E2 – Susan Brown of Zortrex
The Data Diva Episode 2 - Susan Brown of Zortrex & Debbie Reynolds.
37:15
SUMMARY KEYWORDS
people, tokenization, data, companies, Debbie, token, secure, security, technology, compromised, tokenize, business, privacy, protect, Cybersecurity, biometrics, regulation, problem, customers, devices
SPEAKERS
Susan Brown, Debbie Reynolds
Debbie Reynolds 00:02
Hello, this is Debbie Reynolds on "The Data Diva Talks" Privacy Podcast, our special guest today Susan Brown, who's the Executive Chairwoman and founder of Zortrex Vault, Zortrex Software, where she helps customers protect data using Advanced Encryption, and Tokenization Interception technology. Hello, Susan.
Susan Brown 00:22
Hi, Debbie. Lovely to have you.
Debbie Reynolds 00:24
It's funny. So you and I have talked at length on LinkedIn, and you and I would message back and forth. I remember some nights I'll be up like to two or three o'clock in the morning, and you're like, before your coffee, we were like texting about different things. I think you've always been super vigilant about certain threats and things that happen in, you know, the Cybersecurity industry, and you're very passionate about Cybersecurity and protecting individuals. I would love for you to introduce yourself. You are, you know, quite a dynamo. And I love people to get to know you and your company and the things that you're interested in.
Susan Brown 01:02
My background is financial. And in the last 15 to 20 years, watching people's accounts being totally emptied. Until you see the back end of what is actually happening with these people, it's devastating. There's only one word for it. It's absolutely devastating. I mean, you're working in the financial industry, there is a lot of trust there within the business or the customers. So this went on and worked with the bank and hospitals and worked for the government doing grants and what have you. And in 2012, I thought, okay, I'm going to start my own business. So I started with an accountancy. So that's that done the first of April 2013. And since then, I now have five businesses, I did say 20 years ago, me nope got a job for life, but there are no jobs for life. So basically, it grew of what some of the best and developers and architects, basically just in the accounts that realize that I had a passion for Cybersecurity. And so I would get up early in the morning, and how does the computer work? How does a phone work to fit them today. And even though the design and what we're helping design and what Zortrex is talking about, that I'm so proud of, and we're releasing this week, and the black boxes, black box for the tokenized databases SQL database. So we all seen that in full swing last night, and I just, oh my god, it's worked. Because you see things, you try different things, or you go back to the drawing board. And but I'm so proud of what I've achieved, Debbie, and this is a must-have to secure data to secure people's identity. Identity's fallen off the cliff. And it's quite dangerous at the moment because that they're also giving away the biometrics. And when that's gone, and if the biometrics has not been secured, a lot of people think biometrics is security. It's not. It's access management. And these people will go into court trying to fight to save, keep their identity for them to be thrown out of court. And the bad actors are winning, this the courts think of the person, they know absolutely everything about you to the person who is the real person has no identity at all. I've actually been looked upon as a criminal, so three years ago, I brought Zortrex to market, and I'm going to really do my best to try and push this data security. At the same time, GDPR is going to be implemented the following year in May. So it was a long shot. So I've had to fight to basically educate people. And at the end of the day, they talk about the big giants, or they talk about how people on Facebook, they don't have a brain basically, and who cares? Well, I care. Right. You know, exactly. They might not understand the process now, understand that they don't understand the process, I understand the process, but I'm happy to fight for them. You know, you know, we as human beings, if our data is important to the Facebooks and the Googles and what have you, then it's important to me.
Debbie Reynolds 04:33
You know, I always see that you're incredibly passionate about what you do. And you're passionate about, you know, protecting individuals. And I really like when you're talking about the difference between, you know, managing identity and managing access because people do get that confused a lot. And it is really important because you're right, especially with biometrics that someone can steal your biometric information they can impersonate you possibly better than you could, you know, they can ask those questions that, you know, security questions that people pose to you. And in terms of being able to protect yourself, the laws really haven't caught up, especially with things like definitely biometrics, but even like, you know, we're in the wild west about deep fakes. And you know, what is real? And what is it? One thing that struck me about the profiles that you were saying that Cybersecurity threats have a psychological element to them? And you sort of try to think about it as an inside out type of way. Like, what do you think a Cybercriminal would be looking at, or you know, what they will be interested in, and how, how people can be less vulnerable. So I'd love for you to talk a little bit about that.
Susan Brown 05:52
Cybercriminals are watching every move that people do and their digital footprint. And when you've worked in the financial industry, a long time ago, I know how that is managed and how it's done. And also, when you work in the financial industry, where there's a compromise, or there's a breach, and we have a certain limit, I have to find out how that breach happened, where it happened, and who's responsible. And you need to start thinking like a criminal to understand what they're doing and what will be the next moves. So I started looking at that last year, and the biometrics got stolen. And the software snooping in mobile security. So if you think about it, the speed and the IMEI number should be secured. The minute they use biometrics to open up the phone to read a message or make a payment that same because the phone is now being cloned, that actor is getting old authorization codes and going in and taking over the bank account. And that was really quick for me to realize that. We call them Cybercriminals, bad actors. They are really good actors. Right.
Debbie Reynolds 07:14
Yeah.
Susan Brown 07:15
I mean, they're really actors. And like even saying, I'm Susan Brown but am I really, and people go, what? But it makes people think differently. I mean, are you Suan Brown? Do you have Zortrex? So yeah, it does make people think, and my career in IT are going to board meetings. IT was never asked. I mean, at the end of the day? Well, that's IT, this shouldn't really discuss that here on the board. They just want to know what the figures are. What's the dividend? What's the profit, I haven't got a loss. And then talk about the lots of talk about the KPIs. When you're looking at how many years this has actually gone on. You made a post this morning, yesterday, or this morning Debbie, about the antitrust. I'd still like to think that the regulations are there to protect people. Right. But even over the last few years, the trust is eroded from the regulations. We both have spoken at length about GDPR. And what have you, and you've got NDA'S and confidentiality rules with whoever customers you're working with. So you really can not disclose, but what comes first, a regulation or a document? We've also spoken at length about how whistleblowers have been treated within the company, right? And I do understand both sides, but at the end of the day, it is not if there is a problem. I mean, at Zortrex, we have a procedure if there is a problem. We have an open-door policy. They don't have to go through a manager. They can come directly to me, right? Because I want to know if there is a problem. So that it can be addressed.
Debbie Reynolds 08:57
Absolutely.
Susan Brown 08:58
Insider threats have started to increase in the last couple of years, most of all now, especially this year. But if your staff feels that they can't come in and knock on the door anytime to say, hey, I've noticed this or I have noticed that you're never going to know,
Debbie Reynolds 09:13
Right. I had a meeting yesterday with the New York State Bar Association. I'm on their Technology Committee. And so the purpose of it is to educate lawyers about these issues, and one of the key points that we all came away with is that you have to have a culture of Cybersecurity, you have to, you know, you do have to have those open doors. A lot of you know, for example, the example you gave about someone getting their bank account cleaned out like that's such a hot issue because it happens a lot like, for example, in real estate, where let's say a hacker has infiltrated someone's system and they're just watching the communications, and someone says, Oh, I need to send my bank account number. They get an email that looks like it's from the same person, and they say, well, we change the bank account number you send it over. And those people, you know, often don't get any of their money back. So they like their life savings are completely gone because of that. And a lot of those situations happen because maybe the person is making the payment is afraid to talk to their boss, or their manager, or say wait, you know, this thing has changed. You know, I'm concerned about this. And you really have to have those open lines of communication. Also, one thing that you mentioned I will talk a little bit more about is board membership. So, you know, I've seen in some corporate situations where they very much devalue the technology part. So they think whatever business they're in, that's so much more important than the technology. And right now, so much of what we do is dependent on technology and dependent on data. And some of these companies, if they're not really listening and have an open door to those cybersecurity professionals and data privacy professionals that are trying to educate and protect them, you know, some of these companies end up going out of business, you know, not everybody is a Facebook or Equifax and they can, they can recover from a Cyberattack. But one thing I want, in addition to the board members. I would love for you to explain just tokenization how it works because that's your business.
Susan Brown 11:24
It's a fantastic technology. And we are about I would say the moment about four years advanced in technology. We all know Visa, MasterCard is tokenizing the PIN number on the credit card. We tokenize everything on that credit card. So tokenization is taking that data, changing the data to so I'm Susan Brown, but I'm actually Debbie Reynolds, it says my date of birth is this, but it's actually something totally different to the point that no one can data harvest that data if one token was compromised, so we took in everything one token at a time. So basically, and say, for instance, in 20 years, the bad actors got in and compromised one token, it's absolutely fine. Because look at the name, whatever names on that. It's never the real name anyway. So they've just wasted all the time, going through all the different levels of security to just get a person's name, and then go on to the second one, which is a total different tokenization, a different token, and try and do the simple process all over again, and can't do it. So tokenization is basically changing the data or changing the raw data to synthetic data. But that token will work as if it's the real data. You've probably heard and seen, oh, we can tokenize this, and we can tokenize that because it's so exciting. I mean, sometimes I need to pinch myself because basically tokenization is tokenization. And for the tokenization of devices, it's just a change in configuration. So we want to tokenize the device, we want to tokenize the IMEI number, or we want to tokenize personal data or healthcare data. It's all different configurations that we can put in on the security of that token. And if you think about the seven levels of security within the tokenization process for tokenizing. There, there are even more levels of security for detokenizing that data. And it's all managed. So what is this is this comes from the same device, same location. So it goes through a number of areas within the token before that token will be detokenized. We can see what the raw data is. So if you can imagine a database which so the black box has got think 137 different fields, you're talking about 137 different tokens, and this list outweighs the hackers for a start. Because if there's no value to a token, they're not going to waste time to go into the token can also be controlled from the bank account, and credit card accounts are basically Visa MasterCard, you can use that token four or five times and then start the process all over again. You should never really do that. Because then that token becomes a value. It's being used four or five times we ask for a different token, every transaction, so if you're going to Amazon and pay for something, and you say oh, I should have bought that, and then you go directly back in and purchase what you forgot. It's a totally different token. That never matches that the first token that was just on Amazon or another shopping channel. So our roadmap is exciting, to say the least. I'm now looking at totally different other different inventions that people have said Susan, you're mad and then come back two, three weeks later, and say actually how did you manage to do this because you're right. It can be done. Yeah. So it is new, and there is new technology. And I have to be very careful for security reasons. On what is tokenization? How do we do it? Because that is the magic sauce. Yes, of course. Yes.
Debbie Reynolds 15:21
Explain to me how tokenization, the way you're thinking about is different than encryption.
Susan Brown 15:27
So encryption, encryption, and you've got the keys there to protect to de-encrypt the tokenization. That is no encryption keys at all. And it's the token that authorizes the matches the token to open a data and what have you. So it's definitely you don't have all the keys to keep safe from bad actors as well as the data. But even when you look at encryption, to me, encryption has had its day because I have watched a bunch of ethical hackers access data in milliseconds.
Debbie Reynolds 16:02
Yeah, that's true. That's true. I guess one thing that I think about when I'm talking about Cybersecurity, a lot of people I don't know, I feel like people who don't understand Cybersecurity, they think about protecting data, almost like a castle. So it's like, I have this castle, and I'm gonna protect the walls, and the walls are thick, and the walls are tall, then I'm protected. But the problem is, a lot of times the threat that you have can jump over the wall, they can go through the wall, they're in the castle already. So how do you protect, like, if someone was already in your infrastructure? How do you protect the data once they get in? And you know, I don't know, you see it too because you keep track of this a lot about a lot of the hacks that happen in these big companies. And a lot of times, it's like, once the intruder is in, inside, they can do all types of stuff. So I think the reason why I am very attracted to tokenization is that you can do it at a data level. So let's say if someone did infiltrate your infrastructure, and they got into some personal data, that data will be useless to them. You know, so that I mean, I want to know your thoughts about you watch all these hacks and you watch all the news about people are having these data breaches. And to me, it's, it's very saddening to see the damage that can happen once someone gets into your infrastructure.
Susan Brown 17:36
First of all, when it comes to the infrastructure, that is no data and another infrastructure that totals all tokens. So if our infrastructure was compromised, and there are no tokens, the data is not there. And the data is in the vault, which is to get locked away, and doesn't even have to be in the same country. It might be in the same country. And it all depends. So even if they did try and compromise the fortress, there is nothing there for them to take of value. And then if you think how can that possibly happen? At the moment, you've probably heard people talking about Ireland Open, so Smart Cities are being built. And the bad actors are political and, and World War Two Enigma time for them to do is jump from here to here to there to get to the main target. And we're talking about soldiers. And though, essentially, this is what the bad actors are doing, they're jumping from device to device, to get to the target to the point that Hewlett Packard, they've got a bounty to just now to check the print cartridges and people think "A print cartridge? This is nonsense.". But it's not. I mean, anything basically with a chip in it, are connected to the Internet, and is connected will be compromised. So although these Smart Houses are being built, which is a great technology, but then to the fridges that, if you've run out of milk, it can purchase it for you, who now wants a device to be able to get access to the banking details and order. The groceries, for instance, who look at the tokenization of Smart House, secured every single device. I mean, when it was first spoken about and the Ring doorbell now even people are using that against the police because it's a fresh gateway that can be used for the good can be used for the bad. There's always an open-end, there's always a gap.
Debbie Reynolds 19:44
Absolutely. I think sometimes people are so enamored with the possibility of what technology can do and they don't really think about the harms. And I totally think about that. Actually, your example about the refrigerator that orders milk for you, that exists really, and I'm not sure I would never use that. I'm not sure who would. But some people do. Some people really want that. But I think too people assume that they have more protection than they do. So I think when you put these things in your houses, you almost have to be your own IT Cybersecurity person to know the best way to protect yourself or, for me, I just don't bring them into the house. So that's like, the easy thing for me. But even, you know, like your Wi-Fi connection, or just the Internet of Things, stuff that you have in your house, like, for example, I asked people like how many Internet devices do you have in your house, they'll say, their phone, they'll say, their computer, you know, they don't say, their vacuum cleaner. They don't say their thermostat. They don't say, these Smart Speaker, the TV, the Smart TV that they talk to anything with the Internet connection can be breached. And you know, it has, obviously, connects to the Internet, but it's collecting data as well. And depending on the country you're in, you know, that may or may not be legal, but I feel like what a lot of these companies are doing because you know, they're creating a product and they're selling a product. So once you, as a user, purchase the product its sort of your you know, whether you're a part individual or a business, you know, you have to wear your Cybersecurity or Data Privacy hat to figure out if what I'm doing is even legal to do or is it even safe for me to do this?
Susan Brown 21:37
You made a few valid points there, Debbie. So basically, you're going to the store, and you buy a smart fridge. And you walk out the door. Oh, do you want insurance for a standard warranty for five years because you only get a year's warranty? But these smart devices you've not been advised that you need security, you've not been advised it's lacking in this, this and this and this is the features, this is what it can do for you. So that's a big, a big massive problem in the consumer market. You mentioned the thermostat. Can you imagine that being compromised? I mean, as people's health is absolutely everything because different people suffer from different disabilities, people really need to take the security on these devices more seriously. I mean, they now even the devices are going a bit more personal, that needs to be secured. The contact tracing app and that and although as a native that got me talking about because one, it's so important because if we're hit with another pandemic tomorrow right and having to cope, and to me, we would not cope too great, trust is going so quickly. But the Cybercriminals never stop. They're not. They're just not interested in this COVID going on, people are worried, and a lot of people will be ill over it. They will use that to their advantage. Absolutely. Every single time they'll use it to their advantage to go into a shop to buy these Smart devices or even put your money down to buy a home, especially if you've got Smart devices in it. Right. As insurance companies, you're looking at this to insure or to put a double or treble premium on it. Yeah, it's in every single market. If it was going to be totally open and honest, I think the security of data has lapsed for a long, long time. Yeah. And so much because it slapped on the most important aspects of economic growth, right, we're in a recession if they got hold, or secured people's data and the financial transactions and everything like that the billions are lost, but that's what put them a backup in a growth area that could say, you know, we should have done this years ago. Right? But because it all lacks the security. Now, even the devices I remember even here in the UK, when we had the manufacturing back in the 1980s, 90s. And it was all done and stamped the bit of standards. There is nothing like that. It's totally gone. Right. And people wonder why people wonder why it's as bad as it is. Right?
Debbie Reynolds 24:27
Exactly.
Susan Brown 24:28
And consumers don't think how what this device is built. What's in it? Can it be compromised when you look at all the medical devices they have already started on the medical devices? That issue is serious. I mean, when you look at privacy or any kind of medical condition, I've been there myself, I should know, Debbie many many years ago and even then I'm just a number, and my son's a number. So I've been very fortunate and the privacy of medical data, where everybody is, yeah. But I still care that they're their medical data should be secured. At the end of the day, we have ransom exponentially growing. There's gonna be other attacks and compromises. I don't know on both hands how many healthcare and hospitals have been compromised, but at the end of the day, the people will die. And if I have to show up every day and secure the data, secure that individual, because that individual's life is important. If you can save one, a hundred, a thousand, a million, it's all worth it at the end of the day.
Debbie Reynolds 25:45
And what do you think? I mean, we touched on a little bit in terms of the COVID pandemic. How do you think that's changed things for better or for worse for individuals or for companies? What do you see in your practice?
Susan Brown 26:02
Basically, in my practice, we've been very fortunate. When the COVID happened, everybody started to work from home. And we did refurbishment here in the office and changed all the office procedures for customers coming in and basically, for staff. My staff is very trustworthy. So basically, if anybody close to them has had to get a test, we are communicating back and forward. We came back to work at the end of September. And then there's other lockdowns happening, or someone in the street or someone's kids who went to school, the parents got COVID, and what have you sort of as what in but businesses are not being advised by the government. What do we do? Right? Then you maybe have some stuff played on the fact here, for 14 days off for work, self-isolation is not being checked up. Businesses, there's no way for a business to realize that this person doesn't need to isolate. So if you look at it as hitting businesses, it's hitting the homes. My parent, my parents, never my father's never been out because if he got COVID, he just would not survive it basically. But when you read articles of your data going to different corporate, different companies, different corporates to police. Medical data has to stay medical. If I was married and my partner died tomorrow, and he had said full confidentiality, they wouldn't be able to tell me what he died of. Right. But all of a sudden, a pandemic that every company can use the phone for contact tracing apps and now where are you? And I mean, I understand the location. It's not been secured. Everybody knows that Bluetooth isn't secure, Debbie, and that makes me wonder is this just basically another ploy, another spying thing now and we spoke about the figures, on the COVID, at the very beginning, I was talking to a friend of mine, and I just could not get my head around it. It just did not make sense of all these thousands of people have got COVID, and they're dying, and we will see people drop down in the streets, not being able to breathe or need medical help. I do not see that here. And I've not seen that over the last six, seven months. But obviously, every country is different. So I can't really comment on what's happened in your arena, and you already know. But at the same time, people are wearing masks people go into shop some children, they leave the school, and the masks come off, and the parents are at work. And they just don't know that the kids have no wearing the masks and what have you. It's like it's rules if they go to this place, but different rules once they leave, and the problems just the problem just keeps on evolving.
Debbie Reynolds 29:05
In terms of security threats, what do you see? Or what would you like to see in the future? What would you like to see a change in terms of either technology regulation? If you had your druthers and you rule the world, what would be the change that you like to see in terms of privacy or Cybersecurity?
Susan Brown 29:26
Basically, they strengthen regulations. And the company and the company for me and the companies that are starting up in business to be tagged that they have everything in place before they even actually start in business so they can protect customers data if it's financial, protected financial transactions if it's medical, and to secure the medical information to put the customers first and the last 20 years Debbie you want to buy this within two seconds you have an email, please verify your account. There's no know your customer, But there is just no process there. I've also watched companies say, oh, we paid the company 50,000 pounds. And because they sent us an invoice, I mean, in 30 years in the financial industry, you have the processes from step one, step two, step three. So you can go to the purchase order, yes, this is finished, and you can pay the person. So it's telling me even the accountants or processes have been all be messed all the way through all the new companies. And again, technology is a problem with that, because of the slip here invoice, one invoice on the go, what are they using, Bluetooth? So you're talking from, start right through to the end of any Cybersecurity be taken as one of the very first processes to secure the population, putting a look at the whole process. And in the even in 2023 when the drug supply chain act is coming out, and this is going to be every chemist, and what have you, at the moment chemists are doing this and flu jabs and all the rest of it. But how, again, are they securing data?
Debbie Reynolds 31:08
Right.
Susan Brown 31:11
Why are the gaps in the regulation allowing it to happen? Regulation has to be at the forefront of everything that we do.
Debbie Reynolds 31:20
I agree, and it needs to happen. To me, it feels like a lot of these problems, we all have these problems that we're all facing with COVID and privacy, and so there are so many different countries that are trying to make regulations now and trying to work on enforcement. But I feel like some of these things, maybe at a higher international level, we should have some type of agreement just on basic things, you know, like, you know, hacking is bad. I don't know.
Susan Brown 31:49
You're making a real valid point, Debbie. Because I mean, in the last month or so, EU has stipulated that the data transferred, went into the EU has to be secured, what have you. So I mean, it's absolutely brilliant that the EU is taking security first. So there are other countries that followed suit. But to me, every country has to follow suit. And that includes the UK because come the 31st of December, we become a third country, and basically, who would allow unsecured data coming through, especially if it could be compromised. If they let it through and it ends up in the EU, then who's responsible for allowing that data transfer through?
Debbie Reynolds 32:36
Exactly, yeah,
Susan Brown 32:37
Businesses have to keep on moving, but they need to take security seriously. I think the time of the year, especially for the UK, is going to have to be a massive change for the UK. Absolutely. And when we talk about tokenization, and I've asked the question every day, who's your customer? And you've probably seen the post and what have you tokenization for everyone. But if you look at it this way, and if every citizen in the world came to me to secure their data, what would the big giants do? What would the companies do? Because there would be no access to the data unless the person allowed them access. That's right. And it's like turning the tables, from what companies, it's not just a case of ticking the box to consent, that lovely box does not say that you can disrespect my data. But once it's been taken, who knows what's happened behind that laptop,
Debbie Reynolds 33:33
I think the shift is happening from the company focus to the focus on the individual. So to me, that tokenization goes in line with that. And I think that's the way the world is going to have to be in the future. Because other than that, you know, I think it starts to carve into businesses, problems as well, because they're, you know, they're experiencing fraud and data breaches as well. So being able to have individuals secure their data and be able to have more control over their data is really important. We're almost out of our time, but I would love for people to know, tell me, again about your company and let people know how they can reach you.
Susan Brown 33:57
So basically, Zortrex is Cybersecurity, is tokenization, and they can reach us at https://www.zortrex.co.uk. There is also a platform on there that you can register and play around with tokenization that what would be more suitable for the company. They can reach out to me on LinkedIn, they can reach out to me on Facebook or Twitter, but I really have to say, Debbie, everybody's been so supportive on social media. And the word is now really getting out there. And to the point that my inbox is not really from customers, it's about citizens, right? Is this going to be expensive, or what? My kid got hacked last week. I want to secure my data. And then today, I love to raise awareness because of the reaches one person has done a bit good. Absolutely, yeah, you're doing a great job.
Debbie Reynolds 35:04
I always see you out there. You're always putting out information to educate people. And we always talk on our posts, and I always comment on your stuff. It's really great. And I'm really happy and proud of all the work that you're doing. You know, we're all such good supporters of you. And we love to see, you know, you thrive, and the company thrive, and also just have more awareness for individuals about how individuals and companies for how best to move forward and in this new world where we're trying to really push privacy and data protection and Cybersecurity.
Susan Brown 35:39
There's a lot of young developers reaching out to me over the last couple of months, and how can we work with you? We understand some parts of tokenization. Not all, but we'd love to have the opportunity to work with you. I've had companies and want to collaborate with partners and us and find out more about how we can help strengthen their solution. And so as I've been admitted, sort of, of, of different kinds of individuals. A lot of people think that tokenization is blockchain. You can do tokenization and blockchain through ERC 20 tokens and what have you. But we actually, at the moment, have two products and digital security and mobile security cloud security. Everybody's heard about the containers and how much data has gone. Do you know it takes us nine minutes to bring on a new customer? Nine minutes, all it takes to secure the data.
Debbie Reynolds 36:35
Oh, that's amazing. That's amazing. I would love for people to reach out to Susan and take a look at her, especially on LinkedIn. You do a lot of, you know, good educational things for people not only about a company, of course, but just about the threats and what's out there is really important so well, thank you so much for being a guest on my podcast. I was really proud that you said that you would come on because the work that you're doing is so important. Thank you so much. You're welcome, Debbie.
Susan Brown 37:03
Thank you for having me.
