In this episode of the Tech on Toast podcast, host Chris Fletcher sits down with Naveed Islam, Chief Information Security Officer at Dojo, to explore what it really means to keep businesses secure in an increasingly digital world. From phishing scams to PCI compliance, Naveed breaks down the biggest risks facing businesses today – and the practical steps they can take to stay protected. With insights on everything from AI-led fraud detection to the future of identity and regulation, this episode is packed with advice for businesses of all sizes looking to build resilience, reduce risk, and strengthen customer trust.

Speakers:

  • Chris Fletcher, Host, Tech on Toast Podcast
  • Naveed Islam, Chief Information Security Officer at Dojo

Podcast synopsis

  1. The real cost of breaches - Naveed explains why cyberattacks hit small businesses hardest – not because the attacks are more sophisticated, but because recovery is so much harder. With limited resources and minimal support, micros are often left vulnerable, making resilience a business-critical concern.
  2. Phishing, fraud, and human error - From classic phishing emails to modern impersonation scams, attackers are targeting businesses every day. Naveed breaks down how fraudsters exploit impulsive behaviour and why training, awareness, and AI detection are crucial for defence.
  3. AI vs AI: The new battleground - Dojo is already using AI to fight AI – from filtering phishing emails before they reach inboxes to spotting fraud in real time. Naveed shares how machine learning and automation are helping Dojo act faster, reduce false positives, and protect its customers at scale.
  4. The boardroom blind spot - Despite rising threats, many organisations still see cybersecurity as an afterthought. Naveed explains why board-level engagement is vital – and how regulations in the US and UK are pushing businesses to treat cyber risk like any other financial exposure.
  5. The future of secure payments - From point-to-point encryption to hosted payment pages, Dojo is making it easier for businesses to stay compliant with PCI standards. Naveed outlines how Dojo removes the complexity of secure payments – especially for micros and SMEs.

Transcript: Business security in the age of AI 


Introduction

Chris Fletcher: Welcome to a very special episode of the Tech on Toast podcast. Today, I'm delighted to be joined by Naveed Islam, Chief Information Security Officer.

Tell us a little bit about you and your role at Dojo.

Naveed Islam: I'm the Chief Information Security Officer at Dojo. I'm responsible for protecting all of Dojo's information and digital assets from malicious actors – the information we generate, card and personal data, etc. It’s the whole remit of protecting the systems as well as the data.


Cybersecurity awareness and growing threats

Chris F: AI is very relevant at the moment, and we see it a lot in the headlines. I was in Marks & Spencer's in Cornwall, and I couldn't pay because it was the start of a security issue. It's becoming more common as data becomes more widespread across the industry. 

Do you think that other businesses are now taking it more seriously – around how we protect our data?

Naveed: Yes, probably not as much as security professionals would say that it should be, but the awareness has improved. Especially with larger organisations and high-profile cases. I feel for the M&S and Co-ops of the world, because I've lived through something similar in my previous life. When these high-profile cases happen, it focuses the mind. Organisations start introspectively going: “What are we doing? What would we do if something similar happened?” – which ultimately raises awareness. The UK government and EU lawmakers have come up with regulations which help elevate the topic of security, privacy, and digital resilience.


The shift to digital resilience post-COVID

Chris F: Do you think there was an understanding of digital resilience before the last two to three years? Do you think that people are finally starting to join that mission?

Naveed: Definitely since COVID. It made everything go digital – because we had to. We were in lockdown across the globe. A lot of organisations had to think on their feet on how to adapt and become digital and resilient. 

A lot of it is still about making sure things are up and running. When you hear about resilience, for Marks & Spencer’s, for example, having the website up and running is considered resilience. Now, it's not just about websites or systems; it's business processes in the background that also have to be resilient. To your point, when you said you went to a store and the shelves weren’t stocked – that's a supply chain issue. The whole piece from start to end needs to be resilient, not just things like websites or prominent systems.


Breaches across the UK – the real numbers

Chris F: The cybersecurity breaches survey reported that 43% of UK businesses experienced a breach in the last 12 months. That's over 600,000 companies. It's quite shocking. 

What do you make of those numbers, and how do they represent what you're seeing happening on the ground?

Naveed: It's about right. There are a lot of incidents daily. I've just read in the BBC News that a legal aid database has been breached, which has information going all the way back to 2010. Certain breaches make the news and get our attention. 

Daily, there are a lot of lower-level things happening. An email compromise where someone may lose £10,000, for example. They don't get reported. When the government does surveys like this or other organisations like Verizon do a data breach report on a yearly basis, they highlight a lot of the lower-level things that are happening, which don't always make the news. But that number doesn't really surprise me.


Why micro and small businesses suffer more

Chris F: The smaller businesses, we presume, are being attacked less. Maybe it's happening and we're just not aware of it. The financial impact is almost double, because of the smaller turnover and smaller base. 

Why are micro and small businesses being hit harder when it comes to cost?

Naveed: It's a multitude of things. It's small, so they don't have the resources at times. Especially micros, where maybe one or two people are running the business. They are taking the payments and doing whatever's needed to fulfil orders. They don't have the sophistication in terms of systems and often outsource it to IT family members or IT providers, and don't have the financial means to recover as well.  

We in enterprises can lose £10,000. It's bad, but not the end of the world. For a micro, this would mean losing the money and spending time and resources on recovering it, which would mean they go out of business. Micros are disproportionately impacted, but not because their attacks are more sophisticated. The cost isn’t just the attack but the recovery process. They don't have the means to recover, so they end up in a whirlpool of attacks, and now can't trust their systems. Will it happen again? It just goes around in circles.


How enterprise businesses strengthen defences

Chris F: The enterprise costs are down by 69% in that scenario. 

They (enterprises) have larger resources. You talked about third parties and how they are now investing in IT support, but what more could they do?

Naveed: The enterprises of the world just have more resources and can partner with more reputable or experienced organisations who do this on a day-to-day basis. They have resilience plans, recovery plans, insurance, etc. 

Micros can't do that. There are some hygiene factors they can invest in – things like a strong password and multi-factor authentication, keeping software up to date, and having some level of awareness of what social engineering looks like. Having the capability to recover, whatever that means for an organisation. 

It’s easier said than done. If someone encrypts your system, can you recover with a backup? Versus if someone scammed you out of £10,000 – what do you do? It's having three or four areas they can look at. Micros don’t have much they can invest in, but they have some hygiene factors that they can look at, which will make them slightly harder targets.


Phishing in the modern world

Chris F: It's the awareness piece plus actually doing something – the hygiene factor is the best way to put it. It says here that 85% of businesses are being attacked by phishing. 

Could you break down what a modern phishing attack would look like to a business and how they might experience it?

Naveed: Phishing is a form of social engineering and has been around since the dawn of time. Social engineering has become very digital. Email is the most common – phishing – sending an email to get a desired action, whether it's clicking a link to steal credentials or downloading and installing malware.

The other type of social engineering that is quite prevalent right now, and one that the National Cyber Security Agency has mentioned, is telephone social engineering. This is when fraudsters call places like IT helpdesks or contact centres, social engineering them into giving information, resetting passwords or getting account information. A lot of this has become more prevalent in the last 10 years. 


Other common forms of attack

Chris F: It's manipulation of people, isn't it? Which used to be on the playground, or a business transaction. Now it's on WhatsApp or your phone.

Naveed: Exactly. We are so used to being on email; WhatsApp and instant messages are the norm. A fraudster can just piggyback on that and try to con people.

Chris F: How are people being targeted in other ways? 

Naveed: I'll reference a Verizon breach report – they do this on a yearly basis and do a really comprehensive job. They flagged three main things that are currently happening. Social engineering is one of them – specifically email-based phishing. Software vulnerabilities are being exploited, especially stuff which is available via the internet. If your website is not up to date, fraudsters will see if they can hack it. The other one is credential theft. There's a lot of focus on stealing credentials, but not everything is through phishing. 

I'll give you an example. Stealing credentials, or enough information to send an email to an accounts team and request a change to the bank account where a payment should be sent. The technical term for this is ‘business email compromise’. It's a form of social engineering. It's just a different method than what’s used for phishing. Those are the three main things that Verizon say are happening right now.


The role of AI in phishing scams

Chris F: AI is now becoming part of the conversation. 

67% of people think they can spot an AI-generated scam. But most of them actually can't, can they?

Naveed: People find normal phishing difficult to spot. At a talk a few years ago, they talked about the impulsive side of your brain versus the rational side. They called it Homer versus Spock. The Homer side of our brain is what we normally act with – impulsive. Emails come in, we click them, read them, and move on – versus the Spock side of things. Like when you’re making a large purchase, say spending £10,000 – you’re not just going to say yes. You’ll take at least five minutes to think about it.

Attackers are counting on the fact that people are very impulsive, especially when it's a request which doesn't seem to mean much. “I need this done. Can you click this link? There’s nothing obvious there, right?” But they click with impulse. That's just a traditional phishing email. The typical giveaway signs used to be things like a sense of urgency, spelling mistakes, grammatical issues, and so on. AI is helping get rid of a lot of that. Emails have become more realistic because they sound colloquial. It sounds like someone I know is sending the email. Grammatically, they're correct, and all of the links look good.

One factor that remains the same is the sense of urgency. What the attackers don't want you to do is sit there considering whether that email is correct or not. They will say something like: “We need you to do this urgently, otherwise, something bad will happen.” The AI-led phishing can't change the fact that attackers need the recipients to act with urgency. They can't write that you have 30 days to comply – that’s a long time, and humans will do it later. They will say something like: “If you don't do this now, you will get fined. We need you to do this in the next 10 minutes.” In a roundabout way, I smile because people can't spot them now. What AI is doing is making some of the telltale signs more difficult.


Executive overconfidence and ‘whaling’

Chris F: The other day, I asked a roomful of people if they used ChatGPT – every single hand went up. It's becoming commonplace, and people are finding it hard to spot when you've written a blog with ChatGPT, let alone recognise a phishing scam.

Naveed: The telltale sign is the urgency. The time-sensitivity doesn’t change, AI or no AI.

Chris F: 90% of C-suite executives claim they can spot AI-led phishing. 

Do you think there's overconfidence creeping into the boardroom? Where there isn't a level of expertise, but a self-taught understanding?

Naveed: Yes, I've seen enough execs being compromised through phishing. Then there's a term called ‘whaling’, where you go after the C-suite. If you can compromise them somehow, then you can do whatever you want in the organisation. Imagine if I compromised our CFO and assumed his identity or email somehow, I could then start emailing the right people to do whatever I want. If they think it's the CFO, they are more likely to do it. 

Organisations in the last 10 years have lost money because of that, where a CEO says: “I’m working on a very confidential M&A deal with an accounts payable team somewhere. Can you make this payment of £50,000 to this legal team? But don’t tell anyone about it.” The accounts payable person thinks: “It’s the CEO – of course I’m going to make it.” This is what has been happening. Now, if AI is making it more human, I can’t see how the board members and execs are more confident, especially because the security industry hasn’t done that much work on AI phishing awareness training.

Chris F: I was a director at Carluccio's 10 years ago. We were getting emails from the founder saying: “Chris, can you send me £500? I need to do a transaction for the opening we're doing.” It does take a double check. As you said, it's becoming more digital, less easy to spot and more humanised. The scary thing is, we're only just getting going with AI. 


How AI is used in cybercrime

Chris F: Where do you think AI can go in terms of how advanced these guys can get at manipulating us?

Naveed: There are different levels to it. No two attackers are the same. You've got the really sophisticated nation-state-led attacks, which are a country-to-country type of warfare, such as Russia, China versus the US and the UK. They operate in a manner that’s beyond most enterprises. But they are going after nation-led things like critical infrastructure, as opposed to consumer data, because that's not their game. It’s cybercriminals who are going after this. 

Sophistication will vary. Cybercrime's almost democratised in the last five years, where you've got really entry-level attackers coming in because they can buy things as a service. It's really interesting because the criminal world is mimicking the professional world. We have software as a service.

Chris F: Are you telling me these guys have got their own SaaS fees?

Naveed: No, we have ransomware as a service, for example. I read about an attack where a lower-level, less sophisticated attack group bought a service from a more sophisticated group and then targeted an end company. It can get very sophisticated. Organised criminals are not going to spend time and resources training their own LLM models. They'll either try to purchase it or they will go after the lower-end because they want to have the lowest effort for the maximum yield.

The scary thing is software as a service. They may be able to buy LLMs as a service in the future, which would change the game. However, the positive part of me thinks that the security community and the big tech organisations are building AI for good.

We'll get into this battle of humans versus humans, and machines versus machines, and spot enough of it to be able to make ourselves a harder target. I don't want to say that’s 10 years out; it's probably sooner than that. We're seeing a lot of advancements in that space, but I still expect the organised criminals to spend minimal time and money, because they want to get in and get out as soon as possible and make the most amount of money.


Why criminals prefer digital crime

Chris F: It’s like a robbery.

Naveed: You don't often hear about bank robberies anymore. The last one I remember was the Hatton Garden heist. That took a lot of planning, and they were caught in the end because they left physical things behind. Now, organised criminals, in the last 10 years, have worked out that you don't need to drill through diamond shops and banks to get the money. You can get it out in other ways, while leaving a very small footprint. They want low effort, high yield. They don't want to spend six months taking something out because it's too long.


Where to start with a defensive security strategy

Chris F: Where do you start a defensive strategy for a business? 

Naveed: Much of it starts with hygiene, as a lot of the attacks start at a lower level. You either get the motivated attackers who will keep trying until they get in, or the lower-level attackers who are essentially looking to get in and get out. Wherever they find any type of resistance, they’ll just move on. 

I was at a conference a month ago, and we talked about identity, which has become crucial. Just like how we care a lot about our passports and our driver’s licences – because they allow us to prove our identity to access a lot of things – our digital identity has become crucial. So, identity has become a perimeter. 

Rather than having an outside-work organisation and an inside – like a castle and a moat – we don’t have that anymore because of the proliferation of digitalisation, SaaS services, and so on. When you log into your online bank, it’s your identity that proves it’s you. There’s nothing else in between. A lot of organisations have started looking at that and going: “How do we make it as hard as possible to be compromised?”


Cybersecurity as a boardroom priority

Chris F: 27% of surveyed businesses said cybersecurity was a priority at the board level. That's low, considering what we just talked about.

Why do you think that number's not at least 50%?

Naveed: It’s the optimistic side of any business – the mindset of: “It won’t happen to us.” I noticed the same thing during COVID – everyone around you might have caught it, but you still think, “It won’t happen to me.” Businesses have that too. “It may have happened to someone else, but it won’t happen to us.” So there’s a level of ignorance. 

Secondly, some industries are just not regulated. The financial industry, telecoms and national infrastructure are regulated – not so much retail and hospitality, so there's no driver there. The driver for any business is to be profitable. From an accounting perspective, it's a cost; there's no value to be attributed. The security industry has to do a better job of showing how it adds value. 

Due to some high-profile breaches, the U.S. Securities and Exchange Commission has made it mandatory for all public organisations to disclose breaches. Every year, they have to report on the risk and governance and prove that someone at the board level has enough experience in cyber to question it, and that they're managing it just like any other financial risk. 

The UK has a cybersecurity bill that’s going through parliament at the moment, which is looking to do something similar – mandatory reporting, especially around some of the high-profile industries. It’ll become a bit like the annual accounts an organisation has to prepare, where a financial audit comes in and checks everything. Eventually, cyber risk will become so material that organisations will have to show that they’re taking it seriously and testing against it. It will probably start with the financial institutions, because the regulators are more keen.


How Dojo is using AI for defence

Chris F: In terms of Dojo, how are you guys using AI to help your customers and businesses look after themselves and stay ahead of the threats?

Naveed: A lot of the AI we're currently using is in a defensive posture. We have plans to lean into the product side, but that's very much in its infancy at the moment. From a defensive perspective, we leverage a lot of the AI capabilities from our partners, such as Google, to help us detect and mitigate risk as soon as we can. 

Our email system, for example, has AI built in to fight AI-led phishing. It's AI versus AI, because we are not relying on humans to detect it at all times. We need to help the people. Before it lands in someone's inbox, it's going through the good AI.

We're using AI to detect potential malicious activity within a wider environment, where our crown jewels are our customer data. We use a lot of machine learning to automate actions in real-time, rather than a human looking at it and deliberating based on years of machine learning. If it’s looking bad, we have enough confidence to kill that action and reduce the risk upfront rather than just alerting someone to then have a look at it. We rely a lot on automation, machine learning, and AI to help address these threats quicker.


Why payment data is so valuable

Chris F: Why has payment security become such a high-stakes business?

Naveed: Because it’s profitable. Payment card data, such as the 16-digit card number and the CVV, has value to criminals. Last time I checked, a 16-digit card number was worth anywhere between $15 and $30. If you have the CVV, which is the three or four-digit authentication, it becomes even more valuable because that allows you to do a lot more. It’s digital currency.

I now don't often use my physical credit card; I use my Google Wallet or enter the card information into a website, and it's all legitimate. If cybercriminals get it at scale, they can either use it to commit major fraud or resell it. It's almost a resale market, and that’s the reason they steal it – because there are groups who want this card data for financial fraud. That's what card data ultimately is – digital currency that allows us to operate nowadays. 


PCI compliance and how Dojo supports its customers

Chris F: How is Dojo keeping its customers compliant in terms of PCI? 

Naveed: We focus on the in-person economy, doing remote payments and e-commerce. In both instances, we build as much security into the payments offering as we can, so that the customer doesn't have to do much. For our face-to-face payments, we build all of the security into the terminal and communication to take that responsibility away from the customer. All of our payments are point-to-point encrypted, which means that between the terminal and us, no one can hack them.

As we do focus a lot on the micro and SME space, we're trying not to place too much emphasis on them securing the payments – we're giving them the secured version. We do the same thing for remote payments, where we offer a payments page hosted and managed completely by us, so that the customer doesn't have to worry about the website – because we handle the payments completely. It takes most of the obligations away from the customer, but we manage them by making sure they're following the right guidance from a PCI perspective, which is the gold standard for payments.

Chris F: You’re doing a lot of hygiene for Dojo, right?

Naveed: As much as we can. Some of the bigger customers want more bespoke solutions, and we will work with them to secure this. Bigger customers have more resources, so they can take more of the burden.


Future trends in security and tech

Chris F: What are the three biggest innovational trends that businesses should keep their eye on? 

Naveed: Right now, AI and large language models are used for data analysis and making decisions based on it. The next iteration, and we start seeing some proof of concepts around it, is allowing the systems to become autonomous and make decisions and take actions independently of humans. 

If the attackers are using AI, and we have enough confidence in the systems, we can allow the AI to detect and mitigate the threat all by itself. It takes some of the human aspects out of it, within reason, because in this business, I would never want the agentic AI to do anything with our payments platform. We need extra precautions around that, but some of the lower-level things can be done.

The second one is identity. There's a phrase going around in the security industry: “Identity is the new perimeter.” If I sit at my laptop for work, a lot of it is browser-based software as a service. So identity proves who I am versus someone else. In my previous life, I would have had to VPN into work and use tokens. Younger listeners may not remember those days, but you had to do a lot to prove that you were in the work environment to work – that's all gone. A lot of work has become identity-first.

Last one – the tech industry has been talking about the quantum and post-quantum world. What does that look like? There's a lot of concern that quantum computing will enable a lot of the encrypted data to be decrypted at speed. A lot of the data at the moment is encrypted in a way that can't be decrypted or hacked. Quantum will make it easier to hack. 

There are a lot of attackers who are harvesting data now to decrypt later and monetise, because they're waiting for the quantum world. Now that one is a bit of a stretch and has been around for five years, but I've seen a lot of work by Google and some of the other big tech firms around quantum computing and this fear. It’s a bit like the AI piece, where there is usage for good, there will also be bad actors who will jump on that. Those are the three big trends that the security and tech industries are looking at.


The importance of hygiene

Chris F: Thank you for bringing this to us in a consumable way, because this information can be hard to understand.

Naveed: A lot of what I say can come across as scary, but a lot of cybersecurity comes down to a technique of cyber resilience, covering basics – I'll call it hygiene, such as strong passwords, the MFAs and keeping software up to date. Because criminals are ultimately trying to do this with the least amount of effort for maximum yield. If you can make yourself a harder target by doing some of the hygiene stuff, it deters them. It's like having your front door and windows locked and a burglar alarm set up – the normal criminal will decide: “That's too hard. I'm going to go somewhere else.” 

The digital world is not that different from the physical world; it’s just that everything is anonymous. While it sounds really scary, there are some practical steps we can take to make ourselves a harder target, from the micros to the enterprises, to the personal world. If everyone does that, the attackers will move on to some other scam.

Chris F: That was Naveed Islam, everybody. You can go and check out Dojo at dojo.tech.


Wrapping up: Security as a strategic priority

This episode breaks down exactly how cybersecurity impacts real businesses. Naveed shares why prevention, resilience, and recovery should all be part of the same conversation, especially for small businesses that can’t afford to take the hit. With real-world examples, practical guidance, and a look at where regulation is heading, this episode offers clear advice for anyone wanting to stay one step ahead of cyber threats.

Want to dive deeper into the tech shaping today’s business landscape? Head to our blog for Episode 2 of our Tech on Toast podcast partnership, where we explore how to manage a fractured tech stack and bring together systems like POS, payments, and staffing software. You can also check out Episode 3, which focuses on why strong communication is essential for smooth tech rollouts — from stakeholder buy-in to frontline adoption.

Choose Dojo for secure, seamless payments

At Dojo, protecting your business is just as important as helping it grow. That’s why our card machines and payment solutions are built with PCI compliance, point-to-point encryption, and security by design – so you can accept card payments with confidence.

From AI-led fraud detection to real-time monitoring, we use advanced tools to protect your customer data and reduce risk behind the scenes. Whether you're running a small hospitality business or scaling across multiple locations, our payment suite makes it easy to stay compliant, reduce admin, and focus on delivering great service.

Explore more secure solutions – visit Dojo or check out our blog for tips on how to safeguard your business.