Truth in IT
KnowBe4: Managing Human Risk in an AI-Driven Threat Landscape

KnowBe4
04/29/2026
Transcript


Gonna be talking a little bit today about managing human risk in an AI-driven threat landscape. Now, you know, AI has absolutely taken off. It's a very, very popular subject at this point. And quite frankly, everywhere that I speak, it's just like one AI talk after another, after another. And that's great, but not all of them, as a matter of fact, sadly, very few of them actually show you how this is working on the human side of things and dealing with human risk when it comes to this. And I decided I wanted to go ahead and talk about that a little bit, because, you know, one of the things that I think we realize and have realized for a number of years now, but is often forgotten around cool, shiny new objects, is the fact that humans tend to be our most targeted resources within our organization. And because of that, they end up being the number one initial network access way that bad actors are getting in, right? So I think it's important to understand how the AI thing is impacting those attacks that are going after your people. Yeah, they're doing some crazy coding, they're being used in ransomware, they're doing all that, but they're also being used heavily, especially on the social engineering side. So we're gonna talk a little bit about that. Now, my name is Erich Kron, I'm a CISO advisor here at KnowBe4. I've been here over nine years now, which is just crazy. I love it. I've worked for KnowBe4 for this long because I really believe in the human factor. Now I'm a geek, I'm a nerd, I have little single-board computers on my desk here. Like I love technology, and I've probably never been happier than those times when I'm in a data center, in a server room somewhere, just sitting there with the sounds of fans and no people around. But I had to realize during my career how important it was to deal with the people problem because it was the one thing that kept getting exploited over and over again. 
And technology is fantastic, does a great job blocking things getting there and helping if something goes wrong, but we can't ignore that middle part, right? And the human is where it pivots from being proactive, our controls are proactive, keeping things from getting there, to reactive, which is reacting to when things go wrong. But we've talked a lot in the past about things like security awareness training, which is an important thing, but the fact is security awareness training isn't everything. We need to have more of a holistic human risk look in our organizations, and a whole human risk management process needs to be around that. So we're not just talking about teaching people how to spot phishing, we're not just talking about that, we're talking about credentials and why it's important not to reuse credentials or use bad credentials. Like that kind of stuff is important to make sure people understand the why behind the things we ask them to do. Because if you think about it, if you tell a person that for years has been logging onto their computer and doing their work every day that all of a sudden now they have to log into their computer and then they have to get out their phone and they have to open up an app and they have to get a code from that app, which is of course gonna reset time-wise, and go through all this trouble and add these extra steps and friction, and they don't understand why that's actually important to do, they may be a little resentful and frankly, they're gonna try to look for workarounds. So it's important to deal with that and give people the reasons why a whole lot more. Now again, I've been in IT and security since back in the 1990s and wow, it's really changed over the years, but we've got better defenses, but the offenses are also good. So what we're gonna talk about today is some of these things on the agenda here, right? How bad actors manipulate behavior. What about AI? Like how does this play into things? 
And then we're gonna talk about defending against the attacks. So let's start with how cyber criminals manipulate behavior. Well, again, I mentioned before, humans are the target, they're the primary targets of cyber criminals for the most part. I mean, there's your typical, usual, just whatever going on scanning things or you know what I mean? Like that stuff, but that doesn't really count. I mean, people are the lead way that bad actors are getting in the network and we do see that time and time again. Sometimes it's phishing, sometimes it's not securing data or misconfiguring permissions. I mean, let's think about this, right? How many times have people downloaded data from your organization in an effort to do their job? They're not trying to do anything malicious or do anything wrong. They deal with that data, that spreadsheet, whatever it is, it's relatively, you know, maybe a little bit sensitive, but they do that and then they forget that that file's on that workstation. So what happens? Well, eventually something happens and that workstation gets compromised and lo and behold, these people have that data. That's just a mentality. That's a thought process that the humans don't realize how important it is to clean up after themselves. That's just one example, but kind of my point when it comes to securing of data, and I mean, we've all seen the Amazon S3 buckets get left unsecured, right? Over and over and over again, that was going on for years. That's accidental a lot of times too. And why does that happen though? Well, I think the stress level on people is way, way up. We're expected to do more with less faster. And unfortunately, that's really putting the pressure on employees and it's fine to, you know, want employees to work hard, but you know, we mix this stuff up with finances and stuff at home and like personal lives and all that stuff that's going on these days. 
It's no wonder with all this stress on people that sometimes things go wrong, bad decisions are made. People don't think something through. And one of the big misnomers that I hear and have heard throughout my career kind of comes around to that, you know, humans are the weakest link part. And I hate that, I hate that phrase. I don't like to state it that way at all. Humans are just humans. We're here to do what we're doing and we're here to generally not be cybersecurity experts. I mean, some of us are certainly, but we hire accountants to do accounting, right? They're not hired because they're cyber experts. That's kind of our role as the experts to help them understand things, come alongside them and help them make better security decisions every day. That I think is what our role is really important for. Now, a few years ago, this guy wrote a book. It's a guy named Sun Tzu. He wrote this book called Art of War. I think it's been printed a couple of times, I'm not sure. But in that, he says this, all warfare is based on deception. And that's incredibly true. Now, deception is a key part of this. And the word warfare though is probably one that's a, I don't know, it can be a little harder to swallow here, but let's think about this. When it comes to cybercrime, Bloomberg had an article and in that article, they showed that if you took all of the proceeds from cybercrime and you made it into a GDP, a gross domestic profit and treated it like a country's gross domestic profit, it would be number three on the planet behind the US and China. Now, that's pretty significant. I mean, we're talking about a lot of money here when we're talking about GDPs like that. So what does that mean? Well, it means the attackers are well-funded. They have money to do things like search engine optimization, things like that. Like there is actual money out there for them to invest in these attacks to generate more money. 
The other thing that it really drives home is the fact that, well, these gangsters, these groups, these attackers, they run their thing like a business. They have to, when you're talking about that kind of money, this is not loosey-goosey type stuff. They have to run it as a business. So they know what they're doing. They have smart people. They know psychology. They know how to deceive people. And the root of deception really comes back to just how we're wired as humans. We're super smart. We really are. We're amazing. I mean, you think AI is smart these days, but honestly, it's not. It's a prediction machine. It's statistically what are the next words that should follow this, right? It feels smart, but it's really, really not. Our minds though are amazing. Our brains are incredible. And one thing they do that a lot of people don't realize or think about is our brains filter, interpret and present reality. Now, I don't have a lot of time to get into it in this particular talk, but if you look into it, there's a TV series out there called Brain Games. And I gotta tell you, it will show you how many places our brains actually plug in things and fill gaps for us. And it's easy to manipulate that. Very easy to manipulate that. So check it out, Brain Games. But just know that it's the way we're wired. We're physically wired this way. It's the way our brains work. We filter, interpret and present reality. Well, that interpretation, those filters and the presentation of reality can get tweaked. And it's really hard to tell these days what's real anymore. I mean, this picture is clearly of me. No doubt about it. I mean, come on. I work out like once a year, whether I need to or not. And usually by accident in an airport because I'm about to miss a plane, right? That's why I have to run to the next gate. But no, seriously, folks, like we don't know anymore what we can and can't believe. And here's where it gets really ugly. 
If we're already kind of prepared to believe something, AI is being used to reinforce those biases. So think about this. You think it's an executive calling you because that's what caller ID says. And then you get on the phone and it sounds sort of like them, but maybe there's something else going on. They're like, hey, I'm in a busy subway or airport or something like that. Okay, cool. Well, I see this. The caller ID says it's a CEO, right? And it almost sounds like them. We tend to forgive those sorts of things because we're already prepared to believe that. Now, the fact is too, these sorts of things are easy to create. These manipulations, these deep fakes, these things like that. After the LA protests and the Air India crash, these things were circulating like that afternoon. There were supposedly videos of people getting on the plane like, hey, here's my family getting on the plane, right? Well, how many times, now I've traveled for nine years on the road a lot, okay? And I had a job before that I flew every single day of the week, different places, fixing cancer diagnostics equipment. I have never seen people stop at the entrance to the airplane and do selfies with each family member as they get on the plane, right? That is not a realistic thing. But it was being sent out after the Air India plane crash almost immediately. To get clicks, to drive people there, to get engagement because people get paid to do that. Now, that's not necessarily a cyber crime thing there, but you see how quickly these tools can move and how fast and easy it is for people to create this kind of stuff these days. So we've got to be on our toes all the time. Now, deep fakes and stuff are definitely a problem. I don't think it's one of these things we need to, and we'll talk about this. We don't need to be afraid of everything, but we need to be aware of them, okay? What does concern me is the efficiencies that bad actors are picking up through AI. 
And when I say that, when I talk about efficiencies, I'm talking about like data gathering. I'm talking about things like this. And if you haven't heard of it, OSINT stands for Open Source Intelligence. And this is the information about us out there that's publicly available, okay? So it could be grabbed from your county or state or whatever's website sometimes, like property ownership, things like that, some of those kinds of property tax records. There's info we have out there on us from social media, just things like that. Like that information is out there, it's publicly available. Generally speaking, it would be used against things like executives and in whaling and things like that, where they're really going after a targeted attack for somebody, because it takes a lot of time to put these things together. And unfortunately, what's happening these days is with AI, that can be done much quicker. So what's happening is even the lower level employees are being targeted with things that are a lot more focused on them individually. So they may know their hobbies, they may know some stuff. And I always joke that with the way these AI tools are working these days, we can build a dossier on a person that honestly the CIA would have been super proud of like 20 years ago. That would have been like a really cool thing for the CIA, but they can generate it in maybe an hour or so, or less, these days. And that's what's scary. So they build a pretext. A pretext is the idea behind the attack. In other words, I know somebody is really, really big into animal rescue, for example. Well, my pretext may be I'm with the Humane Society or I'm with the No Kill Shelter, or I'm with something like that, that's going to tug at their heartstrings. And this stuff here is absolutely things that can be used against you. And it's being made so much easier through AI. Now, we got to understand what they're after. And ultimately, the TLDR on this is it's money. 
It's almost always money. Now, they'll get money different ways. They may steal intellectual property. They may steal some information to sell. They may try to get people to wire money or run some malware, like some ransomware, things like that. This is their sole target. This is what they're after, but they get it through different things. Now, that's not to say that every attacker is like this. There are some nation states out there, but frankly, most of us are not going to have to worry too much about nation states that want to come in and mess with us. Now, if we're in a critical infrastructure role or something like that, we absolutely need to have concerns about that. But your typical small business is not going to see the kind of chaos attacks that you would expect from a nation state. Now, of course, ransomware is a chaos attack, but it's not quite the same because the goal is making money. And unfortunately, they're making a lot of it. Last I saw, it was like 2.7 million, I think, was the average ransom payment, I think, in 2024. That's crazy. That's insane these days. So, what it is also being used for, though, is on an individual level, things like catfishing. And I thought this picture was interesting because what you have is you have an AI model that is replicating the facial expressions from the individual there. And you can make some realistic stuff. If you've ever known anybody get involved in a romance scam, man, this stuff here is dangerous when you see stuff like this. Now, they're being used all the time, these deep fakes, this kind of stuff like that. And they're not just being used by criminals. There's been a couple of times now that individuals... There was a teacher, I think he was an athletic director, that was getting canned and was mad at the principal. So, what did they do? Well, they ended up creating a deep fake of this person saying horrible things. I may talk about that a little later if we have time for it. 
But this kind of stuff is even happening on individual levels. This isn't like rocket science these days. Now, it's changing how we go about our daily tasks. And I always like to say, this is like when the internet first came on the scene and it changed how we fundamentally work as individuals, how we live our lives, how we do all of that. And AI is absolutely going to fundamentally change how we do things. But that doesn't mean we should be afraid of it. It's going to be very helpful for us. Things will adjust. I promise you they will. Now, the thing is, it's a tool for good. It does some really cool stuff. You can do a lot with AI. But like any good tool, you can expect it's going to be misused. It just happens. So, I want to look real quickly at some of these common attacks that we see. And let's talk a little bit about how AI is going to play into them. We've got the ishings. And the ishings come there because we're so clever, right? We started with phishing, which of course was email-based attacks. I'm reasonably convinced the second email ever went out on the internet was a phishing email. But then we realized they're calling people. So, what do we call that? We called it vishing, phone or voice phishing, right? See how clever that is? Voice phishing. And then there's smishing, which is SMS or text message phishing. Again, super clever with that. And the final, my least favorite word I think I've ever heard, quishing. I mean, come on, guys. At this point, we need to come up with something better. But those are QR code-based attacks. Now, the thing is, these can be used together to make them more effective. Like I've seen situations where somebody gets a phishing email and it's followed by a text message that looks like it's from the same person saying, I just sent you a critical email. I need you to take care of this now. Well, that can help lower people's defenses. So, we got to be careful with stuff like that. I've absolutely seen that going on. 
But they can be combined to do stuff like that. Now, when we talk about phishing, again, long favorite of attackers, right? Now, email filters are fantastic. I love it. We have an email filter that I really, really, really love here at KnowBe4. And they'll stop so much. I mean, there's 6.4 billion fake emails that go out every day. So, the filters, they can't stop everything or work stops because we start blocking the good ones. But the good ones now, they let about 3% to 5% through, which is amazing that they catch that many of them. The side effect of it though, is most of the time, that means that that percentage that's getting through is actually higher quality. So, people who are receiving them really need to be able to defend against them better. Now, the problem or one of the problems I see is we're seeing AI generating a lot more traffic, especially in the polymorphic side where not every email is the same. They all change it up a little bit trying to get around email filters. I mean, that's why good email filters look at things like context. What is an action that's in this email? What's it asking you to do? I think that's a great way about going at it. And like I said, if you don't know here at KnowBe4, we are absolutely in that space as well. So, we'd love to tell you a little bit more about that. Now, the thing about the phishing though, and them using AI to generate phishing emails, it is a problem. This was done by X-Force. It's an IBM team that does penetration testing and stuff. And here's what's interesting. Their average phishing click rate was 18% on the simulated ones that X-Force does. They had AI put it together, it was 11% in green there. Now, you're thinking, well, it's way better to do it by hand. Yeah, it absolutely is. The difference is to get to that 18% click rate, it took them 16 hours to craft that email. And the AI one did it in five minutes. That's how much more efficient it was. And that's crazy. That's really crazy. 
So, if you think about that, yeah, are you willing to give up 7% of a click rate knowing that they may have hundreds of employees to target? Are you willing to give up 7% for the savings of time like that? I think most bad actors are. And that's an important thing to understand. Remember, they run like a business. Time is money for them as well. Okay. So, the next thing is vishing. Now, vishing is becoming really popular with cyber criminals because it works very well. For whatever reason, if it's done correctly, people don't have their guard up against it nearly as much as they do simple phishing. Maybe because it's a little bit less common. Now, yeah, we do get those phone calls that are like, hey, this is the IRS and you owe us money, you got to pay us in gift cards. Yeah, those are definitely out there. But when I'm talking about vishing, I'm worried about the really targeted stuff. I'm worried about the stuff like what's happened a couple of times in the news stories that we've been seeing where attackers essentially get in and they socially engineer help desks, do some things like that. This is where it's really starting to get dangerous, or it's a very targeted call that sounds like an executive or a leader who's asking you to take an action. Okay. Vishing is on the rise. It's something that we're going to see much, much more of. And the AI use cases in this, what AI is going to be used for, is many times the voice changing, right? That's a key thing. It sounds like somebody you know. They can also use it to maybe add or remove accents. I've even seen vishing done where it was tied to some other tools, such as an AI-driven chat bot for support, and actually ran full-on vishing scams without a person ever touching anything beyond the go button. It's amazing. And it's not very expensive to do. Now, some of the scary stuff at home, we're seeing things like we've kidnapped your family member. Now that's a scary one. And it's really happening out there. 
So they'll get a person's voice off Instagram or YouTube or something like one of the kids' TikTok or any of that. And then they'll say, oh, well, we've abducted such and such. And you hear them in the background saying, help me, help me, help me. That's scary. That's terrifying for people. But that's going on out there. And it's something we have to worry about with the AI. Now, smishing, of course, the text messages. These have been around for a while here. I always think these are interesting ones like, hey, or if you have time tomorrow. These are actually off my phone. Those are designed to get you to communicate with them. And if you're on an iPhone with iMessage, it'll actually lower the protections once you engage in a conversation with an individual through iMessage. So that's what they're trying to do is engage you like that. Now, AI is very much like phishing in these ones. It's just a different medium for the distribution. It can be used to generate those messages. It can do translations, which are fantastic. And it can build that profile on people. It can also be used much like the phishing ones where you have a chatbot on the back end that initiates the conversation. Then once you get to a certain hook point, they'll hand it off to a human to continue the scam that way. So it becomes much more efficient for those people. Now, QR code phishing or quishing. I hate that word. I just don't like that word. Getting more and more popular. It's a little bit more limited where it's being used. But of course, we're definitely seeing this stuff out here. And here's an example of it. Parking meters. We see this all the time where people are doing it on parking meters, bad actors go out, they redirect somebody to a fake parking payment site, and then steal their credit card information when the people use that. It's bad news. And the AI is being used to generate those parking websites quickly. 
They'll monitor, they'll see when a takedown notice has taken one down, they'll automatically spin one up, update some DNS records and redirect attacks now to wherever the new site is hosted. So yeah, this is kind of ugly. It's kind of crazy how this is being used. Now, let's talk a little bit more in depth about AI and some of the big stuff we've seen happen. Like deep fakes. I mentioned, I think deep fakes are definitely something to be aware of. But ultimately, if you understand the scam behind them, it really doesn't matter as much what the lure is. Now, this was a very tricky thing that was done. Live deep fakes are still a problem with... They get glitchy. We're not there yet. Anytime now, we will be, but we're not there yet. So what they did here is they actually scripted this entire attack. Top to bottom, they scripted this entire attack. And an individual, there was one individual on here that was not actually an AI-scripted and recorded person. And they just kind of sat in the background, listened to these executives talk about this $25 million they needed to transfer. They ended the call a little abruptly and early, and then reached out to the person and said, Hey, you heard us talking about it. We're not going to spin up the Zoom meeting again. Just let's take care of that 25 million I heard us talk about. And they did. They wired out $25 million due to a Zoom call. And that's crazy. What do you do about that? How do you trust that? Well, I think there should be policies in place. And we'll talk about that in a minute. Another one that was interesting to me is the Qantas attack here. Now we're wondering, we don't know for sure. I don't think there's been confirmed, at least last I checked it wasn't, if AI was used here, but it is very possible. This was done by Scattered Spider, which has been involved in a lot of interesting things. They do a lot on the vishing side of things. 
And one of the reasons they're very successful is they have a very Western accent. So they're Canadian, they're US, they're maybe even British. And people tend to be, for whatever reason, trusting there. Well, what they did here is they called up and said, hey, I'm such and such, and my phone got wrecked or whatever, I got a new phone. I can't get into my email, can't get my passwords or anything, I need help. And they were like, okay, cool. So they walked through some things, they got the passwords and the email and stuff set up on the phone, essentially, like they were getting everything lined up. And then they were like, oh, my MFA doesn't work because that was all tied to my old phone. And the person there in the help desk was like, yeah, no problem, we'll fix you up, and they got the MFA. The problem is it wasn't that individual that the guy thought he was talking to. So they basically gave this account to somebody through a phone call that was done purporting to be a user in trouble. We wanna be helpful, especially on help desk and things like that. Unfortunately, it caused a major deal. Now, we don't know for sure it was an AI-generated voice. If it was, I almost feel like it would have been used to add an Australian accent, but I'm not 100% sure on that. It's just one way that it could be used, but something to think about. I mean, these are coming in through help desks. Okay, over here in the US, we also saw Marco Rubio getting faked through a fake Signal account. And what they did is they were essentially like leaving voicemails with his voice on things, saying, hey, I need you to contact us back. And they were gonna probably talk about some sensitive government things. Pretty interesting way of doing that. Cloning his voice, leaving a message saying, hey, I tried to call you, just message me back. I wanna talk about some things. Think about it, that's pretty sneaky, right? I mentioned this one earlier, and I still think this is crazy. 
So former athletic director gets four months in a deepfake case, just an individual. I mean, we're talking about a high school PE teacher, basically, in Baltimore, heard his contract wasn't being renewed, got mad at the principal, made a deepfake of him saying all kinds of terrible things, and then spread the video throughout the community. Of course, the pushback for that principal was huge, all kinds of problems with that. But it turned out it was all deepfake, it was AI-driven, and it came out. But here's the thing, once this damage is done, it's never gonna be completely cleaned up. It's just not. People are always gonna be thinking in the back of their mind, or they're gonna remember this person because of that. And again, these are normal people. We're not talking nation state actors. We're not talking big deals. We're talking about a PE teacher, basically. In summary, things to think about with AI. It can be used for those deepfake videos, audio, and photos, and it can absolutely be used to reconfirm or confirm our preexisting biases. Again, if we're already leaning towards believing something, seeing even a bad picture of it, that's probably gonna convince us more. I mean, how many people out there still think Bigfoot exists, or Nessie, or whatever, right? Just because of one or two blurry photos, and they're willing to believe based on that. Now, yeah, deepfakes, you know what I'm saying there. Of course, if you do believe in Bigfoot or any of those, I'm not making fun of you at all. You can believe what you wanna believe, but you get the idea. So AI can be used for better translations, and what's important to me here is it's also being used for localizations. What does that mean? It means like, for example, I was in Germany last year. I was in Germany with my dad. He was born and raised in Nuremberg. That's parts of Bavaria, and I gotta be honest with you. I mean, I'm an American. I'm sheltered. 
I didn't realize all of the different dialects of German that run around the country. I had been there with a friend. We were at one of the Christkindlmarkts around Christmas time, and one of the cups that we got for a drink inside had something written in German. I said, hey, what does this say? He said, I have no idea, and his girlfriend, who is a native German, she looked at it and said, no idea, that's a Bavarian dialect, and I was like, what do you mean? Like, you were born and raised here in Germany, and it's so different in some of these areas that it's kind of hard to believe. Well, what's interesting with the AI is it's very easy to take, and let's say I wanna attack somebody in Nuremberg. I'm a bad actor. This is my idea. I'm like, okay, gonna go attack this person. I may not do it in your typical High German, like the standard German that we hear about. It would be much more effective if I sound like I'm another Bavarian and have it regionalize that to a Bavarian dialect of German, and that's going to help comfort the other person a little bit more, right? It's like, oh, okay, fellow Bavarian, we're all friends here. Well, that's the stuff that scares me a little bit there, is when we're doing the more regionalized stuff, especially when we're talking about things that may be mimicking a boss's voice, someone you work for, an executive, or something like that. It can sound really, really out of place if that regional dialect isn't there. Now, I also think, and we didn't really talk about this too much already, but something to remember that I try to throw in every AI talk I do is we gotta be careful, and we have to help people understand when we're uploading things to AI to be examined, documents, et cetera, et cetera, we have to remember that's someone else's computers. And for a lot of people, they don't really understand necessarily how AI works and that that information can go into a pool of learning that can be, and has been, extracted. 
Well, it gets really ugly if something like this happens, and it's, say, financials being released before publicly released on a publicly traded company. Those kinds of things can be really, really bad. And who's gonna get the fine? Not the AI, that's for sure, if somebody's able to pull that information out of there. So we gotta be super careful with what we put in AI because it's just someone else's computers. And then last but not least, don't trust AI results until you can verify them. There's been several cases now where AI hallucinates, it goes a little bit crazy, and people have used the output of AI without confirming it only to find out it was very, very wrong and completely made up. I mean, in one of the earlier versions of ChatGPT, I used to be able to ask it, how many of the letter R are in the word strawberries? And it would come back and tell you two. And it would argue with you. I even had it spell it back to me, and it spelled it back misspelled just to prove its point. Finally, after about the fifth iteration of going around with it, it said, oh, you're right. There are three R's in strawberry. I thought that was crazy. But man, it was ready to fight with me all day long and argue with me about that. Don't trust those results until you can verify them. One of the things that I tell people and I do myself is, I say, any facts that you're going to give me, make sure you have a reference for them with that fact so I can double check it. And that helps a lot. So what do we do about this? Like, what do we do about these attacks that are going on? Well, first of all, I love this saying, you can't patch human nature, but you can train people to recognize when it's being exploited. Apparently, I said that according to ChatGPT. Yes, I did a ChatGPT on myself. It came up with this great quote from me. And I don't specifically remember saying it, but I 100% agree with it. So we'll just go with it, right? 
What this is saying though, and what this does mean, I mean, really, we can't patch human nature. We can't change the fact that a high stress situation is going to make our heart rate go up. It's going to make things happen. It's going to make endorphins release. It's going to do things like this, okay? That's just, that's a physical wiring of us. Now we can learn to deal with that. We can learn to control it, and we can absolutely learn to recognize when it's happening or when it's being exploited. Now, where this comes into play is where bad actors use this fear, uncertainty, or doubt, pressure, that kind of stuff on people that puts us in the wrong state of mind. It scares us into a way that we make bad decisions. So understand that we can absolutely, as part of a human risk management program, we can train people to recognize when we're doing that. And one of the things I tell people all the time is, if you have a strong emotional reaction to a text message, a phone call, or an email, any of those things, if you have a strong emotional reaction to that, it doesn't mean it's a scam. It doesn't mean it's an attack, but it's certainly something we need to train ourselves to take a deep breath, step back, and look at more critically. Like that needs to be our trigger through training that we can recognize it being exploited and look at it to see if it is in fact an attack. It's what the simulated phishing is all about. Simulated phishing isn't designed to trick people. That's not the goal. It's not to make them feel bad. Simulated phishing is all about getting people to have a chance to practice. It's like when I was in the military, they taught us to do certain things over and over and over again until we could do it in our sleep. And that was the point. If we're under a high stress situation, a pipe burst or something like that on the ship, you need to be able to just jump in there and start doing it. 
A, you don't have time to stop and read the instruction manual on fixing a burst pipe. There's no way. And you need to be able to be reactive and have that muscle memory. That's what simulated phishing does for people. And again, it's not the only thing in a human risk management program, but it is a key portion that if you're not doing the simulated phishing, you really wanna think about doing that. Just remember, it's not about tricking people. It's about giving them a chance to practice. Now, things we can teach. We can teach people to pay attention to the request. Is it weird? Like, why would my boss ask me to go give a bunch of gift cards? Why would the IRS want me to go buy iTunes gift cards or buy some cryptocurrency for the sake of all that's good out there in order to keep me from going to jail, right? Is it weird? And if it is, we need to take a step back. We need to look at it super critically. We need to listen to our intuition and emotions. I can't tell you how many times in my career I've asked somebody, hey, so what happened here? And they're like, man, I got this thing and it kind of spooked me and it felt weird, but I didn't wanna get in trouble, so I went ahead and, right? And that I went ahead and is the part that the bad actors are going for. Listen to our intuition. We're smart. We realize this stuff and we talk ourselves out of it. We need to make sure there's policies in place to avoid scams and stuff. Like that $25 million one. Hey, tell you what, if I'm running a company like that and I need somebody to wire out 25 million bucks, I am very okay with them calling me or my executive assistant or something and saying, hey, sir, ma'am, I just wanted to confirm on a known good number that this was you making that request. And yes or no, right? You reply yes or no. Takes 20 seconds out of your day and could save $25 million or whatever the money is at that time, right? That would have stopped so many of these wire transfer scams throughout time. 
It's amazing. So don't forget your policies. Policies are a key part of managing human risk. Tells them what they should and shouldn't do and how to deal with things in certain situations and gives them some authority to say no to things. That's an important thing. Now, we wanna teach people how the scams work and the red flags around it, right? No, they don't need to understand everything about a URL or deciphering a URL or any of that, but you should be able to look at just that last little section and go, you know what? Why would Microsoft send me something from MyCoreSoft or Microsnift or whatever it is? You know what I'm saying? That's not hard. That doesn't require a technical degree. It's just a matter of learning what to look for quickly. Doesn't take much time either. Things to measure. Now, when you're looking at a human risk management program, you wanna measure some things. I think it's important to understand if people are finishing their training on time, and if not, why. It's important that if you say, hey, this is critical to the security of our organization and to your own security, because you can spot these scams out there in the wild, well, that's a very important thing. So if people aren't finishing the training, why not ask them? Maybe they don't like that style of training. Maybe what you're giving them is boring, or maybe they don't relate to it or something. They'll usually tell you, if you say, why did this stink? Why were you not interested in this? And what can we do better? I mean, if you're going to have to take the training anyways, let's at least make it fun, right? Ask them that stuff. And I mean, like, if you look at our platform, there are so many different ways to train people on our platform, like different styles, different, you know, from live action to gamification, to things like The Inside Man, which is an amazing series. 
If you haven't seen it, you want to check it out, but you want to look at that. Look at if they're finishing it on time. And if not, why not? You also want to look at if employees are reporting things like phishing or just ignoring them. Now I think something like the phish alert button or one of those is absolutely important in these organizations. And I think you should look at how long it takes people to reply or to report and whether or not they actually did report. There's a difference between reporting, which is an action that has to be taken, and ignoring an email, which is, I don't check my email anymore after Tuesday. Okay. Like there's a big difference between what's going on there. If people are actively taking an action to report those, you know, they're a lot more engaged than somebody that's just ignoring it. If they're not doing it, or if they're doing it very slowly, maybe you want to understand why a little bit more and start asking some questions. You want to look at: are people failing the simulated attacks? And if so, how fast do they click? It's not the most important metric like that. That click rate is not the most important metric you can have, but it does tell you some things and you can use it for trending very easily. It can help determine if people are paying attention or learning from training. I mean, if you do training on like not opening documents and clicking on documents, and then you shortly afterwards send a simulated phishing one with a document that they open, well, clearly they didn't pick up the stuff from training, vice versa. You can also actually look at the click rates and say, oh, well, nobody in our company ever clicks on these things that are like open a document. So don't bother giving them the training on that portion. They already got it right. Work on something else that they don't. 
And then if you have a risk score available in your HRM platform, which I highly recommend you look into one that does this, look at who tops it and why. Now, risk scores are not always generated just on whether people click or whatever, right? It can also be their roles within the organization. So like your executives, your CEO is already a bigger risk than the typical, you know, facilities manager or something like that, because they can use authority to move around money and stuff. Okay. Look at that risk score and see who tops it and why, and what you can get to kind of level that down and keep it pretty much level or reduced across the board. Now we've got to remember not to believe anything without checking. Deepfakes, all that stuff. It's here. We need to be really careful with this kind of stuff, but you know what? I don't expect Bob in accounting to be able to tell whether a video is a deepfake or not, like I'm not going to expect them to be able to tell me that. I have a hard time with it personally. I generate this kind of stuff all the time. I do a lot with gen AI and it's not always easy for me to tell what's real and what isn't until sometimes there's a glitch or something like that in there. So we just got to believe nothing and double check our sources on certain things. I think that's a key. So pay attention to those emotions and intuition, because we will pick up on things too that were like, eh, it seems a little weird. Understanding your emotions. If you have that strong emotional response, deep breath, we want to be in System 2 thinking. There's System 1 and System 2 thinking, by Daniel Kahneman. We want to be in that System 2 thinking, which is critical thinking, not System 1 thinking, which is a lot of times either the cruise control or the fight or flight stuff. We need to teach ourselves our response to a highly emotional situation is to calm down and think clearly. 
We want people to use unique and strong credentials. Now we have to give people the tools to do that. If you tell somebody that you need, you know, different passwords across the board, all of them, 15 characters, upper, lower, et cetera, et cetera. You know, can't use dictionary words. That's fantastic. How well do you think they're going to do with that? If we don't give them things like a password vault or something to be able to manage all that, right? So let's remember that it's critical. One of the things that people do, I mean, as part of human risk, they reuse passwords. Bad actors know this. There's a breach in one place. They use those credentials somewhere else where they steal them from somebody. And it's just over and over again. And then use MFA wherever you can. MFA is not a replacement for strong or unique passwords. It's not perfect. It's not going to stop everything. It's not going to end the bad actors. That's just not going to happen with MFA. It can only do so much. I mean, if you ask me, MFA is fantastic and wonderful, but come on, it's not Superman here. Okay. MFA will do a lot of good things and you want to MFA everything you can. I highly recommend you suggest to your employees and people, make sure their social media accounts have two-factor, multi-factor, two-step, whatever they call it on that particular platform. Tell them how important that is for them to have enabled on that. Then they have to have it at home too. It's not a big deal in the office, right? That kind of comes back also to the messaging being personal and relevant. Talk to people about that. Hey, somebody takes over your Facebook account. It seems like nothing to you, but we've seen it over and over again, where they start scamming friends and family using the trust they have of you in doing that. And that kind of gets people to go, Oh, I hadn't really thought about that. Well, this is why you want to protect that account with a good password and MFA. 
Still love MFA. Every chance I can get, MFA all the things. So that's all I got for slides today. If you want to connect on LinkedIn, this is a QR code, totally not a quishing link, I promise you. No, seriously, it's not. But you can connect with me on LinkedIn. I would love to chat about things a little bit. If you've got questions, comments, if there's something really cool you've seen, I would love to talk about that too, because man, this is moving fast. And I love to learn from others just as much as I love to share what I've learned as well. So thank you all for being here. I appreciate it. Hope you enjoyed it and hope you have a great rest of your day and week. Thanks.

TL;DR

  • AI has reduced phishing email creation time from 16 hours to 5 minutes while maintaining 11% click rates, enabling attackers to scale sophisticated social engineering campaigns with unprecedented efficiency.
  • Real-world deepfake attacks have resulted in losses like the $25 million Zoom heist, where scripted AI-generated executives convinced an employee to wire funds, demonstrating the tangible financial impact of AI-enhanced social engineering.
  • Attackers exploit cognitive biases and dual-process thinking by triggering emotional System 1 responses that bypass critical System 2 analysis, using multi-channel campaigns and psychological profiling to maximize effectiveness.
  • Effective defense requires holistic human risk management including verification policies for high-risk actions, employee training on scam mechanics, measurement of security behaviors, and providing tools like password managers and MFA.
  • Organizations must shift from viewing humans as the 'weakest link' to recognizing employees as essential defenders who need context, tools, and authority to make security decisions, with training that connects workplace security to personal protection.
  • Human risk metrics should track training completion, phishing report rates and speed, simulated attack performance, and role-based risk scores to identify vulnerabilities and measure program effectiveness over time.
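A worked version of the metrics in the last bullet, added here as an example and not KnowBe4's or any platform's scoring code: per-person click rate, report rate and time to report from constructed simulated-phishing records, a training-completion flag, and a role-weighted risk score so the person who "tops it" can be found and explained. The weights, role multipliers and sample data are assumptions for illustration.

```python
"""Human-risk metrics from constructed records. Added example; the weights,
role multipliers and data are assumptions, not KnowBe4's scoring model."""
from dataclasses import dataclass, field
from statistics import median

# Assumed role multipliers: roles with authority to move money or change
# access carry more inherent risk than a typical staff role.
ROLE_WEIGHT = {"ceo": 2.0, "cfo": 2.0, "finance": 1.5, "it": 1.3, "staff": 1.0}


@dataclass
class Person:
    name: str
    role: str
    training_on_time: bool
    # One tuple per simulated phish: (clicked, reported, minutes_to_report or None)
    sims: list = field(default_factory=list)


def metrics(p: Person) -> dict:
    """Per-person behaviour metrics: click rate, report rate, time to report."""
    n = len(p.sims)
    clicks = sum(1 for clicked, _, _ in p.sims if clicked)
    report_minutes = [m for _, reported, m in p.sims if reported and m is not None]
    return {
        "click_rate": clicks / n if n else 0.0,
        "report_rate": len(report_minutes) / n if n else 0.0,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        "training_on_time": p.training_on_time,
    }


def risk_score(p: Person) -> float:
    """Behaviour component in [0, 1] scaled by role weight (assumed formula).
    Clicking raises risk, reporting lowers it, overdue training and slow
    reporting add small penalties."""
    m = metrics(p)
    behaviour = 0.6 * m["click_rate"] + 0.3 * (1.0 - m["report_rate"])
    if not m["training_on_time"]:
        behaviour += 0.1
    slow = m["median_minutes_to_report"]
    if slow is not None and slow > 60:
        behaviour += 0.05
    return round(min(behaviour, 1.0) * ROLE_WEIGHT.get(p.role, 1.0), 3)


def drivers(p: Person) -> list:
    """Plain-language reasons behind a score, for the 'who tops it and why' discussion."""
    m = metrics(p)
    out = []
    if m["click_rate"] > 0:
        out.append(f"clicked {m['click_rate']:.0%} of simulated phish")
    if m["report_rate"] < 1.0:
        out.append(f"reported only {m['report_rate']:.0%}")
    if not m["training_on_time"]:
        out.append("training overdue")
    if m["median_minutes_to_report"] is not None and m["median_minutes_to_report"] > 60:
        out.append("slow to report")
    if ROLE_WEIGHT.get(p.role, 1.0) > 1.0:
        out.append(f"high-authority role ({p.role})")
    return out


def ranked(people: list) -> list:
    """People sorted by risk score, highest first."""
    return sorted(people, key=risk_score, reverse=True)


def program_rollup(people: list) -> dict:
    """Programme-level numbers suitable for trending over time."""
    sims = [s for p in people for s in p.sims]
    n = len(sims)
    return {
        "training_completion_rate": sum(p.training_on_time for p in people) / len(people),
        "click_rate": sum(1 for clicked, _, _ in sims if clicked) / n,
        "report_rate": sum(1 for _, reported, _ in sims if reported) / n,
    }


# Constructed sample data: four people, a few simulated phishes each.
PEOPLE = [
    Person("alice", "ceo", True, [(False, True, 5), (False, True, 12), (True, False, None)]),
    Person("bob", "staff", False, [(True, False, None), (True, False, None), (False, False, None)]),
    Person("carol", "finance", True, [(False, True, 3), (False, True, 2)]),
    Person("dave", "it", True, [(False, True, 240), (False, False, None)]),
]

if __name__ == "__main__":
    for p in ranked(PEOPLE):
        print(f"{p.name:6} {risk_score(p):.3f}  {'; '.join(drivers(p))}")
    print(program_rollup(PEOPLE))
```

Note how the CEO with a single click ranks above the finance user who reported everything: the role multiplier is doing the work the talk describes, and `drivers` shows why.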

The Human Factor in AI-Enhanced Attacks

Erich Kron, CISO Advisor at KnowBe4, opens by addressing a critical gap in AI security discussions: while most conversations focus on AI's technical capabilities, few examine how artificial intelligence is transforming attacks against people. He emphasizes that humans remain the primary target and initial access vector for cyber criminals, making human risk management more critical than ever. The session challenges the outdated notion of humans as the 'weakest link,' instead framing employees as essential defenders who need proper context and tools. Kron argues that security awareness training alone is insufficient—organizations need holistic human risk management that addresses credentials, data handling, misconfigurations, and the psychological pressures employees face. With workplace stress at all-time highs and employees expected to do more with less, the human attack surface has expanded significantly.

AI-Powered Social Engineering Tactics

The webinar details how attackers are leveraging generative AI across multiple attack vectors. In phishing, AI reduces email creation time from 16 hours to 5 minutes while maintaining an 11% click rate compared to 18% for manually crafted emails—a trade-off most attackers gladly accept for the efficiency gain. Vishing (voice phishing) has become particularly dangerous with AI-enabled voice cloning, allowing attackers to impersonate executives or family members with alarming accuracy. Real-world examples include the $25 million Zoom deepfake heist where scripted AI-generated executives convinced an employee to wire funds, and Scattered Spider's help desk attacks using social engineering to reset MFA and gain account access. Smishing campaigns now use AI chatbots to initiate conversations before handing off to human operators, while QR code phishing (quishing) leverages AI to rapidly generate fake payment sites and automatically spin up replacements when takedowns occur.

Psychological Manipulation and Cognitive Biases

Kron explains how AI enables attackers to exploit human psychology with unprecedented precision. Attackers leverage cognitive biases like authority (impersonating executives), urgency (creating artificial time pressure), and social proof (referencing colleagues or industry trends) to bypass rational decision-making. The dual-process theory of thinking—System 1 (automatic, emotional) versus System 2 (deliberate, analytical)—becomes critical: attackers design campaigns to trigger System 1 responses that prevent critical thinking. Multi-channel attacks combine email, text, and voice to create reinforcing pressure, such as a phishing email followed immediately by a text message claiming urgency. AI allows attackers to build detailed psychological profiles from social media and public data, enabling hyper-personalized attacks that confirm existing biases. Even low-quality deepfakes can be effective when they align with what targets already believe or fear.

Defending Against AI-Enhanced Threats

The defense strategy centers on comprehensive human risk management rather than technology alone. Key recommendations include implementing verification policies for high-risk actions like wire transfers—requiring out-of-band confirmation through a different communication channel. Organizations should teach employees to recognize scam mechanics and red flags without requiring technical expertise, such as checking the final portion of URLs for legitimacy. Measuring program effectiveness requires tracking training completion rates, phishing report rates and speed, simulated attack failure rates, and overall risk scores that account for both behavior and role-based risk. Employees need tools to succeed: password managers for unique credentials, MFA across all accounts (including personal social media), and clear policies that give them authority to say no to suspicious requests. Kron emphasizes making security training engaging and relevant by connecting workplace security to personal protection, helping employees understand the 'why' behind security requirements to reduce friction and workarounds.
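The URL check described above, written out as an added example (not KnowBe4's code): it pulls out the registrable domain, the "last little section" the talk refers to, and flags any host that is not on a brand's allowlist, including Microsnift-style lookalikes and hosts that merely contain the brand name. The allowlist, the edit-distance threshold and the sample links are constructed for illustration.

```python
"""The 'last little section' check from the talk, as a small function.
Added example, not KnowBe4 code; the brand allowlist, the Levenshtein
threshold and the sample links are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains a brand really sends from.
KNOWN_GOOD = {"microsoft": {"microsoft.com", "live.com", "office.com"}}
LOOKALIKE_MAX_EDITS = 2  # assumption: tune against your own brand list


def hostname(url: str) -> str:
    """Lower-cased host of a URL; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.microsoft.com' -> 'microsoft.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, brand: str) -> tuple:
    """Return ('ok' | 'suspicious', reason) for a link that claims to come from brand."""
    host = hostname(url)
    dom = registrable_domain(host)
    good = KNOWN_GOOD[brand]
    if dom in good:
        return "ok", f"{dom} is a known {brand} domain"
    if brand in host:
        # Brand name sits in a subdomain; the part that matters is further right.
        return "suspicious", f"'{brand}' appears in the host but the domain that matters is {dom}"
    for g in sorted(good):
        if edit_distance(dom, g) <= LOOKALIKE_MAX_EDITS:
            return "suspicious", f"{dom} is within {LOOKALIKE_MAX_EDITS} edits of {g}"
    return "suspicious", f"{dom} is not a domain {brand} sends from"


# Constructed sample links exercising each branch above.
SAMPLE_LINKS = [
    "https://login.microsoft.com/common/oauth2/authorize",
    "https://microsoft.com.account-verify.example/login",
    "https://microsnift.com/login",
    "https://mycoresoft.com/reset",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, why = check_link(link, "microsoft")
        print(f"{verdict:10} {link}\n           {why}")
```

The MyCoreSoft case is too far from microsoft.com for the edit threshold to catch, which is why the default verdict for anything off the allowlist is "suspicious" rather than "unknown".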

Chapters

0:00 - Introduction and Human Risk Overview
4:20 - How Cyber Criminals Manipulate Behavior
19:50 - AI-Enhanced Phishing Attacks
23:09 - Vishing and Voice Cloning Threats
25:42 - Smishing and QR Code Phishing
27:42 - Deepfake Case Studies
42:45 - Defense Strategies and Policies
43:49 - Measuring Human Risk Management
47:48 - Best Practices and Recommendations
51:28 - Closing and Q&A

Key Quotes

0:54 "... humans tend to be our most targeted resources within our organization. And because of that, they end up being the number one initial network access way that bad actors are getting in ..."
6:56 "Humans are the weakest link part. And I hate that, I hate that phrase. I don't like to state it that way at all. Humans are just humans. We're here to do what we're doing and we're here to generally not be cybersecurity experts."
22:17 "Their average phishing click rate was 18% on the simulated ones that X-Force does. They had AI put it together, it was 11% in green there. Now, you're thinking, well, it's way better to do it by hand. Yeah, it absolutely is. The difference is to get to that 18% click rate, it took them 16 hours to craft that email. And the AI one did it in five minutes."
28:33 "... they actually scripted this entire attack. Top to bottom, they scripted this entire attack. And an individual, there was one individual on here that was not actually an AI scripted and recorded person. And they just kind of sat in the background, listened to these executives talk about this $25 million they needed to transfer."
32:20 "... once this damage is done, it's never gonna be completely cleaned up. It's just not. People are always gonna be thinking in the back of their mind, or they're gonna remember this person because of that. And again, these are normal people. We're not talking nation state actors. We're not talking big deals. We're talking about a PE teacher, basically."
50:09 "MFA is fantastic and wonderful, but come on, it's not Superman here. MFA will do a lot of good things and you want to MFA everything you can."
