Transcript
Mike Matchett: Hi Mike Matchett Small World Big Data and we are here still following up on RSAC. There are a lot of people we still need to talk to get their stories in, because there's a lot happening in the cybersecurity space we've got. TrustMi here today we're going to talk a little bit about some of the big trends we saw at Rsac 2025, including AI, the convergence of security silos, and really, how do you bring that all together and use the powers of like, say, AI for good? So hold on just a second. Hey, Michael, welcome to our show. Welcome. Thanks for having me. All right. Uh, before we get too much into the stories of cybersecurity, just give me the high level. Give our audience a high level of what? TrustMi.ai is all about. Just put us on the landscape here. Michael Scott, Chief Marketing Officer: Sure. TrustMi.ai Is all about eliminating cybersecurity. Costliest problem that exploits human trust versus socially engineered fraud. Mike Matchett: Social engineering fraud. So it's not it's not ransomware we were talking about earlier. You're you have this position that it's getting phished and being and being defrauded. That's the bigger thing. Uh, how do those two problems compare? Because all we hear about in the news a lot really, is ransomware one. Michael Scott, Chief Marketing Officer: Well, you know, I look at some, you know, industry experts and, you know, reliable sources like the FBI, right? They reported in their IC3 report, it's about a $50 million problem. Ransomware. Um, that's dwarfed by BK, which is about a $3 billion problem. And BK is just a small portion of a much larger, uh, attack umbrella known as socially engineered payment fraud, uh, which is estimated by the Nasdaq. Uh, and a crime report that they published just late last year, uh, to be over 100 billion. Mike Matchett: All right. So I'm just I'm going to I'm just going to ask you this. Lots of cybersecurity vendors. There's lots of point tools talking about how to prepare and keep your people from being fished. Lots of tools talking about how to lock down your email and do email security. Uh, why did TrustMi look at this and say, hey, there's room for yet a better solution. Michael Scott, Chief Marketing Officer: Well, I think, you know, at the at the end of the day, like, we really wanted to create a product that focused on solving this problem and focus on really getting into what bad actors were after. The reality is, bad actors are not after just compromising your email. They're not interested in just phishing credentials. Don't get me wrong, Mike. Those are a means to an end. But ultimately they're after your organization's money. And yes, things like IP and data, but ultimately still, in most cases, they want to get to your organization's dollars and get away with that as quickly as possible and with as much as possible. Mike Matchett: And so it's all it's all about the money. Keep your eyes on the money. Right. Keep your eyes on the where. Show me the money here. Okay, so we're talking about social fraud. Talking about preventing social engineering from really looking at the cyber fraud, the the financial aspect of this. One of the big trends at the big themes at the shows this year was about AI in cybersecurity. We heard a lot about bad actors using AI to help do social engineering. How are. How are you guys bringing AI onto the good side, onto the good team? Michael Scott, Chief Marketing Officer: Well, I you know, for us it's about analyzing nuanced signs of of bad, right? Um, traditional approaches look for more obvious signals, you know, like malicious links or things like that. For us, the way we want to leverage AI is less about just getting links, but scanning intent and understanding in in the context of a transaction or the context of a contract negotiation or the context of whatever the business process is or thing that's happening, leveraging AI to understand intent and and really what's going on here and what is this person trying to achieve? Um, to get, you know, one, two, three steps ahead of a bad actor who ultimately wants to get to the dollars and cents. Most organizations that leverage AI or even behavioral AI, it's really table stakes. Now for tools. Um, what we really want to do is add that contextual lens. So we understand in this situation, even if in 99% of cases, hey, this is normal, may not be good or bad. We want to make sure hey, but in this 1% of scenarios, does this change or does this action or does this verbiage or whatnot. Is it bad here? That's where we want to really bring our customers. True value is adding a layer of context, not just giving them another behavioral AI tool that they slap on top of email or whatever other surface area they're trying to protect. Mike Matchett: Right? So you're we're no longer in the game of setting thresholds or looking for an abnormality of something deviating from average. We got to now look at the bigger picture of that whole process of what's going on. Uh, and then saying in the context I'm assuming is what we're talking about, the context of the larger process. But to do that, you have to now have a broader a broader also look at the what's going on in the environment. You can't just look at email now. What. So what what does TrustMi l ook at how do you bring the multivariate and multimodal signals together? Michael Scott, Chief Marketing Officer: Sure, sure. No, no. Great question. So you know, TrustMi , sort of has a 3 prong approach, right. Like we we focus on depth of coverage, breadth of coverage and continuous data correlation to identify these threats. And you bring up a good point like it's bad actors, especially now in the generative AI age, they're they're not just targeting one, you know, one surface area or one system they're talking at all simultaneously. Um, so for us, like our approach in terms of breadth of coverage is we look to not just integrate with a single point solution like, say, your email to give you coverage there. We know the attackers are going after your IP. Why? Because that's where the money is being managed and distributed. They're going after your vendor management systems, your onboarding systems, your procurement tools. They're also going after your business processes to do folks within it. And there are nuances, signals that alone may not suffice for risk scoring with traditional tools. But if you were able to correlate that data across with that breadth of coverage approach and that financial contextual lens, you'd be able to uncover these hidden signs that, hey, that number on the invoice that was modified, actually, they were calling a bad actor and they were deepfaked or, hey, that bank account that they are that they are saying is their new one. Hey, it actually belongs to a lookalike company with a recently registered domain that actually isn't belong to Acme, this company, Acme or what have you. Mike Matchett: One of the interesting things I was just talking to you. You know, one of the interesting themes that we looked at again this year at the show was this idea that your, your if you're an organization, your vulnerability, Your perimeter, so to speak, for being hacked is no longer just your organization. It's your supply chain of vendors both up and downstream. This sounds like we're talking exactly about that, because it's financial transactions between you and your clients or your vendors, right. So this is just like at the heart of what that means to be in a supply chain. Um, can you tell us a little bit then about, you know, what you're seeing in sort of this idea of having to take security and extend it out to the supply chain that you have? Michael Scott, Chief Marketing Officer: Yeah, absolutely. I mean, ultimately, you know, most organizations, you see, like fortune 100, you know, fortune 1000, global, global 2000, their security at this point is is pretty robust. Their security posture. Uh, and it's pretty broad. Uh, the, the challenges though, um, typically where they end up with losses, whether it's IP, whether it's, uh, financial losses is because a vendor is compromised, uh, duped or being impersonated. Um, you know, I'll give you a quick use case. We saw and observed a tack that was worth, uh, well over $1 million. That was one click, one signature away. It didn't start inside their organization. It was a vendor email compromise attack where bad actor compromised their vendor. Uh, this fortune 100 companies vendor was able to bypass their email security, got into their cfo's account, made changes to an existing email chain, a invoice that, uh, that aforementioned, you know, one, it was actually $1.23 million invoice main modifications and also simultaneously duped their bank. Uh, they got, uh, internal documents, uh, created, uh, some, some fraudulent changes, uh, duped the bank into creating an account for them. They package that up in a bank wire transfer request, drop that into that same email chain, instructed the accounts payable team to send it to their customer. And they did all their normal controls. They had two of the number one email security providers, but because it was coming from a trusted source, didn't have obvious signs of fraud. It was able to bypass them, even was able to bypass their callback procedures, their financial controls, uh, because unbeknownst to them, they call the bad actor, right? The invoice is modified, contact details, even the supplier site, they create a lookalike, uh, link in site. That was, if you looked at it just really quickly, it looked like their legitimate page. And they did like another control called a bank account validation. And because the bank was duped, they did a, you know, a penny drop test validate. It was real. Uh, what they didn't validate was who who had actually belonged to, um, and it got all the way to the payment batch, which obviously means, yeah, it's one click, one signature away. So again, these traditional tools, traditional approaches, uh, you know, just aren't sufficient. And unfortunately for organizations who already are budget constrained, who are already, um, you know, resource constrained in terms of headcount, have this whole gigantic attack surface area outside the organization. Um, that's coming from them. They don't know which vendor could potentially be compromised or not. So yeah, the reality is that's that's sort of the new frontier where bad actors understand, you know, especially with generative AI now and be able to do deep research, quick research on relationships, who at these accounts actually manage things, who would manage these accounts. It's very easy for them to launch sophisticated attacks on behalf or unbeknownst to the vendors that you work with. Um, which which obviously causes some, some issues, uh, because it's it's not your security that's necessarily being, you know, compromised. It's it's theirs. Mike Matchett: It's theirs. Yeah. I mean, this is really highlighting, you know, how far zero trust principles have to be taken, right? You just really cannot even trust your trusted trust your trusted partners anymore, right? It's just you never. You just have to every time be looking at this. Uh, so there's there's a lot more to talk about here. We've touched on a couple of the main themes that that I saw this year at Rsac. You guys are starting to embody all those themes, and there's a few more we could get into at some later point. Uh, but, uh, this is, I think, uh, gives people a first idea of what we're talking about. And, um, maybe you could just tell people if they're interested in looking at, TrustMi , and taking a deeper look at how do I how do they prevent social engineering, particularly in these financial or fraud contexts? Uh, where would you where would you recommend they start? Michael Scott, Chief Marketing Officer: Yeah. I mean, if you want to talk to, trust me, uh, feel free to either reach out to me on LinkedIn or go to, uh, TrustMi, www.TrustMi.ai. In terms of solving these problems, like, you know, as you look at vendors, even if it's TrustMi , you know, it is important to understand that, again, traditional behavioral AI and AI tools are table stakes. Now everybody does it. And by the way, bad actors are doing it. It's it's super important that, you know, with behavioral AI and AI in general, uh, as a security measure, as you start your process is understand what vendors can contextualize different processes and scenarios, uh, with that behavior. Because again, if you analyze behavior over 100 different scenarios, but are not looking at context. If that behavior is okay and 98, 97, 99% of the time, but that 1% of the time with this context, it's bad. Your traditional security tools will miss it because that is a traditionally normal thing. If even if it's a change like a PDF being modified, a PDF being modified 99% of the time is not an issue, unless in that 1% of time it's relating to a transaction than it is. You need that depth of coverage and that contextual lens, whether it's contract negotiations, financial transactions. As you also look at AI. You need to understand breadth of coverage. Bad actors are not focusing on a single silo. They're looking for the nooks and crannies, the gaps in between those systems coverage to get to your organization. So you need to be able to extend that coverage with that contextual layering on top of it beyond a single surface area. And then finally, you need tools, whether it's TrustMi or another similar tool to be able to correlate those data signals because they are more and more nuanced. Again, bad actors have the ability to very easily do deep research online, both on the web and dark web, to understand business relationships, business contacts, um, and really put together these heavily sophisticated threats. So you need those three layers of AI coverage, uh, or types of coverage to really, uh, eliminate these threats. Um, and as you evaluate vendors, I would definitely press them on, uh, what type of behavioral AI they have? Not that they just have it. Mike Matchett: Yeah. It's important to keep your eye on where the actual problem is. Uh, thank you so much for being here today, Michael. Uh, and, uh, that's, TrustMi with MI. TrustMi.ai. Check it out. Take care folks.
