Amit Patel

But where most corporations are feeling the brunt of these attacks are on the human element. Right? Because at the end of the day, we are humans. We're going to make mistakes. And that's, I think, where we're seeing, again, majority of the attacks happen. So absolutely on the human element.

Darren

See?

Podcast Host

Welcome to Embracing Digital Transformation, where we explore how people process policy and technology drive effective changes. This is Dr. Darren, Chief Enterprise architect, educator, author, and most importantly, your host. On this episode. AI is supercharging cyber attacks. How do we defend ourselves? With senior VP of Consulting Solutions, Amit Patel.

Darren

Amit. Welcome to the show, Darren.

Amit Patel

Thank you for having me, sir. I appreciate it.

Darren

Hey, before we dive into cybersecurity and our. In our teams and things like, I think we all agree the weakest leak inside weakest link in cybersecurity are people, primarily. I think everyone that knows that. Right. But we can't get rid of people. People are important. But before we dive into all of that, everyone that listens to my show knows that I only have superheroes on the show. And all superheroes have a background story, an origin story. So, Amit, what's your origin story?

Amit Patel

I love that intro, by the way. Thank you for that, Darren. You know, my. My origin story, you know, I would say I'm. I'm truly probably a tech nerd at heart. I love technology. I love everything about it. You know, over the last several years especially, I think technology has rapidly changed with the admin of and really the adoption of AI Right. And so I'm excited of where things go. I've. I've been in the tech field my entire career, but I'm also an entrepreneur at heart. I love working with organizations. I love working with people. I've, you know, been fortunate enough to see a thousand different environments, a thousand different personalities, and so, you know, I feel like I've got a good grasp on all different avenues across the board. So I've been very, very fortunate from that perspective. I'm also a father of three little girls. You can see some of their artwork on my wall here.

Darren

Three little girls, man. You're outnumbered, man.

Amit Patel

I am. It's a tough job, but I wouldn't change it for the world. I love every minute of it. And, you know, they definitely have me wrapped around their little fingers.

Darren

So girls do. It's amazing that girls do that, but they absolutely do because I got four girls and. And six boys. And the. The boys, you just kind of rough and tumble. They don't have me wrapped around their finger, but my Girls, whatever they want, they get that, and they all know that. So they all come to daddy, you know, what, what do you want? And they're. They're all adults now, and they still get whatever they want from me. So, Darren, is that.

Amit Patel

Is that 10 that I heard? Is that 10? Yeah.

Darren

10.

Amit Patel

Kudos to you and your wife.

Darren

Yeah, it's been a little bit of a crazy craziness, but we survived, so. Hey, all right. We could talk about families all day and raising children, which is almost like handling cybersecurity in an organization, right? You got personalities, you got a lot going on. But before we dive into, like, the personal thing, I want your take on AI's role in. In cybersecurity. Have you seen that it has changed anything in this realm at all? Or is it just the same things over and over again, maybe faster, or are we seeing any fundamental changes?

Amit Patel

No, I think the last several years, we've seen a lot of changes. I think AI, there's pros and cons to it, right? We, as the defenders, we have access to the same tools and capabilities that the threat. Threat actors also have access to. Right? So email spiffing, you know, and phishing emails, the sophistication has skyrocketed, right. You know, before, right. You and I probably all, you know, some of the annual cyber security training that we've done, right? Hey, look out for, you know, grammar issues or, you know, changes in font and things like that, right? Just the normal stuff. And now, you know, these sophisticated email campaigns, I mean, they're. They're skimming through LinkedIn, they're looking at the way you and I write our emails, the tone that we typically use, and they're able to mimic, you know, to the T, and sometimes write emails better than you and I would write them. Oh, yeah, yeah. These threat actors, they have access to these tools. These things are getting so sophisticated that just the average human, I mean, we're having a tough time, and I. I'm not the world's greatest expert by any means, but I'm, I'm, you know, relatively tech savvy, and so. But even I get fooled by some of these. These campaigns. And so it's getting a little bit more complicated. These. These campaigns are getting more sophisticated, and, you know, they're. They're using AI to their advantage. And so pros and cons.

Darren

Do you see that they're primarily doing this in the phishing attacks? So it's really, is. It's really a attack on. On the human nature of things. Right. I Mean, are we seeing AI really attacking, you know, frontal attacks on. On machines and technology itself, or are they always trying to come back through the back door through humans?

Amit Patel

I think, you know, majority, if you look at majority of the cyber attacks is always through the human element side of the house, you know, are threat actors, you know, spending time and leveraging AI to go through deep encryption and all that good stuff. Yes, absolutely. But where most corporations are feeling, the brunt of these attacks are on the human element. Right. Because at the end of the day, we are humans. We're going to make mistakes. And that's, I think, where we're seeing, again, majority of the attacks happen. So. Absolutely. On the human element.

Darren

Since these attacks are becoming more sophisticated on the human element, what are, what do we do? I mean, I even had, on my show, it's been about a year, I have a cybersecurity expert on the show that cloned my voice. Right. Captured my domain name.

Amit Patel

Yeah.

Darren

I mean, took over my domain name, sent emails as me to me saying, hey, check out the voicemail I sent you. I have some important things to ask you in that voicemail. So then they sent me a voicemail says, hey, I need the account number to our bank account because we're making deposits and I've got a digit wrong.

Amit Patel

It won't go through. Yeah.

Darren

I'm like. And it was my voice.

Amit Patel

It's your voice, right?

Darren

Yeah. Right. So, I mean, these attacks are getting highly sophisticated.

Amit Patel

Extremely.

Darren

So, Amit, what do I do?

Amit Patel

Yeah, it's. Darren, you bring up a great point. These attacks are so advanced, it's tough for the average human to decipher what's real and what's not these days. And so I think I tell all of our clients, at the very least minimally, start with behavioral education. Right. And it's not just about awareness. Right. You know, I think previously. Right. A couple years ago, it was all about, you know, you have a typical annual cybersecurity training. Right. And it's.

Darren

And then phishing attacks, simulated phishing attacks all year long. Right. I got those all the time.

Amit Patel

Exactly.

Darren

Right.

Amit Patel

But those annual cyber attack or cybersecurity training, right, It's. It's largely theater.

Darren

Right.

Amit Patel

Because employees will just kind of click through those 45, you know, minutes of slides, and once a year, they'll do it and they'll forget 80 to 90% of it within a month. Right. And so meanwhile, like you mentioned, AI powered phishing campaigns, they evolved. I mean, they're evolving weekly.

Darren

Right.

Amit Patel

Which means that once a year Static training, it's fighting a dynamic threat. Right. And so, you know, again, used to talk about bad grammar and suspicious fonts, but now again, AI writes better emails than you and I do and it's, it's crazy where things are going. I think again, we've got to get better at, you know, dynamic, you know, scenario based training, right. That builds like long term memory instead of just checking the box for compliance.

Darren

Right.

Amit Patel

And so what we recommend is, you know, these short monthly, like almost like micro sessions, right? Maybe five, ten minutes or so sessions that are, they're far more effective than the annual marathon long training sessions. So that's one part of it. I do think that simulation campaigns are great, but make them contextual based. Right? So finance team, for example, they'll see a lot more invoice fraud issues, right? HR teams might see attachment fraud issues, right. The dev team might see DevOps or Access, you know, fakes and things like that. Right. So make it contextual to the employees and kind of create the awareness around that. Actually go through that, you know, again. And employees always. Right. Should be trained to pause and verify, right. And especially if it's, if it's asking for urgency, right? Like hey, I missed this digit, I need this right away right now. Okay. It's asking for urgency. Let's take a quick pause, let's verify before we do something. Right. Cause again, that human element I think is some of the area that needs to be, is the biggest vulnerability. And I think we've got to figure that out. But it starts with that behavioral training. Not just the annual, I really like

Darren

that behavioral training thing where once a month, five to ten minutes, it ends up in the front frontal cortex, right. Like in the front of my head going, oh yeah, cyber security is important. Right. I need to take care of that. I need to watch out, out for that. It's almost like reminding when you work with ChatGPT or anything. It's like dropping in, hey, we're going to talk about this, you know, at the beginning of the chat, right? Right, we're gonna talk about this. Okay. So let's make sure we focus on this. It just brings it to the forefront so that it's in the front of my, my brain.

Amit Patel

Yeah. And the good thing about those types of behavioral training is you can also make the training, know, advanced and more sophisticated as time goes on. So it just builds and builds and builds as well. And again, it's not a one and done. It's not a once a year thing as well. Yeah, it stays in Front of people. Right. Again, it's like that out of sight, out of mind mentality as well.

Darren

So. No, I really, I really like that approach. I, I, I think that's, that's smart. But how do I, that means that my training has to be constantly being updated. Right. Because the, the attacks are becoming more and more sophisticated every, every day.

Amit Patel

Yeah, a hundred percent. I mean, there, there's some great tools out there. We, even internally for our organization. I mean, we're an IT consulting firm, but yet we still leverage internal training for our own employees.

Darren

And it's, I would hope so.

Amit Patel

Yeah, yeah, it's the same thing, but it's about, it's once a month, it's five to 10 minutes of these sessions that our employees watch. Maybe there's a little bit of quiz at the end or throughout the, the engagement as well. But now these training sessions, I mean, they're like a, you know, a Hollywood blockbuster movie almost. And it just builds and builds, the scenarios build and it's, it's, it's fun almost now because you want to see what happens next. And intuitively you're also building your cybersecurity awareness at the same time. So it's kind of a great 1, 2.

Darren

You made cybersecurity training fun how? I got to see examples of that. Well, and, and do you have some of this out on YouTube so people could take a look at it?

Amit Patel

Yeah, absolutely. Now I'll, I'll actually, I'll send you some links as well. Darren.

Darren

Send me some links up on the website. Yeah. Because I'm interested in seeing this because right now I take a lot of training because I do a lot with governments all over the world.

Amit Patel

Yeah.

Darren

And they want me to, to take their data privacy, data handling training. Right. And it's, it's like a snooze fest, man. I mean, it's like some of them even talk about fax machines. Can you believe that? When you get a fax, I'm like, what? Right. Didn't get a fax. What am I doing with a fax machine? Right. Yeah.

Amit Patel

You know, we were still in the 70s.

Darren

Yeah, right. Yeah, yeah, exactly. So, I mean, so if, if I want to upgrade my cybersecurity behavioral training, where do I start? Do I just have to go to you guys or is, are there some tips and tricks that I can start on my own?

Amit Patel

Yeah, honestly, there are a couple of great organizations out there. You don't necessarily need to come to us. There are some fantastic organizations out there that your listeners can also reach out to as well. And nowadays again, it's getting relatively cheaper. So even the small to mid size businesses that don't have an unlimited budget, right. They can start layering in some of these training and these tools as well. So that way they can protect their own organization and their employees as well. So. Absolutely. There's a multitude of ways out there. There's several organizations that do, I think a phenomenal job at it. And again, happy to get that list over to you as well, Darren.

Darren

Oh, that'd be great. So for the listeners, go ahead and go to embracingdigital.org and you'll see that we'll put that list up on this episode. So that'd be great for everyone. Yeah, because yeah, I think this is important. We've got a lot of mid and small businesses that are now in the crosshairs of these big conglomerate cyber bad actors. Right. And there's nothing worse than waking up to a, a ransomware attack when you know, hey, maybe my revenue is only 10 million and they're asking for, you know, $500,000. I'm like lots. Right. For, for a small company.

Amit Patel

Right.

Darren

That would be devastating. Yeah.

Amit Patel

And it's funny because majority of the attacks are actually towards the smaller and mid sized businesses because you know, the threat actors, they, they also believe that maybe they're just, they just don't have the resources or the money to put these tools in place or the training in place.

Darren

So those are soft targets.

Amit Patel

Yeah, they're soft targets, exactly.

Darren

Absolutely. That's pretty rotten.

Amit Patel

It is.

Darren

Aim on you guys. You bad guys. All right, so let's, let's pivot a little bit into creating a cyber defense now because we handled, we handled kind of the behavior thing for all of my people in my organization. What are some tips that I can, I can have a better cyber position.

Amit Patel

Yeah.

Darren

For my organization. A training. Great. I think we covered that one. And that's probably my biggest hole is that is training my people. But beyond that, what else can I do to protect myself?

Amit Patel

Yeah, absolutely. I think, Darren, I think the non negotiable is access governance and kind of these role based controls. I think every organization, regardless of your size needs to because we all know human error is inevitable, it's going to happen. But catastrophic damage, right, that can be isolated, right? Yeah, exactly. Right. That doesn't have to be, you know, you don't have to have it blow up. Right. So. But access governance is kind of what makes that difference happen. And so you know, most breaches again don't they're not caused by these amazing elite hackers that are breaking, you know, crazy encryption. It's. They're caused because people are, you know, have over privileged access. Right. Or over privileged accounts or even stale permissions. Right. And you see these at some of the largest and most sophisticated organizations out there.

Darren

So mind boggling to me that this is still an issue because when I first started computing beyond a PC, right, I got my hands on the Unix operating system in the 80s and it had access control. And it drove me crazy because I was used to working on a PC, right? What do you mean I can't access that file? I used to be able to access all files on this machine. So access control has been around for a really long time, all the way back into multics. And even the IBM mainframes all had access control. So why are we so bad at it now?

Amit Patel

You know, a full transparency? I think it's because it's just easier if I just give every, I just

Darren

open it up to everyone.

Amit Patel

Yeah, it's just then it's easier for me. I don't have to, you know, keep giving you permission every day and every hour.

Darren

Right.

Amit Patel

So this is true. Yeah, that's, and that's, I think that mentality was okay years ago when attacks, you know, didn't happen every second or every minute.

Darren

Right.

Amit Patel

I mean again, Fortune 50 companies, we've had a client of ours, they record about 10,000 pings on their network by threat actors on a daily basis. 10,000 pings, that's a lot. Yeah, it's mind boggling where things are going.

Darren

Right?

Amit Patel

But if somebody with excessive access makes even one small mistake, because again, human nature, it's inevitable that that blast radius could turn into this massive financial headlines in the news. Right. And so I think the, the principle of least privilege is extremely important. And that just means that employees should only really have access to what they need right now.

Darren

Right.

Amit Patel

And that not why you put the

Darren

time element on there? Because I mean, that's a zero trust. That's a zero trust principle, right? Access for a certain period of time, Correct?

Amit Patel

Yes.

Darren

Which is, which is really critical. But that means I've got to hire a person to handle access control or I have to spread that across the whole organization saying hey, you know, hey you. Least privilege is a philosophy we adopt here at this company. Is that, is that kind of what you're saying?

Amit Patel

I think that that's a, it's a cultural thing, which is another topic that I'm extremely passionate about. But I think, you know, Access should also be tied to roles and not to the individual as well. Right. Because if you tie to individuals, then it's Band Aid on top of band aid on top of band Aid. And that just increases risk exponentially as well. But if you attach it to different roles, then you're able to, you know, you have a little bit better control over it. It doesn't get overburdening to the actual IT team themselves as well and you're able to have better control over. So I think that's one thing. Obviously having quarterly reviews, that should be mandatory as well. Don't just do annual reviews or anything like that. I think annual reviews are just way too long. And then also these, especially these privileged accounts, right. They should never become permanent. People have admin accounts all the time or they walk around with unrestricted access like it's just a badge, right. That they walk around with. And that is totally a badge.

Darren

I have root access. Right, Right, right. I mean that when I was a sysadmin, I, I was like, yeah, I got root access, I have keys to the whole kingdom. Right, right. And, and with that become, comes responsibility that sometimes I messed up. Like I, I blew away our whole email server on accident, like completely destroyed because I had rude access.

Amit Patel

Yep.

Darren

Did I need root access? Probably not.

Amit Patel

Probably not.

Darren

Right.

Amit Patel

And also it's, you know, just because you might need root access one time a year doesn't mean that you should just have that access all the time. Right. And so I think again, some of these things are non negotiable. Everyone should do it, even some of the smallest organizations, minimally, again, multi factor authentication is an absolute must have.

Darren

There's another good one, multifactor authentication, right?

Amit Patel

Yeah, absolutely. Even, you know, for our organization, if you're logged into email, especially nowadays with a lot of work from home or remote work travel, I mean these, a lot of networks, especially in hotels, airports, right. They're unsecured and so always log into a vpn, have MFA active. That is a non negotiable as well.

Darren

So. All right, you brought, you brought up something interesting because I've seen a trend on the role based access. So rbach, right, we hear the term rbach. What about attribute based Access control or abac? Have you seen, do you see that as a viable solution or is that just more complex? Because there's been some debates and I'm wondering, you're an expert in this area, what have you seen? Have you seen the emergence of abac or is it just too complex? You don't Think it's going to go in that direction.

Amit Patel

I think eventually, especially with the advent of AI and able to do that. I think it's going to get there as well. It is a little bit more complex. It's easier for organizations to start with role based because again, it's simplified, it's easy. Again, even the smallest organizations that have very little budgets can do this, can do that. Right. Start there. But AI honestly is also making it a lot easier. I think that's, you know, that next topic is, you know, from these automated safety nets and AI detection tools I think is also a, a no brainer, especially with where our world is going to.

Darren

So, okay, so you moved right into detection. I do need that too. So I put up my wall. I have great access control, multi factor authentication is must. Maybe we'll move away from passwords completely. That would be wonderful. So now defense, defense through detection, right? Detection is the next major thing that we need to talk about. So detection is expensive. I've always heard that.

Amit Patel

Right.

Darren

I've got all these system logs, I've got my network logs. Do I need to go buy Elastic to do this? Do I need Palantir? Everyone says I need Palantir to do this type of work. Right. I mean, are there solutions out there that give me some. I mean detecting people hitting my network is important or, or infiltrated my systems is important.

Amit Patel

I think it's super important, Darren, especially with where the world's going. And again, we've, I think we also have to acknowledge the fact that people are busy, they're distracted, they're juggling 20 tabs right, at once. And so, you know, security needs to operate at machine speed as well. And now you look at even modern email security, right. For example, it shouldn't just detect spam, but it should look at tone shifts, right. It should look at impersonation attempts, you know, abnormal payment language. Right. All those things it should automatically do and especially when sometimes we're going to miss it, we're not perfect by any means. And so AI helps in front of that. And the good thing about AI also is that where I think it differentiates us at the corporate level versus the threat actors is that it baselines how employees behave.

Darren

Right.

Amit Patel

So it can baseline how executives typically write emails, for example, or what type of languages they use or the behaviors of your employees. Hey, they, you know this, hey, Darren specifically logs in typically 99% of the time between these hours or here's what he typically does, right. So we can baseline that. And if there is an abnormal change in behavior, AI can automatically detect that, put a stop to it all.

Darren

That's pretty cool.

Amit Patel

Yeah.

Darren

I mean, but that's what these larger England models are great at. Pattern detection. Right. So if I get an anomaly, it can automatically go, this is not what we normally behave. We normally don't behave this way.

Amit Patel

Yeah, right, exactly. Imagine if somebody in accounting all of a sudden downloads, you know, 50 gigabytes of data at 2 in the morning. Right? That's a little bit of an odd behavior. Let's maybe put a stop to that. I'm sure you heard about this breach that a very large organization had. About a year ago, somebody came in through a slack A communication channel and they downloaded a bunch of data that they weren't supposed to. But had some of these things been, you know, turned on, they could have said, hey, downloading terabytes of data, it's a little bit out of the norm. Let's quickly put a stop to it, let's investigate it. Let's figure out if this is supposed to happen, and if it is, great, we'll unlock it. It's a little bit of time wastage, not the end of the world. Right. But at least we can stop these attacks before they happen. So I think so.

Darren

Isn't that always the, the friction between cybersecurity experts and, and users of the systems? You're just getting in my way of me doing my job. You're slowing me down. Right. I mean, I've. I've done this myself, right. As I'm not a cybersecurity expert, I play one on a podcast sometimes and. All right, my PhD is in cybersecurity, but that's, I'm not a cybersecurity expert. It does slow you down. It does. Let's be honest.

Amit Patel

No, you're right. I think there is. And that's a fair concern, Right. Because especially if it's poorly implemented security practices and principles, I think that could definitely create friction. Absolutely. But the goal isn't about more friction. It's about almost like smarter friction.

Darren

Right?

Amit Patel

Because I like that.

Darren

Smart friction.

Amit Patel

There's smart friction. I'm going to coin that. Darren, please don't steal it.

Darren

All right? You got to hurry, man, because at

Amit Patel

the end of the day, right, security,

Darren

to me, it should.

Amit Patel

It's. It's embedded intelligently. If it is embedded intelligently, then a lot of the protections are invisible.

Darren

Right.

Amit Patel

Most people shouldn't see it and most people shouldn't deal with it. Right. Because again, a lot of these AI detection that runs in the background. I mean, they're not really interrupting workflow for. For at least, again, 95, 98% of the use cases or 98% of the. The employees out there. So that. That's the way I look at it. I think, again, I think the real question is not necessarily about does this add friction?

Darren

Right.

Amit Patel

But more. Does this add less friction than a breach?

Darren

Yeah, I think you hit it on the nose. I'm. When you were talking there, I was thinking, when I come into my house, I have a lock on the front door.

Amit Patel

Right.

Darren

Now, where I grew up, I grew up out in the country in central California, out in farm fields. We never locked our house. In fact, when my parents sold the house, they couldn't find the key to the front door because the lock hadn't changed in 30 years. And we never locked the house. Right. So, you know, so I was used to just opening the door, coming in. The house was never locked. But now I live in the suburbs, I lock my house, and it takes me, you know, 15 seconds to unlock the door. Right. But, you know, that's a whole lot better than coming home to a house that's been completely ransacked.

Amit Patel

Exactly, Exactly. Same amount.

Darren

I'm willing to take a little bit of that smart friction.

Amit Patel

Right.

Darren

Of cybersecurity. But if it took me a. If it took me a whole five or ten minutes to unlock my house, I would stop locking it, right?

Amit Patel

Yes, exactly. And I think to that point, I think it's got to be that smart friction. Otherwise your employees are not. They're not going to adapt to the technology. They're not going to adapt to those principles as well. And so it's got to be seamless, it's got to be frictionless. It's got to be more in the. The background, and it can't really disrupt their workflow. I think, you know, to that point also is if you lead, and this is maybe even another topic, but if you start leading with that culture, especially from the top down, then it becomes second nature, right? It's.

Darren

Yeah, because now I go click, click. I don't even have a key to my front door. It's all, you know, all computer. Now I can open it with my phone or with the keypad on the door, and it's all second nature. Yeah. We just changed our lock combo. So all the listeners that already know the lock combo to my house, because it's been mentioned before, we changed it so you can't come in. But now when I go, I go to hit that first Number. It's not the same number. And I'm like, oh, crud. I got to remember what the new lock combo is. It's like changing your password. It's painful for a little tiny bit until that muscle memory gets. So I. I get that. That frictionless concept. That's pretty slick.

Amit Patel

Exactly. And I think, again, when you. When you develop that culture from leadership, then again, it becomes second nature. It's not just an IT initiative or an IT led, you know, nuisance. Right? It is. Hey, this is. This is what we do. We, regardless whether we are in healthcare or finance or any other industry, we're a security company, and that's what we're going to be doing.

Darren

That's great. Hey, Amit, if people want to find out more besides just coming to the website, how do they reach out to you or how do they engage with your company? I mean. Yeah, tell us more about your company and how you guys engage.

Amit Patel

Yeah, perfect. Thank you. Our company is called Consulting Solutions. We are extremely large IT consulting firm. We help a lot of our clients with a lot of their IT challenges or initiatives. Anything from cybersecurity, AI development, ERP program, project management, anything that they themselves may not want to necessarily take on themselves. We've probably done it a dozen or two dozen times. And so we know the pitfalls, we know the nuisance, we know the issues, and we could probably help successfully deliver these initiatives for them. And so consultingsolutions.com, check out the website. And I'm also on LinkedIn. I think it's amitpatel1, 2, so feel free to.

Darren

I was gonna say, do you know how many Amit Patels there are?

Amit Patel

There's a lot. There's a lot. I think I have maybe a dozen in my phone alone, I'm sure.

Darren

Very, very popular. So, Amit Patel. One, two.

Amit Patel

I believe that's it. Yep.

Darren

All right. There you go. You're number 12.

Amit Patel

I was number 12.

Darren

You're number 12. That's awesome. Amit, again, thanks for coming on the show. This has been wonderful.

Amit Patel

Likewise, sir. I appreciate you having me. I love your show, and thanks for letting me be part of it.

Podcast Host

Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community@patreon.com embracingdigital where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources at embracingdigital. Org. Until next time, keep embracing the digital transformation.