
The Merging Worlds of AI, Cybersecurity, and Physical Threats with David Saunders - Part II


About This Episode

This week, hosts Rachael Lyon and Jonathan Knepher are kicking off the holiday season with a fascinating conversation featuring David Saunders, Director of Forcepoint Security Labs and a seasoned cybersecurity professional with more than two decades of experience. The discussion dives into the complex convergence of AI, cyber, and physical security, exploring how the rapid rise of artificial intelligence is reshaping the threat landscape. This includes emerging trends like attacks on backups, the growing sophistication of phishing campaigns powered by LLMs, and the ongoing challenge of keeping security ahead of attackers’ innovation. As the conversation unfolds, we discuss candid insights on everything from the future of backup strategies to the evolving tactics used by adversaries. Grab your favorite holiday treat and get ready for a timely, thought-provoking look at the forces shaping cybersecurity as we close up 2025 and look ahead to 2026.


      Rachael Lyon:
      Welcome to To the Point Cybersecurity Podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now let's get to the point.

      Jonathan Knepher:
      Are you seeing a lot of acceleration in, you know, you brought up malware, but across all of the types of threats you're seeing, are you seeing an acceleration in the diversity or new methods coming out now?

      David Saunders:
      Yeah, so, I mean, obviously, you know, you said this before, we're very caught up with the day job in some ways. I mean, we are. I mean, AI is just, you know, fundamentally all it does is make things easier and more efficient. We see more of the same stuff. I mean, I've probably covered most of the things that I guess are different for AI. I mean, at Forcepoint, we're continually trying to evolve, improve, make more efficiencies and so forth. So yeah, I mean, I don't think there's anything new. It's the same websites, it's the same emails.

      David Saunders:
      It's just more of that. There does seem to be a kind of a pickup really, in some ways, certainly. I think phishing is one area where, okay, it's pretty obvious, but yes, you have seen that and you've been seeing that growing over time. But now you still need the websites, you still need to attract the person again or the email sort of thing. So it keeps us busy, I think, you know, definitely. I mean, I think, but, but I think we naturally improve, we speed up, you know, we look to automation. I mean, let's face it, you know, AI can be used defensively as well as aggressively. And you know, we're all doing that the same as well.

      David Saunders:
      We're looking at tools and how we can use AI and utilizing them in our backend infrastructure as well, which is, you know, improving things. So again, from my engineering focus, it's hard with my head, where my head is most of the days to, to actually tell you the answer to that question definitively because there's just this continual journey going through it. I mean, I think, I think there is, I think there is definitely. But I think also it's the quality of attacks, so, quantity. Yes, I think it's growing, but I think what we're getting less is of the really obvious rubbish that you can pick up and more sophisticated, more better crafted websites, better crafted emails and so forth. So we're able to be on our game more than we might have done before. And we will desperately rushing around to Pick up the best we can out of AI and our existing technologies and speeding up that whole process as well.

      Rachael Lyon:
      I'm curious on your perspective, talking about speeding things up, but also AI and I'm always fascinated by the long game. The attackers that have that patience, they worm their way in and then they just sit there for months or years. I think I just love the name of the ShadyPanda browser. I just wanted to say that. But I'm curious on your personal perspective, right? I mean, how, how can people win against that long game? I mean, that's, that's a lot.

      David Saunders:
      Yeah, no, that, that's. I mean, I, I gotta, I gotta have to say, I don't have a really, really good answer on that one. I mean that, that actually caught a lot of people out for the time. You know, we're talking years here. I mean, obviously it was a, you know, a relatively obscure browser plugin. You know, I mean, it. But it still had like about four and a half million installs. So, you know, that's a fair number.

      David Saunders:
      But yeah, no, I mean, the period of time, you know, many years that it sat there and functioned as a legitimate app. I mean, I think there was about seven different apps of which five had functioned legitimately for many years. I think, you know, in terms of what organizations need to think about is that trust shouldn't persist over time. If you trust an application to install it now, don't just blindly patch it, update it continually, you need to reassess it. Again, there is no magic bullet in this scenario, but I think that's the one thing. Browser extensions are all a bit more of a challenge as well than maybe just an application where you might take a little bit more effort to evaluate it. But again, tool set, if you allow your users to install whatever browser extensions they want, that might be a problem. So maybe you should look at your security solution that can limit or control what browser extensions.

      David Saunders:
      Because it's so easy to install a new one or update a new one in that sense. But yeah, no, that long game, I think, and I think, yeah, from an industry perspective, it starts to make us think again. If they're playing the long game, we have to play the long game. And again, if you can't trust something like that over time, that's been several years, legitimate app, you have to have zero trust on everything, Assume it gets talked about. But again, there's a cost with that. A business needs to think about everything, every application they're running and to reassess, not to continually accept something, you know, Is the only way really seriously to handle this.

      Jonathan Knepher:
      Yeah, I think we've seen these attacks too, like across the open source community too. Right. Like there have been stuff in NPM and other areas where there's been a lot of supply chain stuff.

      David Saunders:
      Yeah. What do we do? Yeah, no, I mean, yeah, again, I mean with the supply chain side of things. Well, if you're talking about sort of libraries and use of libraries, then yeah, obviously that is very challenging because often you're developing software and importing in those. I mean, obviously that's where being active with the community out there, especially when talking open source, you need to keep a head on top of these and pick up on this, understand, dare I say it, what you have installed in your application, that's the other challenge often is that developers allowed free rail. They all install everything from everywhere and before you know it, you've lost control. I think you've got to have control. You've got to know exactly what you're using. And again, that comes to good engineering practice.

      David Saunders:
      It's straightforward, there's, and limit what you're using. I mean, I've worked with many engineers over the years and there's a tendency of wanting to use everything and anything out there to learn and gain from it. That needs. Whenever you're having an engineering discussion with any of your team, you need to have that discussion of why you want to use this application versus another one or, sorry, a library or something like that. Again, you know, easy answer to that scenario. I mean, certainly, yeah, the recent supply chain, I mean, you think about supply chain in terms of libraries and so forth, but you've also got, you know, supply chain in terms of, you know, you know, other vendors selling you services that you work with directly and connect with. And I think if you think of that as well, I think there needs to be a sort of paradigm shift in the way businesses think about those relationships. I mean, John, you know, in your area of expertise, you know, when you're planning for outages, problems, you think of things that can break and you typically think of a network connection, you've got to have resilience there, a database, you know, multiple servers, whatever.

      David Saunders:
      You need to think about that whole supply chain in that same context and you need to plan for it as well. And so, you know, treat your supplier, whether it's a third party package or a software or service you provide, as if it's your network or it's your database, and then include that in your planning for failure and so forth, which again, I think people do have a distinction. They do naturally think of what they own and control and they plan more around that. But actually they should be thinking more about stuff that's beyond that really and outside of their control.

      Jonathan Knepher:
      Yeah, I think that's a good analogy you bring up. Right. Because like on the infrastructure side, right. Like I'll think about my connectivity and I'll think about who my providers' providers are.

      Rachael Lyon:
      Right, right.

      Jonathan Knepher:
      Like, oh look, everything's going to land on this same subsea cable. Like I, I don't want that. But I think, I think a lot of people don't think about that in the open source libraries and other dependencies too, that that might be systemic even. Not with the libraries themselves, but the systems and the repos where all those things are stored.

      David Saunders:
      Yeah, no, I definitely concur with that and I think again it's about, I mean you can never guarantee nothing will go wrong, something will happen or whatever, but the worst case scenario is not knowing about something when it does and not having that knowledge and understanding of everything you connect to and those dependencies in your organization. So, you know, you just said straight away, it's the, you think about not just the vendor, but the providers of the cable or beyond that. And it's the same, it's the thinking broader, beyond just the obvious that you know about.

      Rachael Lyon:
      Could we talk about insider risk? I don't know why, but all of a sudden I'm hearing it everywhere. David. I mean, years ago it used to be like the thing, I guess 2018, 2019. Right. We were all talking about it and then we kind of moved on to SASE or whatever the case may be. But all of a sudden, I'd say in the last six months in particular, I'm hearing more and more about insider risk, disgruntled employees, not necessarily the accidental employee. Oopsie. When you talk about data access across distributed systems, there's a lot going on, particularly with AI and its, you know, kind of integral or integrated nature into your SharePoint or OneDrive and, and all these other axes.

      Rachael Lyon:
      I mean, so how did, how is this evolving in terms of the insider threat and how should companies be thinking on, how do you, how do you get a handle on it? Because it could run amok very quickly, I suspect.

      David Saunders:
      Sure. And I mean, I mean, you mentioned the disgruntled, you know, employee scenarios that, you know, insider risk. I mean, I, I almost think that's probably less important. I mean the insider threat is accidental in often cases. Yes, you will get. And actually it doesn't really matter whether it's accidental or intentional, it's the fact that it can happen at all, at all. And so you kind of always want to treat the two the same. And you've got to have a zero trust mindset really when you're doing any of this.

      David Saunders:
      So I mean, if you hear about one employee exfiltrating a significant amount of your data, there's a problem with the organization really in that way. So you know that, you know, you obviously couldn't function completely without allowing users access to data, but you need to know what they need to access and limit them to that data. No one employee in the organization should have access to anything. And so yeah, no, I think the real only answer to that is that you've got to have a setup or an environment where you can control that access and to allow your employees to do their jobs, but not to go beyond that. And typically as an engineer, I shouldn't be able to access any HR or finance data. It sounds obvious, but the more senior you get up the chain things sometimes, again, it's the same old really, dare I say it's having a good knowledge about your data but who needs to access it and why they need to access it.

      Rachael Lyon:
      Particularly zero trust. That's right. Still holding true, still holding, holding true.

      David Saunders:
      So yeah, unfortunately, even though as I say, we all love the fact that we can access things quickly and not have to ask and stuff. But I think if you're thinking about that as well, you've got to have an environment where it is easy to ask. If I need access to something, I should be able to ask John and he can give it to me like that. If it takes me three days to get a response to it and then have to wait another week, that's when employees start to do things that they shouldn't do, whereas if they can get a quick response. So yeah, again, when we're thinking about that, it's not about stopping anyone. In fact, you should think about how you enable people. But of course, if employees are encouraged to go the right way to get access to data, not share credentials or copy it off somebody's, you know, but.

      Rachael Lyon:
      It's easier if you just do that, David. It's faster.

      David Saunders:
      Exactly. Well, you know, as I say, we're all human, we all want to get the job done, you know, so businesses just need to also think about, yeah, zero trust, but also enablement of their employees and how they manage that within their organization as well.

      Jonathan Knepher:
      So, you know, we talked a little earlier about like the duration of outages and when you were talking about, you know, protecting everything, how are you seeing things change with the duration of issues and what's going on in the environment and how customers or how basically people can see data observability within their network and what's going on.

      David Saunders:
      Yeah, no, I mean, I think if you take any interest in what's happening inside the industry at the moment and all the attacks that are going on, that period of time that organizations are offline, it does lead to certain questions, why did it take so long? And I think there's a lot of assumption there that basically they know they've been compromised, but they either have no idea of what's been compromised or they just don't really have a good idea of what their data is, where it exists, where the systems and infrastructure is. And I think having visibility of your data, not just at rest, but in motion and the dependencies behind it, is kind of pretty key to an organization. I think it wouldn't be if I said to anyone, data is king, organizations rely on data, data is money, all those phrases, we'd accept it, that's fine. But when they say that and then they don't have an understanding of where it is or it's the most important thing for the business, but they can't tell me where it resides or where it's backed up or who has access to it or whatever. And so if you think of a typical attack, there's two sides to it in that sense. There's what the attacker has done and there's what he could have done something to. And you can't always anticipate what the attacker is going to do. I mean, hopefully you've got some kind of auditing going on, so you get a clue to start with.

      David Saunders:
      But you can know what he could do and what's there and available in your systems, where your data is and so forth. And I think, you know, when we think about this sort of situation, from a sort of a panic situation to a managed recovery or restore of your services, you know, the panic happens when you, when you don't know what the attacker's done and you got no idea where your data is or who has access to it or what systems are there. So the best way to, if you like, prepare for that situation, to have a really good understanding of one side of it, which you can do, but you can never know what the attack is going to do. We could definitely know what your systems are. And again, when it comes to recovery, we all know you're going to have critical systems. You're going to have systems that are kind of important but aren't critical to your primary function as a business. And then you're going to have some systems that maybe development kind of, you don't. Not so critical at all.

      David Saunders:
      And again, unless you can understand that and then can, if you like, correlate what you know about what's happened in the attack to those systems, you might find you'll be able to get back online a lot quicker. I think a lot of businesses, you know, clearly want to be 100% sure before they go back online. Completely understandable.

      Rachael Lyon:
      Right.

      David Saunders:
      But in reality, if that's because they don't really know about everything. Do you know what I mean? And so. So, yeah, so. So, so I think, you know, understanding your data, I mean, you know, that is your crown jewels, you should, you should definitely fully know it. And any organization that doesn't puts themselves clearly at risk in that situation. When, when somebody's, you know, dare I say, unfortunately that happens.

      Rachael Lyon:
      Does 100% certainty even exist, David?

      David Saunders:
      Yeah, well, when you unplug it, maybe. Exactly. Well, back to the stone age, you know. Right. I mean, you joke, but I mean the recent issue with the, again, supply chain, with the airlines, you know, they resorted to checking in passengers with paper, you know, for a short period of time. And I mean, you know, maybe this wouldn't be applicable in all organizations, but when you're thinking about disaster recovery, you know, if you're offline, maybe there are some things you can still function with that old paper. You know, maybe using pigeons is a bit beyond most organizations, but certainly writing things down occasionally. I know, you know, it's not something I do very often.

      Rachael Lyon:
      I still take handwritten notes. I think I'm like the last person I know that still does this. I don't know why pigeons flares, whatever the case may be. So I think this makes an interesting full circle moment though.

      David Saunders:
      Right.

      Rachael Lyon:
      So when we talk about knowing where your data is and kind of where it is, what it is, who's touching it. But again, coming to backup and recovery processes, how do you test these systems? And I mean in particular like to pressure test these systems, and I don't know that companies do this often enough, or are you seeing that they do, but that's what I'm really curious about. And as the nature of attacks change and continue to evolve, how should organizations be thinking about this and how often should they be pressure testing their systems?

      David Saunders:
      Yeah, no, I mean, well, that's a bit of a, like, how long is a piece of string really when it, you know, in terms of, you know, I could say every day, every hour, every five minutes. I guess there's never going to be an exact answer there, but I think there's often been situations where, you know, backups are happening but nobody's actually checking whether they can restore from the backup. I know that sounds really obvious, but it still happens. No, I mean, we were joking about using, you know, tapes and things like that, but, you know, that was the, I mean, the problem because it was relatively quite hard and you'd have to go to the bottom of the cupboard and pull them out and plug them in and turn around. Obviously now, with more backups online, it can be faster, but still the amount of data that we have compared to what we might have had when we were using tapes has increased many fold. So it's not always that easy either, because you could have terabytes of data backed up. So, you know, I'm not a backup expert, it's not really my day job. But I mean, the obvious thing I would say is that, you know, you shouldn't just back up all your data together.

      David Saunders:
      You're going to have critical data that you need to back up immediately and you can have other bits of data that you should back up, you need to recover. But, you know, so, I mean, I guess maybe it's a bad analogy, but you might have a website doing some trading of some sort, buying, selling things. If you lost that data, you probably want to recover the credentials for the users to allow them to log in and continue functioning, but you wouldn't care about the transactional history that goes back two years. And so you'd want to have those two things separated from backup side of things. I guess that's the only sort of. If I was going to try and say, well, that's the way I'd look at it. There isn't a golden rule with backups, but I do think you probably shouldn't just backup everything together. And you need to have a distinct backup plan for different types of data, basically because you need to restore it quicker.

      David Saunders:
      The most important data should be the quickest to back up and bear that in mind. You need to plan for that. So if you're going to plan for how long you need to be offline, you need to allow for the fact that you can recover in that period of time. But, yeah, no, I think, you know, I think given what's going on and, you know, the way that the whole industry is going and the challenges in cybersecurity, I mean, I think, you know, backups are, dare I say it, starting to become sexy again. I mean, they never were before, but they are, should be at the top of most, you know, managers' or senior management of organizations' lists to make sure that they are considered important again.

      Rachael Lyon:
      And then you need a backup to the backup. So there's that as well. Right?

      David Saunders:
      Yeah. And that could carry on as well. And they're not going to tell you when to stop either with that.

      Rachael Lyon:
      Well, I do know we've run a bit long today, David, and I do want to thank you for all of your insights. Do you have any other kind of parting thoughts as we head into 2026 for all of our listeners, on what things you see transpiring or maybe escalating as we look at the year ahead?

      David Saunders:
      Yeah, no, I think, I mean, we've touched on it so many times, you know, AI, AI and AI. You know, I think next year, I mean, everybody's, you know, excited, but also element of apprehension. Everyone's watching to hear what's going to be the next kind of thing and trying to anticipate it. I think, I mean, clearly from the security and also just that technology, we started to talk about agentic AI. I think in the cybersecurity space, there's clearly a lot of interest and a lot of examples where AI is starting to have an impact. There's very little examples of where it's completely autonomous. It's getting that way, I think. So in 2026, if there was one area there where I'd think about it is the fact that is that going to happen? And on both sides.

      David Saunders:
      But yeah, no, I think it's going to be busy. There's never a next year that's not busy.

      Rachael Lyon:
      It's wonderful. It's nice to be busy, right? There's never a dull moment in cybersecurity. For those that are considering joining the industry, please come. We'd love to have you.

      David Saunders:
      Definitely.

      Rachael Lyon:
      So to all of our listeners out there, thanks again for joining us for another really insightful guest. And as always, Jonathan, let's remind our.

      Jonathan Knepher:
      Listeners to smash that subscribe button and.

      Rachael Lyon:
      You get a fresh episode every single Tuesday. So until next time, everybody stay secure. 

      About Our Guest

      David Saunders, Director of Security Labs, Forcepoint

      David Saunders is an experienced cybersecurity professional with a robust background in threat research and engineering. Currently serving as the Director of Forcepoint Security Labs since July 2015, David previously held the position of Research Engineering Manager at Websense from October 2007 to July 2015. Prior roles include Threat Research Manager at SurfControl, Threat Team Manager at BlackSpider Technologies Limited, and Development Team Lead at Activis / MessageNet. David holds a Master’s degree in Information, Communication, and Electronic Engineering from the University of Plymouth, attained between 1985 and 1990.