Cybersecurity Secrets of the Ultra-Rich Transcript

 

Alice:  You are watching Cyber Made Human, the podcast that takes complex emerging technology and cybersecurity topics and makes it into accessible, understandable content. I’m your host, Alice Violet, and today I’m joined by Harry Gough, who is the Chief Operating Officer of Coc00n. They’re a cybersecurity company that specialise in ultra high net worth individuals, celebrities, and anybody with sensitive access.

We dive into a CEO scam that cost the company 25 million pounds. Plus we dive into the new online Safety Act, and whether VPNs actually make you anonymous online and discuss Australia’s move towards making social media limited for under sixteens. If you are around in October, make sure to join CyNam, a Secure Futures Event series.

We are going to be hosting a Cyber Made Human live episode on Wednesday, the 15th, diving into the use of AI as therapists and the risks involved in using AI as emotional support.

Alice: Harry, thank you so much for joining me today. It’s great to finally have you on. Cyber Made Human. We’ve talked about doing something together for a really long time, so I’m excited to have you here. So you specialise through your company cocoon in ultra high net worth individuals, keeping them safe online.

Harry: Yeah, that’s right. Yeah. So came about through, uh, previous expertise, within government where we were looking at, uh, individuals there who are under, government protection, and then seeing the real need. For this outside of government. So seeing the need for, people who maybe don’t fully kind of grasp the the need for cybersecurity. So both educating them and, uh, you know, then securing them.

Alice: Wow. Really interesting. So today we’re gonna dive into some of the stories of high net worth individuals kind of coming under attack and what kind of issues are arising with AI and deep fakes and social engineering.

And we’ll begin by just talking a bit about what type of security are you looking at when you’re working with. High net worth individuals.

Harry: We kind of, when we first started Coc00n, we were very focused around the devices of individuals, So protecting the device, you know, from, time in the space. Now it’s very clear that it’s not just the device, it’s their whole kind of digital ecosystem, Uh, like you said about families and, and, and children. These are part of it. You know, an individual is not just their device, it’s not just their accounts. It’s kind of everything surrounding them as well.

Alice: And what do you see as the biggest risk right now for people?

Harry: So I think it’s, it’s a bit of everything. It’s the fact that everything is now kind of coming to a head. Uh, you know, the use of AI to expedite these things is really kind of making it not just. You know, there’s no silver bullet.

There never has been a silver bullet in cybersecurity, but especially now, uh, the line between, uh, targeted attacks and kind of mass distribution attacks is getting less and less. Uh, the targeting in mass distribution attacks now, is far more prevalent. And we’re seeing people not just necessarily being tricked by a technological flaw or anything like that, but actually. Pressure through social engineering attacks, and the technically enabled attacks.

Alice: Right. So just for our listeners, benefit, for anyone who doesn’t know, can you describe a bit about what you mean by mass distribution and also social engineering?

Harry: Certainly. So, uh, you know. Terms like phishing attacks, uh, are thrown around.

I think when people think about phishing attacks, they think about, you know, poorly worded, uh, very unspecific emails arriving in their inbox that they go, I’m not engaging with that, and then we have, uh, and, and obviously dealing with, with, with high value individuals. Spear phishing and wailing is, is another level to that whereby they are targeted.

The email or the, the, the means of communication is far more. you know, specialised to that individual might be their hobbies. It might be something to do with their family, with their friends to get that hook to guarantee a click or a download. Um, in the past, those fishing attacks were very easy to spot. Um, they’re a lot harder to spot now.

The idea of sending out lots of emails to lots of people in the hope that one person clicks the link or downloads the file is now a case of sending out lots of specific emails to those individuals with a far more accuracy and far more kind of a guarantee that more people will be clicking.

Alice: So an example of that would be knowing that somebody is interested in sailing or is part of a certain sailing club or yacht club. Yeah. And emailing them at that specific yacht club saying you were here on Friday. Can you fill in this form? You’ve left something in the cloak room or whatever it is, something that’s a lot more believable to that individual that you’d only know if you’d, you knew that information about them and how would they be finding that information? Is it through what they are posting on social media?

Harry: Yeah, so, absolutely. So yeah, in the past if someone was a target, people would go out of their way to find this information out about them. But now, due to the amount of data that is available about, you know, everyone online.

You don’t have to try that hard to get it anymore. You know, you can see from someone’s social media posts what clubs they’re part of. Yeah. You know, where they go on holiday, things like this. Uh, and then that can all be, be pulled through to, to these targeted attacks. Uh, and then, like I say, expedited through the use of tools like AI.

Alice: Interesting. And so can you give me some examples of some of the biggest stories that have, have happened recently in terms of. Targeted attacks.

Harry: So, uh, we see it a lot with financial fraud. Um, so someone gets an email or gets some form of communication from their bank. Um, and, and these are often not just, you know, I’m your bank, please transfer funds, or, do you want me to transfer these funds?

But actually linked to, uh, specific actions going on. So for example, things like house sales or house purchases, the knowledge that that. You know, a transaction is being completed on a specific day at a specific time, and then beating the real message to the individual with a fake message that is then actioned by the individual because they believe that to be, you know, true.

If you think you’re completing for a house, um, on that day, you’re gonna send the money to the bank account. if someone. Beats that the actual kind of estate agent or whoever to that, you’re still gonna send the money because you believe, you know, everything has come together to make you believe that that is the, a real, uh, a real, uh, situation.

Alice: So when you were working in critical infrastructure, you must have been, I assume, looking at the kind of risk landscape of any kind of companies that different government bodies or companies were working with, and you’d. I guess analyze that risk landscape of every supplier and people that they’re working with.

Now, when you are working with an individual or a celebrity or a wealthy person, are you looking at things like if they’re purchasing a house, is that estate agent like fine and country or somebody? Are they even aware that their client could now become a risk if they’re posting the gorgeous house on their Instagram account and doing a tour of the home that’s potentially telling a Hacker or a scammer that that person’s house is currently for sale. Is that part of what you do in terms of education and risk landscape?

Harry: Yeah, absolutely. So we talk about supply chains. You know, supply chain’s a big thing in cybersecurity and often it is attributed to companies. Yeah. So where you are getting your, you know, X part for, for your machine from,.

That is also true of families, of individuals. So your family is a supply chain. You know, the people that you bank with are part of your supply chain. Um, and actually having that knowledge of, the risk that they bring into you as an individual. And it’s something that I don’t think has been kind of on the.

You know, on the mind of a lot of people for a long time. Um, they are trusted parties and therefore they do bank. You know, they do my banking for me and I trust them to do my banking. For me, the questions aren’t. Really ever asked of them. You know, what are you doing about, uh, securing my data?

What are you doing about, you know, stopping, um, transferring money out of my account that shouldn’t be going out? And those things. And I think there is that shift now in, in appreciation of these types of attacks that is making people question it. And is making people more open to, to input into how they can secure themselves.

Alice: Interesting. So just pivoting slightly onto the rise of deep fakes, and we just did an episode on Deep Fakes with Richard Norton and Derek Ahmedzai. Check it out. Um, but in terms of the work that you do, I know we’ve spoken a little bit about being able to clone voices and create AI videos of CEOs and things, and there’s quite an interesting example.

I’d love you to run through where that went very badly wrong.

Harry: Yeah, absolutely. So, so the deep fake, um. It’s, you know, it’s becoming more and more prominent and it is being used to enable social engineering attacks. So, a good example, a company called Arup, um, recently, uh, or say 2024. There was a deep fake, voice, uh, clone of, of the CFO, uh, actioning a bank transfer, um, to an employee further down the chain and that applied the pressure of a senior executive asking someone to action something, right? And so they don’t then look to, necessarily go through standard, you know, security validation, checks and things like that. Um, and it resulted in 25 million US dollars going out to multiple different banks bank accounts.

It was really due to that pressure. Um, and I think this is what we’re seeing a lot more now. AI itself is not necessarily the, uh the tool that is, uh, or, you know, it’s not a technological attack. It’s a social engineering attack that is massively expedited through the use of things like AI.

Alice: Wow. So, I don’t know. It’d be interesting to know how that scam took place. So it was a voice note from the CFO saying, please transfer these funds today by 4:00 PM or whatever it is. I think they said it was a, uh. Private business dealing, so not to discuss it with anybody else, what can we learn from that type of attack?

Alice: I think in the past, uh, these types of attacks have been put down to technology or cyber attacks, and therefore it is seen as the responsibility of technology or cybersecurity to block these attacks. I think what we’re seeing now is this, this understanding that it’s not just, you know, affecting your technology, it’s affecting your, your culture, your processes.

And these are processes that have been put in place years ago and people have never had to change. Um, and therefore they’re, they’re pretty staunch, in their use of them. Um, and actually they are the problem a lot of the time. These kinds of outdated approaches to, uh, you know, sending out, sending out, um, finance, uh, it’s something that.

That has been around for years. The finance department stands out, the finances. If an executive tells you to do something, you do it because you have trust in that executive. You can no longer necessarily have trust in, in a message from an executive anymore. And I think that’s what’s really scary about Ai

It’s, its ability to, to kind of, um, you know, impersonate and put pressure on. Parts of processes within companies. That they know, um, are, you know, suspect.

Alice: Yeah. And I think a lot of the tools that we use as a business are constantly sending me emails saying You can now do voice cloning. And I’ve been interested in trying it because, you know, if I’m recording an intro for the podcast or something, I might be able to just.

Pop my scripts in and it’ll do it for me. But actually that’s terrifying. And as somebody who is quite public facing and does put a lot of content of myself out there, there is then the risk of somebody taking my likeness or my voice and creating something that’s not real, and I don’t know how I feel about that because.

One solution. I guess people would say never put yourself online, but that’s not real reality. And as a founder of a company, I need to be putting myself out there and doing all of those things. What’s your personal opinion on deep fakes and where this is heading. How do you feel about that?

Alice: So I think it’s a, it’s a scary place purely because of how optimised it’s becoming. Think in the past you think of things like, um, deepfake content online. It was produced. It would take, you know, a lot of compute to get it there, and then it would be published online. A lot of this is now being localised.

So there’s no real way of, you know, like take down, take down, um, content from an online resource. Um, that’s, uh. You know, it’s hard to do, but it’s doable. The reality that someone can create something so likable, to a human, um, in, you know, on their phone. And have it, and only, only kind of deploy it when they need to deploy it.

Alice: It is scary. And so in terms of the people that you work with, you mentioned that you do education on that. Would part of that start with. There is the ability of just letting them know that DeepFakes about themselves could be created.

Harry: Yeah, absolutely. And then it’s, what do you do about it?

And again, technically it’s really hard to do something about it because of how quickly these things can come out. And so it’s about making them aware of it so that they can put the right safeguards in place to know, uh, you know, their, uh, accountants or whoever it may be, are aware of that. There’s enough out there about them that a deep fake could be created.

Therefore, if I send you a voice note or a video of myself saying a transfer funds or, or whatever it might be, check with me first. Banking is an industry that is still, uh, certainly, you know, high net worth banking is, is an industry that is based on trust and trust, not necessarily, with a process, but with an individual.

You have a private banker, for example. It’s really difficult to operate. That model when the trust in an individual is being eroded constantly. The use of things like voice to validate a request when, uh, using a bank, um, is something that when it was brought in, I think was seen as, you know, it’s really cool.

You know, it’s like Mission Impossible films. And things like that. It’s great. Um, but that is something that AI is actively kind of just completely kind of. Destroying the, trust. That process can bring you,

Alice: if you were targeting someone of extreme wealth and trying to get a lot of money out of them.You could look at their private banking relationship and say, that guy’s actually on holiday this week, so he’s gonna be less engaged. So when I send this voice note to the banking person. Is it about putting in additional verification?

Harry: Yeah, absolutely. It’s putting in additional verification that doesn’t take away from usability. Uh, often, especially with banking, it’s quite easy to apply pressure in a banking environment. Often, finances are a real pain point for people if, if they are told they need to pay something by a certain date, for example, there’s that pressure immediately there.

That balance of additional verification with usability is really important. What you don’t want is to bring in so much authentication and, you know, multi-step things that people become fatigued because that can also draw mistakes. Um, so, putting it in but in a way that works with your client is really important.

And I think the voice side of things. Did that for,a period, it was an easy way for someone to validate themselves without necessarily having to go on another device or to look at their phone or do anything. Multifactor authentication is a great tool. It’s the best security you can do for access control, but it does come with a bit of a, you know, uh, a bit of working to, to get it to go.

I think it’s, it’s, it’s about really making those processes as efficient as possible. So that your clients, or so that. Your staff aren’t frustrated with them and look for workarounds because workarounds are the single most, kind of best way to take down. Cybersecurity.

Advert: The Cyber Made Human Podcast is produced by Alice Violet Creative, my content marketing agency based in Cheltenham, we specialise in complex brands, which primarily means those in emerging technologies, cybersecurity and intelligence, we’re able to take abstract, clinical, and difficult topics and make beautiful, compelling and results driven content.So get in touch with us for digital marketing and all your content needs.

Alice: So when you are doing things like, I know you said that Coc00n originally was really focusing around devices and also, you know, you’ve worked with kind of government protected individuals and things like that. Does this erode their sense of independence in a way? If I was somebody who I had to have my device being secured by a third party, yeah. How does that feel as an individual? Does it remove a sense of privacy from their life?

Harry: That’s been something that’s been really important to us from the get go. Uh, the understanding that, you know, your mobile phone and, it’s only gonna increase is, is your kind of. Your whole world is on that, and so the idea of giving access to that or control of that to anyone that isn’t you. It’s really scary. Uh, so everything we do is with that in mind. So, you know, we don’t want to see anything, we don’t want access to, uh, anything on the device. All we want to do is protect the individual and the data and so we call it an invisible wrapper that we put around the device. Um, this idea of. We will provide, uh, we will take, we will use information purely to provide protection. As soon as we are not providing protection with that information. We don’t want that information. Uh, but it’s really important to make sure that they don’t feel like, you know, we are monitoring them or anything.

Alice: So, moving on to children and parents. ’cause I think. There’s a lot of lessons that parents can take from the work that you do in how to protect their own families and things like schools, photography, um, social media. I’d love some kind of lessons and insights you can share on keeping your children safe online. And I know that Australia’s recently put out a law around, children not being able to use social media, and I think the culture as a whole has celebrated that, whereas in the UK. Some families say that if their child doesn’t have a phone on social media, they’re the only child in class without it.

I’d love to just hear your thoughts and advice on those areas.

Harry: Absolutely. I think it is, it’s, it’s a kind of a social thing as much as it is a,, uh, online safety thing, uh, in, Australia. Um, you’ve got this community that’s been built around that and, and they’re celebrating it, like you say.

But they’re all in it together. And therefore, no one is left behind. No one is, no one is left out. Uh, I think there is also, um, the sense of being online and being digitally savvy. is really important and it’s only gonna become more important as more jobs go online. And, you know, you have to be able to operate in that space, to have a career and things.

So I think there is that worry that if I’m not exposing my child to these things early, are they gonna be left behind? Not just from a social perspective, but also from a, um, a professional perspective. Um, and I think it’s about exploring the ways that we can provide online safety and safeguarding around children without taking away that core skillset.

It’s really difficult. Um, and I think there’s always going to be a back and forth on this stuff that, that, you know, the new safety act that’s just, um, yeah, that’s just come out. on paper sounds fantastic in terms of what it’s bringing and the, the security that it’s putting around, um, children.

But actually there’s always gonna be backlash. Because some people are always going to think that that is too, uh, invasive or too, um, restrictive, and I think we’ll probably be in a situation for awhile where it will go back and forth and I dunno if there’ll ever be a happy medium reached. But, um, I think we’ll probably, yeah, we’ll probably kind of stay in this limbo between, uh, open and closed.

Alice: It’s really interesting ’cause I wonder. If things did become too strict online and you had to kind of verify who you were in every area that you went to, that actually spaces like the dark web would become more compelling to people.

Because people don’t want everybody knowing what they’re doing on the internet and there’s a good reason for and against that. And I think with things like WikiLeaks with whistleblowers and people being able to talk about stuff they couldn’t publicly, it’s really important to not feel like,Oh, you’re being monitored online.

Harry: Yeah. I mean, bringing it back to a kind of cybersecurity, um. Workarounds are something that. We kind of built Coc00n off. the idea of not wanting people to build workarounds. If you build security that is too restrictive, people will find ways around it and they’ll blow holes in the security that you’ve built and I think that’s true of this as well. If you make things too restrictive, people will go to the extremes, and so it’s, it’s finding, it’s finding something that, that does enough to, provide that safeguarding without pushing people to those extremes.

Alice: And then some parents wonder whether or not to just never post pictures of their children’s faces online. And being based in Cheltenham and some of the government bodies that exist here. I know there are people who work in that industry who can’t put their faces online, and I’ve often wondered if they were a child whose parents had posted them everywhere, would that have restricted their ability to work in certain agencies? But what is your opinion on posting pictures of your children online?

Harry: I think it’s just understanding what the risks are. We try to kind of instill in, in,our clients, but also anyone we kind of speak to this idea of everything is a risk-based decision. Uh, and it’s about kind of making sure that you are aware of those risks, you are over those risks so that you can make the right decision.

Understanding worries around posting your child’s, uh, face online and, and making your child a known entity online. Um, but that’s not to say you shouldn’t. You, you still can do these things, but it’s doing them while understanding the risks that they bring into your, to your ecosystem. You know, children are an extension of an individual, uh, for our client base.

If people want to target one of our clients, they don’t necessarily always go for the individual. They’ll go for the people in that ecosystem. They’ll go for the um, assistance, they’ll go for the family, they’ll go for the friends as a way through to the, to the end target. Um, so it’s knowledge that if you are posting things about your children, they may become a target as a result of that.

But also it’s, it’s okay, if you want to share things online, you can share things online.

Alice: Yeah. So it’s more about what. Information sharing those locations is giving people about your children versus it just being a picture of their face online. Yeah. That’s interesting. So what do you think the future of individual security is for people of wealth or people who, just, individuals who wanna keep them safe online.

What’s the main thing you think?

Harry: I think the best thing to do is staying educated, staying aware of what’s going on. Cybersecurity has for, for, you know, for years been a, an increasingly just fast paced space, both, uh, on the, uh, offensive and the defensive side of that. And I think it’s, it’s, it’s that risk decision piece.

Again, it’s coming back to that, it’s, it’s making yourself aware so you can make the right decision. Uh, and that right decision isn’t always. Security, right? That right decision can be, you know, any number of things. Um, but, but you are aware that when you make that decision. The risks and the pros that come with that.

Alice: So my right. In thinking as part of your solution, you offer your users a kind of type of VPN. Yeah. So I’d love to know a bit more about, I think with the new online Safety Act, there’s been a lot more use of VPNs, which for anyone who doesn’t know, is a virtual private network which hides your IP address and where you are coming from.

Tell us a bit about VPNs and your opinion on that.

Harry: So we, we, uh, implement a VPN for, uh. Data security, and I think it’s really interesting when people talk about VPNs, ’cause a lot of people have a lot of different opinions on VPNs, depending on how they have been exposed to them. Yeah. So for example, our VPN that we push, um, is security led.

It is there to encrypt your data. It is there to secure you, uh, VPNs for years. Were misused. They were seen as ways to get around certain, uh, security, like accessing streaming services in other countries. Um, interestingly with the VPNs now, uh, we’re seeing that they are now being used to access adult content on the web and again, I worry with this, that this is then taking us away from the security of them, that they may be seen as an opportunity to sell a VPN. To do, you know, to circumnavigate certain things as opposed to providing security and therefore kind of eroding the confidence people have in VPNs or the way that they should be using them.

Alice:As much as I agree that, you know, using it for accessing adult content or watching the different US version of the office in a different country, as much as that’s not what the VPN is intended for, does it matter if you’ve got a VPN and it’s making you more secure? Does it matter if your intention wasn’t actually to be more secure?

Harry: So I don’t think it’s necessarily a case of it matters for the individual. If, like you say, if the individual is using a way to encrypt their data, that’s fantastic. I think the worry is that the people providing the VPNs will then see it as an opportunity to not necessarily prioritise security there and they can. They know they can sell it on something completely different and therefore they can kind of turn a blind eye to that. And that’s the worry is that then people getting VPNs for security are almost buying something that doesn’t quite meet that brief anymore.

Alice: And with VPNs, is it essentially that if you are using a VPN, your IP address is just going through that app instead of. Direct to the website. So you’re still trackable online. Are you anonymous if you’re using a VPN?

Harry: Um, what you see with the kind of widely commercially available VPNs is that a lot of traffic comes out in the same place. So a VPN will, the, the end point will be somewhere online. Uh, different countries could be the same country.

That’s where your traffic is, is coming out from. So rather than it being seen as your device, it’s seen as another IP . Um, so, so I think to an extent, your data over A VPN is encrypted from, uh, your device to at the end point of the VPN. Um, but what is interesting is that what it is, it is coming out that endpoint, um, if that endpoint is shared across multiple users of A VPN, it is coming out as unencrypted traffic at that point.

There’s loads of data there, then that data is interesting for an attacker.

Alice: I wonder with the new online Safety Act and people wanting to access certain websites anonymously, whether actually that will cause more phishing attacks or targeted phishing attacks, because people will now pretend to be a VPN or a free VPN, that’s become really popular and say, we’ve actually got all of your data and timestamps, um, because you used us instead and got your bank details. Whether that’s a scam or not, I think people would fall for that and think, oops, my data’s now accessible. Just through a different means.

Harry: Absolutely. I think, I think separate to VPNs in general, I think the Online Safety Act, while it brings this security, it opens, it opens, uh, online up to these types of attacks to, to your finding a way around it if you don’t want to, to get a VPN, but you also don’t wanna verify your age.

For example, people find them workarounds or they go to slightly less, um. Trusted sites and things like that. And actually the security impact that that can have could be just as damning as, as what the act itself is, is protecting against.

Alice: So thank you so much for your insights. My final question for you is the Cyber Made Human bookshelf. This is an opportunity for our listeners to learn a bit more about you as a person. Um, doesn’t have to be related to cybersecurity, but it can be, um, just a book that’s changed your thinking or your current read would be great.

Harry: Absolutely. So, um, I struggle. My attention span is terrible. Ah, so reading a full book is often really difficult for me unless it hooks me within, you know, the first few chapters.

I absolutely adore mythology. I love this idea of stories that have been told for years, uh, and adapted and changed, but are still so relevant to, to kind of what we do today. Uh, so my book is, is Mythos by Stephen Fry, which is a fantastic retelling of, of some of the, the great myths.

Alice: Amazing.Thank you. Well, in a similar vein then I’m gonna choose, uh, meditations by Marcus Aurelius, which anyone who’s interested in philosophy may have read or should read. It’s the School of Stoicism Really. And it was his private journal and it’s really interesting because it’s written from the perspective of him being a leader and trying to kind of battle with his own, um.

Leanings towards greed or the easy option versus trying to be a decent human being and choose the harder option. And it’s really just designed to be read and consumed and thought about, and I’ve kind of just been reading certain quotes out of it and thinking about how I can apply that to my daily life.

So instead of having a lie-in on Saturday or skipping yoga on Monday, doing the thing that’s a bit harder because it improves my life or not eating a second chocolate bar. And I think it’s just really interesting to know that he didn’t write this for public consumption or to be published. It was just his way of trying to be more disciplined. In his own wallowing and indulgent. And yeah, so I’m finding that really interesting and I’d recommend anybody who kind of, it’s I guess a bit of, um, self-help category in a way, but also obviously philosophy. It’s very interesting. So that’s my recommendation.

But thank you so much for joining us. Your insights have been really interesting and yeah. Thanks for watching, guys.