
In this episode of Cybersecurity Today, host Jim Love sits down with Graham Berry, a CISO and white hat hacker, to discuss the critical importance of cybersecurity for small and medium-sized businesses. From the moment Berry fell in love with...
A
They called me a few days after I met with them and they said, yeah, we need to, we need to step on the gas pedal here. And I'm like, what happened? And they said, one of our biggest customers has been hit and they're completely locked. And they've notified us to say, we're not sure we're going to be able to pay you. And that's when they started thinking, oh, the cyber stuff is real. When our clients are saying they can't pay us. So that's when it really starts.
B
Welcome to Cybersecurity Today. I'm your host, Jim Love. One of the cool things about my job as a podcast host is that I get to meet a lot of people who are doing some interesting things and I'm fascinated by what they're doing and what issues come up. And one of those issues for me is how do we advance cybersecurity with small and even medium sized businesses? Not in theory, but what do you really do? And that's what I was interested in talking about when I set up this meeting with Graham Berry, a white hat hacker, a CISO with a lot of years of experience, and somebody who works with companies that have anywhere from a couple of people to hundreds and more. This is the conversation we had. I recorded it with permission, of course. And when these conversations are interesting, I share them with you and I think you'll find some interesting stuff in this conversation. Welcome, Graham.
A
Thank you very much, Jim. Glad to be here.
B
Your bio says you fell in love with computers when you discovered a Tandy TRS-80 at the public library in rural Ontario. So I have two questions. One is, what's the town? And how old were you?
A
It was Hanover, just south of Owen Sound. And I was probably eight or nine maybe. That was my first exposure to computers.
B
Yeah, I, yeah, and the magic of it, I, I first saw those things, I think I was in my 20s when I first saw one in northern Saskatchewan. I think La Ronge, and this, this guy was already running his business on this TRS-80 and I would, I was, it was magic. Yeah, you obviously stayed interested in all this. Tell me a little bit more about how you got from there to here.
A
Yeah, it's. I, you know, I, I progressed through the Commodore series, like the VIC-20, the 64 and all that. And then I went to school for computer technology and was in Waterloo and, you know, that was the hotbed of technology then. And I started with a retailer at the time and ultimately they went out of business and then jumped into some other retailers in the, you know, in the early 90s. Laptops were, you know, they were, they were getting more prolific in businesses, but they were still expensive. I remember like the Toshiba tech routes were like a thousand dollars. Exactly. And we started getting clients around the Waterloo area like HP and a lot of the technology companies. So that just kind of spun out from there, then into government. Really worked my way from tech support up to director level. Really got to understand the business side of technology and that's where it really took off from there. I started my own business about seven years ago, moved over this way to Lindsay, and I'm a close jaunt to the GTA, so it works out well.
B
You're in Lindsay, I'm in Miners Bay. I'm just south of Minden.
A
Yeah, I think we've talked about that before.
B
Sure. Yeah. I just, I realized he's. Yeah. Anyway, enough Canadiana for people there. But how did this go from. From an interest in technology to cybersecurity?
A
I was always fascinated by it. Like, even when I was working in Waterloo, I started getting a bit of a reputation that, you know, reset passwords and get into systems that way, like the old laptops. I was one of the few that were disassembling them and going board level with repairs, etc. So at that time when passwords were set and then people left companies, that could reset. You could do a hardware reset on the motherboard and very few people were doing it. So then insurance companies started coming in and saying, well, we've got these systems. Can you start doing appraisals for us? And, you know, theft and all that. So that's where it spun out of, really was, you know, mid-90s interesting kind of stuff. Yeah.
B
And today you call yourself a white hat hacker, so you've been playing with that.
A
That's kind of the, the moniker I'd been given. Yeah, I know it's been kicked around a lot over the years. Yeah, I, I used to play a lot of how can we break into the networks, et cetera. And now I do it more from a theoretical point of view with tabletop exercises. And that gets back to the business risk piece of doing it for executives, like putting them in the hot seat to say, your company has now been ransomed and here's how it happened. And I put together that theoretical hack, basically.
B
Yeah. And unfortunately not altogether theoretical these days. And I'm always careful about how we approach this idea, particularly when we deal with small businesses. And I think you might have got this sense when you worked in retail, there is no business that is more direct than retail. You know, like they're, they sell stuff or they don't. These guys, everybody, or guys and women, know their numbers for every location. They're just incredible in terms of how direct they are. And I never want to, to say that they're behind in terms of technology or cybersecurity because there are, they're the mythical ones. They're the people who, I don't care about that computer thing. I. But that's not it. They care about selling, they know their business and to the degree that you can help them do their business, they're interested. To the degree you can't, it's all theoretical. So I don't want to take that away from them. But these businesses are small and medium sized businesses have in many cases I think thought that they are under, they're flying under the radar, they're not at risk because they're too small or nobody, you know, and, and then that's just not the case. And I'll just rabbit on about this because Danish Yusuf from Zensurance sent me a survey and it was the survey, a Pollfish survey of a thousand business entrepreneurs in Canada, found that more than half of the country's small businesses have already been hit. And that's, this is them responding. So, and that was phishing attacks, malware, fraudulent transfers, ransomware. And the one that I think is going to be a biggie, DDoS in terms of taking you off the air. So they are under attack. In your talking with businesses, do you feel that they really realize this?
A
They start when it starts getting closer to home. I was, worked for a company a couple of years ago and we, they engaged me, they said yeah, we, we should be looking at this cybersecurity thing. You know, we're, we've heard about insurance, we're going to start looking down that path. So I started doing an assessment with them, understanding the current state, what they had in place, et cetera. And they called me a few days after I met with them and they said yeah, we need to, we need to step on the gas pedal here. And I'm like, what happened? And they said, one of our biggest customers has been hit and they're completely locked and they've notified us to say we're not sure we're going to be able to pay you. And that's when they started thinking, oh, the cyber stuff is real. When our clients are saying they can't pay us. So that's when it really starts.
B
Thank God they didn't say, we think it came from you. For small businesses, you're not going to get a lot of sympathy. If you have a big supplier and you pass on any sort of malware to them, they're not going to be your next. Contracts can be a little more difficult.
A
Yeah. And I, you know, I've been pulled into some, some incidents where the, the company has, it was one of their customers that got hit with ransomware and it came through their organization as their supplier. So it, and they were a small business, like they were 30 employees and it actually came from their network. And we had to really be gentle and explain to the company this is how it happened. It was a vulnerability that we weren't aware of, and with MSPs involved and MSSPs, we brought it back in line, we got them rectified and cleaned up and they're still a client of the client. So that's. It was a good story.
B
Yeah, I don't know. So you're not only advising them on technology, but also helping them with the communication piece of this, which is be honest, be straightforward, don't be embarrassed. You know, if you've done everything well and this is where the pre prep comes from. You know, if you can tell them, look, we do exercises, we, we do preparation, we have good things in place, everybody gets hit. That's a different thing than having a sloppy shop.
A
Oh, for sure, for sure. And it's, you know, that's, that's why when, when I do tabletops with companies and it's their first one, they, they're a little apprehensive. They're like, what is this? You know, be careful with our CEO and things like that. But once we get into it, they get right into it and they're like, holy cow, we need to get some communication templates built. We need to get, make sure our insurance company, we understand where those lines of demarcation are, that we bring them in, that they're going to take over, they're going to take care of us. And that's when the criticality around the discussions of insurance is important because a lot of small businesses aren't aware of it.
B
We've had discussions on the program and one of the things I think businesses don't realize, first of all, if you tell your insurance company you're doing something and you're not, you're uninsured and it's just that simple, that insurance, you stop paying the premium because you're not going to get anything. They're not stupid. They'll come in and look at you when you make a claim.
A
Yeah, look at Hamilton. When they had their pension, they didn't have MFA. They said, sorry.
B
Because I think a lot of small businesses, and I've seen it, they get the form from the business, they go click check, check, check. Yes, we do all that stuff and hope to God that or maybe they're just not aware. But tell me about this. So you, when you come into a business and you say, look, we need to get you prepared for both, I presume both cybersecurity, but also prepared for recovery, how does that conversation go?
A
Well, it's, I walk them through the life cycle of it. So it's, let's look at your inventory, let's make sure you've got, you know, we understand your hardware assets, your software assets, but most importantly your data assets. Where's your data residing and have you identified what's truly critical to your business? Being in the industry so long, I've had to restore Unix green screens for tape and I still have emotional wounds. So I take that in and say it's not just a push the button, you recover. There is a lot that's involved with it and I walk them through the business impact analysis process to say, okay, what can you do without this software? Or what can you do? How can you operate your business without this? Look at what's involved to make that tick and run people, processes, technology, take some of those out of that equation and can you still run? And then you start seeing the lights going off like, oh geez, we never really looked at it that way. Those are risks to your business. That's not a technology issue. Let's build on that. And we walk through and look at their backups. And a lot of companies will say, well I use Google, so that's not a backup. We have to make sure your data is immutable and can't be accessed by any bad actors. So we walked through that whole process and when we start having the conversations, like during a tabletop exercise, the CEO or the CFO will hey, well let's just restore. We can get back online. But what are you going to restore to? If your data, if your servers are encrypted, you may have forensic investigators or the authorities investigating because it might be fraud or what have you. So what are you actually going to physically restore to? And then they start thinking, oh geez, there is a lot more to this than the old days would pop a tape in and restore.
B
Or you said you've had the scars or watch the tape zip by and realize there's nothing on it. I'll tell you, nothing makes your night better than going, that tape shouldn't have run that fast, guys, you introduce them to this conversation. This is why I really want to dive into this, because it's something I think we all grapple with is how do you make this real? Just walk me through an encounter with a client. They call you.
A
How.
B
Why do they call you? And then what's your first meeting like?
A
Typically, I get called. Either they've had a close scare or they're being asked by a client, or it's regulatory. They're having to make sure they're adhering to privacy legislation, or they may have a big client that says, you know, we want to make sure you're secure, like you're handling our data. We want to make sure that, you know, when something goes wrong, you're doing your part in our supply chain. So that's usually how it comes about.
B
And who do you meet with?
A
It depends. Size of the organization plays into that. Sometimes it's IT. Typically with small businesses, though, it's usually the business owner where they've. They've gotten the questions from. Like I said, a supplier or contractual. And that's when they. We don't know where to start. Like, they've told us to follow the NIST framework. We don't even know what that is. So then we start having the conversation of, okay, let's see what your actual requirements are, and let's break it down. And, you know, if it's. If it is contractual and they're asking that you need to follow, say, the NIST CSF framework, well, then that's what we're benchmarking to. Let's start building there. We'll start looking at things. Like I said, you don't have to go after the bright, shiny objects, like, that's. That's too much money. Let's break it down to the bare minimum and make sure you're hitting the key. The key controls, like I mentioned earlier, the inventory of the assets, your data, et cetera, et cetera. And I really try to put it in a business context rather than a technical context, because once you start talking tech, they too know it's not their thing. They're there to run a business, and.
B
They know things about their business that I always. When I used to teach consultants, one of the things I taught them was, do not go in there and try to tell them, you know, more about their business. That is not only insulting, it builds a barrier. My line was always, you know your business better than I do, but I know this area better than you do.
A
Yeah, it is a fine line. A lot of times I'll say, you know what, we were given one mouth and two ears. You know, use them more, listen and take it all in and understand the business. And then you could pinpoint and pull out where you think the risks are and start talking to them about that.
B
So tell me a story about the company that you've turned around. What's your worst encounter that you've turned around? You don't have to name them. How did you get somebody on side who really was looking at you going, really? Do I have like. Yeah, because I've heard lines from a lot of guys. My favorite still. Oh yeah, nothing more than another quarter million dollars can't solve, eh? Like they look at us like we're just coming in to spend their money and I. And fair enough. But how do you give me an example of somebody you've turned around?
A
I've got a client now that they've been moving like a freighter and we're just starting to make that big wide turn. They're a software company and they have their processes and security was never one of them. So we're starting to bake it in and when the devs are calling me and say, does this make sense? Should I be looking at this? Or when should we be putting security in place in our flow and things like that. That's when I know we've got the ship turning around and the CEO starting to ask questions. They were uninsurable at first. We've got them insurance. So that was a big thing because at first they didn't think they needed it. And I really stressed to them that yes, this is something you should be looking at as a small business. Their first, their first go round, the insurance company said, no, you guys, you need to put more processes in place, more controls. So we, six months later we came back and we had the controls in place and the insurance company said, yes, we've got your back. Oh, it. That's a big thing, really, in that short a time.
B
Personally, from a business aspect, I think that's one of the great starting points that many companies should consider is could I get insurance? Forget whether you got to buy it or not, could I get it? And I think that's a business question you should be asking yourself. Forget the technology. Could I actually qualify for cyber insurance?
A
Yeah. And it's, you know, it's depending on the industry, it is an easy way in. Like you mentioned earlier, you know, you check the check boxes and away you go. Some of them are as simple as five or six questions and they can, they'll run external scans against your external IP address and what have you and they'll approve you. Others I've seen where we've spent eight hours going through their online forms to. It should have been a brutal process, but for the most part for small businesses it's an easy exercise. Yet you get told right away pretty much that yeah, you're approved and we've got you. And I can't stress it enough how important it is, because the costs of recovery are just, they're insane for a small business.
B
They're stopped doing well. Yeah. And if you're a small business and I'm surprised that more people don't, don't push this idea is you're probably get, trying to get that, that customer, that great customer and you're probably talking to them right now and when they send you the form and they will saying tell me about your cyber security practices. You're not going to be able to develop those overnight and you don't want to lose that sale because you haven't at least done the basics. Do you have that conversation with businesses?
A
Oh yeah, it's, it is one of those. I have it as kind of a baseline question of you're doing this, you're doing this, do this. What about, what about your insurance? What about your clients? Like what are they demanding from you? Always seems to fall back on that. A lot of times when you're, when I first started in business and you quoting jobs and it always asked if you had one or $2 million liability insurance. I have started seeing some questions of from your liability insurance, what is your cyber coverage? It's becoming more and more, a lot more questions around cyber for sure and how, what are you doing?
B
I would imagine it because like I said if you're, if you're a larger company or even a mid sized company, you're hiring someone or you're engaging in business with someone, you can't sue them. What's the point? You'll just drive them out of business. If they don't have insurance, chances are they don't have the money to pay you. So you're not going to recover anything in those cases. And a lot of especially big companies have professional purchasing and they're not going to, they're not going to get by this. They've got, they talk about checkbox people, if you've ever dealt with professional procurement people, they got a checkbox for this and they're going to check that or not.
A
Yeah, that part of the. Some clients have to do third party risk management where it's just that, where they go out to their suppliers and say, can you provide us with your cyber insurance details? If you've got a SOC 2 or ISO certified, all of that, or in lieu of all that, what is your security program? And if they don't have it, if they can't readily tell us that, then they're getting a big red X of okay, maybe we should be looking at another supplier. And that, you're exactly right. With larger organizations, that is a gatekeeper.
B
So I want to go back to this idea of the tabletop exercise. I think that's a wonderful thing to do with these businesses. So tell me what, how you would describe what are your best tabletop insurance office. What. How did it go?
A
I got two. These were larger organizations, and what I really like to do is I do a technical one. So I come up with a technical scenario and I have the technical team at the table and we walk through, okay, we're seeing this kind of log activity. This has come up, blah, blah, blah. We go right through to ransom or whatever the scenario is. We take a one hour, two hour break. I do up like a situation report and then we bring in the executives. And then I say, okay, here's the situation. You've been ransomed. The tech team has contained it, but it's impacted your business. So how are you going to now run this? Here's the details. You've got regulatory challenges, business challenges, et cetera, et cetera. And I've had CEOs that'll say we just pay. And I said, are you sure you're just going to pay? Well, okay, let me think about it. And then they'll banter around the table. Prior to two in particular, the IT directors, now these were bigger organizations, said to me, you're going to have a hard time keeping them engaged. These guys will be playing on their iPad, et cetera. They won't be engaged. One of them, the CEO, joined by Teams or Zoom or whatever we were on. And he sat in his office with a Solo cup and he was tucking tobacco. And I'd had him so stressed out, he was just continually tucking and spitting. And another one.
B
I want a client. I want a client where somebody chews tobacco. That's.
A
Yeah, yeah, another one. We were told the CEO, he's not going to be engaged. Within 30 minutes, I had him pacing the meeting room and he was freaked out. And he was like, what about our manufacturing line? I said, it's done. He spoke, no, you've got my attention. What are we doing? How are we doing this? Communications, how we run an operation. And he was the most engaged CEO I've seen after that. And the IT folks afterwards came to me and said, that was unreal. We've never seen him so engaged. You hit the where Earth.
B
And I think you have to hit them with the right language. I still remember one time I, when I was, I was heading up consulting at DMR, they brought in a CEO and they sat him down and nobody prepped him for this thing, this meeting. And I said, well, we're going to do this workshop. And the guy just, you could see him viscerally react. He said, workshop here for any effing workshop. And now there's, when people do that, there's two things you can do. One is you can try and convince him that he should sit through a workshop. The other thing you could say is, okay, but you're here now, I'm here now, we did some work. What's going to make this work for you? What do you want to get out of it? And that's the sense I get from what you're doing with this is turning the problem to them and saying, hey, just tell me how you get around it.
A
Yeah, it's really, like I said earlier, you'll start to see the light bulbs go off when they realize this isn't a technical thing, this isn't an IT issue, this is a business issue and it's a business risk. And I'll bring it back to insurance again because that's one of the first questions that the companies or the clients will ask is when do we retain or when do we call insurance? And I'll say you're doing that right away. Even if you're not filing a claim, you're bringing them in so they can be engaged and understand what you're facing. And then if you do need to file a claim, they're there with the resources for you. And I did a tabletop on Tuesday and that was the first thing they said. They said, we're calling cyber insurance and we're getting their experts to the table with us because we don't have the, we don't have the depth on the bench.
B
Yeah, but those guys aren't magic. They, I mean, they. And, and they are. I mean, they're Skilled. I've. I've interviewed people who do nothing but crisis communication during ransomware attacks. But the fact that they're really good at what they do is no substitute for the fact that you have to have a message. You have. You know, if you're drafting that at the time of an attack, God help you.
A
Well, and that's just it. It's that fine line of, do we go with what we know or do we go with, you know, what we anticipate? Because it. Two different things that you could be saying, well, only. Only a subset of our data has been accessed, but two hours later you realize, oh, no, it was all of it. You know, it's. It's really a fine line. I envy people in crisis communication because it, it is such a precarious. Spinning the right message or getting the right message out there. Not my forte. No.
B
But generally being prepared for it is the most important thing.
A
It is.
B
And so tell me, what's your most successful recovery? What's the one that you look at and you say, I'm so glad. What was your most successful recovery?
A
We. We got into one luckily. I shouldn't say luckily. They were prepared. It's rare to have someone be as prepared. Yeah, they had some major interruptions. There was questions, though. They didn't have the coordination and the internal communication piece ironed out. It was early days with me working with them, so we were still working through all of that. But. And that's the other thing. And it's. It always comes at the wrong kind of just. It was. But they made a major investment in immutable backups. And yeah, they had some hurdles getting it up and running, but they got it up and running and we were able to flip the switch and do a full recovery. It was intense. Like, they're never fun. But we were able to recover. We did. We didn't have any data loss, so that was a major. A major win. I always liked those.
B
Yeah. And I've lived. I confess I've lived through the reverse. If you're around long enough, you'll be in a disaster. I've been through the place where you look at the backups aren't there, and I, you know, that happened relatively early in my career. I laid awake all night waiting to get fired, even though, like, there was nothing. I hadn't done it. But, you know, and to this day, I. I'll still. Well, I won't do it anymore because I don't run companies anymore, but I would. I was famous for walking and tapping somebody on the shoulder said, I want you to restore this file for me now in front of Nick. Yeah. And the, and in nice terms, the. And I don't, I don't. Not threatening people or anything like they're pulling a power trip. But the answer was, and I think we all understood it, if you can't restore that file, I don't need you. And I think you have to have that without it being a power trip. I think you have to have that degree of, of insistence and thank God. But when you're convincing a client, it's different. When you're running a place, it's different. But you know, because God, I've talked to, I talked to a major. Most people would know this business if I told them who it was. And they were a $50 million business. They built it from a family business and they got hacked ransomware. All of their files were encrypted and they couldn't access the backups. And it was, they were just, they stopped doing business and customers noticed and it was getting. And fortunately, thank God, they had a dev system that was unaffected and they could find some of the files. It wasn't perfect, but they could get back up and running. But I talked to this guy, he'd taken a family business all the way up to this size and they were going to lose it now. And I think that was. I was so happy that he was able to at least limpify. 
But when I think about what the balance of compared to that experience, what, how bad is it to actually spend some time, I don't know, somebody takes you in and you get them going, how long does that take?
A
It really? It depends. It depends on budget. A lot of it is, it's a two way street. Like I, I start building stuff, but I need them engaged as well. So if they keep pushing back and saying, oh no, I don't, I can't, I can't make this meeting, I can't make this meeting, then there comes a time where I have to say, look, are you serious about this? Because you may not think it is critical to your business, but I'm, I'm here to tell you that it is. And we need to set aside some time to, to build this and work on it. And you know, we could do it in eight months, 12 months, it could be two to three years depending on how engaged they are and what kind of business it is.
B
But a relatively small component of a business, if it's done well, and I think you pointed out correctly, is, and I think as consultants as people work with business, we have to be able to guide them because customers can make things very expensive. The end. I gotta tell you, it didn't take me very long before that canceled meeting was charged for because I'm not going to turn up at your office to have a meeting. Have scheduled my whole day. Have you say, oh, my secretary told me I've got this meeting double booked. Well, guess what? You just paid for the time. I finally gave up on that. I stopped being a nice guy about that. But it is, it is something I think people can make, make any consulting with assignment, whether it's security or anything, they can make it much more expensive by not engaging it.
A
For sure. Yeah, it's like, you know, you miss a doctor's appointment, you get charged. It's the same thing. You need to put that out there. So we're here to help your business.
B
What's your advice to people like yourself or customers out there who are looking at this now and we still haven't moved? What, what would you say to them?
A
It's not too late. Start taking it seriously. It's going to hit you. Right. The experts say it's not a question of if, but a question of when. Now, with accelerating attacks getting harder to defend against in a lot of cases, especially in small businesses, because they don't have tools to do it. Yeah, I think it's more critical than ever just to start having the conversation of looking at where data is and what are you doing to protect it. What are the crown jewels of the business? It used to be you could say, oh, I'm in manufacturing or I'm in this and I'm in that. And then someone's, I'm a technology company. Well, now everybody's technology, doesn't matter. We all rely on it and we have to start looking at it that way.
B
And I'm glad you gave me the intro because my podcaster's license gets revoked if I don't ask a question about AI. Well, seriously, the little man comes in, he says, oh, sorry, you're no longer a podcaster. You didn't talk about AIs. So what are the challenges that companies are facing with AI now that you see that's affecting security? And especially for SMBs, the big one.
A
I find is data leaving the premises. Like people are using the AI tools and just uploading documents, uploading data. Can you rewrite this? Can you review this? And without having the protections in place, you're pumping your corporate data up into someone else's server. Real. And at this point, I don't think there's been any actual incidents around that. I think New Zealand actually has a court case going on around it where a company did put data up into an AI engine and the government's classified it as a, as a data incident.
B
Stuff has turned up. Whether or not it's been revealed or not, stuff has been turned up in queries where people have loaded things up and it comes back as an answer most. I mean, again, this is one of the things I, I think companies, especially when you're working with small businesses, you have to get people to tell you they're using AI so you can help them do it safely. Because this is a simple Switch on. On OpenAI for don't send my data. Like you can do things if you know people are using it. The scary thing for me is people are just sort of going, well, whatever. If they're doing it, they're doing it. No, if they're putting your company data in there, and chances are they are the other one, that scares the heck out of. Not scares the heck out of either. Sorry, that's the wrong way to look at it. But Google, right now, you can, you, you can take the Perplexity browser and hook it up to your Google account, your email and all that sort of stuff. And I keep saying, wait, you might not want to do that at work or even with an account if you've got your bank account information until you figure out how you're going to avoid it. Not just taking data or sending something out, accidentally clicking off one of those automatic emails that sends out. We've all. Everybody's done that. Send all email. I used to think should have a Breathalyzer on my laptop when I was younger, you know, because you've. Everybody's done that. Send all email. Well, guess what? You automate your emails. You can automate emails to clients really quick, not the ones you want.
A
And now with the browsers, like you say, the Perplexity and ChatGPT's Atlas, I think the malicious scripts and prompts that could be created embedded in a website could prompt the engine to do exactly that. Harvest email. Harvest data. When I have the AI conversation with companies, I say put your foot on the brake. Yes, it's good, but you have to do it responsibly.
B
Yeah. Get somebody who knows where they're. Prompt injection is so, I mean, like I said, it's so easy to send you an email that. Especially if Gemini is reading your emails. Send you an email with white on white, you'll never read it. And it will give an instruction to the AI. Simple prompt injection, easy to do. We'll see more of those.
A
Yeah, it's the new shadow IT, definitely.
B
Exactly. And I'm a big proponent, by the way. I'm working on a book called the Company of One. I believe that AI effectiveness will be what small businesses need, but it needs to be out in the open.
A
Yeah, we have to govern it like we do all the other technologies. For sure.
B
What else are you looking forward to? Like, it's hard to look forward to it in security. Jim, I'd like one more weekend where they call me Sunday night. What are you looking forward to in terms of the positive stuff you want to do over the next few months?
A
I'm starting to see people more involved and more engaged around security. It's less of an education for people. I'd like to say we are becoming numb to all of the breach news. Like, oh, this company's been breached, this company's been breached, and people are numb to it. I think people are getting more engaged. I find myself having a lot more conversations around how do I secure my data or, you know, what about this for AI? Yeah, it's still a challenge, but in a lot of cases it's getting easier. Good or bad insurances. I'm like you, I, I like the AI wave. I'm a one bit. I'm a one man show, a one man band. I'm excited to see where it can go, but it has to be done correctly. It gets back to the old Tandy TRS 80. I'm still a, I'm still a technology junkie. It's just a new form.
B
Nothing wrong with that. Nothing wrong with that. You do what you love. My guest today has been Graham Berry. He's a CISO, white hat hacker and a tabletop exerciser par excellence. And that's what I learned from this. Thanks for joining us, Graham.
A
Awesome. Thank you very much, Jeff.
B
Yeah, and thank you for sitting in with us. We always appreciate your interest and I love to hear your questions and comments. You can reach me at technewsday.ca or .com. Just use the contact us page. And if you're part of the small but growing audience watching us on YouTube, leave a note under the video or maybe a thumbs up or a subscription. It all helps. It goes a long way to building the audience. Or you can just share this with somebody you know. I'm your host, Jim Love. Have a great weekend and thanks for listening.
Podcast: Cybersecurity Today
Host: Jim Love
Guest: Graham Berry (White Hat Hacker & CISO)
Date: October 25, 2025
This episode explores the real-world cybersecurity challenges faced by small and medium-sized businesses (SMBs), featuring advice and frontline experiences from Graham Berry, a seasoned white hat hacker and Chief Information Security Officer. Jim Love and Graham discuss why SMBs are targets, misconceptions about cyber risks, the growing importance of cyber insurance, the impact of AI on security, and practical steps for companies to build resilience. The episode is rich with anecdotes, actionable advice, and memorable moments that ground technical issues in the world of business leaders.
"It was Hanover, just south of Owen Sound. And I was probably eight or nine maybe. That was my first exposure to computers." – Graham ([01:46])
"More than half of the country's small businesses have already been hit." – Jim Love referencing a recent survey ([06:53])
"Be honest, be straightforward, don't be embarrassed... That's a different thing than having a sloppy shop." – Jim ([09:34])
"Could I get insurance? Forget whether you got to buy it or not, could I get it?" – Jim ([18:57])
"We were given one mouth and two ears. You know, use them more, listen and take it all in and understand the business." – Graham ([16:51])
"Within 30 minutes, I had him pacing the meeting room and he was freaked out." – Graham ([24:56])
"You'll start to see the light bulbs go off when they realize this isn't a technical thing, this isn't an IT issue, this is a business issue and it's a business risk." – Graham ([26:29])
"It's not too late. Start taking it serious. It's going to hit you. Right. The experts say it's not a question of if, but a question of when." – Graham ([34:06])
"If they're putting your company data in there, and chances are they are..." – Jim ([36:06])
"With the browsers... malicious scripts and prompts... could prompt the engine to do exactly that: harvest email, harvest data." – Graham ([37:39])
"I'm excited to see where [AI] can go, but it has to be done correctly. It gets back to the old Tandy TRS 80. I'm still a technology junkie. It's just a new form." – Graham ([40:18])
| Segment | Timestamp |
|------------------------------------------|-------------|
| Graham's early tech journey | 01:31-02:24 |
| Transition to security | 04:14-05:10 |
| SMBs waking up to real risk | 07:29-08:29 |
| Incident response & supply chain risks | 08:47-09:34 |
| The value and process of tabletop exercises | 10:01-11:42 |
| Insurance: pitfalls and best practices | 10:44-11:13, 18:57-19:21 |
| First steps in consulting engagement | 14:27-15:05 |
| Business vs. technical communication | 16:26-16:51 |
| Tabletop exercise stories | 23:03-25:36 |
| Recovery tale (immutable backups) | 28:44-29:54 |
| Advice: Always take security seriously | 34:06-34:56 |
| AI and emerging risks | 35:19-38:29 |
| Looking ahead, growing security maturity | 39:16-40:18 |
This summary omits podcast advertisements, introductions, and outros, focusing purely on the substantive content provided by Jim Love and Graham Berry in their own words and tone.