Security, privacy, regulations, AI, and the people factor are big themes that have figured heavily in BH Consulting’s 20 years in business. And those themes were all present at an event in Dublin’s Westbury Hotel this month to mark the anniversary.

Founder Brian Honan – the BH in the company name, for anyone who doesn’t know – opened the event by looking back at the past 20 years. Back in 2004, there were no dedicated cybersecurity companies in Ireland offering independent and impartial advice to organisations, he said.

Since that time, the company has grown from one person to 30, comprising 20 full-time employees plus associates. After initially focusing on cybersecurity, the company expanded into the related fields of privacy and data protection. Today, BH Consulting has a global reach, with clients in the United States, Canada, India, Japan, Australia and China.

Collaborating with international partners

BH Consulting has built its reputation through collaborating with many international groups including the EU’s cybersecurity agency ENISA, the European Centre for Privacy and Cybersecurity, and the SANS Institute. It was one of the first private sector partners of Europol’s No More Ransom project after it was founded in 2016. Brian Honan also founded Irisscert, Ireland’s first computer emergency response team.

Companies now need to be more aware of managing risks and knowing where those risks lie. Brian said it’s no longer a case of having a supply chain but a supply net because so many organisations are intertwined with suppliers and partners.

Brian talked about how regulations are playing an increasing part in the cybersecurity and data protection landscape. Over the years, BH Consulting has gained experience in working with global rules and directives in cybersecurity and data protection. The company was the first cybersecurity provider in Ireland to become certified to the ISO27001 information security standard. It also obtained the Europrivacy official data protection seal under GDPR.

Helping clients to comply with data protection regulations

Regulations were also a theme of the presentation by BH Consulting’s customer CarTrawler. Eimear Vellekoop, the company’s regulatory compliance manager, paid tribute to the help of BH Consulting in complying with regulations like the EU GDPR. BH Consulting has provided its DPO as a service to CarTrawler.

She said having good data protection policies in place was valuable for knowing what actions the company needs to take in the event of a data breach, for example. Policies help to define who carries out risk assessments on new projects, and assign responsibility for actions like reporting to regulators. She said it was key to have buy-in from everyone in the organisation and make policies ‘living documents’ that are updated as the business adapts.

Policies also make it easier to do business – like responding to supplier RFPs, or meeting due diligence requirements where partners sometimes request reports. Now, like many organisations, CarTrawler is evaluating how it can use AI to innovate in the business. Eimear said the company is assessing how it can potentially use the technology while making sure it’s on the right side of issues like copyright and data privacy.

Privacy challenges of working with AI

The theme of AI also figured strongly in the next talk by chief operations officer Dr. Valerie Lyons. She gave the audience a whistle-stop tour through the top 10 challenges at the intersection of the EU GDPR and the AI Act. This was a rapid-fire version of her presentation at RSA in San Francisco this year, where she spoke for the second year running, having been the first Irish woman to present at the prestigious cybersecurity industry conference in 2023.

“The AI Act will force organisations to increase transparency,” she said. Organisations need to conduct ethical data privacy impact assessments to uncover all the many places that someone’s data can end up, she added. “In the EU, you can’t use someone’s data just because they make it manifestly public,” she said. “We’re trying to get to a space where we can still do business and use AI.”

The nature of the technology means that it will raise all kinds of interesting questions. AI will bring the category of inferential data to the fore because it can make inferences or connections that we as humans never could.

Hacking people: highlighting the human factor in security

The final guest speaker on the day was Jenny Radcliffe, a security consultant who goes by the title of ‘The People Hacker’. That’s also the title of her excellent book, which some lucky guests won in a raffle at the event.

Jenny’s talk leaned on her extensive experience in being asked to test the defences of clients’ organisations, where she often exploits weak links – which usually involve the human factor. “Most security breaches at some level involve a human either making a mistake or being manipulated,” she said.

Jenny took issue with the often-repeated industry trope that “humans are the weakest link”. Using that phrase won’t get your troops battle-ready, she stated. She explored some of the ways that humans can be exploited … but there was a twist. Rather than dwelling on blame, she flipped the message to advocate for a more people-centred approach to security. “Everyone needs to realise this is as important as health and safety.”

She said organisations should give their people the information and the messages they need to do security better. The way to do this is to work with people, by getting them involved in security and making them aware of the risks. Many organisations get this wrong, by bombarding people with numbers instead of telling them a story they can relate to. “If you want people to do something for you, you need something juicier than a statistic,” Jenny said. “Your best defence against anything is an informed human,” she said.

It was a fitting note to round off the day and look forward to the next 20 years.

About the Author: Gordon Smith

Gordon Smith is a freelance journalist, copywriter and content consultant based in Ireland. He has covered information security, cyber risk and data privacy in print and online for over two decades, from national media including the Irish Times, Irish Independent, and Business Post, to specialist online news sites and titles including Siliconrepublic.com, TechPro, Help Net Security and the Law Society Gazette. He also hosts the annual IRISSCON conference in Dublin – Ireland’s longest running infosecurity event – and has produced content for a number of security industry organisations and business groups.
