Today on The GDPR Series podcast, our focus is ransomware – cyber security AND data protection! I chat with a well-known figure on the training circuit and cyber security expert about the current ransomware landscape and how he got into data protection work. Yes, it does involve managers reading employee emails. Heads up: he’ll be one of our Serity support consultants! Listen to find out more.

Our guest today is Liam Lynch who prides himself on keeping security simplified and training fun!  Yes, fun cyber security and data protection done excellently.  Liam was really involved in the GDPR Awareness Coalition and still hosts some great infographics on his site.  Fact – I met Liam for the first time in a Centra (inside joke).  Liam is based in Tipperary and Limerick and can be found at https://www.l2cybersecurity.com/

In this episode, Liam reflects on his journey from cyber security and the tech world into sharing his knowledge with us through GDPR data protection training.  We discuss dealing with data subject rights requests, CCTV footage requests, backups, TESTING your backups, and other interesting matters!  If you need training, consulting or audit done, give Liam a call or drop him an email!

Tel: 087-436-2675
E-mail: info@L2CyberSecurity.com

Interview Transcription:

Philipa Farley 0:01
Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests and we hope you enjoy listening along with us. Hi Liam, thank you for joining me on the call. I really appreciate the time and it’s great to chat to you. Yeah. So do you want to tell us a bit about yourself? I’m going to share the screen before you start here. So we’ve got your website up on the screen.

Liam Lynch 0:42
Yeah, so thanks for arranging this, Philipa. So, as you said, my name is Liam Lynch. My company is L2 Cyber Security Solutions. I am a cyber security and data protection GDPR trainer and consultant. I have been in business since January 2016. So it’s just over four years now. And my main, I suppose, focus, my main way of doing things for my clients is: I keep it as simple as possible. Yeah, so therefore my maxim is “security simplified”, so you’ll, you’ll see me use “security simplified” absolutely everywhere. So, I take, you know, the kind of scary technical topics such as, you know, cyber security, and boring legal subjects like GDPR and turn them into, you know, simple plain English that anybody can understand. So, that’s, that’s the main focus of my business. A bit on the side then would be business continuity planning and security risk assessments for clients, the small business clients that are unsure about their, you know, that their security of their IT setup, I can go in and review it for them and make recommendations, etc. And I also then produce plans for disasters, such as fires, floods and ransomware, which I think we might discuss later.

Philipa Farley 2:24
Yeah, absolutely. We’ll discuss it. I’m just gonna open that up here. It’s ready. Like what we’re trying to do with this series of chats, Liam, is get the message across that it’s not huge, and it’s not scary. And, for the most part, people know their own businesses and they know their own spaces, and they just need to get going. They need to start somewhere, wherever that starting point is, whether it’s with a privacy policy or notice, a data protection policy or notice, or whether it’s with the security side of things. You know, those will meet in the middle at some point, when you do your GDPR compliance, you’re naturally led towards cyber compliance. When you start your cyber compliance, you’re naturally led towards the data protection compliance. Yeah, yeah. So, we shall discuss somewhere, definitely, because I would like to cover that, but just so that people kind of get an idea of your background here, I sent you a couple of questions and we can just chat through them very quickly, before we start the real meaty discussion. Where would you first have come to grips with data protection and GDPR? Like, when when was that that moment in time when it kind of sort of hit you in the face and you kind of went “wow, okay. We need to do this now.”

Liam Lynch 3:42
Yeah. Well, my background was mainly in infrastructure – IT infrastructure in corporations – but I always had a kind of a deep interest in the security side of things. And of course, on the security side, you know, it incorporates data protection. But I was also reading, doing a lot of reading of security newsletters and articles. And the result was a bit of a privacy aspect to them as well, you know, people having their identities stolen. You know, particularly, over in the States back in the 90s, this was happening quite a lot. So, I was always kind of interested in that aspect and the, you know, in Brooklyn and certain companies, there were certain, I suppose, managers that had, they used to insist that they have access to their team’s email boxes, so they could actually read and make sure that they’re not using the email for personal purposes, they must only be using it for business purposes. And, you know, there was one manager who was particularly strict about this and he had like 15 staff. So, he was reading 15 staff email boxes. And I was thinking that’s, you know, that’s, that’s wrong. And you know, and I looked into it at the time and yeah, he was kind of breaking the law because he hadn’t told them anything about it. They weren’t aware that he was actually reading their mail. And, you know, he was horrified about it. So, you know, so that kind of was where I was really, kind of, I suppose, interested in looking into these things. And, you know, I tried to just look at the law and figure out, you know, that yeah, he was kind of breaking it and we had to make changes. So, that’s where I always had the interest and then, when I struck out in 2016 and set up L2 Cyber, I had at first focused on developing my cyber security awareness training, which is the best training in Ireland, of course. And it has improved several times since.

But, that was my first focus. And that does say that that took me up until, you know, to have a proper detailed training programme developed in that took me up until about August, September. And that’s 2016. So, kind of back in April, the GDPR was rolled into the EU law. So, I knew this was coming. So I, then after I completed the cyber security training, I decided I’d look at the GDPR training. And I was looking around, doing some research and of course, my first port of call was to the Irish Data Protection Commissioner’s website, which had, you know, barely a mention about this GDPR thing at all. I think it was maybe one or two newsletters or news items about it. So, I made inquiries to the Data Protection Commissioner’s office. I sent them an email asking for details. I got a response from them some weeks later to say “thank you for your enquiry, here’s a link to the GDPR legislation.” Yeah. So yeah, very helpful. And I suppose they did kind of answer my, my question. But then I started looking at this thing and like, I’m not a lawyer. Yeah, you know, and I know you love that kind of stuff. But I looked at as I went, I started reading and I start falling asleep. Basically, I just really struggled with it.

So, I was highlighting and writing notes, and tagging, yeah, and going “What does that word mean?” And you know, I found it difficult. You know, I had to read and reread things to truly understand what it was meaning, and I just found it a great struggle. So I then went, did a bit more research and I found the Information Commissioner’s Office in the UK, its website. And that was full of very easy to understand, very easy to use and digest information, which I found was much, much more beneficial than obviously the link that the Data Protection Commissioner’s office gave to me. So I then, around that time in late 2016, I happened to bump into a lady called Molly O’Neill, who was compliance consultant for regulated entities for mortgage brokers, insurance brokers, etc. And I just bumped into her, we just exchanged business cards and thought nothing more about it. And, a few months later, in early 2017, she contacted me and said, you know, hey, I’m going to do this, I’m going to do this presentation to some of my clients in Galway, and there was a kind of a cyber security aspect to it because the Central Bank had issued some guidelines for regulated entities. So she asked me would I do something on that? And I said, sure. And she mentioned she was also going to cover things like anti money laundering. And then she mentioned that data protection though, she was talking about the old Data Protection Act. And so I said, Yeah, sure. And you’re gonna include this GDPR thing? And she said, “Oh, yeah, we probably should, because that’s coming down the line.” So I said, You know, I told her, I’d been doing some research on it, you know, and I’m happy to speak to that as well. So, that was that was pretty much it then, and we got together we did up the this this session for these clients of hers in government, and we went ahead and did the session and it was a great success.
So we then kind of met afterwards said, you know, maybe we should take this bit harder, you know, this, this GDPR thing is now it was like, just over 12 months away from coming into law, and she said, “Yeah, let’s develop something.” And I was going well, I tried to read this GDPR thing and I could make no sense of it. You know, she was actually a qualified solicitor. So I said, “Would you mind translating it?” And she said, Sure, so she went away and translated it into English which was a great benefit to me because then it was easy to break it down, and I was able to then scope it out and put it into different sections, which made sense because I’d also had recently qualified as a Training Development and Evaluation, which is a trainer kind of certification.

So, with the English language version of the GDPR from Molly, then I was able to turn that into a plain simple English training material, which is what we we developed and started to roll out. But not only, but around that same time when we kind of had met up. There was also an initiative started by Gary Connelly, of the data centres of Ireland, or Data Ireland, or Hosting Ireland, sorry, Hosting Ireland. And they had set up and formed this GDPR Coalition, which was, you know, not for profit. It was a gathering of observers, it ended up with over 100, I think 120 companies, who were just spreading the awareness of GDPR across Ireland, throughout the remainder of 2017 and into 2018. And they did this with and through the medium of like infographics.

Philipa Farley 12:02
Yeah, it’s amazing. Like that I came across it and I was like, wow, the effort that went into all of that, that’s that’s how we met. Okay. Thank you, you guys, you’ve done such an amazing thing here, you know, really helped so many people. Yeah.

Liam Lynch 12:19
So it was, yes. That was a great initiative and like we were doing these infographics that were always like six point, simple, easy to digest infographics and, I say one thing I love is keeping things simple. So I was involved in the creation of quite a few of those infographics. So um, yeah, you’ll find them in my GDPR section.

Philipa Farley 12:47
Like just sadly, so that people know that the coalition kind of, when did you guys shut down, like last year?

Liam Lynch 12:54
Yeah. It formally finished at the end of May 2018. There’s one of the infographics, it was at the end of May, they waited until the Tech Connect conference in DRDS was starting, and just all sorts of meetings last Thursday or something in May. So and they they finished it then. And in fairness to them, they still any inquiries that come in on the GDPR coalition sites for like five or six months afterwards any inquiries that came through, angel from monster or I was central to meet myself. And yeah, so that was a great grouping to be involved with. So

Philipa Farley 13:38
Yeah, so yeah, like you, Liam. What amazed me about like getting to know you was that you know, you could really easily have kind of just stuck with cyber and tech stuff, and not bothered with this like, yeah, I’m not gonna; this is not an accusation by kind of by any means, but a lot of the cyber guys are very comfortable in their space, they don’t want to, you know, cross over into the data protection slash privacy space because, there’s, I think, a lot more humanity there and policies and procedures and, you know, standard operating procedures business stuff, where, like lots of a lot of us have a comfort zone in tech. So I think it’s, it’s great how you came over into the space and made it so simple and easy to understand. And fun. Yeah, you know,

Liam Lynch 14:35
yeah.

Philipa Farley 14:39
Oh, yeah. So, these are, these are these are going to stay up on your site. You’re going to leave them here so people can come and have a look.

Liam Lynch 14:46
Of course, yeah.

Philipa Farley 14:49
So cool. And just so that people know if you follow Liam on Twitter, is it on your personal account, the L2 Cyber Account? You put up your video tips. They’re fantastic, you know, short little bite-sized videos on different topics. I enjoy watching them and sharing them. Because I really don’t like doing videos.

Liam Lynch 15:12
What are you doing here?

Philipa Farley 15:16
Having a chat with a mate! Okay, so the impact on you personally of your GDPR or with your understanding of the law, like, have you got a personal story to share because like, I’m quite cheeky on my Twitter where I try and keep it as anonymous as possible. And like I say, this happened to me today. I mean, our life insurance for work, you know, the business, that was seven months of drama, you know, that’s over, but like I very much done in principle and I go, okay, this isn’t right, and I’m not going to go with it. So people know that about me like, do you have a story where, like the GDPR directly impacted your own personal life?

Liam Lynch 16:03
Yeah, it was nothing as elaborate and scary as what you had to go through. But, you know, like I love the way the GDPR has helped, you know, particularly in the one particular aspect, I suppose, of data subject’s rights, and that’s in relation to getting your data in an electronic format. You know, a portable electronic format, because in the past I have tried to when I’ve requested my prescription for my glasses, yeah, from a certain High Street chain. They’ve always provided it in a very poorly written, you know, kind of scribbled writing on a card. Which is, you know, effectively unreadable. And you know, you could never truly, you know, you have to say, you know, was that something else, is that a zero? Or no or whatever, you know, it’s just difficult to read. So I actually waited until the GDPR came in and gave it a month or two, and then I put in a request – I was also kind of busy at the time running around the country training people. But anyway, so I put in a request anyway to get my prescription in a readable format, electronic readable format. And the company’s Data Protection person did respond within a couple of weeks and just to clarify what I was looking for and why. And I said, you know, that’s fine. They went away and I heard nothing. So I gave them up to the thirty days, I said, you know, by the way, you’re reaching the time limit here. And, you know, if I don’t hear back from you within a couple of weeks, you know, I might need to make a complaint. I think I think I might have given him one more, you know, kind of said, here, listen, I’m gonna give you another couple of days, would you mind? And then without a response, I think I’d given them over two weeks. So it was like into like 45 or 46 days after the initial request. I popped a report of an issue into the Data Protection Commission. And, lo and behold, two days later, I get a response.

Philipa Farley 18:41
Yeah, you know, and on that point I got, I’ve got your thing up here for this right. Particularly, it says: “You must respond without undue delay, and at the most in one month. This can be extended by two months where the request is complex, or you receive a number of requests.” Like, we’ve done as sort of like little unofficial survey amongst a bunch of independent consultants, okay. And I shall continue it with you, Liam, and ask you off the top of your head: Has there been a flood of data subject rights requests in the last two years?

Liam Lynch 19:23
I probably wouldn’t think it was a flood. I certainly have heard some people I’ve been training they’ve mentioned they’ve received requests where they never received them before.

Philipa Farley 19:37
But they can handle. Let’s just let’s just use that kind of terminology. Manageable handle. Yeah.

Liam Lynch 19:45
I would think so. Yeah. Don’t think it’s been an absolute flood.

Philipa Farley 19:50
So let’s go back to your example. How do you sit for nearly 60 days, just not responding?

Yeah. And that is your function in life to respond to these things, you know. And like, for me, I really do kind of let the string get pulled longer and longer and longer and I just I wait, because sometimes, there’s some days where I feel like it’s very unfair of me to sort of unleash the the professional side on somebody who’s possibly overworked, and not equipped correctly to deal with this. You know, I try and understand, but then there’s some instances that you just go like, come on, guys, you know, can you please just actually just do this now? You know? Yeah. How do you balance that up? Like, in these situations, it’s very difficult.

Liam Lynch 20:44
Like in the case of my requests, like that should have been something going, right. Here’s a person’s name, address, date of birth, print a PDF and get it off to me.

Philipa Farley 20:55
Not difficult. Yeah. Yeah. So you know, it’s…people say to me when I’m like, I’ve had a couple of sort of not interviews, but yeah kind of interviews recently and they say, people think the GDPR is a bad thing. Do you think it’s a bad thing? And I’m like, no, it is a good thing. It is a good thing, because of stories like this every single day, you hear stories like this, and it’s, it’s more about the accountability and the transparency for me, you know, and the fact that people actually know now they can, they can know, you know, but you do still have walls, like thrown up in your way, you know, on the way to trying to find out and I think that’s what we try and break down, I suppose, as professionals in this space.

Liam Lynch 21:39
Yeah. Yeah. And that is the really important thing from my understanding of the law is it really has put control of people’s data back into their hands. Definitely.

Philipa Farley 21:49
And they must exercise that control, people must exercise that control and organisations and businesses must be ready for that. You know, it’s not it’s not a personal vendetta. A lot of the time sometimes it’s just really somebody needing something, you know?

Liam Lynch 22:05
Absolutely, yeah.

Philipa Farley 22:06
We’re trying to just understand something.

Okay, so the third question I sent you was, and obviously, we’ve kind of discussed it already is where have you seen opportunities for your own business in the context of GDPR. So, you know, would you like to say something about that?

Liam Lynch 22:23
Well, like I’ve done, I said I was running around the country quite a lot in 2018, doing lots of training and that, you know, when people receive the training or they have kind of gone away and got their businesses ready or their organisations prepared and ready for the GDPR themselves. In a nice handful of cases. I was called in, because they were so happy with having received training that they could understand and they actually knew a bit more about the GDPR day, but they still would prefer to have somebody who actually…

Philipa Farley 23:00
Yeah, it takes time out of their day to do – we were chatting about this yesterday. The time-cost calculation. You know, like 20 to 30% out of somebody’s day who isn’t equipped in terms of, you know, trained or has experience in the field, that’s how much time they take out of their normal tasks, to do the portion that’s been delegated to them. It’s a real time cost to businesses. So this is not me trying to sell consultant services at all, it’s me being absolutely realistic. You know, this is my area of expertise, it’s your area of expertise. You do your business, I’ll help you do the bit that you’re not used to doing, you know, it’s as simple as that. So you can kind of fast track it and show them where the very risky areas that are pertinent to them lie, you know, and and how to how to cover those gaps. For me, if I can make a comment on, you know, where you’re so different from from others, is the humour that you bring to it, but not funny haha humour, you know? Yeah there is but like it’s it’s just making it realistic for people, Liam, because this morning like when I was talking about data breaches I think I said you were talking about the big ones like Marriott and you know Travelex and Equifax and Ashley Madison, and like they’re these big massive data breaches but no like, guys, that’s not that’s not everyday reality. So I think it’s nice to have people like you around who make it real, you know? Yeah, yeah. Exactly, exactly. You know, give it context there. Okay, so you deal with businesses, you’re B2B sorry, B2B, you deal with businesses. I’ve been chatting to a couple of people who deal with actual consumers, you know, B2C, you’re B2B. So, where would you see opportunities for your customers or clients, like just one or two small examples like that have done their compliance as an encouragement to others to do it, you know?

Liam Lynch 25:12
Well, there was one client, I think, he was quite possibly my first GDPR client, who I landed in 2017. And that was actually from a business networking group that I was in, in Limerick, and I got a referral there and I got talking to this gentleman. We worked anyway and gave them some training. We did some consultancy for them. And they were kind of an online platform. I won’t cover whatever business they are in, but it was an interesting one on right but we did. We got their GDPR policies and procedures and stuff in place and you know that, kind of, by about September or something 2017 they were pretty much ready to go GDPR wise. And then they had a tender, big client in Europe went out to tender. And one of the things your man he sent on to me, he said, you know, develop these questions about the GDPR which, you know, they were able to, my client was able to address you know, directly. And when they won the contract, they went to meet the client and start the project up. And they found out, that two of my client’s biggest competitors are these are big international companies just had nothing for the GDPR; they weren’t ready for GDPR back in September 2017. Whereas my client was, and he got a fine big contract over that.

Philipa Farley 26:53
Yeah, amazing. Yeah. Yeah, no, and that’s that’s it. Liam like, people don’t want to take your risk onto themselves when they do business with you. It’s as simple as that. They don’t want to be tied into a relationship with you where you’re going to cause a problem for them down the line. Yeah,

Liam Lynch 27:13
Exactly. Yeah.

Philipa Farley 27:14
Yeah, the supply chain effect has been interesting. Okay, so positive story. You just shared a positive story. That’s a very positive story.

Liam Lynch 27:24
I’ve got a doozy one. Yeah. Yeah. It is kind of a funny one as well. And I love telling people this. There was a not for profit organisation down in Kerry. I was doing some training for now. They had three locations in Kerry, and have a number of volunteers and a number of staff. So, the way they wanted the training done, was I was going to train in two locations: a morning session, in one place an afternoon session, in another office. This was kind of a very basic introduction to GDPR for the volunteers and staff. And then the following week, I was back down for a morning session again for staff in this was in Killarney, and we had a morning session again for volunteers and staff there and then the afternoon session then was going to be a much more deep detailed, deep dive on policies and procedures for the staff. And this involved know they brought the staff out from the other two locations for this afternoon session. So I did the training and I recall that when I was going into the first location on the previous week that I’d seen CCTV cameras up outside in the public area and inside the public areas of the premises, so I made sure to bring up and mention how they should be handling that data. Make sure that you know nobody is able to get access to equipment etc and how to handle your requests. Yeah. So I passed on all that advice, anyway. And then the following week as I as I mentioned, I was in the afternoon session then. And like I had literally just started the session and one of the ladies from that four sessions stood up and said “Geez, that training you gave last week was wonderful, particularly about the CCTV.” Wait, what happened? And she said, “well, the day after the training, a detective arrived on the premises and said ‘may I review your CCTV footage, there was an incident last night. I would like to see if there’s anything picked up on your cameras.’ So they brought him to the DVR and they left him alone.”
So he was there a few minutes anyway, and he went to leave the premises and he was saying goodbye to the to the lady and says, oh, Thanks for that. I got the footage. I have it here. I’ve got it on my USB stick. And she stopped him.

Have you got, and this was now before the GDPR was a thing, so it was called the Section 8 letter which as you know is the letter that a guard needs to produce from a superintendent to get it to a data controller to basically gain permission to take, to remove a recording from the premises. So, but detectives have never needed to do anything like this before and I’ve come and get the footage you just give it to me. And she said, no, no, we’ve received a training and this man was there and he was telling us all about this and you must produce this letter from your superintendent. And what I got really worried about was he didn’t say: “Who is this man? What’s his name? Where’s he from?” Jesus I’m gonna get arrested. No, next anyway, so no, she stood her ground and she said she took the USB stick off him, and he went away muttering but he came back three hours later. Much humbled and he said, Jesus, I went to the superintendent and he said, yeah, you need these letters to get CCTV footage. And here’s one, so he gave him one and he said none of the rest of the team down there were aware of this requirement. Yeah. And so much, ya know, she was delighted with herself and she even brought in the Section 8 letter to show it to everybody. And this is what you need to look for your footage. Yeah. That was a that was good fun anyway. And I haven’t stopped since so.

Philipa Farley 31:45
You’re not on a list, Liam. Not at all. You’re a troublemaker, down there in Tipperary. But you know what, it’s, it’s it’s correct. And like, this is what I was saying earlier about standing on principle because, you know, it must be done properly, like it must be done properly. We’re all accountable at the end of the day. So, you know, that’s fantastic. It’s really good. Yeah. I’m going to share one story on training because, like, I know that you love the training, it would not be my my favourite sort of area of focus when I’m doing compliance work. You know, I really love the more the paper side of things. I do enjoy doing training in specific circumstances, but it would not be my focus, but I had a client that I signed off and – it’s happened a couple of times – but this specific one was really interesting. We signed off a job that was posted about five or six months in total, you know, it goes sometimes take that long to get through various aspects. And, one of the things that we had done was, we had recorded training PowerPoints, you know, the ready, bloody boring way of training guys, you know, voiceover PowerPoints, everybody wants our awareness training just to get it done and out of the way. Yeah, no, I know.

Yeah, exactly.

But to give this company credit, they took their training and they did a session, you know, she, HR manager session with everybody. So it wasn’t just literally like planking people. You know, she made them watch it. And they had a whole week, a whole week of awareness that she ran, she did herself, she ran posters around the place, you know, tips by email, that kind of thing. Not even two or three days, it was less than a week, Liam after we signed that job off that I got a phone call. We have a data breach. Now everybody says we don’t have data breaches, until they have their training right? Because then they actually realise that they do have a data breach. And I was like, okay, let’s go through it, explain what’s happened, and we’ll we’ll go from there. So they explained sorry, calendar notification there. They explained what had happened. And very simply, one of the staff members recognised the fact that an email was being sent out of one of their systems to an email address that nobody recognised. So really, it sounded absolutely off. So I was like, okay, go to the vendor, the software vendor, tell them to send you the logs when address was changed, and who changed it. Within an hour, Liam they had information and it was a contractor of theirs who was under contract. So they had received email with personal data in that they were entitled to receive, but the contractor had changed their business name, changed their domain name, changed their email address, the check and balance that’s missing is the fact that there wasn’t a verification step. My client, the business should have said, yes, we verify this change, you understand, like a change just be made on software. But the fact that one of her employees looked at the screen and went, that’s an email address I don’t recognise, I need to tell somebody. Yeah, that’s that. Yeah, that’s the difference that we’re kind of, we’re looking for, you know, training is not boring.
It has a real, real, real change effect in a business if done properly. And I would really, really encourage people to get in touch with you, because I think your training is of that kind, you know, where you really personally pay attention to people in their different contexts and, and that change can happen where people know what’s going on. Yeah. So one piece of advice to potential clients of yours. What would you tell them?

Liam Lynch 35:54
Yeah, well, you know, when you’re looking at the GDPR, it looks probably really, really big, there’s a huge amount of stuff to do, you know, you might even look at it like it might be like this big elephant, or maybe an elephant in the room. But, you know, how would you how do you eat an elephant? One bite at a time. Yeah. So, it’s just a case of just getting in there, you know, getting a consultant, like yourself and myself. And, you know, we can step you through it. Is there some tool or something we can use for this? Hehe, like Serity.

Philipa Farley 36:31
Yeah, yeah. The people that made it are just wonderful. That’s exactly why that’s exactly why we made it so people can see the scope of it because it’s not just this never ending painful thing, you know? Yeah. Easy. You can do it. Just do it. Yeah. Yeah. Just pick a point, start and get it done. So now, the real meaty discussion that I’d like to have with you for the next sort of 10 minutes, because I don’t want to take up too much of your time. 10, 15 minutes is the actual real impact of ransomware on Irish small, I said small business bit more like the S and Ms of the SMEs, you know? Yeah. Because I think the Es in Ireland have a bit more resources to put towards managing this this type of thing. But the real impact of ransomware on Irish small business. I sat on a panel a week ago, two weeks ago, whenever it was, and one of the questions that was posed to us to prepare beforehand, I don’t think I was directly asked the question was, what is the biggest danger that you… what would you think the biggest danger to business in Ireland is, smaller business in Ireland? And my answer would be ransomware. But a different answer was given which was quite interesting. I won’t say what it was, but ransomware definitely, I believe, has the potential to have the biggest impact on small business. So, would you like to give us your thoughts on that, Liam, because I know that you do know this very well.

Liam Lynch 38:13
Like, the whole kind of ransomware thing you know, when, you know, it’s obviously been around for a long, long time. But, you know, it initially peaked, there back in 2017 when we had the WannaCry and NotPetya, and then it seemed to tail off because crypto mining became fashionable and lucrative because Bitcoin was a stupid price at the time. But, that then dropped away. So ransomware has started becoming much more profitable. And they’ve been really, you know, going after big fish like, particularly in the US. They were targeting a lot of healthcare providers who usually used a similar kind of a certain, managed service providers, you know, IT support companies, that they would compromise the IT support company, and then they’d be able to reach into all of these healthcare offices and companies. They also targeted a lot of municipalities. Yeah. So that was very, very profitable for them there, and then at the end of 2019 and as we came into 2020, there just seemed to be so many, so much of an increase in ransomware, particularly the likes of REvil, or Sodinokibi as it’s known, and the really scary one, I would say from a data breach perspective, though, of course, you know, any ransomware impact or incident is considered a data breach. But, the Maze ransomware, where they steal the data before they encrypt it, and so they now have a copy of your data. And, they will then, if you don’t pay the ransom to decrypt your data, they’ll just post it online. And you know, you definitely have a data breach then on your hands, which will be deeply embarrassing. So, this is the kind of environment that is really going to be badly damaging for, you know, any kind of small business because if they’re not, if they can’t prevent their data being leaked, like we all did, they could have not only, you know, their systems shut down because of ransomware and then they’re down for weeks on end.
But, you know, they could then potentially end up with maybe a fine from the Data Protection Commissioner.

Philipa Farley 41:04
Okay, well besides civil action, like, if it’s your health data or whatever, you know, your full insurance records that are sitting online, you know, you’re not going to be happy about that. Yeah,

Liam Lynch 41:16
Absolutely. So, you know, all these things could impact on a company like a small business. Unfortunately, in my first year I was in business, I had a former colleague of mine from a previous job. Anyway, I was in the cyber security game and she rang me up. At that point, she had been four weeks down because she had all of her data up in the cloud, in some weird storage provider that I had never heard of before, and I’ve never heard of since. But, her IT provider had recommended she use this group, it got hit with ransomware, she opened that document and checked “enable macros” and you know, everything, and all her data was gone. And they struggled, they couldn’t get their data back. Even the backups they had were unrecoverable. And she went out of business two weeks later. Absolutely everything over there, like so. You know, this is where I always say to people, you don’t put all your eggs in one basket, you don’t just trust the cloud, because people say it’s secure, you’ve got to make sure it’s secure. You’ve got to take these extra steps. And so and, you know, in one of my recent videos, I talked about having data backups, and you know, obviously, these are things, if you have good data backups, you will be able to recover from ransomware.

Philipa Farley 42:50
Absolutely. And, and backups in in different formats. Yeah, yeah. In different places, as well.

Liam Lynch 42:56
Yeah, offline, offline, offsite. And, you know, on a hard disk or on a backup tape or, you know, all different formats of different locations. And the other thing is to make sure they’re tested, this is critical, they have to be tested. So if you have an IT department or an IT service provider, you should challenge them to tell you, to provide you proof that your backups are working.

Philipa Farley 43:22
Stand there and say, put it there on a fresh install of whatever it is we’re using. Show me that you can get it working again.

Liam Lynch 43:30
Yeah. Yeah. And this should be all part and parcel of the service they’re providing. Because when I when I did it in the corporate world, this was, you know, our IT department. This was our job. This is our responsibility we had.

Philipa Farley 43:42
Yeah, yeah. Yeah. Yeah. And you had a timeframe within which to bring the system up. Yeah. You know, so like, if you go back to when you were discussing your services, you talk about disaster recovery, you know, business continuity type documents. For a smaller business, like it’s not a huge task to come to somebody like you and say: “Can we do this process where we develop our disaster recovery business continuity plan, you know, and work out a plan that’s bespoke to us? These are the systems we’re using.” And we can judge roughly, it’s going to take a day to bring it back up, it’s going to take half a day, a couple of hours, whatever it’s going to take, you know, and actually go through the exercise with you, because the cost of doing that is infinitely less than the cost of dealing with an incident like ransomware and losing your entire business, because that’s the reality of it.

Liam Lynch 44:34
Exactly, yeah. And, you know, then you’re okay, that’s you’re backing up your data from your ransomware, which then, as we mentioned, we have this situation with the Maze ransomware, where they get in and steal your data before they encrypt it. And, your protections there, you’re going to have to have, you know, proper, you know, keep everything of course, keep everything as up to date as possible. Like we had the Travelex issue in the UK, they were using the Pulse Secure VPN, which had a terrible, terrible vulnerability. And that’s how they logged in to the perimeter of their network. They were wandering around for weeks on end.

Philipa Farley 45:19
In teams we’re currently looking at these four bad password practices. Like, how many people are using TeamViewer?

Liam Lynch 45:29
So all these remote access things, you got to make sure they’re fully secured and updated. And you know, in bigger organisations, you can have things like data loss prevention, and things that have pushed smaller business you just got to make sure you have a firewall in place, a good, maintained firewall, antivirus, anti malware…

Philipa Farley 45:51
2-Factor Authentication where possible, Liam?

Liam Lynch 45:53
Oh, yeah, absolutely. Go on. Unique passwords for every application, long and strong. So use a password manager folks.

Philipa Farley 46:04
Yeah, OnePass, LastPass, etc.

Liam Lynch 46:06
Yep, all these things, they’re all absolutely essential nowadays for keeping your data secure. So you know and still look, you know, we ourselves are all small businesses, we know what a small business faces. So, you know, you know, we can talk the talk of a of a small business owner, and, you know, we know what they’re facing, we can help.

Philipa Farley 46:31
Absolutely. And like we had this discussion with one of the others on the chat, you know, we’re in business to make money. You know, we’re in business to stay in business, because we have those skill sets that’s desperately needed. And we would like to share that skill set with many more people than would get the benefit other than if each of us went to get a job. Because if you went to get a job, your skill set would be lost, the access to that skill set would be lost. If I went to get a job, the access to my skill set would be would be lost and and a couple of the other consultants I’ve chatted to, we’ve had this discussion because I think there’s there’s this perception out there that you know, we charge a lot of money or you know, you’re too expensive or how to justify that cost or whatever. And actually, you know, no, it’s not that what is, what is your business worth to you? What price tag are you going to put on your business, because, you know, you put up your CCTV cameras, you put up your alarm systems, you see where I’m going with this, you have your insurance for your vehicles and your goods and whatever else but there your computer is sitting with a big fat welcome, you know, the door is open sign on it. So I think it’s something that people really have to consider. This is now an actual cost of doing business. And you know, you mentioned Serity, and I’ll say it again, we made Serity to lower the cost of compliance, please use it so that you don’t have to spend that money on the initial benchmark. Yeah, call us in to do the actual, you know, works on your on your gaps and get you compliant, you know.

Liam Lynch 48:16
They can take Serity themselves and do the questionnaire themselves sort of, for the simple cost of of the license first, and you know, then if they do if they do want help after that…

Philipa Farley 48:28
And this is really not a Serity sales piece, this is like, this is just an actual example of professionals getting together and saying, you know, we understand, we completely understand that there’s a cost factor to this, but we don’t, I don’t want to see in County Cork, North Cork, I don’t want to hear that the business down the road has shut down because of ransomware, you don’t want to hear it in your community. We do not want that to happen because, you know, it shouldn’t. It shouldn’t. I feel very strongly about it. It shouldn’t.

Liam Lynch 48:59
Absolutely. And like, you know, one thing I am is, you know, if somebody has me in for their cyber security, I’m prevention. You know, I’m there, everything I do for you will prevent this from happening. So you don’t have downtime, or if there is downtime, it’s minimised. You know, it can all be done.

Philipa Farley 49:22
Absolutely can.

Yeah. So we hope people like hear the plea, because it is a plea. You know, please get your house in order, please, please pay attention to these things. It’s been two years since the GDPR happened to everybody. Now we are heading for two years now. Let’s say the hype died down very quickly. I can honestly say, I don’t think it did, because it got very specific very quickly, in a lot of spaces. But I think that there is a general waking up to the fact that oh, you know if we don’t do our compliance, the security is compromised and there’s, you know, there’s gaps and holes there you know. And there’s a wider awareness also like of the supports that are in place, you know, in which you call them organisations like Cyber Ireland are very good and here to stay, so, yeah. Like, there’s good newsletters to sign up to like yours and following you on social media is fantastic. People should, people should do that, Liam, they should because it’s just short bite sized, as I say, it just keeps it you know, kind of at the top of your mind and we need to be mindful of good practice. Yeah,

Liam Lynch 50:38
Yes. Like if you go down to the bottom of the homepage, on my website, there, underneath the About Us, there’s a link to all my social media from myself. Oh yeah. There’s all the L2 Cyber ones as well. So I’m all over the socials.

Philipa Farley 51:05
Yes, yeah. There’s some fantastic videos here.

Liam Lynch 51:14
And if you’re not, if you’re not on any of the socials, you can also get them and I post them as a weekly blog on the website as well. So I put Funny Dog memes as the thumbnails. They’re kinda cute.

Philipa Farley 51:31
Yeah, I think people people maybe underestimate our need for emotional support dogs.

Liam Lynch 51:38
I have three beautiful dogs myself.

Philipa Farley 51:41
Yeah. I just don’t. I don’t tell the young the young one that when she goes to school I just I use her Corgi as an emotional support dog. She would be very cross with me.

Thank you so much, Liam, for chatting. It’s it’s been really great. Yeah. And again, I really hope people get in touch and just follow and listen, you know, and and learn a bit. Yeah. Anything else you want to say before we disconnect here?

Liam Lynch 52:13
Just thank you for the chat because it’s always good to have a talk about these things. And yeah, good people were, you know, we’re out there. We’re available. Yeah. Yeah. Yeah. Thank you so much. So thanks for that. Philipa take care now.

Philipa Farley 52:31
We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe, find us on social media, we would love to have a chat.

Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy.  With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide.  Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher and also holds computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualifications. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person that enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.