
In this "Lessons" episode, Theresa Payton, former White House CIO, shares how predictable human behavior creates vulnerabilities in cybersecurity and why conventional defenses often fall short. Learn why routine security measures are exploited by sophisticated social engineering and how designing innovative, personalized protocols can disrupt attackers and strengthen digital defenses.
Scott
Today's Success Story podcast is brought to you by Vanta. Now listen up. This matters for your business. In today's digital landscape, security isn't optional, it's essential. Without it, deals stall, sales cycles stretch out and scaling becomes really difficult. Why? Because investors, customers, partners, they all expect businesses to demonstrate strong security practices before they commit to anything. And if you can't prove trust, you lose opportunities. So whether you're a startup founder trying to land that first big client or an established company scaling your security program, Vanta helps businesses of all sizes prove they're trustworthy by automating compliance across 35 frameworks like SOC 2, ISO 27001 and HIPAA. The exact certifications your prospects, your customers are demanding. And here's why you need to pay attention. Vanta gives you back precious time you're currently wasting on compliance. Their platform automates up to 90% of the tedious compliance work, and it helps you respond to those endless security questionnaires up to five times faster. And, and they also connect you with experts to get your security program running immediately. And the results, they speak for themselves. A recent IDC report found that Vanta customers achieve over $535,000 per year in benefits, and the platform pays for itself in just three months. So join over 10,000 global companies like Atlassian, Quora and Factory who use Vanta to manage risk, improve security in real time, and don't miss this: for a limited time, only my listeners can get $1,000 off Vanta. That's real money back in your pocket. Visit vanta.com/scott now before this offer expires. That's V a n t a dot com slash Scott for $1,000 off. In this Lessons episode, discover how predictable human behavior creates vulnerabilities in cybersecurity and why conventional defenses often fall short. Learn why routine security measures can be.
Guest
Exploited by sophisticated social engineering and understand how innovative personalized protocols can disrupt attackers.
Scott
And strengthen digital.
Guest
When and, and just, you mentioned, like, again, like the human experience that we're trying to fix, because I've had other security experts on this show before and they do speak about the human, the human problem and the phishing attacks. And you just mentioned something that's very interesting: like, everybody hates these super complex passwords, but we know we got to do them, and everybody, 2FA is annoying, but we got to do it. And I guess, you know, you have your, like, Google auth that seems to work well, and I personally hate doing, like, the, the, the texting 2FA, not for, like, SIM swap reasons, but mostly because sometimes it doesn't get it. I don't get a text. Just a pain in the ass. And it just seems like it's a lot of effort. And again, if I got a phone call from an AI voice that said, you know, we, it, it's a, it's your brother, and it sounds like him, and I'm stressed out and he says he was arrested, and I've heard stories of this kind of fraud, and then it just, like, pulls on your, you know, your, your heartstrings and you feel stressed out and you want to help the person and you go wire the money or whatever. I mean, there's a million different types of fraud that I've even, I hope, haven't, haven't fallen victim to, but people have tried to target me for a variety of different reasons. I've had employees with spoofed emails emailing me that they want to change their banking information. Like a whole bunch of different things. Right. However, you said, you made a good point. So the fraudster is going to understand there's a complex password, they're going to understand there's 2FA, and they're just going to layer on a human component and they're going to try and trick you into doing something. But, and, and the answer is not blame the human, but then how, like, how do you solve that? Because humans are humans and they're always going to have an emotional reaction to these, like, this social engineering that a fraudster is going to put together.
Expert
Absolutely. So one of the things that, one of the principles that I have is if you study the profile of cybercriminals and fraudsters, nation states, you start to see they have a pattern of how they attack the different chinks in the armor, if you will. And so the goal, sometimes you want to do the basics. I mean, you want to have good digital hygiene practices, you want to invest in tools, you want good processes. But really oftentimes the best thing that stops the bad guys is, is designing something they didn't expect. So, for example, having a passphrase that's not easily guessed. So if you're sitting on, you know, there was a recent wire transfer fraud where the employee, part of their protocol is you get on a video conference with the CFO or the CEO or somebody else and you have proof of life, and the employee was on a video conference and was told to do the wire transfer, did the wire transfer. If part of the protocol had said, so good to see you. What's the passphrase? And the passphrase was like, something ridiculous that nobody else would know.
Guest
Yeah.
Expert
Then you probably would have had somebody hang up and it was that from happening. You can use this in your personal life. So you were mentioning, like, the virtual kidnapping type thing. Yeah, I. I don't know about you, but, like, I grew up, my sister and I. My dad would play a little game with us when we walked into a room, restaurant, wherever, and he'd say, okay, without turning your head, where are the exit doors? Where will you hide if something bad happens? What will your weapon be? Did you grow up and play that game?
Guest
Yes. Yeah, exactly. So my. My. My dad was in. I'm Canadian, and my dad was in the RCMP. And then he moved into CSIS. So he was. He was always adjacent to. Well, CSIS is Canadian security intelligence. Right. So, yeah. So it was very aware.
Expert
You had a similar childhood experience, and then it just became muscle memory for you.
Guest
Yes.
Expert
Probably even today. I know I do. I can walk into a room, and without really looking, I know where everything is. I literally was giving a talk. Huge place. I had never been there before. And the fire alarm went off long enough that I said, hey, everybody, I know where the fire exit is. Please follow me until the fire alarm goes up. So I get off stage, and everybody follows me. Orderly out. And the place was like, we cannot. We've never seen anybody do that. I'm like, well, my dad trained me. So my point in bringing that up is, is have this passphrase play that game with your. Your family, by the way, on where the exits. It's really important. A lot of people really underestimate. But the same thing with the passphrase. So I'll just, like, in the kitchen before dinner, like, anybody know the passphrase? I'm like, well, then you're not getting rescued if you call me and tell me you're in jail or somebody's got you. Like, you have to give me the passphrase. So that's something you can apply in your personal life as well. And again, each one of these things are typically just studying what's our process? How will criminals and fraudsters try to enter themselves into the process? And how do we do something completely unexpected?
Scott
A huge shout out to Bank On Yourself for supporting today's episode. Entrepreneurs. Here's the retirement secret that Wall Street doesn't want you to know. While you are pouring everything into growing your business, they want you gambling your future in their 401k casino with no guarantees. As a business owner, you already take enough risks. Why gamble with your retirement too? It is time to discover the financial strategy smart entrepreneurs are using to protect their wealth. Bank On Yourself is the proven approach that gives business owners what they need most: certainty, flexibility and control in their retirement. Unlike traditional retirement accounts, Bank On Yourself gives you predictable guaranteed growth that isn't at the mercy of market crashes. A liquid cash reserve you can tap anytime to seize new business opportunities or weather downturns. There's zero penalties or restrictions and tax free retirement income that shields your hard earned wealth from future tax hikes. For entrepreneurs who understand the value of financial leverage, here's the game changer. When you access your money, it continues growing as if you never touched it. This means your capital works twice as hard, just like you do. You can get a free report that reveals how you can bank on yourself and enjoy tax free retirement income, guaranteed growth and control of your money. Just go to bankonyourself.com/scott and get your free report. That's bankonyourself.com/scott. bankonyourself.com/scott. That's really.
Guest
It, it's about removing, it's about removing the routine out of, you know, our, our, our activity, our day to day so that it can't be guessed. That's really it. Something that can never be the, the, the hacker, the fraudster. There's no way they're ever going to be able to know this. That's the goal. That's really the goal.
Expert
And make it simple. Make it simple.
Guest
Not a strong password, because the purpose is for, it doesn't matter really what the word is. It just, it's just that it's there. That's really the, that's really the goal. I want to ask you some more just questions about some of the, some of your time in the White House, because I find that fascinating, and obviously you speak about what you can speak about and don't get yourself in trouble. But I am curious about some of the, when you, when you walk into the White House, you say the general public is not aware of really the threats that are going on. So what are some things that the public should know about that they're kind of oblivious to? Like, what is coming at the US? Why are we in trouble? Why, like, I think you mentioned at some point, like, it's not, it's not, you know, unicorns and rainbows when it comes to cyber security. And people know about other nation states and they understand that, you know, China exists and Iran exists and Russia to an extent exists, and, but maybe a little bit more clear as to what is actually happening that we have no clue or we don't pay attention to.
Expert
Yeah, well, I mean, for example, cyber criminals, especially nation states, and then people who are loosely affiliated, because for the record, China, Russia, Iran and North Korea say they don't have nation state operatives hacking into American infrastructure. So they say that. So I'm just going to give that disclaimer from them. But what's interesting is they first primarily focused on what's referred to as the defense industrial base. They would go after the US Government, US Military departments and agencies, White House. Then they'd go after the vendors, the big vendors that provide airplanes or weapons or anything else to the government. But then they realized we might be leaving money on the table. Maybe we should steal, I don't know, intellectual property, trade secrets, and then reverse engineer and manufacture our own stuff and compete with the U.S., you know, kind of even the playing field. We'll just steal their R and D, we'll skip that process and we'll just reverse engineer it and produce it here. And China, for one, is really good at doing that. And so that was something that was very eye opening to me at that time, because that wasn't really being discussed. And if any companies at that time were falling victim to that, they weren't talking about it, because they were worried their competitors would take advantage of it. So I think that's something, you know, that was a big aha moment for me. You know, many people may not realize this. I'm sure most people assume attacks against the White House are constant. It's a constant barrage. And that is correct. But what's interesting is I learned, for example, because we have whitehouse.gov, and whitehouse.gov is not connected, like, to anything. Like, there's not, like, hey, the President's secret briefing is just right behind whitehouse.gov. Like, it's really just meant to be sort of here's where the executive orders are, and, like, hey, look at President Bush's dogs, Barney and Ms. Beasley, and watch Barney run around the White House. One of the favorite videos of my kids was Barney at Christmas time, watching things get decorated and running around with a little Barney cam on. Probably the Payton household was, like, the biggest consumer of the Barney video. But the President's dog. And it's really meant for that. But for whatever reason, if there was, like, a visiting head of state from another country who had a beef with somebody else, or different things that were going on, we would sometimes, according to our vendors and routers and our own monitoring, be the most attacked website in the world on certain days. Now, if the website goes down, it's incredibly embarrassing. But the website isn't, like, where people get money, and the website's not, like, it's not connected to classified systems or anything like that. But for whatever reason, that was a kind of a digital representation, public face, if you will, of the White House. So a vitally important page to not have commandeered and defaced, which was a very popular thing at that time. Let's take over this department agency's webpage and put, you know, long live or on or, you know, something like that. So those are, you know, some of the. A little bit of an inside ball without giving too much away of, you know, the types of things that you have to think about and deal with that shape my thinking when I work with companies and people today.
Guest
Thanks for tuning in. If you found this valuable, don't forget to hit that subscribe button so you never miss an episode. And if you want to dive deeper into this conversation, check out the links in the description to watch the full episode. See you in the next one.
Title: Lessons - Fixing Human Error in Cybersecurity | Theresa Payton - Former White House CIO
Host: Scott D. Clary
Guest: Theresa Payton, Former White House CIO
Release Date: March 30, 2025
In this enlightening episode of the Success Story Podcast, hosted by Scott D. Clary, Theresa Payton, the former Chief Information Officer (CIO) of the White House, joins the conversation to delve deep into the intricate relationship between human behavior and cybersecurity vulnerabilities. The discussion centers on how predictable human actions can be exploited by cybercriminals and explores innovative strategies to mitigate these risks.
Theresa Payton emphasizes that human behavior remains one of the most significant vulnerabilities in cybersecurity frameworks. She asserts that while technological defenses are crucial, the unpredictability and emotional responses of individuals can often bypass these systems.
Theresa Payton [02:08]: "It's about removing the routine out of our day-to-day activities so that it can't be guessed. That's really it."
Payton highlights that predictable patterns, such as complex passwords and two-factor authentication (2FA), although essential, often falter because they can be circumvented by sophisticated social engineering tactics.
The conversation delves into various social engineering tactics that cybercriminals employ to exploit human emotions and instincts. Payton shares personal anecdotes of attempted frauds, including spoofed emails and AI-driven phone scams that prey on individuals' vulnerabilities.
Theresa Payton [03:30]: "If you get a phone call from an AI voice claiming to be your brother, stressing you out to wire money, that's a million different types of fraud."
She underscores the ingenuity of fraudsters in layering technical defenses with psychological manipulation, making it increasingly challenging to rely solely on traditional security measures.
Payton introduces the concept of designing unexpected protocols as a robust defense against cyber threats. Drawing from her experience in the White House, she explains how unconventional security measures can outsmart attackers who rely on predictable patterns.
Theresa Payton [04:00]: "The best thing that stops the bad guys is designing something they didn't expect."
One such strategy discussed is the implementation of unique passphrases that are not easily guessable, adding an additional layer of security that goes beyond standard practices.
Drawing from her tenure as the White House CIO, Payton provides rare insights into the cyber threats faced by high-profile institutions. She recounts how nation-state actors primarily targeted the White House's public-facing website, not the classified systems, to disrupt its digital representation rather than breach sensitive information.
Theresa Payton [10:19]: "We would sometimes be the most attacked website in the world on certain days. It was about taking over our public face, not our classified systems."
This perspective sheds light on the importance of protecting not just sensitive data but also the integrity of public-facing platforms to maintain trust and credibility.
Throughout the episode, Payton shares actionable strategies to minimize human error in cybersecurity:
Passphrase Strategy: Creating passphrases that are unique and not easily guessable to prevent unauthorized access.
Theresa Payton [06:15]: "If you ask your family for a passphrase, it's not something a hacker could ever know."
Routine Disruption: Altering daily routines to make it difficult for attackers to predict behaviors and exploit patterns.
Theresa Payton [09:07]: "Make it simple. Remove the routine so it can't be guessed."
Training and Awareness: Regularly educating employees and individuals about the latest social engineering tactics and how to recognize them.
Unexpected Protocols: Implementing security measures that deviate from the norm to catch attackers off guard.
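The wire-transfer protocol Payton describes (proof of life on a video call is not enough; the approver must also give a passphrase nobody outside the team would know) can be written down as a small approval check. The example below is added here and is not code from the episode or from Payton; it assumes a hypothetical approver directory where each approver has a phone number on file and a salted passphrase hash, and it treats a request as approved only when the employee has called back the directory number and the passphrase matches. A deepfaked video call, a callback to a number supplied in the request, or a wrong passphrase are each rejected with a reason the employee can act on.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical approver record: the callback number comes from this
# directory entry, never from the request or the caller.
@dataclass
class Approver:
    name: str
    directory_phone: str
    salt: bytes
    passphrase_hash: bytes

PBKDF2_ROUNDS = 100_000  # slows offline guessing if the store leaks

def enroll(name: str, directory_phone: str, passphrase: str) -> Approver:
    """Store the passphrase as a salted PBKDF2 hash, not in clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return Approver(name, directory_phone, salt, digest)

def passphrase_ok(approver: Approver, candidate: str) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), approver.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, approver.passphrase_hash)

def approve_wire(approver: Approver, channel: str, callback_number: str,
                 passphrase: str) -> tuple[bool, str]:
    """Apply the unexpected protocol: only a callback the employee initiated
    to the directory number, carrying the passphrase, approves a wire."""
    if channel != "callback":
        return False, f"approval over {channel} is not trusted; call back on the directory number"
    if callback_number != approver.directory_phone:
        return False, "callback number does not match the directory entry"
    if not passphrase_ok(approver, passphrase):
        return False, "passphrase mismatch; escalate, do not send"
    return True, "approved"

def demo() -> list[tuple[bool, str]]:
    """Constructed scenarios: a CFO enrolled with a deliberately silly passphrase."""
    cfo = enroll("CFO", "+1-555-0100", "purple giraffe tuesday")
    return [
        # Convincing video call, but approval was requested in-band: rejected.
        approve_wire(cfo, "video_call", "+1-555-0100", "purple giraffe tuesday"),
        # Callback to a number the requester supplied instead of the directory: rejected.
        approve_wire(cfo, "callback", "+1-555-0199", "purple giraffe tuesday"),
        # Right number, wrong passphrase: rejected.
        approve_wire(cfo, "callback", "+1-555-0100", "purple elephant tuesday"),
        # Directory callback plus the passphrase: approved.
        approve_wire(cfo, "callback", "+1-555-0100", "purple giraffe tuesday"),
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "REJECTED", "-", reason)
```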
Theresa Payton concludes that while technological advancements in cybersecurity are vital, addressing the human element is equally crucial. By understanding and anticipating human behavior, organizations can develop more resilient security frameworks that are less susceptible to manipulation and exploitation.
Theresa Payton [09:09]: "It's not about strong passwords alone; it's about the context in which they're used and ensuring they're part of a broader, unexpected security strategy."
Scott D. Clary wraps up the episode by reiterating the importance of integrating these insights into both personal and professional cybersecurity practices to foster a more secure digital environment.
This episode serves as a crucial reminder that in the realm of cybersecurity, addressing human behavior is as important as deploying advanced technological defenses. Theresa Payton's insights provide valuable lessons for business professionals, entrepreneurs, and anyone interested in strengthening their cybersecurity posture against evolving threats.