The Defuse Podcast: Where Experts Defuse Real Threats

When Cyber Risk Becomes Personal with Lucy Burnford

Philip Grindell MSc CSyP


In this episode of The Defuse Podcast, Philip Grindell is joined by Lucy Burnford, founder of coc00n, a specialist cyber security firm protecting high-risk individuals, families, and senior leaders from targeted digital threats.

Lucy works at the sharp end of personal cyber risk, where phones, messages and trusted relationships are often the way in. coc00n focuses on people rather than systems, securing personal devices, private digital lives, and the grey area where work and home overlap. 

Their team includes former UK government cyber specialists who once protected sensitive national assets and now apply that experience to private clients.

The conversation explores how cyber threats really start, why successful people often underestimate personal risk, and how digital compromise can quickly turn into reputational, psychological, or real-world harm.

This is a grounded discussion about judgement, habits, and trust — and what genuinely helps people feel safer.


Bio

Lucy Burnford, Chief Executive Officer, coc00n

Lucy is the CEO at coc00n. She works with a team of former GCHQ cyber security and digital privacy experts to deliver proactive, unrivalled cyber security with absolute discretion and privacy. She works closely with high value clients, and their advisors, to bridge the gap between technical requirements and practical solutions, combining her ability to understand consumers of premium services alongside cyber expertise.

https://coc00n.com/

https://www.linkedin.com/in/lucyburnford/





SPEAKER_00:

Welcome to the Defuse Podcast with host Philip Grindell, CEO and founder of Defuse, a global threat and intelligence consultancy that blends psychology and intelligence to mitigate threats and risks to prominent people and brands.

SPEAKER_01:

Hello and welcome back to the Defuse Podcast. Happy New Year to everyone. It's now 2026. God knows where the time's gone. This is our first podcast of the year, and I'm absolutely thrilled to be introducing a lady that's become a good friend of mine. But before I get onto that, just a quick reminder to those of you listening, if you if you're new to the podcast, please do subscribe to it and share it with others if you if you enjoy it. And also go onto our website and sign up for our weekly newsletter, Defuse News, which will provide further information and gets fantastic feedback. So I'd love you to become part of that ecosystem. That's enough of the marketing. I think what gets missed is how often cyber harm lands quietly, personally, and closer to home. Now we've all got mobile phones. Pretty much everyone in the world now seems to have one. And phones, messages, trusted people, everyday habits. That's where many of the problems begin. So this conversation is around cyber risk, where it overlaps with trust, reputation, and personal safety. And my guest is Lucy Burnford from Cocoon. And they work at the sharp end, protecting people, not just citizens. So this is about how threats really show up and what makes people safer. Lucy's the CEO of Cocoon, and she works with a team of former GCHQ cybersecurity and digital privacy experts to deliver proactive, unrivaled cybersecurity with absolute discretion and privacy. She worked closely with high-value clients and their advisors to bridge the gap between technical requirements and the practical solutions, combining her ability to understand consumers of premium services along with cyber expertise. And as I briefly mentioned, Lucy's part of our ecosystem, and we uh have great pleasure of referring Lucy into our partners and our clients because we use her services and we we we think others should do too. So, Lucy, welcome, happy new year.
And um, you went a bit quiet then to me, so I need you to step step forward slightly. That's it. Happy New Year. That's better. We can hear you now. Brilliant. Happy New Year. So welcome. Um Lucy, before we start, your you know, your kind of background is not necessarily the kind of conventional security background, which I think is a good thing. What is what how did you come into this world? How did you how did you develop the idea, the concepts around Cocoon?

SPEAKER_02:

Well, it's a good question, and it's really interesting because when people hear about my background, sometimes they think I can't marry that up with what you do now. But I think my background actually, in combination, is really relevant for what we do now, which I know that you've realized. So, my my background is for 11 years, I ran a marketing agency that specialized in devising and implementing concepts for super premium brands. So we would come up with the idea, we would execute it in the market, ultimately trying to connect discerning consumers of high-value products and services with that product through a creative idea. And um I love that business. I ran that for about 11 years. Um, I only realized much later that I actually had a hundred percent client retention record and I won 100% of pitches. So I was probably doing something right, um, exhausting as it was. Um, but I really wanted to have a product. I really wanted to have a tech company. And I came up with a concept for what became my second business in uh the sort of early uh sort of 2010. And by 2013, 14, I really wanted to kind of back myself to launch that business. So um I founded and funded a company in the automotive tech sector, which very quickly, at sort of concept stage, pre-revenue stage, uh, attracted um investment offers from a number of quite significant institutional players in that space. And we formed a joint venture subsequently with one of the largest automotive companies in the world. And uh that was quite a disruptive tech concept. So what we do now with Cocoon kind of marries the two. So it's a super premium product and service used by very discerning clients, but it's quite an interesting and innovative tech business. So I think those sort of two businesses that I had previously benefit our company now quite significantly. 
Um, but how I actually came to start Cocoon was um by meeting one of my um three now other co-directors, who at the time was a cybersecurity architect, GCHQ, and had worked on a project with my other two now co-directors as well, um, to devise and implement the mobile phone security for some of the highest risk individuals that the UK government has the responsibility to protect. And the challenge that they had been set was nothing existed in the private sector that could be procured and applied to a mobile device to give it a proactive level, uh sophisticated level of defense against sophisticated cyber threats. And these are the kinds of individuals who are targeted by nation states and sort of highly sophisticated cybercriminals and organized crime. So there wasn't anything that existed that they could just procure and provide. And so they were tasked with creating something. And they successfully did that. And as part of that process, a huge amount was learned about not just the kind of technical capability and requirements needed to do that, but also what a client's needs and requirements are. Um, there is always a trade-off between usability and security, and sort of the higher profile and higher value you are, the more demanding, quite rightfully, you are about the usability side of things. Um, so that has um always been quite a challenge for providers of security-related services. You know, how do you, whether that's physical or digital, how do you provide something that seamlessly embeds into someone's life and doesn't cause them any pain points or friction? And that was certainly a learning as part of that process. And we carried that sort of um thinking through into how we then devised and architected cocoon.

SPEAKER_01:

Really interesting. And I I think it's um it's so interesting the kind of merging of your commercial background and then the introduction to security, tech, and and and the success you've had is is kind of unsurprising with your background. So let's move on then and talk about sort of more specifics around and what happened. So when when a cyber incident kind of hits somebody, when it happens to an individual, what does that actually look like?

SPEAKER_02:

Well, it there there are many and varied things. I think what's interesting for us is that the all of our existing clients have had some form of trigger or distress situation that may not be directed directly at them. It could have been somebody close to them or it could be something in an organization that they own, but they have had a brush with either directly or indirectly, something quite serious from a cybersecurity point of view. Um, often these things are not necessarily a highly sophisticated nation-state-based cyber attack levied at an individual. It could be um behavioural um failing on our own part because we are all terrible at cyber hygiene and reusing passwords and not setting up MFA and all of those kinds of things. And maybe that their credentials have been have been leaked and breached and they've used that to gain access to some of their information and subsequently they've had some form of breach that has highlighted to them that their digital privacy is an area of concern that they should mitigate. And obviously, if you're a high value individual, so whether that's high profile publicly or professionally, if you have uh a significant level of wealth, even if you have a what you would consider a low digital footprint, there is always information about you out there that's easy to determine. It could be a press release about a business you've sold. It's very difficult to kind of remain under the radar. So all those pieces of information that are out there. And if you are lax with your cyber hygiene, or if you are unfortunately the victim of a slightly more sophisticated attack because somebody has managed to compromise one of the services you use on your device, so an application you use, or the device itself, then the ramifications of that are quite significant. And they tend to, I think, fall into two categories. 
They are either financially serious, so a sophisticated phishing attack, where you could lose, we've had a client lose an excess of a million pounds through a phishing attack, um, or they could be reputational risk. That is certainly the predominant concern for our clients, because money is replaceable and reputation is not. So extortion is a serious concern for our clients, um, or just the concept of private and personal information, communications, photos, files. It may not be nefarious, it may not be something that's, you know, unsavory, um, but it's private and it's personal, and it has a detrimental impact on your life if information that's private to you is in the public domain or is threatened to be exposed into the public domain. So those kind of tend to be the two areas that people are concerned about: financial and reputation, and the kind of different attack vectors and routes into that, um, there is almost always an element, however small, of behavioral failing on our part to help facilitate that attack.

SPEAKER_01:

So can we can we um I suppose dispel a few myths? Yes. Are there any phones that are more well what's the you know, if you're gonna start from scratch, if you're saying to your client, okay, you're gonna go and buy a mobile phone, is there is there some that are better and more secure than others?

SPEAKER_02:

Well, Apple obviously spends billions of pounds every year on cybersecurity, so you should always buy a phone from a kind of major provider, first off. I think one of the interesting things is in the early days of our business, people would say, Oh, is it a handset? Have you developed a handset in an operating system? And, you know, my my personal sort of commercial view of that is the amount of money that you would need to spend and the technical capability you would need to have to develop something more secure than an Apple phone is ludicrous. So, you know, why would you why would you bother? Um, so anyone, you know, the good all of the good providers spend a lot of money on cybersecurity. Um, I think one of the interesting things about uh Android devices is that because that operating system is provided to multiple manufacturers, there is a lag when operating system vulnerabilities are identified in patching those. And then that can open up a bigger window for someone to gain access to a device through that exploiting that vulnerability. Apple tend to be very good at patching those automatically, or pushing the updates rather in a much more timely manner. But you know, that also requires us to update the operating system or update the vulnerability on our device. And often we say, oh, I'll do that later, retry later. And uh actually that's that's a major attack vector. So one of the things we do when we enroll devices into our configuration is we enforce those vulnerability and operating system updates to kind of mitigate that risk window. Um, but in answer to your question, I think you know any of the main manufacturers invest billions of pounds on cybersecurity and making sure that vulnerabilities are identified and patched as quickly as possible. So that's a really good base layer, right? That's a good base point. 
I would be very skeptical about people using um operating systems that they have amended or um that they have said they have developed a different version of, um, or handsets that they that are secure in inverted commas and devised for specific things, because they're just not going to have the um expertise and and the money that it requires to kind of develop anything more secure than a major provider would.

SPEAKER_01:

I'm pleased you said that because I've got an Apple iPhone and I've always I've always said to people Apple are brilliant because they they update their phones even every day, sort of every 15 minutes or some of those updates, etc. Um going back in time, you know, we we had the phone hacking scandal here a few years ago.

SPEAKER_02:

Yes.

SPEAKER_01:

Is that something that could still be done to people? Is that is that still a viable tactic by journalists or adversaries?

SPEAKER_02:

Well, I mean it was it was a voicemail hack rather than a phone hack. So it wasn't a cyber attack in any way. It was, you know, dialing into your voicemail using a remote pin and listening to the messages. So that's again a behavioural thing. That is as bad as reusing your own password, which is your name plus one, two, three, maybe with an exclamation mark if you're trying to be clever. Um it's the equipment, you know, it's equivalent of that. It was it wasn't putting your own PIN or password on a voicemail. So that's again, that's kind of security hygiene. That's a basic. So our equivalent of that now is reusing passwords on applications and services and emails that are really easy for somebody to access. Um, I think because we live much more digital lives now than then. Um, everybody has a smartphone. Our entire professional and personal lives are contained within that device. There is far more interesting information on those devices than there was 10, 15 years ago. And so the security of that information and your personal privacy that that relates to, your location, your photos, your where your children go to school, everything is within that device. So I think we we have a kind of duty of care to ourselves. And then, you know, in the industry we work in, this is how we can help people to make sure that they really are taking those um risks seriously and mitigating them to sort of understand just how much information there is and how valuable that is to somebody who um maybe wants to bring you down a peg or two or um you know has has um yeah, nefarious um, you know, leanings, let's just say.

SPEAKER_01:

And and do they, you know, do clients of yours need to be technical in order to um use your systems and your services?

SPEAKER_02:

Our clients are not technical people at all. Um, most people are non-technical people. Okay, so um I'm not a technical person compared to my three co-directors. I'm not a GCHQ cybersecurity architect. Fortunately, I don't need to be. Um, but um no, most people, you know, they want to use their device in the way that we all do. That is communication, that's functional things like banking, transactions, um, uh interactions, browsing the web, social media, all those kinds of things. The way that Cocoon works, it's not an app, it's not software, it's not a phone. It's a configuration that we have devised to secure the device itself. All of the data leaving the device is encrypted. So a total outbound data privacy. Everything coming into the device has gone through a threat intelligence filter to block malicious attempts to access the device or compromise the data within. And then we can set you up with a secure email service. We can set up a secure comms service suitable for high information threat environments if clients need that or they're traveling somewhere that they feel has a heightened risk. Um, and also, really importantly, and to your question about do they need to be technical, one of the things that has been the most, I suppose, surprising for us in terms of how much clients sort of revere it and value it is access to our team as a cyber concierge service. So we always enroll clients in person where possible. We can do it remotely technically, but it's much better to do it in person because then you get to help mitigate those behavioural risks at the same time. But access to our team allows that non-technical interaction, that cyber concierge person is able to talk to somebody in a non-technical way about technical risk and translate something that may be a technical cyber threat into what does it actually mean for me as the client? Like, could this happen in scenario A, would someone be able to do example B? 
Uh so that human element's really important for us and our clients. Um, because also that relates to trust. And I think you have to trust the people that you are um requiring to provide a service like ours to you.

SPEAKER_01:

So, on that subject of trust, then, just so we're clear, are you monitoring their phones?

SPEAKER_02:

No, we don't have that level of privilege on a device, and nor would we want it. That would invite risk into our organization. So we don't store or monitor data. Uh it doesn't, it doesn't work like that. So very happy to say we're not monitoring, not we're not looking at what anybody's doing. We can't see what you do on your device, we can't access files, photos, you know, WhatsApp conversations or anything like that. No.

SPEAKER_01:

So, you know, we've we've talked about behaviors as being a vulnerability. So can we talk a bit more about that? About about, you know, I appreciate we've covered some of it around failing to update our um or the updates and introduce all those. What sort of other things do people do that that causes them vulnerability via their device?

SPEAKER_02:

I think cyber hygiene, which is a really horrible term. Somebody needs to kind of rebrand that, I think. I'll have to think about that.

SPEAKER_01:

Um your marketing background, you must put it in.

SPEAKER_02:

I'll love to come up with a new a new name for that. Um they're all the things that are administratively a bit dull and clunky, and we think I'll do it later. And actually, what we end up doing, obviously, is not doing it and inviting risk in. So that's one of the reasons I said why when we enroll people, we do it in person, because we actually do all of that cyber hygiene as part of that enrolment. And those are the things like making sure you're not reusing passwords, checking if any of your information has been leaked or breached, and making sure that you remediate that immediately, setting up password managers, all those kinds of sort of good hygiene things, setting up multi-factor authentication on accounts. Um, because if somebody else does that instead of you, then you're you're in a really sticky situation to kind of re-authenticate who you are, and then that you are the legitimate owner of that account. Um there's a huge amount that's behavioural. I think something we have come to realise is that the ideal combination from a security point of view is technical security married with behavioural security. And you can mitigate one or the other, but really, especially for our kinds of clients, you have to address both. Otherwise, you're only sort of dealing, you know, really covering half of the area of risk. So I think a lot of these things, um, we run a service actually for parliament to help our parliamentarians um sort of a digital uplift service effectively for all of the areas of cyber hygiene that need to be mitigated. And, you know, the they are relatively straightforward things that anybody could, if they sat down for a few hours, do. But very seldom do people do it. And I don't think we've whenever we sit down with a client, they always say, Okay, you're gonna think I'm the worst person. My my I I I don't have any, I can't remember any of my passwords. And everybody says the same thing. 
Everybody is as bad as each other, so no, no one needs to worry, right? We've you know, like everybody's terrible at it. Um but it's a really it is actually a relatively straightforward thing to do. It's just slightly laborious, and therefore we never get around to doing it. Um, but it is critical to to um to cover those kinds of things. And you know, you need to do it for your children's devices and all those kinds of things too.

SPEAKER_01:

And when you're dealing with with discerning clients, and they be they be they professionally or or or um or wealth driven or privately um high profile, are you you know often these people are have got other people that are dealing with all their uh issues in terms of they they manage their world, so they may even manage their phones or their or their uh security, etc. So how how do you balance that relationship when you're when you're dealing through um advisors or intermediaries or or that kind of chief of staff who's actually or even the security chief who's managing their their boss's phone, for example?

SPEAKER_02:

Well, I think two things. Firstly, our biggest competitor is do nothing. Most people don't have anything on their device of any level of kind of robust security. The best would might be, oh, I've got like a $9.99 a year VPN and I use, you know, a secure messaging app like Signal, and that's about it. So very rarely do we um have a conversation with somebody who's a trusted advisor or part of that client's close network that says, well, hang on a minute, I'm already doing something like this. Most of the time, we've already spoken to those advisors because they're typically the person introducing us then to the client, or we've certainly had um a significant amount of time explaining to them what we do. And some of the reason for that is that they're owning part of that risk and they don't want to own part of that risk, they have to mitigate that risk. And usefully for us, those um trusted advisors have the responsibility to really understand what we do so that when they say to the client, just like you, Philip, you know, when they say to the client, this is really something you should consider, it's because they have bothered to understand what we do, why we do it, and the fact that it does actually solve a problem that that client's got. So then that for the client, it's ultimately quite a quick decision, yes or no. The kind of legwork, if you like, is done with that trusted advisor in advance, um, who actually typically are slightly more technically adept and are um interested in the detail behind how the technical side of the service is provided so that they're comfortable and confident to then recommend it.

SPEAKER_01:

So going on, I mean, uh going on to sort of behavioural things again, I guess, and some advice. And I'm thinking about what clients have asked me in the pr in in you know past lives and what have you. Things like Wi-Fi always comes up. Yeah. And accessing Wi-Fi when you're not at home or at work. So accessing Wi-Fi remotely, be it in a vehicle or a hotel or wherever else, an airport. What what's your advice around that from a security perspective?

SPEAKER_02:

Well, ideally you would use a VPN. Um, there are VPNs and there are VPNs, obviously. Um, and one of the reasons we we built um and architected our services we have to be always on is that you never have to remember to turn on your VPN when you're in a hotel or an airport lounge or anywhere where you're using an unsecured Wi-Fi network. Um, but it connects by default, and every IP packet goes through our VPN. Um, because that is obviously an attack vector that, you know, if you if you wanted to target some high-value people, well, the first class lounge in one of the airports is probably a better place than, you know, the EasyJet Lounge at Luton. Um and similarly, with you know, members' clubs and luxury hotels and those kinds of environments. Um, and you know, we get the we get the pop-up, don't we, saying connect to this unsecured network and you just go, yeah, click, you click it like you click a cookies acceptance without considering that if someone's in that network, there's information that they can glean from um the way you're using your device that might help them to kind of profile you or identify you or see what websites you visit and and therefore be able to gain more of an idea about you as an individual. Uh, so from a privacy point of view, it's obviously and security point of view, it's very sensible to have a VPN in place. But typically people use VPN so they can, you know, watch BBC iPlayer or Netflix when they're in different locations. Uh, it's not understood as a security product, and that lots of them are not really security products, actually, when it comes from a technical point of view. Um, so that was an important element of the approach to building our VPN. It's a kind of security-first approach to the way it's built. Um, and there's lots of technical detail that sits behind that, which is very interesting if you're interested in that. Most of our clients are not. They just want to understand is this going to keep my information private?
And the answer is yes, and constantly, because it's always on. So, yeah, logging on to and accessing unsecured networks. Um, the warning's there for a reason when you log on and you accept you're accepting that risk when you connect to it. And we don't think that's a risk people should openly accept when they don't need to, when there are easy solutions that they can put in place to kind of help mitigate it.

SPEAKER_01:

And one of the challenges with VPNs is it it it can slow down considerably your access, if you like, to various uh websites, et cetera. And and you know, people then turn it off because it becomes limiting in terms of how you you function. Yeah. How do you overcome that? Is yours overcoming that problem?

SPEAKER_02:

Yeah, we have we don't have any issues with that because we spin up servers wherever our clients are, so it's kind of globally scalable. And you know, latency is something that yeah, people cite as a um not a major concern. You know, if if it was a trade-off, they'd choose the security over the latency issue. Um, but we've managed to devise um the way we deliver our VPN in a way that doesn't seem to impact that for clients. So wherever they are, we spin up a server in the in the closest location.

SPEAKER_01:

And so you know you know, cyber is is a really hot topic. Wherever you go right now, everyone's talking about cyber. And I and I guess it's a a term that is such a um an overused phrase and has lots of different connotations, whether it's you know Marks and Spencer being hacked or or or someone hacking your home Wi-Fi or whatever. How do you keep up with that changing um evolution? You know, particularly I guess now when we're looking at the kind of geopolitical issues around the world and the the fact that we know that some states have encouraged, have developed you know, in entire teams to um cause problems through cyber. How do we you know how if I'm using your services, how do I protect myself from that? I mean, i i is that is that real? Is that a challenge? Are they going after these high-profile individuals?

SPEAKER_02:

Yeah, there's there's definitely been a growth in um, especially on the dark web in the sale of information that is um personal identifiers of high value individuals. You know, if you're gonna focus your efforts on hacking someone, then you know, I'd rather hack a billionaire than a primary school teacher because the outcome is probably going to be more lucrative for me ultimately. Um, but how we keep up with it, two elements to that. Firstly, um our CISO kind of heads that in our business. So understanding the threat landscape, how that's evolving, not just from a geopolitical point of view, but from a technical point of view as well. Like who are your adversaries? Because they're quite wide-ranging and they're not necessarily who they used to be or who you think that they might be. Um, you know, interestingly, so one of the things that we've done as a result of seeing a change in that landscape is we provide an on-demand device for clients if they're traveling to a high information threat environment. So it could be journalists going to a war zone to report back, it could be someone going to uh a less friendly country, but it's an emerging market for them, for their business, and they're going for a two-week, two weeks to kind of explore and uh have meetings, and they don't want to risk their company or personal device being used in that environment. So we've developed kind of an on-demand service for that where we spin up everything ephemerally and then it's all kind of torn down when the when the client comes back. But what's been quite interesting in the last sort of six months is the change in the definition of a high information threat environment. So it wouldn't necessarily just be restricted to the obvious candidates. It's now much more wide-ranging. And I think that's that is the knock-on effect of um sort of geopolitical tensions and different governments' attitudes towards um data privacy and security. And that's ever changing. 
So there's definitely a duty of care on us as a business to keep up with that, but also to kind of say, well, so what? What does that mean for our clients? How do we then do something or provide something that's suitable for that changing landscape and for their needs? So it's kind of ever evolving from that point of view. Um, but secondly, our our threat intelligence, that's kind of one of the main benefits of having something proactive that protects your device. And so our threat intelligence obviously we use a whole host of feeds that come into our DNS, and that ultimately blocks access to your device and the data within it by known malicious actors or known malicious URLs or attempts to compromise your device by dropping malware onto your device, for example. So it just won't get through. So anything that has got through, you know, has been through that filter. So there's that sort of proactive, proactive um aspect, but those threat intel feeds are also obviously related to the threat landscape. So that's ever changing. So it's incumbent on us providing that service to make sure that those feeds are um robust and as you know, um as beneficial to our clients as they can be, because we don't want anything to kind of get through. Um, but actually, if I can just mention in relation to that, one of the kind of design approaches to coc00n was to apply sort of a defense-in-depth kind of methodology, which means even if something were to get through that threat intelligence filter, uh, you know, something else then kicks in, something else then kicks in. So you're never at a point with a device where there could be a hundred percent failure and there could be something that actually gets through. Um, so all of the suite of proactive protections, they all all interplay. And that is one of the real um, I suppose, what beauties about um what the team have managed to devise, because that's actually technically very difficult to achieve.
Um, so it's it's probably why when we see clients, the best they've got is a third-party VPN and some form of, you know, in inverted commas, secure messaging app that's free. So um devising those together, architecting them in a way where they all interplay to give defense in depth to your device is a really interesting and quite unique um proposition that fortunately with the the brains behind this business, we've been able to um deliver.

SPEAKER_01:

And you know, what do we predict? Where's this all going in terms of cyber threats? We as you mentioned, I mean, I, you know, phones are um critical to what we to our everyday life, whoever we are. And I and you know, kids are getting them younger and younger, they're getting more used to having them as as you know, you perhaps not you, but certainly I in my age. I can remember before we had phones and all that sort of stuff. Now it's That's very kind of you, but I can also remember but but uh you know it it's I mean I I you know I remember going to a briefing not that long ago where they talked about phone phone theft in London as an example. And where the primary reason or motivation behind the theft of a phone had changed from the device being of value to the data on the device being the value, um, which is quite a significant change. The the device has still got a value, a residue value, but actually what they're really after is the data. And I and I know you've mentioned that already. Where where are we going? Where are we moving? How what's the kind of prediction over the next, I don't know, 12 months about what are the types of things that we need to be more aware of?

SPEAKER_02:

First of all, and related to that point about phone theft, there are very clever automations that anybody can set up on their device if it gets stolen that takes the device out of airplane mode, which is typically what they do, so that they can disable Find My and they can see all your data in all your communications. There are various automations that you can set up. We always do this for clients as part of the kind of enrollment, but you can do it yourself to make sure that if that happens, that your data and the device is secure. Um, with coc00n, we had the ability to remote freeze or wipe the device if it's lost or stolen. We have had a client who has been the victim of one of those phone thefts and his phone was unlocked when he was using it. And he was a very eminent individual, so he's extremely concerned about all of the other contacts actually that he has on his device. Um, so I think you're I think you're right. I think there is definitely a um a higher value in data than there is in hardware. And um that kind of privacy element around all the extortion around that information is um an increasing issue. Interestingly, it it seldom um kind of goes um reported because it's embarrassing. So if you're extorted over something, the whole point of paying somebody off is that you don't want that to become public knowledge. Um, but we work with a lot of law firms and and they've had that, you know, they've said this is an issue for our client. We have a client who is going through this at the moment, who has engaged in in um in extortion uh because of information on their device that they don't want in the public domain. So a lot of this stuff, you know, goes unreported or or under the radar. I think one of the wider um trends uh that's emerging is um because phishing attacks are ever more sophisticated now through AI and are going to become ever more so, as will all cyber threats, it becomes much harder to determine what is legitimate and what isn't.
And as a result of that, I think there will be a growing mistrust of big technology companies and how are you using my data and who owns this data, and how is it being, you know, is it being used against me? And so I think the human side of technology companies is going to become even more important. Um, you asked me earlier, actually, you know, we we mentioned a bit about trust and about relationships with clients. I don't think I've had a meeting with a client where they've asked me anything about the technology for the first, I don't know, 90% or 90% of the meeting. It is much more who are you? What are your values as an individual and your business and your trusted credentials, and why should I entrust my security, my cybersecurity on my personal devices and my families into your control? Um, you know, what kind of gives you the technical capability, but also more importantly, the ethical, I suppose, um values to be able to do that. And I think that's going to be exacerbated by um by AI and by big tech using your data constantly uh to their benefit. And actually people are becoming much more rightly so, I think, skeptical about how that information is being used.

SPEAKER_01:

Yeah, I think so. And I I also think one of the other side effects is we we worry so much about cyber, but the reality is you can have the best cybersecurity in the world. But if they hack MS, let's use them because they've been in the public eye quite recently around it. Well your data's there. And and that's it, and it was quite interesting for me how MS, as an example, said you know, yes, they've stolen your data, but don't worry, they haven't got your financial data. No, no, but they've got everything else. So there's this there's this kind of misunderstanding about the value of and what people do with that data. Um but moving on slightly to some of the your advice though. So if I'm a if I'm an ideal client for you and I say, yep, I want to have your services. Is it I mean, would you be then saying, and I don't mean this from a sales perspective, but from a security perspective, are you then saying to them, okay, well, you know, you need your partner, your wife, they need to have it as well because they've got information on that that's of use, your, you know, your nearest and dearest or you know, business chief executives or whoever. Is there this kind of holistic perspective around it that you're not operating in isolation as a high profile individual? You've got these other people around you that actually um the bad guys can target and get the same information.

SPEAKER_02:

Yeah, absolutely. I think you know, obviously it has to stop somewhere, okay, because uh ideally people are going to say, well, hang on a minute, how how big is my ecosystem? But when we talk to clients or potential clients, I think the the overriding concern they have is about privacy and about reputation risk. And, you know, linked to that, their kind of financial status and sort of health and wealth. Um, but also their family members too, because it's not just themselves, they're aware, you know, if they've got a spouse and they've got children, especially teenage children who probably have multiple devices and use every single social media application you can think of and are constantly connected. Um, that, you know, all of there are all of those individuals are an attack vector in themselves and their devices, therefore, are. So you have to be realistic about, okay, well, who are the who are the principal targets here? And then who else is in your ecosystem kind of on the periphery? And what are the other things that we can maybe do to make sure that those individuals are as as secure as possible if they have access to things like your diary or your location or information on their devices. Um, it's a balance. And I think the the highest um likelihood uh targets, so the kind of say that the principal and family members would obviously need some form of um proactive protection that we would provide with our device protection service. But it may be that um others in their ecosystem, so their household team, their personal staff, would really benefit from having a session with one of our concierge team to do a sort of digital uplift on their device to make sure that all of the settings are as secure as they can be, that they haven't given default access to the location, all their photos, and they haven't just um inadvertently um granted access to something that probably is inviting a bit of risk in that doesn't need to be there. 
Um, we also talk about to our clients about sort of role-based access controls, like who needs access to what and why and when is that constant? And just trying to put some of the measures in place that are um better practices that can help mitigate some of those areas of risk. And so it's a balancing act, you know, obviously from a kind of like sales point of view, you'd say, oh, everyone should have it. But the reality is some people have a much more heightened um threat profile than others, but there are still others in that ecosystem where their cybersecurity can be improved. And that's that is actually quite straightforward to do. You've just got to kind of be aware of it and then dedicate the time to do it.

SPEAKER_01:

And presumably you have to have access to their phone, do you, in order to actually activate the process. You so they couldn't do it, you know, you couldn't say, listen, I've got a 15-year-old, I want his phone looked at, but I don't necessarily want him to know about it.

SPEAKER_02:

Uh it's always better to do these things by consent, but I guess if the device belongs to the the adult and then they're giving the child the device, then um then you know that that's between them, I think. Um what I mean by securely, we can't you obviously can't see what's going on the device, and we're not disabling anything.

SPEAKER_01:

But you have to access to the device though, the physical device.

SPEAKER_02:

We don't have to. We can um we can enroll people remotely, but in almost all instances we have enrolled people in person, including children. And one of the kind of benefits of of um of the way that we've devised our service and the team members who deliver it is they understand that you know, we don't want you don't want to scare people, and you don't want clients or their children to think that they are being prevented from using their device in the way that they want to. So nothing is precluded unless we are asked to prevent the download of certain applications, which we've had to do for high information threat environments. But typically for families or private individuals, they want to be able to use their device as they would normally without anything being restricted, but with a level of security around it that gives them confidence in their own, you know, digital privacy. And so that's what we do. And we do the same with children's devices. We've also done a lot recently where we have secured the sort of gaming consoles and the kind of digital ecosystem of children and teenagers in the household, which typically, you know, as parents, we're quite remiss in making sure that we've put on the best level of parental controls or that we're aware of what devices are being used in the household, how and by who. So we've done quite a lot of that kind of family digital privacy and safeguarding in person. And that I think is important to do in person because it's a softly softly approach and it's a very soft education bit. Um it's not saying you can't have that app, or we're going to stop you from clicking and downloading that. It's it's much more of an approach of that um application that you use is now more secure and no one's gonna be able to access your information because and we do it with them, not just for them. We much prefer clients to um have hands on their own device than to kind of leave it with us.
I think it's important from a trust point of view that you're present.

SPEAKER_01:

And you know, young people are often very tech savvy because that's their world more than perhaps ours might have been once upon a time. Can they deactivate whatever you're doing?

SPEAKER_02:

No, because it's a configuration that's pushed through the operating system. It's not an app that you can kind of delete or settings that you can go in and amend yourself, um, and you know, then inadvertently uh invite further risk in. Um so that's that's kind of an important element. I mean, I don't you wouldn't disable it because um it doesn't interfere with your usability. So again, that was why that usability security balance was so important because the last thing you want is someone going, I I can't use this, okay, I can't work with this, forget it. Uh it has to be, you know, it has to be seamless and it has to enhance and not restrict how people use their devices.

SPEAKER_01:

And what what's the sort of typical pushbacks you get from different clients in terms of from you know whether they're teenagers or or um or billionaires? Are there kind of common pushbacks or common questions and queries that they're concerned about?

SPEAKER_02:

So I'm laughing because I am going to tell you the honest answer to this, which is that the only question that um I have regularly had is um, can you see what I'm looking at on the internet? And it's the porn question. Okay, so um, because it's the only question that gets asked, and it obviously puts that person in a slightly embarrassing situation, um, I cover it before it gets asked. So when I explain how our threat intelligence works, I say, which is true, it doesn't classify and categorize the web. So it doesn't say that's adult content, block it. That's gaming, gambling sites, block it. It doesn't work like that. It's not judging uh what you're looking at on the web and determining whether or not you should be doing that. It's saying that's a malicious URL, that's malware, block it from downloading onto your device. So it's designed to protect your private data and your device itself. It's not in any way to interfere with you know your browsing habits or um, you know, any interests that you have. But that's really the kind of only question that we that we get, um, which is yeah, I mean, it relates to people's privacy and it kind of relates to their reputation, doesn't it?

SPEAKER_01:

And what's what's what's what's coming up for you guys then? So is that is there developments, are there new products, are there anything you can share with us that's kind of in your plan this year that's going to be changing?

SPEAKER_02:

Yeah, there's there's lots actually. Um there's lots of sort of behind-the-scenes technical advancements that go on all the time that are not necessarily things that clients get to experience because they're much more um keeping up with the threat landscape and making sure that threat intelligence and that our you know the way that our VPN's been devised is as secure as possible. Um, we are developing um a few interesting uh things, some I probably you know won't talk about at this point, but one of the things we are developing is a native app version of coc00n. Um it's not an app, as I've said, it's a configuration, but for scalability and for kind of immediacy, if somebody were to say, I want a hundred devices with this on in 15 minutes because um, for whatever reason that might be, um, or a specific high-threat environment configuration for devices that are being deployed tomorrow to X location, we will be able to provide that kind of at scale and at speed. Um, so that's probably one of the kind of major um developments that we're doing kind of internally. And then there are lots of um client-facing um benefits that we've devised because we've understood what's valuable to our clients. So things like making sure that they are aware when they're in a high information threat environment, which actually might be a beautiful remote island that they're on holiday in, but actually the cybersecurity there is is pretty poor. So dialing up the threat intelligence feed at that point and then saying, you know, a couple more uh things may get blocked, but we've done that to protect your privacy. And so kind of, I suppose, some of the more about the communication that we give to clients, the things that are kind of have been going on in the background, um, and understanding really what their concerns are and how we can provide enhanced services to that end um is really important for us this year.

SPEAKER_01:

And do we do we I mean, do you get a like a report to tell you what's happened in your device over the last you know month or whatever?

SPEAKER_02:

Yes, you do. So you can have it on whatever frequency you like. You can actually see it daily. Um, you can see the um the analytics daily. Um, but obviously, unless you're really interested in those kinds of things, which let's be honest, most people are not. They're not really going through. Oh, what's the threat intelligence block today? So um we provide that to whomever in their ecosystem requires it on whatever frequency they need it. So typically it's quarterly. Um but it is actually very interesting reading because our devices reach out to hundreds of thousands of URLs every month. And, you know, it's not like you would expect someone to have thousands of um risk, like serious level risks, blocked like malware, but there are always several, and it would only take one of those to have you know gained a foothold on your device for you to be in in quite a serious potential disposition. So it's useful because we also need to be able to validate that the technology is providing you with a sophisticated level of security that you wouldn't have otherwise had. So we have all of that information. Um, it's yeah, making sure you disseminate it and communicate it in a way that people find interesting is often different, you know, from what your perception of it might be, like a technical person's view of what's interesting is very different to what one of our clients would consider to be interesting. So we've got to kind of translate that too.

SPEAKER_01:

So uh as we kind of draw to a close, uh if there were sort of, I don't know, two or three key bits of uh advice that you would give in terms of let's say behavior. Um and again you may have already touched on them, but just as a kind of refresh and a kind of final um piece of advice, what what would they be? What would the things that people listening to this would or should be thinking about?

SPEAKER_02:

There are a huge amount of things that you can do that cost nothing, that you can do on your device yourself in minutes that will make a dramatic difference to risk. Um, you know, password manager is one of them, um, absolutely essential. Um, multi-factor authentication would be another. Um, and then I think probably the third thing would be looking at who has access to the services that you use. Because typically our clients have lots of people in their ecosystem that might manage their social media accounts or might have access to their banking applications. I would look at, well, who are those people? Do they still work for me? In some instances, people have left and they still have access to certain applications. So that kind of, you know, the the um accessibility of your information, you know, do all of those people need to have access? Should they still have access? That would be another thing. Those would be the three things I would say would you could address immediately that would make a significant difference to whether you are invited, don't invite the risk in, you know, you can do those things immediately for free and without any technical um knowledge. You can just get on with it. So that would be what I would do straight away.

SPEAKER_01:

And if people want to get hold of you, want to want to um email you or find your company or find you, how do they do that?

SPEAKER_02:

So they can find me the multiple multitude of ways. Um, our website is coc00n.com, which is C-O-C-0-0-N, coc00n.com. Um I'm on LinkedIn, Lucy Burnford. Um, or my, yeah, I'm sure, I'm sure you can put a link in your newsletter when it goes up with this podcast in as well. So I'm not um I'm easy to find. Uh transparency is important. We're not trying to hide um behind anything because we want our clients to know who we are and trust us and the service that we provide. So I'm very accessible.

SPEAKER_01:

Good. Well, listen, we're going to put all those details onto the podcast um uh brief. Um we will absolutely be uh sharing this with our uh readers in our on our weekly uh newsletter, Defuse News, and on our LinkedIn profiles. It's been a real pleasure, Lucy. Thank you so much for your time. Yeah, no, listen, I think what you're doing is brilliant. I think it's such an important area, and I think um, you know, particularly those people who are have a bit have a vulnerability or a potential um attractiveness to adversaries because of their status or or wealth should absolutely be thinking about their phone as a you know as a vulnerability. It's the one thing that we all carry all the time. It's the one thing we've got all of our data on it, our personal data, our pictures, you know, to our to our private stuff, everything. Um you know, if we look and we all know that if we ever lost our phone, how much of an inconvenience that is. So uh and how how terrified we are when we can't find our phone for five minutes. Don't, you know, um, I think it's it's invaluable. Um I'm really grateful for your expertise and sharing all that over the last um 50 odd minutes. Um thank you, Lucy, for um for being a guest on on the podcast.

SPEAKER_02:

Thank you. It's a pleasure to see you and talk to you as always, and thank you for your support. It's much appreciated. It's a a small community of experts that we have in our in our network, um, as you as you know. Uh so I'm very grateful to you to um for amplifying what we're doing. Thank you. Thank you, Lucy.

SPEAKER_00:

Thank you for listening to the Defuse Podcast with host Philip Grindell, CEO and founder of Defuse. Please rate, review, and subscribe on your favorite podcasting platforms.