Join host Paul Spain as he delves into the world of cybersecurity with Dan Richardson (CyberCX). They discuss the concerns about cybersecurity legislation and the technological advancements that are shaping the cybersecurity landscape in New Zealand and beyond.
Plus a look at Tech News from the week including:

  • NZDF testing of space hardware
  • Westpac introduces fraud-busting tech…in Australia
  • Successful human trial for Neuralink brain implant
  • Big Tech’s race to buy AI training data

Apple Podcasts  Googlepodcasts  Spotify RSS Feed

Special thanks to organisations who support innovation and tech leadership in New Zealand by partnering with NZ Tech Podcast: One NZ HP Spark NZ 2degrees Gorilla Technology

Episode Transcript (computer-generated)

Paul Spain:
Hey, folks, greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain. Great to have with us, Dan Richardson today from CyberCX, Great to see you.

Dan Richardson:
Great to be here, Paul. Long time listener, first time caller, as they say.

Paul Spain:
Always good to have listeners joining us on the show. And look, Dan, cybersecurity is something that I think a lot of us are very interested in. And so, yeah, a real privilege to have you join the show and share some of your insights. Maybe a quick overview of where you fit into this big, wide world of Tech.

Dan Richardson:
Absolutely.

Dan Richardson:
So currently I’m the executive director, strategy and risk at CyberCX New Zealand. So CyberCX is a pure cybersecurity company. We do cloud as well, but in a very secure way. So we do the full end to end spectrum of cybersecurity services, right through from strategy consulting through to penetration testing, digital forensics, incident response, managed services, those types of things. So we’ve got our clients covered. Great.

Paul Spain:
That’s really good. And, yeah, you previously worked in a range of places kind of across the industry. You were chief information security officer at Westpac. Yeah, previously, a little bit of work you’ve been around for the spooks, GCSB.

Dan Richardson:
Very proud of my time at the National Cybersecurity center. But, yeah, I think I was telling you before we started that I caught up with a friend last week and we were having a chat and he said, oh, I remember 1999, when we were working in London together and you used to sit there and send my windows pc the ping of death. And then at the most inopportune times, and I turn around and you’d sit there and you were laughing. So I’ve been doing cyber security for a while now and I’ve been around, so lots of corporates, obviously, in New Zealand and overseas, a bit of time in government, about five years at the National Cybersecurity center, which was great, great team there. And then. Yeah, about three and a half years at Westpac as the chief information security officer joining CyberCX.

Paul Spain:
Oh, very cool. Andrews. A little bit of time.

Dan Richardson:
It’s actually quite a small window of.

Paul Spain:
Time in London in 1999 and did some stuff with the bank there. Great time to be y, two k days. So, before we start, of course, a big thank you to our show partners. One NZ, 2degrees, Spark, HP and Gorilla Technology. Lots I’m definitely keen to delve into on the cyber security front, but it’d be good just to tap in on some of the recent news, New Zealand Defence Force, they’re testing some hardware that’s gone up into orbit, I think. Yeah, it’s really interesting and I guess depending on the perspectives that you come from on, I guess, the defence element of space. But in general, I guess to me it’s pleasing to see New Zealand as a country from a commercial perspective and from other perspectives that we’re getting involved in the world space more and more. Lots of companies here that are involved in aerospace and in space.

Dan Richardson:
I was talking to a colleague in Australia a couple of weeks ago. Actually, the comparison between the australian space industry and the New Zealand space industry, that’s something. We’re beating the Aussies, so let’s keep doing that.

Paul Spain:
Well, yeah, it’s interesting to see on that front because it does seem as though in Australia the government had put their foot to the floor more. So whilst New Zealand have, you know, had quite a. Quite a lead with, you know, I guess on, you know, on a number of fronts. But, you know, rocket lab probably, you know, being the biggest, most well known, you know, part of our sector, I think in a way that’s kind of put a rocket under some of the Australians. We don’t like Kiwis beating us and actually if there’s money New Zealand can make, we should be able to make at least as much. And so I think there’s probably a level of friendly rivalry in that area and I’m sure it will continue. I think what we’re seeing with a space minister and some. Some of the direction that we’re seeing from the current government, this has taken on a more important role at a government level.

Paul Spain:
So I think that is just something that hopefully keeps heading in a good direction because I think our ability as a nation to be able to generate more export revenue and do more work as it relates to space and the broader aerospace segment is generally pretty good thing for our country and for the economy.

Dan Richardson:
It’s cool to see as well, especially with rocket Lab and other companies as well, the interest in stem that that brings for like a younger generation. Super cool.

Paul Spain:
Yeah, I think when you see these possibilities that actually, hey, you can go from studying in a New Zealand school and end up in a space company. It’s not such a far fetched thing. As, you know, I remember when I was growing up and there was one of my brother’s friends and he was telling me his friend’s dad has been working for NASA. And I mean, that was not a common story to hear around New Zealand to have some sort of connection back.

Dan Richardson:
To NASA, it seems so distant. Back in the eighties, seventies and eighties, it seems to seem very, very distant. But now we have our own space industry, and it’s so good.

Paul Spain:
Yeah. Really, really pleasing. So, yeah, without sort of delving into the politics of defence force and so on. But I think it’s. It’s pretty encouraging overall where we’re headed. Now, another thing that caught my attention, this was an article from Susan Edmonds and stuff saying Westpac introducing fraud busting technology, but only in Australia. So we might just leave the headline there and come back to it once we start delving a bit more into cyber security, because it sort of sits in that broader. In that broader area.

Paul Spain:
But, yeah, it’s a scam busting technology called safer pay, which would add additional screening, basically, on every payment that’s flowing through Westpac utilizing artificial intelligence. And so, yeah, there’s probably a discussion to be had there, and I know not just from your Westpac experience, but your other sort of connections across the banking world, you could probably share some thoughts on that.

Dan Richardson:
Let’s park that for a moment on that front.

Paul Spain:
But, yeah, it might just be that there’s a bit of a trend with what New Zealand gets versus what Australia gets in some cases. So looking at some of the things happening on a global front, neuralink, uh, that’s been kind of crazy to, to kind of see what, you know, I guess, when, when we, when we first heard about it, and I don’t know about you, Dan, but, you know, this idea of sort of brain implants, and we’ve known a few companies doing it, but, you know, musk tends to be able to get the, you know, get, get the attention and stuff and get the headlines and as you say, and get stuff done. Um, but I’m not sure that I’ve sort of had really too much anticipation that we were going to see anything anytime soon. But. But, you know, here we are where, you know, their first human patient, you know, has already been sort of, you know, touting, touting the technology. 29 year old Noland Arbor. I’m not quite sure if we’ve got his name pronounced right. But, yeah, he’s, he’s, you know, he’s got the implant, and away he goes.

Paul Spain:
And he’s able to, you know, play chess online and, and the like. Yeah. As a quadriplegic by can, you know, controlling the game.

Dan Richardson:
I’m not sure I want to be the test subject for it, put it that way. But look, if he’s, you know, obviously with his medical condition, getting something out of it, then, you know, there’s a net positive there already. So, you know, I think it’s probably a long way from general adoption, obviously, you know, good 2030 years plus, realistically, by the time it gets to market and gets through all those regulatory hurdles. But definitely something to keep an eye on. And, yeah, for those with a, you know, chronic medical condition or issues like that, then absolutely. Why wouldn’t we use technology to kind of help those people?

Paul Spain:
Yeah. And it seems to me it’s for those, you know, for those edge cases and, you know, of course we can throw around ideas of, you know, how this stuff could be used if it was available, sort of mainstream. And, you know, I think most of us have seen the matrix and, you know, there’s enough out there to the.

Dan Richardson:
Matrix too many times to freak us.

Paul Spain:
Out if we, you know, if we want to go down the rabbit hole. But, yeah, I think just in many ways, it just sort of blows my mind that this thing has happened, you know, quite quickly. Obviously, you know, what it can do and how accurate it is and how useful it is. Yeah. These are things that we will see evolve over. As you say, it could be quite a long, long period of time. There would be an argument, and I don’t know how advanced the technology is that it’s not a million miles off. Some of these sort of headset type things that you can wear.

Paul Spain:
Definitely, you know, the next level from. I’ve tried out some of that sort of technology and it kind of, you know, pretty, pretty, pretty rudimentary, pretty, pretty simple. Yeah. That, you know, it’s a step along from that, but it’s not the sort of thing where it’s reading your thoughts and able to, you know, squirt them. Squirt them out with an AI, an AI voice. Right.

Dan Richardson:
It opens up some interesting cybersecurity questions as well. You know, you look at any piece of software or hardware out there, many vulnerabilities. You know, are there vulnerabilities in these things? How do you patch them? How do you deal with them? So, yeah, that’s a real consideration.

Paul Spain:
Just a band aid on the brain.

Dan Richardson:
Oh, yeah.

Paul Spain:
Yeah. It’s a, it’s a. I guess it will be one of those points that I imagine someone is already looking at how they can, you know, how they can exploit, exploit the, the technology. Now, AI, we’re seeing this kind of move towards buying training data, and there’s been a bunch of sort of coverage on this front. It seems as though there’s almost a kind of a shaming going on for those who are utilizing information that’s sort of publicly available. And there was coverage in recent days around OpenAI training on YouTube. There’s I think a range of sort of licensing agreements and so on getting fired up so that AI companies, AI providers can be using content sort of legitimately. It’s kind of a challenging one because I can see how an organization that’s got a great AI just wants to kind of suck up the data that they can find that’s publicly accessible and just say, look, you know, trainer, just like a search engine or just like a, you know, it’s just replacing a human, but it can remember a whole lot of stuff.

Paul Spain:
Any, any perspectives on, yeah, you know, where you think we should be going here is, you know, fast sort of legislation useful? What, you know.

Dan Richardson:
Yeah, I’m not an AI expert, I’m just a humble security guy. So, you know, I’ve had thoughts and feelings like everybody else does, but if you point a large language learning model at an existing set of data, of course you’re going to get similar outcomes. AI, as we know, is not great at anticipating black swan type events. Expect the unexpected. So things that the human mind can conceptualize, AI really struggles to because for exactly that reason, as you said, you pointed at a particular set of data, you’re going to get a very similar outcome. It will think that that’s all it knows. So I can fully understand why everybody, people who are training these models might want to push that out to a much, much broader set of data. But even then I think you’re still going to run into issues.

Dan Richardson:
If you’re pointing it at YouTube or X Twitter, you’re going to hoover up a lot of bot content. And is that really the stuff that you want regurgitated back out from your AI? I don’t think so. So all of these considerations we have to take into account.

Paul Spain:
Yeah. And the challenge of how good and robust the sources are, the differing sort of viewpoints on varying information that’s available online. We’re all probably unique in terms of what it is we read and consume and we’re interested in and so on, and the perspectives through how we look at things. Right. You’ll read a headline, I’ll read a headline. We might take quite different viewpoints on what that means. You read the article and it’s like, well that makes sense. And I might look at it going, well, that doesn’t make much sense to me, and so on.

Paul Spain:
So when you mash all of that sort of stuff together, the outcomes can be, you know, sometimes just super useful and helpful for everyone. Sometimes it doesn’t play out well. You know, we saw that with some of sort of Google alphabets, you know, AI things recently where. Where they’ve tried to sort of, you know, nudge it in differing directions. And it’s kind of, you know, ended up going, going off the reservation. And I think you kind of see that with, you know, pretty much, you know, you know, every platform to one degree or another, is going to upset, is going to upset people in differing ways.

Dan Richardson:
I mean, I watch a lot of YouTube like most people do, and I’m really into architecture, so the YouTube algorithm is really good at giving me interesting architecture videos. Now, it doesn’t account for the fact that, you know, sometimes after a glass of wine on a Wednesday night, I might watch love island on tv and Zed. So, you know, we’re discrete individuals and, you know, we might use one platform for one thing, which is giving you a set of data that points to a particular thing, but actually we’ve missed a whole bunch, you know, so, yeah, we really need to take that into consideration.

Paul Spain:
And then there’s the, you know, what should or shouldn’t we be paying for? And so, yeah, should we be. Yeah. Utilizing, you know, or should AI platforms only be utilizing sources that they pay for, do you say? Well, this is public. An individual could go and read these news sources and could watch any video and so on. And, yeah, you see, there’s all sorts of potential for drama in that front, and we’ve already heard around, yeah. Potential court cases.

Dan Richardson:
And so from a legal perspective, regulatory perspective, you know, just access to those data sets, it’s. Yes, it’s a mind filled.

Paul Spain:
Yeah, yeah. All right, well, those was kind of, I guess, the big, the big newsy topics for the week, and there’s probably a bunch more we had down there we could delve into, but I’m keen to, to chat more around cyber security. This is very much your world because I think cybersecurity is so important to each of us individually. We don’t want bad things happening to our organizations, and therefore it has a flow on to New Zealand as a whole. We get things wrong from a cyber, you know, perspective. It’s kind of like having a hole in the boat. Right? You can sink. And we certainly don’t want, you know, our economy and, you know, and our people to be sinking because we’ve been taken advantage of from a cybersecurity perspective.

Paul Spain:
So that kind of, I guess, you know, puts us almost in a view of New Zealand versus the world, you know, we’re this little country sort of, you know, towards the bottom of the planet, you know, however, you know, we’re online like everyone else, is as connected as everybody else. We can be under attack. Yet there’s only ever going to be a sort of certain capacity when it comes to, you know, what the government of a sort of smaller country can, you know, can invest from a cyber security perspective. And because we have a lot of sort of smaller and medium organizations, those organizations are only ever maybe going to have access to probably a lighter levels of investment compared to the bigger players. And we certainly see a range of geopolitical issues going on in the world where we’ve got wars, we’ve got economic, you know, dramas and, you know, and then we’ve got our neighbors in Australia who are, you know, just that much, you know, bigger than us. And so, yeah, there’s that, I guess, debate of, you know, how we’re doing versus our Aussie, you know, cousins or whatever you want to call them, our.

Dan Richardson:
Good friends across the ditch. Yeah.

Paul Spain:
Yeah. So I think there’s a few things we could sort of delve into there. Maybe this Australia versus New Zealand side because on the New Zealand tech podcast when we launched, one of the things that was happening was that the government had decided to invest. I think at the time it was 1.5 billion into fibre infrastructure for New Zealand. Now that’s increased and, you know, we’ve ended up with, where are we at? Something like 87% of the population with access to, you know, superb broadband and varying other options for the other 13%. And in Australia, you know, I would politely say they’ve been trying to catch up ever since.

Dan Richardson:
It’s been a bit slower. Yeah.

Paul Spain:
But on the cyber front you could argue that that shoes maybe on the other foot a little bit. What are your thoughts on how we’re doing in this area, particularly from the realms that you’ve worked in, banking and government and so on?

Dan Richardson:
That’s a really interesting question and the way I always kind of look at it is, yeah, Australia, a much bigger country, much bigger economy. Absolutely. And I don’t want to sort of get fixated on what they’re doing as our close friends and neighbors. CyberCX is a transtesman organization. We work with organizations in New Zealand, we work with australian organizations as well. We sort of see obviously there’s a quite a different regulatory environment in Australia and that drives a lot of cybersecurity investment. So you think about things like in security of critical Infrastructure act they have in Australia, mandates minimum standards. They can designate systems as systems of national significance which, you know, have extra protections wrapped around them.

Dan Richardson:
We don’t have that equivalent kind of regulatory or policy setting within New Zealand, and that means that you can operate a reasonably important bit of critical infrastructure for the country, but there’s no minimum cybersecurity standards that you have to meet for your technology. And that obviously puts us at a slight disadvantage compared to Australia. I’m not sort of saying that we’re under investing necessarily, but actually you kind of look at things. Even in recent budgets in Australia, they put a whole heap of money into their national cybersecurity defences. Red Spice was the name of the program, but they’ve also partnered up with Microsoft for Cybershield. The New Zealand government is still lagging behind a little bit with some of that and obviously we’ve had a change of government that may change things, but, yeah, it’s quite a different environment here compared to Australia.

Paul Spain:
Yeah, I mean, they’ve had a minister of cyber security, haven’t they? And, yeah, a range of other things. I guess you could say that the legislation there as it relates to cybersecurity and data privacy tends to be more mature, more forward looking. And there’s some teeth there in some of the legislation, which is at a different sort of level to our city on that data privacy.

Dan Richardson:
Yeah, I compare the responses to, you know, last year in Australia they had some issues. Optus, Medibank, latitude financial services, all suffered cyber incidents. And that was headline news in Australia for a good couple of weeks. Yeah.

Paul Spain:
And they were being called out by the government.

Dan Richardson:
They were being called out in parliament really big time. Yeah, very forward leaning. And, you know, only one of those organizations operates in New Zealand, you know, latitude financial. And the privacy commissioner in New Zealand is having a joint investigation with their australian counterparts, which is great, great thing to do. But it dropped out of the news cycle in New Zealand very, very quickly and we’ve seen that recently with media works as well. They had a data breach and it was in the news on the Friday. By the Monday it had completely gone. So our sort of not necessarily level of interest, but the amount of airtime that it gets in the media is quite different here compared to Australia as well.

Dan Richardson:
So maybe that slight, you know, drives slightly different behaviors.

Paul Spain:
Yeah, it’s a really big point, actually. You know, I think in that the more air time that we give these things, you know, the more we’re likely to, you know, think about them, attend to them and, yeah, and so on. And, yeah, I think that was something that has been really super visible in those cases. For those that are comparing, you know, the media on both sides. It is night and day different when it comes to these sorts of issues. And I guess that comes from varying perspectives. Certainly the emphasis that we see from a government level and the government really calling out these organizations and holding them to account, there being enough of a solid enough sort of legislation that really puts quite a bit of weight on these entities. So when something happens, there’s going to be a big fallout, not just from the media perspective, but then that sort of, that tends to come along in.

Dan Richardson:
Terms of fines and penalties as well. Quite different in terms of, you look at some of the provisions that I, I think it was Medibank had to put into their financial statements as potentially money to compensate victims of their data breach. It was hundreds of millions of dollars and we don’t see that same level of response here at all.

Paul Spain:
Yeah, I think when you look at, say, latitude with what happened there, I can’t quite remember what the impact was on them in terms of, you know, what they would do. It wasn’t a lot in terms of, certainly here in New Zealand, in terms of what the cost was sort of per person impacted, but it seemed to be probably a lot higher on the australian side. It was for things, for a number of reasons. And the expectations when something happens as well in Australia. So if an organization leaks a whole lot of personal data, then they’re really having to sort of step up and pay for a range of services. It might be pay for a new driver’s license. You’ve got new id documents with different numbers and so on, so that what has been taken in the breach then can’t be used against an individual on this side. I don’t even know whether we’ve, whether we’ve had really addressed a lot of these things.

Paul Spain:
I remember last time, a while back looking at this with driver’s licenses, and I think the New Zealand thing was like, no, you’ll find you just keep your driver’s license. It was like, no, we don’t have a route for you to be able to change your driver’s license.

Dan Richardson:
No, there is no.

Paul Spain:
If you want one in New Zealand, it’s like, sorry, mate. Yeah, good luck. This stuff can just remain online for the next ten years until when your driver’s license expires or something.

Dan Richardson:
I think I’m right in saying even if you lose your driver’s license, you just get an exact replica of the.

Paul Spain:
One you with a reissue with the same numbers and so on. So there’s maybe a little bit of work to do behind the scenes there if we’re going to, you know, if we’re going to be in a place where we’re not taking advantage of because there’s a degree to these sort of settings ultimately impacting behavior, isn’t there? And it’s not like as Kiwis where we’re all sort of, she’ll be right, mate, on these topics. But there probably is a kind of a down under kind of approach that would be impacted likewise in Australia is impacted by if there are regulatory sort of pressures and legislation that says you’re going to get hit this way or that way if you don’t have things in place that changes the picture of that.

Dan Richardson:
We’re also quite a trusting group of people in this country, I would say. You know, we trust not necessarily just our banks and our civic institutions, but individually, we quite trust each other, maybe a lot more than in some other countries.

Paul Spain:
Very low from a forward fraud perspective.

Dan Richardson:
Yeah. So we don’t expect that sort of stuff to happen to us. But as we all know, fraud, especially sort of cyber fraud and scams and those sorts of things, they work at an industrial level. So there are literally office buildings full of people who do nothing all day apart from perpetrate those sorts of crimes and those sorts of frauds. And we’re not immune to that. And I think we sort of, we fall into the trap of like, oh, yeah, we’re a small country, you know, nobody’s going to really care about us too much. But as you said up front, you know, we’re as connected as everybody else. So we suffer from the same sorts of threats and the same sorts of issues.

Dan Richardson:
So we need to kind of think about that as well from a global perspective.

Paul Spain:
Now, we’ve sort of talked about New Zealand versus Australia, as it were, which is, you know, I guess it’s good to have those chats sometimes. And even if it’s just to remind ourselves, you know, maybe we’re not as good as we would like to be, but if we step back and kind of look at the whole world, there are certain parts of the world that are probably more focused on outgoing attacks, whether it’s nation state type things or for just general financial gain. North Korea often sort of comes up as a place that, you know, probably struggles to earn a lot from an export revenue perspective. And so, you know, for them, this is something that can really move the.

Dan Richardson:
Money spinning move the needle.

Paul Spain:
Right. They can generate all sorts of sanctions.

Dan Richardson:
At the same time.

Paul Spain:
Yeah, yeah. Bypass, bypass everything. So, you know, what can you sort of share from your experiences without giving away, you know, too many secrets from inside some of the environments where you may well have seen things that you’re not supposed to talk too much about, but around that sort of overall, those international sort of threats and what stands.

Dan Richardson:
Out, that’s a great question and actually something I was reflecting on a few weeks ago because like I said, I’ve been in cybersecurity a long time and there must be something kind of keeping me interested, otherwise I wouldn’t do it. Got and become a farmer or something. But I kind of look at it as a bit of a layer cake. So you think of the top layer of cyber threats as those nation state actors. They destructive, they might take down your ports or your critical infrastructure, and then there’s another layer down, which is the sort of, again, state actors, but they’re more focused on cyber espionage. And you look at espionage now, especially signals intelligence, and it essentially is just computer hacking now. You know, the days of the stuff that Edward Snowden talks about mass collect on Internet access points. Encryption is not ubiquitous, but it’s ubiquitous enough that that sort of data is way less useful than it used to be.

Dan Richardson:
And there are still some specialized applications around RF and HF radio and those sorts of things of being able to track ships. And that’s great. But you think about espionage and you sort of think, well, how do you get data remotely? Of course you’re going to hack into somebody’s system and get it. And that’s just how the world does espionage now. And we’re not immune to that. We’re a country. People want to find out things about us and we want to find out things about other countries as well, of course. And then you sort of go down in the layer cake of highly organized criminal gangs, cyber criminals that operate in certain jurisdictions in Asia and eastern Europe and other places as well, not just those places, and they’re purely driven by money.

Dan Richardson:
How do they monetize the cyber threats that they have access to and how do they use some of those tools, techniques, procedures to get as much money as they can? And that’s actually where large portions of the problem actually are. It’s things like ransomware that’s prevalent and continues to be. So data extortion, as we’ve seen recently with some recent data breaches, things like fraud and scams on a massive industrial scale. And there is lots of money in it, and that’s the motivation. And then you also, as you get sort of laid down more into the hacktivists, people with an issue that they sort of want to push those sorts of attacks, mostly ddos, denial of service type attacks, they sort of do those sorts of things. And we saw a lot of that around the Israel Hamas conflict. People picking sides and launching denial of service attacks against infrastructure that was deemed to be supportive of one of those two sides. And that was much the same with Russia, Ukraine as well.

Dan Richardson:
So while there was no real sort of direct impact from a cybersecurity perspective for a country like New Zealand, a lot of the time there were flow on effects from those denial of service attacks. So there’s so much variety, not just in the type of actor, but the type of methodology that they use and also, you know, their motivations as well. And that’s. That’s kind of what keeps me interested. It’s super interesting once you start sort of getting into it and understanding some of those things.

Paul Spain:
Yeah, yeah. It’s not, it’s not a boring.

Dan Richardson:
That’s for sure.

Paul Spain:
There’s always. Yeah, things going on. Do you, when you look at the role of AI, how do you pick where we might head over the next few years? Because from one perspective, it’s like, wow, we’ve now got all of these tools coming through from an AI perspective that can detect anomalies and so on. Usually activities that a person or a group of people could never keep up with on their own. But then on the flip side, you’ve got the bad actors also have access to technology. And if they’re able to really ramp things up with AI, which of course they are, that brings its own consequences. It sort of feels like we’ve got something of an arms race happening.

Dan Richardson:
We totally have. And you’ve been in technology long enough, Paul, as we both have, that technology is agnostic. It can be used for good things, it can be used for bad things, and AI is really no different. But we’re absolutely seeing cyber threat actors use AI tools to help them in their operations. So, common example, and this is happening to financial institutions around the region. In Australia, New Zealand and other places, AI generated voicemails that go to bank customers trained on a voice that they would find familiar. So most people you can find on Facebook, YouTube, Instagram, you can get voice samples from people really easily. Probably doing myself a disservice by being on this podcast because they have some great voice samples of me.

Dan Richardson:
It’s too late now, but you can use AI tools to generate the voice of somebody that is familiar to somebody else. Leave a voicemail on their phone, oh, I’m in trouble. I need $1,000. Can you send it to my bank account? Here’s my bank details. And that stuff actually happens. It seems a bit like science fiction, but it’s purely AI generated, but it’s definitely going on out there. And then the flip side to that coin is we’ve got some great security tools that help defend against some of those things on an enterprise level. Things like Microsoft Copilot for security device, some great job in making a security analyst job not necessarily easier, but being able to get through more threats much more quickly.

Dan Richardson:
So we can use that the same variety of tool for good purposes as well. So it’s very much a double edged.

Paul Spain:
Sword, like everything is now delving into the backs because that’s a world where you’ve worked and you will, I’m sure even as you add different firms, you’ll have a fair bit of exposure to these things. It does seem, and I think this is sort of probably public knowledge, that the New Zealand banks don’t get the same probably level of investment when it comes to cyber type things as are australian banks. And you could probably quite easily link that back up to size, scale and the different regulatory environment that we talked about earlier. There’s been a fair bit of discussion recently around a move to verification when you’re making payment to a bank account. And I think we’ve got maybe one or two players that are in the fintech space but aren’t traditional banks that are, that are able to sort of leap ahead of the big banks and offer some sort of verification type process. So when you take some money, and I mean, we can look back on, there’s probably a whole range of scenarios, but I pick on the Team New Zealand one because it was reasonably public and Team New Zealand’s of reasonably broad interest. And you know, they got the email saying, hey, can you, can you pay this bill into a different bank account? And I think that the story goes that, you know, Peter Dalton said, yeah, no worries, I don’t care which bank account it goes into. Yep, all good.

Paul Spain:
And, you know, deposited the funds. Now there’s a range of ways of sort of stopping that sort of thing. And I think, you know, they were in a period where it maybe wasn’t as broad knowledge as it is today around what your payment processes should look like. But there were lots and lots of organizations at that time that certainly knew to have some good processes in place. But there’s also that element where if your bank account is verifying your money’s going into the right accounts, that can cut down the risk. Not necessarily entirely, but it becomes another part of the picture. What are your thoughts on how hard is it to make these sort of changes, and how do you feel about the sort of the different levels of investment into our banking security here versus Australia?

Dan Richardson:
Great question. Look, when I was at Westpac, I’d spend time, obviously, talking to the board, and the board and all of the senior managers were really concerned with cyber issues and fraud and scams. And I think if you went to any financial institution in the country and talked to their board, talked to their chief executive, you’d hear exactly the same thing. If cyber risk isn’t in your top three risks, operational risks at a financial institution, you’re probably not doing your job very well. And I would say that for most, if not all, financial institutions in this country, it would be up there in terms of the risk that they’re thinking about. I suppose where the difference comes in from a New Zealand perspective is we are a lot more resource constrained than our friends in Australia, so less people, less money. The big Aussie owned banks obviously make huge profits, and there was a recent Commerce Commission report that called them out saying you need to invest more in your technology stacks in New Zealand. And I would completely agree with that because you look at some really critical applications that run in banks, and I’m not talking specifically about Westpac here, but more generally, they’re running on bits of technology 2030 years old.

Dan Richardson:
Lots of banks still run mainframes as their main core systems, and actually probably nothing wrong with that. Realistically, modern mainframes are very robust, but you look at it and go, well, why are we behind in the banking industry compared to Australia and certainly compared to Europe? I have an account with a european bank and I log onto the app and the level of security controls that I have to go through just to log on, not even transferring money.

Paul Spain:
It’s like that with my swiss bank account, too.

Dan Richardson:
It’s not a swiss bank account, I wish, but it’s a level above what you get from your New Zealand banking application. Lots of New Zealand banking applications don’t even use multi factor authentication. And you go, well, surely you’re going to run into some problems with that. Not just fraud and scams, but actually pressing problems, anti money laundering problems and those sorts of things. So there is a lag. There is a lag in the banking industry in New Zealand. And I don’t think it’s because people aren’t focused on the problem or boards or senior executives don’t take it seriously. It’s more that there’s a lot of legacy within banking environments, lots of legacy technology, and sometimes retrofitting good, robust security controls over some of that legacy technology.

Dan Richardson:
It’s really difficult. So that’s probably the biggest issue. If you look at Westpac, I think the story you were referencing might have made mention that in Australia, Westpac Australia is about to embark on a massive core banking refresh of all of their technology, all of their critical applications. I was reading news articles about this and I didn’t see any mention of New Zealand in any of these articles. And you go, well, actually, that’s a billion dollar bank for the New Zealand economy. So surely there has to be some commensurate level of investment on this side of the Tasman as well. So, yes, it’s interesting.

Paul Spain:
Yeah, yeah, interesting. One very polite way of putting it, I would tend to say, Dan. So, yes, there’s probably. Well, there is a lot more I would love to go. Love to go into probably just about sort of out of time in terms of the variety of work and the things that you’ve been involved in at CyberCX. I guess as an external party that’s working with a range of clients between Australia and New Zealand. How does that sort of variety compare to, you know, you work, you know, with national cybersecurity side of things with the NCSE and working in the. In the banking world.

Dan Richardson:
Yeah, look, I look at all of my experiences throughout my career as a learning journey. And where I’m at now with CyberCX, I’m only successful at doing that because of the experience that I have. And I’ve built that experience up over a number of years. And working at CyberCX gives me the opportunity to. To go into different organizations and help them with their cyber security challenges. And that is immensely rewarding in lots of ways at a bank. Great. I love my time at Westpac, love the team, but it’s very samey day after day.

Dan Richardson:
And what I love about my job at the moment is I can be working with the bank one day and then government the next day, and then actually a small medium enterprise out in Pakaranga and helping them, like, you get to see such diversity. And that’s actually what really makes us strong within New Zealand is that diversity. So, yeah, I’m super pumped and super.

Paul Spain:
Happy to be there now without ensuring that you end up walking out of here in handcuffs. What might people find interesting around? I guess what goes in at a government level national cybersecurity center and any, any things that you can share that people might not broadly know that people find interesting.

Dan Richardson:
I would say if you’re a person that’s interested in cybersecurity and you don’t quite know where to start, but you’ve got some really good skills, it’s a great place to go and learn.

Paul Spain:
Yes, I’ve heard that.

Dan Richardson:
And it’s a great place to do things that you can’t do anywhere else legally in the country. But it’s. I loved my time down there in Wellington with the team. Had some great people, learnt a lot, had some great opportunities to go to different places and work with different agencies and, you know, I wouldn’t trade it for anything. It’s, you know, I. I think people kind of, you know, look at the public service and they look at the governments and go, oh, you know, they’re just Wellington bureaucrats. And that was not my experience. And that goes, you know, for the wider cyber security sector within, you know, the national security system.

Dan Richardson:
So not just the NCSE and the GCSB, but people like DPMC, National Cyber Policy Office, certain New Zealand, DIA, everybody’s there is really mission focused and actually coming to cyberCX. I’ve really found that at CyberCX as well, we have a lot of ex law enforcement, ex military, ex intelligence people and everyone’s really focused on the mission. So that’s super cool.

Paul Spain:
Yeah. We’ve probably run out of time to sort of delve into NCSE and sort of cert coming together. But your thoughts, is that a good move for New Zealand to see these two entities be one?

Dan Richardson:
Yeah, look, I’m on record as saying that I think it’s a good idea. I think having two agencies fulfilling very similar functions within a small jurisdiction like New Zealand was always going to cause a few issues with overlap. I think. For me, the thing that we really want to see within the cyber security industry is what’s the plan? What does it look like going forward? What sorts of services can we expect out of the NCSC Cert NZ merged entity? What does that look like? And I know they’re working on that right now. So I’d expect over the next two, three, four months, there might be some more information out there available, but broadly a very positive thing.

Paul Spain:
Good. Yeah, I’d be on the same page on that one. So, yeah, that’s good to hear. Well, that’s us for this episode, so thanks everyone for listening in and joining us on the New Zealand tech podcast. Of course, a big thank you to our show partners, 2degrees, Spark, HP, One NZ and Gorilla Technology. If you have been watching the live stream, just make sure fire up whatever you listen to, audio through, be it Spotify, Apple Podcasts, et cetera. A favorite podcast app. Look up for the NZ Tech Podcast there.

Paul Spain:
That’s a great place. You can subscribe for free, of course. And for those that are listening into the audio, which tends to be the bulk of our audience, of course, look out for us on your favorite video platform. We do tend to stream most weeks on a Tuesday afternoon, some variations if I’m under the weather or other things happen, but most weeks that tends to be a Tuesday afternoon. And you can find us by following myself on LinkedIn, also nztechpodcast across YouTube, X and Facebook. So thanks, everyone, and thank you, Dan. Great to have you on the show.

Dan Richardson:
Great to be here.

Paul Spain:
Thanks, Paul. Anyone that wants to sort of connect or is looking for help, what’s the best way to get in touch?

Dan Richardson:
Well, if you go to cybercx.co.nz, you’ll find us. I’m on LinkedIn. Dan Richardson on LinkedIn, you’ll find me. If you’re a LinkedIn user. I don’t do Twitter, unfortunately, but, yeah, you’ll find us.

Paul Spain:
Excellent. All right. That’s great. Thanks very much, Dan.

Dan Richardson:
Thank you. Ok, cheers.