Transcript for:
Cyber Crime, AI, and Protecting Your Firm

good afternoon everyone I'm Chris Rogers and I'm the director of research here at the SRA and I'd like to welcome you to the virtual conference session on cyber crime understanding Ai and protecting your firm in this session we'll be looking at the potential for AI to increase the risks associated with cyber crime and the way this is going to work is that we'll see a recording of the presentation from our session at the compliance officers conference which took place a few weeks ago however we do want this session to be as interactive as possible so we'll then have time after that for a new and Live question and answer session to ask questions you will need to click on the link below this broadcast and then submit your question to us now it's always great to know your name you can submit questions anonymously if you'd prefer to do so and I for one look forward to hearing the expert panel answer those questions from you but without further Ado let me reintroduce the panel the experts who are here with us today we'll then jump onto the recording itself and that should last about 30 minutes so I'm joined on the panel once again by a number of experts in this field I am joined by Dr Tom Wood who is the lead data scientist here at the SRA he's at The Cutting Edge of our work with AI and machine machine learning I'm joined by Natasha cromby who is a detective Sergeant with the city of London Police she's working within the national fraud intelligence Bureau and I'm joined by Rowan Troy who is a senior cyber security consultant at littlefish UK limited an organization who specializes in providing cyber Security Solutions and with that let's begin the video of a session um so let's start with a really important question and one that we're asked a lot here at the s ra what do we what do we mean when we say Ai and then we'll explore how that's related to cyber crime in particular well I'm going to hand over at this point to Tom our lead data scientist and he will explain 
cool um so yeah as we said we thought it'd be useful to kind of introduce this session or start the session by talking about what actually is AI it's in the news all the time at the moment but lots of people and I supect lots of people in this room don't actually have a clue what it is how it works underneath the Hood um so that's what I'm here to do and I I guess I'll start by saying what AI is not so forget Isaac Asimov cyberdine systems and the Terminator the robots aren't coming to steal your jobs I promise uh AI in its current iteration is literally just a fancy name for statistical modeling it's a slightly glib statement maybe maybe biased by my background in statistics but it's true uh and it is already ubiquitous AI is everywhere we all use it every day every time you're on a zoom call or teams call and your camera Auto focus is if you spell check uh you're using AI every day these days um now when you signed up I'm not sure if they told you but there is a little math lesson involved in this session I think we've locked the doors so you can't leave um but to explain what AI is we need a little bit of maths so I say it's just statistical modeling what do I actually mean and essentially all of AI boils down can be boiled down into one of two types of kind of overarching types of statistical model uh the jargon for these in data science is unsupervised and supervised learning models but the delineation basically comes from what we're using these models to try and do so unsupervised learning models are there to spot patterns within data whereas supervised learning models are there to predict the future in inverted Commerce because it's just the future in terms of the data that we've seen before rather than necessarily the temporal future so to show you what these look like we've got some I've got some plots to show you so let's pretend that we're a law firm and we're looking at the matters we've worked on over the last let's say six months so every circle on 
this plot is a different matter along the horizontal x-axis we're looking at uh how much time was spent working on the matter and up the y- Axis is uh so the vertical is how much revenue that matter generated for the firm now if we feed these data into a an unsupervised learning model and say computer please find patterns in these data for me it might return something like this and it kind of makes sense we look at this and we see red through green is kind of simple medium complex cases and then we've got these like more interesting clusters in blue and yellow the yellow we've got matters where maybe we've made a loss you know we've we've not made as much money as the amount of time we've invested and up in blue we've got the really nice ones right where we've made loads of money and it hasn't actually taken that long and we might want to analyze matters like this and try and understand what is it that led to those yellow ones and how can we get more up into that blue area for example now this is where I say not stealing jobs or whatever AI turns data the circles into information these colored clusters to get knowledge relies on somebody actually looking at that and using it and kind of trying to get some kind of meaningful explanation from it and that still requires a person moving on to supervised learning similar case in this case we're a really big firm um and uh we've got some money to burn so we're looking at all the Departments across our firm and on the x-axis is how many people we employ in those departments up the y axis is how much revenue they generate and we we say we've got some money to burn we want to go buy in some new expertise we want to buy a department this big well we could realistically based on historic patterns expect to make this much money from that pattern the red line that we're using to do this is our AI model that's it it's that simple and pretty much all AI uses these two fundamental principles obviously you don't need AI to draw 
that red line right you could do it by ey with some crayons um AI isn't powerful when we've got two Dimensions like this it's powerful when we've got tens hundreds millions of Dimensions it's just really hard for me to draw a million dimensional red line to show you on a PowerPoint slide um and I promise that's the end of the math lesson it's it's that simple that's that's AI in a nutshell um I mentioned millions of Dimensions which brings us to the the sexy face of AI at the moment GPT or or other large language models meta have llama Google have Bard there are others um these are essentially very very complex large models that are designed to kind of interact I say understand they don't understand language but they're there to interact with language um I don't really want to focus on how they work or anything like that one of the things I do want to point out is if youve use chat GPT which I'm guessing a lot of people here have you're interacting with a kind of two model system there's a chat boot called chat which chats to GPT which is the really really clever bit the large language model and the what's really cool is the companies Behind These large language models provide an API access to them so an API is basically for those who don't know kind of like a an access point in a bit of software that allows another bit of software to talk to it and why this is powerful is you can basically use that API to include these very clever very complex large language models into your own products and processes uh and I kind of this is what is driving a step change in the situation in AI at the moment um and I like to joke that it's because these things are no longer the purview of nerds locked in University basements or people like me the Nerds who escape the basement anybody can use these now and that's really exciting because the nerds in the basements aren't the people who understand what the real problems are and they're not the people with the creativity to solve 
those problems in specific sectors or across Society giving these tools to people that can do that is really exciting and we are seeing and we'll continue to see a boom in services that use these things so this democratization of AI what does it mean uh well it's kind of just an exaggeration of all all the existing benefits and cons that we've talked about for decades of AI and machine learning we'll see cool new products exciting new Innovative automation speed accuracy of results all these things that go hand inand with kind of increased use of computing the negatives um they're available to everybody right so topical for this this panel today they're not just the good guys that can use these things um and there's a real big problem of the kind I like to think of the computer says no problem in the otherwise highly intelligent highly qualified people kind of switch off their mental faculties if a computer tells them to do something and they'll make a really stupid decision that they never would have made if the computer hadn't told them to um and obviously there's there not there's not really any ethics or regulation around these things deep fakes are a really big issue um it's not really a deep fake but I love this picture I don't know if you remember this from a few months back uh I work in this all the time right and I saw this picture at the weekend and thought Oh is that's fun the pope went out dressed as a member of E7 it took me three days until I realized that he didn't go out like a boy band in the '90s Christmas music video This was a AI generated picture um and it totally it totally took me to a surprise so the big message I want to kind of leave people with is the current state of AI as Paul said this morning is simultaneously scary and exciting and we shouldn't let either half of that statement blind us to the other right let's not let the fact that there are scary elements distract from the opport seizing the opportunities but don't blindly chase 
the opportunities and forget the downsides so that's me I'll hand back to Chris thank you so I'm sure you'll all be pleased to hear there'll be a pop quiz on the way out about what is AI and no one can leave until they've answered that correctly so we've learned what what AI is um in terms that even I can understand which is no mean feet I will say um I'd like to think about this in the context of cyber crime or cyber security as well so I not some publish some research was published last week which said that um Ai and machine learning will likely to be the most significant Trend in cyber security across the next two years specifically typically use cases of contextual analysis and email screening and with that point we'll turn to the panel and ask them some questions so we'll start with the ncsc first what is your assessment of the threats to the legal SE sector and what role does AI play in that so thanks very much firstly for the invite to be here and the chance to come and talk about this topic and also secondly to my colleague who asked me to talk to a few lawyers about cyber security lesson learned on that one so as we see the Cyber threat from thetion cyber security center it's laid out in a report that we have from 2023 from June I think it was and that lays out a few different areas first of all it explains why you as legal firms are a really juicy Target and I'm sorry to say that you are first of all you've got really good client information and really sensitive client information which you and your clients want to keep quiet next disruption to your services could be extremely deleterious to your business and therefore you'll want to keep those going you deal with lots of money in various ways whether it's conveyancing merges and Acquisitions and other business transactions you're in the supply chain for other really interesting firms as well so it's not just the threat to you but the threat to your clients from your organizations and lastly your 
reputation is really important at least I certainly hope it is and therefore you'll want to protect that too so unfortunately legal firms are really interesting and viable Target for cyber security Bad actors so who are those so first of all it's cyber criminals I won't speak too much about that just to spoil the other panel members but I will mention that we published a report just a few weeks ago with the National Crime agency the NCA that explains much more about the cyber crime ecosystem and especially about extortion and ransomware which I would encourage you to have a look at if you're interested in wanting to know more so we have cyber criminals next we have nation states so if you're dealing on subjects that are of interest in nation States then I'm afraid you will also be a Target there or if you are dealing with clients or working on topics that are of interest in nation states and their National interest you'll certainly be of interest there next we have what we call hacktivists which are people who will conduct cyber security attacks for a particular specific cause which may be again related to the topics that you're working on and that's of course the greatest risk if you're working on behalf of clients that the activists care about and on to damage and lastly there's always the threat as well from Insider threats and that can be accidental or it can be deliberate they will use various methods to attack you the report talks about them in more detail But it includes things like fishing business email compromise password attacks and a few others which are all in the report if you're interested so that's how we see the threat as it currently is but then how do we see AI changing that and as you'd say I think it's going to be massive so I think first first of all it's really important to say AI is going to be fantastic it's going to be great as Tom so brilliantly put it it's really exciting and quite terrifying at the same time so we're looking at AI from 
three different perspectives related to cyber security the first is the cyber security of AI itself so how do you protect the AI and the models because your firms and your supply chain are going to be using AI probably already and a lot more in the future so how do we build security into that and into those tools that you are using the next is that AI will be used to support and increase cyber attacks so whether that's in identifying new vulnerabilities in programs that you are using whether that's related to using it to create better fishing emails and that's already something that we are doing to demonstrate just how good it is at that creating very specific emails to people from information that can be gathered from the internet and more generally it's just going to help attackers it's going to help attackers automate things it's going to be able to talk them through how to conduct attacks so unfortunately AI is going to be used to increase the number and potency of cyber attacks but luckily of course the last area is that it's also going to be used for cyber defense so we are working with firms to try and help make that as productive as possible speaker one so there are already tools out there that use AI to help people respond and understand to incidents better the most famous example at the moment is called sec security co-pilot which is being tested so I think overall what it's going to do is it's going to increase the Gap it's going to increase the gap between those who are doing the basics well and those who aren't so more than anything this wouldn't be a cyber security talk from the government if I didn't encourage you to do the basics well particularly around cyber Essentials so do the basics in cyber Essentials and I suspect a lot of the AI attacks will pick on other people instead thanks very much thank you for that interesting um so this time I'll ask Natasha what are the emerging trends when it comes to cyber crime um thank you and thank you for 
inviting me here today um cyber crime I just want to differentiate into two parts we have cyber dependent crime which we've heard a little bit about today the ransomware attacks the distributed denial of service attacks hacking attacks and so forth and then we've got cyber enabled crime which for example a lot of fraud is perpetrated by the use of cyber or devices in some form or another so if we take cyber dependent crime in the last 12 months or so we had over 25,000 reports of cyber attacks and that equated to over 12 million pound worth of losses now this is pretty impactful but particularly if you're a small to medium Enterprise because those Enterprises are prolifically targeted by ransomware hackers and so if you are an organization with let's say one to nine employees you're particularly at risk of um social media hacking ransomware attacks and general cyber crime and I think ransomware is definitely one of the highest threats we have um at the moment because of the impact it has not just to your own organization but to to infrastructure as well um if we compare it to sort of fraud in terms of fraud reports just to put it into perspective over the last 12 months we had over 300,000 fraud reports and that actually resulted in losses that were reported of 2.5 billion pounds now in terms of uh fraud organiz or organizations who were targeted by fraudsters you will be surprised or or not to learn that limited companies and plc's are the most targeted organizations for that and particularly within the areas of card payment and banking from check fraud mandate fraud so your payment diversion frauds and financial investments as well as your viruses and malware and spyware attacks I think in terms of typologies I'd just like to talk about three things uh briefly uh something that's going on at the moment which you may or may not be aware of hopefully you you're you've not been victim to this is remote access fraud so that's where a fraudster will call you um 
purporting to be from your cour corate bank account or corporate banking organization and they will convince you through social engineering to install remote access software onto your device they will encourage you to log in usually by putting pressure on you or making it all a rather urgent call and other tactics that social engineering employs and at some point during the call your screen may be blurred but it's all part of doing this software update that they've told you about but whilst that's going on of course they're starting to make transactions because they've managed to get you to log into your account at the same time then of course they're going to tell you that they're sending you a series of numbers and it's all part of the banking update but of course this is your own bank actually genuinely sending you your two-step verification codee which of course you then hand over being duped into this um engineered chat and at that point your your funds are cleared out your account now there are variations to this fraud but it usually involves um obtaining remote access onto your device and perpetrating the fraud in that way something else I'd like to just touch on quickly as well is social media um of course social media is being utilized a lot more instead of face-to-face contact and I know a lot of you will be using social media and zoom and teams to conduct meetings and so on and so forth um there is a risk to the kyc aspect of what you do because of course it provides reduced stability to really check legitimacy and authenticity of who you're speaking to so it's just something to be aware of and then of course one of the reasons why everybody's here is AI um and it really is Tom's already touched on it it's a combination of the various generative um programs that are around like chat GPT um and this really is a vehicle for the future to employ deep fake technology so visual uh uh fakes that purport to be live human beings and also voice cloning as well so 
even without the visual um aspect you've got the voice cloning as well um it could result in automated social engineering scripts being generated and of course AI is going to um encourage a different type and increase in fishing which really if you think about the I say the old it's not that old but it's a a current fraud that's going on the hi Mom I'm in trouble WhatsApp chat really taking that to a new level because you've now got your loved one actually who looks like they're there on the end of a FaceTime call who sound like them saying they're in trouble and needing money and funds are being transferred or will be so I think those are the main stats and some of the current trends and emerging threats thanks Nasha thank you and so moving on to Rowan then what are the typical mistakes that firms make when it comes to cyber security um thank you very much for inviting me to the panel um it's great to be here I think ultimately the mistakes are still the same mistakes whether AI is involved or not and our NCC colleague on the left here touched on it with cyber centrals it's the basics um there's far too many vendors out there that have actually been ounting that their product has AI in it and has had for last 5 to 10 years and generally speaking it's not genuine AI it's more as Tom pointed out statistical models and it's machine learning is far more uh prevalent in those products so you are if you go to any show where you've got um cyber secur is one of the top top agendas you'll see there'll be plenty of vendors there that will tell you their products the best thing since slic bread it's the Silver Bullet it's going to fix all your problems and it's got AI in it um and then if you sort of just peel one layer away you turn turns out that AI is not actually genuine AI it's actually machine learning it's understanding how people behave um and ultimately security cyber security physical security whichever security arm you want to look at is all about human behavior 
it's about understanding how humans behave and you're trying to essentially manipulate that behavior to do things the right way rather than circumvent the controls you're putting in place to stop them doing the wrong way so I think the mistakes generally tend to be made at the basic level far more than the advanced level so there's plenty of Frameworks out there there's plenty of control sets like the cyber ENT plus control set that people can follow and they can use that's the starter for 10 that will get you on the a good foothold and then you can advance that through the other more complex Frameworks where we talk to things like National Institutes of standard Technologies framework which is from the US quite a big framework probably not relevant for the smaller organizations but for the the larger Enterprises it's there but things like ISO 27,1 gives you a good solid framework of controls that are very broad uh and allow you to find how you want to implement they're not black and white they're not sort of you must do this or you must not do this I think with the Advent of AI and we've talked about chapter gbt and Bard there's three sort of very key things I want you to take away today to consider I'm not here to tell you to do or don't um but you should consider these three points the first point is um when you're inputting stuff into these uh large language models you are effectively telling them that you can keep that information indefinitely because it's learning from it and if you're you know as we're in a room full of lawyers I'd expect you to have read the terms and conditions from top to bottom unlike me who probably didn't just went yeah that'll do um you will know that that's what they that's what they're there to do they're there to learn from what you input and if you're inputting sensitive information to those there's a very small chance but still a significant chance that if the right input was put in by someone else and bearing in mind this is 
doing thousands of transactions an hour every day it's costing them 20 4 million a day to run this thing that input could come back to someone else someone else could see that input or see some form of that input so you got to be really careful about what actually goes into it the second thing to remember is it's um the truthfulness that comes out of these engines how true is it what it says bearing in mind that we've seen many cases where people have engaged with a a chat GPT or a Bard um and the answer that's come back is complete fabrication it doesn't understand because the input that it's been given has been cleverly manipulated uh by the input the person who's input it and it doesn't have any idea of context it knows nothing about you or me or any of the societies we we're in it knows nothing about our job nothing about what we're trying to do it just relies on what you put in so what it doesn't know is that context so it can fabricate stuff and you look at it and you think that's a lie it's that's not even I asked it how does it know that um so you've got to be really careful about what the truths that come out the back of it because it is as your slide said Tom bad input equals bad output and that's going to happen a lot as it starts to learn things the third thing to remember is historical a lot of chat GPT 3 version three and three and a half is all historical it's only goes to September 2021 so you've got to remember that even if it's historical that history may have changed in 3 years so again think about and consider the information it's coming back with and and do your due diligence shall we say on what it spits back out to you because you might need to actually revise that and it's it shouldn't be relied on as a source of Truth as I said it should be used as an engine to try and help kind of bring things together find patterns and Trends as Tom was saying in his talk and not be used as the gospel shall we say but I think the big mistakes really are 
just not considering those Basics and not actually thinking about how am I users using these AI models how are they uh implementing them in their day-to-day lives there is some fantastic stuff it can help with some fantastic things it can do and I'm sure with all of those Integrations that we love with our applications and all things of of this nature it's going to be extremely powerful as it develops but we just need to make sure we take a step back consider what we're inputting into these things what are we giving it and then making sure that what we're giving it isn't going to cause any sort of loss of data any loss of confidential information to something that ultimately is there to learn and it will it will take everything and it won't ever probably give it back there's no there's nothing you can do about that it's in there for life and we've seen a lot of cases about copyright uh infringement and trademarks and things like that that it's essentially learned from a lot of people who published books have said you know my book is in this large language model I never authorized the book to be there so we've got to be really careful about what we put in um in terms of injecting stuff into these large language models but in in case of Technology AI is has already been there for a while what they considered to be AI um is already there it's only going to get more prevalent and even my own contract management system that I use in my place has got an AI capability to go through contracts and find patterns and Trends and you know terms and conditions that are the same so I can pull those out all in one hit it's very very smart and that's really clever that would take hours for a human to do it takes seconds for this to do so there are some great benefits but just consider those three points what you input the truth of of what comes back out and the fact that is historical so you may need to do some more homework thanks Rowan plenty of food for thought there so in a 
moment I'm going to open it up to the floor for any questions that you may have but we've had one pres submitted beforehand which I know that's something that people do fear and the question is look what should I do in the moment of an attack so I'm just going to ask briefly the two colleagues immediately left to me what what should you do you you go into work tomorrow morning it's happened what do you think go first thank you um so if you're undergoing a live attack and I'm talking a cyber dependent crime attack so a ransomware attack or a hacking attack and so forth um I would like you to call the enhanced cyber reporting service um there's a telephone number it's 03001 12324 it's a 247 service and it's an exclusive service for business Charities and other organizations um you will receive specialist help and signposting um for example you might get signposted to the n CSC uh you can sign up to newsletters uh you might get signposted to a cyber resilience Center but it's really important and of course if you are undering something like that to get that specialist help it will actually also be necessary if for example you subsequently make an insurance claim because you'll get the essential crime reference number that you need and also if there's third party involvement for example of financial compensation recovery scheme involvement you will need that there as well however of course prevention is always better than the Cure and as a lot of you is my understanding are small to medium Enterprises there might not be massive budgets for cyber protection and something very easy that you can do is install something called police cyber alarm onto your systems it's free and it's a home office funded um piece of software that you do put on it is safe um and it will alert you if your system is vulnerable or actually um under threat it will also alert us and we can then actually um provide advice via your local police force because we can notify and disseminate that in 
information out to them so that's something definitely worthwhile looking up um I have arranged some handouts with links and things afterwards which will be available on your way out so if you do feel that that would be of use by all means pick pick one of those up um and that will signpost you a bit further I hope that an thank you thank you Rowan your take on this yes I think the um the first thing is don't panic um don't rush to make any decisions uh I know it's it's a frightening scenario I've been in it myself personally several times I've dealt with three different cases in the last two months where where we had our good friends at the NCC involved in one of those and and it is a significant uh scenario to incur and a lot of people do get scared they're afraid of what's going to happen so the first thing is say Don't Panic um the second thing I would say is do seek support I mean what Natasha has just shared there is fantastic a great way to do you know to get some immediate help from from someone um organizations like myself at littlefish we obviously can help people as well in those scenarios um we do have cyber services in what we do but we've had other customers who we work with not on the Cyber side of things but on mer the service desk and the other it as of our business who have been attacked they ring us and say we haven't got a clue what do we do and we have support them through that process we work with a number of really good third parties that are very extremely well trained in digital forensics which is the key bit that you need in these scenarios you need to be able to protect that chain of custody and I know Natasha would love that word because it's a very police word but it's that chain of custody um but that's the key bit is being able to protect that and try and see if you can recover from that scenario my best advice is now if you haven't already got a plan for when this happens is to go away and investigate putting a plan together you need 
some form of plan to say, if this does happen, what can I do to get out? Most of the time in my early career we had backups that were on tape. If everyone remembers tape backups, they were fantastic: you had to change 24 tapes a week, it was a great job, but you know what, it was so much easier to restore from backup. But now we're all loving the cloud and we all got rid of all of those things. Typically these attackers will go for backups first before they go for you, if they do get inside, because what they want is maximum damage, and the maximum damage they can do is to stop you restoring things. So yes, my advice is, if you haven't got a plan, start to put one together, and if you need help with that the NCSC has got fantastic resources online, it's all free, go and seek it out and look for that, because that gives you a really good step-by-step approach to building a recovery plan, a way to recover from that disaster.

Great stuff, thank you Rowan. So we heard lots there from the panel about AI itself and about the ways in which it may change the risks associated with cyber crime, and we also heard a number of ways in which you as businesses can keep your firm safe. The more keen-eyed amongst you will have noticed that at the in-person conference we had a panellist from the National Cyber Security Centre; for obvious reasons, given the nature of their role and organisation, we're not able to broadcast them, and it's rather appropriate, I think, in this case that we used an AI to repeat their words in that session. So let's jump straight into taking further questions, and a quick reminder: if you want to submit a question to us you can do so by clicking the link below. The first couple of questions have come in, so I'll start asking these. Our first question is: are AI and tech the preserve of big city firms? How can my smaller firm ever hope to make use? We'll turn to Rowan first, if that's okay, and then follow up with Tom.

Yes, definitely, I think smaller firms can
take advantage of AI. I don't think it is the preserve of big city firms. There are a multitude of things that use AI; as I described in the panel talk, that actually is machine learning, it's just got the AI badge on it, so lots of things you're using today will probably be doing some very similar things to what AI might be doing. ChatGPT clearly is free; version 3.5 is free, so anyone can use that. Version 4 does require a subscription, but I think it's something like $20 a month, so not breaking the bank, and that has a few more features in it that you can tap into. But Microsoft Copilot, that's coming out; I think it's on general release now in the UK. Copilot is going to be Microsoft's new big investment, trying to introduce AI into all of our everyday things like Word and Excel and PowerPoint, and again the subscription to that I think is roughly, at the moment, £25 per user per month, but that, I will assure you, will go down as they start to see the benefit of it and see more and more people using it. So always see these things as: they will start at a certain price and they will start to drop as more and more people use them, and they can start to be clever with their pricing. So I think smaller firms will be able to take advantage; I don't think it's just the preserve of the bigger firms. There are plenty of things out there that are using AI and machine learning today that you can use yourself.

Thanks Rowan. Just to add, I guess, from stuff I've seen in the past: obviously I talked about the democratisation of AI. AI is becoming cheaper and more accessible to everybody, and it will start being baked into products that everyone uses; things like CRM systems will be driven by AI. So maybe dedicated in-house, large-scale stuff might be the preserve of larger firms, but to be honest, are they even going to be necessary with the democratisation of these tools? As Rowan says, Copilot's
incredibly powerful, GPT is incredibly powerful, and they're not particularly expensive products, and we will see more and more third parties using these things to build products which are affordable for most firms, not just the preserve of the big ones.

Thanks Tom. We've had another couple of questions come in asking for specific details of the phone numbers and the links that Natasha mentioned there in the recording. I'll cover this later in terms of the resources that will be made available to you after this session, but maybe this is a good chance to bring in Natasha now. Are you able to talk us through some of the specific examples from the most recent cyber monthly threat update alerts?

Yes, sure. So first of all I'll just repeat the numbers that I gave in the main presentation, which was 0300 123 2040 for the enhanced cyber crime reporting service, and also Police CyberAlarm, which is what you can proactively install on your systems, and it's www.cyberalarm.police.uk, Police CyberAlarm. So there will be, and I think it's there already actually, a handout on the Solicitors Regulation Authority post-event page, on the on-demand page, where those details will be available to you after this. In terms of the last couple of months' worth of updates or emerging trends, there have been a couple of things that have come to light that you may want to be aware of, in terms of phishing emails in particular. One of them is bank fraud. Obviously this extends on from the remote access fraud, but it's still going on by email, and essentially it requests the recipient to update their details by clicking a malicious link, and specifically Halifax has been one of the organisations that's been used in these fraudulent emails. I think that was in September we had some emerging fraud with regards to that. There's another one as well, you may be aware, and it's called a free spin phishing email. You may be aware that when you sometimes click an advert for a product that you like you'll get a spin cycle on your screen and it will say you've won so-and-so. Now we're seeing reports in with these free spin phishing emails where you're actually being asked to spin the wheel but then put in your details to win a prize, or click a malicious link, so just be mindful of that. There's another one which is quite concerning, which is a McAfee Total Protection phishing email that we've seen in the last couple of months, which informs recipients that their McAfee protection is literally about to expire and they must renew now, so you're getting that pressure and that sort of social engineering within the email that we've talked about before in the main presentation, and that is something that we've seen reports on recently. And then of course in the last couple of months we've had the iPhone 15 Plus or 15 Pro launched, and we've seen phishing emails with regards to this where people are
being sent emails saying they've won a prize, and in order to claim that prize they're being asked to enter all sorts of details. So the long and the short of this, I think, is that fraudsters are very entrepreneurial: as something new happens and as something emerges, it's being taken advantage of by fraudsters. So it's really just about making sure that you keep mindful and you keep aware of what you're doing, what you're clicking, and the information that you're providing. Thank you.

Thanks Natasha. We've had a question come in which is very short but is one that sounds like it's for Rowan: will immutable backups help?

Absolutely, immutable backups will help. That is one of the first targets when people get into an environment. The first thing they look for, once they've done the initial bit of reconnaissance, is they'll go and find out where those backups are and they'll try to delete those backups or remove them or destroy them in some way, and then they'll attack the live environment, so you've got no way to restore. So immutable backups, 100%, definitely is something you should be doing. As I said in the talk, we don't really use tape anymore; a lot of people have moved away from that and they want to have a cloud backup that can synchronise relatively quickly and not have to wait an entire day, which makes sense, because that reduces our recovery point objective, the time that we can go back to. But the flip side of that, of course, is that the backups are online; they're in a place where people can get to them, they're no longer on a machine-fed tape. So there's that weighing up of: have we done the right thing moving all our backups to the cloud? And in some cases that I've seen and I've worked on personally, people haven't, and they haven't made them immutable, and therefore they have been destroyed. It's the first thing they go for. So yes, 100%, make sure those backups you put into the cloud are immutable, they can't be tampered with, and make sure that any access
to those backups is very limited, to the people that need to see them.

Thanks Rowan. Another question for you here which has come in, and it's related to a point you mentioned in the video where you talk about the use of LLMs at firms, that's large language models: how can we monitor the use of LLMs within firms?

It's a tricky one. This question came up at the conference as well. Short of installing keyloggers, we can't really watch what our users are doing in terms of what they input into these large language models, but I think the best way to enforce control is through policy. So we need to create a policy around the use of these large language models, we need to educate our users on them, we need to say to them what they can put in, what they can't put in, what they should avoid inputting into the large language model. But also we can do things like web filtering, using a web-filtering product, so we can see who's using them, how often they're using them, obviously to make sure that that use is within policy, within guidelines. So we can't really watch what actually goes in without being very intrusive, and I strongly advise you don't do that, but we can see how much is being used. And also we can make sure that we're educating our users to understand that these large language models are there to learn: everything you put in is a learning experience for it. But remember, it doesn't understand context; the data that comes out is historical, so you may need to do some more homework on that front. And also just make sure you're not putting anything sensitive in there, any case references, anything like that, because it will learn that and it will keep that knowledge. It may never come back out again, someone may never be able to pull that back out again, but there's always a chance, so the best thing to do is not do it.

Thanks Rowan. So we've had a question come in about: does the SRA think it's concerning that AI tools could be offering legal
advice rather than a real person? The answer to this one would be that supervision is key, of course. So from the SRA's perspective it's imperative that the process is supervised, that the AI is supervised, in the same way as any other constituent part of that particular workflow. That's really important. We've had a question come in here: can you recommend any products or approach for simulating phishing emails as part of staff training? So it's not our role to recommend specific products per se, so we're not able to do that; however, I think Rowan's probably going to come in on the last part of that question, so an approach for simulating phishing emails as part of staff training.

Yes, there are a myriad of products that can do this, and we have our own tools and capability in-house at Littlefish to do this as well. What I would advise is that when you're building a phishing simulation, don't be mean. I've seen some very mean phishing simulations, things like bonuses and stuff like that to try and catch people out, so saying "Oh, you've received a bonus, just click here and open this", and redundancy is the other mean one I've seen. And we've been targeted as an organisation with, you know, someone pretending to be someone in the business saying loads of people are being made redundant, open this to see if it's you, sort of thing. So don't be mean, because that doesn't actually teach anything apart from touching on people's sensitivity. What I would say, though, is make sure that the phishing simulation you do generate is targeted at groups of users. Try not to do it to everyone, because it kind of dilutes the message, and so what we try to do is we take, say, a small number of users at a time and we send a specific one to them, and then maybe the next month we send it to another set of users, but maybe it's different. And a good thing to do is probably use
people that you are aware of, that your company's users are aware of, so Microsoft would be a classic because everyone's using Microsoft technologies most of the day, if not Google, or using suppliers that you're using, pretending to be those suppliers. Because what we're trying to do is not really teach people not to click links; we obviously don't want them to do that, but the key for us there, the key metric for any phishing simulation, is how many people report it to you. That's the bit you want to see increase. We don't want to see people clicking the links, we don't want to see people opening attachments, but that's not the target; the target is how many people actually report it to you. So in combination with a phishing simulation exercise, you first of all want to train your staff on what to look for, what are the key elements we need to check before we even think about opening attachments or clicking any links in an email. So if we can get that bit first and then do the phishing test, we can see if that education was effective. If it was, great; if it wasn't, we need to go back to the drawing board. But yes, there are tons of products out there. We're happy to talk about them offline, but I can't really recommend an individual one at this stage.

Thanks Rowan. We've got a question here about just how easy it is to get an LLM or something similar to produce generative text, or even audio, purporting to be from someone in particular, so I'm going to hand this one to Tom.

So I guess all AI is based on data. If there are enough data then it can do some pretty clever stuff, so if you went to ChatGPT right now and said "write me a poem in the style of Robbie Burns about cyber crime" it probably would be able to, and be fairly convincing, like a Robbie Burns poem; Robbie Burns obviously didn't write about cyber crime. For specific individuals that might be slightly harder; it depends how much of their personality is conveyed in public writing
that's available of theirs. As we move into audio and video, in my opinion the technology is just not quite there yet. I've seen some really cool services that can make avatars; this is where you actually go and feed it the data yourself, you record yourself speaking on video, and then the idea is it can create an AI avatar of you speaking. Now obviously to do that you are providing a lot of the data yourself, and I still think they're not particularly convincing, especially if you start doing stuff like turning your head sideways; they're really bad at showing that sort of thing. So actually, a note: if someone's staring at you in the face and not turning their head sideways at all, I'm always a bit suspicious these days when I see a video like that. But yes, as we always say about AI, the tech is moving at such a pace that what is true now might not be true in a year's time, so at the moment I'm not convinced by AI generation of audio or video of specific individuals, but give it a bit of time, maybe it will.

Thanks Tom. We've had a couple of questions come in about cyber insurance specifically, and our message on this one would be to speak to your insurer about exactly what's covered and how that may suit your business needs. I know also that Natasha has some data on the types of firm who account for the majority of cases, so I'll hand over to Natasha with this one.

Thank you, and I think I alluded to this in the main presentation, but small and medium enterprises are really the type of organisation mostly reporting the fraud that we're experiencing. So for example, in the top three frauds that we're getting from organisations, mostly small to medium enterprises, business email compromise is getting about 31 to 32% of our reports, and that's the highest reported fraud by organisations that the enhanced cyber security service
actually received. The next one is ransomware, and that's the second highest reported, at near on 28%, and small to medium enterprises were responsible for the highest volume of reports. That may well be because small to medium enterprises may not have big budgets to mitigate against this type of fraud, so perhaps that's something that's worth considering, and therefore insurance is definitely something to think about; I can't recommend, of course. Hacking, on the other hand, is the third highest reported fraud by organisations, at just under 20%, and social media hacking is really the most targeted, with internal systems hacking being a close second. Something that's also emerged throughout August and September is insider threats, and stolen or spoofed credentials, usually from disgruntled employees, but this is something that we've seen also in the last couple of months. So insurance is a consideration, but, like Chris said, it's a matter for you and the discussions you have surrounding that, and what level you might want to consider. Thank you.

Yes, just to add to that, with the cyber insurance, I think we're seeing a lot more of the insurance organisations stop offering cyber insurance because of the complexity of it. So I would say what I'm seeing more of now is people investing in a digital forensics and incident response service, what we call DFIR, as their insurance, rather than going to an insurance company, because the insurance company is upping the level that you need to achieve, and for some small organisations sometimes it's just too high. It's not practical to be ISO 27001 certified as well as Cyber Essentials Plus and all the others thrown in, so in order to meet their requirements to obtain insurance it's becoming too big. But a DFIR service, a digital forensics and incident response service, is actually more attainable and probably is
going to be slightly cheaper than cyber insurance. But you have to speak to your insurer to see what their requirements are. That's the change in the market that we've seen as an MSSP: people are more often asking us now, saying, "Look, we haven't got cyber insurance because we can't obtain it, because of the level they're asking for; is there an alternative?" And the alternative is to have a DFIR service that's on hand, on tap, 24/7, that you can go to if there's ever a major incident.

Thanks Rowan. And then I think what may be the last question we've had so far, so if you do want to submit any more please do get them in now: do the panel think that we, the profession, should be proactively giving clients cyber hints, dos or do-nots, on their engagement? I suppose from our perspective here it can't hurt to reiterate this message, but clearly your clients should take responsibility for their own cyber safety, and I think if we think about some of the links and the phone numbers etc. that Natasha mentioned earlier, it can't hurt to pass those on and raise visibility and awareness of those particular ones. I don't know if anyone else on the panel has anything to add on this question.

Yes, I was going to say, just on that front, absolutely. If there are things that you want to suggest to people, feel free to do so, as long as they're backed by something. I mean the best source, as we said on the panel, is the NCSC; they've got a lot of guidance, a lot of things that small businesses should be doing. They've got a small businesses 10 steps to cyber, which I think is really powerful, and as I said, those basic things are the things that people are sort of forgetting in the glory, in the light of these new AI machines that have appeared. Everyone's seeing the wow and going "Wow, this can do great stuff" and they're sort of forgetting those basic things. So I really do say:
check out the NCSC website; there are lots of tips on there, there are lots of guides on there on what small businesses, small to medium businesses, should be doing, and that will obviously help you in the future in order to advise your clients as well.

Thanks everyone. So we have no more questions coming in at this point, and if that's the case then I'd like to offer a huge thank you to all of our speakers for sharing their expertise here today. If you do have a specific query that pops into your mind after this finishes, please do reach out to either our ethics helpline or the SRA Innovate service. And one important reminder I have to give you: all the resources today, in particular those referred to by both Natasha and Rowan, can be found on our on-demand pages. So look, I think it's been a really good session, but we want to know what you think. Did this format work for you? How could we make it better? Please click on the feedback link below and let us know your views on that. And finally, this is the last session of our virtual conference, so we're bringing the curtain down on the week. We hope you've enjoyed the range of sessions that we've presented. We will be sending out evaluation forms to get feedback; please, please, please do try and complete it, because it really, really helps us to plan for future events. And it only remains for me to offer my sincere thanks to you for your time and for your questions today. Thank you.