A
And you use tools like Have I Been Pwned to show them how many millions of people use the same passcode across multiple accounts and how many millions are using 1, 2, 3, 4, 5, 6. They're like, oh, yeah, yeah. What? Kind of silly. Yeah, I need to make some changes. Oh, yeah. This is actually really good. I didn't think this was going to be like this, but yeah, I want to know more. So that's how you get them to drink the Kool-Aid to engage in security awareness.
B
Welcome to Embracing Digital Transformation, where we explore how people process policy, and technology drive effective change. This is Dr. Darin, Chief Enterprise architect, educator, author, and most importantly, your host. On this episode, I'm continuing my conversation with Robert Siciliano, cybersecurity expert and analyst on personal cybersecurity and its effects on corporate cybersecurity. So let's talk about the virtual world, because I want to kind of shift over there. I actually think in the virtual world, we're more exposed. In the physical world, locality means quite a bit, right?
A
Sure.
B
No one can attack me, typically individually, from a distance. In the physical world right now, countries can attack each other from a distance, but generally speaking, no one's going to rob me from a distance physically. They can't steal things from my house without coming into my house, virtually in the digital world, that's not true. Someone can steal all of my money. They can steal my identity. They can steal things that are digitized by Google from, you know, 15,000 miles away.
A
Yeah. And they do.
B
Yeah. So to me, it's. It's even probably more critical to. To have some kind of training or guardrails put into place and security. So how do I do that individually? Because as you said earlier, if we can train the individual and get them to think about security without being paranoid, but actually, because to me, paranoia means lack of action. Right, Right. So, but if. If I have a plan, then I won't be paranoid. I'll. I'll feel safe and secure. Is that the. Is that the idea behind it?
A
That's the whole point. Because every single presentation that I do when I. When I walk in the room, you know, and they introduce me, 95% of the audience, they're like this. Arms up like that.
B
Try and tell me what to do. Yeah.
A
Okay. And as I ask questions, they respond with answers. And they ask me questions, I respond with answers. As we're getting into a dialogue, which is what we do versus a lecture telling people what to do, we actually engage in a conversation and discuss all the societal and cultural myths and misnomers and why we are, how we're wired and trust and denial and everything else in the physical universe and everything else. And before you know it, like, we start talking about like all the different, like risk reduction strategies. The arms go down and they start to lean in. They're like, oh, like this is good. Like, I didn't think that this was going to be that. Like, I thought this was going to be you yelling at me and telling me that I'm, you know, if I don't do this or else, and these are the consequences. It's like security is about worry and it's about fear, it's about predators, it's about thieves and it's starts in the physical world. But, but the. Primarily, yes, it is. Our most significant vulnerabilities are our identities and our bank accounts and, and our, your customer information. And so you can't really address the learner to engage in cybersecurity risk mitigation until they have their literal house in order, until they have their own security in order, their own identity is protected. Like we are a selfish, self interested creature. Which is which the word selfish kind of gets a bad rap. But it's, you need to be selfish. Like we have to get a good night's sleep and eat good foods and consume fluids in order to be healthy.
B
And mindful and in order to help other people, you have to make sure you're in good shape. Yeah.
A
What are they, what is the, what are the instructions that the flight attendant provides you on the airplane regarding the oxygen?
B
Put your mask on first.
A
And why is that?
B
Because if you're dead, you can't help anybody else.
A
Yeah. I mean, you need to take care of yourself in order to help others. And, and like that is the basis of all security is personal. It begins with you, Adam.
B
That makes sense.
A
Yeah. And so from there, once the employee, let's say, understands risk in their own life, everything else is, yeah, I got this. This is, this makes sense to me that I can do that. And as you probe the audience, you know, at the beginning, because the idea is to like break them down to get, to challenge their belief systems, to get them to understand why and how and risk. But you also have to kind of like point out the obvious, you know, and the obvious is, and I ask questions, how many of you are using a different passcode across all your critical accounts? Raise your hand.
B
No one raises their hand.
A
If I get 10% of the audience to raise their hand, that's a lot. If I get 10%.
B
Yeah.
A
So statistically, like as many as 94% of us are using the same passcode across multiple accounts.
B
And how many are using password 1, 2, 3. Right.
A
Hundreds of millions, actually, like literally hundreds of millions. Okay, that said, like, you ask similar questions, like, how many of you are using two factor authentication for all your critical accounts, including on email? If I get 15% of the room to raise their hand, that's a lot. So statistically, with the absolute basics, the absolute fundamentals, 85 to 94% of the room is using the same passcode across multiple accounts and not using two factor authentication. That's the majority of the public. And less than 10% of the public uses a password manager. I mean, this is so 101. And so when, when, when they begin to see how silly that is, and you use tools like Have I Been Pwned to show them how many millions of people use the same passcode across multiple accounts, and how many millions are using 1, 2, 3, 4, 5, 6. They're like, oh, yeah, yeah, what kind of silly? Yeah, I, I need to make some changes. Oh yeah, this is actually really good. I didn't think this was going to be like this, but yeah, I, I want to know more. So that's how you get them to drink the Kool-Aid to engage in security awareness.
B
So this first, this first tip that you're giving is probably the biggest and probably the most effective. Right? Use a, use a password manager. Use multi factor authentication. And my son's all into cyber security and he helped my parents with their, you know, they're using a password manager. My parents can't wrap their head around it though. They still can't do it. Yeah, right there in their 80s. And my dad keeps wondering. I keep getting hacked and people keep withdrawing money from my bank accounts. I'm like, dad, just basic, simple stuff. But why, why, why, why is there still resistance? Even though, Is it because it's still difficult to use? Because even myself, when, when I'm like, oh, I need to log into my podcast and upload another, another video or whatever, oh, I have to get a code from my phone or I've got authenticator on there that I've got to do a thumbprint, I got to do all these things to get into that. It's like, gosh, this is a pain in the butt. Why?
A
I don't know that the past companies that provide password managing software have ever done an effective job of selling the product to begin with. That's number one. I don't know that the general public has had any basic 101 cybersecurity training other than phishing simulation at all. Like, I speak in front of white collar professionals for a living and these white collar professionals that I speak to don't do the basic things because they've never been told or trained or it's all figure it out for yourself. And so how is the employee going to effectively manage risk on the job if they don't know what to do in their own personal lives? And when you actually engage a password manager, it is the absolute best piece of software that you will ever, ever possess for the money and for the time that it saves you.
B
Yeah, absolutely. I totally agree. You know, so that's our number one tip. That's number one tip. What do I do next? All right, so password manager multifactor authentication.
A
Yeah, basically.
B
Is that it? Is that all I need to do?
A
No, no, no, no, there's more, yeah, basically there's more. So like, but easy stuff, you know, like nothing that I speak to is, is beyond the capacity of your parents.
B
You know, I don't need to go spend a million dollars. I don't need to go take a long, you know, drawn-out, you know, six week course on cybersecurity. No way. Nope, nope, got it.
A
Remind me, we do need to talk about your parents in a bit. Let's talk about that.
B
All right, I'll make sure we bring that up.
A
Yeah, and, but like identity theft is a huge problem. And it's, it's, it's not as big of a problem today as it was, say 10 or 15 years ago. But I mean, I've had criminal hackers email me my own Social Security number. Hey security guy, here you go. Haha. Basically flexing their mouth to show me how cool they are. And that's a real thing, you know, and so you've got to lock down your identity. And so few people have what's called a credit freeze. And a credit freeze is this tool that's available to all of us for free through the three major credit bureaus. And basically what the credit freeze is, is it's this free tool that you sign up to the credit bureau, you set up an account and you fill out an affidavit. You know, you have this login now and going forward your credit's frozen. And what that means is you can't.
B
Get a credit card, can't get a loan, can't do anything like that until.
A
You temporarily thaw it. As simple as that. So now you have control over who can access your credit, when or why. And so this free tool's been around actually since 2008, which is when I froze mine. It's been around for free since 23, 18 or 19. Since the Equifax data breach. After the Equifax.
B
Yeah, I remember that.
A
Oh, I remember it. After the Equifax data breach, that was it. Like the government says, Congress voted and says, no, no, no free. And so now it's available. But lenders, creditors, you know, credit bureaus, they all lobby to not have a credit frozen across the board, which it should be, otherwise we're on our own. And so everybody should freeze their credit, Their kids credit, their parents credit. So once the bad guy gets their social, which look it, there's been 175 billion records compromised in the past 15, 20 years. 175 billion with a B. And that's names, addresses, phone numbers, email addresses. About 15 billion passwords are exposed. 15 billion, right. That's like almost everything. And all that data is being sorted and sifted and cataloged and used against us. And so it's just a matter of time until they get to you or I. But if your credit's frozen, you become a tougher target, you know, and that's what all this stuff is about. It's becoming a tougher target. It's about putting basic 101 systems in place so that when the bad guy does come upon you that you are now a hardened or a tougher target.
B
And they're not going to waste their.
A
Time, they're going to move on because there's so much opportunity out there.
B
Yeah, gotcha. It's like if you're being chased by a bear, you just have to run faster than your friend next to you. That's the same concept, right?
A
Really is, you know, like if you're.
B
A tougher target, they'll ignore you to move on.
A
Yeah. Like if you got 10 houses in a cul-de-sac and you know, one of them has a beware of dog sign, this house is protected by ADT. They've got motion sensors. Like it looks relatively like the guy or the family. Like they've got their security in order. Now the burglar's got nine other houses to choose from.
B
Yeah, yeah, yeah, yeah. So that's the same thing in the site, in the cyber world. That makes sense. Yeah, that makes sense. All right, so credit freeze, password, multi authentic multi factor authentication. I can't even speak anymore. What's next, Robert?
A
So from there you know, your devices, which of course are, you know, your direct access to the world.
B
Yeah, that's true.
A
Obviously. You'd be surprised how many people don't password protect, say their mobile phone. And that's such an important thing. I mean, just, just please password protect your mobile phone. You know, if your phone is lost or stolen, what does the bad guy have access to?
B
Everything.
A
Everything. So password protect your mobile phone, which should just be like a no brainer. And then it's not just password protecting your mobile phone, it's password protecting every device in your house too. Well, Robert, why do I have to password protect my desktop? It's in my house. Yeah, but 80% of you don't have a home security system, you know, so password protect all your devices. And then beyond that, like the basic stuff's like update everything. Update your software to the latest operating system. I mean, at a minimum right now I'm really not even sure what operating system Mac is on because, you know, I just do it and don't pay attention to it. But it's just so much easier to understand the Microsoft world because you should be on 11, and you should be.
B
On 11 and take those security patches, right? I, I, I talked to my, my kids about this and my wife and everything. When that little circle in the bottom says update available, click on it. Don't ignore it. Well, it's been there for three weeks. You know, I'm like, yeah, you should click on it. It's, yeah, it's important.
A
So update your software, which, which ultimately means that you are likely going to need to eventually everybody does update your hardware. And what does that mean? It means that if you're functioning on a 2019 Dell laptop that started off maybe with Windows 8 or 10 and we're already at 11, that device probably might download 20, Microsoft 11, but it's going to be a dinosaur. It's going to be slow. It's really not going to work like it's supposed to. Like that hardware needs to be updated in order to engage with current security software. Okay, so update your hardware in order to update your software, which means making investments in your technology, you know, and that includes printers, you know, endpoints, it includes mobiles, modems and routers. It includes, you know, mobile phones. Like, we got to make these necessary investments in our technology in order to protect our information.
B
Okay, so my PhD dissertation is on cyber security and operational technology. And it, so let's talk about the house, because this is where physical and digital come together. Like in my house right now, there are almost 80 devices hooked up to my Internet. Right? Because I got smart cameras, I've got smart lights and switches and you know, all these things. Our ice maker has. We have an ice maker and it's hooked up to the Internet.
A
You're in a mesh network.
B
Yeah. Oh yeah, all this stuff. So what about those devices? Do I need to update those devices? How do I do that? Because there's no keyboard hooked up to the light bulbs in my office.
A
Yeah. Okay, so what I'm about to say people may not agree with. Okay, but you know, look at security needs to be easy, it needs to be accessible. It can't be overwhelming, it can't be difficult, it can't be confusing or people aren't going to do it.
B
Right.
A
Most people aren't doing the basic, basic stuff like password management, two factor authentication, heck, locking their doors. So to get into like, and we will to get into, you know, endpoints and firmware updates and updating your hardware because it's just so old and it's vulnerable, and updating your camera system, certainly if you wanted to take the time to update the firmware and go through all the various devices in your home, you can do that. And there's ways to do that and you probably should do that. I don't do that. I replace my technology probably every five years. I replace everything probably every five years. If all I do is replace my technology every five years, is there a gap, is there a window where I am functioning with a vulnerable hardware that's going to open up my home security cameras to others who can see in? Probably, yeah. But at the same time, there's only so many hours and minutes in a day. You know, like if, if I've got enough time just to making sure that my backup is working as it should. And so yes, you can and should update all your firmware. Spend the time, maybe have a spreadsheet that goes over, you know, when you purchased it, maybe have links to the manufacturer's site where you can download the firmware updates and spend the time with it, go for it. But generally in know when we see expose that the baby camera got hacked and, and this and that, I say, yeah, that happens. And yeah, there's a vulnerability there. Generally those equate to like privacy issues versus security issues. And certainly privacy is a concern. Not my first concern. My concern is, you know, security, which is generally, you know, life and limb. It's, it's, it's, it's finances versus, you know, embarrassment or whatever might, you know, that all that Being said like, yeah, you have options. If you want to invest the time and effort, go for it. Otherwise they say, don't worry about it.
B
Okay, all right, so. So there's some reason, there's some reasonability. Is that the right. Yeah, reasonability here. Because when I've talked to other cyber security experts, they say, hey, the most secure system is not connected in a concrete bunker. Like, okay, so not useful. So we don't want to get into the, in, into the case where we're hyper vigilant in that I'm spending all my time and I'm not living life. Right. So there has to be, there's always risk involved. I have to calculate what level of risk I'm willing to accept.
A
It's got to be practical. I mean, it's 2026, the world is on fire. You know, like you've, we've got only so many minutes in a day. People are overwhelmed, people are tired, they're overwhelmed. Like they just want to get home in one piece and pick the kids up from school and back and forth from soccer practice and get the dinner on the table in time to watch Dancing with the Stars. Like that's all they have the energy and effort for. I get all that. So it's got to be practical, it's got to be consumable, it's got to make sense. It can't be overwhelming, oh, we're not going to do it. And we in. The fact is we don't do it.
B
Is my point, because it's overwhelming. I just give up. I just say forget it and we.
A
Don't want to or think it can happen to us. And you know, and often, like I will say to my audience, like when we're talking about things that might be like a little, a little complicated or a little over the head, I always joke and I say, hey, you know, just find yourself a 14 year old, they'll take care of it for you. And they all laugh. They all laugh. In my responses after they all laugh, my response is, you know, that is funny. But here's the deal. I don't know that we should continue to joke about that. I don't know that we should continue to kind of look at that as being a funny thing. I think that at this point where we're at right now with cybercrime, cybercriminals being organized in such a way that we are all, you know, vulnerable targets because they, they've figured it out now. I don't know that it's okay that your 14 year old knows more about technology than you do. I think it's time that we take charge of this and, and get it figured out and get our house in order in such a way where we understand what risk actually is and we do something about it.
B
No, that makes sense.
A
And I've been doing what I do, like I said, for 30 plus years. And for 30 years I've concluded at the end of every single presentation, listen, don't worry about any of this stuff, but do something about it. Put these systems in place, exercise risk management. And you know, it's not unlike putting a seatbelt on. You put that seatbelt on to give you control because it's the smart thing to do. And as long as you do that, you're going to be good. Don't worry about it. But the reality of it is I'm a bit worried now. And the reason why I'm worried is because the stakes are a lot higher. AI has flipped it all on its head.
B
Oh yeah.
A
And like talking about your parents. Right? Like deep fakes, voice cloning. We are incapable of, of telling the difference between a, a, a, a cloned voice and a real voice. We are incapable. Human beings do not have the ability to do that.
B
No, we don't.
A
Technology can do it, but humans do not, cannot decipher real from fake. It's, it's, it's, it is impossible. Okay. Deep fakes. Right now, the majority of the consumable tools that are available and you know, what people have access to on Google Play and Facebook and iTunes and such, all those downloads for face overlay, like you can kind of tell the difference.
B
You can kind of. Yeah, but it's getting better.
A
Yeah. Yeah, but the tools are available that are perfect. They're just not widely available.
B
Right.
A
And the tools that are available are perfect. You pretty much can't tell that it's, you know.
B
But machines can. Great. Yeah, there's, there's some great technology out of Intel, who I work for, where we can actually detect deepfakes. Highly reliable, over 99.9%. We can identify deep fakes pretty easily. So. You're right.
A
But how does that help when you, how does that help when you're, when you're, when your dad gets a phone call with, with your voice in the background.
B
Exactly.
A
And they've spoofed caller ID.
B
Yeah, yeah, that's the problem. So how do, how do we overcome that? Because that's a, that's a huge fear. I know what I've done with my kids. Each one of my kids has a passcode, right? That all that I know, they know it. It's ingrained in them. They know my passcode. That's how we solve that. If there's a deep fake situation, all I have to do is ask for the passcode.
A
And generally that's all you should need to do. Problem is, you know when you hear your loved ones, when you hear or potentially even see your loved one in distress, you hear their voice. Oh, I know.
B
Yeah.
A
Your body goes into fight or flight mode. Your body, your DNA shifts in such a way where you are all about you, you turn into papa bear. You're all about protecting that loved one. Like your first inclination is not going to be. Yeah, this is probably one of them, you know, deep fake voice clones. This is, this has just got to be fake. Your, your, your being breaks into a sweat. Your entire body goes into, okay, what do I got to do to get my loved one safe? And your intellectual understanding of risk flies out the window. And your, your, your, your, your biological being kicks in. And bad guys know this.
B
So, Robert, this is the same thing though that you probably taught in physical security, right? Because if someone approaches you physically and attacks you, you have to have training in order to do the right thing. So are you saying that with this because this turns into a physical type of thing, right? In the digital realm.
A
Yeah, it's emotional.
B
We have to train ourselves on what our responses are going to be. Yeah, we have to role play it. We got to do like, like personal self defense. You can't just talk about it. You can't, you gotta actually run through some role plays where it's safe. Right. Where you know it's safe.
A
Risk is risk and the body responds to it the same way in the physical world as it does online, as it does over the phone. You know, and I don't know that that any, any elearning, any pre recorded animated talking head is going to solve that problem. I don't know that phishing simulation training is effective enough to move the needle, to allow the human to react and respond effectively to risk the way that they could or should. Because it is a lecture. It's a, it's a, it's a, it's a. I'm telling you, this is the problem and these are the solutions and you've got to do this. I don't know that that is effective enough. What I do know is that prior to Covid, my business was doing great on the road. Airplanes, hotels, you know, and then Covid hit, flatlined, and compliance training 100% kicked in. No need for live interactive engagements. 2023, 2024 comes around 2023. Halfway through, my phone starts to ring in such a way where it was interesting to me because I started to hear from company officers saying, listen, we've kind of reached a plateau with our training and we just want our people to care about security. You know, like we just want them to care. Like, we just want them to engage. Like we, like, we don't see any of that. Which, which requires not a lecture, but not a talking head, not an animation. It requires a dialogue. Yeah, it requires a conversation. You know, it requires communicating with humans as if they are humans versus your employees who are required to do this or else.
B
Right, right, right.
A
And if you engage them, then they're going to be like, yeah, like I, I, I've never had an opportunity to talk to a security expert ever in my whole life. Like that. This is what they do all day long, every day. I got questions. No, ask those questions and actually like feel heard. And I don't mean to get like all touchy feely or anything, and that's never my point, but it's like, and I'm not asking the CISO to, you know, grab your employees and hug them and hold their hand and walk them through this process, but I am telling you that if you don't, if we don't change the conversation, if we don't engage the learner differently than we have been, then I don't know that we're ever going to fix this problem. Because every single presentation I do from people who are smart, they say, well, okay, so, but when I do a search on Google, this is the questions I get. And this is everybody, maybe not you or you know, those who are digitally literate, but they ask like, okay, so when I do a search on Google, how do I know what links I should click?
B
No, yeah, no, this is a, this is a very valid concern that people have. Hey, Robert, we, we are way out of time.
A
Sorry man, don't get this time.
B
No, this has been enthralling. You're a great speaker, great information. If people want to engage with you, how do they do that?
A
Well, you can Google me if you know how to spell Robert Siciliano. I'm easy to find. There's only a few of us. One of us is an HIV researcher, which is not me.
B
That's what I own.
A
I own like the first three pages of search. Because you don't know many Sicilianos beyond that. ProtectNowLLC.com. ProtectNowLLC.com is where I, you know, hang.
B
Okay. That is awesome. Robert. Thanks for coming on the show. This has been wonderful. I. We could talk for hours. I already know that. And maybe we'll have you back on the show again.
A
Hey, I appreciate you and what you're doing. And I worked with Intel for many, many years as McAfee's brand ambassador. It was a good time. Oh, yeah.
B
When we owned McAfee. That's awesome.
A
It was a great time in my life. I've been to your headquarters. Love Intel. Love McAfee.
B
Yeah. Well, thanks again, Robert.
A
Pleasure. Thank you.
B
Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community at patreon.com/embracingdigital, where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org.
B
Until next time, keep embracing the digital Transformation.
Episode #321: Digital Personal Security: Key to Corporate Cybersecurity
Host: Dr. Darren Pulsipher
Guest: Robert Siciliano, Cybersecurity Expert & Analyst
Date: January 29, 2026
This episode spotlights the crucial link between personal digital security and overall corporate cybersecurity. Dr. Pulsipher and Robert Siciliano discuss why individual habits are the foundation of organizational safety, how security awareness needs to be personal and practical, and the urgency caused by emerging threats like AI-driven scams. The conversation is grounded in realistic, actionable tips for people at all levels of technical ability, emphasizing the importance of self-care, ongoing education, and making security accessible—not overwhelming.
Password discipline:
Identity protection (Credit freeze):
Device Protection and Updates:
AI and deepfakes raise stakes: Spoofed voices or videos can convincingly trick people, especially in emotionally charged situations.
Practical defense: Having shared passcodes within families can provide a check against AI scams, though emotional manipulation is hard to train away.
Training must be active, not passive:
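The guest's "show them in Have I Been Pwned" moment and the password-reuse figures above can be turned into a concrete check. The following is an added example, not code from the podcast, the host, or the guest. It implements the k-anonymity lookup style of the Pwned Passwords range API (only the first five hex characters of the password's SHA-1 hash leave the device; the service answers with `SUFFIX:COUNT` lines, and the match is done locally) and a reuse audit across a small credential vault. The range response and the vault are constructed sample data, and the breach counts in them are made up; the `live_fetch_range` helper shows where a real request would go but is not used by the offline demo.

```python
"""Offline demo: k-anonymity breached-password check plus a password-reuse audit.
Added example, not the podcast's or the guest's code. The range response and
the vault below are CONSTRUCTED sample data; the counts are not real HIBP figures."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password (the scheme the range API uses) and split the upper-case
    hex digest into the 5-char prefix that is sent and the 35-char suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breach data (0 = not seen).
    Only the hash prefix reaches fetch_range; the suffix comparison stays local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Network fetcher for the real endpoint (not exercised by the offline demo)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# CONSTRUCTED range responses. The two 35-char suffixes marked below are the real
# SHA-1 suffixes of "password" and "123456"; every count is an invented sample value.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004",  # SHA-1("password") suffix
        "ABCDEF0123456789ABCDEF0123456789ABC:3",
    ]),
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:37359195",  # SHA-1("123456") suffix
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the API: unknown prefixes answer with an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def find_reuse(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group sites that share a password; keys are hash prefixes so the report
    can be shown without printing the passwords themselves."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault:
        by_hash["".join(sha1_prefix_suffix(password))].append(site)
    return {h[:5] + "...": sites for h, sites in by_hash.items() if len(sites) > 1}


def audit(vault: List[Tuple[str, str]], fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Breach count per site for every credential in the vault."""
    return {site: breach_count(pw, fetch_range) for site, pw in vault}


# CONSTRUCTED vault for the demo.
SAMPLE_VAULT: List[Tuple[str, str]] = [
    ("bank.example", "123456"),
    ("email.example", "password"),
    ("shop.example", "password"),
    ("forum.example", "correct horse battery staple"),
]

if __name__ == "__main__":
    for site, count in audit(SAMPLE_VAULT, offline_fetch_range).items():
        print(f"{site:15} seen in breach data: {count}")
    for shared, sites in find_reuse(SAMPLE_VAULT).items():
        print(f"password {shared} reused on: {', '.join(sites)}")
```

Running it against a real vault export is the same two calls with `live_fetch_range` in place of `offline_fetch_range`; the point of the prefix split is that the check can be run without ever sending the password, or its full hash, anywhere.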
The episode concludes with an emphasis on empowerment and taking practical steps rather than succumbing to fear or information overload:
"Don't worry about any of this stuff, but do something about it. Put these systems in place, exercise risk management. ... The reality of it is I'm a bit worried now. And the reason why I'm worried is because the stakes are a lot higher. AI has flipped it all on its head."
— Robert Siciliano (21:49, 22:29)
Find more from Robert Siciliano:
Website: ProtectNowLLC.com
For more episodes and resources:
Embracing Digital Transformation