Renowned cybersecurity expert Troy Hunt falls victim to a phishing attack, resulting in the exposure of thousands of subscriber details, and don’t lose your life savings in a whisky scam…
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus! Don’t miss our featured interview with Alastair Paterson, CEO and co-founder of Harmonic Security, discussing how companies can adopt Generative AI without putting their sensitive data at risk.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They start off by wooing you and then they say, oh my darling, you know, I have—
Let me explain how crypto works.
Exactly.
Have you heard the term bitcoin?
Smashing Security, Episode 411: The Fall of Troy and Whiskey Barrel Scammers with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 411. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, what's coming up this week?
Well, first, let's thank this week's wonderful sponsors, Harmonic, Vanta, and Acronis. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be telling you about how anyone, and I do mean anyone, can get phished.
Mm. And I'm talking about an investment scam on the rocks. Plus, we have a featured interview with Alastair Paterson, the CEO and co-founder of Harmonic Security, a firm which enables companies to adopt generative AI without risking sensitive data. All this and much more coming up on this episode of Smashing Security.
Now, chums, is there anybody who isn't vulnerable to being phished?
You asking me?
Well, yes, you're the only one here. Yes, I do.
This is a frustrating topic for me because I think everyone is vulnerable enough to be phished because I was phished, right? So, yeah. And I often find people feel that they won't be phished. You know, it's impossible for them to fall for such a ruse. And maybe if you have that attitude of thinking, well, I couldn't, it couldn't possibly happen to me, maybe that actually makes it more likely it will happen to you if you have that kind of arrogance or think that you're somehow impervious to it.
I agree with you. I think even the most security-savvy folks can fall foul of a phish. And that has happened in the last week because well-known Australian cybersecurity pundit and creator of Have I Been Pwned, Troy Hunt, has become the victim of a phishing attack.
Oh, no way, really?
Ouch. Yeah. In recent days, it's occurred, and it hasn't just been embarrassing to him, but it's also leaked the details of some 16,000 subscribers to his newsletter mailing list.
Nightmare.
Yep. Now, Troy normally hangs out with his jet ski on the Gold Coast of Australia, but he's recently travelled halfway around the world to the UK.
Mm-hmm.
I know he spent a day with the experts at the UK's NCSC, National Computer Security Centre, discussing ways in which we can encourage more people to use two-factor authentication, adopt passkeys, which would be all steps which would make data breaches more difficult for cybercriminals. And he was due just a couple of days later to give a talk in our neck of the woods, Carole, in Oxford at the Blavatnik School of Government, where he was going to speak all about some of the lessons he'd learned from processing 15 billion records of breached data for his Have I Been Pwned project.
Which is a project that we have referenced many, many times in this show. And I think it's done lots of good for the world.
It definitely has, but obviously made for a slightly awkward introduction to his presentation.
Right.
So, Have I Been Pwned? Well, it looked like this on Monday, so I screencapped this on Monday before I visited some other friends in government in London, and it had 877 different data breaches in there. Unfortunately, as of today, it has 878 because my mailing list got popped yesterday, which was really ironic because I'd spent the afternoon the day before with the NCSC talking about how we really need to push unphishable two-factor authentication. We really need to push passkeys. Let's get traction. How do we explain passkeys to normal people? And I'll go home and think about it. I didn't think I'd be thinking about it this much.
So anyway, we'll talk about that later.
Oh dear. Well, good for him for owning it.
Absolutely.
Amazing.
Absolutely. So let me tell you a little bit about what happened.
Tell me.
So you can imagine having flown from Australia. He's going to be feeling a little bit groggy midway through his trip to the UK. Even if you're going super duper business class, even if you have the most luxury in the world, you're going to be pretty knackered.
I don't know. His life looks like a holiday all the time. So, you know, the fact that he has to leave his holiday to go to work.
Do you follow his Instagram?
You're probably right. You're probably right.
Well, I think he was probably feeling a little bit under the weather when he received an email which appeared to come from his mailing list provider, which is Mailchimp. And of course, Mailchimp are widely used, they're one of the market leaders. And the email told him that his mailing list's sending privileges had been restricted due to a complaint of spam. Someone had said that his mailing list had spammed them. And obviously Mailchimp thought, well, you know, we're going to have to prevent this mailing list from being used anymore if it is being used for spam. And it told him that he had to review his account to ensure compliance with Mailchimp's policies in order to restore his sending privileges.
Mm-hmm.
And what do you know? Troy clicked on the link.
Who wouldn't have?
Well—
Really? I'm listening to your story and I'm like, I would have if that was my mail provider. And, you know, I did have a mailing list going out and all the things stacked together.
Okay. All right. Well, he clicked on the link. It took him to Mailchimp-SSO.com. So not the main Mailchimp domain. And it asked him to enter his username and password. And he did that. And then the webpage asked him for his two-factor authentication, one-time password, the thing which changes every 30 seconds or so, those 6 digits. And he entered those as well, whereupon the webpage hung, which can happen all the time, of course. You know, you could be there on a laptop, it could be doing a Windows update.
He's in the UK.
Yeah, well, you know, it's the hotel Wi-Fi. There could be all kinds of reasons for that. But within minutes, Troy realised he had made a huge mistake. So he went directly to Mailchimp's official website at mailchimp.com. He logged in and he changed his password.
Smart. Yep.
Sensible step. But it was too late.
Mm-hmm.
His mailing list had already been exported from Mailchimp servers to a computer which had an IP address in New York, and Troy at the time was in London. 16,000 records had been taken from Troy Hunt's mailing list of both current and former subscribers. And he'd done the right thing in having 2FA, two-factor authentication, on his account, just like he'd been telling the NCSC and, you know, advising we need to recommend the use of two-factor authentication, passkeys, to harden accounts. He was doing that all right, but he had entered those details onto a phishing page.
Yep.
And if a phishing website grabs your username and password and your one-time password, it can relay that one-time password, those 6 digits, as soon as you enter them onto the phishing page. It can relay them to the genuine website, which means someone can log into your real account. And that is what they did in Troy's case. They created an API key, they stole his mailing list, et cetera, et cetera, et cetera. Nasty, nasty, nasty.
And they'll often change the password. So of course Troy wouldn't be able to get back in, right?
Yeah, but I think in this case they didn't want him to know. Potentially they didn't want to change the password. What they wanted to do was create an API key, which meant that they could continue to access his account, that would have continued working even if he did later change his password, if he chose to do it.
Wow. So he was properly targeted, right?
And Troy's password manager of choice, he's partnered with 1Password, which is a great password manager. It did act correctly because it didn't fill in his details automatically on the bogus page. So when he went to a page which wasn't Mailchimp.com, it didn't offer to enter them, but he did it manually anyway. I guess because he was tired. And so he didn't take enough care. Like you said, if you're under pressure—
And Graham, let us not forget that often things on computers don't go right. And it's not because there's always a scammer. Sometimes it just barfs.
Sometimes it can.
Just before this recording, you had to reboot, didn't you?
That's right. The Zoom call we joined was beachballing on me, so I had to reboot my computer. Absolutely true. So Troy, he blogged about this. You know, he did the right thing. He alerted people as quickly as possible. And he's also apologized. He said, sincere apologies to anyone impacted by this. He says, on balance, he says, I think this will do more good than harm, and I encourage everyone to share this experience broadly. So I'm doing my bit. I do agree. I think commiserations to Troy and his subscribers, because obviously this is non-ideal, but it can happen to anyone. And he wasn't the only one to have their Mailchimp list popped, by the way. A listener got in touch with me a couple of days ago. And he told me how the mailing list for the Thunderbird email client was also impacted, it appears, in the same way. So people who use that email program and have subscribed to the mailing list could have had their details taken. And who knows how many others may have had the same kind of impact. So it can happen to anyone. You don't need to be a big brand. For instance, last month, between the 19th and 21st of March, a group of students in France received a suspicious email. How many students do you reckon received this email, Carole? So a bunch of students in France. Were you thinking half a dozen, 20?
I don't know. What's the email say?
Well, no, no, no, no, nothing. You know nothing.
A thousand. A thousand million.
No, no, you're wrong, Carole. You're wrong. More than 2.5 million students in more than 4,700 schools received a suspicious email, and it lured them to click on a link. It promised— this is my translation— it promised cracked games and free cheats. So the kind of things which you'd think many middle school students would be interested in checking out.
Right.
And according to reports, more than 210,000 students clicked on that link. So round about 1 in 12. Now, according to industry surveys, that's actually quite low compared to the typical phishing email. So 1 in 12 actually suggests the students were quite savvy. Now, I wonder if the figure is proportionally so low because the link was sent via email rather than Snapchat.
Yeah, 'cause what kid reads their email?
Right. Yeah, I know from when I communicate with my son, there's no way of getting him to read an email.
Can you imagine saying to anyone under 20, "Didn't you see the email?" And them look at you like, "No." See, I'm with the kids. I am with the kids.
Maybe whoever sent this message should have sent it via some other system as well. But still, 210,000 kids clicked on this thing. And do you know what happened when they clicked on it?
Mm, was it a government training?
Hopefully. Oh God, you're so savvy.
Oh yay.
You've guessed.
Oh, thank—
Yes. Yes.
I was just thinking, how would they have all the details of all these kids? It must have been—
The email actually came from the Department of Education. They had planned it all. It was a part of an operation called Operation Cactus with the motto or slogan, "Don't get pricked by a phishing attack." Okay.
Doesn't always translate the way.
You're making your own up. And what happened was you were greeted with a video of a chap called Yassine Mouktadi. Hello, I'm Yassine Mouktadi, esports champion. To win, I've never needed to cheat. Just hard work and discipline. If you've ever been tempted to download pirated software or a pirated app to cheat, know that you're exposing yourself to viruses. I'm also a gendarme. He's an esports champion. You know about esports?
Yes.
He's a champion video gamer.
Yeah.
He's now apparently become a cop. And in this video, he says, well, you don't need to cheat to win. You don't need to get game cracks. You don't need to pirate games. Just be good at— Just be really good. Just be good at games.
Just be great.
Yeah, just play games more, kids. That was the message to these millions of students in France. Just play more video games. So the video also stresses to students the best practices to keep their digital lives safe, highlighted the penalties that courts could slam them with if they ever were to use underhand tricks to steal people's passwords. 'Cause that obviously can be a problem. Kids stealing passwords from other kids in order to do better at games and things, and they didn't want that to happen. So yeah, in this case it was a phishing test, but either way, try and be a little bit more wary. Maybe take heed.
Take heed, as I've always said.
Take heed.
Take heed.
Carole, what's your story for us this week?
So we listeners of Smashing Security know that investment scammers are stealing millions and millions by tricking individuals into investing into financial schemes not run by, you know, genuine financial professionals, but maybe by a scammer.
Yeah.
And it seems that the juiciest targets tend to be over 50. Graham, can you guess?
Hang on, what do you want? Why are you asking me?
Because you're old. Because you're wise. Because you're wise.
Well, I would think the reason for that is by the time you're over 50, you've hopefully got a little bit of a nest egg. Maybe you've collected more money. Maybe you have a property. Maybe you have a little bit of money in the bank. That could be a reason. Also, maybe you feel like you've missed out on the opportunities. You've heard about all these 20-year-olds earning millions through cryptocurrency. And you're thinking, oh, I'd love a bit of that. I wonder if I could make a fortune as well.
Yes, I think that is all completely right. In the UK, the most affected were those between 55 and 64. They lost more than £133 million to investment fraudsters in 2023. Ouch. And it seems as the victim's age increases, so does the average loss. So Martin James, he's a consumer rights expert who works on the BBC's Rip Off Britain.
Oh, yeah.
He said older people are targeted because they are more likely to have disposable income and to be home to answer the phone when the scammers call.
Oh, these scammers coming in via the phone.
Maybe they're coming probably from the landlines. So the 4% of people that have landlines. These are people also, as you say, have more valuable assets, maybe they probably have a house, maybe without a mortgage, a car without a loan. And as you say, maybe have time and money to invest, right? Cruises to plan if they're very rich. Who knows? So the City of London Police, they agree. They say investment fraud destroys lives and is of particular concern to the older demographic of the UK public. Victims who are targeted are those with a healthy amount of savings who've put their hard-earned money away for a rainy day or to help support family and have been robbed of those opportunities. So common scams that have been cited to have a particular penchant for the perhaps older individual, can you name a few, Graham?
Oh, maybe romance scams?
Not because you're old. Not because you're old.
No, no, no. Romance. They start off by wooing you and then they say, oh, my darling, you know, I have—
Let me explain how crypto works.
Exactly.
Have you heard the term bitcoin? So crypto scams, exactly how they get to you. We've talked a lot about this on the show. This is fake investment opportunities promising high returns with little risk. And it's just the professional-looking websites and the social media ads with, you know, a celeb and with a quote, and it lures you in to invest with them. There's pension scams because think of our demographic, right? This is where scammers target individuals looking to access their pension savings or perhaps change it. A lot of people do that, right? They're, I want to just make my nest egg or start a pension plan or move it over to a different investment firm.
Yeah, they may have left it in the same place forever and think, oh, maybe I could be getting better rewards somewhere else, right?
They saw something on the Instas that told them, or on the Facebooks. A lot of people offer free pension reviews, high-return investment opportunities, or early access to pension funds. And there's all these high-pressure tactics to convince victims to transfer all the pensions into this fraudulent scheme. It's just outrageous. You work your whole life to build this little fund, and it vanishes when you need it most.
Yep.
Yeah. Have you heard of clone firm scams?
Oh, is that when you're looking to have a member of your family cloned?
Yes, that's exactly right.
Like the sheep. If you have a sheep in your back garden, you could have that cloned. Or yes, or if you particularly like—
These are sneaky as anything. I would be interested if you would fall for this, right?
So go ahead.
A clone firm scam involves fraudsters pretending to be a legit financial firm. They will use the legit name, legit address, and legit firm reference number, FRN, of real companies authorized by the Financial Conduct Authority in the UK. And then they create these very realistic-looking websites and documents that closely resemble those of the genuine companies, use the genuine names of investment managers and financial advisors, all in order to get you to sign the money over to them.
Because I guess you would never actually probably write to the actual firm with the post. So the postal address doesn't matter that they're replicating that. You just interact with it online. It just happens you're with the wrong website.
Yeah. And then property investment scams. So yeah, these are promised high returns for real estate projects, fake property developments, rental schemes, and timeshares. And it's the same thing— glossy brochures, professional websites, convincing sales pitches that lures in the victims. And then, of course, once they part with cash, no further contact is made. They're gone.
Lordy.
So these are some that we've heard of. But this week, a more unusual investment scam made the headlines.
All right.
These scammers targeted a group of people that share a common love for something. And that something is— you would find this in a dark, jazzy bar, perhaps. Oh, it's whiskey.
Whiskey scams.
Whiskey lovers, right? Yes.
Okay.
Well, perhaps they don't love the whiskey. Perhaps they don't love what's inside the barrel. Perhaps they love the amazing returns they were promised if they invested in a barrel or three.
Oh no. So what, someone comes along with a barrel and they tell you it's full of whiskey and in fact it's full of horse piss?
I don't even think they had to show you the barrel. I think they could probably just take a picture of—
Oh. Right, right.
So police are investigating 3 Scottish whisky companies over fraud allegations with investments running into the millions. This is all according to a report from BBC, right? Hundreds of people were duped into plowing their life savings and pensions into casks that were overpriced or didn't exist, while some individual casks or barrels were sold multiple times to different investors.
They could have also put a little tap on the back of it. Empty it and fill it with water. Yeah, exactly. They could drink some of it and then just top it up with something else over time.
If they were doing that, by the time the investor is there to sell this cask, which they invested a small amount of money for huge returns in 10 years' time— because let me just explain how it works, then it might make more sense. So the whisky market's popularity has grown rapidly because people talk about making huge returns on rare whisky.
On rare whiskies?
On rare whiskies. Am I drinking whiskey right now? Just talking about it is making me feel fuzzy. So typically investors, these are legit investors, will buy a cask of whiskey when it's first produced and then hope that it rises in value as the spirit ages in the barrel. And it takes 3 years for a spirit to become Scotch whiskey in a cask. I didn't know that. And investors are encouraged to keep barrels for up to 10 years or more to maximize the returns. So legit traders are there doing this as a legit business for people that invest early, but a lack of regulation has enabled fraudsters to exploit the market. So there's no central authority regulating or tracking ownership of casks, so it makes it very difficult to verify claims as to whether the whiskey is legit or not. You don't understand because you don't drink. I can hear the way you're going, hmm.
Well, it's all new to me, yeah.
But see, if you were one of these whiskey aficionados, I've met a few, and they take this stuff very seriously, almost as seriously as you take chess, Graham.
Well, sadly, I don't take chess seriously enough because I'm not very good at it. But yes, I know what you mean. But I mean, certainly wine connoisseurs, they get very poncy about it all, don't they? Oh, lovely. And I imagine the whisky people do as well.
Well, a victim included one woman with terminal cancer who invested £76,000.
Hang on. The woman with terminal cancer invested in a 10-year whiskey investment for her children. For her children. Okay, okay, okay, that makes more sense. All right, bless her. That's horrible.
Now, my point is that it doesn't matter what prize a scammer dangles in front of you, right? It could be a pension scheme or property or a painting or even a whiskey cask. My advice though is to watch out for unexpected investment offers. And especially if you're from the older generation, it can be quite exciting to get an email. You know, I get a lot of emails and hide from them at every opportunity. And I see people of maybe, you know, a few decades older than me, because they're not in that same system, if they get one message, it's quite exciting.
It's a red letter day, isn't it?
Yes.
It's, oh, brilliant. Yeah. Time-limited pressure tactics. Yeah. Yeah.
And the other thing that I thought was interesting that I didn't know about is persistent calls but limited contact details. So you can't contact them. They can contact you. And of course, the final question is, if you happen to fall prey to one of these investment scams, can you get your money back? And you might remember we talked about this a few years ago, but investment scams can fall into that category of authorized push payments. This means that a scammer tricks the victim, or let's say me, into sending funds by bank transfer into an account that the scammer controls.
Right.
Right. Now, this includes if you make a transfer from your bank account into a fraudulent investment opportunity. And these are referred to as authorized because the victim voluntarily sent the money.
Yes.
But in October 2024, the new APP fraud reimbursement rules came into effect. And this means that any victim of a UK-based APP fraud may be able to claim their money back from their bank so long as they weren't grossly negligent. Now, grossly negligent.
Who decides that?
I don't know what that means.
Is that the bank which decides whether you're grossly negligent or not?
Maybe anyone who has any information on this, let us know. But if you're in the UK and you have been scammed, you should certainly report it quickly as you might be able to get your money back if the payment was within the UK and less than £85,000. There's a few contingencies. It's like small print.
AI tools are everywhere and employees are feeding them sensitive data, often without realizing the risks. And some of these tools train on that data. Others store it insecurely.
And that's where Harmonic Security comes in. They give security teams total visibility into how AI is being used across their orgs while making sure sensitive data never leaks into GenAI or AI-powered SaaS.
Their secret: specialized pre-trained small language models that detect sensitive data in real time without the endless false positives of traditional DLP. No complicated regex, no training on customer data, just instant, accurate protection.
Yeah, 'cause with Harmonic, you don't have to hope employees follow your AI policy. You can enforce secure, responsible GenAI use without slowing anyone down. Help your workforce embrace GenAI securely. Visit harmonic.security to learn more. That's harmonic.security.
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A.com/smashing. And thanks to Vanta for sponsoring Smashing Security.
Smashing Security is sponsored this week by the Acronis Threat Research Unit. They're a dedicated team of cybersecurity experts inside Acronis specializing in threat intelligence, AI, and risk management.
That's right. Acronis's Threat Research Unit stays ahead of cyber risks to keep MSPs and their clients safe from attack, releasing security updates, threat intelligence, and monitoring the global threat landscape around the clock.
So if you want to learn about emerging threats, get security insights, and support your IT teams with guidelines, incident response, and educational workshops, go to smashingsecurity.com/acronis. That's smashingsecurity.com/acronis. And thanks to Acronis for sponsoring the show.
And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security-related. My pick of the week this week is a TV series which I binged on just the other evening. Have you heard of something called Adolescence, Carole, as a TV series rather than actually the word adolescence? Have you heard of Adolescence on Netflix?
I have not seen it. I've seen it. I've heard of it, but not seen it.
Well, apparently it has made British TV history because it is the first streaming show ever to become the most watched programme of the week.
Wow.
So it's been quite a big deal. And I watched it. 13-year-old Jamie, who is accused of murdering a female classmate. That is the basic plot premise right at the beginning. It looks into what happens to this young man and the impact on his family and how unpoliced social media and the indoctrinating voices of — well, you know, online voices like Andrew Tate, I suppose, may have contributed to this horror. Now, as I said, there are 4 parts to this. I found part 1, where Jamie is arrested in a dawn raid and questioned at the police station, and episode 3, where he's interviewed by a child psychologist, really made a big impact on me. Those were my favorite episodes. I'd be fascinated to hear what you think about it. Jamie, this 13-year-old, is played by an extraordinary youngster called Owen Cooper, who is probably gonna win every acting award going.
Oh, really, eh?
I've never seen anything like it. It is extraordinary acting. And the other really compelling thing about this, other than the acting, which throughout the entire programme is unbelievable, is the extraordinary camera trickery, because each episode is recorded in a single take.
Wow.
So each episode goes from location to location, in buildings, out of buildings, even at one point up in the air as you go from one location to another. Suddenly, you realize you're flying up in the air, and they take you down somewhere again, all in one take. It's just extraordinary. So, from the technical point of view as well, it's unbelievable. The acting is really, really very, very good as well. But you are left thinking, I think, at the end of the program, "What are we gonna take from all this?" I mean, I was conscious that there was a huge focus on the family of the accused young boy and the impact on them. But there's nothing really about the victim or her family and what they're dealing with. I thought at one point they were going to switch to them for an episode. What you do get is a sense of this violent rage that can be bubbling inside people, and sometimes it doesn't take much for it to come out. And—
Sounds pretty intense.
It is very intense.
Okay.
But I think it's suitable for teenagers as well. In fact, I first came across this program because my son was watching it. And he said, "This is really good, Dad." And apparently, there have been pushes for classrooms up and down the country to watch this drama for what it's gonna say about knife crime. And I think it puts a— Towards the end, there's a lot of onus on parents, how they should be doing a better job of bringing up their kids. But you also end up thinking there's been a lack of investment over the years, I think, by the state as well. So, I think maybe kids have been left with nothing to do. There aren't enough community centers. Kids are left hanging around street corners or on their computers rather than engaging with each other. And that's a sort of thing which it doesn't really address. But it's probably one of the most impressive pieces of TV which I've seen this year. And I think it will win many, many awards. Anyway, Adolescence, extraordinary television. It's on Netflix. And I would recommend it.
Okay, well, I will definitely, definitely watch it.
What's your pick of the week, Carole?
So my pick of the week is part 1 of a BBC documentary. So we're both— we have a double tango. We've both got square eyes this week.
Yeah, it's called Thames Water: Inside the Crisis.
Okay.
Now, I haven't been able to watch part 2 yet before the recording, so I'm sorry. But okay, so let me just go back. Thames Water is a British private utility company, okay? And it's responsible for the water supply and the wastewater treatment in most of Greater London and Luton, the Thames, Oxford Valley, Surrey, Gloucestershire, et cetera, et cetera. It's the UK's largest water and wastewater service company servicing 16 million humans.
And many people listening to the podcast may think, why would a documentary about Thames Water be of interest? Is there any particular reason, any sort of crisis which has happened at Thames Water recently?
All I can say, you know, let me— I go back to 1989 during the privatisation of the water industry, and I would say privatisation has not been great for Thames Water. Or its brand reputation. Would you agree with that, Cluley?
Or indeed for the people of the United Kingdom.
Who live here, the 16 million that live here.
People who maybe quite like water, or would find water, clean water, to be useful to us.
Yeah, no, no, we've seen things. The last 20 years have been tumultuous, with substantial dividend payouts to shareholders, leaving behind really poor infrastructure that's in desperate need of repair. And yeah, and it's being pushed harder and harder because there are more and more people in the area to service. So anyway, so what does Thames Water do? Well, the UK's largest water company has lifted the lid on what goes on behind the scenes in a two-part observational documentary which aired on the BBC earlier this month. Oh, the episodes, filmed over six months, follow Thames Water colleagues as they navigate the financial position of the business, work to improve company performance, and, Graham, reveal the day-by-day challenges when working on the front line and in the public eye. Yeah, oh my God, this is gripping TV.
They must be one of the most reviled companies in the country at the moment, Thames Water. They are dealing with an enormous crisis in terms of their brand.
And the media critics are in a tizzy because people are really going, what a stupid move by Thames Water. Because it was the brainchild, they announced this early on, of the corp comms director of Thames Water.
Right.
To invite in the BBC to film these 6 months and have basically a fly-on-the-wall documentary.
It's a good idea to be transparent, isn't it? You want visibility, just as you'd be able to see through water, for instance, rather than it being full of sewage.
Yes. So you have a lot of employees of Thames Water who talk about that, who basically just say, oh yeah, people say we're the people that throw shit in rivers. It's kind of heartbreaking when you see it. And I think most of the staff seem decent folk trying to do a good job. The CEO comes off as a bit of a posh twonk though. The New Statesman said of the Thames Water CEO Chris Weston, quote, Chris Weston, a cherry-faced former army man with bog brush hair who wears polo shirts and cocky jerkins and a leather band on his wrist à la Prince Harry. And what a prize chump he is.
Oh, that's a bit personal, isn't it?
The prize chump?
Well, all of it really.
The article was quite scathing. I got the sense of that. Yeah. I mean, Thames Water have been quite rightly criticised because, as you said, they have made millions and millions and millions of profits which have been doled out to the people up the top and the major investors, but they haven't invested.
CAROLE THERIAULT. Now they have new owners that have no money. And how are they going to get more money? So that's really what the whole show is about. How does a company like a waterworks, on which we are all dependent, make money when the people that it services hate it?
GRAHAM CLULEY. What's it called?
CAROLE THERIAULT. Thames Water: Inside the Crisis. It's available from BBC iPlayer. You're welcome.
GRAHAM CLULEY. Fantastic. I will definitely check that out. That sounds—
CAROLE THERIAULT. Let's maybe start with you. So perhaps you can tell us about your background and maybe specifically what drove you to create and head up Harmonic.
ALASTAIR PATERSON. Yeah, you might be able to tell from the accent, but I'm not originally from the US. So I started out life back in the UK and I actually set up my first company there, Digital Shadows, which was in the threat intel space. So I did that, you know, that was kitchen table, just two of us initially, all the way back in 2011. And then in 2015, I got on the plane to Silicon Valley, as you do when you're in tech and you hit a certain size. And we were fortunate enough to raise a Series A round there. And I moved out in 2015, and I've been in the Bay Area ever since. So just coming up on 10 years actually here. Digital Shadows had a really great journey. I mean, we grew up to about 500 customers globally. We were about 160, 170 employees when we got acquired back in July of '22. And so that was a great journey. I learned a ton along the way and I thought I was going to take a bit of time out after that. But yeah, then, you know, July '22, we get acquired. November '22, ChatGPT came out and the world changed. So yeah, I couldn't sit on the sidelines for long and my brain just couldn't help but start ticking into, you know, number one, all the risks, of course, that are going to come from this GenAI revolution. But secondly, what can we use it for, right? How can we apply this magic technology to make companies more secure? So this time, instead of the kitchen table in London, it was a fast start off to the races here in the Valley for Harmonic.
CAROLE THERIAULT. Maybe let's set the scene. Okay, so let's say I'm working in infosecurity at Company X. And employees from the finance department all the way to development and marketing, they all want to use an AI tool for something to make their lives more efficient, effective, make their jobs faster. And correct me if I'm wrong, I think this is happening across all industries, right?
ALASTAIR PATERSON. This is a top 3 challenge pretty much everywhere we go. It's been remarkably easy to get doors open and talk to people about this because they're all facing exactly that challenge. It's really that tension between the employees and the business wanting to adopt GenAI as fast as possible, but see, you've got privacy, security, compliance, legal that are all just saying, well, hey, you know, let's not lose our shit here while we're leaning in. So yeah, that's the tension exactly where we sit, in that pivot point between the two.
How is a company dealing with this typically? Because AI tools have been around not very long and there's a lot of them coming thick and fast, brand new ones every single day. So how is the infosecurity guy keeping the network and the perimeter and the ecosystem secure?
Yeah, it's tough. I really feel for them at the moment because it's not like it wasn't a busy job anyway. So I think the first challenge is visibility, frankly. Even pretty mature large organizations we work with typically don't have a great handle on what's being used where and, more importantly, where their sensitive data is going. And so part one is just understanding that picture. There's obviously a whole lot of risks around GenAI adoption, and you can go and look at any number of frameworks. It feels like there's hundreds of them out there now that will tell you about AI risk. But I think when you really boil it down, the number one risk comes back to worries about sensitive data leaking out of the business and going somewhere it shouldn't go. So whether that's your IP becoming part of someone else's training dataset, or frankly just being stored insecurely somewhere, or it's employee data and the compliance challenge. They usually don't have a great handle on what's happening. Part one, when they're worrying about their data leaking out, they turn to sometimes their existing tools if they have DLP. That sort of three-letter word's usually a four-letter word in our industry, of course. So yeah, I mean, it's false positives everywhere. It's a nightmare for the security team, it never really works, and we've been doing it for 20 years. This idea that you can use regex and rules to spot sensitive data kind of works for PII, but not really, and credit cards and not much else. So that's one nightmare. The other nightmare is to try to label all the data in the business, which again has been around as a concept for a long time, but I think it's just never worked, right? We keep trying it, but finding all the data is hard enough, let alone labeling it accurately. So what we typically see there is probably two-year programs that get spun up that never complete and cause a lot of pain and friction for everybody.
The other option we see is there's a new brand of AI firewalls that have come out, and there's quite a few of those that are pretty good at the visibility piece. So they'll show you what AI tools are in use and give you some level of governance. But where they struggle is on the data protection again, because they're using the same DLP that we're using in the gateways that we're using on endpoint, and we know it just never really works. And so the final option that we see probably most often, we call sit, block, and wait.
And say it's—
Yeah, you probably guess where I'm going with that one. But yes, companies, you know, they'll sign one enterprise agreement with somebody, right? Whether it's Microsoft, it's OpenAI, it's Google, and they've got a safe AI that they try to point all the employees at and then they try to block everything else. Maybe it's the categorization that they get from their gateway or something like that. But of course, that, you know, I think it's a reasonable intermediate step. But it's obviously a short-term measure here because employees don't just want to use the sanctioned AI, right? They're at home getting used to using all kinds of tools and they want to do the same in the workplace. And there's this, as you mentioned, it's not just about the big, you know, 5 or 6 foundational models out there. There's tons of other great AI tools now, whether you're building a slide deck or doing your finances or legal.
Right.
And employees want to use them, quite rightly. And so, you know, they find ways around those controls and blocks. They use their own devices. I was talking to a CISO recently who had employees emailing things to themselves, to their personal email, to run them through generative AI apps to then fire them back into the business over email, just getting around all the controls that way. And we, you know, it's tough. We shouldn't be forcing employees that are just trying to get the job done to deal with it that way around.
Very important for the infosecurity people in a company to behave in a way that allows for innovation, allows for creativity, allows for new tools. But the job's difficult because you've got to balance that against security, right? So, it's a really tricky job, especially with a new technology. So, how do you, Harmonic, help them? What can you give them?
So, the way we're going about it, we're calling what we've built zero-touch data protection for GenAI. And the reason for that is we're trying to be the easy button in this space, where there isn't really an easy button in data protection. And so we start off by, yes, giving you the visibility into all of the GenAI adoption and where the sensitive data is going. The real differentiator for us is we've actually built our own small language models for data protection. So there's more than 20 of them. They're not going to do the kids' homework or write Shakespeare. But what they are really good at is identifying sensitive data exceptionally accurately and with all the business context around it as well. You can think of it as a bit like having a smart human looking at all the data leaving the business and figuring out where the sensitive stuff is. Across our client base, which is made up of a lot of large enterprises now, across the US and Europe, we've analyzed all the sensitive data that we see, and it's actually 8% of all of the prompt data that has some sort of sensitive business content in it, whether that's customer information, IP, legal documentation, anything like that. And it really is a significant problem. The beauty of Harmonic's small language models is that we can not only stop things like PII and identify credit cards and things like that, which you could do to some extent before, but with the model-based approach, we can detect all kinds of unstructured IP as well. So we've recently been rolled out to one of the global chip designers, for example, looking after their IP and sensitive data. We're doing the same for a large automobile company and a lot of tech businesses and financials. And because we have these models and we're so accurate, instead of making the security team's life a nightmare by firing a ton of false positives over, we can actually resolve these issues directly with end users at the point of data loss.
So at the moment, they're about to expose the company to some sort of sensitive data incident. We jump in the middle, we stop the data leaking out, and we coach and nudge them towards safe alternatives and behaviors. So instead of having to just try and block everything, you put Harmonic in the middle, we'll save the company from any issues without having to just block everyone and force them around existing security controls.
Yeah, it's kind of a win-win though, because it helps the infosec person be able to feel safe, sleep at night, not stress out all the time, and also get a heads up if something's going awry. But also the end user is not just being caged. Yeah, I like the idea of leaning them in the right direction. It's almost like cybersecurity training, really.
Yeah. And 99% of employees are just trying to do the right thing. You know, they're just trying to get the job done.
And we've got to let them do that.
And it's funny when you turn us on and you start to get the visibility into what's going where, we give you that picture and pretty quickly we've had organizations see, oh, you know what, we've got our marketing teams using these tools. We didn't even realize. That's cool, right? Let's enable them to do that with an enterprise agreement around one of the tools that they're using that's safe then, and we don't mind our company data going into, or whatever it might be, right? Same for coding assistants for the engineering team, the same for sales and go-to-market tooling and all that kind of stuff.
So often when you're in infosecurity, you're obviously trying to service all the employees in order to help the business grow. But your real pain point can be on occasion the C-level, the C-suite, because they may not be as au fait with all the things that you might require to secure, and they might be very, very excited about GenAI tools. So is there any kind of reporting within the tool or anything that you do to help that bridge between the C-suite and the infosecurity kind of be able to prove the point of the importance of it?
I think every enterprise we talk to pretty much has rolled out some sort of AI policy, right, of what's acceptable. And then most of them have some sort of steering committee for AI and security is always represented on there. Sometimes it even chairs that committee, which is slightly surprising to me, but they're very involved. And I think AI is the opportunity to make the security leaders the kind of the superheroes in the business by making them the enablers. And so typically what we see is the security team gets given the controls responsibility for the policy. And historically, there's no great controls. But if you roll out Harmonic, we try to make the CISO and the security team the superheroes here in this movie because we can show them, we can give that visibility to the whole business in terms of which AI is being used by which teams, you know, where are the risks, who's using personal accounts and free editions of tools instead of the corporate editions that we'd like them to use. But it's that kind of strategic view of AI adoption. And, you know, maybe we've sanctioned a couple of tools, but are people actually using them or are they using some other third parties that we didn't even know about? Right. And so that picture is not interesting just to security. It's interesting to the rest of the business and the rest of that AI steering committee. So we give that reporting, that visibility and that assurance to the security team that they can then bring to that AI committee and have something to talk about and kind of show the rest of the company that they're on top of this and acting as an enabler for the business. And that's our primary goal.
Yeah, that's really key, isn't it? We're fast running out of time. Is there anything you want to add and tell our listeners specifically?
Yeah, it is absolutely all about that AI adoption and enablement without the pain. And I just feel really bad for these security teams and leaders because they have so much on their plate on any given day anyway. And then the idea that they've now got to wrap their arms around this, you know, one of these 200 different frameworks for AI security on top of everything else is pretty wild. I think the cool thing with Harmonic is you can roll this out in 30 minutes.
Wow.
You start delivering value and visibility, super lightweight. Don't need to go through all the pain of DLP and labeling or trying to configure your gateway. And also don't take the heat from the business that wants to adopt these tools, you know, be the hero and enable them and give them that visibility. With the right controls around it. You know, bring that security policy to life for once and instead of it just being sat there on the shelf. So yeah, zero-touch data protection is the way that we go about that.
Yeah. And you've heard the CEO. You can do it in 30 minutes. Listeners, you can learn more at smashingsecurity.com/harmonic. That's H-A-R-M-O-N-I-C.
IC.
So smashingsecurity.com/harmonic. And Alastair Paterson, the CEO and co-founder of Harmonic Security, thank you so much for explaining it to us. I totally feel the pain for them and the relief.
That's right. Thanks, Carole. Really great chatting with you.
Brilliant.
Thank you so much. Fascinating stuff. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge shout out to our episode sponsors, Harmonic, Vanta, and Acronis. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 410 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye!
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- A Sneaky Phish Just Grabbed my Mailchimp Mailing List – Troy Hunt.
- Thunderbird breach notice.
- Opération Cactus – Le Groupement d’Intérêt Public Action contre la Cybermalveillance.
- Cancer patient lost life savings to whisky barrel scammers – BBC.
- How to spot an investment scam – Saga Money.
- More than £612 million was lost to investment fraud in the UK last year – City of London Police.
- Adolescence – Netflix.
- Behind the scenes of Adolescence – YouTube.
- Thames Water: Inside the Crisis – BBC iPlayer.
- Who let the BBC inside Thames Water? – The New Statesman.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Harmonic – Let your teams adopt AI tools safely by protecting sensitive data in real time with minimal effort. Harmonic Security gives you full control and stops leaks so your teams can innovate confidently.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Acronis Threat Research Unit – Your secret weapon against cyber attacks. Access the reports now.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.