Join host Paul Spain and Mark Knowles, Executive General Manager for Security Assurance at Xero, as they delve into the evolving nature of cyber threats, the importance of privacy and data protection, and the need to stay ahead of technological advancements and potential security risks. They also look at tech news from the week including:

  • New Zealand’s move towards a digital currency
  • NZ Defence Force’s AI initiatives with the US
  • CrowdStrike’s lawsuit
  • Uber’s EV deal with BYD
  • Judge rules Google ‘is a monopolist’ in US antitrust case


Special thanks to our show partners: One NZ, 2degrees, Spark NZ, HP, and Gorilla Technology.

 

Episode Transcript (computer-generated)

Paul Spain:
Hey, folks. Greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain, and great privilege of having Mark Knowles from Xero join us today. Welcome along, Mark. How are you?

Mark Knowles:
Thanks a lot, Paul. Yeah, great, thanks. It’s nice to be here.

Paul Spain:
Yeah, really good to chat again. We were chairing the stage at a cyber security event a few months ago and really enjoy getting to know you there. So, yeah, great to be able to reconnect, maybe to get things kicked off. You can give folks a little intro of sort of where you fit into this big, wide world of tech and cyber security. What’s your role? What do you do?

Mark Knowles:
Absolutely. I’m currently the acting executive general manager at Xero for Security. I’ve been with Xero for almost four years. I’ve been working in security for about 16, 17 years now. My usual job is general manager, security assurance. And so I look after a lot of the security risk and compliance. I look after education, awareness for all of our staff and our customers also have accountability for technical security consultancy. So a lot of people would think about that as security by design or looking for how we do penetration testing or vulnerabilities, identifying vulnerabilities within the organisation.

Mark Knowles:
And I also have the privilege of looking after data governance and artificial intelligence, which is, of course, growing and huge for all of us. So, yeah, it’s a great role and Xero is an awesome place to work.

Paul Spain:
Fantastic. Well, I’m looking forward to sort of delving into that during the show and find out how you do these sorts of things without losing sleep, because there’s. There’s always things coming at us and that we have to stay on top of from a security perspective. So, yeah, that’ll be great. Of course, a big thank you to our show partners to One NZ, 2degrees, Spark, HP and Gorilla Technology. We really appreciate their support of the New Zealand Tech Podcast and, of course, of the broader tech and innovation ecosystems across the country. Well, let’s jump in on a New Zealand front. A couple of things that caught my attention this week, and that’s been picked up in the news, is that the Reserve Bank, I guess, are maybe making it official around their aims to introduce a, you know, a government backed digital currency in the years ahead.

Paul Spain:
They’re saying by 2030, they’re talking about it as something to complement physical cash. And, look, I think we’re at a really interesting sort of time in history where more and more things are getting digitised and it’s kind of, you know, it’s interesting to sort of see how different countries sort of navigate, you know, this journey to a more and more digital world. And sometimes that’s, that’s really beneficial. You know, sometimes there are, there are varying sort of downsides and we have to weigh those things up. So I think this is going to be an interesting journey to follow. Yeah, I think a lot of, a lot of folks, particularly those in the, in the tech world or those looking to get rich quick, have jumped into the likes of cryptocurrencies. So there’s definitely some differences here in terms of a central bank, digital currencies compared to cryptocurrencies. But, yeah, it’s definitely a bit of a journey ahead to see exactly how that evolves.

Paul Spain:
What’s the input that I guess we, as technologists and people in society with an interest in good outcomes from technology can hopefully feed back to government, to the Reserve bank to encourage the best outcomes with these technologies. Mark, take much interest in this digitisation of money. Is it something that’s, you know, that’s caught your attention a lot? You’re pretty relaxed around, you know, where this might head?

Mark Knowles:
Yeah, look, it’s a really good thing to talk about, Paul, because the digital world is something that we’ve all been living through for quite some time, right? I mean, this is not new. And there’s countries around the world that have already introduced a number of things from a digital perspective. And so there’s a lot of good learning that you can get from other countries. Estonia is a great example of it. Their digital world, while they’re a small country, they’ve done some amazing things there. So there’s some lessons that you can learn from that. And I think the Reserve bank making this call now is a wise thing to do, to call it out and say, this is an area that we’re going to move towards. I think that one of the things that all of us will need to be doing is spending enough time exploring and investigating and identifying what the risks and challenges are across that for us and our customers, and ensuring that what we do is going to be the best thing for our customers going forward.

Mark Knowles:
So we’ve got to make sure that we protect our customers and protect their ability to work with their customers to be successful. I’m sure there’ll be people that will be quite daunted by the fact that. What do you mean? I’m not going to have some cash? But equally, many of us probably haven’t used an automatic teller machine for quite some time, and so you’ve kind of moved into that digital world and digital payment aspect already. So yeah, I think it’s a great thing to talk about and a great thing to explore. And I know that as an organisation, what we’re doing is we always try and stay ahead of it as much as we possibly can. One of the advantages of Xero being global is we can see what’s happening in different parts of the world and we’ve got people and customers that are giving us feedback from all those parts around the world. And so I think that really helps New Zealand out a lot. I mean, one of the things we’re very proud of is that Xero was started in New Zealand 18 years ago, and so we put a big stamp on the world by Kiwis doing great things.

Mark Knowles:
But let’s learn the stuff that’s happening in those other countries as well and hopefully we can help the government and be involved with some of those discussions. So we’re certainly open to being involved with that.

Paul Spain:
Yeah. Yeah, look, I think it’s going to be a really interesting, really interesting journey ahead. And yeah, I’m always, when it comes to probably anything with technology, I’m looking for how do we get the great uplift from using the technology, but how do we minimize those kind of, you know, the negatives, the downsides of, you know, that that can come. And of course, in recent times, you know, we’ve seen, you know, a fair bit of that when it comes to, you know, what can happen with money. And, you know, the stories don’t, you know, don’t stop coming through the news around, you know, people that have lost retirement savings or, you know, what have you, because one seemingly quite a small mistake can have some really, really big far reaching consequences. And I guess you think back to past generations and look, I’m not in the position where I’ve moved around terribly large sums of sums of money, but, you know, I guess, yeah, there are times in the past where you’d have checks and then that check would be, you know, physically handed to somebody and now somebody can, you know, build a relationship with somebody online and, you know, do a very convincing job of, you know, of telling them that there’s somebody that they’re not and then of receiving funds that they, that they shouldn’t have. And, you know, there’s going to be an element of moving to central bank digital currencies that probably plays in to minimize some of those sorts of things. But consequently, there will be other sides to the coin that we’ll need to have a look at.

Paul Spain:
So, yeah, I agree.

Mark Knowles:
I think that it’s a really good point because all of us are at risk. It doesn’t matter what generation we’re part of. You know, my parents and I used checks. I used to work in a bank and was very aware of what was happening with checks. And now seeing the fact that in New Zealand, we don’t have checks anymore, and the impact on some customers, the changing world of technology has meant that cyber is a big concern for a lot of people. You know, 20 or 30 years ago, we were talking cyber. People wouldn’t have even known what we. What is this word, cyber? Whereas nowadays, your banks are constantly reminding you not to click on links, we’re constantly telling you that we’re not going to ask for your id and your password.

Mark Knowles:
Don’t tell anybody this information. And so the criminals are becoming so much more sophisticated that it’s not just an email that could be coming through to you, but it could be a phone call, or it could be, as we move into the artificial intelligence world, a deep fake, which many of you listeners will have heard a little bit about. And so I really like the fact that podcasts like this are brilliant because we’re raising awareness with people as to the sorts of things that are happening. And the speed of change is so rapid, way faster than what it used to be.

Paul Spain:
Yeah. Just to touch very, very quickly. And some of these topics, I think we’re going to have to delve into some special episodes on. But some of the things that I get pinged about when it comes to central bank digital currencies, people are concerned around privacy. What happens when the government can see every single kind of transaction I’m doing? And we’ve seen even a little bit of this just with banks analyzing people’s transactions. We’ve heard about this in relation to mortgages. Oh, we’re going to turn down your mortgage because we see you’re wasting too much money on Netflix and that. So the more visibility to data that you give to an entity, the more an entity naturally actually wants to leverage that data.

Paul Spain:
And then we look to China, where they’ve got their, I guess, their sort of social scoring mechanisms, and they’re able to turn the knobs and go, well, you didn’t comply with what we wanted you to comply with in terms of putting your recycling out, or I’m making that one up, but it’s like you didn’t comply with this thing that we wanted you to do. So, sorry, you can’t, you know, charge your EV anymore or you can’t jump on that on that train. So there’s some, there are some, you know, some interesting sort of flip sides to the positives. And I think, you know, in the West, we’re generally pretty relaxed about that stuff because it’s never really, those things have never really been an issue. But people do want to talk about them and, you know, some of them will be worthy of discussion, I think at some point because if you don’t, then potentially we don’t close some doors that maybe we should do as society.

Mark Knowles:
I think at Xero, we take the privacy of your data really, really seriously. And I’m not a privacy expert. What we do at Xero is we look for the toughest laws that exist internationally and then we follow what those laws are and implement them across all of Xero, no matter where we are globally. So the GDPR privacy laws are very strong in Europe and UK, and so we follow and abide by those which absolutely covers what we have here in New Zealand. And so I think our customers can feel pretty confident that we’re protecting them and their privacy. But I think your point’s really valid. All of us need to be conscious of our own data and our own personal identifiable information and how we protect ourselves. And it’s good to ask that question of the people that are providing the service to you.

Mark Knowles:
What are you doing to protect my data? What are you doing to protect me? There are pretty strong laws exist internationally in regard to what data can be used for. And, you know, of course we follow those. We want to be able to provide the best service for our customers, but that service is to you direct as a customer, not to everybody. So I think that’s really important.

Paul Spain:
And look, it’s challenging to get these things right. And we’ve seen governments and probably every country in the world that have made missteps with data. So I think there’s that awareness that even we might go in, everybody might go in with good intentions. Nobody can get everything 100%, 100% of the time from a perfection perspective, just drilling into the GDPR, which is the European Union’s general data protection regulations, they’re sort of the strongest in the world, as far as I’m aware, in terms of expectations on data privacy. So because you operate globally, does that mean largely that those European Union regulations have kind of put pressure on you in particular ways that end up benefiting all customers? Is that what happens when a large part of the world says, hey, this is the new standard, you’ve got to go with it? Or do you end up with still quite a broad variation between one country and another. So I imagine there’s an efficiency that you don’t necessarily want to have to deal with 20 different levels of privacy.

Mark Knowles:
We follow the, the toughest standards from a security and privacy perspective worldwide. So your point is absolutely valid. GDPR is something that we would apply across and do apply across everything that we do from a privacy and data protection perspective. Obviously, we work with every government and every country that we’re in and we listen to our customers and listen to the feedback that we’re getting from those customers. But I know that our customers can feel confident of what we’re doing in regard to privacy and security. One of the things that I’m accountable for at Xero is around audit standards. And so some of your listeners will have heard of ISO and SOC 2 as audit standards. And in fact, if you haven’t, it’s something that people should look for when dealing with organisations because those audits are thorough and they’re very, very good.

Mark Knowles:
You know, some people don’t like auditors. I really enjoy the fact that we get audited because the auditors are looking for the things that you need to watch for going forward. And the piece that you’re touching on in regard to data is now included as part of the ISO audit standards that are being introduced. And that standard comes into effect next year. At Xero, we’re already implementing those standards in regard to data protection and what we do with data. So I think it’s a really important thing for all of us as individuals when we look at who we deal with and what services and products we buy to give us some confidence that that security is there and that it’s actually included in something that is audited by reputable audit companies. So, yeah, we absolutely look for what’s going to be the best for our customers.

Paul Spain:
Yeah, I think sometimes you can get a disconnect between, I guess, a sort of a standard and where the world is at because things can move quite quickly. Is that something that takes much of your attention, or are you sort of relying on those entities to kind of catch up pretty quickly? Or are there a lot of times where you’ve got to move maybe faster than what the audit standard or the industry standard is dictating?

Mark Knowles:
That’s a great call. So with the speed of change, of course, it’s difficult to keep up with technology and cybercriminals are going as fast as what we all are as companies. In my role, I have members of my team that are looking forward and listening to what’s happening around the world and in New Zealand as to what potential changes are coming. But we’re also looking for ideas and innovation for how we can do better things. We work really closely with the governments. We have government representatives within Xero that work with governments internationally and in New Zealand. And I’m actively working on the Technology Council for Australia and what the Australian government’s doing in regard to their cyber laws and the changes that they’re making. So we try and keep up and stay ahead as much as we possibly can.

Mark Knowles:
Cyber is my life. That’s what I do for a job. I’m prepared to offer my opinion. If they would not want to listen, it’s fine. So we as a company and me as an individual, I try and do my best to ensure that what we’re doing is looking forward and trying to catch the things that might happen in the future. And it’s a bit like, as you say, the digital move that the Reserve Bank’s talking about, knowing that that stuff’s coming. Getting involved with those discussions is important, but implementing things before it becomes an audit requirement. I’m a big fan of doing the right thing and then that means you get compliance rather than put some ticks in boxes just to make sure you’ve got compliance.

Paul Spain:
Excellent. Yep, that’s good. Now, one of the other news stories that sort of caught my attention is the New Zealand Defence Force joining the US in deploying artificial intelligence for kill chains. And, yeah, it was kind of interesting to see that headline. It got a bit of coverage across media in New Zealand. I see there’s varying bits and pieces of content online around, in fact, one from the British Army on YouTube about the few of warfare. I think in New Zealand we usually lean in a peaceful direction, more so probably, than a lot of other countries, and in part because we don’t have much resource to be able to go out there and be warmongers, which I think is generally a very, very good thing. Although I guess there’s probably opinions there from a perspective of defence.

Paul Spain:
And I guess we specifically call our armed forces the Defence Force here, which is good for those who are curious what that headline might mean. A kill chain in military terms refers to the sequence of events and processes involved in targeting and neutralizing a threat. So we’re talking here about utilizing artificial intelligence to help with neutralizing threats, which I think from a broad perspective, if we’re thinking, well, from a defence perspective, if we can neutralize a threat quicker and faster, then that’s probably most of us would think pretty good. But again, for me, these sorts of things, when I hear them, I’ll also have commentary from people and sources who are saying, well, Paul, this is really dangerous because the next bit can mean we’ve got robots out killing at our behest, autonomous, autonomously. I’m not sure that’s really where the New Zealand defence forces come from, but to me, certainly it’s another reminder that we shouldn’t just let these things operate without inspection and without questioning the approach we take to leveraging the technology.

Mark Knowles:
I think so I don’t have an opinion about the New Zealand Defence Force and what’s happening from that perspective, but I do have an opinion in regard to artificial intelligence, which I think fits with what you’re talking about. AI is the buzzword, and if you were establishing a new business right now, you would use artificial intelligence. You’d be crazy not to do that. It’s going to speed up your thinking. You can use many tools like ChatGPT, which is the most talked about at the moment, but there are many artificial intelligence tools. But remembering that it’s based on machine learning and the learning that it’s got is from the questions that it’s being asked and the answers that it’s providing and people correcting that, I think AI has an important part in all of our lives going forward to be able to help us to be able to do things better. However, the piece that you mentioned just then, which I think is really pertinent, is people need to be involved with checking that and you don’t believe everything that a computer tells you. And so when you’re using artificial intelligence, I know when you’re asking computers like.

Paul Spain:
People, we have to question and check, do we?

Mark Knowles:
Exactly, mate. So we actually have to do some fact checking and if it tells you something that you don’t think is correct, it’s probably not correct. And so I think using AI tools is a great idea. It’s not going to get rid of people. We actually need to be even more proactive at making sure that the information that it’s passing back to us is correct. I think this part of my accountability in Xero is to do with artificial intelligence and having a policy in place to help how our teams work with artificial intelligence is really, really important. So we put that in place early. If it’s answering something that’s really quick, like can you write me a position description or can you tell me an answer of a simple question? Sure.

Mark Knowles:
But as soon as you start thinking about anything that covers data or privacy, then it’s not okay. And so I think it’s a really important balance to find Paul, and we’re all going to learn this. And the speed of AI growth is so fast, so what the defence force is talking about, I think, makes sense. The kill chain, as you talked about, there’s a kill chain from a cyber perspective, and you can do a Google search on it, or ask ChatGPT if you want, it’ll give you some information about it. So understanding that kill chain of how a cyber criminal will work, and then maybe learning on how you can protect yourself by asking ChatGPT or another artificial intelligence tool is probably a good idea. But don’t just believe it straight up. Do some fact checking, talk to some people that might actually know a little bit about that and follow that. So I would be concerned if we were completely reliant on AI, but I’m also very positive about how people will be able to use artificial intelligence in the future to be more successful.

Paul Spain:
Yeah, yeah. Look, I think you make some really good points there, so thanks for that, Mark. Now, there’s probably a few other things that have been going on in the news that we could tap into. One of them, CrowdStrike being sued by investors over the. The outage, that was that. I guess they facilitate it with a dodgy update that it seems like the CrowdStrike client software was not engineered well enough to do a checksum and check that actually, it was dealing with a good known quantity in terms of the, effectively, the signature update that came through to it. Yeah. Quite interesting.

Paul Spain:
When I see these situations arise where you have shareholders suing the company that they own, a slice of, it always makes me scratch my head a little bit. And probably because I haven’t really gone into two, I haven’t gone in too deep, but it’s kind of, you know, you’re kind of beating yourself up. You’re an investor in a firm, and if the firm’s liable, then, yeah. How do you get a huge advantage out of that? Because any money that has to be paid is coming from shareholders funds, effectively, anyway. But look, Xero uses CrowdStrike. I’m curious to hear, from your perspective, Mark, in terms of how do you feel as a customer when something like this goes wrong, how did it impact you and what’s been the flow on.

Mark Knowles:
It’s a great question, Paul, and, you know, many of the listeners will not have even heard of CrowdStrike before the events of a couple of weeks ago. CrowdStrike does an amazing job. They protect their role is about cyber protection and the tools that they provide act thousands, if not millions of times behind the scenes. And so, yeah, we use CrowdStrike, and they’re awesome for us. Obviously, when you hear about an incident going on, or as soon as you become aware of an incident, then you have to get to the bottom of what that is and how that’s going to impact your customers, because we care about our customers having access to Xero and them being safe. So the first steps for us, and for me is we just go immediately into our incident response processes that we’ve got. And I think this is really important for everybody to have this and to practice for those sorts of things. So someone within CrowdStrike made a mistake.

Mark Knowles:
I feel for CrowdStrike for that mistake. We very quickly identified what the problem was from our perspective and how it would impact us, and we very quickly fixed it because we have the processes practiced and planned. And so the outage was very short. And I think the news and the impact a lot wider became greater for many customers in New Zealand and around the world. The thing that was really important to me was as soon as an incident like this happens with an organisation like CrowdStrike, it’s when the cybercriminals then start to take advantage of that. And so cyber being my expertise was then the piece that I was more concerned about was the number of people that would receive an email from someone suggesting that they were from CrowdStrike and that they could help you fix this problem, or a phone call saying, I understand you’re having this problem with your systems. I’m from CrowdStrike, I’m here to help you. And even potentially deep fakes happening within that space.

Mark Knowles:
So one of the things that we did very quickly was once we ensured that things were up and running and safe, then we communicated to all of our staff to be aware and to look out for any potential attacks and look out for those sorts of emails and calls coming through. I think that CrowdStrike are a third party provider to us, and I really value the service they provide to us and they protect us and protect all of our customers. Every day, lots and lots of times when something goes wrong, we’ve got processes in place to make sure that we fix it quickly, and we’re very proud of the fact that we have and did fix it really quickly. And my strong message to everybody is practice those processes and stick to the process when something goes wrong. I do feel for them, but as I said, they’re a third party provider to us, and I care about our customers.

Paul Spain:
Yeah. A couple of other bits of news caught my attention. Uber have struck a deal with BYD, Build Your Dreams, the Chinese company who have been sort of neck and neck with Tesla when it comes to market share. And I guess in recent times it’s been one or the other of those companies leading in terms of the most market share for, for electric vehicles. And through their alliance with BYD, they’re apparently going to add 100,000 electric vehicles to their fleet. Now when I read a headline like this, and there’s more detail in the differing news stories, of course, it sort of rings in my ears. Hold on. Uber don’t have a fleet.

Paul Spain:
They don’t own anything. This is sort of the beauty of the sharing economy which they tap into. But yeah, so there’s some interesting elements here in terms of what they’re going to be doing with their Uber drivers, creating incentives for the adoption of electric vehicles and the flow on there in terms of environmental. So, yeah, looks like a really, really interesting move. And yeah, I’m kind of curious to see how it plays out. Apparently they’re also looking at integrating or leveraging BYD’s autonomous driving technology as well into the Uber platform. And, you know, we’ve seen, you know, varying levels of success with autonomous, autonomous driving technology. Last week we talked to a New Zealand Tesla owner who was conveniently given access to the autonomous driving capabilities that are available in the US for a few days and then had that rudely removed from his vehicle, poor CB.

Paul Spain:
As I tweeted over the last few days, I would be happy to have that just for 24 hours to try out. But never mind. I do not. But yeah, really interesting just to see how these things are progressing. We’ve probably seen a bit of a slowdown in terms of the adoption of electric vehicles and the current economy. And yeah, this is probably something that puts some pressure on Tesla. But look, I think it’s a great thing, the competition that we have out there in these different fields, and we never want one player to become too dominant. And in fact, I was asked just that last week on Newstalk ZB around Microsoft’s issues with 365 in New Zealand.

Paul Spain:
And a bunch of people were impacted late last week, particularly in New Zealand, with not necessarily being able to get consistent and reliable access for a period of time, whether it was to their email or their other services. And they said, Paul, are we too reliant on Microsoft? And look, in that case, I had to admit, look, in my personal opinion, you know, when one organisation has too much dominance then that can have a negative impact on many of us in one way or another. And I would say the same of Xero. If Xero had too much market share around the world, some might debate Xero’s got too much market share in New Zealand. I think there’s a reasonable level of competition that that goes on there, but it varies in different markets. But we look at things like, well, are we charged a fair price for this product or that product? If I was to pick on Xero, since you’re on the show, Mark, this was not premeditated. We’ve probably seen our price for Xero increase a bit more in markets like New Zealand where, you know, where it’s a very sort of dominant product, where it’s not got the same market share. We might see that the prices don’t move northward so much.

Paul Spain:
So these are just the realities. Of course, when we look at the New Zealand market, actually it’s a reasonably small market and there’s a lot of unique things that Xero have developed. It’s not just like rolling out Microsoft 365 and the same product in every single market. So we’ve got payroll and I, you know, a bunch of other things there that make me feel reasonably relaxed around, you know, what myself as a customer pays for Xero and the value that I get. But in that broader picture, yeah, we sometimes do have challenges with competition and in fact one of the bits of news that’s come through is around Google having maybe a little bit too much dominance and have been misbehaving. If we take what’s coming out of the US from the judgment there as they’ve just lost in the antitrust suit with the Department of Justice. So there’s kind of an interesting sort of, you know, balancing act here. I think in the technology world, you know, sometimes it is much easier for one player or another to gain too much dominance.

Paul Spain:
But I guess we look at EV, which was what that story started about. In the electric vehicle world, I think we’ve probably got a pretty reasonable level of competition.

Mark Knowles:
I’m really pleased to hear that you’re a customer of ours and I know that we look after you. I’m hoping we look after many people that are listening to your podcast, your comments in regards to the electric vehicle market. It’s interesting, you know, again, the technology is moving so quickly, right? But we all as consumers have the ability to choose what we want and the sound that our vehicle makes. For example, my cousin doesn’t like the fact that my car is silent and he loves the fact that his makes a hell of a lot of noise. I like the fact that his drinks a lot of fuel as it. As he drives down the street and I don’t in mine. So I think we’ve all got choices. One of the things that we really have driven at Xero since Xero was started 18 years ago, is we really want to offer and provide a product and a service that’s going to be amazing for our customers.

Mark Knowles:
That’s beautiful. We’re very big on being human and ensuring that we produce beautiful products and services. And so our customers have a choice. We want them to stay with us. Of course, we would love for everybody within New Zealand to be using Xero. And I know that there is competitors around. I’m very interested in. And our company’s really interested in feedback on when things are going well, but also when things are not going so well and what can we do to fix it.

Mark Knowles:
And I think that no matter where you are in the market, no matter what job you’re doing, you want that sort of feedback so that you can continue to get better. My world of cyber. I’m going to make sure that the products and services are safe for you and ensure that your data is protected. And I’m going to make sure that we’re doing our absolute best worldwide to do that. Can I ever promise everyone that everything’s completely safe? That there’s never going to be a cyber event? I’d be a fool to do that, Paul. I don’t think anyone would ever do that. And if they are promising you that, then don’t believe them, because that can’t be true. But as I talked about before, the speed to recovery, the fact that if you practice for these sorts of things, that’s the most important thing.

Mark Knowles:
So research, being prepared, offering a great product and service, I think, is the most important thing. Good luck to BYD. Um, and to Tesla. And I’m sure there’s going to be other electric vehicles in the market who are going to compete. But it’s an interesting story about Uber because. Yeah, I don’t think they owned any cars.

Paul Spain:
Yeah. Um, so what. What did you choose, Mark? You’ve. You’ve become an EV driver. What?

Mark Knowles:
Yeah, I have a t three Tesla. And not that I’m here to advertise Tesla, but it’s the best car I’ve ever driven in my life.

Paul Spain:
There you go. I’m. It’s nice sometimes we have some agreement on the show and I guess. Yeah, the last couple of weeks. Yep. We’ve been Tesla drivers all the way, so that’s good. But when I say that, I need other people to disagree and buy the competing products so that Tesla doesn’t ever become too dominant. So there you go. Now, just sort of talking around these security things, Mark, and you knew that I’m always going to throw some harder questions into the mix.

Paul Spain:
There’s something that’s been a little bit of a bugbear of mine, and we’ll try not to stay on this too long because there’ll be some listeners that won’t be at all interested. But one of the things that myself and my team do a fair bit of is helping organisations with this software selection process. How do you decide, you know, what software an organisation should choose? And there’s a lot of criteria we look at. One of the things we always look for is, is there a single sign in capability that ties back to, you know, the platform that that organisation uses? And one of the reasons that we, that we take that interest. And most of the organisations we worked with tend to be using Microsoft for better or for worse. And so that means we have their Entra ID technology, which used to be known as Azure AD. And in there we can set up all sorts of rules which says, well, actually this user can only log in from New Zealand, or there’s all sorts of mechanisms, and then they’ve got a range of behind the scenes mechanisms. And so we get to be able to turn all those knobs and put those settings in place.

Paul Spain:
And so as much as possible, we’re looking for the software stack that we utilize to be able to allow us to use that sign in rather than maybe the proprietary sign in of the software involved. And I guess what I saw last week that caught my attention and maybe in a loose way, sort of reminded me of, of why I like that is I saw for the first time, as far as I’m aware, a communication from, well, that appears to be from Xero. That was a form of a malicious communication. It looked like an auto generated invoice. Now, I haven’t actually, I haven’t had the time to sort of delve into the whole story, but it looks as though someone’s either set up a trial account with Xero or an organisation has had their Xero account compromised in some way. And so I got this communication, which is effectively Xero, sending me an invoice. And it kind of triggered me to think around, well, yeah, what happened? Has an organisation lost control of their, you know, their Xero instance and now they’re sending me dodgy invoices. Was it a trial? But it was a bit of a reminder that, yeah, I like to see the tools I use be as safe as possible.

Paul Spain:
And I think Xero have been a key player in terms of keeping their software safe, force multifactor authentication and so on. But this particular preference, and I’m sure some other listeners will probably feel the same way, has yet to be fulfilled by Xero. Anything you can comment on? Mark? Is this something we might see changing at some point in the future?

Mark Knowles:
I love the way that you were asking that question, Paul, because I’m not sure whether people listening could see the smile on your face as you’re asking the question of me. So Xero was established for small to medium enterprise business, and the products and the services were built for that. Single sign on has been something that’s been more of an enterprise focus. SSO has been something that we’ve been looking at and investigating, and the listeners that are listening to this now that understand SSO, know how important it is to get it right, and the complexities around that. We’ve invested some time and effort and money in getting this right, and we’re rolling out SSO with some customers at the moment in the UK, we have a plan for it to be implemented across Australia, New Zealand and the rest of our global market. And so we’ll be doing communications with those customers. Obviously, I can’t tell you who the customers are because those customers are fantastic and are working with us in regard to that. Just in regard to your invoice that you received, I think this comes back to the discussion that we had before, and your bank will constantly remind you about not clicking on links and providing information back. Unfortunately, the cybercriminals invoice fraud has been a way that people have been trying to commit for a long time.

Mark Knowles:
And it used to be they’d send you a PDF of an invoice. And now we’re moving forward and technology is changing, so invoicing is becoming a lot more popular, and it’s very, very good for you as a customer to be able to use that. For me as a consumer to be able to use that as well. Just watch for the protections and watch for the reality of the messages coming from the organisation. When I talk to people about phishing or false emails coming through, or false invoices coming through, sorry, we all have busy lives, right? So just take an extra ten or 15 seconds like you did and ask the question, would this be, is this real? And just double check and then if for some reason you’ve made a mistake and you’ve made a payment to a false invoice or you’ve clicked on a link, don’t panic, but talk about it, because the cybercriminal wants you to be embarrassed. They want you to go, oh no, I paid someone $3,000 that I shouldn’t have or this money disappeared from my account and I’m not going to talk to anyone about it because I’m too embarrassed about it. If you’re too embarrassed, they’re going to keep attacking you. So call it out.

Mark Knowles:
Talk to somebody. We have in New Zealand amazing people that you can get in touch with. NetSafe is brilliant. The CERT New Zealand are brilliant. There’s people in New Zealand that you can call. New Zealand police are brilliant at dealing with cybercrime, so don’t be afraid to reach out and talk to someone. And if you don’t want to talk to one of those agencies, just talk to one of your friends who would be prepared to talk to one of those agencies and talk about it, you know.

Mark Knowles:
So I’m not avoiding your SSO question because I completely understand where you’re coming from. It is an area that we’re moving to. We’ve invested our time and effort in doing that, but at the right pace. It may have been frustrating for some customers that we didn’t have it upfront, but we were targeting the customers that are really important to us at the time, small to medium enterprise, and we want to grow and continue to grow. So the service is coming and we’re testing it with some customers.

Paul Spain:
I think it’s great news. In fact, I think that’s a scoop because I haven’t read that anywhere online. Maybe it’s been published somewhere, but that’s the first. I wasn’t expecting that answer, so that’s very encouraging. Thank you, Mark.

Mark Knowles:
I always like to see you smiling, Paul.

Paul Spain:
So we’ll look forward. I’ll put my hand up if you need a local tester. So really, really, really encouraging. That’s great. And yeah, I guess, you know, seeing Xero who definitely your focus is on the smaller, you know, the smaller organisation, the smaller business, to, to see you move in that direction and put your sort of stamp onto sort of single sign in, becoming part of your offering is encouraging. What isn’t encouraging is the large number of software vendors who say, oh, you’ve got to be on our most expensive plan to ever get it. So they release it and then it’s like, oh, you have to spend twice as much or three times or four times as much money, you know, to turn that capability on.

Mark Knowles:
So I think the thing that you’ll see is passwords. You know, I would hate to have all of our listeners that are listening to us now to put their hand up if their password starts with a capital and finishes with a number, because there’s a whole lot of people who got their arms up right now. And then if we say to them, okay, yep. For those that didn’t put your hand up, if it finishes with an exclamation mark, can you raise your hand? Now? Look, do the basics well. Don’t keep waiting for stuff to come. SSO is something that we’re working with our customers in the future. It will be coming, but just do the right thing now and don’t use the same password for your bank that you use for your Xero, that you use for that competition that’s going to win you a trip to Fiji. You know, there’s some standard basic security things that all of us can do to be a whole lot safer.

Mark Knowles:
And FastPass is coming. There’s lots of organisations that have rolled that out already, so keep looking for things that are secure. But the most important person here is you as the individual, the person that’s listening, it’s you. And so you keep yourself safe. And again, as I said, look out for the likes of us who have ISO and SOC 2 compliance, because we are being checked all the time to make sure that our stuff is secure for you.

Paul Spain:
I realize we’re probably, we are running out on time. We’ve tapped into a bunch of things from the Xero world as we’ve gone along in our discussions. But, yeah, I’m kind of curious if there are any particular areas that you think that we should tap into. I’m kind of curious around your role in the cyber education side because that’s been a big part of your work at Xero, Mark, and that covers across. You’ve got your software developers, you’ve got your broader team of staff, but you also really take an interest in your customer base as well. What could you share with us have been your learnings, because I think probably for most people that are listening into the New Zealand Tech Podcast, they’ve got a reasonable level of awareness when it comes to cyber security and the sorts of things to look out for. I hope, you know, driving, continuing to encourage and driving that sort of thinking and encouraging the action of talking to family members and others and those in your workplace on these topics. But maybe there are some sort of big takeaways that you’ve learned in terms of helping to move the needle, whether that’s in, you know, any of those sort of environments.

Mark Knowles:
And more broadly, the most common thing now, Paul, is what we’ve talked about in regards to artificial intelligence. When you were thinking about phishing emails that you’ve received in the past, it used to be poor grammar. It used to be quite obvious that there was something in this email that looked bad. And now if you were to take a fake email and ask ChatGPT or another artificial intelligence tool to make it better, it would certainly make it very difficult for you to understand. And so I think my message is, as I said before, take a little bit longer, read those emails, read the text message. Someone sent you a text message saying that you haven’t paid a toll. Well, there’s no toll roads here in Wellington, but I’m sure that that person’s probably thinking that their partner’s not very good at paying toll. So maybe they clicked on the link or spoke to somebody with a very nice accent and paid them some money for a toll.

Mark Knowles:
Again, don’t be embarrassed, don’t hit the panic button, but talk to people. For me, my biggest tip to anybody with cyber is get back to the basics really quickly. Just do things well for yourself. Take the extra ten or 15 seconds to read the email, don’t click on links and talk to people. Make use of the amazing people that are around us that want to help. And this is speeding up. It’s changing very quickly. So, yeah, I love this because it’s something that I can do to help people to ensure that they’re safe.

Mark Knowles:
So we should all be looking out for each other on this.

Paul Spain:
Yeah, we should be. Now, you’ve got a fair bit of weight on your shoulders in your current role around if cyber things don’t work out so well. A lot of people, I guess, have put their trust in you to protect Xero. How do you make sure that you’re not sort of losing sleep over these sorts of matters? Because it’s not easy to have to be thinking about so many things. Obviously, you’ve got to, you know, you’ve got a team, you’ve got sort of systems and processes, but, you know, so did Waikato District Health Board to, you know, to their own degree. And of course, you know, they got hit. Now, you know, I’d say there’s a vast difference between, you know, Xero and them, but there are many, many more entities that have, you know, have been impacted, you know, some to, you know, quite, quite large degrees and, you know, if you were to pick any organisation and, you know, imagine the consequences of a significant, you know, cyber incident. Yeah. It wouldn’t necessarily be, you know, be very nice.

Paul Spain:
So, yeah, how do you deal with that, Mark?

Mark Knowles:
So we practice things on a regular basis. So do tabletop exercises, be prepared, practice what would happen in the worst case scenario, have a business continuity plan in place and practice how you would implement that. We run through it with all levels of people within the organisation and we’re constantly talking about it. We provide training to our people. We let them know where they can go to ask questions. I think, for me, the thing that helps me to sleep is we have great practices in place and we just stick to the basics and stick to those practices. And sometimes when something’s going wrong, the noisiest person in the room is not the right person to listen to. So just listen to the person that actually is there to run the incident and run the process.

Mark Knowles:
And if you’ve practiced it plenty of times beforehand, you’re going to be completely fine. So do the practice, Paul, and just be prepared, I think, is the way to do it.

Paul Spain:
Yeah, that’s great advice. Excellent. Anything else you’d like to add before we finish up, Mark?

Mark Knowles:
No, it’s great to talk to you. Thanks so much for the opportunity to be on your show. Really appreciate it.

Paul Spain:
Yeah, real pleasure. Well, yeah, thanks again and thanks, everyone, for listening in. And, of course, a big thank you to our show partners: Gorilla Technology, HP, Spark, 2degrees and One NZ. Well, that’s us. We’ll catch you again next week and hope everybody stays safe out there and you’ve maybe got a tip or two or a little reminder that you’ve heard before that’s just sunk in enough to, to push you to either some further action or push you to maybe nudge some change within. Whether it’s a family environment with a family member who, you know, might not be quite as far along the cyber journey as you are, or whether it’s within your organisation.

Paul Spain:
You know, I’m very much keen on us, you know, moving in the right direction on these things. Yeah. Thanks for your insights, Mark. I really appreciate it.

Mark Knowles:
It’s great to talk to you, Paul. Look after yourself.

Paul Spain:
Cheers.

Mark Knowles:
See ya.