Risk! Engineers Talk Governance
Due Diligence and Risk Engineers Richard Robinson and Gaye Francis discuss governance in an engineering context.
Richard & Gaye are co-directors at R2A and have seen the risk business industry become very complex. The OHS/WHS 'business', in particular, has turned into an industry, that appears to be costing an awful lot of organisations an awful lot of money for very little result.
Richard & Gaye's point of difference is that they come from the Common Law viewpoint of what would be expected to be done in the event that something happens. Which is very, very different from just applying the risk management standard (for example).
They combine common law and risk management to come to a due diligence process to make organisations look at what their risk issues are and, more importantly, what they have to have in place to manage these things.
Due diligence is a governance exercise. You can't always be right, but what the courts demand of you is that you're always diligent.
How Information Sharing Has Changed: Part 1 SFAIRP Internet
In this first of two episodes of Risk! Engineers Talk Governance, due diligence engineers Richard Robinson and Gaye Francis explore how the SFAIRP principle (So Far As Is Reasonably Practicable) applies to managing internet risk.
Richard explains R2A's journey with data security, from backing up to CDs and running an in-house server, to shifting to cloud hosting during Melbourne's COVID lockdowns, and ultimately landing on an offline-first approach that keeps them and sensitive client data off the internet as much as possible.
Richard and Gaye discuss the growing tension between staying secure and staying connected and the rising problem of how AI systems may be designed to tell you what you want to hear rather than what's true.
The episode wraps with a relatable parallel: Gaye's battle to limit her daughters' screen time is, at its core, the same SFAIRP challenge organisations face every day – you need to be online in today’s world, but being online continuously creates risk.
Tune in for Part 2 (Season 7, Episode 9), where they discuss risk in the public sphere.
If you’d like us to cover a specific topic or have any feedback we’d love to hear from you. Email admin@r2a.com.au.
For further information on Richard and Gaye’s consulting work with R2A, head to https://www.r2a.com.au, where you’ll also find their booklets (store) and a sign-up for their quarterly newsletter to keep informed of their latest news and events.
Gaye is also founder of Australian women’s safety workwear company Apto PPE https://www.aptoppe.com.au.
Megan (Producer) (00:00):
Welcome to Risk! Engineers Talk Governance. This is the first of two episodes where due diligence engineers Richard Robinson and Gaye Francis discuss How Information Sharing Has Changed, with Part 1 on SFAIRP Internet.
(00:18):
We hope you enjoy the chat. If you do, please support our work by giving us a rating and subscribing on your favourite podcast platform. And if you'd like more information on R2A, our newsletter and resources, or have any feedback or topic ideas, please head to the website, www.r2a.com.au.
Gaye Francis (00:39):
Hello Richard. Welcome to our podcast session today.
Richard Robinson (00:42):
Morning, Elizabeth Gaye. Good to be here.
Gaye Francis (00:44):
Oh, thank you.
Richard Robinson (00:46):
You're meant to say hello in Finnish based on an early discussion?
Gaye Francis (00:53):
<laughs> Okay. Today we're going to talk about SFAIRP and how it relates to managing internet risk. And I think that's one that's really become increasingly common and needs to be thought through a little bit by organisations, especially in the age that we're living in now. And I think you were going to explain R2A's journey with internet risk and how we've been managing it over the last probably 10 years or so.
Richard Robinson (01:22):
I like the term manage in that regard, but basically it was just worth explaining the history of this because it sort of explains why we are where we are. I mean, in history, we can remember backing things up to CDs and having duplicate CDs and carting them around.
Gaye Francis (01:39):
Correct. That was my monthly task or every three months to cut a CD of everything that we backed up to the file server.
Richard Robinson (01:46):
But then this drive suddenly got big and so we could write all the CDs back to the disk drive and then we could have a server in the office. Now when we put the server in the office, we're a bit more cunning. We didn't just sort of make it live with the internet with an address. Basically, even at that time, we concluded the right way to be secure is as far as possible not to be on the internet. It's the elimination option in SFAIRP terms. So what we basically did was put a server which was just serving to the office on the hard line and it had its own dedicated internal IP address and all those sorts of things with its own security. And that means anytime you wanted to back something up or get something, you had to actually be in the office. You couldn't be offsite. And if you wanted something, you had to get somebody to mail it to you if you didn't have it with you on the time. And part of the reason for doing that was because laptops didn't just have enough memory. So anyway, then COVID turned up.
Gaye Francis (02:37):
Yes.
Richard Robinson (02:38):
And our office basically got, well, we had to sort of leave the damn thing because they gave us six months at a reduced rate, but then they wanted to put it back up to 100% again. And we had another 18 months that turned out in Melbourne locked out. So we sort of had to move out. So what we then decided to do was to put our current in-house secure server on the internet, on a secure, I think it was AWS, Amazon Web Server, I think it was. And we hired quite expensive advice from a very competent person. And that was set up and that worked, that actually worked quite well.
Gaye Francis (03:08):
So you were able to dial in remotely.
Richard Robinson (03:11):
And everything was available online. The problem with that was that we didn't have a big staff. And when something went wrong, we tended to have to rehire this person. And because he wasn't spending time with us all the time, he had to go and reconsider our system. And it was all a bit klutzy.
Gaye Francis (03:28):
It added complexity to it, didn't it? And we didn't have control over what was happening.
Richard Robinson (03:33):
Yeah. And every time we wanted something, you had to log in and then something didn't work and you're going, what the hell happened? And then I'd ring you up and say, what's going on? Or perhaps more accurately, you rang me up.
Gaye Francis (03:42):
I rang you up too. Yes. That's not my forte.
Richard Robinson (03:44):
And then we thought about that for a while. I said, look, the whole point of this SFAIRP business is not to be online unless you need to be. And it's not as though we didn't have certain things online that we wanted. Like our CRM, our booking scheduling system is Canadian software. I have no idea where the server is. It could be in Australia, it could be in Canada. And our accounting package is actually Kiwi. We still actually run that on a server, but it doesn't have to be. It could be on the cloud and we'll probably do that in the near future because the server is so old now. But all our secure data, our client data, we said, well, look...
Gaye Francis (04:20):
Internal.
Richard Robinson (04:21):
..the laptops, we have two terabytes of storage on our laptops, which is absolutely unbelievable. And obviously we only have about a terabyte of actual secure client R2A data. And if you use Apple encryption, it's ... Well, I've no doubt that American government's probably got a backdoor into it, and I may imagine the Australian government can too, but if somebody's seriously about getting into our system, well, if they got one of our laptops, they probably could, but normal mortals can't. That part's pretty clear. And then basically in our office, what we do is we don't bother having a server anymore. We just have an encrypted hard drive to which we log on and back up when we're in the office. And if one of us needs something, we then send a file around. But that basically means our client data isn't online ever, except when we're online doing something, but then somebody's got to get through the Apple encryption to get to it anyway.
(05:12):
Now, but that's still focusing on the, from our point of view, the elimination option. Now, what's sort of happened the way the world's gone with, and you're talking about your daughters and how everyone's commenting online. I think that's actually going to be the subject of our next podcast in particular, the public sphere and what's happening to it in information terms. But the obvious way, if you want to be secure...
Gaye Francis (05:36):
And keep your kids safe is not to be online.
Richard Robinson (05:38):
Not to be online. And basically that's where we're trying to head. Now, the whole world is trying to prevent you from doing this. We try to buy Office, Word and Excel and all that sort of stuff on a standalone basis.
Gaye Francis (05:52):
Correct.
Richard Robinson (05:52):
Which we've done.
(05:54):
But we keep buying it that way.
Gaye Francis (05:56):
But you keep getting these messages to automatically update and log into Google.
Richard Robinson (06:00):
As soon as you log in and you put on an application now, if anything goes off and checks to see if you're legit and all the rest of it. And the way AI has gone, if you want information, it's forcing you to be online continuously and from a SFAIRP security point of view...
Gaye Francis (06:16):
An elimination option...
Richard Robinson (06:18):
That's dumb.
Gaye Francis (06:19):
Yeah.
Richard Robinson (06:20):
And I think a lot of people have started to recognise this and trying to get themselves back offline because if you look at the comments about Microsoft forcing you to 365 and continuous logons, there's a lot of narky people out there. You're not just the only one. There's a lot of narky people out there. And the way in which the different universes and the Apple and Google and everybody else, they're trying to get you into the universe and keep you there. I mean, that's what the AI is doing in effect because I think we're talking about it time before that you can't rely on AI to give you the right <information>. Well, what seems to be happening is that AI is hallucinating basically, and it's partly because the AI people, I think ChatGPT, I forget what version they're up to, but the AI that's going to win commercially is the one that gets the most questions.
(07:09):
And so they set the AI up to give you the answers you want.
Gaye Francis (07:13):
So you keep asking the questions.
Richard Robinson (07:14):
So you keep asking the question the way they want and you get happy about it. It's a bit like the podcasters, you keep getting the information that you search and the algorithm keeps giving you to podcasters that tell you what you want to know.
Gaye Francis (07:27):
Look, as people that have had AI spit out our name a couple of times, we were doing a course last week and somebody said they put a question in and R2A came up in that AI summary, it makes you feel quite good.
Richard Robinson (07:40):
Well, I did one last week too, and I got the same thing. What I couldn't work out was if it knew I was R2A, so it was giving me what I wanted to see.
Gaye Francis (07:47):
Possibly.
Richard Robinson (07:49):
And that's why when they're saying that the AIs are hallucinating, because it's basically saying, well, I've seen this person before, they belong to this, what do they want to hear? And the AI then serving are what you want and creating false references and basically reinforcing what you want to know. So it's not giving you truth, it's just giving you what you want to hear. So if you're talking about getting into a bubble, it's getting worse and worse. So I mean, according to <Patrick Boyle, podcaster>, they were talking about it's gone up from, I think in 2024 is about 10% of the answers could be hallucinations and last years, and it was getting up to 40% in some cases.
Gaye Francis (08:25):
Wow, that's a big jump.
Richard Robinson (08:25):
That's a big jump. Now, if the AI that succeeds is the one that gets the money, and that's why they're all pushing it so hard, they've got to get you into their ecosphere and they've got to hold you there. So they're really driving this hard. But that sort of then flows onto the question, I think that was going to be our next podcast onto the public sphere and risk in the public sphere and how it all works and what's going to happen there. But in the meantime, and I've got to say, our journey getting to try to stay off the internet, I mean, I think I've commented to you a couple of times, I'm going to go with a simpler phone in future. Once I don't need to use the CRM that's Apple orientated, and I'll probably get rid of the Apple watch and just go on a nice mechanical one again and generally simplify my life.
Gaye Francis (09:09):
You reckon that there's a market for Nokia phones from the 1990s to come back and in fashion.
Richard Robinson (09:14):
Nokia phones is back because Microsoft sold them back after losing six million to the Finns.
Gaye Francis (09:21):
Look, and I think that comes back down to the topic of this particular podcast season is SFAIRP the moral imperative versus the commercial reality. And maybe it's not just commercial reality, it's sort of world reality, isn't it? But SFAIRP is trying to simplify the complexities that come with the world that we find ourselves in at the moment.
Richard Robinson (09:41):
Well, your problem with your daughters, which they're desperate to be online continuously.
Gaye Francis (09:45):
They are desperate to be online continuously. And I'm the worst mum in the world and the only mom in the world that doesn't allow it.
Richard Robinson (09:51):
And you're trying to get them offline as much as you can. You and your SFAIRP principles.
Gaye Francis (09:56):
I am. But it's tricky to navigate that and to balance it in the world that we live in and organisations are having that same <problem> like we had. You have to be online to do business, but to be secure, you have to be offline. So what is the balance and what is reasonable in the circumstances?
Richard Robinson (10:16):
Well, what we've basically landed on, not necessarily due to great design processes, I guess.
Gaye Francis (10:23):
Or management.
Richard Robinson (10:24):
Is that you keep anything that's really secure offline as much as you can, and you only go online when you need it ... We want to be able to do your work without being online.
Gaye Francis (10:41):
Yes. So I think it's ours is we're the confusing people because we're sort of intermittent, aren't we, online?
Richard Robinson (10:47):
Well, that's right.
Gaye Francis (10:47):
We're really unpredictable when you can come and hack us. Whereas if you're online continuously there's the opportunity.
Richard Robinson (10:54):
You're the target. Whereas we've flashing it out. And so if somebody's trying to keep track of us, we're making a lot harder work for them. I can't say they wouldn't do it, but it's a lot harder than it used to be.
Gaye Francis (11:04):
I don't know that that was a planned mechanism.
Richard Robinson (11:07):
Well, no, I think we actually thought about it because when we come into the office, we turn our internet on, otherwise the internet's off.
Gaye Francis (11:12):
Yes.
Richard Robinson (11:13):
So the office internet only shows up every week or two days a week at the most probably when we're actually in the office together. And at home, I mean, when I flip my laptop on, it's on. And then when I close it up again, it's off. So I'm intermittent. The only inserver I still have is our financial server, and the internet number and that changes enough to confuse everybody anyway.
Gaye Francis (11:42):
Well, I think on that note, what we wanted to show you today was that we're using the SFAIRP principle for a whole lot of things, and it can be a useful tool, not just for WHS and work health and safety.
Richard Robinson (11:56):
Well, it can cause some difficulties with daughters.
Gaye Francis (11:58):
It can cause some difficulty with daughters, but I'm happy to navigate those. So thank you for joining us today, and we're going to come back with part two <next episode> on the public sphere. Thanks everyone.
Richard Robinson (12:11):
Thanks.