Cyber News Global: Issue 11



Welcome to the International Cyber Risk Symposium special edition of Cyber News Global. This publication has been brought to you exclusively by Cyber News Global Limited. The editorial team's aim is to bring together leading subject matter experts who will be attending this year's International Cyber Risk Symposium in Aberdeen.

There is still great controversy over the use of AI and how it should be governed; Sandip Patel KC provides an insight into the tug of war over AI regulation. The introduction of additional legislation within certain industries also has to be addressed, none more so than DORA, on which Richard Preece shares his thoughts.

Microsoft and CrowdStrike have made the mainstream news for all the wrong reasons. We spoke to cyber law expert Betania Allo about the challenges raised by this latest outage; read what she had to say.

Many collaborations will forge a way forward for those attending this year's International Cyber Risk Symposium; subject matter experts have travelled far and wide to attend. We cannot forget our formidable charity, the Royal Marines Charity, and the great work it continues to do for its members past and present.

So please read and share the insight within.

Tinder Swindler victim Ayleen Charlotte

Editorial Design

lucy@lucyharveyprcomms.co.uk

media@cybernewsglobal.com

Advertising Events & Partnerships

marketing@cybernewsglobal.com

claire@consilioevents.co.uk

CONTRIBUTORS

WELCOME

Thomas McCarthy

WELCOME & INTRODUCTION

Kurtis Toy

09:15 REALISING A SECURE AND RESILIENT WORLD - THE UK AS A LEADER IN THE DESIGN OF RESILIENT SYSTEMS

THE HARD REALITIES OF CYBER RISK MANAGEMENT

Simon Rycroft

CYBER SECURITY & ECONOMIC GROWTH: REPORT & RECOMMENDATIONS

The Rt Hon Stephen McPartland

AI AND ITS IMPACT ON BUSINESS, WHAT TO LOOK OUT FOR

Caroline Barnett

CYBER INVESTMENT:

ENSURING CEOs GET WHAT THEY PAY FOR

Colin Fraser - Betania Allo - Brian Boyd - Laura Irvine

AGENDA

Day 1

WELCOME TO THE INTERNATIONAL CYBER RISK SYMPOSIUM 2024 IN ABERDEEN!

The aim of this year's Symposium is to discuss and agree practical strategic cybersecurity and resilience solutions, across 5 key industries, to address the ever-evolving threat landscape affecting senior business leaders and public authorities.

In the afternoon of both days (and late morning of day 2), the sessions split into two tracks. Choose the track with the sessions most relevant to you!

Tracks Sponsored By:

LEADING THROUGH THE FIRE, ADDRESSING BURN OUT AMONGST CYBER SECURITY LEADERS & CISOS

Tom Everard - Kurtis Toy - Nuala Kilmartin - Jonathan Ellwood

WELCOME BACK & RECAP

WELCOME TO

Betania Allo

DATA PROTECTION KEYNOTE

Stuart Anderson

14:45

DATA FORTRESS: STRATEGIES AND INNOVATION IN DATA PROTECTION FOR LEADERS

Sandip Patel - Shannon Noonan - Irene Coyle - Susanne Bitter

Laura Irvine

DATA PROTECTION AND LAW UPDATE

RISK & RESILIENCE TRACK

WELCOME TO RISK & RESILIENCE TRACK

Guy Asch

BUILDING BLOCKS FOR CYBER RISK MANAGEMENT

Nick Frost

MAKING IT ALL WORK IN PRACTICE

Tom Everard - Amanda Finch - Sian John - Andrew Wilson

Stuart Anderson

15:15

Nuala Kilmartin

Agenda times: 09:00, 09:05, 09:40, 10:00, 10:50, 11:10, 11:40, 13:00, 16:35, 17:00

HOW TO OPERATIONALISE YOUR DATA PROTECTION / PRIVACY PROGRAM TO DEMONSTRATE COMPLIANCE

DATA BREACH INCIDENT RESPONSE WORKSHOP

Irene Coyle

TINDER SWINDLER VICTIM TO FRAUD ADVOCATE: BREAKING DOWN THE SHAME AND TABOO OF FRAUD

Ayleen Charlotte - Sandip Patel

COCKTAIL RECEPTION

12:00 LUNCH BREAK

Susanne Bitter

15:15 REFRESHMENT BREAK

ADAPTING THE NCSC BOARD TOOLKIT FOR YOUR BUSINESS

RISK & RESILIENCE TRACK

THOMAS MCCARTHY

CEO, Cyber News Global; CEO, OSP Cyber Academy

As CEO of both OSP and CNG, Tommy is unwavering in his commitment to excellence in cybersecurity education and media. Under his leadership, OSP delivers cutting-edge training programs, empowering organizations to navigate the complex digital landscape. At CNG, Tommy oversees the publication of authoritative cybersecurity news, and is the media partner of choice at International Cyber Expos including GISEC UAE, AICS Bahrain and Saudi CISO Summit. He strives to produce the most outstanding cyber events in Scotland - blending his unique network of internationally renowned cyber leaders and experts with his innovative operations to foster a vibrant cyber community.

KURTIS TOY

CEO, Cyber Centre of Excellence (CCoE); CEO, Onca Technologies

Kurtis Toy is a vCISO and appointed CEO of CCoE. Kurtis was responsible for IT information security in an oil servicing company, leading to him becoming Global IT Coordinator. He then gained an MSc in Information Technology, next becoming Global IT Team Leader before moving full time to Onca Technologies, which he established in 2016. He describes the CCoE as giving local authorities access to an umbrella of protection akin to a "validated Google of cyber security knowledge". Further qualifications include GDPR Foundation and Practitioner (DPO), ISO 9001 internal auditor training, ISO 27001 Lead Implementer and CISSP.

NUALA KILMARTIN

Innovation Lead, Innovate UK

UKRI’s Digital Security by Design (DSbD) initiative, supported by the UK government, aims to revolutionize digital technology by creating a more secure foundation for the future. Through collaboration with academia, industry, and government, DSbD focuses on developing secure semiconductor devices, ensuring that technology remains trustworthy and safe. DSbD enables a more trustworthy digital environment, permitting only expected access to data while limiting impacts of any vulnerabilities. DSbD is promoting a mindset change for cyber security, reducing the attack surface by default, and protecting operational integrity by design.

SIMON RYCROFT

CEO & Founder, Cyber Risk Management Group

Simon is the Co-founder and CEO of CRMG, bringing a distinguished 28-year career in cyber security to the role. His extensive leadership experience, honed through roles at PwC and the Information Security Forum (ISF), has made him a recognised authority in cyber security governance, risk management, and information assurance. Simon’s expertise is grounded in a deep understanding of the challenges organisations face in aligning their security practices with their risk profiles and compliance needs.

THE RT HON STEPHEN MCPARTLAND

Founder, GreenCyber; Author, McPartland Report

The Rt Hon Stephen McPartland is a Senior leader with deep experience driving commercial and governance outcomes across Government and the Private Sector. Unique expertise in macro-economic, geopolitical, security and regulatory risk drivers of commercial performance. Experienced executive and non-executive commercial leader driving growth, strong governance, quantifying risk and compliance. Founder of GreenCyberResearch Ltd, Chairman of a Digital Bank and Non-Executive Director of a nationwide UK retail company during a growth phase and buyout. Previously strategic advisor to FCA licensed VC fund, a FTSE listed professional services company, trade association and a life sciences company.

CAROLINE BARNETT

Principal Consultant, SAS

Caroline brings over 20 years of investigative and operational experience, having served in senior leadership roles within the UK’s national security, law enforcement, and defense apparatus. She has a proven track record of building strategic partnerships across public, private, and third sectors and leading high-performing, multiagency teams to achieve secure and compliant objectives. Now in a senior consultancy role at SAS, Caroline leverages her extensive public sector experience and broad network to foster multi-layered public-private collaborations, addressing complex global issues like online child

BRIAN BOYD

LAURA IRVINE

Partner & Head of Regulatory Law, Davidson Chalmers Stewart LLP

Laura Irvine is the managing partner of Davidson Chalmers Stewart LLP where she heads the Regulatory team. Accredited by the Law Society of Scotland as a specialist in data protection and information law, Laura is the convenor of their privacy subcommittee. Laura advises clients in relation to cyber and the requirements under the law but also in relation to responding to cyber incidents including their obligations to report and their exposure to regulatory or other legal action.

BETANIA ALLO

Founder, Betania Allo Cyber Law & Policy

Betania Allo, an award-winning cyber lawyer, policy expert and thought leader, brings over a decade of experience in governance and public policy, executive roles in the private sector, and entrepreneurial ventures. Awarded as one of the Top 25 Cybersecurity Stars of 2023 and 40 under 40, Allo excels in areas like cybersecurity, data privacy, compliance, and counter-terrorism, and has held roles at the United Nations specializing in technological solutions for criminal investigations and digital platform protection. Until 2023, she led the Cyber Culture Program and Innovation & Partnerships at NEOM in Saudi Arabia, the world's first cognitive city.

TOM EVERARD

Founder & CEO, People Cyber

Tom Everard is a former diplomat who specialised in intelligence and security. For 10 years Tom has been a consultant specialising in the human factors of cyber security, or what he likes to call, 'people cyber'. Tom led the development and delivery of a first rate approach to security culture, awareness and behaviour which is now being delivered in UK-based regulators, global manufacturing companies and at the heart of the UK National Security apparatus. Tom is also passionate about digital talent and has a template for closing the skills gap. Ask him about it.

JONATHAN ELLWOOD

Head of Incident Exercising & Response, The IASME Consortium

Following a successful career of over 20 years as an engineer in the aerospace, oil and gas sectors, Jonathan moved into a career working in cyber security with the IASME Consortium. Jonathan is also the scheme manager for the IASME partnership with the Civil Aviation Authority for their ASSURE cyber audit model. At the age of 48, Jonathan received a diagnosis of Aspergers and dyslexia and this helped him understand why he struggled at school. But it is thanks to his ability to think differently that he has now managed to excel in the workplace in various technical leadership roles.

GUY ASCH

Commercial Director, Cyber Risk Management Group

As the Commercial Director for CRMG, Guy has a strong background in leading commercial and operations teams across FTSE100 companies, Private Equity-backed organisations, and SMEs. With over 17 years' experience in the regulatory space, his focus remains on compliance and regulation, paired with sharp commercial acumen, allowing him to build robust compliance frameworks while fostering strong client relationships.

NICK FROST

Co-Founder, Cyber Risk Management Group

Nick Frost is the Co-founder and Lead Consultant at Cyber Risk Management Group (CRMG), where he leverages nearly two decades of cyber security expertise to help organisations navigate an increasingly complex digital landscape. His career has been marked by pivotal roles, including Principal Consultant at the Information Security Forum (ISF) and Head of Information Risk for PwC Group, where he honed his deep understanding of the cyber risk field.

AMANDA FINCH

CEO, Chartered Institute of Information Security (CIISec)

Specialising in Information Security management since 1991, Amanda has been engaged in all aspects of Information Security Management and takes a pragmatic approach to the application of security controls to meet business objectives. Through her work she has developed an extensive understanding of the commercial sector and its particular security needs. In 2007 she was awarded European CISO of the year by Secure Computing magazine. She is frequently listed as one of the most influential women within the industry and in 2023 was inducted into CSO’s inaugural Hall of Fame for her contributions to the UK’s cybersecurity sector.

SIAN JOHN

Chief Technology Officer, NCC Group

Siân John MBE is Chief Technology Officer at NCC Group responsible for intelligence, insight and innovation within the company. Siân has worked in Cybersecurity for 25 years across strategy, business risk,

ANDREW WILSON

CEO, Hand Built Security

CISSP-ISSAP CRISC SABSA SCF

An IT professional, Andrew has specialised in information and cyber security for over twenty five years. He has extensive experience working with organisations from different market sectors across the world, helping them to design, develop and implement practical security solutions to address the complex challenges of information and cyber risk management. In his career, Andrew has held senior information security positions in ICL / Fujitsu, the Information Security Forum (ISF), PricewaterhouseCoopers (PwC), and Dyson. Andrew has a Masters degree in Risk Management and is a SABSA Chartered Security Architect. He holds the CISSP-ISSAP, CRISC, and ISO/IEC 27001:2013 Lead Implementer certifications.

SUSANNE BITTER

MD, BITTER Solutions; Head of Strategic Alliances, Cyber Security Forum Initiative

Susanne serves as the Head of Regional Strategic Alliances of Cyber Security Forum Initiative (CSFI) and is the Teaching Cyber Consultant for The National Cyber Security Centre (NCSC) in the UK. Susanne is a certified and passionate information security and data privacy professional with over 15 years of experience within the industry, and holding industry certifications such as CISM, ISO27001 Lead Auditor & Lead Implementer and ITIL amongst others. She is also multiple times Czech national powerlifting champion (IPF), holds several national records and frequently represents her country in international competitions across the world.

STUART ANDERSON

CEO, Xpert DPO

Stuart has gained a unique blend of business and technical acumen in the areas of Information Security, Governance Risk & Compliance (GRC), Data Protection, Data Quality and implementing Regulatory Compliance processes. Stuart has been certified by ISACA and holds the Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and Certified Information Systems Auditor (CISA) certifications. Stuart has had articles published in the International Journal for Data Protection Officers, Privacy Officers and Privacy Counsel. Stuart has significant experience of working with many large public and private sector clients across the globe.

SANDIP PATEL FCIARB KC

Chief Legal Advisor, OSP Cyber Academy; Director, Quantum Resilience International

Sandip has been at the forefront of cases involving cybercrime and cyber security and has been involved in high profile crime cases involving fraud, deception, money laundering and organised crime. Sandip was the prosecuting QC in several high profile cases, ranging from the "Facebook Hacker" Anonymous to prosecutions for computer hacking involving PayPal and Visa. He has also prosecuted the hacking of UK and US government websites for agencies such as the CIA and FBI in the US and the National Crime Agency in the UK, and has acted on behalf of the NHS and the Ministry of Defence in the UK.

SHANNON NOONAN

CEO & Founder, Hi-Noon

Shannon Noonan, CEO/Founder at HiNoon Consulting, is a leader and subject matter expert in the compliance and security field. She has over 15 years of experience and is an active leader who brings an operational approach and the drive to develop efficiencies within internal controls, ERP implementations, and financial and IT business processes, including assessing and solving technical issues. She is a Certified Information Systems Auditor (CISA) and a Certified Information Privacy Technologist (CIPT). Shannon works extensively with customers to implement a compliance program with management and the C-suite to drive business strategies and road maps for Compliance, Privacy, and BCDR.

IRENE COYLE

Chief Operating Officer, OSP Cyber Academy

Irene joined OSP Cyber Academy after a 30-year career in the police force in a variety of roles, including that of Chief Inspector for recruitment within Police Scotland. During her career in the police force, Irene held various roles which centred on protecting people's data, including as Detective Inspector of the Public Protection Unit at Grampian Police. In this position she was Project Manager of the Grampian Police Vulnerable Persons Database, a project which was then rolled out across Scotland. Coyle is also a Data Protection Officer, an NCSC Certified trainer and holds a teaching degree.

AYLEEN CHARLOTTE

Ay-Wines and Lifestyle; Fraud Fighter & Advocate

Defrauded of USD 140,000 & featured in Netflix's controversial documentary 'The Tinder Swindler', Ayleen is now a leading voice against fraud & online scams, awarded as Scam Fighter person of the year 2023. With her contribution to the Netflix documentary and sharing her story as a speaker at events, she wants to warn people about scams because it can also happen to you. She also wants to inspire and motivate victims of fraud and give them the strength to regain trust.


The Evolution of Cybersecurity: From Compliance to Risk-Based Approaches

Over the past two decades, the landscape of cyber security has undergone a dramatic transformation. In the early days, the concept of "cyber" was not even part of the lexicon. Back then, the focus was primarily on IT risk and security, with a compliance-led approach dominating the field. This mindset meant that organisations were more concerned with meeting regulatory requirements than with proactively managing threats. However, as Nick Frost, Co-Founder and Director at CRMG, reflects on his 23 years in the industry, the evolution from compliance to a more risk-based approach has become a necessity.

The Rise of Financially Driven Threats: Frost recalls that around ten years into his career, a shift began. The industry saw a significant increase in financially motivated threats. Organised criminal gangs started to exploit the financial gains from cyber-crime, reinvesting their profits into developing more sophisticated methods. These developments necessitated a change in how organisations approached cyber security. It was no longer enough to simply tick compliance boxes; there was a need for deeper, more nuanced assessments of cyber risk.

"Ten years ago, we started to see a real increase in financially driven threats. They had always existed, but there was a seismic shift in the focus on identifying an organisation's weak areas and investing the time and effort in perfecting the attack," Frost explains. This uptick in organised cyber-crime underscored the importance of understanding not just who might attack, but how and why these attacks would be carried out. The focus shifted towards identifying potential attackers, understanding their methods, and assessing the impact of their actions on the organisation.

Shifting from Compliance to Risk Management: This recognition of evolving threats led to a broader shift from compliance-only approaches to hybrid models that integrate compliance with a robust understanding of risk. Today, assessing the cyber risk profile of an organisation is a fundamental component of cyber security programs. Such risk assessments allow organisations to target their resources effectively. By understanding the specific risks they face, companies can allocate budgets more strategically, addressing vulnerabilities that pose the greatest threat.

This targeted investment is crucial, especially for small and medium-sized enterprises (SMEs) that may lack the financial resources of larger corporations.

The evolution from compliance-led cybersecurity to a risk-based approach is not just a trend; it is a necessary response to the increasingly sophisticated threat landscape. Organisations must move beyond simply meeting regulatory requirements and focus on understanding and managing the specific risks they face. By doing so, they can not only protect their assets but also ensure their long-term resilience in a world where cyber threats are constantly evolving.

Challenges of Cyber Risk Management: Despite the progress made, significant challenges remain. Frost identifies several key issues. Firstly, there is often a gap in understanding cyber risk at the senior management and board levels. While cyber security is a recognised concern, many leaders lack a deep understanding of what cyber risk entails and how it can impact their business. This knowledge gap can lead to inadequate governance and a lack of proactive measures to manage risk.

Another challenge is the methodological approach to risk assessment. Organisations struggle with whether to adopt quantitative or qualitative methods, and there is often a discrepancy between what the board expects and what is realistically achievable. A balance needs to be struck between precision and practicality, ensuring that risk assessments are both accurate and actionable.

Additionally, the scope of risk assessments can be a contentious issue. Deciding what to include in the assessment—whether it’s critical systems, processes, or third-party engagements—can significantly impact the effectiveness of the risk management strategy. Furthermore, cyber security teams often lack the business acumen required to translate technical risks into business consequences that decision-makers can understand.

What Does Good Look Like? For organisations looking to enhance their cyber risk management, Frost suggests a pragmatic approach. The starting point is understanding what the organisation’s critical assets are. By identifying these assets, businesses can prioritise their risk assessments and focus on protecting what matters most.

Frost advises a top-down approach: “Understand the strategic goals of the organisation, the processes that achieve those goals, and the systems that support those processes. This will help you identify the critical assets to include in your risk assessment.”

Once the critical assets are identified, organisations should develop a clear methodology for assessing risk. This involves understanding the potential impact of risks and the likelihood of them occurring, as well as assessing the effectiveness of existing controls. Effective communication of risks is also essential. Risk information should be presented in a way that aligns with business priorities, avoiding overly technical language that can obscure the real issues.
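The top-down method above (goals, then processes, then systems, then a likelihood, impact and control-effectiveness view of each risk, reported in business language) can be made concrete as a small risk register. The following is an added illustration, not CRMG's or Nick Frost's own method and not code from the original article; every goal, process, system, scale, risk and score in it is constructed sample data, and the "controls reduce likelihood, not impact" rule is an assumption of the example.

```python
"""Top-down cyber risk register: strategic goals -> processes -> systems.

Added illustration for this article; it is not CRMG's or Nick Frost's method and
not code from the original page. Goals, processes, systems, scales, risks and
scores below are constructed sample data (assumptions), not a real organisation.
"""
from dataclasses import dataclass

# Qualitative 1-5 scales (assumed for the example; any ordinal scale works).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Strategic goal -> processes that achieve it (constructed).
GOALS = {
    "Deliver orders to customers": ["Order fulfilment", "Payments"],
    "Retain customer trust": ["Customer support", "Payments"],
}
# Process -> systems that support it (constructed). "Marketing analytics"
# supports no strategic goal, so its system should drop out of scope.
PROCESSES = {
    "Order fulfilment": ["ERP", "Warehouse WMS"],
    "Payments": ["ERP", "Payment gateway"],
    "Customer support": ["CRM"],
    "Marketing analytics": ["BI tool"],
}


@dataclass(frozen=True)
class Risk:
    system: str
    scenario: str                 # technical description of what goes wrong
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully mitigated (assumed scale)
    consequence: str              # the same risk in business language


RISKS = [  # constructed sample register
    Risk("ERP", "Ransomware via unpatched VPN appliance", "likely", "severe", 0.4,
         "orders and invoicing stop for days"),
    Risk("Payment gateway", "Stolen API credentials used to divert refunds", "possible", "major", 0.7,
         "direct financial loss and card-scheme penalties"),
    Risk("CRM", "Phished support agent exports customer records", "likely", "moderate", 0.3,
         "regulatory reporting and customer churn"),
    Risk("BI tool", "Misconfigured dashboard exposes aggregate sales", "possible", "minor", 0.5,
         "embarrassment, no operational impact"),
]


def critical_assets(goals, processes):
    """Map each system to the strategic goals it ultimately supports.

    A system that cannot be traced back to a goal is not critical and is omitted.
    """
    assets = {}
    for goal, procs in goals.items():
        for proc in procs:
            for system in processes.get(proc, []):
                assets.setdefault(system, set()).add(goal)
    return {system: sorted(goal_set) for system, goal_set in assets.items()}


def inherent_score(risk):
    """Likelihood x impact on the 1-25 grid, before controls."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk):
    """Inherent score scaled by how much existing controls reduce likelihood.

    Assumption of this example: controls lower likelihood, not impact.
    """
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)


def prioritise(risks, critical):
    """Keep only risks on critical assets, highest residual risk first."""
    in_scope = [r for r in risks if r.system in critical]
    return sorted(in_scope, key=lambda r: (-residual_score(r), r.system))


def board_line(risk, critical):
    """One line a non-technical reader can act on: consequence before mechanism."""
    goals = "; ".join(critical[risk.system])
    return (f"{risk.system}: {risk.consequence} (threatens: {goals}; "
            f"cause: {risk.scenario}; residual {residual_score(risk)}/25)")


if __name__ == "__main__":
    critical = critical_assets(GOALS, PROCESSES)
    for risk in prioritise(RISKS, critical):
        print(board_line(risk, critical))
```

Run as a script it prints three lines, ERP first (residual 12.0), then CRM (8.4), then the payment gateway (3.6); the BI tool risk is dropped because nothing strategic depends on it. That is the point of starting from goals rather than from a system inventory: scope is decided by the business, and the same scoring can be run with a quantitative loss figure in place of the 1-5 impact scale when the data exists.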

The Unique Challenges Facing SMEs: SMEs, which make up a significant portion of the economy, face unique challenges in managing cyber risk. With limited budgets and resources, these smaller businesses often struggle to implement comprehensive cyber security measures. However, as Frost highlights, adopting a risk-based approach is still crucial. “SMEs need to diagnose their problems and focus their limited resources on the most significant risks. Even a qualitative approach to risk assessment can provide valuable insights and help SMEs protect their most critical assets.”

The Impact of Geopolitical Factors: In recent years, the threat landscape has been further complicated by geopolitical factors. Cyber attacks influenced by geopolitical tensions pose a new set of challenges, particularly for SMEs that are often the most vulnerable. As Frost notes, “Any attack influenced by geopolitical issues will likely target organisations that can lead to the largest impact for a nation. This could be critical infrastructure or could be SMEs that form the backbone of many economies, such attacks could have far-reaching consequences at a national level.”

Supply Chain Security: Understanding and Reducing Risks

From the aftermath of the attack on Change Healthcare, which impacted 67,000 pharmacies across the US, and even saw doctors having to remortgage their homes, to the more recent attack on Synnovis which disrupted vital medical testing services in the UK, supply chain attacks have caused havoc across the globe, with thousands of organisations combatting their dangerous and costly consequences.

Supply chain attacks occur when a link in a digital supply chain, such as a software provider or a critical service, becomes compromised. The incident often prevents the movement of important goods or services, which then has a knock-on effect for others down the line.

If we think of supply chain security outside the realm of cyber, for instance a key waterway being blocked, it is sometimes easier for the uninitiated to understand its importance.

In 2021, the world experienced this firsthand when the Suez Canal was obstructed. A 400-metre-long vessel was hit with strong winds and ended up getting wedged across the waterway and blocking all traffic until it could be freed. The obstruction occurred south of the two-channel section of the canal, so there was no way around it for other ships. Five days after the initial blockage occurred, at least 369 ships were queuing to pass through the canal, stranding an estimated $9.6 billion worth of trade, showcasing the profound ripple effects a single disruption can have.

This highlights that when a key supplier is blocked or locked out of service, it can have a cascading effect on others – preventing them from operating, which then impacts their customers and can cause substantial financial losses. However, in the world of cyber, the attack surface and the ability to launch continuity-shattering supply chain attacks grows every day.

Director and co-founder of i-confidential

Most organisations today are digital businesses, and they are increasingly co-dependent because of their reliance on shared services. But this also expands their digital attack surface and makes it easier for criminals to harm them: an attacker only needs to find one weak link in the chain to bring everything crashing down.

Given these consequences, it's important that organisations take time to understand supply chain risks and work to remediate them.

The state of supply chain security

Unlike other areas of cyber, most organisations still have a limited understanding of how important their supply chain is to their operations. This is largely because they have an incomplete view of their estate, so they do not know how dependent their services are on those provided by partners and suppliers.

Not knowing which services are critical to their operations puts organisations at real risk. Organisations must know all their suppliers, from the first tier all the way down to the fourth and fifth tiers. Otherwise they do not know who is really important to them, and they will have great difficulty controlling and protecting themselves.

Furthermore, new regulations are being actively introduced to help organisations bolster the security of supply chains.

The UK government recently announced the launch of the Cyber Security and Resilience Bill, which is designed to improve the security surrounding operators of essential services and critical industries.

The UK has seen firsthand the damage that can be caused to the NHS and its citizens when a successful attack hits a supplier, so the government is working hard to avoid more of these situations occurring in the future.

This is a positive step forward. It means critical suppliers will have no choice but to improve their security practices, because regulators will soon want to see evidence of this. But what other steps can organisations take to improve the security of their supply chain?

Improving supply chain security

The first step any organisation can take to improve supply chain security is mapping out their estate and their partner and supplier eco-system.

This inventory needs to show details of all suppliers and partners and then map how the organisation works with them. The key goal is to identify the high-risk suppliers that would have an impact on the organisation if their services went down.

Organisations must then take time to understand the security practices of these suppliers and ensure they follow good cyber hygiene. This information can be gathered via questionnaires, or via reports that go to executives or management, and it allows organisations to identify any security concerns that could put them at risk.

Once these suppliers have been identified, it’s also important to assess the impact that would occur if their services were taken down. This can be achieved through incident response planning, where organisations fire drill different scenarios. A key part of this must also be around devising contingency plans to ensure the organisation can still function, even if a critical supplier is taken out of service. Another key component that can improve supply chain security is information sharing with partners. This can be around threat intelligence, or even passing on security guidance to less mature organisations in the supply chain.
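The mapping and impact-assessment steps above (inventory the supplier ecosystem, find the suppliers whose outage would stop a service, and trace that down through the tiers) reduce to a dependency graph. The following is an added example, not i-confidential's tooling and not code from the original article; the services, suppliers and dependency edges are constructed sample data. Its purpose is to show why the fourth and fifth tiers matter: a supplier nobody contracts with directly can still sit underneath every critical service.

```python
"""Supplier dependency map: blast radius of a supplier outage across tiers.

Added illustration for this article; not i-confidential's tooling and not code
from the original page. Service, supplier and dependency names are constructed
sample data (assumptions).
"""
from collections import deque

# Service the organisation runs -> suppliers it contracts directly (tier 1). Constructed.
SERVICES = {
    "Patient test results": ["LabCo"],
    "Online pharmacy orders": ["PayProc", "HostCo"],
    "Staff email": ["HostCo"],
}
# Supplier -> that supplier's own suppliers (tier 2, 3, ...). Constructed.
SUPPLIERS = {
    "LabCo": ["HostCo", "LIMS Vendor"],
    "PayProc": ["CardNet"],
    "HostCo": ["DNSCo"],
    "LIMS Vendor": ["DNSCo"],
    "CardNet": [],
    "DNSCo": [],
}


def upstream(supplier, suppliers):
    """Every supplier that `supplier` depends on, transitively (cycle-safe)."""
    seen, stack = set(), [supplier]
    while stack:
        current = stack.pop()
        for dep in suppliers.get(current, []):   # unknown supplier = no known deps
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def supplier_tiers(services, suppliers):
    """Lowest tier at which each supplier appears (1 = contracted directly)."""
    tier, queue = {}, deque()
    for direct in services.values():
        for s in direct:
            if s not in tier:
                tier[s] = 1
                queue.append(s)
    while queue:   # breadth-first, so the first visit records the minimum tier
        current = queue.popleft()
        for dep in suppliers.get(current, []):
            if dep not in tier:
                tier[dep] = tier[current] + 1
                queue.append(dep)
    return tier


def blast_radius(failed, services, suppliers):
    """Services that stop if `failed` goes down, whether it is tier 1 or tier 5."""
    hit = set()
    for service, direct in services.items():
        if any(s == failed or failed in upstream(s, suppliers) for s in direct):
            hit.add(service)
    return hit


def single_points_of_failure(services, suppliers, min_services=2):
    """Suppliers whose outage takes down at least `min_services` services."""
    known = set(suppliers) | {s for direct in services.values() for s in direct}
    return sorted(s for s in known
                  if len(blast_radius(s, services, suppliers)) >= min_services)


if __name__ == "__main__":
    tiers = supplier_tiers(SERVICES, SUPPLIERS)
    for supplier in sorted(tiers, key=lambda s: (tiers[s], s)):
        down = blast_radius(supplier, SERVICES, SUPPLIERS)
        print(f"tier {tiers[supplier]} {supplier}: {len(down)} service(s) affected: {sorted(down)}")
    print("single points of failure:", single_points_of_failure(SERVICES, SUPPLIERS))
```

In the constructed data the organisation has no contract with DNSCo, yet DNSCo's failure stops all three services, which is exactly the case a tier-1-only supplier questionnaire would miss. The single-points-of-failure list is the natural input to the fire-drill scenarios and contingency plans described above, and the same graph can be re-run after each supplier change to keep the inventory current.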

Supply chain security is a key concern for organisations today and it’s vital businesses take time to improve their third-party resilience. This will help safeguard their processes, customers, and continuity, even if only one link in the chain is broken.

2024 marks the year supply chain cyber attacks became a mainstream concern, disrupting industries worldwide.

We focus on the power of our people, not tools, to help organisations manage cyber security and risk.

For over 15 years, our blend of expert-led consultancy and specialist resourcing have enabled clients to achieve their goals.

Swindler Victim Ayleen Charlotte shares her

Well, everybody knows Ayleen from the documentary, The Tinder Swindler, but she had a life before that. Ayleen used to work in high-end fashion with brands like Louis Vuitton, Hermès and Hugo Boss.

She met Simon on Tinder and thought he was the love of her life, but he ended up being the most horrible part of her life. Ayleen lives in Amsterdam, a beautiful city in the Netherlands, a very small country in Europe.

Romance fraud is one of the most horrible crimes and frauds there is because someone is making you fall in love with them. Someone is using love and the goodness of people to defraud them and scam them, which is horrible.

Fraudsters only have one goal and one purpose in life, and they do their research deeply to find their prey. They work very hard to gain your trust, they make you emotionally dependent on them, and they create opportunities to build up pressure and fear. Eventually there is a crisis to make you want to support and rescue them. This repeats itself until you are completely empty.

My story started on Tinder. Simon was very charming, well dressed, well presented. We had a coffee date in London, and I felt that we immediately had a connection.

After our first date, we started to see each other more often. He visited Amsterdam a lot, and everywhere I was, he was.

We travelled to Barcelona, London, Amsterdam, Prague, he was also very interested in my friends, my family, my work life. I received a lot of flowers, I thought he was the perfect guy, in the meantime I totally fell in love with him.

It was about seven months into the relationship when he shared that he had lost a big business deal because of his work in the diamond industry, and told me that he had a lot of enemies. After he lost this deal, his enemies were chasing him more than ever, or so he claimed; if they wouldn't come to him, they would come to me.

Eventually he used up all of my savings. He also persuaded me to take out two personal loans of 30,000 euros each, and that wasn't enough: he kept on pushing me to get more money, and even suggested that I should sell my house and pawn my car. Every time he was working on a business deal he would get to step nine out of 10 and then the deal failed, and after a year into the relationship his stories became more and more unbelievable.

Ayleen Charlotte and His Excellency Dr. Mohamed Al-Kuwaiti, Head of the UAE Cybersecurity Council at GISEC 2024

Once, I was waiting for my flight in Prague, scrolling down my phone, and there I saw his face turn up on my own Instagram for the first time. There I read an article from a Norwegian newspaper called the “Tinder Swindler”. Two other girls were sharing their story: they had been defrauded and lost a lot of money. I immediately knew; every piece of the puzzle fell into place. I knew that he had defrauded me and I knew I was in a lot of trouble in all areas of my life.

I told my friends and my family, one by one what happened to me and they became my beacon of support and trust.

But I wasn’t finished with Simon; my deepest anger was triggered. The only thing he could think of was money. So I suggested to him that we sell his expensive clothes and I would send him the money so he could continue and finish his business deals, and that’s what he did. He was very enthusiastic about this idea. He sent me pictures of all the clothes he had with him.

When I was contacted to be a part of the documentary, I really had to think about it for almost eight months but finally said yes. Within those eight months, I had a lot of discussions with my family and my friends.

What people don’t understand is that this was a very sensational story, but this story hosts the worst pages of my life. Like, that’s something people don’t understand. Yes, this actually happened. This was my life, unfortunately.

When I finally said yes, I came up with three purposes, and those became my mission for the rest of my life, because I really wanted to help other people who were dealing with the same issues I had been through, and I wanted to break down the taboo and the shame around fraud. The more we share, the more we can do something about it.

At this moment I am sharing my story, and I am providing training to fraud departments in companies and banks worldwide, focusing on how they can react to fraud victims, which I think is very important because a lot of people really don’t know what to do when an actual victim gets in contact with them.

A lot of people send you away because it’s too difficult to handle. Don’t be scared; listen to them. What I do at events like GISEC is share my story, making people aware that there is a human side behind these crimes.

What we see in cyber security are a lot of people working from their laptops or computers, oblivious to the real impact of cyber crime and fraud like this, but they have never heard it from someone who has actually been standing right in front of them. I’m sharing my story to make them more aware, because these crimes happen to real people; never forget that.

The biggest lesson I’ve learned is that if you are in love with someone, and they create a situation where they need your help and they are asking you for money, please take your time, step away from the situation, go share this story with your family and friends, and see what their opinion is.

This is not something you need to decide over an hour or over a day; take a few weeks, and of course, please say no if you’re not absolutely sure. But if you say, give me a few weeks, then please watch how this person in front of you responds. If they are pushing you, not allowing you to think rationally, then you will know it’s a scam. A real friend or a real family member asking you for money would of course give you time, because they respect you.

So please don’t make the same mistakes I did.

Watch our exclusive podcast interview with Ayleen Charlotte:

Shimon Hayut, who legally changed his name to Simon Leviev to defraud people, claimed he was the son of an Israeli diamond billionaire.

We Protect Your Data

XpertDPO provides GDPR, privacy, data security, governance, risk and compliance consultancy to public and private sector organisations

WE ARE XPERTDPO

Data Protection Consultancy

Our Services

We are one of the leading providers of GDPR, privacy, data security, governance, risk and compliance consultancy services.

We aim to give our clients assurance on data protection and information security concerns which allows them to focus on their core activities.

As data protection experts, XpertDPO can help you to transform regulatory constraints into opportunities, ensuring that your compliance journey has a positive impact on your existing economic and organisational models.

XpertDPO is a data security, governance, risk and compliance, GDPR and privacy consultancy to public and private sector organisations that offers practical, tailor-made solutions.

Outsourced Data Protection Officer

Discretionary Data Protection Officer Service

Data Protection / Privacy Consultancy

Data Protection Impact Assessments

Cross-Border Transfer Impact Assessments

XpertAcademy – Privacy eLearning Academy

Artificial Intelligence Impact Assessments

Offices: 71-75, London WC2H 9JQ | D02 H364, Ireland | 20121 Lombardia | Bahrain

info@xpertdpo.com xpertdpo.com

THE DIGITAL OPERATIONAL RESILIENCE ACT (DORA): ENSURING STABILITY IN FINANCIAL SERVICES

In the evolving landscape of global finance, operational resilience has become a paramount concern. The European Union’s Digital Operational Resilience Act (DORA) is a regulatory framework designed to bolster the resilience of financial services by addressing the complexities and interdependencies inherent in today’s digital world. This article explores the purpose, scope, and impact of DORA, particularly in comparison to similar regulations in the UK.

Understanding DORA

DORA stands for the Digital Operational Resilience Act, a regulatory initiative by the European Union aimed specifically at enhancing the operational resilience of the financial sector. The primary motivation behind DORA is the recognition that financial services are increasingly interconnected and dependent on digital technologies, which introduces new vulnerabilities and risks. The act mandates comprehensive risk management practices, continuity planning, and robust cybersecurity measures.

Richard Preece, Chief Training Officer at OSP, provides valuable insights into DORA’s framework.

He emphasises that DORA is grounded in principles established by the Basel Committee on Banking Supervision in 2019, which called for robust governance, operational risk management, business continuity, and third-party dependency management, among other things. The committee’s guidelines underscored the need for financial institutions to assume disruptions as a matter of when, not if, reflecting the critical importance of preparedness in today’s volatile environment.

Key Differences Between DORA and UK Operational Resilience Regulations

While DORA is a significant regulatory step for the EU, it is essential to understand how it compares to similar regulations in the UK. According to Preece, the UK has taken a slightly different approach, with its Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) issuing separate but aligned guidelines. These UK regulations will come into full force by March 2025, shortly after DORA’s January 2025 implementation.

One of the primary differences lies in the scope and focus of the regulations. DORA is highly prescriptive and IT-focused, addressing digital aspects of operational resilience. In contrast, the UK’s approach is more holistic, considering a broader range of factors, including pandemics, property issues, and overall market stability.

This divergence reflects the UK’s relatively mature financial sector, which necessitates a more principles-based regulatory framework.

Coverage and Impact of DORA

DORA encompasses a wide array of financial services, from traditional banks to emerging sectors like crypto assets. It specifically targets over 20 different types of financial entities, ensuring that the entire spectrum of financial services is covered. Moreover, DORA extends its regulatory reach to critical third-party providers of IT services, recognising their pivotal role in maintaining the resilience of financial institutions.

For companies within DORA’s scope, the implications are significant. Firms must first confirm their inclusion under DORA and then align their practices with the act’s requirements. Even firms outside the immediate scope of DORA are encouraged to adopt its principles, as these practices represent robust operational standards applicable across various sectors.

Compliance with DORA involves adhering to stringent ICT risk management protocols, conducting regular operational resilience testing, and establishing clear reporting mechanisms for security incidents.

Additionally, firms must manage their third-party dependencies meticulously, ensuring a comprehensive oversight framework is in place. While these requirements might seem demanding, they are fundamentally rooted in good business practices essential for sustaining a resilient and secure financial operation.

Implementing DORA: Challenges and Best Practices

The implementation timeline for DORA is tight, with regulatory technical standards expected to be confirmed by July, leaving firms with only six months to ensure full compliance by January 2025. This timeline poses a considerable challenge, especially for larger financial institutions with complex operational structures.

Preece advises firms to adopt a methodical approach to compliance. The first step is to ensure that all stakeholders, from board members to operational staff, understand and are competent in their roles related to DORA. Firms should develop a clear, actionable plan for compliance, regularly review their progress, and make adjustments as necessary.

A critical aspect of DORA compliance is the ability to demonstrate credibility and competence to regulators. This includes not only having robust systems in place but also being able to show that these systems are effectively managed and continuously improved. Given the high stakes involved, particularly in the financial sector, regulators are expected to scrutinise compliance efforts.

The Future of Financial Resilience

The introduction of DORA marks a significant step in the EU’s efforts to enhance the resilience of its financial sector. By setting high standards for operational risk management and cybersecurity, DORA aims to mitigate the risks associated with an increasingly digital and interconnected financial

Richard Preece - Chief Training Officer at OSP

While the potential for significant fines and regulatory actions looms, Preece suggests that regulators are likely to take a proportionate approach, much like with GDPR. Initial enforcement will focus on ensuring compliance and fostering a culture of resilience rather than immediately resorting to punitive measures. However, firms should not underestimate the importance of these regulations and must prioritise their compliance efforts.

In summary, DORA represents a critical evolution in the regulatory landscape of financial services. It underscores the importance of operational resilience in a digital world and sets a high bar for financial institutions to follow. By aligning with DORA’s principles, firms can not only achieve compliance but also enhance their overall resilience, ensuring they are well-equipped to navigate the challenges of the modern financial environment. As with any regulatory change, the key to success lies in thorough preparation, robust execution, and a commitment to continuous improvement.

Richard Preece at GDPR Summit Aberdeen

AGENDA

Day 2

TRACK

Iain Johnston - Floyd Woodrow - Caroline Barnett

“GETTING BOARD BUY IN” UNDERSTANDING BUDGETS AND GETTING IT ACROSS

Alan Greig - Maggie Titmuss - Joanna Goddard

SHAPING POLICY, LAW AND ACADEMIA IN THE DIGITAL AGE

Iain Johnston - Amanda Finch - Stephen McParland - Betania Allo

Tracks: & OT SECURITY | LEADERSHIP | LAW ENFORCEMENT

FOCUS ON CNI AND OT: WHAT ARE THE ISSUES TO CONSIDER Martin Smith

CYBER RESILIENCE FOR CNI Pete Addison - Tim Harwood - Jessica Amery - Keith Chappell

THREAT LANDSCAPE - HOW INTELLIGENCE MITIGATES THE RISK Richard LaTulip

UNVEILING CYBER FRAUD: SAFEGUARDING YOUR BUSINESS IN THE DIGITAL AGE Sandip Patel - Vikki Bruce - Ayleen Charlotte

Tracks Sponsored By: SIKER

14:20 CYBER ESCAPE ROOM EXERCISE - LAW ENFORCEMENT DATA BREACH Irene Coyle - Vanessa Porter

RANSOMWARE RESILIENCE NEGOTIATION TACTICS AND RESPONSE WORKSHOP Tom Egglestone - William Lyne


MAJOR GENERAL (RTD) MARTIN SMITH

Managing Director, CyberPrism

During a 33 year military career, Martin headed the military contribution to shipping and oil & gas security, modernised the Royal Marines’ information and intelligence capability, commanded multinational counter-piracy operations and was responsible for Britain’s amphibious force. He spent three periods in Afghanistan, in both command and high-level advisory roles, in addition to other operational deployments. He commanded service personnel at every rank and led 7,000 Royal Marines as their Commandant General. Martin left the Armed Forces in 2018, becoming CyberPrism’s MD in December 2019, with a remit to expand its operations in the Energy, Maritime and Government Sectors.

KEITH MCDEVITT

Following a 32-year career in policing, which included leading cyber investigations, Keith joined the Scottish Government in 2013 to support the development of cyber policy and strategy. In 2015 the Scottish Government launched Safe, Secure, Prosperous: a Cyber Strategy for Scotland, which was followed in 2021 by The Strategic Framework for a Cyber Resilient Scotland. Keith was responsible for establishing the Cyber Scotland Partnership, a collaborative leadership approach to focus efforts on improving cyber resilience. He currently leads the Scottish Government’s Scottish Cyber Coordination Centre (SC3), a collaborative function supporting efforts to combat the accelerating threat of cyber attack to Scotland.

ANDY FREEBURN

Assistant Chief Constable, Police Scotland

Andy Freeburn is an Assistant Chief Constable in Police Scotland and leads on Organised Crime, Counter Terrorism and Intelligence. He is Senior Responsible Officer for the ‘Policing in a Digital World Programme’ and develops Police Scotland’s operational Cyber Strategy and Capabilities. Andy is also one of the UK’s Cyber Gold Commanders. Andy has 31 years’ policing experience and previously served in the Royal Ulster Constabulary GC and the Police Service of Northern Ireland, developing extensive experience in leading Counter Terrorism investigations and intelligence. Andy was awarded an MBE in 2020 for services to policing and the community of Northern Ireland.

KURTIS TOY

CEO, Cyber Centre of Excellence (CCoE); CEO, Onca Technologies

Kurtis Toy is a vCISO and appointed CEO of CCoE. Kurtis was responsible for the IT information security in an oil servicing company, leading to him becoming Global IT coordinator. He then gained an MSc in Information Technology, next becoming Global IT Team Leader before moving to Onca Technologies full time, which he established in 2016. He describes the CCoE as giving local authorities access to an umbrella of protection akin to a “validated Google of cyber security knowledge”.

Further qualifications include GDPR Foundation and Practitioner (DPO), ISO 9001 internal auditor training, ISO 27001 lead implementer and CISSP.

FLOYD WOODROW

Chairman, Quantum Group; Former Head Counter Terror Unit, UK SAS

Floyd Woodrow founded the Quantum team recognising the need for the convergence of financial technology and cutting-edge cyber capabilities. This provides customers with a secure trading environment and, with the addition of other specialised products and services from within the Group, protects its clients’ wider environment. Floyd also has an excellent track record of success as a Military Leader, Director, Non-Executive Director, Consultant and Negotiator. Floyd has established an international reputation for designing and running leadership and elite performance training in Sports, Business, Government, Police, Not for profit organisations and Schools.

Executive Chair, BRIM

A former crisis management specialist, Mandy leads socio-political expertise on solution design, and was the architect of the groundbreaking cybercrime initiative The Cyber Resilience Centre (the CRC model). She is an experienced Chair of complex stakeholder groups. Award winning, she was awarded a cross-party commendation from the Scottish Parliament for her contribution to the business sector and an honorary Doctor of Technology from Abertay University. Commended by City of London Police. Guest host of the CyberVersed Podcast for the National CRC Group.

MAGGIE TITMUSS

Associate Partner, BRIM

An intelligence, law enforcement and fraud specialist within law enforcement and advisory, Maggie worked in HMCE, NCIS, SOCA & NCA, and served as the UK’s lead for serious and organised crime based in Washington DC for 4 years. She then spent over 5 years in the Finance Sector, firstly with HSBC as the Head of Financial Crime Threat Mitigation for the UK, then at Lloyds Banking Group (LBG) as their Director Intelligence & Incident Response. MBE for public service. Chair of the National Cyber Resilience Advisory Board for the Scottish Government.

IAN KIRBY

Detective Superintendent; CEO, National Cyber Resilience Centre Group

Prior to taking up his position as CEO in October 2023, Ian spent five years at the Eastern Region Special Operations Unit, where he became Head of Cybercrime, Technical Surveillance and Development. In this role, Ian gained extensive experience as a Senior Investigating Officer, leading specialist teams in the investigation and mitigation of serious and complex cybercrime cases across the seven East of England counties. Ian began his career in 1990 as a police officer in the Royal Air Force. In 2000, he joined Hertfordshire Constabulary, where he worked in operational policing as well as in serious and organised crime for over two decades. He also trained and served as a Hostage and Crisis Negotiator.

CRAIG JONES

Former INTERPOL Cybercrime Director

Craig led the development of the INTERPOL Global Cybercrime Strategy and implemented it through its Cybercrime Programme from 2019 to 2024. This delivered a step-change in the credibility and confidence between the organisation’s 196 member countries and partners. Under his leadership, INTERPOL’s Cybercrime Directorate achieved significant milestones, expanded its own capabilities and extended the influence and impact of INTERPOL in combating cybercrime. With four decades in public service, Craig is known as a strategic thinker who foresees the impact of broad developments affecting the global cybercrime threat landscape, with the ultimate objective of building communities to protect communities through partnerships.

PETE ADDISON

Principal Advisor, Ofgem

After a successful career spanning several decades in the Military, GCHQ, NCSC, Capgemini and now Ofgem as a Deputy Security Advisor, Pete Addison is living proof that, having recently reached the age of 60, age should be no barrier to a career in Cyber. He counts his key successes as being the NCSC UK advisor for security issues on the Galileo satellite navigation programme, designing a high-grade military cryptographic device, developing the initial PKI security requirements for UK Smart Meters, and setting up and successfully running a large IT/OT security team for a major energy company.

TIM HARWOOD

CEO, Siker Cyber

Tim Harwood has been providing information security guidance and expertise to corporate clients, the UK Government and the UK military for over 30 years. He provides strategic direction as CEO of Siker Limited. Tim’s professional background includes security capability strategy planning and development, information security capability framework design and implementation, and security awareness strategy design and implementation. He has developed security professional development frameworks for global top ten oil and gas companies, is a Senior Member of the International Society of Automation, is a member of the ISA99 Standards Committee, and is a member of the NIST NICE Community Coordinating Council.

JESSICA AMERY

Global Head of Security Operations, Weir Group PLC

With over 10 years’ experience across IT, Jessica is responsible for all Operational Security Services at FTSE 100 member The Weir Group. Having graduated from Abertay University in 2020 with a first-class honours degree in Ethical Hacking, Jessica has delivered security transformation across global teams and has experience across both offensive and defensive cyber roles, all with an underlying focus on threat intelligence.

KEITH CHAPPELL

Technical Director, CyberPrism

Keith Chappell is a former Technical Business Director for L-3 TRL (Harris), with over 20 years of experience in IT and OT, including Critical National Infrastructure (primarily Power and Water), offshore operations and shipping. Keith is one of the few to hold the CCP qualification, CESG (GCHQ) Certified Professional, at the highest level, ‘CCP Lead Cyber Security and Information Assurance Auditor’. He has held previous senior operational roles at Siemens, Emerson and RWE and has significant consulting experience; additionally, Keith is a qualified Penetration Tester and Certified Ethical Hacker.

IAIN JOHNSTON

Managing Director UK & Europe, Blackwired PTE Ltd

Iain is a dynamic and engaging leader with decades of experience in high-pressure operational leadership roles. He has held diverse roles: Officer in The Royal Scots (The Royal Regiment), director in large enterprise and consultancy, and latterly in early-life, early-adoption cyber growth companies. As Managing Director of Blackwired, the full breadth of that experience is brought to bear as the team defines a new approach to Threat Intelligence. The flagship Zero Day Live platform is designed to proactively prevent cyber-attacks before they happen. It is the first and only platform making military-grade cyber-warfare capability accessible to enterprise.

JEREMY SAMIDE

CEO, Blackwired PTE Ltd

Jeremy Samide is a highly sought-after global cybersecurity expert and speaker in the areas of cyber threat intelligence, next-generation security threats and cyber risk for governments, insurance, financial, healthcare, retail and legal vertical markets. As a trusted cybersecurity expert, Jeremy leverages his 21 years in cybersecurity supporting clandestine operations for the US Intelligence community, Department of Defense, Federal Law Enforcement, allied foreign governments and Interpol, as well as the private sector, advising organizations around the world. Jeremy has also trained, briefed and worked with European, NATO and APAC intelligence agencies and military forces in the area of cyber warfare.

DAVE HARVEY

Director Cyber Response Services, KPMG

Dave has over 24 years of cybersecurity experience, specifically in countering advanced threat actors, developing cybersecurity resilience and responding to critical incidents. Dave has worked with a variety of global clients and brings a wealth of experience on overseeing client engagements such as complex cybersecurity incidents. He has extensive expertise providing independent board-level advisory and assurance, cybersecurity resilience and response engagements, and guidance on post-breach complex investigations. Recently, Dave has led a series of high-profile cyber incident exercises including a number of critical infrastructure, healthcare and government entities.

CAROLINE BARNETT

Principal Consultant, SAS

Caroline brings over 20 years of investigative and operational experience, having served in senior leadership roles within the UK’s national security, law enforcement, and defense apparatus. She has a proven track record of building strategic partnerships across public, private, and third sectors and leading high-performing, multiagency teams to achieve secure and compliant objectives. Now in a senior consultancy role at SAS, Caroline leverages her extensive public sector experience and broad network to foster multi-layered public-private collaborations, addressing complex global issues like online child sexual exploitation, fraud, and cybercrime.

JOANNA GODDARD

Partner, BRIM

A niche market growth and engagement specialist, Joanna is a former advisor to Channel 4 and has over 15 years’ experience as a consultant to business and HNWIs, providing award-winning business innovation and data-informed growth strategy services for some of Europe’s most prominent brands. Joanna designed the data analytics model for the CRC model, which now informs SME engagement in crime prevention across multiple public sector organisations. Advisor to the UK Home Office and Law Enforcement. Commended by City of London Police. Fellow of the Chartered Management Institute, ISO2700, Certified by Judge Business School, University of Cambridge, in Data Analytics.

THE RT HON STEPHEN MCPARTLAND

AMANDA FINCH

CEO, Chartered Institute of Information Security (CIISec)

Specialising in Information Security management since 1991, Amanda has been engaged in all aspects of Information Security Management and takes a pragmatic approach to the application of security controls to meet business objectives. Through her work she has developed an extensive understanding of the commercial sector and its particular security needs. In 2007 she was awarded European CISO of the year by Secure Computing magazine. She is frequently listed as one of the most influential women within the industry and in 2023 was inducted into CSO’s inaugural Hall of Fame for her contributions to the UK’s cybersecurity sector.

BETANIA ALLO

Founder, Betania Allo Cyber Law & Policy

Betania Allo, an award-winning cyber lawyer, policy expert and thought leader, brings over a decade of experience in governance and public policy, executive roles in the private sector, and entrepreneurial ventures. Awarded as one of the Top 25 Cybersecurity Stars of 2023 and 40 under 40, Allo excels in areas like cybersecurity, data privacy, compliance, and counter-terrorism, and has held roles at the United Nations specializing in technological solutions for criminal investigations and digital platform protection. Until 2023, she led the Cyber Culture Program and Innovation & Partnerships at NEOM in Saudi Arabia, the world's first cognitive city.

LANCE MORAITIS-JONES

Senior

RICHARD LATULIP

Field Chief Information Security Officer, Recorded Future

With a distinguished career spanning over 23 years in the US Secret Service, Richard LaTulip’s primary focus has been on the ever-evolving realms of financial and computer crime. Richard’s journey in the US Secret Service was marked by his unwavering commitment to protecting critical infrastructure and deploying his extensive computer forensics and incident response skills. Richard then transitioned into the private sector, bringing a wealth of knowledge and an array of industry-recognized cybersecurity certifications, including CISM and CISSP. Throughout his career, Richard has held pivotal roles in which he successfully managed and led information security and IT management departments.

SANDIP PATEL

Chief Legal Advisor, OSP Cyber Academy; Director, Quantum Resilience International

Sandip has been at the forefront of cases involving cybercrime and cyber security and has been involved in high-profile crime cases involving fraud, deception, money laundering and organised crime. Sandip was the prosecuting QC in several high-profile cases, ranging from the "Facebook Hacker" Anonymous to prosecutions for computer hacking involving PayPal and Visa, as well as prosecutions for the hacking of UK and US Government websites for agencies such as the CIA and FBI in the US and the National Crime Agency in the UK. He has also acted on behalf of the NHS and the Ministry of Defence in the UK.

VIKKI BRUCE

Co-Founder & Managing Director, MacLean & Bruce

Vikki Bruce is co-founder and Managing Director of MacLean & Bruce, Scotland's leading luxury whisky travel specialists, creating unique whisky access and bespoke luxury experiences for global clients. Vikki established the company in 2013 with renowned world whisky expert Charles MacLean MBE after creating a whisky tour of Scotland for a visiting Royal. The entry into the cask market during COVID-19, an area rife with fraud, led to the formation of CaskNet. CaskNet is a simple cask register which aims to give verification and authentication in this relatively newly emerged market, which is currently referred to as ‘The Wild West’.

AYLEEN CHARLOTTE

Ay-Wines and Lifestyle Fraud Fighter & Advocate

Defrauded of USD 140,000 & featured in Netflix's controversial documentary 'The Tinder Swindler', Ayleen is now a leading voice against fraud & online scams, awarded as Scam Fighter person of the year 2023. With her contribution to the Netflix documentary and sharing her story as a speaker at events, she wants to warn people about scams because it can also happen to you. She also wants to inspire and motivate victims of fraud and give them the strength to regain trust.

VANESSA PORTER

Escape Room Officer, OSP Cyber Academy; Customer Experience Director, TeraData

Vanessa has spent her career helping her customers to deliver great outcomes from trusted and secure data. Her day job is managing a team of Customer Success Managers for an AI company. A moment that changed her perspective on keeping data safe was when her Mum got scammed out of £70k in a push payment fraud. Vanessa has since spent her spare time designing “escape room” style training courses, to help people who don’t care about cyber security, to care about cyber security. Vanessa is proud to partner with OSP Cyber Academy to deliver mobile escape rooms to their customers.

WILLIAM LYNE

Head of Cyber Intelligence, National Crime Agency

With 12 years’ experience in Law Enforcement, Will heads a range of multidisciplinary teams that lead, support and coordinate the Law Enforcement cybercrime response in the UK. From 2011 to 2013, Will worked in Afghanistan delivering counter narcotics investigations with local, military and international partners. From 2016 to 2020, Will was an International Liaison Officer assigned to the FBI’s Cyber Division in Washington D.C., USA. Will is an experienced and internationally respected leader in the field of serious and organised online investigations, leading on a number of high profile cases covering money laundering, fraud, kidnap & extortion and computer misuse.

TOM EGGLESTONE

Global Head of Claims, Resilience

Tom Egglestone ACII is the Global Head of Claims at Resilience, overseeing portfolios across the US, Canada, the UK and Continental Europe. Before joining Resilience, Egglestone served as Claims Manager - Enterprise Risk at Tokio Marine Kiln, where he was recognized as a specialist in cyber and intellectual property products, having handled some of the London market’s largest claims in those areas. Previously a claims adjuster at CFC and Hiscox, Egglestone has over a decade of escalating experience and responsibility for complex specialty claims and claims operations in the London market.

ANDREW PATRICK

Head of Cybercrime and Digital Forensics, Police Scotland

With 28 years in policing, Andy is Police Scotland’s lead for Cybercrime and Digital Forensics. Prior to this, he was a Detective Superintendent in Local Crime in Fife responsible for reactive and proactive crime management and public protection. Andy was also a Detective Superintendent in Major Crime leading high profile, complex investigations including ‘Category A’ homicides across Scotland involving organised criminal groups and firearms. Andy is an

and extortion Senior Investigating Officer, and a UK PIP

Blackwired is a cybersecurity innovation company that develops disruptive technologies in cybersecurity that challenge conventional thinking. Blackwired integrates cutting-edge technologies such as artificial intelligence, blockchain and quantum computing, along with human ingenuity, into its products.

Paradigm Shifts in Cybersecurity:

Cybersecurity is constantly evolving, but the threats seem to be outpacing defences. Despite significant investment in cybersecurity, many organizations remain vulnerable, many are still being breached, and the cost of recovery keeps climbing.

According to Blackwired’s co-founder and CEO, Jeremy Samide, a new paradigm shift in cybersecurity is emerging. Jeremy has over 22 years of experience in cybersecurity, including extensive work with U.S. intelligence, defence and allied foreign governments. He shares his perspective on why traditional cybersecurity methods are no longer sufficient and introduces a proactive approach that is changing how we battle cyber adversaries.

Jeremy Samide’s career in cybersecurity spans more than two decades, with 12 years dedicated to supporting clandestine operations for the U.S. intelligence community and various allied governments. His expertise covers both offensive and defensive strategies, focusing on counterintelligence and cybersecurity. From dealing with state-sponsored threats to providing incident response for major corporations, Jeremy’s experiences have shaped his unique approach to cybersecurity.

The Need for a Paradigm Shift

According to Jeremy, the current approach to cybersecurity, which focuses on detect and respond, is outdated. This mindset, rooted in the 1980s, is no longer effective against modern threats. Organizations are building strong defences, but attackers keep finding new ways to bypass them. Jeremy argues for a paradigm shift towards a proactive mindset, in which organizations seek out threats and address them before the adversary has the opportunity to strike.

A ‘Defend Forward’ Mindset

Jeremy emphasizes the importance of a proactive approach to cybersecurity and a ‘defend forward’ mindset. Rather than waiting for an attack to occur, organizations should be looking in every direction to identify potential existential threats. This involves building an intelligence apparatus through which every organization can map and visualize the threat landscape of its external environment, so that it can see the threats it faces at any given moment. Understanding the threat is only half the battle, according to Jeremy; identifying the countermeasure and implementing it at the pace of the adversary is what matters. Following this methodology can keep organizations one step ahead of attackers and prevent cyber attacks before they happen.

The Role of Threat Intelligence

At Blackwired, threat intelligence is at the core of their cybersecurity strategy. Jeremy explains that intelligence-led cybersecurity means embedding oneself in the world of threat actors to understand their motives, methods and plans for attack. The intelligence developed from these activities creates the opportunity allowing organizations to anticipate and mitigate attacks before they occur – staving off disaster. Unlike traditional methods that respond after an attack, intelligence-led strategies provide a proactive defence.

Differentiation in the Market

Jeremy highlights that Blackwired specializes in identifying zero-day threats: previously unknown vulnerabilities and attack methods that evade traditional security measures. These unknown threats are what keep security professionals up at night. By focusing on gathering intelligence on emerging threats, Blackwired helps organizations stay ahead of attackers.

When asked about recent successes, Jeremy points to Blackwired’s ability to collect information from a range of sources, including the dark web, to predict and prevent attacks. In incidents such as the Avanti and Akira attacks, Blackwired’s nine-year-old intelligence apparatus provided insights that helped protect its clients. A proactive approach, Jeremy argues, is the future of cybersecurity.

Jeremy also introduces Blackwired’s latest product, ThirdWatch, set to launch on September 1st. ThirdWatch is a subject-directed monitoring platform that provides a 360° view of the existential threats facing an organization and the ability to visualize the threat landscape in 3D. Unlike traditional security controls such as firewalls and endpoint detection and response (EDR) tools, which wait for an attack to reach the organization, ThirdWatch is designed to identify threats from all angles before they do. This zero-touch, non-invasive technology is positioned as a comprehensive answer to modern cybersecurity challenges.

Jeremy also acknowledges that small and medium-sized enterprises (SMEs) often lack the resources to implement advanced cybersecurity measures. However, he emphasizes the importance of protecting digital assets and being proactive. Blackwired’s platforms, including ThirdWatch, are designed to be scalable and accessible to businesses of all sizes, providing automated protection at an economical cost.

As cybersecurity threats continue to evolve, so must our approaches to defending against them. Jeremy Samide’s insights highlight the need for a shift from reactive to proactive cybersecurity strategies. By embracing intelligence-led approaches and leveraging new technologies like Zero Day Live and ThirdWatch, organizations can stay ahead of attackers and protect their critical assets. As Jeremy prepares to share more of his expertise at the upcoming International Cyber Security Conference in Aberdeen, his message is clear: the future of cybersecurity lies in visualizing and anticipating threats before they strike.

Don’t Duck with your Cybersecurity.

The world’s first zero-touch, non-invasive technology to visualize the threat.

The CCoE is making strides

The Cyber Centre of Excellence (CCoE) is now more than a year old and is making strides towards its vision of the UK being the safest place to live, work and play online.

In this issue we will talk you through the CCoE’s upcoming plans and the progress made in our inaugural year. This is the second year the CCoE has funded a research exercise using the attack surface management tool FractalScan Surface. This means local authority leaders and their IT specialists can now download their second free confidential annual report, which reveals whether their cyber security vulnerability level has improved since last year.

We also bring you up to date with the pilot programmes we have been conducting to help us draw together the right packages of cyber support for various sectors. The most recent to conclude has been the Care Sector Pilot.

CCoE training partner OSP Cyber Academy also has an exciting development to reveal, with the launch of its immersive ‘escape room style’ cyber awareness training . Lastly, a blog from CCoE Advisory Board member Niall Burns, Chief Executive Officer at Subrosa Group, outlines the importance of all security when it comes to cyber protection, including physical, technical, and manned security.

We hope you enjoy this issue and that it gives you some new ideas and thinking points as we pass the midway point in the ‘Year of Democracy’. With 2024 being the year with the most elections being held globally in history, we recognise that the need for cyber security in local government is more crucial than ever.

Contact us to find out how the CCoE can help strengthen your defences: www.ccoe.org.uk or enquiries@ccoe.org.uk

Kurtis Toy
CEO of Cyber Centre of Excellence

Immersive cyber training offered by CCoE

Organisations of any size can now access immersive ‘escape room style’ cyber awareness training through the Cyber Centre of Excellence (CCoE).

Vanessa Porter, the OSP Cyber Academy Associate who leads the immersive training, came up with the idea of running immersive sessions when she was tasked in a previous role with delivering General Data Protection Regulation (GDPR) training to groups of people in the travel industry. “Some people would see me coming and try to hide away in the stationery cupboard until I’d gone,” she jokes. “I created immersive training to engage the hard-to-reach people and make learning fun and retaining the training objectives easier.”

CCoE partner organisation OSP Cyber Academy is now offering bespoke immersive cyber awareness training designed to complement any organisation’s online and classroom cyber awareness training. The immersive training uses escape room style tasks with a variety of games, challenges and puzzles to bring learning outcomes to life, such as understanding phishing, malware and password hygiene.

Having a mix of online and in-person training alongside immersive training and other awareness campaigns can be beneficial. “When you are developing a cyber security awareness training programme it is important to include all different types of training,” Porter stresses. “Sometimes regulation drives organisations to carry out tick-box training rather than training that works. Online training is brilliant and absolutely has its place for some people, but others need something different. As soon as you start playing games with people and adding an element of competition then it changes the whole thing. When you are having fun, you are releasing dopamine, and when you are releasing dopamine, you are making memories.”

A CFO from one organisation who provided a review of the immersive training carried out by Porter at his company agrees: “Our team still talk about the immersive training a year after it happened. That really is training that sticks.”

The events run by OSP Cyber Academy have a competitive element too, which Porter says is great because when people are under pressure they start to make mistakes, as they would in the real world. “When you are immersed, you don’t necessarily check yourself to ensure you are doing the right thing, which is what happens in a busy workplace when people are distracted,” she adds. Irene Coyle, Chief Operating Officer at OSP Cyber Academy, says training is important across the whole organisation because people are the biggest risk but also the biggest asset in data defence.

“In any large organisation you have groups of people who will think they are too busy or who think they don’t need to know or already know everything about cyber security. It is an experience for them to come along and genuinely forget that they are in a training session.” While immersive training might be offered to the whole organisation, perhaps at a teambuilding day, it is also possible just to target specific departments or people who have proven difficult to engage in traditional classroom-style or online self-study training.

“If you are responsible for cyber security training in your organisation, I would suggest that you need to think about who your higher risk people are,” Porter explains, “There are going to be teams and departments who have access to higher risk personal data, such as your HR teams and your finance teams.

They are people who need to be trained because they will be targeted repeatedly and the more you can reinforce that learning the better. The other important groups are your high-profile people such as your councillors. They are very busy and are going to be targeted by cyber attackers routinely.”

Both Porter and Coyle agree that, despite common belief, it is sometimes the younger people in an organisation who are more likely to click on a phishing link or accidentally download malware, partly because they may think they already know it all, but also because cyber attacks are becoming increasingly sophisticated and difficult to spot. Offering regular training in different formats is key to ensuring learning is consistently reinforced.

“There might be online training once a year with a cyber security fun day once a year and a cyber security awareness week. Immersive training needs to be part of a whole programme. It is like going to the gym, you can’t expect to be fit if you go to the gym once a year or just buy a gym membership – that doesn’t work. You have to keep exercising the muscle. Immersive training is a tool you can use to keep that muscle flexed,” Porter adds.

The CCoE can offer a range of options to suit any organisation’s size and level of cyber security maturity, including training in-house trainers to facilitate them running immersive training exercises themselves. “We can supply the kit for them to do that. There are a variety of different offers from the CCoE to fit requirements,” explains Coyle. The CCoE will be offering some of its contacts the chance to experience an immersive training session soon to find out more about how it works and what it involves. If you would like to find out more about the immersive training in the meantime, please contact Vanessa Porter using the details below.

To find out more information about immersive training contact : training@ospcyberacademy.com

LEADING AN OT INCIDENT

International Cyber Risk Symposium 2024

Siker CEO Tim Harwood is delivering the ‘Leading an OT Incident’ workshop - Friday 6th September.

Aligns with the ICS4ICS Framework. Helps you plan for escalating incident complexity. Understand Leadership and Management responsibilities in an OT Incident. Determine incident objectives and strategy.

Siker

LinkedIn: Siker Cyber

X: @sikercyber

This popular workshop is now full but follow Siker and OSP Cyber Academy on LinkedIn and X for future announcements.

LinkedIn: OSP Cyber Academy

X: @OSPcyberacademy

THE FAR-REACHING IMPACT OF THE OUTAGE

Fragile Infrastructure: The Microsoft-CrowdStrike Outage Wake-Up Call

The recent Microsoft-CrowdStrike outage sent shockwaves through the global business community, exposing the fragility of our interconnected digital ecosystem. This incident serves as a stark reminder that even the most sophisticated organizations are vulnerable to disruptions that can have far-reaching consequences.

As the outage unfolded, it became apparent that the impact extended far beyond the two tech giants. Airlines grounded flights, hospitals faced operational challenges, and businesses of all sizes experienced significant disruptions. The financial implications, loss of productivity, and reputational damage were substantial. This incident underscores the critical importance of robust business continuity and disaster recovery plans. Additionally, it highlights the need for organizations to diversify their IT infrastructure and reduce reliance on single points of failure.

A lot has been discussed lately about the instinct to invoke force majeure. The role of this concept in cybersecurity contracts deserves particular attention.

While this legal doctrine can provide relief in extraordinary circumstances such as war, natural disasters, pandemics and so-called “acts of God”, its applicability is limited where the root cause is a preventable error. In such cases it is unlikely to provide relief.

The root cause of the outage was a defective software update (a faulty content update to CrowdStrike’s Falcon sensor that caused Windows hosts to crash), which generally does not qualify as an unforeseen and uncontrollable circumstance. It is therefore crucial for organizations to draft force majeure clauses carefully, defining covered events with precision.

The outage also exposed gaps in current cybersecurity regulation. The pace of software development and deployment outstrips the regulatory landscape. While frameworks like the NIST Cybersecurity Framework provide valuable guidance, they are voluntary and lack the force of law to compel organizations to implement specific measures. Data privacy regulations like GDPR and CCPA focus on protecting individual data, but they do not adequately address systemic risks in the software supply chain, whether those risks arise from attacks or, as here, from a defective update pushed to a large installed base.

The potential legal ramifications for Microsoft and CrowdStrike are significant. Breach of contract, negligence, and product liability claims are possible, as well as class-action lawsuits. Both companies will face intense scrutiny from regulators and customers. This incident could lead to increased regulatory oversight of the tech industry and higher insurance premiums.

To mitigate risks effectively, organizations must adopt a multifaceted approach. This involves combining insurance coverage, robust business continuity planning and well-defined incident response procedures with proactive measures such as rigorous testing, real-world simulations and independent audits. Diversifying security solutions and implementing a strong governance, risk and compliance (GRC) framework further bolster an organization’s resilience.

Betania Allo, JD, LLM, ALM, D.Eng (c), a globally recognized cyber law expert and policy leader.

A robust Governance, Risk and Compliance (GRC) program is essential for managing risks and ensuring compliance. In an era of increasingly sophisticated cyber threats, organizations of all sizes are vulnerable. A strong GRC framework helps identify weaknesses, prioritize countermeasures, and effectively respond to incidents. It also demonstrates a commitment to security and accountability to stakeholders.

The legal landscape for tech companies is evolving rapidly. Beyond direct liability, organizations must consider potential claims from third parties involved in the incident. Data breaches resulting from the outage could trigger investigations and penalties under stringent data privacy regulations. Adhering to complex legal requirements is no longer optional. Proactive compliance, built on a foundation of risk assessment and employee training, is essential for safeguarding an organization’s reputation and bottom line.

Complying with regulations goes beyond merely avoiding fines; it involves understanding the intricacies of these rules and continuously benchmarking against best practices. Seeking expert guidance on global standards not only ensures effective protection against the escalating threat of cyber incidents but also fortifies organizational resilience, even if certain practices are not mandated in your jurisdiction.

The Microsoft-CrowdStrike outage is a wake-up call for the global business community. It highlights the urgent need for organizations to strengthen their cybersecurity posture, invest in robust testing and quality control, and diversify their IT infrastructure.

A strong GRC framework is the cornerstone of a resilient organization. By prioritizing cybersecurity, businesses can mitigate risks, protect their reputation, and build trust with customers.

www.betaniaallo.com

betania@betaniaallo.com

LinkedIn:https://www.linkedin.com/in/

NCSC ASSURED TRAINING PROVIDERS JOIN FORCES

OSP Cyber Academy and Siker Cyber – two of the UK’s leading NCSC Assured Training providers forge partnership to bolster presence in the UK and the Middle East with a focus on supporting clients in Bahrain, UAE and Saudi Arabia.

This collaboration is set to elevate the training capability that will encompass every aspect of Cyber, OT, ICS and Data Protection, assured in the UK with NCSC. CNG spoke to both companies to find out more.

“We are excited to partner with Siker Cyber, a company highly respected across all aspects of CNI. Their knowledge and experience specifically within OT and ICS is unrivalled and will be hugely beneficial for clients across the UK,” said an ecstatic Irene Coyle, Chief Operating Officer at OSP Cyber Academy.

“This collaboration will enable us to deliver our entire training capability online with our interactive eLearning platform, virtually and face-to-face. Working with OSP Cyber Academy across all aspects of training will transform our offering into truly unique, memorable experiences,” said Siker Cyber CEO, Tim Harwood.

What will this partnership mean for the GCC member states?

Thomas McCarthy, CEO of OSP Cyber Academy, was in Dubai last month; “We are thrilled to partner with Siker Cyber to provide our clients in the GCC region with unparalleled expertise of CNI.

“The GCC region is experiencing rapid growth in CNI, and with that comes the associated risks. The need for effective and efficient training in OT & ICS Cyber Security is more critical than ever. We have witnessed this first hand in Dubai, Saudi Arabia, and Bahrain.

“But the region is prepared and fighting Cybercrime on all fronts. Our clients in the GCC Region can already attest to the advantages of adopting the UK NCSC guidance. Working with NCSC assured trainers within CNI is without a doubt a massive step forward in fending off Cyber Criminals in the industry.

“This partnership will elevate our capability to completely transform our Cyber Security training experiences within the GCC region.”

The agreement with Siker Cyber represents a significant milestone in OSP Cyber Academy’s efforts to drive innovation and meet the growing demand in CNI for UK NCSC Assured Cyber Security Training. By combining their knowledge, experience, and industry insights, the two companies are well-positioned to deliver transformative solutions that empower organizations to make informed decisions and maintain a competitive edge.

For more information, visit: ospcyberacademy.com/sikertraining

Irene Coyle educating at the GDPR Summit in Aberdeen
Tim Harwood leading training at the Saudi Global CISO Summit

The Tug-of-War Over AI Regulation: Innovation vs. Safety in California

As artificial intelligence (AI) rapidly advances, the debate over how to regulate this powerful technology is intensifying. Nowhere is this more evident than in California, the heart of the global tech industry, where the proposed Senate Bill 1047 has sparked a fierce battle between lawmakers and Silicon Valley.

This bill, which aims to establish basic safety protocols and whistleblower protections for AI development, has been praised by some as a crucial step toward preventing AI-related disasters. However, it has also met significant opposition from tech companies and startups who fear it could stifle innovation. In this article, we will explore the key arguments on both sides of this debate and discuss the broader implications for the future of AI, including a look at how similar regulatory efforts are unfolding in the European Union (EU). We will also consider the latest research highlighting the potential dangers of AI, including the findings from Professor Daniel Kang’s team.

The Case for Regulation: Preventing AI Catastrophes

Supporters of Senate Bill 1047 argue that as AI systems become more sophisticated, the risks they pose increase exponentially.

AI researchers like Yoshua Bengio, Geoffrey Hinton, and Stuart Russell, who have spent their careers advancing the field, have voiced strong support for the bill. They warn that without sufficient regulation, we could face severe consequences, including AI systems being used to attack critical infrastructure or autonomously making decisions that lead to mass casualties.

One of the key provisions of the bill is its requirement for developers of the most advanced AI systems to test their models for potential risks before deploying them. This includes assessing whether the AI could be used to facilitate cyberattacks, create weapons of mass destruction, or cause other forms of catastrophic harm. The bill also introduces protections for whistleblowers who expose unsafe practices within AI companies, a measure that supporters say is essential for ensuring transparency and accountability in the industry.

In an open letter to California lawmakers, the AI researchers emphasised that the bill’s regulations are modest compared to the scale of the risks we are facing. They argue that the current approach of relying on voluntary commitments from AI companies is insufficient, given the massive financial incentives to push AI development forward without proper safeguards. These researchers believe that SB 1047 represents a necessary first step in creating a regulatory framework that can keep pace with the rapid advancements in AI technology.

The Opposition: “Innovation at Risk”

On the other side of the debate, Silicon Valley giants like Google and Meta, as well as numerous startup founders, have voiced strong opposition to SB 1047. They argue that the bill’s vague language and stringent requirements could create significant barriers to innovation. Specifically, they worry that the costs and legal liabilities associated with complying with the bill’s testing and reporting mandates could deter investment in AI and drive startups out of California.

Critics also contend that the bill could have a chilling effect on the development of open-source AI models, which are widely used by startups to keep costs down and foster innovation. Companies like Meta have expressed concerns that developers might be reluctant to release their AI tools as open-source software for fear of being held responsible for how others might misuse their code.This, they argue, could slow down the progress of AI technology and make California a less attractive place for AI research and development.

Some opponents of the bill have also pointed out that AI regulation is a global issue and that unilateral action by California could put its tech industry at a competitive disadvantage. They fear that if California imposes stringent regulations while other regions, such as China, continue to develop AI with fewer constraints, it could lead to a shift in AI leadership away from the United States.

Why Supporters Believe SB 1047 Won’t Stifle Innovation

Chief Legal Adviser
Sandip Patel KC
OSP Cyber Academy

Despite these concerns, proponents of SB 1047 argue that the bill is carefully designed to avoid hindering innovation. They offer several reasons why the fears of stifling startups and driving businesses out of California are unfounded:

1. Focus on Large-Scale AI Models: The bill targets only the most advanced AI systems—those costing over $100 million to develop. Smaller startups, which typically don’t have the resources to build such expensive models, would largely be unaffected by the bill’s requirements.

2. Alignment with Industry Practices: Many large AI companies have already voluntarily adopted safety measures similar to those proposed in SB 1047. This makes the bill’s provisions less disruptive, as they formalise practices that companies are already beginning to implement.

3. Less Restrictive Than Global Standards: Compared to AI regulations in regions like Europe and China, SB 1047 is relatively less stringent. By aligning with global trends without exceeding them, the bill aims to keep California competitive while ensuring basic safety standards are in place.

4. California’s Economic Influence: Given California’s status as the world’s fifth-largest economy, it is unlikely that major AI companies would leave the state over this legislation. The economic benefits of operating in California likely outweigh the costs of complying with the bill’s safety measures.

Why Opponents Are Wrong

While opponents of SB 1047 raise concerns about the potential impact on innovation, these arguments may be overstated. The bill has been carefully crafted to minimise disruptions to the tech industry, particularly for smaller startups. The notion that SB 1047 would drive innovation out of California fails to consider the state’s unique economic and technological advantages. California’s robust infrastructure, talent pool, and market size make it an irreplaceable hub for AI development, one that companies are unlikely to abandon over modest regulatory requirements.

Moreover, the argument that regulation will stifle innovation ignores the fact that well-crafted regulations can actually foster innovation by creating a level playing field and ensuring that all players adhere to the same safety and ethical standards. When everyone operates under the same rules, it prevents a “race to the bottom” where companies might cut corners to stay competitive. Instead, it encourages competition based on creativity, quality, and responsibility, which can drive the industry forward in a safer, more sustainable way.

Moreover, these regulations can build public trust in AI technologies, making people more likely to adopt and integrate them into various aspects of life, which in turn supports the growth of the AI sector. In the long term, responsible regulation like SB 1047 could strengthen California’s position as a leader in AI by ensuring that the state remains at the forefront of both technological advancement and ethical innovation.

Kang’s Research: A Stark Warning

Adding urgency to the call for regulation is recent research by Professor Daniel Kang and his team at the University of Illinois. Their work showed that large language models (LLMs), like those behind systems such as ChatGPT, can hack websites autonomously when deployed as agents with access to tools. Under the conditions of the study, the AI agents identified and exploited vulnerabilities in deliberately vulnerable test websites in a sandbox, carrying out complex multi-step tasks such as SQL injection attacks without human intervention. The implications of these findings are profound, suggesting that AI could be weaponised in ways that are difficult to control or predict.

Kang’s research underscores the dangers of allowing powerful AI systems to develop without stringent oversight. His team demonstrated that AI could autonomously carry out cyberattacks more quickly and cheaply than human hackers, raising significant concerns about the potential for AI-driven cybercrime. These findings align with the rationale behind SB 1047, reinforcing the need for rigorous testing and safety measures before deploying advanced AI systems.

The EU’s AI Act: A Parallel Approach

The debate in California mirrors a broader global conversation about how to regulate AI, with the European Union’s AI Act being one of the most comprehensive efforts to date. The EU AI Act, adopted in 2024, aims to create a unified regulatory framework across Europe to manage the risks associated with AI. Whereas SB 1047 is scoped to the largest and most expensive models, the EU AI Act categorises AI systems by risk level, with the most stringent requirements placed on “high-risk” applications, such as those used in critical infrastructure, law enforcement and healthcare.

The EU AI Act has been praised for its forward-thinking approach, which seeks to balance innovation with protection for fundamental rights. It includes provisions for transparency, accountability, and human oversight, similar to those in SB 1047. However, it also faces criticism from the tech industry, which argues that the regulations could hamper innovation and make it more difficult for European companies to compete on a global scale.

One key difference is that the EU AI Act is designed to apply uniformly across all member states, creating a single market for AI with consistent rules. This contrasts with the patchwork approach in the United States, where states like California are leading the way in AI regulation, potentially creating a fragmented regulatory landscape.

Finding a Balance: Safety Without Stifling Innovation

The debate over SB 1047 reflects a broader tension in the tech industry between the need for regulation and the desire to maintain an environment conducive to innovation. On one hand, the potential risks posed by advanced AI systems are too significant to ignore. Without proper oversight, AI could be weaponised or cause unintended harm on a massive scale. On the other hand, overregulation could stifle the creativity and entrepreneurial spirit that have made California a global leader in technology.

A potential solution lies in finding a middle ground—one that ensures safety without imposing undue burdens on developers. This could involve refining the language of SB 1047 to provide clearer guidelines and ensure that the regulations apply only to the most powerful AI systems. Additionally, collaboration between lawmakers, industry leaders, and AI researchers could help create a regulatory framework that protects the public while allowing innovation to flourish.

Conclusion: The controversy surrounding Senate Bill 1047 underscores the complex challenges of regulating a rapidly evolving technology like AI. As California grapples with these issues, the outcome of this debate could have far-reaching implications for the future of AI, not just in the state, but around the world. The parallels with the EU AI Act highlight the global nature of this challenge, as regions around the world seek to strike the right balance between innovation and safety. Moreover, the findings from Kang’s research serve as a stark reminder of the potential dangers of unregulated AI, reinforcing the need for robust oversight. While opponents fear that regulation could stifle innovation, the careful design of SB 1047 suggests that it will protect the public while allowing California to remain at the forefront of technological advancement. The stakes are high, and the decisions made today will shape the future of AI for years to come.

Take a unified approach to fraud, compliance and security with AI. Only security intelligence solutions from SAS deliver an essential layer of proactive protection backed by domain expertise and the world’s best analytics.

Leadership Lessons from the Battlefield to the Boardroom

Insights from Floyd Woodrow

In the ever-evolving landscape of business, the principles of leadership remain constant yet adaptable. This is a key takeaway from a recent conversation with Floyd Woodrow, a former UK Special Forces officer and current chairman of the Quantum Group, on the Let’s Talk Cyber podcast. Woodrow’s journey from military service to corporate leadership offers a compelling narrative that highlights the essential qualities and strategies that define effective leadership.

The Path to Leadership: A Military Foundation

Floyd Woodrow’s leadership journey began in his youth, shaped by his upbringing in Bradford. With an entrepreneurial mother and a father skilled in negotiation, Woodrow was exposed early to the fundamentals of leadership and resilience. His passion for sports and a clear vision of joining the military set the stage for his future. At 17, he joined the Parachute Regiment and later moved on to the Special Air Service (SAS), where he honed his leadership skills in one of the most demanding environments imaginable.

Woodrow’s military career was marked by continuous growth and adaptability. He emphasises the importance of mentors and the role they played in his development. This experience, he notes, was pivotal in his transition to business, where he found that the principles of military leadership, such as operating effectively in chaos and developing strategic thinking, were directly applicable to corporate challenges.

From Chaos to Control: Navigating Leadership in Business

Woodrow’s entry into the business world came at a challenging time: the 2008 financial crisis. Despite the turbulent environment, he leveraged his military experience to navigate the complexities of the business landscape. His ability to remain calm under pressure and his understanding of strategic planning were crucial in helping him establish and grow Quantum Group, a diverse conglomerate with interests in security, finance, and media.

One of the key lessons Woodrow shares is the importance of surrounding oneself with strong leaders. He credits much of his success to the talented individuals he has brought into his organisations—people who are experts in their fields and who complement his own skills. This, he believes, is essential for any leader: recognising that you cannot do everything yourself and that the strength of your team is your greatest asset.

The Importance of Strategic Vision

Woodrow is a firm believer in the power of a “Super North Star”—a clear, overarching goal that guides an organisation’s direction. This concept, akin to a longterm vision, is crucial for navigating the fast-paced and often chaotic business world. However, he also stresses the need for agility and adaptability. While a strong strategic vision is important, leaders must be prepared to pivot and adjust their plans in response to changing circumstances.

Resilience and Adaptability:

In today’s rapidly changing world, where digital transformation and technological advancements are constant, Woodrow advises leaders to embrace technology while not becoming overly reliant on it. He emphasises that while artificial intelligence and other technologies can provide valuable insights, the final decisions should always be grounded in human judgment and wisdom.

Key Attributes of Effective Leadership

Woodrow identifies several key attributes that are essential for effective leadership:

Self-Care and Personal Growth: Woodrow introduces the concept of “wise selfishness,” which involves taking care of one’s mind and body to ensure sustained leadership. He stresses the importance of continuous personal development and the need for leaders to evolve along their journey.

Building a Strong Team: Successful leaders are those who build and nurture strong teams. This includes finding people who are experts in areas where the leader may not be as strong and creating an environment of high support and high challenge without threat.

Strategic Planning and Execution: A clear, well-communicated plan is essential for achieving organisational goals. This involves setting clear priorities, breaking down tasks into manageable milestones, and ensuring that everyone understands their role in the broader strategy.

Adhering to Core Principles:

Leaders should operate with a set of core principles and a team code of conduct that fosters trust, commitment, and accountability. These principles guide decision-making and help maintain focus on the organisation’s long-term goals.

In a world where change is constant, resilience and the ability to adapt are critical. Leaders must be prepared to adjust their strategies and approach based on real-world conditions and evolving market dynamics.

The Role of Agility in Leadership

Woodrow highlights agility as a key strength for leaders in today’s business environment. While a long-term strategic vision is important, the ability to adapt to new challenges and opportunities is what ultimately ensures an organisation’s survival and success. He cautions against rigidity, noting that leaders who are too inflexible in their approach may miss out on opportunities or fail to respond effectively to threats. However, Woodrow also warns against the opposite extreme: leaders who are too quick to jump on every new trend without a clear focus. He advocates for a balanced approach, where leaders remain focused on their core objectives while being open to innovation and change.

One Word of Advice: Focus

When asked to distil his leadership advice into a single word, Woodrow chose “focus.” He believes that staying focused on the most important goals, while avoiding distractions, is critical to leadership success. This involves not only setting clear priorities but also having the discipline to stay the course and not be swayed by every new idea or trend that comes along.

Conclusion: Leadership in a Dynamic World

Floyd Woodrow’s journey from the military to the boardroom offers valuable insights into what it takes to be an effective leader in today’s complex and dynamic world. His emphasis on self-care, strategic vision, team building, and adaptability provides a blueprint for leaders looking to navigate the challenges of modern business. As the world continues to change, those who can combine a clear vision with the agility to adapt will be the ones who lead their organisations to success.

If you want to bring Cyber Security alive for your staff who are not involved in information security, then our pop-up “escape room” style training is an engaging and interactive experience.

Cyber Escape Rooms “Knock your Cyber Training out the Park!”

Cyber News Global had the pleasure of catching up with Irene Coyle, Chief Operating Officer OSP Cyber Academy who shared her thoughts on Immersive Training and the OSP Cyber Academy Cyber Escape Rooms.

Knock your Cyber Training out of the PARK.

I believe that to have an effective cyber training programme (and not a one-off event), there are a number of things you should be considering when building your programme ...

Typically, information security training happens when an employee joins and they are overloaded with information, and they are only really concerned with where the coffee machine is.

1. Frequency and recency of signals passing from one neuron to the next increase memory

Tell people what you want them to know often! (don’t worry I am not getting too scientific here) Shift the focus from an annual task to an ongoing program, comprising e-learning, team meetings, face to face training and newsletters. The more you provide information, the more chance you will have that the message will land.

2. Emotions strengthen Memory

When we have fun, our brains release dopamine. According to neuroscientist Dr Martha Burns, dopamine has a direct impact on our ability to remember.

The more interested we are in an activity, the more dopamine is released and the better we remember it. She calls dopamine the “Save” button.

3. Memories are stored in multiple parts of the brain

Research suggests that memories are stored in many different parts of the brain. Different ways of learning trigger different reactions and different connections between synapses. If we engage all the senses while learning it will create memories in many parts of the brain and will reinforce your learning.

In addition, our brains are programmed to focus on new and unusual ways of learning. Learning that taps into the brain’s natural curiosity will be more successful.

OSP Cyber Academy want your staff to be engaged and motivated and feel minimal stress. “Learning comes not from quiet classrooms and directed lectures, but from classrooms with an atmosphere of exuberant discovery” – that’s what we have introduced in our Immersive Training – a pop-up escape room style exercise.

Our immersive training is a mental and physical adventure-based game in which players solve a series of puzzles and riddles using clues, hints, and strategy to complete an objective. During our training, users will have fun, cover important topics, and have time to reflect on that learning. The originality of the immersive approach will also support remembering key lessons.

“We come to your office and just need the space of a desk; we set up the exercise all from one suitcase, so you are in a police officer’s desk area with items on the desk to explore.” Solve clues, crack lock codes, decipher information in emails. You need to act as a team to complete the exercise.

We all know from training that some people will just sit back and hide and let others do the guesswork – we have designed our training so that everyone has a part to play. The message for your organisation should be to build cyber resilience – everyone has a part to play, not just your IT team.

The training should form part of an overall information security awareness training, comprising different types of learning including e-learning and regular newsletters.

Studies show that people will retain up to 60% more information when they are having fun and this training is designed to be fun for the learners involved which means it is more effective in increasing cyber security awareness with your staff.

You will also be providing a great team building experience as well as valuable skills that will help to keep company data and personal data safe.

Get in touch with me and we can demo the immersive training over a 10-minute Teams call – the advantages of technology.

To hear more about what Irene had to say with Let’s Talk Cyber, scan the code.

Scott Sutherland DA, RSA, FRBS; 1910 – 1984

SCOTT SUTHERLAND PROJECT (Commando Memorial Heritage Trail) https://www.commando-heritage-trail.com

Scottish creator of the iconic Commando Memorial at Spean Bridge, overlooking the original training grounds of Lochaber.

To ensure his life and works would not be lost in time, a joint team of former Royal Marines and Army Commandos have created a heritage trail across Scotland and beyond to mark significant locations in Sutherland’s life; birthplace, homes, studios, offices, colleges and others can now be identified by the brass plaques – the Commando Memorial Heritage Trail!

The final phase of the project will see the recreation of Sutherland’s lost statue, ‘Leaping Salmon’. The original was destroyed beyond repair by vandals in Perth. Working closely with the Sutherland family and one of his own students – Alan Beattie Herriot, the project team have gained permission to place the new statue adjacent to the gates of Achnacarry – the original Commando Basic Training Centre. On completion, this monument will be dedicated to the Officers and Men killed or seriously injured in Commando training during WW2. A unique testimony to their bravery.

The entire £70,000+ project has been funded by private and corporate donations and goodwill. We are now searching for the last £9,000 to complete the mission. If you wish to support this project - please use the attached QR Code.

MARINES COMMANDO

CHARITY CLAY SHOOT 2024

GUEST TEAM FRIDAY 27TH SEP 24 – TEAM FLUSH CHALLENGE

• Meet some of His Majesty’s Royal Marines

• 3 x Civilian Guns (Your Team)

Submit your bid today, email: ceo@cybernewsglobal.com

Reserve: £3,500.00

• 3 Rooms x 2 Nights Deluxe Accommodation B & B

• 1 x Royal Marine Wildcard

• 5 x 50 bird Team Flush Challenge

• Full Access to the NFU Mutual – Event Marquee

• Morning Rolls Tea/Coffee

• Royal Marines ‘Scran’ Lunch

• All Clays and Cartridges included

• Access to Pool Trap Stances (addl fees)

• Access to team Airgun Challenge (addl fees)

• Reception

• Trophies for each Stance Winning Team

And There is More….

• Royal Marines Band Scotland Display

• Prizegiving, Presentations & Awards

• 3 Course Scottish Dinner

• Charity Auction

• Opportunity to WIN a RM crystal decanter at each table.

• Opportunity to buy tickets to Annual Raffle

• (1st Prize new Browning Shotgun)

• Includes: 4 Gun Civilian Team Saturday’s Competition

Guaranteed an Unforgettable Experience

Saturday 28th SEP 24

INTER-SERVICE & UNIV/COLLEGE & CLUBS TEAM GRAND PRIX COMPETITION “Protecting Those Who

County Clays, Dunkeld Park Estate, Dunkeld, Perthshire

• Meet His Majesty’s Royal Marines

• Morning Rolls, Coffee/Tea

• 5 x 40 bird Team Challenge

• All clays and Cartridges supplied

• RM ‘scran’ lunch Chicken Curry or Chilli Beef

• Access to Pool Trap Shoots (Addl charges apply)

• Top Military Team vs Top Civilian Team - Finale

Championing Regulation in Cyber Marketing

Joanna Goddard has worked as a management consultant for over 18 years, following an extensive business career. Her specialist area is data-informed growth, usually in the commercial sector, helping businesses get into hard-to-reach or niche markets, or working with big insolvency practitioners, where fast traction into new markets with an existing proposition can keep an at-risk company afloat long enough for rescue structuring to be completed. She is engaged by UK law enforcement, with the UK Home Office, to use these skills to help speed SME engagement in cyber resilience and de-risk the UK supply chain.

In 2023 Joanna returned to the annual symposium and launched a white paper addressing the topic she is passionate about.

In 2022, Joanna met OSP at the annual Cyber Leaders symposium. She raised a pertinent question with the legal panel in debate that day.

Should the marketing of cyber be regulated as it is in legal and financial markets?

This groundbreaking paper addresses the issue of companies promising ‘silver bullets’ or misinformed marketing teams naively publishing statements that cannot be substantiated.

High-growth cyber companies are at risk, SMEs trying to navigate the cyber landscape are at risk, and the UK supply chain is at risk due to this.

Worse, if SMEs are misled, they may disengage from cyber resilience support in future. Misleading statements can impact budgets and leave SMEs with a false sense of security, both of which create more risk for the country.

In our podcast about this with Joanna, we dive into the 1980s advert where a man was hung from a helicopter (!), what two lawyers had to say about the matter, what the Advertising Standards Agency had to say about the matter, and most significantly, what can be done about it.

https://brim.partners/brim-whitepaper-launchedshould-the-marketing-of-cyber-be-regulated/

As an industry we all have a role to play – join us? Let’s make a difference and act now!

Joanna Goddard is a Partner at BRIM. BRIM is one of the most highly respected management consulting specialists for the security sector. They serve private and public sector; are entrusted by Home Office, Law Enforcement, academia, and private sector, to support strategic and complex stakeholder projects, to strengthen national resilience in a digital era. www.brim.partners

Joanna Goddard | Partner | BRIM

FORMER U.S. SECRET SERVICE AGENT AND CONVICTED HACKER REUNITED AT GISEC.

For the first time on the GISEC Global stage Matt O’Neill and Hieu Minh Ngo share their unique story of redemption, as the pair looked to transform global understanding of evolving cybersecurity threats.

The pair shared the stage at GISEC, the most prestigious cybersecurity event in the UAE, to discuss their unique cat-and-mouse-style chase, which ultimately resulted in an arrest and conviction.

Matt O’Neill, a decorated agent, has dedicated his life to fighting cybercrime. O’Neill is a retired U.S. Secret Service Agent who worked as the Managing Director of Cyber Operations, where he led the service’s global cyber investigative operations, which included the digital forensics, mobile wireless tracking, and critical systems protection portfolio.

Arguably the biggest breakthrough in his career, the Ngo case saw O’Neill develop a plan to lure the hacker out of Vietnam and into Guam, resulting in a conviction and sentencing that led to countless other hackers being brought to justice from Hieu’s ensuing testimonies.

Matt O’Neill remains one of the most decorated agents in the history of the U.S. Secret Service, having received the U.S. Secret Service’s Special Agent of the Year Award and the Department of Homeland Security’s Gold and Silver medals, among others.

Hieu Minh Ngo’s story is one of transformation, redemption, and restoration. Hieu Minh Ngo – widely known by his online persona, Hieu PC – has been recognised as one of the most prolific identity theft hackers in U.S. history, having stolen and sold the data of over 200 million Americans before his arrest in 2013.

Hieu served seven years of his 13-year prison sentence, after which he returned to Vietnam in 2020 and shifted his focus towards improving cybersecurity practices and fighting against fraud.

His redemption story has been acknowledged by leading tech companies, such as Apple and Verizon, who have celebrated Hieu’s work in identifying and resolving security flaws in the global cybersecurity industry.

This historic session between agent and hacker, staged during GISEC Global 2024, was the first time that agent and former hacker met each other in person since Hieu’s sentencing in federal court in 2015. The session offered an unrivalled inside look at a major cyber-criminal investigation from the perspective of both the hunted and the hunter. It also provided a platform for Hieu to share his transition from hacker to cybersecurity specialist, using his skills and knowledge of cybercrime to combat evolving threats and educate a new generation of digital professionals.

Commenting on the opportunity, Matt O’Neill, former U.S. Secret Service Agent, said: “I was delighted sharing more of my experience as a former U.S. Secret Service Agent and my involvement in investigating cybercrime. Sharing findings on what criminals are actually doing – and how they’re doing it – provided a tremendous amount of value to cybersecurity professionals tasked with protecting networks.

“Taking to the stage with Mr. Matt O’Neill was an historic moment for me, and I was very excited to share more around my new-found passion for fostering an empowered community of cybersecurity professionals around the world.”

Hieu Minh Ngo added: “From educating young kids, to addressing the rise of artificial intelligence and machine learning, the cybersecurity industry is complex and demands collaboration that extends beyond country and company borders – and I believe GISEC will provide the platform needed to achieve this.”

Book time with me: https://calendly.com/matt-5oh/30min

Watch our exclusive podcast interview with Matt O’Neill:

Hieu Minh Ngo, Cybersecurity Specialist and former convicted hacker, said: “My journey from being involved in cybercrime to becoming an advocate for cybersecurity signifies the potential for broader redemption across the industry.”

Hieu Minh Ngo, Vietnamese Former Hacker

For more than 30 years, leadership and technology have combined at ScotSoft.

The day is jam packed with more than 40 speakers across our Developer Conference and Leadership Forum, and topped off with our Young Software Engineer of the Year Awards dinner in the evening.

More than 1000 guests join us from around the country not just to learn during the day, but celebrate our incredible young talent emerging from Scotland’s universities.
