Modern Cyber with Jeremy Snyder - Episode 96

Robert Siciliano of Safr.me

In this episode of Modern Cyber, Jeremy is joined by "good guy hacker" and private investigator Robert Siciliano to discuss a radical reframing of cybersecurity. Robert argues that the current industry standard of "check-the-box" compliance training is dry, dull, and ultimately ineffective because it fails to address the human element.

Podcast Transcript

All right. Welcome back to another episode of Modern Cyber. As always, I am your host, Jeremy, and I am delighted to dive into a topic that is so important and relevant in today's modern digital world that we all live in, and we all transact in any number of times, every day. And it is something that affects each and every one of us. And that is personal cyber security. And we've got a real expert here to join us today to talk about really reframing the problem and thinking about it in ways that we maybe haven't thought about it before, where we can get better results, where we can get everybody to care, not just those of us who work in cybersecurity professionally and make our living working in cybersecurity, but everybody who's a part of the organization also to the level of every family member relative you have, that grandmother that you need to support and make sure she doesn't get tricked by scammers.

Let's get everybody on the same page and really improve results for everybody. And to that end, I am delighted to be joined today by cybersecurity expert, good guy hacker and private investigator Robert Siciliano, who delivers straight talk on safety and security, stripping away the jargon to empower everyday protection. A best-selling author and CEO of Safr.me, that's spelled S-a-f-r dot m-e, and head trainer at ProtectNowLLC.com. He's a trusted commentator, featured on CNN, Fox News, MSNBC, and the Today Show, decoding complex threats for mass audiences. I could go on with the list of accomplishments and appearances, but there's too many and we won't get through the whole show. But let me just say, Robert, thank you so much for taking the time to join us today on Modern Cyber.

Hey man, this is great. I appreciate this. Appreciate you. Thank you.

I wanted to start with something that we were talking about before we started recording today. And that was something that you said that really resonated and really struck a chord with me. And that is that we've all had that experience working in corporations. We get our annual summons, so to speak, to, you know, our cybersecurity awareness training and our phishing training and whatnot. And we go into it kind of begrudgingly. We go into it. We have to do it. We know we have to do it. I think we all know in our heart of hearts that it is the right thing to do. But we all treat it like a task that has to be done, rather than as an important lesson that we should really focus on. I see so many people who just want to get it done as quickly as possible, and just get it out of the way, like taxes, it comes up once a year and you just have to do it. You don't like it, you know it's there. How do you get people to shift their thinking around that? Because I'm sure you've encountered that exact behavior any number of times.

I have heard that more times than I can count. Um, you know, most security awareness training is dry, dull, boring, fear-based and, you know, or it's a, you know, criminal or former criminal or a hacker that has seven chips in his body and he's doing parlor tricks, and all that stuff is good and well, and security awareness is obviously necessary, but check-the-box compliance is dry, dull, boring. Get me through that mess as quickly as possible so that I can get in, get out, get back to work. But the reality is that security affects all of us in so many different ways, day to day in our personal lives, that if we address that issue of security awareness first, making security personal, then the learner, the employee, when he gets to work and he has to engage in some form of phishing simulation training or compliance or whatever the case is, or even engaging with risk on a regular basis at work, they're going to be more attuned to what those risks are because it begins to mean something and matter to them when they get their own security in place first.

You know, it's funny you say that because, like, at the same time, we're all human beings outside of work and we all have, you know, Gmail, Hotmail, Yahoo, whatever the case may be. We've got our personal email addresses in addition to our work ones, and we see the phishing attempts and we see the number of, you know, bogus links and fake, you know, "you signed up for this service," "oh no, your cloud storage is going to be deleted, update your credit card now." We all get these things on a regular basis. So we should be aware that cybersecurity is personal. And yet somehow there's this disconnect. How do you get people to kind of bridge that gap and remember that there's, like, you know, there's work you, there's personal you, both need to be secure?

So whenever I start off one of my presentations, um, nine out of ten times, you know, I walk in, uh, they walk in and they're sitting down and they're like this, their arms crossed, you know, they're looking at me with a scowl on their face and they're like, okay, security guy, what is it you're going to tell me that I already know? And one hundred percent of the time I've got some people, multiple people, coming up to me at the end of the event saying to me, you know, I'm here because I was supposed to be here. My boss told me I had to be here. I didn't want to come here. I didn't think I needed to be here. I frankly didn't want to come, but I'm so glad that I did because it's not what I thought it was going to be. And frankly, I wish that my spouse was here because he or she needs this too. And that's what security awareness training should be or could be.

Because right now, like, security awareness training, as we look at it today, cyber is what, twenty, maybe twenty-five years old, like, it's a relatively new thing in our lives and our species for that matter, whereas security has been around for thousands of years. And if you treat security as all security is personal. Yeah. And you begin with the individual where they're at in their lives and what their fears are, their worries are, their concerns are in regards to their own data and dollars and identity and family and so forth. Then the arms go down and they're going to lean in and go, okay, yeah, this is good. Like, I didn't think this was going to be like that, but okay, so now what do I got to do? Because this is important to me now. That's what it should be. And that's what, you know, is lacking. And I'm asking, you know, to change the conversation or at least amend the conversation so that we begin to actually address the learner where they're at in their lives. And that's what needs to be done. That's what I do. But nobody else understands that concept because most security awareness training is do this, don't do that, or else. You check the box, you're good for a year and you move on.

Yeah. And it just feels so impersonal, and people are just not clicking links at all. Like, if that's the whole point of phishing simulation training, okay, you solved that problem, but, you know, the rest of it, we're going to, there is so much fraud being perpetrated today. Now, more than in the thirty years that I've been doing this, I've never seen more high-dollar losses in such a concentrated period of time by individuals like me and you, like, by our parents. I'm seeing millions of dollars lost by regular everyday people. It's getting worse. It's not getting any better because we have not made any progress in solving the problem because we're not addressing the human.

Yeah. So how do you start that process? How do you start to take it from this annual check-a-box, do-it-because-I-got-to-do-it to, oh, this is real, this is human, this is human level? And, you know, I think to your point, one of the other things you said before we started recording is that, like, our default state as humans is trust. You know, that's how we evolved in society. We evolved society on the basis of trusting each other, that we could work together, we could partner, we, you know, two people together can be more productive than two people as individuals.

How do you start that shift in mindset? So it's important to talk about, you know, why we as humans, how we're wired, why we react the way we react and so forth. And so I talk about, you know, what I call the human blind spot, right? And the human blind spot is essentially that psychological instinct to trust the familiar, right? The cognitive gap, right, where biological trust overrides digital suspicion. Okay. Okay. That's leaving the door open for all kinds of frauds and scams, AI deception, every single time the phone rings, an email comes in, you get a text message, right?

And so when you break down security in such a way where, what security is and what security isn't, then for our whole lives, we start to look at security in such a way where we never understood it from that perspective. So for example, right, when I ask my audiences at the very beginning of the presentation, like, I'll raise my hand and say, okay, so just to get a sense of the room, how many of you, and this is every presentation that I do, how many of you are using a different passcode across all your critical accounts, including email, in both your personal and professional lives? You're using a different passcode across each account. Raise your hand. If I get fifteen percent of the room, that's a lot. That strikes me as being very high as a percentage of that room. I would have guessed, you know, five percent or less.

It's, yeah, yeah, yeah, ninety-four percent of all the passwords that have been exposed in all the various breaches are all, like, relatively the same thing. Okay. Yeah. Okay. And then the next question is, like, you know, how many of you are using two-factor authentication for all your critical accounts, including email, in your personal and professional life? If I get twenty percent of the room, it's usually a little tick higher. That's a lot. So that stat right there, that's like eighty to ninety percent of the room are, like, so wide open to email attacks, just that one thing. Okay. Yeah. And then from there, like, you can go to Have I Been Pwned and show them, like, you know, how many people are using one, two, three, four, five, six, which is like millions, right? And they're like, oh, this is ridiculous. Okay, now we're beginning to understand. And then you show them how there's been, like, fifteen billion passwords compromised on the dark web, fifteen billion. And they're like, okay, yes, I'm beginning to understand this now. You know. And then from there, you start talking about, like, what security is and what security isn't.

So for me, like I say, okay, and I'll ask you this question, you know, and I tell my audience, like, okay, so I'm a guy that's got, like, twenty-plus security cameras, and I do, I have twenty-plus security cameras both inside and outside my house in total. So, like, let's just say you don't know what I do for a living, but you hear, like, okay, this guy's got twenty-plus security cameras. What would be, like, the general public's observation of somebody who has that many cameras? Like, what might be my disposition, my worldview when I wake up in the morning? I am what?

Yeah, you are alert. You are aware. You are watching everything that's going on around you. Those would be, like, the first things that would come to my mind. Second things, by the way, might be, like, what's going on over there? Like, why does he need so many security cameras? But that's maybe the second thought that comes up.

Yeah. Well, you're a security professional. That's why your brain goes there. Most of the audience says paranoid. That's what they say. He must be paranoid. And that's what most people view security as. So in that same line of questioning, right, and just let me break down paranoia really quick. So paranoia is in fact a mental health disease, and that's what it is, you know? And if you've ever engaged someone who actually has that disease, and I have a first cousin, um, I think she might be living in her car right now. I mean, the poor kid is, like, I love her to death, but she's just, like, she was stricken with this and she's constantly at odds with her universe. She truly does believe that people are out to get her.

Yeah, yeah, that's her reality. And yeah. And so she's had me come to her house and sweep it for bugs and, like, it's disheartening, right? That's what paranoia is: out of control. Security, of course, as we know, is in control or gaining or, you know, seeking control. Right. And then in that same line of questioning, I ask, okay, so how many of you actually have, like, a home security system? You know, if I get fifteen to twenty percent of the room to raise their hand, that's a lot, right? And I say, well, interesting. You do know, right, that, like, fifteen, but one point five to two million homes are burglarized in the US every single year? And they're like, oh, I really didn't know that. I'm like, yeah, that's, like, a real stat, right? And so then I go, so I got a question for you. Like, why don't you have a home security system? Right? And the answers start to come out, like, all the reasons why they justify that.

And the most popular reason is, well, I don't have a home security system. Like, my husband and I talked about this and my husband says, like, if they're going to break in, they're going to break in anyways, which is, number one, a fatalist attitude, which is never a good idea, right? Or the husband or the wife might say, well, we have insurance, so the insurance is going to protect us. Well, is it going to protect you at three o'clock in the morning when some whack job comes in with a knife? Not really. So they haven't really been well thought out, those two responses. And then the other one is, like, well, mainly the reason why I don't have a home security system is because I don't want to live like that.

So what does that mean from your perspective? Like, what changes about, you know, the mindset or the attitude that you hear from people? Like, when you dig in on that, because I imagine you do, I imagine you ask a follow-up question, like, I don't want to live like that. What does that mean?

That means that they don't want to have to worry, and they say it. I don't want to have to worry. I don't want to live in fear. I don't want to be paranoid. I just want to be free. They say all those things as justification for not engaging in risk management because there's fear involved there. There's worry involved there. There is the acknowledgement of sociopaths and psychopaths, predators and thieves, that there's bad people out there. And I don't want to have to think about that. Therefore, I'm not going to. I don't want that constant reminder in my life. Yeah, yeah. That is most people. I'm telling you, I see this, I experience it.

You know, after you explain it, I'm actually not as surprised as I was initially, because I've also, you know, I've worked in business-to-business, you know, B2B cybersecurity for most of my career. And I've talked to any number of teams where you talk to them about whatever the case may be, whether it's vulnerability management or endpoint protection or whatever it is that they don't have. And you present to them, like, hey, I think you have a much bigger vulnerability risk than you realize. And I can prove it to you. And I've seen the attitude of, yeah, but if I know about it, I have to do something about it. So I can see that being kind of parallel to what you just described there, from that mindset perspective. Interesting.

Yeah. And part of that process is that what we do as a result of this, you know, these mind games we play with ourselves, is that we settle into a form of denial. Okay. So yeah, think of it like this. Like, if you're watching the six o'clock news, and I bring this example up all the time, and there's, like, something bad and tragic happens in a neighborhood somewhere. And so the local news station comes in with the reporter and a microphone and a camera guy. And they get the neighbor, you know, to come, like, outside and they put the microphone in her face. What does that neighbor often say about what happened?

Uh, either I didn't see anything or I never would have expected this or some variation on one of those two comments.

I never thought it would happen here. Right? Nobody ever wants to think or believe or plan out that it could happen here. And so what we choose to do is we function in denial. So instead of actually installing that home security system or that password manager for that matter, or two-factor authentication, well, it's not going to happen to me. You know, why would they choose me? They just function in denial and do nothing about it and make up all these excuses. We choose to do that. Yeah. That's more natural and more normal than proactively engaging in risk management, because proactively engaging in risk management is recognizing that. And this is what I've come to the conclusion of, is that ninety-seven percent of the people that you will ever meet in the course of your life, ninety-seven percent are worthy of your trust.

That means that they're generally good people with good intentions, and I've come to the conclusion that probably about two to three percent, and it's about two to three percent of the world's population, and the, you know, doctors, you know, the American Medical Society will say it's called antisocial personality disorder. And those are the sociopaths and psychopaths that, you know, they're in prison, they're sex offenders. And there's a lot of them out there, about two to three percent. They are the sociopaths and psychopaths, the hardcore narcissists that look at you and me as their natural prey. They are the wolf or the lion. We are the bunny rabbit or the gazelle. And they don't have empathy, sympathy, guilt or remorse. And they'll go after your mother. They'll go after your father, they'll go after your daughter. They don't care. You are their natural prey. We are their natural prey. And most people have never even thought of that or want to think of that. That's scary. That's fear. That's worry. That's bad guys.

Yeah. Interesting. So how are you supposed to engage an employee in phishing simulation training if they don't know the importance of security in their personal lives first? Yeah. And so the worst thing you can do is walk in a room and just scare the hell out of everybody. Which you never do, because that's the worst thing you could do. Fear-based tactics do not work. They don't work. But the same way that you express empathy and sympathy in dialogue with a loved one, with a family member, with a child who's growing up and navigating the world, is the same way that you converse with your audience or your employees. And I don't know that many of us have time for that.

And I'm not asking anyone to take your fifty-year-old coworker by the hand and give him a hug and tell him it's going to be all right. I'm not asking for that. I'm asking to change the conversation in such a way where you meet them where they're at in their lives, because that fifty-year-old has got a seventeen-year-old who's going off to college in the next couple of years, and he's concerned about her going off to frat parties and getting into situations, but he doesn't know what to do because he's never had an effective conversation about how to prevent his daughter from being a victim of crime. But if you engage him in such a way where now he has the tools to have that conversation, that becomes kitchen table talk. That is the ultimate success of a security awareness training: that they take what they've learned and now they go back home and they explain it to their friends and their family. It becomes, like, a dialogue that they have with the people in their lives. That's what security awareness training should be.

Yeah, that makes a ton of sense. And it's interesting, you know, as you were talking through that, another kind of parallel to the B2B world really popped into my head, which is something that we hear from a lot of companies very often. Aside from what I said earlier about, you know, they don't want to know about it, so that then they have to feel like they have to do something about it, it's also very much the, well, we're not a target. And I just think that that's a very naive way of thinking. You know, for your physical security at your house, okay, someone's got to come to your house. For your digital security, anybody from anywhere in the world effectively has access to try to get into your email account, your bank account, your social media accounts, whatever the case may be. Right? There's very little that most of the providers do on a regular basis other than, you know, maybe there's, like, a few kind of anomaly detection flags where they're like, huh, you just logged in from the Northern Virginia, Washington, D.C. area where I am now. It's very unlikely that you're logging in from Kiev, Ukraine ten minutes later, right? You know, there's maybe a little bit of that that goes on.

But, you know, if I take that, if I draw that parallel out a little bit, if you're coming to my house, the bare minimum I can do is lock my doors to protect myself, my family, my belongings. In fact, adding those cameras gives an additional deterrent and makes it a little bit less likely. And what we tell organizations is, you know, you got to do the basics. Yes, you're not a target specifically, but everybody is a target. And so you do the basics so that you are not part of the quote-unquote low-hanging fruit that's super easy to compromise. And I think from a personal security perspective, okay, like, a camera in front of my house reduces the likelihood of any, you know, burglar coming in or whatever the case may be. There's just this kind of, like, friction that I feel. It's like, you wouldn't, I wouldn't tell somebody that you shouldn't lock your doors. Everybody assumes that locking their doors is a safe thing to do. But why there is a line, a mental line, between locking your door and putting up cameras kind of baffles me. Like, why is one a more severe action that gets in people's heads around, well, I don't want to live like that, when the other is just, like, good basic common sense denial.

You know, I say all the time that, you know, we are essentially adults that are handling adult situations in an adult world. And of course, you know, I look at all the world's strife and complications and drama as adults that are handling adult situations as our five-year-old kicking and screaming selves, because we're still holding on to a lot of these emotions, a lot of this worry and fear from when we were children. And that carries throughout our lives. And when it comes to things like security, again, it's about bad actors that could potentially mean to do harm. And that's not something that we're just prepared for. Our baseline is that we are what is considered an interdependent species. And as an interdependent species, that fundamentally means that we depend on each other for our survival. And that's biologically hardwired into us, right? And what is biologically hardwired is the fact that we have to and need to trust each other.

Yeah. And that trust is fundamental to our dialogue with each other all day, every day. When you're engaging someone face to face, when they send you a text message, email or phone call, you want to and need to feel that this person has my best interest in mind, that this isn't a predator on the other end of the line that means to do me harm. Nobody wants to think those things. We don't want to believe that. You know, essentially, like, what I call the human blind spot, that psychological instinct to trust the familiar, right? It's that cognitive gap where biological trust overrides digital suspicion, leaving the door open for all forms of deception. And we don't discuss that aspect of personal security in security awareness training because we're not making the time for it.

Yeah, yeah, it's very true. I've been through, I don't know how many iterations of security awareness training in my day job at, I don't know, ten companies over the course of my career. And you're exactly right. Like, there's no emphasis on personal security in there. It's, hey, phishing is a risk to the organization. Here's best practices. Let's look at a couple of sample emails: does this look like a suspicious email? Does this look like a suspicious email? And, you know, in larger organizations, every now and then you get one out of the blue and it's, you know, did you just delete it? Did you report it? Did you click the link? That gets maybe measured by somebody who's in the security awareness training team or the team that's responsible for that within the organization, but making it, you know, personal at the level that we've just been talking about, uh, you're right, I've never experienced that in any of the iterations that I've gone through.

Yeah. And so, like, just to define it, right? So all security from my perspective is personal when you come from the background that I do with, you know, really coming from the Boston area, twelve years old, getting beat up by five kids when I was, you know, twelve years old. And that had a profound effect on how I viewed the world. And then, like, even worse, when I was thirteen, I met a girl that I liked. I was fond of her. She was fond of me. We held hands. We went to summer camp together. And one day after camp, we get off the bus and we're sitting on her stairs and she says to me, I think you should know my mother's boyfriend raped me and I didn't. And I looked at her face and I saw that she was upset. And so, you know, I gave her a hug. And I left shortly after that. And I go home. And now this is, like, we're talking forty-something years ago because I'm fifty-seven. And I say to my dad, Dad, what is sex? What is rape? I had no idea what she was talking about. I literally had no idea what she was talking about. I just knew it was bad based on her body language.

Yeah. And so my perspective goes back to that, and that, like, we have been dealing with all of this trauma and drama and sexual assault for thousands of years, and it's still a problem because we're not having what I would consider uncomfortable conversations with certain people in our lives that we should make comfortable by explaining risk and what your options are to reduce that risk. You know, my girls, I've been talking about this stuff since they were young and, like, they know how to mess somebody up. But when I have these conversations with them, I'm speaking to them as if they are, you know, young adults, in such a way where, like, you got this, like, this is what you got to do in order to reduce that risk. And this is how you pay attention and this is how you hurt somebody and so forth. And, like, while that may not feel comfortable to some people, I think it's a necessary dialogue that we learn to have.

Mhm. Yeah. It's such a good point. The more we can talk about things, the better we can get at them. That's true in general, like, of almost anything in life: the more we can learn to talk about cooperation, the better we get at cooperating; the more we can learn to talk about, you know, secure password practices, the better we get at them. I would agree with that one hundred percent. I really like that tenet that you just described, that all security is personal. It really resonates with me. You know, one of our lead investors comes from the national defense space. And he's very fond of saying that cybersecurity is national security. And I think that the way you describe that strikes me as being a very close parallel at a personal level for thinking about securing your own lives and your own assets.

Yeah. All security is personal means the core belief that people protect what they love, right? Yeah. By teaching someone to secure, say, their child, their child's, you know, digital footprint, their identity, right, you know, your bank account, you create a more secure employee at work. Mhm. We are a selfish, self-interested creature. And the word selfish kind of gets a bad rap, and I understand that. But we have to be selfish. It's important that we are selfish. And what that fundamentally means is, like Abraham Maslow's hierarchy of human needs, at the base of that triangle is, you know, your physiological needs. It's getting a good night's sleep, it's consuming fluids, it's foraging, it's eating foods. Like, you have to do these basic things for survival. And if you don't do those basic selfish things, you're not going to be able to function and take care of anybody else, right? And then right above that is safety, stability, structure and protection. And without these baseline things, issues, solutions, you're not going to achieve any other aspect of, you know, self-actualization, love and belongingness, all that stuff, which is, like, you know, necessary, of course, for a well-balanced, developed life.

But we don't take security seriously, primarily, I think, in the US because we take it for granted, you know, like, we are relatively safe and secure. We're relatively insulated. Like, you know, I mean, certainly, you know, all of the chaos and drama in the world, literally being on fire, and active shootings, like, you look at all that stuff. But most people's first response to that is, oh, it's not going to happen to me. It doesn't happen here. Those things only happen on TV to other people in those neighborhoods and those places. Yeah. You know, like, that's what we default to. But you don't have to sell this concept by saying all these active shootings are happening and therefore, if you don't do this, you're gonna. No, no, no, no, no. Would you do that to your child? Would you do it to your daughter who's going off to school? No. You'd want to, like, sit her down and have a conversation with her and that. Sorry. Go ahead.

No, you. Please. Please. I was just going to say something you said in there really stuck out to me as you were talking through it. But this conditioning of, kind of, like, the norms that we experience and grow up in and get used to really shape our thinking, you know, not only on the human trust level and kind of that being our default behavior, but just what you said around us living in a relatively safe society. You know, I've been lucky enough in my life to live in a number of countries, and my wife is of Colombian heritage, and I've visited any number of others. And I was just thinking about some experiences as you were talking about it. We were visiting her family in Bogota, and I wanted to go out and get a coffee from just, you know, a neighborhood cafe. And one of her aunts or uncles or cousins, I don't remember exactly who, said, you know, bad idea. And I said, well, you know, it's just a couple blocks away. They said, look, you know, it's probably fine. But the truth of the matter is you stand out like a sore thumb. And this neighborhood has had a number of issues with foreigners getting pickpocketed. You know, little things like that. Nothing violent or dangerous.

Similarly, I lived in Singapore for five years, and the level of awareness around personal security is actually really, really low because the crime rate is just so low in the country, to the point where the government had to engage in a public service advertising campaign that low crime doesn't mean no crime. And they put signs up all around. And true to fact, as digital scams have risen, Singapore is one of these countries that is highly, highly targeted, and any number of Singaporeans have fallen for, you know, bank account takeovers and email scams and any number of things like that. And so I totally understand this conditioning. I mean, it's really like as we're talking through it more and more, I really see the connections using like Israel as an example, right? I mean, they are, you know, they've got their own set of issues, right? Yeah. And they are probably the most security conscious people on the planet. Since the early nineties, their building codes have required them by law to install safe rooms in every single house. You know, that's the building codes. So security is of importance to them. It's paramount. It's part of their culture. They serve, you know, out of high school. You know, it's ingrained into their culture. Whereas, you know, it's not going to happen here. It's not going to happen to me. It doesn't happen in Boston. It only happens in Chicago or LA. No, it's not like that. But look, this is all easily solvable if we just make the effort, you know?

Yeah. Yeah. Well, on that note, I want to change gears for a second because I know some of the areas you've got a lot of experience and expertise in. What about when stuff goes wrong? What then? You know, what advice can you give the audience for like, okay, something did go wrong for you or one of your kids or one of your relatives? What are the immediate kind of triage steps? What do you need to do when something happens to you on a personal level, not in your, you know, business context, but to you as an individual? Maybe it's one of your accounts getting breached. Who knows? What are the steps that you recommend for people to take?

Well, of course, that's all relative to like, what kind of account was compromised, right? Sure. And I can't talk about like reacting to a vulnerability or a breach without talking about being proactive in preventing it in the first place. Okay. And of course, you know, like all that dialogue, like right now, like if your Facebook account gets compromised, you're out of luck. Facebook's not going to help you out. I mean, they've been trying to push two-factor authentication on you for the past five years. Same thing with Apple. You know, like they all want, at a minimum, two-factor authentication, device identification, device reputation, you know, etc. And so if you're not doing all of those basic 101 security protocols, you're just next in line. You know, with fifteen billion records out there in the dark web, it's just a matter of time until they get to you. And using the same password across multiple accounts is, of course, the kiss of death. But so many people are doing that exact thing because they don't think it's going to happen to them, or they're lazy about it, or they're just saying, you know, I don't know how to use it. Oh, what if the password manager gets hacked? It's like, okay, you know, like that's the low hanging fruit.

And so, by being proactive up front and doing all the basics, you should avoid all that stuff. You know, like I mean, I don't know that I've been hacked in twenty, thirty years. You know, I might have had credit card breaches, which is not being hacked, but only because like I've engaged in the absolute 101 stuff. And I will guarantee you that ninety-five percent of your audience is a thousand times smarter and more secure than I am, you know? But the reality of it is that all the stuff that I talk about to all the one-on-ones out there is that like, if it's not easy, they're not going to do it. If it's not within their wheelhouse, they're just not going to engage at all. It's got to be simple. It's got to be easy. It can't be complicated. You know, once you make things complicated, it's over for them. They're just going to move on to something else. Their brains aren't wired for that. We're just overwhelmed. To begin with, we're completely overwhelmed with just life in general. You know, what's happening in the world is a lot.

And so if you start to throw other things at them that they got to do, they got to do, they got to do, or else, you're going to shut them down because people are overwhelmed, and security doesn't have to be that. Security can be very 101 and very simple. And like, you know, it's amazing to me still to this very day, every single presentation that I do, an audience member will ask me, okay, so when I'm searching on Google, like, how do I know it's okay to click a link? Yeah, that's where people are at. That's most people, you know, and I know that like, you know, I'm talking to a sophisticated audience. You don't see it like that at all. I mean, you're just so separated from that. But that's a lot of people. And, you know, I often speak to law enforcement as well. And I speak to cops, you know, I do law enforcement training, and you would be amazed at how many cops have said to me, like, and I would say to them, like, do you know why your constituents, your town residents, get hit by all these various frauds? I hear almost every single time, because they're stupid. Like the cop actually says that. You know, and it's like, okay, they may not. I don't know if they're stupid. I think that they just don't know. I don't know that they've ever been told. I don't know that they've ever had this basic 101 information. You know, I don't know that they've ever had an opportunity to engage with a CISO who's been doing this for thirty years, who understands all of it, who can actually sit them down and walk them through this process of like, this is what risk management looks like. This is why you resist it. This is why it's easy to overcome that resistance. And this is all the basic things you got to do. And now they're like, oh, I did not know that. I did not know it was this easy. And now they're like your partner in securing the perimeter.

Yeah. It's funny, that attitude of blaming the user I hear far too often. And you know, to your point, our audience is cybersecurity practitioners, but I know for a fact that many of them, you know, have been in organizations that have been breached. And their first thought is, the user did something stupid. And I genuinely believe that most people, they want to do the right things. But to your point, they don't know. They don't know what the risks are of some of the things that they do. Sometimes they get tricked, don't get me wrong. Like sometimes people get legitimately tricked by a phishing email, by a malicious file download. Like those things happen. But a lot of the times, I would argue actually the vast majority of cybersecurity breaches are human error. Like I just did something and I misconfigured it or whatever because I just didn't know better, or I didn't realize that that was actually how it was configured, or I didn't understand that this little switch two-thirds of the way down a page of a hundred little options of how to configure a virtual, software-defined network or something like that was going to make it public to the world. You know, I genuinely believe it's human error for lack of understanding. Not because of malice. Not even because of like, not wanting or not thinking or not caring. So interesting.

We've got just a couple of minutes left and I want to get on to a couple last topics. I want to fit them in, time permitting here for us. There's a couple of things that I think are really crucial to think about right now as we get into twenty twenty-six, as we record this episode. We've gotten, I think like thirty-some minutes into the podcast without really talking about AI, which is probably a record for us on Modern Cyber in the last year or so. But what do you tell people right now? Because I think a lot of people hear a lot of hype and they hear a lot of, oh my gosh, deepfake scam, blah, blah, blah. The phishing emails are getting so sophisticated. We had a guest on the other day from Estonia. And Estonian, like Finnish, is a notoriously difficult language for foreigners to learn. But he said the quality of the phishing emails, it's now, you know, perfect grammar, it's now perfect vocabulary, you know, so you can't rely on telling people, well, just look for the bad Estonian or the bad Finnish anymore. Like that just doesn't work, right? Hackers have access to ChatGPT as well. I always tell people, hackers have access to all the same systems that you have, whether it's code, whether it's cloud, whether it's automation, whether it's AI. They might use stolen credit cards to use it, but they've got access to it.

So what do you tell people with regards to things like deepfakes and AI generated threats or risks in air quotes?

Yeah. Well, so, you know, I've been doing what I do for thirty-plus years and I've been saying to my audiences at the conclusion of every single event, listen, don't worry about anything that I'm saying here. Really don't worry about it. There's nothing to worry about. But as long as you do something about it, you're good. You know, I've been saying that for thirty years. I am now officially worried. I'm worried. Okay? And the reason why I'm worried is because most companies aren't doing what they're supposed to do to engage the learner where the learner is in their lives. Most aren't. You're just not addressing that person who is in denial, who doesn't really care or want security in their life because they think it's going to happen to them. Nobody's doing that. That's number one. Number two, the AI with the deepfakes and the voice cloning is making fraud perfect. It's making it perfect. We are incapable, as you know, of telling the difference between a real voice and an AI deepfake, a voice clone. We are incapable of telling the difference. Technology can tell the difference, but humans can't over the phone and so forth.

And then of course, you know, with the deepfakes themselves, consumable video, whether it's in real time or pre-recorded, is just about perfect. Now, the majority of it, bad guys have access to, just like you said. And it hasn't been widely deployed in such a way where it's really wreaking like tremendous problems, but it's pretty much here. And the worry is that, you know, twenty-five percent of us wake up every day lonely. Twenty-five percent of us wake up out of bed lonely. That is our default. That's a real thing. Just like hunger pains. Hunger pains are designed in our evolution so that we gravitate. We go towards food. We forage, you know? Yeah, yeah, yeah. If you didn't have pains, you wouldn't eat. Yeah. Loneliness, they call it the pain and the ache of loneliness. And that is there because, without loneliness, we wouldn't gravitate towards others as a social creature and procreate. Without loneliness, we would just be by ourselves and we would just fail to exist.

Okay, yeah, bad guys understand this now. They get it. Now they incorporate all of this into all of their scams, and they know twenty-five percent of your employees are lonely. They know this now. And so they know that we make bad decisions and sometimes desperate decisions when we're lonely. That's what we do. And they know that. Like when they send out the wrong number text message. Okay. And you respond to it. Hey, Robert, are we supposed to have lunch tomorrow? And you're like, ah, I'm sorry. Who's this? And oh, I'm sorry. This is Gloria. And Gloria is beautiful because she sends this wonderful picture of herself. And if Robert is lonely, Robert's like, oh, Gloria. Hey. Nice to meet you, Gloria. And now they start talking, and Gloria is, like, pretty simple, actually. She just says, good morning, dear. How are you today? I hope you slept all right. I'm going to yoga this morning with my girlfriends, and then I'm going to have lunch this afternoon. What are you doing? And she engages in dialogue with, you know, your employee all day, every day. And it's like, you know, what did you have for lunch today? And she sends you pictures of her grocery shopping. I know this because I engage all these scammers, you know, and then she's like, good night, dear. I hope you sleep well. And this goes on day after day after day. Yeah.

And over the course of a couple of weeks, she says, hey, let's get on WhatsApp. Let's meet each other on video. And you're like, really? You want to get on video? And who you're corresponding with now is generally, often, a young Asian female, in my case, that has the face overlay of a beautiful Russian model, you know, and like the whole idea behind this interaction is to gain my trust, right? And this is being perpetrated right now by organized crime that has figured it all out. And the UN estimates that there's probably somewhere around two hundred to three hundred thousand victims of human trafficking right now whose job eighteen hours a day is to scam us.

Yeah, yeah. That's what we're up against. Yeah. And we're just banging everybody on the head with phishing simulation training. And I don't know that that's going to solve the problem of that. I mean, there's such different problems. You know, clicking a bad link versus solving the loneliness in your life are, you know, they're not even two sides of the same coin. They're not even the same coins or the same currency. They're so far from each other as being two things. So to think that, you know, giving you this phishing simulation training is going to make you connect the dots to say, don't fall for this romance scam by somebody in an industrial scam center in Southeast Asia. Like, you know, it's a complete disconnect. I totally get what you're saying there.

So for the first time, you're worried, is there any optimistic note that you can close today's episode on or is there any practical advice?

Yeah. You know, everything that I've just said, y'all can steal, you know, like you can do this. This is easy. I've been doing this for thirty-something years and there isn't a presentation that I haven't concluded where like I've had multiple people come up to me and say, you know, like, I'm here because I had to be here and I didn't want to be here. But I'm so glad I came. And like, that's an easy sell. You know, like it's doable. You know, it's just a matter of making a bit of a shift. That's it. That's all it is. Like I've done programs where I was in a room, you know, a facility, speaking in front of, you know, maybe like fifty or one hundred employees, being broadcast throughout the company network to like five thousand employees. So it's doable, you know, and the dialogue that I'm having with those fifty or one hundred employees is the exact same dialogue or questions or concerns that all four or five thousand employees have. So, you know, this doesn't need to be a difficult process to get everybody drinking the Kool-Aid of what security is. Right? Right.

Awesome. It doesn't have to be hard. I think that's a great message to end today's episode on. We're right up against time. Robert Siciliano, thank you so much for taking the time to join us today on Modern Cyber. I've really enjoyed today's conversation, such a different way of framing this problem that is so important to every single one of us in our personal and business lives as we go forward into twenty twenty-six. For our guests, for our audience, you can find Robert and more of his work at Safr.me, S-a-f-r dot m-e, and Protect Now LLC. We'll have both of those linked in the show notes. Until the next time, like, subscribe, rate, review and please, please, please share this episode. Share it not only with your work colleagues and your coworkers and people that you know from your professional networks. Share it with your friends. Share it with your relatives that you're always having to help with their own IT and cybersecurity problems. I know all of our audience does that. I do it as well. So I'm sure that this is relevant for every single one of us in all of our lives.

Robert, thank you again so much for taking the time to join us on Modern Cyber. We will talk to you next time. Until then, goodbye. Thanks.
