? He's like, oh well, they were wearing overalls. Oh, they're wearing overalls, all right, there's no problem. I mean, but, you know, sometimes it's a little... workmen in, you know. And with a little clipboard you can get in anywhere. You can get in, you sort of go on.

SPEAKER_01

They must be doing something.

SPEAKER_02

Something that blatant must be there. But that's where it happens, isn't it? Absolutely. All right, so Darryl, sort of moving on to the GDPR side a bit then. So, see, everything we've spoken about so far is sort of identification, protection, and what you can do to sort of build a robust business around that. Yeah. But let's talk about the actual implications itself. So, what GDPR is, what a data controller is, a processor is, and sort of some of the stuff around that.

SPEAKER_00

So you've got the company that is the controller of that data, which is the company that's collecting that data and deciding what is done with that data. You've then got the processor, or you could potentially have a processor. You might be the processor, you might be processing the data yourself, but if you're using a third party, so if you've got any subcontractors that are using the data, if you've got a supplier that's using the data, but you're still controlling what's being done with the data, then you are ultimately responsible. Okay. And they will have their own things that they need to adhere to. But the controller is the one who's ultimately responsible for any data that's collected by them and deciding what they're doing with it. So all the things that Niall was talking about, about how to create a safe environment internally, also have to be put onto any suppliers and subcontractors that they're using as well that might be utilising that data. So, for example, we've got hundreds of clients, thankfully. Now they are utilising our system, they're getting the data, they're putting it in, they're telling us what data they want to collect and what they want to do with it. But it's being stored on our system, so we have a really big part in that. So it's their responsibility really to ensure that we're doing things correctly, because it's their data, yeah. And that's where I think people might not realise; they might think, oh well, the data's on that system, so it's their responsibility. Yeah, but no, it's still the responsibility of the person that asked for the data in the first place. Because if you're bringing on a subcontractor and you need to collect all this data, and he's saying, where should I put the data? Where do you want me to bring it, into the depot?
No, no, no. Use this app or use this system, and you put all your data there. So you've asked them to put it on there, and then something happens to that. Yeah, he didn't source this company out to store it. It's got a job processing. Exactly. And, you know, if you own your own company, you might not have a great understanding of GDPR. Well, I can guarantee you, if you're a self-employed subcontractor, you probably don't know much at all. I mean, there's obviously the few out there, but why would they? Because they're not dealing with loads of people's data. So if they're providing a service to a company, they expect them to have certain measures in place to make sure that that data's safe. And therefore, if something does happen and there was a breach or anything like that, then it goes back down to the controller.

SPEAKER_02

Yeah, that's really interesting. And I think that part around... obviously I'm in this world, right, and I spend a decent portion of my time talking about how we treat and look after data, because, you know, our big customers in particular are very quizzical on it. But the bit of it actually that you don't really think about is, you're absolutely right: if you're saying to someone, you've got to use this, then you've taken almost responsibility for that, because it wasn't that person's decision to do that, it was yours.

SPEAKER_00

Absolutely. They're using the system to collect the data that they need, and there is no other option. You're telling them you've got to use this in order to be engaged. Absolutely.

SPEAKER_02

Yeah, no, that is interesting, yeah. Okay. We're gonna come back on, as we've got something that we can share with people around vetting suppliers, but Darryl, let's say worst-case scenario, you know, you are a company and you have a breach. Yeah, what steps should you follow? What should we do?

SPEAKER_00

So the first steps are to identify, you know, what the breach is, how it happened, why it happened, who's affected, has the matter been resolved, is it safe now? Yeah, these are all the things that they need to identify pretty quickly. Once that's done and they have the full picture of where it went wrong and how they've put it right and who was affected, they then need to report it to the ICO.

SPEAKER_05

Okay.

SPEAKER_00

Okay, and the ICO will then go over that plan and they'll say, right, okay, yep, we can see this has happened. Hopefully they had measures in place beforehand. If not, then, you know, they might not look too favourably upon it. But providing they had, if it was just like a little slip by one of the employees or something who worked for the company, they might go, right, okay, well, it's not so bad. We appreciate that you've jumped on it quickly. We appreciate that you've got a plan here, it all looks correct. We agree with the measures that you're going to take. And then once they sign it off, they will then need to probably go and approach the people that were affected to let them know, and that's the secondary people that they need to try and appease, because they need to tell them why it happened, how it happened, what they've done to put it right, and put their mind at ease. Because if it's something like bank details, they might not feel too comfortable about that. They might have to pay for that person to have some kind of support to make sure that they're not affected. That person there might come after them under a civil lawsuit, because obviously if there's some kind of financial loss, then they would definitely get that back, and it would be the amount that they lost out on. But there's also the anxiety of it all. You know, people do get anxious a lot with stress and everything these days anyway. If they know that their details are out there in the big wide world with all these threats going on, then they could quite easily have some kind of emotional distress. And the financial implications of that range anywhere between 600 all the way to 79,000 pounds, depending on how much it's affected them. I mean, that's just one person.

SPEAKER_03

Yeah, cool.

SPEAKER_00

So if you can imagine, before the fines, oh yeah, these are the civil laws. We're not talking the regulatory fines from the ICO, which is on top of that, which is, yeah, four percent for just outright negligence and repeat offenders. Four percent of turnover. Yeah, yeah, yeah. Not profit or anything like that, turnover. So that's a big one. And then if it was slightly minor, but the data was critical data, like bank details, that kind of stuff, you might fall within the two percent of turnover. Okay, which again is probably enough to take out most of... most of us. That's all a discretionary thing, like, yeah, there's no set amount. It's up to two percent. So depending on how much work they've done, how quickly they've jumped on it, because you have to let the ICO know, once you've been made aware of the breach, within 72 hours. So that's the time that you've got to get on top of it, to come up with your plan and approach them and let them know what's what. But if you don't do things like that and you didn't do anything previously to make sure that your company is safe and protected, that the suppliers that you're using are safe and protected, then you're gonna be at the higher end of the 2% or the 4%. So the more you do and the more that the ICO can see that you're really not burying your head in the sand and working towards treating this data that belongs to the individuals with respect, then, yeah, the better it will be for them.

SPEAKER_02

And what if you have a breach and you don't report it to the ICO within the 76-hour window?

SPEAKER_00

Well, I guess when they find out, then you're gonna be at the top end of the scale, and it can go from the two percent to the four percent, because also then you, I mean, you did yourself zero favours by trying to hide it. Yeah, yeah.

SPEAKER_03

Or just not reporting it, which they will consider trying to hide it. Yeah, of course. And if people are like, well, we just didn't know, they won't accept that as an excuse. That's not an excuse.

SPEAKER_02

Yeah, I guess because when you think about it, you shouldn't strike to personal data, right? But I guess if you've had a breach, you've not made the ICO aware, they probably then by extension think you wouldn't make the users aware. And if something happens to their data and you didn't notify them and then you didn't give them a chance to sort of go and do something about it, like bank details. So if you said to me, Dan, your bank details have been leaked, obviously the first thing I'd do is call my bank and say, you know, my bank details might be compromised, do you know what I mean? And they would block my cards or whatever else. But if you don't even give someone the opportunity to do that, then that's when I guess it's super risky, right? That's massive, yeah.

SPEAKER_00

That's really big. Yeah. I mean, that's why it's here, right? And I honestly believe that they're gonna be making some examples of people as well, because they need to wake people up. Even when we put a webinar out the other day, didn't we? And we've had quite a few comments of people agreeing with what we're saying and just saying, look, a lot more people need to be aware of all of this, they need to know what the responsibilities and what the risks are, because there's so many people out there that have heard about it, but it's not at the forefront. And what you're saying, it has to be at the forefront of everybody's business.

SPEAKER_02

Yeah, and I guess, you know, for logistics companies, four percent of, not everybody's, you know, probably all of your margin, right? So you'd be potentially out of business, wouldn't you? Turnover, two percent's gonna be first.

SPEAKER_03

I mean, even if you survive, like, that's a year at least, you know, or maybe two, like, and we were talking about reputational stuff.

SPEAKER_00

If you've been hit with a fine of that magnitude, then the chances are you weren't doing everything that you should have been doing. Sure, that's a couple of things. And therefore you will, you know, you will lose people wanting to engage with you.

SPEAKER_03

It's like getting the black spot as a pirate, yeah, yeah, yeah.

SPEAKER_02

Yeah, yeah. And I guess this is where I assume resources like the ICO can help you in terms of understanding what your responsibilities and your role are in the data system.

SPEAKER_00

Yeah, so if you're, I mean, we've mentioned the ISO and everything, but if you're looking to use a supplier, don't just take our word for it. Go and speak to the ICO, ask them what you should be checking when you're using a new supplier or engaging a new subcontractor. If you've got all your measures in place, then they're there to support you. So if you go, right, this is what we do, this is our business, this is what we've got in place at the moment, are we doing everything correctly? Then, you know, then you get a sign-off.

SPEAKER_02

It's really interesting, like, because as we've gone through this webinar... through this podcast, it's a webinar on my mind. I think actually the way we've done this almost feels to me like, in reverse order, almost what you should do is understand the roles and responsibilities, you know. So are you a controller, are you a processor? Understand that. Yeah, then from there, where's your data held and what are you actually holding? So okay, as a controller, yeah, what is it that I'm holding and where's it being held, etc., etc. And then once you know that, you know, okay, what measures do I need? Am I at the sort of size where ISO 27001's gonna be really valuable? Do I have a physical security threat? Because not everyone has a physical security threat, I guess, especially if you're in the virtual world. I guess your own home could be a physical vector. Well, yeah, well, that is part of it, yes. But okay, so have you got a physical threat? Do you need a security culture around that? So it's almost like, you know, be aware of your roles and responsibilities, then understand where and how and who's got access to your data, and then what do you do to build a culture and a response plan around that? And it almost feels like that's the order of going. But I think probably the bit that has really stuck out to me today, and, you know, thankful to have Niall and James and the rest of the tech team that took it seriously prior to this. But I think understanding that you're responsible for vetting your suppliers, I guess, is the really important... probably an unhappy but happy for us, in a sense, consequence of today is we're probably gonna get a lot of people asking us questions about how we hold our data and what we do about it. Now, I always say that we're very good, so it'll probably be good for us.

SPEAKER_03

I mean, watch the podcast and you know exactly: we'll pass with flying colours. Well, the thing is, you know, with our vendors, we've got a questionnaire that we send out, right? Now, some of them might find it a bit difficult trying to answer the whole thing or send it back, but, you know, we've got a questionnaire that's uniform, we send it out, it's only 35 questions, something like that. Yeah. But, you know, for the most part, it's pretty common sense. Like, you know, look, who's actually in charge of it? What do you have in terms of data? How are you securing it? That's basically what it boils down to. Yeah, but by getting a sort of uniform series of questions out for everybody, we can go, okay, this is what we expect, this is how XYZ is handling that for us. Fantastic. Then we know that whatever we might have sent to them or them sent to us, and vice versa, is in a secure place. Because if it's not, you better believe I've got to red-flag it.

SPEAKER_00

And that's how you vet all the suppliers and the providers of stuff, and we can supply that.

SPEAKER_02

Well, I ask people now when someone brings a new tool to me, I go, has Niall approved this? Because if he hasn't, don't bother, because it's not worth my time looking at it. No, we have to now, goodies, yeah. He has approved it? Alright, then let's talk. Sorry. I bet you there's hundreds of companies out there now that have had Niall's questionnaire because of us. Free stuff.

SPEAKER_03

I think it is 120-something. Yeah. Jeez, shows you how many suppliers one company can use, right? Yeah, you have to remember this is everything from, like, you know, things like Google where everyone's on it to things where only three people are on it.

SPEAKER_02

Yeah, you're right, yeah, yeah. I know, it's okay. So, chaps, look, obviously that's been really helpful and useful to get into that today. I guess before we wrap up, is there anything extra that you guys want to say that we haven't really covered on today's podcast? Anything that we think we've missed?

SPEAKER_00

With me, it's just don't bury your head in the sand. If you're still unsure after today and you've got more questions, then ask: either reach out to us, reach out to the ICO, and find out exactly where you stand and what your responsibilities are. Ignorance isn't bliss. Yeah, yeah. No, not if there's a breach.

SPEAKER_03

Yeah. Anything from your perspective? I mean, that's basically it, isn't it? Like, think before you click, yeah, know where your stuff is, don't be afraid to ask questions. My door's always open.

SPEAKER_02

Love that, mate. That's a great little summary of mine. I like that, what was it? Think before you click. What was the second one?

SPEAKER_03

Think before you click. Think before you click, yeah. Know where your data is. Yeah, something, something.

SPEAKER_02

You're saying something. Yeah, we'll come back to that one. All right, gents. Thanks very much for today. Appreciate it. That was... always, until the next time. Yeah, see that. No papas. Thank you.