Host Paul Spain is joined by Philip Whitmore, head of KPMG NZ’s Cyber Security team, as they explore the impact of Microsoft AI’s controversial images, 2degrees’ new CTO, Callaghan Innovation cost cuttings, Fair Digital News Bargaining Bill and US lawmakers’ TikTok crackdown. Hear insights on cybersecurity concerns facing businesses in New Zealand, including current threats, recent incidents, and regulatory changes.

Need help with cybersecurity?
About us | CERT NZ
Cyber Security Services for Small-Medium businesses – Gorilla Technology

Apple Podcasts  Googlepodcasts  Spotify RSS Feed

Special thanks to organisations who support innovation and tech leadership in New Zealand by partnering with NZ Tech Podcast: One NZ HP Spark NZ 2degrees Gorilla Technology

Episode Transcript (computer-generated)

Paul Spain:
Hey, folks. Greetings and welcome along to the New Zealand tech podcast. I’m your host, Paul Spain. Great to be back again today with Philip Whitmore from KPMG Cyber. How are you, Philip?

Philip Whitmore:
I’m great. It’s great to be back.

Paul Spain:
Yeah, it’s been a little while, maybe pre COVID that we last had you in. It was the old studios before we moved. So lots to talk about today. I’m keen to sort of delve into sort of cyber and data privacy type topics, obviously with the focus on New Zealand, because it is the New Zealand tech podcast. But there’s things going on in the broader world that are quite relevant as well. United States, China, TikTok. And there’s some other news as well we can delve into. On the AI front, artificial intelligence seems to just be the thing at the moment.

Paul Spain:
And some other local news to delve into before we start, of course, a big thank you to our show. Partners to One NZ, 2degrees, Spark, HP and Gorilla Technology. Well, for those who maybe aren’t familiar with you, maybe just a little reminder where you fit into this big, wide world of cyber and what your role is with KPMG.

Philip Whitmore:
Sure. So I’m a partner at KPMG, one of the large consulting firms, for now, cyber practice. So there’s a few of us there, bigger and better every year. So we help organizations test security, design security, run security, so we help manage the risk from end to end.

Paul Spain:
And how big is your sort of cyber practice these days? Because you’re not small in those regards, as far as New Zealand is concerned, shall we say?

Philip Whitmore:
No. Look, I’d have to add up the numbers, but I’m thinking we’re 40 some things. We’re not huge, but we’re not small either. We’d love to be bigger and better, but finding good staff can be challenging in New Zealand, across many fields.

Paul Spain:
Yeah, definitely. Well, let’s jump in. I see. Hitting the news is one of the things, is that Callahan innovation, who very closely connected with the tech world in New Zealand and work closely with a lot of the startups that come through and a lot of the high tech firms are going through sort of a cost cutting exercise. Do you think this is something that’s unique to Callahan? I mean, I think we’ve got a new government in play. They’re looking to sort of rethink where money has been spent, probably across the. I mean, this news that RNZ had covered is probably not unique to Callahan, but I guess Callahan will take their own approach in terms of how they look at cost cutting as one of the smaller government entities.

Philip Whitmore:
Yeah, that’s common across the public sector and certainly governments indicated that. I think most government agencies, or many government agencies are being asked for savings of six and a half, seven and a half percent. So it’s nothing unique, but it is always hard. I think we all know the economy we live in has changed and you’ve got a limited amount of resources. How do you use that better? It is an interesting challenge.

Paul Spain:
Yeah, 430 people. So I guess they have, over the ten years that they’ve been operating as Callahan innovation, I think they have grown. And obviously when they were founded, I think what was it? There was some existing entities that sort of came through into Callahan. So I guess they’re always going to have a number of people as long as they’re around. And you never know with new governments coming into play when they decide to remix things, as it were, and slice government entities up and move things around and rebrand them and relabel them. As we’ve seen a bit of that.

Philip Whitmore:
Happening, there’s always some change. And look, Callahan plays a critical role and it’s a fascinating organization, critical role in helping develop innovation in New Zealand. So I guess we watch and see where things go.

Paul Spain:
Yeah. There was mention from RNZ of a scenario where this was maybe more broadly, Callahan Crown research institutes and universities facing a loss of around 68 million annually in research funding when the current national science challenges end in the middle of the year. So there’s a bit to sort of delve into on how these things will play out. And yeah, I think it can be pretty uncomfortable going through some of these changes, but we’re also in a position where you can only spend so much money. So, yeah, a challenging time ahead in those regards. Now, we’ve seen a bit of coverage around the fair digital news bargaining Bill and this has been quite an interesting one to follow when I look at it, and I was asked on Newstalk ZB around this, what should the approach be doing? What should New Zealand do? And one of the recent things is that there’s some sort of levy put on international players. There’s probably multiple approaches that could be taken to how we ensure that the big players, the Facebooks and Googles and so on, that will draw on news content from our local media. But today doesn’t necessarily pay for that and how that should be appropriately compensated.

Paul Spain:
And I don’t know where I’m kind of landing is. Well, look, New Zealand is a small country. We can’t really dictate a whole lot on this basis. And if we put our foot down, we’re potentially going to lose our media getting coverage in those different platforms. And I guess I’ve always thought of it as being a sort of coverage for news media, being in the big international platforms. If they’re linking back to content of our media, then that’s actually driving traffic to the media. So definitely a balancing act where I’m not sure that you can go too over the top. And probably the approach should be to lean in and follow what’s happening in other markets, or at least other markets where it’s working.

Paul Spain:
Because I think we have seen things where there’s been scenarios threatened or actual scenarios where news has stopped to be carried. I think it was Canada that had a scenario like that. Any thoughts on where you think we go?

Philip Whitmore:
I tend to think similar thoughts. It is difficult. We are a small player, but that news is something that the news organizations are producing. You can have a degree of influence. Can you control it? Probably not. I can also understand that media companies, how we consume news is different these days. So your more traditional media organizations, their funding is dropping and it’s also information they produce. But I think it’s not something we can do by ourselves.

Philip Whitmore:
It more is what is us in other countries doing. But the likes of Google and others does drive traffic towards other sites as well. So I don’t know what the answer is.

Paul Spain:
Yeah, there’s two parts to it isn’t. Yeah, because sometimes they get all the benefit, other times people click through. But yeah, we do see it all the time in social media. Know a headline or a link gets shared and then all the commentary will be based on the five words that were in the or eight words or whatever it is that were in the headline without actually ever clicking through, reading the content and consuming it. It’s what was basically in that preview. And that generates masses of traffic for a social media platform. Maybe keeps people on there as they’re discussing and debating it, and only a percentage of the people are clicking through. And I’m sure there’s a level of that that happens on Google as well as this happens on social media platforms.

Paul Spain:
So yeah, it is a complicated one. I’m certainly glad that it’s not something I’ve got to try and figure out, although I would have thought that there would be a kind of mathematical or a scientific way to actually do some sort of evaluation on this stuff and land on a methodology for what is a fair and appropriate way to do it. But yeah, I guess we don’t necessarily have to do that. If other countries are putting in all the work and effort, we don’t have to spend millions of our dollars researching and trying to land on the perfect solution. We can emulate what the best one.

Philip Whitmore:
Is out there, I think that I imagine will be coming and I imagine all parties would be happy to deal with that. At the moment, it’s a bit of an unknown. What is the fair thing to do? There’s no easy answer.

Paul Spain:
And the challenge is we’re now in a situation where our media are effectively being disrupted. Right. So we’ve heard. News Hub, most indications suggest that they are going to close down unless something new comes up. TVNZ shutting down some of their most successful and long running content. In terms of Sunday and fair go, which, looking at the viewerships and so on, it’s a little bit hard to get your head around that they would take that approach, but clearly that’s what they are thinking is their way to cutting back and to saving some money. You’ve got to feel for those people that they’ve gone through. They’ve spent years studying.

Paul Spain:
This is their career path and then the rugs being pulled out from under them. Even though I think probably all of us have known for, I don’t know, decades that we should expect in our lifetimes to change careers kind of multiple times and that that would happen. But having it sort of foisted upon you en masse, because a lot of people deal with this as individuals without the media coverage around it. But it happening to a whole lot of people en masse. It’s a horrible thing to sort of see it happening, and especially when, you know, a bunch of the people that are being impacted. I think the positive side is that most of the people, certainly the ones I’ve got to know in varying roles across the likes of Newshub and TVNZ and other media, seem to be great, hardworking people who will end up doing great work in something maybe slightly different, but I can’t see them not being able to land on their feet. But it’s a pretty hard period in between.

Philip Whitmore:
I think you’re right. It’s going to have significant impact on the individuals and their families. I can also understand that a business isn’t there to lose money. In fact, it can’t work losing money. So it’s tough. And I think we saw similar things back in 2020s. We entered COVID lockdowns. A lot of restructuring happened then for some organizations, but I think most of those people landed on their feet doing something different, albeit there is a period of pain in between.

Paul Spain:
When it’s not happening to you, definitely you will see it through a different lens than when it is happening to you, and you kind of see those realities. So I definitely try and have empathy, but I know that I can’t understand exactly what it’s like when I’m not actually in that position myself. Now, one thing that we have talked over the years about is a lot around disruption and digital disruption. And it’s always part of my discussion, actually, when I’m wearing my futurist hat and doing a conference keynote and encouraging sort of futurist mindset and this approach that we all need to be thinking ahead. We all need to be futurists and preparing for coming changes, because technology will continue to disrupt. And I look back at my earliest days in the workforce, and I started out with a magazine publisher, and I’ll often talk through, where are these magazine publishers now? Where are the printing firms? So many of those firms that were just mainstays in those days are either completely gone or they’ve gone through incredible change in order to stay relevant. You look at the ad agencies, for instance, part of what they’ve had to do is kind of acquire the young digital upstarts that are coming through in order for these big old firms to stay relevant. But of course, in some cases, like what we’re seeing here in the news media, the outcomes aren’t that rosy.

Philip Whitmore:
Potentially, technology does disrupt us. Alphan doesn’t feel quick, and maybe it’s not quick, but still, of course, an interruption. I miss going to the video store on a Friday night to grab a video. My local video store only probably closed down three years ago, but there’s only a handful left around the country. I miss as a teenager going to the music shop, look at some records or some DVDs. Yeah, you still get those. And you can probably get more on vinyl now than you can 510 years ago. But changing.

Philip Whitmore:
But change is sometimes good and different. And I think we benefit collectively from the positive outcomes. But the impact on individuals and businesses in the shorter term is not.

Paul Spain:
That’s. I guess that’s part. Could you could talk of new Zealand tech podcast as part of the problem for mainstream media, right? We are a smaller media outlet, and when a small media outlet operates, usually operates with a lot less resources than the traditional media. So that’s part of the disruption. The fact that we can live stream video and put an audio show out. 2030 years ago, this sort of stuff was completely impossible. And it is part of the changing shape of this world. And I think it will continue to change, and I just hope we get good outcomes over time and that these things land in a good manner.

Paul Spain:
But we do have those challenges of being a smaller market as well. Right. Which is going to play into it. And so Kiwis will probably continue to lean in on some of the big international sort of media outlets. And, yeah, it’s even hard to get your head around that in terms of in the old days with sky and you’d stream your CNN news and so on. Now there’s umpteen different news platforms that are streaming and a lot of them you can get for completely free. And that might come with some strings attached, if know, RT, Russia today or whatnot, ones coming from different parts of the world and with different sort of political perspectives sort of tied into the content.

Philip Whitmore:
I think we can expect technology disruption forever. We’ve been talking about it since victorian times. I mean, the first cyberattack, what we might call cyberattack, happened when the weaving loom got introduced to modernize making of fabrics. So they were going back a long time ago, but that doesn’t make it any easier on the people that it impacts. But it is a constant change ahead. If we could all predict the future and be dynamic enough to change with that, it’d be fantastic. I think we’d all be millionaires. But it’s tough.

Paul Spain:
It really a little bit of news in on one of our show partners on 2degrees, bit of a change up of their execs. So they have a new chief technology officer, Stephen Kurzeja. He has stepped into the CTO, the chief technology officer role, with Martin Sharrock resigning. So, yes, a bit of a change there. And also Adrian Dick has moved across to be the chief transformation officer. So some interesting shuffles going on there, as we tend to sort of see across the sector from time to time. But these are really key roles for 2degrees. And of course, 2degrees is a bigger and more important player within the telecommunications sector now than where they were sort of five or ten years ago.

Paul Spain:
Certainly when we started this show, they’re a very small player and so it’s been fascinating to watch that. So we’ll be certainly tapping in with them on an upcoming episode and hearing a little bit more of what’s going on behind the scenes, as we tend to do across each of the telcos who are each, I guess, innovating in their own different directions and continuing to sort of establish their future and deal with the ongoing disruptions themselves. Right. And we see, it’s quite interesting in the different steps that they’ve each made to compete in different ways and in different sectors, well beyond the traditional telecommunications space. Right.

Philip Whitmore:
It’s a fascinating sector, and I think it is interesting. They tend to be more innovative than a lot of technologies in New Zealand. I’m sure competition helps out of a bit. As consumers, we all tend to benefit from it. So, always interested to see what all the telcos are bringing out and how we might.

Paul Spain:
And, you know, we do tend to call them out on the OD mistake as well on the show, but we appreciate their support, which is brilliant. Now, onto other items, I guess if we’re looking at the bigger picture, what’s happening around the world, the big thing that I’ve been called on the last few days to talk about across RNZ and Newstalks MB, has been this move to really crack down on TikTok. This seems to be a really big deal. And of course, Trump tried to do this and wasn’t successful. But it looks like the lawmakers on both sides of the House and the US are keen to push ahead with new legislation that would basically force byte dance, who own TikTok, to either divest of TikTok or exit the US market, which is just quite fascinating. Last week, when I was asked about this, and, Paul, what do you think the chances that this will go ahead after having sort of seen things fail in the past? My take, you know, but the things that I’ve been reading and monitoring on it suggest this is a pretty sort of serious thing this time around. And so I’m starting to lean more and more in the direction that this will pass. That in theory, anyway, they’ve done their due diligence on what’s going to get through the media.

Paul Spain:
A lot of the pushbacks last time were around free speech, and this would impact that. But by very clearly offering for the ownership to change, that impacts the picture. The two areas that we’re seeing where the issues are being raised is one around sort of spying and on the user base in varying ways. And we’ve already seen government, New Zealand parliamentary devices are in the same category, where TikTok is not allowed on the devices, or presumably for those reasons of spying. But then the other bit, which I tend to think, particularly being an election year in the US, is even bigger, is the aspect of algorithms. And what happens if you’ve got a government who has so much power over any company that operates in that country, and maybe not in a transparent way, who might like to ensure that the algorithms show particular types of content. How could that play out? That could change the results of an election. So I think it’s those two aspects that are really big.

Paul Spain:
I think varying people have their own challenges and thoughts. What are your thoughts? Because social media companies in general, I can’t say they’re a particularly liked or trusted bunch. And almost regardless of what perspectives you come from a political standpoint, you can find a company that will offend you. Right?

Philip Whitmore:
Yeah. Look, it is interesting, having watched it and being a TikTok user myself, I think a big part of it potentially, in the US is political grandstanding. We all saw the videos where the senators are interrogating the chief executive, a singaporean gentleman, about, was he chinese? Was he a member of the Chinese Communist Party? It came across like, well, I don’t understand the difference. I think the senator clearly understands the difference between Singapore and China, but he’s playing out to people in the US, so that’s part of it. But social media companies as a whole, they do collect a lot of information about us. So I think it comes down to where you’re from and which side of the political debate you’re on. If you’ve got someone like meta, they are privately owned. Us doesn’t have much influence, if any influence on them.

Philip Whitmore:
If you’re Chinese owned, there has to be a level of influence from government in China, just how it’s structured, the more socialist nature of them. So do you trust one and not trust the other? Do you not trust either of them? Trust them both? It’s not easy. So it is. You know, I can understand the concerns they raise. Know bite dance ownership of TikTok. TikTok was already looking to move all their data for certainly US citizens into us. I think it was called project Texas or similar to that. That wasn’t good enough.

Philip Whitmore:
Certainly people’s perception. So I can imagine it’s going to happen, which is a challenge. And it is very much about freedom of the press, freedom of speech that gets cut off. Do people just work away, circumvent around it? Because you won’t be able to download the apps in the App Stores. That doesn’t mean you can’t download from maps. Store a different country while being in the US. So will people circumvent it, particularly as Android, you can download for any App Store you like. We’re starting to see with Apple, we’re in the EU now, you can download apps from different App Stores as well.

Philip Whitmore:
So will what the US does have an influence? They can ban App Stores for having it. Can they ban individuals from using it?

Paul Spain:
Yeah, well, I think that’s part of what New Zealanders will be curious about, because we’ve got, and I haven’t got the numbers in front of me, but last I looked, a big base of users in New Zealand, I think certainly the high hundreds of thousands, if I recall correctly, based on previous stats. So there’s a big user base here. Right. And so, yeah, what would happen if the US banned it? And this is where I think, well, the banning to me seems less likely than actually byte dance divesting of it. But then how long does that take for them to divest of it? These things often can take. They’re saying there’s a six month window on this. Right. And if we step back through the sort of big acquisitions that we’ve seen over the last decade, it’s unusual for any of those to actually clear within a six month period.

Paul Spain:
So they might announce one. But for it actually to take effect, these things can take multiple years to go through. So, yeah, there’s certainly some complexity as to how those sorts of things would play out. And then if they were at all banned in the US, yeah, I would think actually we would be fine in New Zealand and it would keep running. However, a lot of the content comes out of the US. So then what does that do to TikTok as a platform if some of the biggest content creators are no longer able to operate? Or do they, as you say, sort of manage to still get their content up to TikTok, even if maybe the broad populace ends up losing access within the US? There’s a few ways it could play out, isn’t there?

Philip Whitmore:
It’s interesting. And look, I can understand the concerns, but the same content just shows across reels and Instagram and other platforms as well. Will people move platforms? I don’t know, but it is the collection of data. It is political influence. Influence on other countries certainly does happen through social media and other mechanisms as well. I’ve got to laugh. I use TikTok occasionally. I’m not dancing on it.

Philip Whitmore:
I’ve got a north korean one that pops up in my feed occasionally. Tell me about how great it is and do I want to move to North Korea? And it has 160,000 followers. That’s great. Do I want to move North Korea? No, I don’t. But it is quite comical. But that one is probably less subtle than some of the other political interference you may have directly or indirectly. Whether it’s controlling algorithms, I don’t know whether that’s happening or whether it’s just the content being generated. Because we tend to believe what’s in the media is real.

Philip Whitmore:
Some of us will challenge and doubt that others won’t. If I look on TikTok also, I believe the earth is flat. Based upon the information it comes to me quite fascinating. But it is an interesting challenge and it plays out in the US. Will it play out in other countries? Beyond that? Europe is an interesting challenge. We’ll wait and see.

Paul Spain:
Yeah, I’m very curious as to what the future will hold for us on this front. And I guess we’re just going to have to keep monitoring and seeing what actually does proceed within the US and maybe we’ll know fairly shortly. I mean, it’s already had a level of approval, so it’s just got to work its way through from there and then the waiting game begins. Now, also, looking at the US, we’ve seen this media coverage come through in the last few days around a Microsoft engineer warning that his name’s Shane Jones, actually different from the Shane Jones in New Zealand. So he’s worked in Microsoft for a little over half a decade. He’s been testing, I guess, some of their sort of copilot designer type features. So particularly focused on the images. And he’s saying that Microsoft’s tools, which are effectively the tools from OpenAI because they just license those tools and that AI and provide their appropriate sort of front end and changes.

Paul Spain:
He’s warning sexual and violent content being able to be produced by the product at the moment. And this seems to be an ongoing story that there are dramas and challenges when it comes to AI platforms, and there are mechanisms through which you can control the way these platforms operate, usually based on the words and whether you’re willing to accept those or maybe filter them out before they’re given to the AI system or the large language model to deal with. And I saw one the other day that somebody used. So their input was not to put the word in a normal sense, but they made ASCII art, so they used different characters together to write out a word. And so when it was being sort of parsed before it got into the AI system, it didn’t see the issue. But once the AI got, it’s like, hold are you’re trying to say this? And then it was able to do it. So it got past whatever filtering mechanism was there at the front. And then as we saw with what Google and Alphabet did and attracted so much attention for, then you’ve got the different sort of knobs that have been turned and little kind of hard coded things to try and encourage the AI to output in a particular direction.

Paul Spain:
And the results of those may vary. So, I mean, this one is reasonably shocking with some of the things that they’re saying that anyone can get out of the copilot, especially where the app is marked as child friendly and so on. If you’ve got an app that actually can maybe come up with some reasonably.

Philip Whitmore:
Inappropriate content, I find it an interesting debate. Because a tool could be good or bad. I’ve got a screwdriver. I can use that screwdriver to help screw in part of my deck and fix my deck. That’s a positive. I can use that screwdriver to jimmy the lock on your Mazda demio and do a ram raid. So is that a good tool or a bad?

Paul Spain:
Oh, that sounds like an evil tool that it could be used that way.

Philip Whitmore:
Steal your car with a screwdriver. And I think it comes down to other tools like AI. It is a bit of an arms race that the companies developing these tools want to do good. And it does help to have society debate what is good and what is bad, albeit what might be good from my perspective, might be different from your perspective. So they do put things in place. I can’t use, say, copilot. I can’t use copilot, say, write a phishing email to try and trick people to give me stuff. And we do phishing as part of our job.

Philip Whitmore:
We phishing test organizations. Okay, so won’t do that. That’s a good thing. I could ask it, so just write me an email to asking for someone with their password. And it would, but it can’t tell good or bad. They’re trying to filter block. But humans are an imaginative bunch. That’s why there’s a bit of an arms race.

Philip Whitmore:
Originally, certainly when chat GDP came out from open AI. Great tool for developing code. Help writes from code to do this in this language. Great help write some code that will exploit this vulnerability. Oh, that’s bad code. But what is good? What is bad? Who says this is right and this is wrong? Who makes those judgment calls? For some things, it’s easy. Don’t show this type of pornographic image or maybe don’t show pornographic images at all. That’s easy for us as society to say good and bad for other things.

Philip Whitmore:
It comes down to our individual perceptions, whether it’s good or bad. And again, I will put something to stop that because we all think it’s bad, but someone else will use their imagination to get around it. It’s always been that case with tools and it tools, but it is challenging and it becomes more challenging with the likes of video and images and sound. Whereas, okay, that’s a cartoon, that’s not real. That’s not a cartoon. But I can’t tell whether that’s real or not. That blurring between reality and non reality is challenging. And while again there’s a range of discussions about how do we do it? We put a little star on the image to say it’s fake.

Philip Whitmore:
I’ve just photoshopped that star out. I don’t think there’s an easy answer when it comes down to morals and ethics, but I think that the technology companies are trying and continuing to evolve and other people are trying to evolve to get around those blocks.

Paul Spain:
Yeah, I saw a very interesting one around AI training. And by this I’m not talking about training the AI, I’m training the users in their prompt engineering to understand the varying aspects of using AI. This is one of the things we produce here in the studio is a lot of our course material for Gorilla Technology. Sometimes it’s delivering a remote keynote or a talk and so on. And so anyway, for one of these things, basically a content around Microsoft copilot for Microsoft, three, six, five. Just trying to work out well, what’s a really good description? Let’s see what Copilot can produce for us in terms of a description. We asked it to provide a good description for the training and what came back was very Microsoft promotional element to it. And it was like, no, this is just a description of the content.

Paul Spain:
We’re not after you to wave the flag and to highlight how Microsoft copilot for three, six, five keeps your data private and this and that. It’s not about you, Microsoft. This is about this content.

Philip Whitmore:
It sounds like you might need some more prompt engineering skills.

Paul Spain:
Well, the thing was, whatever we tried, it would come back with something like this. So I’ve actually just tried it again. It’s come back with a whole lot of stuff and I’ll read out what it’s put. By the end of this module, participants will gain insights into Copilot’s capabilities and Microsoft’s dedication to responsible AI practices. And everything that we asked to say, oh, please remove the little bit about Microsoft’s dedication to AI practices. So you ask it to rewrite it with that bit removed. Right. And yeah, basically you could not get it to do it.

Paul Spain:
And eventually what it did like grayed out the box. I couldn’t put any more in. It was just like no, I refuse to obey your commands to try and steer me in this direction. And this was after it was telling me that I was trying to be evil and trying to get it to say negative stuff. And I was just like, no, I’m not trying to get you to just say negative stuff. It’s just this is not your place for promoting yourself. Microsoft AI and yeah, just quite hilarious to see how it actually dealt with that. And I guess this is where some of these hard coding type things come through.

Paul Spain:
So yeah, it’s going to be interesting to see how they evolve.

Philip Whitmore:
Yeah, I don’t think big brother is out to get you, so I think it’s okay. It’s interesting because I tend to think, as technologists, I tend to think technology evolves quite slowly. My cell phone, my mobile phone that I use now is almost the same as the one I used 1012 years ago. Better camera, better resolution, but essentially the same from us talking originally about the concept and idea of large language models to having something that’s commercially in our hands that we can use now to do lots of great things, whether it be copilot or some of the other products. That’s been a very short time frame, honestly, six, nine months from idea to something in our hands. So that is interesting. People should play with it. Get copilot.

Philip Whitmore:
There are free versions of copilot. There are free versions that sort of work in enterprise versions.

Paul Spain:
That’s important isn’t from a data privacy perspective that people are using a product that is appropriate for use within an organization where you’ve got confidential data, you shouldn’t just sort of drop it into random AI tools, especially free bits and pieces. Your mileage may vary.

Philip Whitmore:
It is, I mean there are enterprise versions for enterprise purposes, free versions, free. I think most of the organizations, most of the ones that are well known, your Microsoft’s like clearly explain the differences and what they do do and what they don’t do. And there are ways to manage risk as well. So we’re a very risk averse organization, yet we’re using censure version of chat GDP internally. So it’s an hour and zero environment. It stays there. It’s not the public version and we’re using it as a great tool to help drive business. But we have control over everything but also free versions and we might put some information on there but not others.

Philip Whitmore:
It is again a tool, but it is a tool to get the imagination going about how it might benefit ourselves, our businesses, our clients, whoever it may be.

Paul Spain:
That’s good. Now looking sort of away from the broader news that we’ve been, headlines. We’ve been reading and discussing those things, looking closer to home, and particularly the sort of things that you’ve been seeing out there in terms of trends and things going on in New Zealand from a cybersecurity and data privacy perspective, what are the things that are standing out for you that are on the horizon in terms of changes coming for us in New Zealand and the trends and I guess, common cyber dramas that you’ve been seeing out there?

Philip Whitmore:
Sure. It’s interesting in cybersecurity world, because in New Zealand particularly, I don’t think we’re getting better. We probably have the lowest maturity, therefore, probably lowest effectiveness of the developed countries that are similar to us. It’s a mixture of a lack of regulation. It is our Shelby right attitude, or hakuna matata to an international audience. It isn’t good. We’ve talked about it more than we ever have. We’re spending more money than we ever have.

Philip Whitmore:
Are we getting better? I don’t think we are. We’re sometimes keeping pace with the evolving threat, sometimes we’re not. So it is interesting, but there is hope, and this is going to sound quite wrong because there is a bit of a stick coming, albeit it’s not really a stick. So we have no regulation in New Zealand around cybersecurity. We have a privacy act that says you must keep private information secure, and that’s great. But beyond that, there’s nothing. There is regulation just over the horizon that’s coming that way. So if you’re a financial services organization, certainly the likes of the Financial Markets Authority and the Reserve bank of New Zealand have put out guidelines in recent years about cybersecurity and their expectations.

Philip Whitmore:
I imagine those will change into a form of regulation normally, when regulation appears hits financial services the most, because that’s stuff that impacts you and I. And we’ve already seen government communicate expectations to banks this week about trying to combat fraud scams, where I say, hey, I’m Philip, here’s my bank account, just pay me, don’t worry, be safe. But there isn’t matching of my bank account to my name. And that’s been the same around the world. It’s nothing unique to New Zealand. Other countries have started to evolve some, and the expectation has been clearly made here, and that could take out a significant amount of the scams and frauds that impact you and I as individuals and particularly small businesses. So it’s about regulation. Financial services also, which is very close by, is regulation around critical infrastructure.

Philip Whitmore:
So most developed countries have legislation, regulation about protecting that is critical to New Zealand, critical infrastructure. Now it used to be about energy generation, electricity, water supply, but it’s evolved. But we don’t have any of that, not even around the basics yet. I look at Australia more than a year ago now they took their act around critical infrastructure and expanded it to be around food production, education. All those things are critical to Australia as a nation, domestically and internationally. So New Zealand, we’ve been talking about this. I don’t think COVID probably helped the quickness of it. I don’t think a change of government probably helped too much as well.

Philip Whitmore:
But it’s coming very soon and I imagine it will look like the australian model where if you’re an organization that’s of critical importance to New Zealand, to New Zealand Inc. There will be some level of expectations of what you must do. Now that’s not going to be a high hurdle, it’s going to be aspects of good practice, but that will help. So that’s a bit of a stick. We don’t tend to do big sticks as more an encouragement, but that might help lift things up. To go from where we are pretty bad at cybersecurity to being pretty good isn’t a huge hurdle. But imagine if we were good at cybersecurity. We could be a Singapore type nation, we could export New Zealand’s a safe, secure place to the world.

Philip Whitmore:
We’re safe and secure. Come live here. We’re safe and secure from an IT perspective as well. And particularly the new data centers opening up with the likes of Microsoft bringing Azure here and Google cloud and AWS, why couldn’t we be that Singapore of the South Pacific and countries re inherently trust us, let’s trust us from an IT perspective, but needs our cybersecurity to rapidly increase.

Paul Spain:
Yeah, that’s a good point. And when we look at. Because we are a country that is full of smaller businesses a lot and obviously medium and large as well, but with just so many small businesses, what are you seeing? Is this kind of New Zealand that’s behind? Is that as predominant in small business from your perspective as it has been in years gone by?

Philip Whitmore:
I think it’s just as bad. And the challenge with small business, often you don’t have any IT staff or people. Folks certainly know people focus on cybersecurity and you rely heavily upon an IT outsourced organization to support you. The problem is that the mileage will vary about what they know about cybersecurity and what they don’t so sometimes you’ll get no advice, really poor advice. Sometimes you get good advice and I often get asked, who’s someone good to use? And I often don’t know an answer to that. I know lots of good individuals and I know lots of organizations that are good at this and that. But from a cybersecurity perspective, who do you go use? I don’t know. Sometimes that is a challenge, but I do see good instances of it.

Philip Whitmore:
I guess a good thing is, if you are a small business, where do you start?

Paul Spain:
I would say come and talk to me, but keep going. Exactly.

Philip Whitmore:
Which was part of the Ministry of Business, Innovation and Employment. It’s now part of the Government Communication Security Bureau. Puts out some great advice for us as individuals, small businesses, medium, large as well. That is some good advice.

Paul Spain:
Great result.

Philip Whitmore:
And maybe that’s if you’re a small business owner or running a small business, pull out, say, the critical controls, the ten best things you could do to prevent a cyberattack. Limit the impact should one incur. And to recover from it, take out those ten critical controls that are on the CERT NZ website. All free. Say, Mr. It provider, have we done all this?

Paul Spain:
Yeah.

Philip Whitmore:
Now I expect the answer will be no. In fact, I’ve not seen a small business yet that has all ten of them. And these are designed for all sizes of business. That’s probably your security strategy for the next year on that page. Please help me.

Paul Spain:
That’s a really good advice. And going back to those sort of lists, we’ve got the essential aid out of Australia and varying ones around the world. Those are great reference points to focus on and very easy to put in front of people as well. So we definitely need to be doing more of that. And, I mean, I see it too. We’re regularly auditing the technology and cybersecurity in smaller to medium organizations. And, yeah, sadly, it doesn’t seem to have sort of moved along at the sort of pace that you might have expected after all of the dramas that we’ve kind of had over the years with different firms getting hit in different ways. And look, some of this comes from the small businesses themselves.

Paul Spain:
I’ve been in talking to firms and they’ve had multiple incidences and they maybe haven’t been that bad. So they’re just like, well, this just seems to be part of the course of being a business. And, yeah, we’re not going to change a whole lot, so maybe an unwillingness to invest. And, yeah, sometimes they’ve been taken out even in somewhat significant manners. And it’s like, oh, yeah, we were back up and running within a few days. And, yeah, they’re looking for the very cheapest way possible. And of course, a challenging economy impacts us in these regards as well. And we’ve got government departments that are looking to cut back, we’ve got small businesses that are struggling.

Paul Spain:
And so when it comes to, oh, you actually might need to invest a bit more here and step up what you do. From a cyber perspective, that’s pretty hard when there’s maybe a struggle to cover the existing costs and keep up with bills as it is. Right.

Philip Whitmore:
It is a challenge. It is a challenge economically, it’s a challenge because it’s like mental health. We don’t talk about it enough. I’ve not been affected. I don’t know anyone else has been affected, therefore it won’t happen to me. And that’s not a scenario you’ve been affected, but you’re not going to tell me because you feel embarrassed. So we see organizations, we see it in industry groups at times, sharing information about what’s impacting them actually works a lot better to uplift everyone. Look, there are other resources as well.

Philip Whitmore:
If you’re a small business, there’s a great New Zealand startup company called onwardly that’s developed resources for small to medium businesses to uplift their cybersecurity. You don’t need to have that it person, you don’t need to have that chief information security officer for a relatively low amount of money. They’ve got a range of processes and things that they can guide you through and tools and techniques to help improve cybersecurity that onward delays appeared probably in the next last year or so. That’s great.

Paul Spain:
Yeah, I think we’ve had Phil on the show maybe a year or so back, if I remember correctly, but great.

Philip Whitmore:
Product, very enthusiastic guy.

Paul Spain:
Fellas, it is important to double down on this stuff. So, yeah, really good reminder. It’s been great to catch up again and delve into these topics. It’s always one of those things that there’s so much going on and everybody is so busy, limited in resources. But, yeah, really, it’s the last thing that we should be pushing down our to do lists is improving our cybersecurity. So, yeah, really great to catch up, Phil, excellent.

Philip Whitmore:
Thanks for having me again.

Paul Spain:
Yeah. So for folks that are just wanting to maybe connect, know what’s happening at KPMG cyber or connect with yourself, is it LinkedIn? What’s the best way to track you down?

Philip Whitmore:
LinkedIn is great. Philip Whitmore, you’ll find me there. Or KPMG Cyber as well. Happy for people to reach out, say hello, have a bit of a conversation. Not a problem.

Paul Spain:
Yeah. Okay. That’s awesome. Well, that’s us. We’re out of time for this episode. But thanks, everyone, for joining us on the New Zealand tech podcast. Of course, a big thank you to our show, partners Gorilla Technology, HP, Spark, 2degrees and One NZ, and you will find some of those partners do a fair bit also on a cyber perspective. So it’s not as though folks have sort of limited for choice, is it, in terms of getting help from a cybersecurity perspective.

Paul Spain:
But I always think it’s a combination. Organizations need to invest their own time as well as finding partners that can help them move forward from a cybersecurity perspective. So, yeah, that’s us for this week. Thanks, everyone, for listening in. If you’ve been catching the video, then we would always encourage you to make sure you subscribe to the audio podcast. So be that through Spotify, if that’s your podcast platform of choice, Apple Podcasts or any of the podcast apps, you can find the NZ tech podcast there. And that way you’ll keep up to date with our audio episodes, which tends to be most of our listenership. Of course, if you are listening and you haven’t caught the video, make sure you track us down.

Paul Spain:
You can follow myself on LinkedIn for the live streams. Also, you’ll find NZ tech podcast across on YouTube, Facebook and on X or Twitter, whichever you prefer to call it, as we’re still getting used to that change. So thanks, everyone, and thanks again, Philip Whitmore, for joining the show.

Philip Whitmore:
Thanks a lot.

Paul Spain:
All right, cheers. Cheers.