Embracing Digital Transformation

#321 Digital Personal Security: Key to corporate cybersecurity

31 min
Jan 29, 2026
Summary

Robert Siciliano, cybersecurity expert, discusses how personal cybersecurity practices directly affect corporate security. The episode argues that individuals must secure their own digital lives first, using password managers, multi-factor authentication, and credit freezes, before they can effectively manage organizational risk. The conversation also covers emerging threats such as AI-generated deepfakes and voice cloning, and argues that security training must shift from lectures to interactive dialogue to be effective.

Insights
  • Personal cybersecurity is the foundation of corporate security; employees cannot manage organizational risk if they don't understand risk in their own lives
  • As many as 94% of people reuse the same password across multiple accounts, and roughly 85% do not use multi-factor authentication, leaving them exposed despite both protections being basic and free
  • Security training effectiveness depends on dialogue and engagement rather than compliance lectures; companies reporting plateaus in training effectiveness are shifting back to live interactive sessions
  • AI-powered deepfakes and voice cloning have fundamentally changed the threat landscape, requiring behavioral training and emotional preparedness beyond technical controls
  • Security must be practical and consumable; overly complex requirements lead to abandonment, so risk management must balance protection with usability
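The Have I Been Pwned check mentioned in the episode works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the suffixes the service returns. The example below (added for this page; not code from the podcast, its guests, or the HIBP project) shows that lookup plus the other check a trainer would run on a password-manager export, finding accounts that share a password. The range data, the counts, and the vault are constructed for the demo; `hibp_fetch` calls the real `api.pwnedpasswords.com/range/<prefix>` endpoint but is not used by the offline run.

```python
"""Password-hygiene audit in the style of the Have I Been Pwned checks above.

Added example for this page; it is not code from the podcast, its guests,
or the HIBP project. Two checks are shown:
  1. a k-anonymity breach lookup: only the first 5 hex chars of the
     SHA-1 hash leave the machine, the full hash never does;
  2. a reuse scan over a vault export, grouping accounts by password hash.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str):
    """k-anonymity split: 5-char prefix is sent, 35-char suffix stays local."""
    return sha1[:5], sha1[5:]


# Constructed sample of a range response for prefix 5BAA6 (SHA-1("password")
# starts with 5BAA61E4...). Real responses hold hundreds of suffixes; these
# counts are made up for the example, and the 0-count line imitates the
# padding entries the API adds when asked for "Add-Padding: true".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"
    ),
}


def local_fetch(prefix: str) -> str:
    """Offline stand-in for the API: returns the constructed range or nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def hibp_fetch(prefix: str) -> str:
    """Live lookup against the real endpoint (network; not used by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; drop padding entries (count 0)."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        n = int(count.strip())
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def pwned_count(password: str, fetch: Callable[[str], str] = local_fetch) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group account names that share a password; only groups of 2+ returned."""
    by_hash: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_hash.setdefault(sha1_hex(password), []).append(account)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


# Constructed vault export (account -> password) for the demo.
SAMPLE_VAULT: Dict[str, str] = {
    "bank": "password",
    "email": "password",
    "forum": "correct horse battery staple",
}


def audit(vault: Dict[str, str], fetch: Callable[[str], str] = local_fetch) -> Dict[str, object]:
    """Run both checks; 'breached' maps account -> breach count for hits only."""
    breached: Dict[str, int] = {}
    for account, password in vault.items():
        n = pwned_count(password, fetch)
        if n:
            breached[account] = n
    return {"reused": find_reused(vault), "breached": breached}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print("reused across accounts:", report["reused"])
    print("seen in breaches:", report["breached"])
```

To run it against the live service, pass `fetch=hibp_fetch` to `audit`; the `Add-Padding` header makes every response a similar size so an observer on the wire cannot infer the prefix from the response length, which is why `parse_range` drops the zero-count padding lines.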
Trends
  • Shift from compliance-based security training to engagement-based dialogue models post-2023
  • Rising adoption of credit freezes as foundational identity protection following regulatory changes
  • Deepfake and voice cloning technology becoming weaponized in social engineering attacks targeting family members
  • Hardware refresh cycles (5-year replacement) emerging as a practical alternative to continuous firmware updates for consumer IoT security
  • Recognition that emotional/biological responses to security threats require role-play training similar to physical self-defense
  • Corporate focus on making employees 'care about security' rather than just comply with policies
  • Increased awareness that 175 billion records compromised in the past 15-20 years creates inevitable targeting of individuals
  • Password manager adoption still below 10% despite being identified as the most critical security tool
  • Privacy vs. security distinction becoming important in IoT device vulnerability discussions
Topics
  • Password Manager Implementation
  • Multi-Factor Authentication Adoption
  • Credit Freeze Protection
  • Identity Theft Prevention
  • Deepfake Detection and Defense
  • Voice Cloning Threats
  • IoT Device Security
  • Home Network Security
  • Security Awareness Training Methodology
  • Behavioral Security Training
  • Device Password Protection
  • Software and Hardware Updates
  • Social Engineering via Emotional Manipulation
  • Corporate Cybersecurity Culture
  • Personal Security Baseline Requirements
Companies
Intel
Dr. Darren mentioned working with Intel on deepfake detection technology with over 99.9% reliability
McAfee
Robert Siciliano was McAfee's brand ambassador for many years when Intel owned the company
Equifax
Equifax data breach in 2017 prompted government action making credit freezes free for all consumers
People
Robert Siciliano
Cybersecurity expert and analyst specializing in personal and corporate cybersecurity risk mitigation strategies
Dr. Darren
Chief Enterprise Architect, Educator, Author, and podcast host with PhD dissertation on cybersecurity and operational...
Quotes
"If you're dead, you can't help anybody else. You have to take care of yourself in order to help others. That is the basis of all security—it begins with you."
Robert Siciliano
"It's like if you're being chased by a bear, you just have to run faster than your friend next to you. If you're a tougher target, they'll ignore you and move on."
Robert Siciliano
"Security needs to be easy. It needs to be accessible. It can't be overwhelming. It can't be difficult. It can't be confusing. Or people aren't going to do it."
Robert Siciliano
"Listen, don't worry about any of this stuff. But do something about it. Put these systems in place. Exercise risk management."
Robert Siciliano
"If we don't change the conversation, if we don't engage the learner differently than we have been, then I don't know that we're ever going to fix this problem."
Robert Siciliano
Full Transcript
And you use tools like Have I Been Pwned to show them how many millions of people use the same passcode across multiple accounts and how many millions are using 123456. They're like, oh yeah, yeah, what kind of silly? Yeah, I need to make some changes. Oh yeah, this is actually really good. I didn't think this was going to be like this, but yeah, I want to know more. So that's how you get them to drink the Kool-Aid, to engage in security awareness. Welcome to Embracing Digital Transformation, where we explore how people, process, policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, Educator, Author, and most importantly, your host. On this episode, I'm continuing my conversation with Robert Siciliano, cybersecurity expert and analyst, on personal cybersecurity and its effect on corporate cybersecurity. So let's talk about the virtual world, because I want to kind of shift over there. I actually think in the virtual world we're more exposed. In the physical world, locality means quite a bit. No one can attack me, typically, individually, from a distance in the physical world. Now, countries can attack each other from a distance, but generally speaking, no one's going to rob me from a distance physically. They can't steal things from my house without coming into my house. Virtually, in the digital world, that's not true. Someone can steal all of my money. They can steal my identity. They can steal things that are digitized from 15,000 miles away. Yeah, and they do. So to me, it's even probably more critical to have some kind of training or guardrails put into place in security. So how do I do that individually? Because, as you said earlier, if we can train the individual and get them to think about security without being paranoid... because to me, paranoia means lack of action. Right. Right. So, but if I have a plan, then I won't be paranoid. I'll feel safe and secure. Is that the idea behind it?
That's the whole point, because every single presentation that I do, when I walk in the room, you know, and they introduce me, 95% of the audience did like this: arms up like that. Try and tell me what to do. Okay. And as I ask questions, they respond with answers, and when they ask questions, I respond with answers, and we're getting into a dialogue, which is what we do, versus a lecture telling people what to do. We actually engage in a conversation and discuss all the societal and cultural myths and misnomers, and why and how we are wired to trust and deny everything else in the physical universe. And before you know it, like, we start talking about all the different risk reduction strategies, the arms go down and they start to lean in like, oh, like, this is good. Like, I didn't think that this was going to be that. Like, I thought this was going to be you yelling at me and telling me that, you know, if I don't do this, these are the consequences. Security is about worry and it's about fear. It's about predators. It's about thieves. And it starts in the physical world, but primarily, yes, our most significant vulnerabilities are our identities and our bank accounts and our customer information. And so you can't really get the learner to engage in cybersecurity risk mitigation until they have their literal house in order, until they have their own security in order, their own identity is protected. Like, we are a selfish, self-interested creature, and the word selfish kind of gets a bad rap. You need to be selfish. Like, we have to get a good night's sleep and eat good foods and consume fluids in order to be healthy and mindful, and in order to help other people, you have to make sure you're in good shape. Yeah, what is one of the instructions that the flight attendant provides you on the airplane regarding the oxygen mask? Put yours on first. And why is that?
Because if you're dead, you can't help anybody else. Yeah, I mean, you need to take care of yourself in order to help others, and, like, that is the basis of all security: it is personal. It begins with you. That makes sense. Yeah. And so from there, once the employee, let's say, understands risk in their own life, everything else is, yeah, I got this. This makes sense to me; I can do that. And as you probe the audience, you know, at the beginning, because the idea is to break them down, to challenge their belief systems, to get them to understand why and how and risk, but you also have to kind of point out the obvious, you know, and the obvious is... I ask questions. How many of you are using a different passcode across all your critical accounts? Raise your hand. No one raises their hand. If I get 10% of the audience to raise their hand, that's a lot. If I get 10%. Yeah. So statistically, as many as 94% of us are using the same passcode across multiple accounts. And how many are using password123? Hundreds of millions, actually. Like, literally hundreds of millions. Okay. That said, you ask similar questions, like how many of you are using two-factor authentication for all your critical accounts, including on email? If I get 15% of the room to raise their hand, that's a lot. So statistically, with the absolute basics, the absolute fundamentals, 85 to 94% of the room is using the same passcode across multiple accounts and not using two-factor authentication. That's the majority of the public, and less than 10% of the public uses a password manager. I mean, this is so 101. And so when they begin to see how silly that is, and you use tools like Have I Been Pwned to show them how many millions of people use the same passcode across multiple accounts and how many millions are using 123456, they're like, oh, yeah, what kind of silly. Yeah, I need to make some changes.
Oh, yeah, this is actually really good. I didn't think this was going to be like this, but yeah, I want to know more. So that's how you get them to drink the Kool-Aid, to engage in security awareness. So this first tip that you're giving is probably the biggest and probably the most effective, right? Use a password manager, use multi-factor authentication. And my sons have all done cybersecurity, and one helped my parents with their... you know, they're using a password manager. They can't wrap their heads around it, though. I do it. Yeah, right, they're in their 80s, and my dad keeps wondering, "I keep getting hacked and people keep withdrawing money from my bank accounts." I'm like, Dad, just basic, simple stuff. But why is there still resistance? Is it because it's still difficult to use? Because even myself, when I'm like, I need to log into my podcast and upload another video or whatever, I have to get a code from my phone, or I've got an authenticator on there that I've got to do a thumbprint. I've got to do all these things to get into that. It's like, gosh, this is a pain in the body. Why? I don't know that the companies that provide password managing software have ever done an effective job of selling their product to begin with. That's number one. I don't know that the general public has had any basic 101 cybersecurity training other than phishing simulation at all. Like, I speak in front of white-collar professionals for a living, and these white-collar professionals that I speak to don't do the basic things because they've never been told or trained, or it's all "figure it out for yourself." So how is the employee going to effectively manage risk on the job if they don't know what to do in their own personal lives? And when you actually engage a password manager, it is the absolute best piece of software that you will ever possess, for the money and for the time that it saves you. Yeah, absolutely.
I totally agree. You know, so that's our number one tip. Number one tip. What do I do next? All right. So, password manager, multi-factor authentication. Yeah. Basically, is that all I need to do? No, no, no, no, there is more. Yeah, basically, there's more. But easy stuff, you know, like nothing that I speak to is beyond the capacity of your parents, you know. I don't need to go spend a million dollars. I don't need to go take a long, drawn-out, you know, six-week course on cybersecurity. No way. Nope, nope, no, no. Remind me, we do need to talk about your parents in a bit. Let's talk about that. I'll make sure we bring that up. Yeah. But, like, identity theft is a huge problem. And it's not as big of a problem today as it was, say, 10 or 15 years ago. But I mean, I've had criminal hackers email me my own social security number. I'm a security guy. "Hey, you go, ha ha," basically flexing their muscle to show me how cool they are. And that's a real thing, you know, and so you've got to lock down your identity. And so few people have what's called a credit freeze. And a credit freeze is this tool that's available to all of us for free through the three major credit bureaus. And basically what the credit freeze is, it's this free tool: you sign up with the credit bureau, you set up an account, and you fill out enough data, you know, you have this login now, and going forward your credit's frozen. What that means is you can't get a credit card, can't get a loan, can't do anything like that, until you temporarily thaw it. As simple as that. So now you have control over who can access your credit, when, or why. And so this tool's been around actually since 2008, which is when I froze mine. It's been around for free since 2018 or '19, since the Equifax data breach. After the Equifax... I remember that. Oh, I remember it. After the Equifax data breach, that was it. Like, the government says, Congress voted and says, no, no, no, free.
And so now it's available. But lenders, creditors, you know, credit bureaus, they all lobby to not have credit frozen across the board, which it should be; otherwise we're on our own. Everybody should freeze their credit, their kids' credit, their parents' credit. So once the bad guy gets their social... which, look, there have been 175 billion records compromised in the past 15, 20 years. 175 billion, with a B. And that's names, addresses, phone numbers, email addresses. About 15 billion passwords are exposed. 15 billion, right? That's like almost everything. All that data is being sorted and sifted and catalogued and used against us. And so it's just a matter of time until they get to you or I. But if your credit's frozen, you become a tougher target, you know, and that's what all this stuff is about. It's becoming a tougher target. It's about putting basic 101 systems in place so that when the bad guy does come upon you, you are now a hardened, or a tougher, target. And they're not going to waste their time. They're going to move on, because there's so much opportunity out there. Yeah, gotcha. It's like if you're being chased by a bear, you just have to run faster than your friend next to you. Yeah, that's the same concept, right? It really is, you know, like if you're a tougher target, they'll ignore you and move on. Yeah, like if you've got 10 houses in a cul-de-sac, and, you know, one of them has a "beware of dog" sign, "this house is protected by ADT," they've got motion sensors, like it looks like the guy or the family, like they've got their security in order. Now the burglar's got nine other houses to choose from. Yeah, yeah, yeah, yeah. So that's the same thing in the cyber world. Yeah, that makes sense. Yeah, that makes sense. All right. So credit freeze, password manager, multi-factor authentication. I can't even speak anymore. What's next, Robert? So from there, you know, your devices, which of course are, you know, your direct access to the world.
Yeah, that's true. Obviously, you'd be surprised how many people don't password-protect, say, their mobile phone. And that's such an important thing. I mean, just please password-protect your mobile phone. You know, if your phone is lost or stolen, what does the bad guy have access to? Everything. So password-protect your mobile phone, which should just be like a no-brainer. And then it's not just password-protecting your mobile phone. It's password-protecting every device in your house, too. "Well, Robert, why do I have to password-protect my desktop? It's in my house." Yeah, but 80% of you don't have a home security system, you know. So password-protect all your devices. And then beyond that, like the basic stuff, like update everything. Update your software to the latest operating system. I mean, at a minimum right now, I'm really not even sure what operating system Mac is on, because, you know, I just do it and don't pay attention to it. But it's just so much easier to understand the Microsoft world, because you should be on 11. And you should be on 11. And take those security patches, right? I talk to my kids about this and my wife and everything. When that little circle in the bottom says "update available," click on it. And you know, I'm like, yeah, you should click on it. Yeah, it's important. So update your software, which ultimately means that you are likely going to need to eventually, everybody does, update your hardware. And what does that mean? It means that if you're functioning on a 2019 Dell laptop that started off maybe with Windows 8 or 10, and we're already at 11, that device probably might download, you know, Microsoft's 11, but it's going to be a dinosaur. It's going to be slow. It's really not going to work like it's supposed to. Like, that hardware needs to be updated in order to engage with current security software. Okay.
So update your hardware in order to update your software, which means making investments in your technology. And that includes printers, you know, endpoints. It includes modems and routers. It includes the mobile phones. Like, we've got to make these necessary investments in our technology in order to protect our information. Okay. So my PhD dissertation is on cybersecurity and operational technology and IT. So let's talk about the house, because this is where physical and digital come together. Like, in my house right now, there are almost 80 devices hooked up to my internet, right? Because I've got smart cameras. I've got smart lights and switches and, you know, all these things. Our ice maker... we have an ice maker, and it's hooked up to the internet. You're in a mesh network. Yeah. Yeah. All the stuff. So what about those devices? Do I need to update those devices? How do I do that? Because there's no keyboard hooked up to the light bulbs in my office. Yeah. Okay. So what I'm about to say, people may not agree with. Okay. But you know, look, security needs to be easy. It needs to be accessible. It can't be overwhelming. It can't be difficult. It can't be confusing, or people aren't going to do it. Right. Most people aren't doing the basic, basic stuff like password management, two-factor authentication, heck, locking their doors. So to get into, and we will, to get into, you know, endpoints and firmware updates and updating your hardware because it's just so old and it's vulnerable, and updating your camera system... Certainly, if you wanted to take the time to update the firmware and go through all the various devices in your home, you can do that. And there are ways to do that. And you probably should do that. I don't do that. I replace my technology probably every five years. I replace everything probably every five years. If all I do is replace my technology every five years, is there a gap? Is there a window? Yeah. Possibly.
I am functioning with vulnerable, you know, hardware that's going to open up my home security cameras to others who can see in. Probably. Yeah. But, like, at the same time, you know, there are only so many hours and minutes in a day. And, you know, like, I've got enough time just to make sure that my backup is working as it should. And so, yes, you can and should update all your firmware. Spend the time. Maybe have a spreadsheet that goes over, you know, when you purchased it; maybe have links to the manufacturer's site where you can download the firmware updates, and spend the time with it. Go for it. But generally, you know, when we see exposés that the baby camera got hacked and this and that, I say, yeah, that happens. And yeah, there's a vulnerability there. Generally, those equate to privacy issues versus security issues, and certainly privacy is a concern. Not my first concern. My concern is, you know, security, which is generally, you know, life and limb. It's finances versus, you know, embarrassment or whatever it might be. All that being said, like, yeah, you have options. If you want to invest the time and effort, go for it. Otherwise, I say don't worry about it. All right. So there's some reasonability. Is that right? Yeah, reasonability here. Because when I've talked to other cybersecurity experts, they say, hey, the most secure system is not connected, in a concrete bunker. I'm like, okay, so not useful. So we don't want to get into the case where we're hyper-vigilant to the point that I'm spending all my time and I'm not living life, right? So there's always risk involved. I have to calculate what level of risk I'm going to accept. It's got to be practical. I mean, it's 2026. The world is on fire. You know, like, we've got only so many minutes in the day. Yeah. People are tired. They're overwhelmed.
Like, they just want to get home in one piece and pick the kids up from school and back and forth from soccer practice and get the dinner on the table in time to watch Dancing with the Stars. Like, that's all they have the energy and effort for. I get all that. So it's got to be practical. It's got to be consumable. It's got to make sense. It can't be overwhelming, or we're not going to do it. And the fact is, we don't do it. That's my point. Because it's overwhelming, I just give up. I just say forget it. And we don't want to think it can happen to us. And, you know, often, like, I will say to my audience, when we're talking about things that might be a little complicated or a little over their head, I always joke and I say, hey, you know, just find yourself a 14-year-old. They'll take care of it for you. And they all laugh. They all laugh, true. And my response, after they all laugh, my response is: you know, that is funny. But here's the deal. I don't know that we should continue to joke about that. I don't know that we should continue to kind of look at that as being a funny thing. I think that at this point, where we're at right now with cybercrime, cybercriminals being organized in such a way that we are all, you know, vulnerable targets because they've figured it out now, I don't know that it's okay that your 14-year-old knows more about technology than you do. I think it's time that we take charge of this and get it figured out and get our house in order in such a way where we understand what risk actually is and we do something about it. No, that makes sense. And I've been doing what I do, like I said, for 30-plus years, and for 30 years I've concluded at the end of every single presentation: listen, don't worry about any of this stuff. But do something about it. Put these systems in place. Exercise risk management. And, you know, it's not unlike putting a seat belt on.
You put that seat belt on to give you control, because it's a smart thing to do. And as long as you do that, you're going to be good. Don't worry about it. But the reality of it is, I'm a bit worried now. And the reason why I'm worried is because the stakes are a lot higher. AI has flipped it all on its head. Oh, yeah. And, like, talking about your parents, right? Like, deepfakes, voice cloning. We are incapable of telling the difference between a cloned voice and a real voice. And we are incapable of hearing people... Human beings do not have the ability to do that. No, we don't. Technology can do it. But humans cannot decipher real from fake. It is impossible. Okay. Deepfakes. Right now, the majority of the consumable tools that are available, you know, what people have access to on Google Play and in Facebook and in iTunes and such, all those downloads for face overlay, like, you can kind of tell the difference. You can kind of do it. Yeah. But it's getting better. Questions. Yeah. Yeah. But the tools are available that are perfect. They're just not widely available. Right. And the tools that are available are perfect. You pretty much can't tell that it's, you know... But the machines can. I agree. Yeah. There's some great technology out of Intel, who I work for, where we can actually detect deepfakes, highly reliably, over 99.9%. We can identify a deepfake pretty easily. So you're right. But how does that help when your dad gets a phone call with your voice in the background? Exactly. And they've cloned the caller ID. Yeah. No problem. So how do we overcome that? Because that's a huge fear. I know what I've done with my kids. Each one of my kids has a passcode, right? That I know, they know it. It's ingrained in them. They know my passcode. That's how we... so that if there's a deepfake situation, all I have to do is ask for the passcode.
And generally, that's all you should need to do. Problem is, you know, when you hear your loved ones, and you hear or potentially even see your loved one in distress, you hear their voice: "Oh, hello." Yeah. Your body goes into fight-or-flight mode. Your body, your DNA, shifts in such a way where you are all about... you turn into Papa Bear. You're all about protecting that loved one. Like, your first inclination is not going to be, yeah, this is probably one of them, you know, deepfake voice clones. This has just got to be fake. Your being breaks into a sweat. Your entire body goes into, okay, what do I got to do to get my loved one safe? And your intellectual understanding of risk flies out the window, and your biological being kicks in. And bad guys know this. So Robert, this is the same thing, though, that you probably taught in physical security, right? Because if someone approaches you physically and attacks you, you have to have training in order to do the right thing. So are you saying that with this, because this turns into a physical type of thing... It is, in the digital realm. Yeah, it's emotional. We have to train ourselves on what our responses are going to be. Yeah, we have to role-play it. We've got to do it like personal self-defense. You can't just talk about it. You've got to actually run through some role-plays where it's safe, right? Where you know it's safe. Risk is risk, and the body responds to it the same way in the physical world as it does online, as it does over the phone. You know, and I don't know that any e-learning, any pre-recorded animated talking head, is going to solve that problem. I don't know that phishing simulation training is effective enough to move the needle, to allow the human to react and respond effectively to risk the way that they could or should, because it is a lecture. It's a... I'm telling you this is the problem and these are the solutions and you've got to do this.
I don't know that that is effective enough. What I do know is that prior to COVID my business was doing great: on the road, airplanes, hotels, you know. And then COVID hit, flatlined, and compliance training 100% kicked in. No need for live, interactive. 2023, 2024 comes around; 2023, halfway through, my phone starts to ring in such a way where it was interesting to me, because I started to hear from company officers saying, listen, we've kind of reached a plateau with our training, and we just want our people to care about security. You know, like, we just want them to care. Like, we just want them to engage. Like, we don't see any of that. Which requires not a lecture, not a talking head, not an animation; it requires a dialogue. Yeah, it requires a conversation, you know. It requires communicating with humans as if they are humans, versus your employees who are required to do this or else. Right, right, right. And if you engage them, then they're going to be like, yeah, like, I've never had an opportunity to talk to a security expert ever in my whole life, like, this is what they do all day long, every day. I've got questions. Now I'll just ask those questions and actually, like, feel heard. And I don't mean to get all touchy-feely or anything, and that's never my point. And I'm not asking the CISO to grab your employees and hug them and hold their hand and walk them through this process. But I am telling you that if we don't change the conversation, if we don't engage the learner differently than we have been, then I don't know that we're ever going to fix this problem, because... Yeah, every single presentation I do, from people who are smart, they say, well, okay, so when I do a search on Google... this is the question I get, and this is everybody, maybe not you or, you know, those who are digitally literate, but they ask, okay, so when I do a search on Google, how do I know what links I should click?
No, yeah, no, this is a very valid concern that people have. Hey, Robert, we are way out of time. Sorry, don't get this down. No, this has been... you're a great speaker, great information. If people want to engage with you, how do they do that? Google me. If you know how to spell Robert Siciliano, I'm easy to find. There are only a few of us; one of us is an HIV researcher, which is not me. I own like the first three pages of search, because there aren't many Sicilianos. Beyond that, ProtectNowLLC.com, ProtectNowLLC.com is where I, you know, hang my hat. Yeah, that is awesome. Robert, thanks for coming on the show. This has been wonderful. We could talk for hours. I already know that, and maybe we will have you back on the show again. Hey, I appreciate you and what you're doing. And I worked with Intel for many, many years as McAfee's brand ambassador. Oh, yeah, when we owned McAfee, that's awesome. It was a great time in my life. I've been to your headquarters. Love Intel, love McAfee. Yeah, well, thanks again, Robert. Pleasure. Thank you. Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community at patreon.com/EmbracingDigital, where we share bonus content, and you can always connect with other change makers like yourself. You can always find more resources at EmbracingDigital.org. Until next time, keep embracing the digital transformation.