A

But where most corporations are feeling the brunt of these attacks are on the human element. Right? Because at the end of the day, we are humans. We're going to make mistakes. And that's, I think, where we're seeing, again, majority of the attacks happen. So absolutely on the human element.

B

Welcome to Embracing Digital Transformation, where we explore how people process policy and technology drive effective changes. This is Dr. Darren, Chief Enterprise architect, educator, author, and most importantly, your host. On this episode. AI is supercharging cyber attacks. How do we defend ourselves? With Senior VP of Consulting Solutions, Amit Patel.

C

Amit. Welcome to the show, Darren.

A

Thank you for having me, sir. I appreciate it.

C

Hey, before we dive into cybersecurity and our. In our teams and things like, I think we all agree the weakest leak in cyber, weakest link in cybersecurity are people, primarily. I think everyone knows that, right? We can't get rid of people. People are important. But before we dive into all of that, everyone that listens to my show knows that I only have superheroes on the show. And all superheroes have a background story, an origin story. So, Amit, what's your origin story?

A

I love that intro, by the way. Thank you for that, Darren. You know, my. My origin story, you know, I would say I'm. I'm truly probably a tech nerd at heart. I love technology. I love everything about it. You know, over the last several years especially, I think technology has rapidly changed with the admin of OR and really the adoption of AI Right. And so I'm excited of where things go. I've. I've been in the tech field my entire career, but I'm also an entrepreneur at heart. I love working with organizations. I love working with people. I've, you know, been fortunate enough to see a thousand different environments, a thousand different personalities, and so, you know, I feel like I've got a good grasp on all different avenues across the board. So I've been very, very fortunate from that perspective. I'm also a father of three little girls. You can see some of their artwork on my wall here.

C

Three little girls, man. You're outnumbered, man.

A

I am. It's. It's a tough job, but I wouldn't change it for the world. I love every minute of it. And, you know, they definitely have me wrapped around their little fingers. So.

C

Girls do. It's amazing that girls do that, but they absolutely do. Cause I got four girls and. And six boys. And the. The boys you just kind of rough and tumble. They don't have me wrapped around their finger. But my girls, whatever they want, they get that, and they all know that. So they all come to daddy, you know, what? What do you want? And they're. They're all adults now, and they still get whatever they want from me. So, Darren, is that.

A

Is that 10 that I heard?

C

Is that 10?

A

Yeah.

C

10.

A

Kudos to you and your wife.

C

Yeah, it's been a little bit of a crazy craziness, but we survive. So. Hey, all right. We could talk about families all day and raising children, which is almost like handling cybersecurity in an organization.

A

Right?

C

You got personalities, you got a lot going on. But before we dive into, like, the personal thing, I want your take on AI's role in. In cybersecurity. Have you seen that it has changed anything in this realm at all? Or is it just the same things over and over again, maybe faster, or are we seeing any fundamental changes?

A

No, I think the last several years, we've seen a lot of changes. I think AI, there's pros and cons to it, right? We, as the defenders, we have access to the same tools and capabilities that the threat actors also have access to.

C

Right?

A

Right. So email spiffing, you know, and phishing emails, the sophistication has skyrocketed. Right. You know, before.

C

Right.

A

You and I probably all, you know, some of the annual cybersecurity training that we've done.

C

Right?

A

Hey, look out for, you know, grammar issues or, you know, changes in font and things like that.

C

Right?

A

Just the normal stuff. And now, you know, these sophisticated email campaigns, I mean, they're. They're skimming through LinkedIn, they're looking at the way you and I write our emails, the tone that we typically use, and they're able to mimic, you know, to the T, and sometimes write emails better than you and I would write them. Oh, yeah, absolutely.

C

Yeah.

A

These threat actors, they have access to these tools. These things are getting so sophisticated that just the average human, I mean, we're having a tough time, and I. I'm not the world's greatest expert by any means, but I'm. I'm, you know, relatively tech savvy, and so. But even I get fooled by some of these. These campaigns. And so it's getting a little bit more complicated. These. These campaigns are getting more sophisticated, and, you know, they're. They're using AI to their advantage. And so pros and cons, do you

C

see that they're primarily doing this in the phishing attacks? So it's really, is. It's really a attack on. On the human Nature of things. Right. I mean, are we seeing AI really attacking, you know, frontal attacks on. On machines and technology itself, or are they always trying to come back through the back door through humans?

A

I think, you know, majority, if you look at majority of the cyber attacks is always through the human element side of the house. You know, are our threat actors, you know, spending time and leveraging AI to go through deep encryption and all that good stuff? Yes, absolutely. But where most corporations are feeling the brunt of these attacks are on the human element. Right. Because at the end of the day, we are humans. We're going to make mistakes. And that's, I think, where we're seeing, again, majority of the attacks happen. So. Absolutely. On the human element.

C

Since these attacks are becoming more sophisticated on the human element, what. What do we do? I mean, I even had, on my show, it's been about a year, I had a cybersecurity expert on the show that cloned my voice. Right. Captured my domain name.

A

Yep.

C

I mean, took over my domain name, sent emails as me to me saying, hey, check out the voicemail I sent you. I have some important things to ask you in that voicemail. So then they sent me a voicemail and says, hey, I need the account number to our bank account because we're making deposits and I've got a digit wrong. It won't go through.

A

Yeah.

C

I'm like. And it was my voice.

A

It's your voice, right? Yeah.

C

Right. So, I mean, these attacks are getting highly sophisticated.

A

Extremely.

C

So what do I do?

A

Yeah, it's. Darren, you bring up a great point. These attacks are so advanced, it's tough for the average human to decipher what's real and what's not these days. And so I think I tell all of our clients, at the very least minimally, start with behavioral education. Right. And it's not just about awareness. Right. You know, I think previously.

C

Right.

A

A couple years ago, it was all about, you know, you have a typical annual cybersecurity training. Right. And it's.

C

And then phishing attacks, simulated phishing attacks all year long. Right. I got all the time.

A

Exactly. Right. But those annual cyber attacks or cybersecurity training, right. It's. It's largely theater.

C

Right.

A

Because employees will just kind of click through those 45, you know, minutes of slides, and once a year they'll do it and they'll forget 80 to 90% of it within a month. Right.

C

And so.

A

And meanwhile, like you mentioned, AI powered phishing campaigns, they evolved. I mean, they're evolving weekly.

C

Right.

A

Which means that once a year static training, it's fighting a dynamic threat.

C

Right.

A

And so, you know, again, used to talk about bad grammar and suspicious fonts, but now again, AI writes better emails than you and I do and it's, it's crazy where things are going. I think again, we've got to get better at dynamic scenario based training that builds long term memory instead of just checking the box for compliance. And so what we recommend is these short monthly, almost micro sessions, maybe 5, 10 minutes or so sessions that they're far more effective than the annual marathon long training sessions. So that's one part of it. I do think that simulation campaigns are great, but make them contextual based. Right? So finance team, for example, they'll see a lot more invoice fraud issues, right. HR teams might see attachment fraud issues. Right. The dev team might see DevOps or access fakes and things like that. Right. So make it contextual to the employees and kind of create the awareness around that. Actually go through that, you know, again. And employees always. Right. Should be trained to pause and verify. Right. And especially if it's, it's, if it's asking for urgency, right? Like hey, I missed this digit, I need this right away right now. Okay. It's asking for urgency. Let's take a quick pause, let's verify before we do something.

C

Right.

A

Because again, that human element I think is some of the area that needs to be, is the biggest vulnerability. And I think we've got to figure that out. But it starts with that behavioral training. Not just the annual.

C

I really, I really like that behavioral training thing where once a month, five to ten minutes, it ends up in the frontal cortex, right. Like it's in the front of my head going, oh yeah, cyber security is important. Right. I need to take care of that. I need to watch out, out for that. It's almost like reminding when you work with ChatGPT or anything. It's like dropping in, hey, we're going to talk about this, you know, at the beginning of the chat, Right? Right, we're gonna talk about this. Okay. So let's make sure we focus on this. It just brings it to the forefront so that it's in the front of my, my brain. Yeah.

A

The good thing about those types of behavioral training is you can also meet the training know, advanced and more sophisticated as time goes on. So it just builds and builds and builds as well. And again, it's not a one and done, it's not a once a year thing as well. Yeah, it stays in front of people. Right. Again, it's like that out of sight, out of mind mentality as well.

C

So. No, I really, I really like that approach. I, I, I think that's, that's smart. But how do I, that means that my training has to be constantly being updated.

A

Right.

C

Because the attacks are becoming more and more sophisticated every day.

A

Yeah, a hundred percent. I mean, there's some great tools out there. We, even internally for our organization. I mean, we're an IT consulting firm, but yet we still leverage internal training for our own employees.

C

I would hope so.

A

Yeah, yeah, same thing. But it's about, it's once a month, it's five to 10 minutes of these sessions that our employees watch. Maybe there's a little bit of quiz at the end or throughout the, the engagement as well. But now these training sessions, I mean, they're like a, you know, a Hollywood blockbuster movie almost. And it just builds and builds, the scenarios build and it's, it's, it's fun almost now because you want to see what happens next. And intuitively you're also building your cybersecurity awareness at the same time. So it's kind of a great 1, 2.

C

You made cybersecurity training fun how? I got to see examples of that. Well, and, and do you have some of this out on YouTube so people could take a look at it?

A

Yeah, absolutely. Now I'll, I'll actually, I'll send you some links as well. Darren.

C

Send me some links up on the website. Yeah. Because I'm interested in seeing this because right now I take a lot of training because I do a lot with governments all over the world.

A

Yeah.

C

And they want me to, to take their data privacy, data handling training. Right. And it's, it's like a snooze fest, man. I mean, it's like some of them even talk about fax machines. Can you believe that? When you get a fax, I'm like, what? Right. Didn't you get a fax? What am I doing with a fax machine? Right.

A

Yeah. You know, we were still in the 70s, right?

C

Yeah, yeah, exactly. So, I mean, so if, if I want to upgrade my cybersecurity behavioral training, where do I start? Do I just have to go to you guys or is, are there some tips and tricks that I can start on my own?

A

Yeah, I mean, honestly, there, there are a couple of great organizations out there. You don't necessarily need to come to us. There are some fantastic organizations out there that your listeners can also reach out to as well. And nowadays it's, again, it's getting relatively cheaper. So even the small to mid size businesses that don't have an unlimited budget, right. They can start layering in some of these training and these tools as well. So that way they can protect their own organization and their employees as well. So. Absolutely. There's a multitude of ways out there. There's several organizations that do, I think a phenomenal job at it. And again, happy to get that list over to you as well, Darren.

C

Oh, that, that'd be great. So for the listeners, go ahead and go to embracingdigital.org and you'll see that we'll put that list up on this episode. So that'd be great for everyone.

A

Yeah, perfect.

C

Because yeah, I think this is important. We've got a lot of mid and small businesses that are now in the crosshairs of these big conglomerate cyber bad actors. Right. And there's nothing worse than waking up to a, a ransomware attack when you know, hey, maybe my revenue is only 10 million and they're asking for, you know, $500,000. I'm like lots. Right. For, for a small company. Right. That would be devastating. Yeah.

A

And it's funny because majority of the attacks are actually towards the smaller and mid sized businesses because again the threat actors, they, they also believe that maybe they're just, they just don't have the resources or the money to put these tools in place or the training in place.

C

So. Soft targets.

A

Yeah, they're soft targets. Exactly.

C

Absolutely. That's pretty rotten.

A

It is.

C

Aim on you guys, you bad guys. All right, so let's, let's pivot a little bit into creating a cyber defense now because we handled, we handled kind of the behavior thing for all of my people in my organization. What are some tips that I can, I can have a better cyber position.

A

Yeah.

C

For my organization, a training. Great. I think we covered that one. And, and that's probably my biggest hole is that is training my people. But beyond that, what else can I do to protect myself?

A

Yeah, absolutely.

C

I think dar.

A

I think the non negotiable is access governance and kind of these role based controls. I think every organization, regardless of your size needs to because we all know human error is inevitable, it's going to happen. But catastrophic damage, right, that can be isolated, right? Yeah, exactly. Right. That doesn't have to be, you know, you don't have to have it blow up. Right. So. But access governance is kind of what makes that difference happen. And so you know, most breaches again don't, they're not caused by these amazing elite hackers that are breaking, you know, crazy encryption. It's, they're caused because people are, you know, have over privileged access. Right. Or over privileged accounts or even stale permissions. Right. And you see these at some of the largest and most sophisticated organizations out there.

C

So mind boggling to me that this is still an issue because when I first started computing beyond a PC, right. I got my hands on the Unix operating system in the 80s and it had access control. And it drove me crazy because I was used to working on a PC, right? What do you mean I can't access that file? I used to be able to access all files on this machine. So access control has been around for a really long time, all the way back into multics. And even the IBM mainframes all had access control. So why are we so bad at it now?

A

You know, a full transparency? I think it's because it's just easier if I just give everything.

C

I just open it up to everyone.

A

Yeah, it's just then it's easier for me. I don't have to, you know, keep giving your permission every day and every hour.

C

Right?

A

So yeah, that's true. Yeah, that's. And that's, I think that mentality was okay years ago when attacks, you know, didn't happen every second or every minute.

C

Right.

A

I mean again, Fortune 50 companies, we've had a client of ours, they record about 10,000 pings on their network by threat actors on a daily basis. 10,000 pings, that's a lot. Yeah, it's mind boggling where things are going.

C

Right?

A

But if somebody with excessive access makes even one small mistake, because again, human nature, it's inevitable that that blast radius could turn into this massive financial headlines in the news. Right. And so I think the, the principle of least privilege is extremely important. And that just means that employees should only really have access to what they need right now.

C

Right.

A

And that not why you put the

C

time element on there? Because I mean that's a zero trust. That's a zero trust principle, right? Access for a certain period of time, Correct?

A

Yes.

C

Which is, which is really critical. But that means I've got to hire a person to handle access control or I have to spread that across the whole organization saying hey, you know, hey, you, least privilege is a philosophy we adopt here at this company. Is that, is that kind of what you're saying?

A

I think that that's a, it's a cultural thing, which is another topic that I'm extremely passionate about. But I think, you know, access should also be tied to roles and not to the individual as well. Right. Because if you tie to individuals then it's Band Aid on top of band aid on top of band Aid. And that just increases risk exponentially as well. But if you attach it to different roles, then you're able to, you know, you have a little bit better control over it. It doesn't get overburdening to the actual IT team themselves as well and you're able to have better control over. So I think that's one thing. Obviously having quarterly reviews that should be mandatory as well. Don't just do annual reviews or anything like that. I think annual reviews are just way too long. And then also especially these privileged accounts.

C

Right.

A

They should never become permanent. People have admin accounts all the time or they walk around with unrestricted access like it's just a badge, Right. That they walk around with. And that is the case. Totally.

C

Badge. I have root access. Right, Right, right. I mean that when I was a sysadmin I, I was like, yeah, I got root access. I have keys to the whole kingdom. Right, right. And, and with that become, comes responsibility that sometimes I messed up. Like I, I blew away our whole email server on accident, like completely destroyed. Because I had rude access.

A

Yep.

C

Did I need root access? Probably not.

A

Probably not.

C

Right.

A

And also it's, you know, just because you might need root access one time a year doesn't mean that you should just have that access all the time. Right. And so I think again, some of these things are non negotiable. Everyone should do it, even some of the smallest organizations, minimally. Again, multi factor authentication is an absolute must have.

C

Here's another good one. Multifactor authentication, right?

A

Absolutely. Even, you know, for our organization, if you're logged into email, especially nowadays with a lot of work from home or remote work travel, I mean these, a lot of networks, especially in hotels, airports, right. They're unsecured and so always log into vpn, have MFA active. That is a non negotiable as well. So.

C

All right, you brought, you brought up something interesting because I've seen a trend on the role based access. So rBoach, right. We hear the term rbach. What about attribute based access control or abac? Have you seen, do you see that as a viable solution or is that just more complex? Because there's been some debates and I'm wondering, I mean you're an expert in this area. What have you seen? Have you seen the emergence of abac or is it just too complex? You don't think it's going to go in that direction.

A

I think eventually, especially with the advent of AI and able to do that. I think it's going to get there as well. It is a little bit more complex. It's easier for organizations to start with role based because again, it's simplified. It's easy. Again, even the smallest organizations that have very little budgets can, can do this, can do that. Right. Start there. But AI honestly is also making it a lot easier. I think that's, you know, in the, that next topic is, you know, from these automated safety nets and AI detection tools I think is also a no brainer, especially with where our world is going to.

C

So okay, so you moved right into detection. I do need that too. So I put up my wall. I have great access control. Multi factor authentication is must. Maybe we'll move away from passwords completely. That would be wonderful. So now defense, defense through detection, right? Detection is the next major thing that we need to talk about. So detection is expensive. I've always heard that. Right. I've got all these system logs, I've got my network logs. Do I need to go buy Elastic to do this? Do I need Palantir? Everyone says I need Palantir to do this type of work. Right. I mean, are there solutions out there that give me some. I mean detecting people hitting my network is important or, or infiltrated my systems is important.

A

I think it's super important, Darren, especially with where the world's going. And again, we've, I think we also have to acknowledge the fact that people are busy, they're distracted, they're juggling 20 tabs, right, at once. And so, you know, security needs to operate at machine speed as well. And you look at even modern email security, right? For example, it shouldn't just detect spam, but it should look at tone shifts, right. It should look at impersonation attempts, you know, abnormal payment language. Right. All those things it should automatically do and especially when sometimes we're going to miss it, we're not perfect by any means. And so AI helps in front of that. And the good thing about AI also is that where I think it differentiates us at the corporate level versus the threat actors is that it baselines how employees behave.

C

Right?

A

So it can baseline how executives typically write emails, for example, or what type of languages they use or the behaviors of your employees. Hey, they, you know this, hey, Darren specifically logs in typically 99% of the time between these hours or here's what he typically does, right? So we can baseline that and if there is an abnormal change in behavior AI can automatically detect that, put a stop to it all.

C

That's pretty cool.

A

Yeah.

C

I mean, but that's what these larger England models are great at. Pattern detection. Right. So if I get an anomaly, it can automatically go, this is not what we normally behave. We normally don't behave this way.

A

Yeah, right, exactly. Imagine if somebody in accounting all of a sudden downloads, you know, 50 gigabytes of data at 2 in the morning. Right? That's a little bit of an odd behavior. Let's maybe put a stop to that. I'm sure you heard about this breach that a very large organization had. About a year ago, somebody came in through a slack A communication channel and they downloaded a bunch of data that they weren't supposed to. But had some of these things been turned on, they could have said, hey, downloading terabytes of data, it's a little bit out of the norm. Let's quickly put a stop to it, let's investigate it. Let's figure out if this is supposed to happen, and if it is, great, we'll unlock it. It's a little bit of time wastage, not the end of the world. Right. But at least we can stop these attacks before they happen. So I think so.

C

Isn't that always the. The friction between cybersecurity experts and, and users of the systems? You're just getting in my way of me doing my job. You're slowing me down. Right. I mean, I, I've done this myself, right. As I'm not a cybersecurity expert, I play one on a podcast sometimes and. All right, my PhD is in cybersecurity, but that's. I'm not a cybersecurity expert. It does slow you down. It does. Let's be honest.

A

No, you're right. I think there is. And that's a fair concern, Right. Because especially if it's poorly implemented security practices and principles, I think that could definitely create friction. Absolutely. But the goal isn't about more friction. It's about almost like smarter friction. Right? Because I like that.

C

Smart friction.

A

There's smart friction. I'm going to coin that. Darren, please don't steal it.

C

All right? You got to hurry, man, because at

A

the end of the day, right, security, to me, it should. It's. It's embedded intelligently. If it is embedded intelligently, then a lot of the protections are invisible.

C

Right.

A

Most people shouldn't see it and most people shouldn't deal with it. Right. Because again, a lot of these AI detection that runs in the background, I mean, they're not really Interrupting workflow for. For at least again, 95, 98% of the use cases or 98% of the. The employees out there. So that. That's the way I look at it. I think, again, I think the real question is not necessarily about does this add friction?

C

Right.

A

But more. Does this add less friction than a brief?

C

Right.

A

Because.

C

Yeah, I think you hit it on the nose. I'm. When you were talking there, I was thinking, when I come into my house, I have a lock on the front door.

A

Right.

C

Right. Now, where I grew up, I grew up out in the country in central California, out, out in farm fields, we never locked our house. In fact, when my parents sold the house, they couldn't find the key to the front door because the lock hadn't changed in 30 years. And we never locked the house. Right. So, you know, so I was used to just opening the door, coming in. The house was never locked. But now I live in the suburbs, I lock my house, and it takes me, you know, 15 seconds to unlock the door. Right. But, you know, that's a whole lot better than coming home to a house that's been completely ransacked.

A

Exactly, exactly. Same analysis.

C

I guess I'm willing to take a little bit of that smart friction.

A

Right.

C

Of cybersecurity. But if it took me a. If it took me a whole five or ten minutes to unlock my house, I would stop locking it, right?

A

Yes, exactly. And I think to that point, I think it's got to be that smart friction. Otherwise your employees are not. They're not going to adapt to the technology. They're not going to adapt to those principles as well. And so it's got to be seamless, it's got to be frictionless. It's got to be more in the. The background, and it can't really disrupt their workflow. I think, you know, to that point also is if you lead, and this is maybe even another topic, but if you start leading with that culture, especially from the top down, then it becomes second nature, right? It's.

C

Yeah, because now I go click, click. I don't even have a key to my front door. It's all, you know, all computer. Now I can open it with my phone or with the keypad on the door, and it's all second nature. Yeah. We just changed our lock combo. So all the listeners that already know the lock combo to my house, because it's been mentioned before, we changed it so you can't come in. But now when I go, I go to hit that first number, it's not the same number. And I'm like, oh, crud. I got to remember what the new lock combo is. It's like changing your password. It's painful for a little tiny bit until that muscle memory gets. So I. I get that. That frictionless concept. That's pretty slick.

A

Exactly. And I think, again, when you. When you develop that culture from leadership, then again it becomes second nature. It's not just an IT initiative or an IT led, you know, nuisance. Right. It is. Hey, this is. This is what we do. We, regardless whether we are in healthcare or finance or any other industry, we're a security company, and that's what we're going to be doing.

C

That's great. Hey, Amit, if people want to find out more besides just coming to the website, how do they reach out to you or how do they engage with your company? I mean. Yeah, tell us more about your company and how you guys engage.

A

Yeah, perfect. Thank you. Our company is called Consulting Solutions. We are extremely large IT consulting firm. We help a lot of our clients with a lot of their IT challenges or initiatives. Anything from cybersecurity, AI development, ERP program, project management, anything that they themselves may not want to necessarily take on themselves. We've probably done it a dozen or two dozen times. And so we know the pitfalls, we know the nuisance, we know the issues, and we could probably help successfully deliver these initiatives for them. And so consultingsolutions.com, check out the website. And I'm also on LinkedIn. I think it's amitpatel1, 2, so feel free to.

C

I was gonna say, do you know how many Amit Patels there are?

A

There's a lot. There's a lot. I think I have maybe a dozen in my phone alone, I'm sure.

C

Very, very popular. So. Amit Patel. One, two.

A

I. I believe that's it. Yep.

C

All right, There you go. You're number 12.

A

I was number 12.

C

You're number 12. That's awesome. Again, thanks for coming on the show. This has been wonderful.

A

Likewise, sir. I appreciate you having me. I love your show and thanks for letting me be part of it.

B

Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community@patreon.com to embracingdigital, where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources at embracingdigital org. Until next time, keep embracing the digital transformation.