You may think that because you’re only an individual or a small company, human vulnerability doesn’t matter to you, but today I want to give you some reasons why it does and why large enterprises aren't the only people who need to worry about cyber security.
Watch the full episode below or listen on Apple/Spotify Podcasts. (Check out more episodes on our Gone Phishing page!)
Episode 17: Listen on Apple
Full Episode 017 Transcript:
00:00:00:12 - 00:00:23:20
Connor Swalm
Welcome to Gone phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO, Phin security, and welcome to Gone phishing.
00:00:28:22 - 00:00:54:14
Connor Swalm
Hey, everyone, and welcome back to another episode of Gone phishing. I'm your host, Connor, the CEO at Phin Security. And today we're going to talk about a topic that is near and dear to my heart. We're going to talk about why human vulnerability matters for everyone. So why should it essentially, why should you care that people, including yourself, are vulnerable to security breaches and I'll talk about some other areas as well.
00:00:54:14 - 00:01:15:13
Connor Swalm
Why should businesses care about this? Why should society care about this in general? I don't know. Maybe we'll get a little philosophical today, but I'll try to keep it as applicable as possible and out of philosophy. So I would be remiss if we were talking about human vulnerability management and I didn't mention Verizon is data breach and investigation report.
00:01:15:23 - 00:01:54:02
Connor Swalm
So for those of you that don't know Verizon's DVR, that's the acronym is basically an enormous report on cybersecurity breaches and other matters in cybersecurity. There's a lot of data that goes into it. So it's pretty well renowned and pretty I won't use the word accurate, but very well debated in terms of security reports. So there's a statement, though, that often comes out of that report, specifically the 2022 report, which released last year, which is 88% of data breaches involve and I'll put air quotes here, quote unquote, the human element.
00:01:54:16 - 00:02:22:02
Connor Swalm
So what does that mean? Well, if you dig into actually what that statement means and you look at the data and Verizon CPR, it's not just people like clicking on phishing emails. That's not just people giving away their credentials. That also includes misconfigured firewalls or poorly implemented security tools or it's just humans making mistakes in any way, shape or form, whether that's just a normal employee who's going about their job, or whether that's a security practitioner who made a mistake.
00:02:22:02 - 00:02:46:16
Connor Swalm
The creator of vulnerability. So when when I hear people bring this up, I always draw attention to that fact as well, that it's it's not just people getting phish. It's not just social engineering happening. It's all sorts of mistakes that human humans make at every level of technical prowess or security understanding or background or anything like that. So when that statement is 80% involves the human element.
00:02:46:16 - 00:03:18:18
Connor Swalm
It is all humans, not just people who don't practice don't practice security on a daily basis. So I always draw attention to that. So humans, we interface with technology and as a result, we become, in a lot of ways the easiest source for those technologies to get misused. That's just why that 88% number makes sense to me. It's also why I like to caveat that number with, you know, it's all humans making all mistakes, not just people clicking on things or giving away stuff.
00:03:19:06 - 00:03:49:03
Connor Swalm
So another, another common misconception by a lot of people is my business is too small for me to worry about this or I'm too small for you to get hacked or breached or targeted or X, Y, Z or anything like that. And the reality is you don't even need to be targeted today in order to be the victim of a security breach or the victim of identity theft, as some of you have probably been through at some point in your life, you could just randomly get swept up into a data breach.
00:03:49:03 - 00:04:14:16
Connor Swalm
Let's say it was now, you know, common news, LastPass, let's say your master password got leaked. I know that's not exactly what happened in this time with LastPass, but let's say you got swept up into a larger company where you use their services and your accounts got leaked, and as a result, somebody bought them hundreds of thousands of them at a time and then ended up attempting to misuse those accounts for other purposes.
00:04:15:00 - 00:04:42:02
Connor Swalm
So you can be an individual, you can be a small business, you can even be a large business. And you getting breached might have might have been a result of just a tool or a service or a company you use that got swept up into a larger breach or a larger security incident that happened. So when I hear people say things like, I'm too small to be targeted in reality, that might be true, right?
00:04:42:02 - 00:05:00:23
Connor Swalm
There might not be enough juice, so the squeeze might not be worth it for most malicious individuals. But we live in a world today, specifically this incredibly interconnected world where you don't need to be targeted in order to be a victim. And so that's kind of what I say is, okay, we should change our perception of if I get breached, too.
00:05:01:14 - 00:05:31:22
Connor Swalm
Let's let's talk about when I get breached. And, you know, I know that might not make an incredible amount of sense for individuals, but at least for every single business, it is an incredibly healthy mindset to employ to to think about the when, not if mentality. And then you can be complaining because the worst thing in the world that I see not only from some companies that I've worked with in the past or just folks that I'm very good friends with in the industry that tell me stories is the worst thing that can happen is when you end up getting breached and you're not prepared.
00:05:31:22 - 00:05:54:09
Connor Swalm
You didn't go through those tabletop exercises or you didn't go through the necessary steps and processes to, you know, safeguard your information and make sure that in the event that a horrible, horrible thing happens, that you would be easily able to remediate that. So on the I mentioned a little bit of philosophy at the beginning, so I kind of like to go into this.
00:05:54:17 - 00:06:27:02
Connor Swalm
I view cybercrime as an inefficiency of capitalism. And what I mean by that is let's we live in a world today where there are companies that are founded in foreign nations that are funded by those foreign governments with the sole purpose of stealing money from U.S. based organizations. So their entire you know, if you want to say business plan or modus operandi is to quite literally just find a way to steal money, access and information from U.S. based organizations that's well documented today.
00:06:27:13 - 00:06:48:12
Connor Swalm
It exists. It's affect to think we're just going to have to deal with. And so this is what I said. The reason that those companies are able to exist and the reason that they are started is because if they spend $1 and they're able to steal $10, that's incredibly profitable for them to do. So I'm just using really simple pedantic numbers here.
00:06:48:23 - 00:07:12:00
Connor Swalm
You know, don't quote me on those numbers. But here's the principle. If they spend $1 to provide an actual good or an actual service to other organizations and they make $2 instead of the ten they got when they when they were stealing. Well, you can see quickly how companies would be incredibly incentivized to feel as opposed to actually provide a good service.
00:07:12:10 - 00:07:35:07
Connor Swalm
And when you exist in a certain you know, in other areas of the world where there isn't going to be necessarily some legal repercussions or there isn't going to be repercussions in general because maybe your government is very supportive of the theft that you were doing or maybe they're willing to turn a blind eye to it. Then you're going to do that because it's more profitable to do so.
00:07:35:07 - 00:08:04:03
Connor Swalm
So when I say that cybercrime is an inefficiency in capitalism, it is just for in some cases easier for companies to make money by stealing it than it is if they provided a good or a service. So that is just flat out like a, you know, a monetary benefit for them to do it. So that's why I think it should matter to everyone, not just us based organizations as well, is at the end of the day, theft impacts us all.
00:08:04:03 - 00:08:29:16
Connor Swalm
If business becomes more, business becomes more expensive to do, and if providing a good or or a good or a service becomes more expensive, typically the consumer is left holding the bag for that. Typically, the person who ends up wanting to buy the good or the service has to deal with it and so, you know, this can there's examples of this at all levels.
00:08:29:16 - 00:08:51:08
Connor Swalm
So the fact that cyber insurance has to exist and a lot of companies, at least here in the US, have to pay for it, is directly a result of the reality that cybercrime costs an incredible amount of money and that being ransomware or being breached in some other way, shape or form actually has an incredible monetary impact to the organization and could help business operations completely in some cases.
00:08:51:20 - 00:09:16:09
Connor Swalm
And so the fact that companies have to spend money and have to budget for cyber insurance, which from the policies that I've I've had the pleasure of taking a look at, can sometimes be incredibly, incredibly expensive. And so that's just another example of, you know, it's a way to combat theft by transferring the risk. However, it's still the consumer, quote unquote, paying for it, you know, in some way, shape or form.
00:09:17:01 - 00:09:44:06
Connor Swalm
So a thing that I think about a lot as well is what would this world look like if social engineering didn't exist? So for those of you who haven't looked at other podcasts or just joining us right now, social engineering is the act of somebody or an organization impersonating another organization, another person or something that they are not with the intention of deceiving you so that you give them money, access or information.
00:09:44:13 - 00:10:18:13
Connor Swalm
It is the attempt of them to deceive you, to steal money information. And that's it. That's it. That's social engineering. The most common form of social engineering is called phishing, where you send emails pretending to be other people or other organizations, but that that's what social engineering is. So if cybercrime is worldwide, one of the largest sources of not only theft, but right, let's say breakage, the cost of doing business and some would say if social engineering, if humans are part of 88% of that cybercrime in some way, shape or form.
00:10:19:08 - 00:10:39:07
Connor Swalm
And a lot of that is a result of social engineering. Well, then we could quickly see how living in a world where social engineering isn't profitable to do because we've gotten way better at detecting and preventing it would reduce the cost of goods, create, allow a lot of people to make an incredible amount of more companies, more businesses.
00:10:39:14 - 00:10:55:07
Connor Swalm
And we would just see a world that, you know, offers better things at better prices to a larger amount of people. And that's, you know, maybe that's a pipe dream of mine to be able to create something or create a world where that's a possibility. But it's definitely something that I am incredibly invested in trying to bring about.
00:10:55:12 - 00:11:18:09
Connor Swalm
And that's one of the reasons that I ended up starting Fen and one of the reasons why we see ourselves moving into a lot of different directions as well with how to teach people to recognize what's going on around them and prevent it. So it's going to be all for this episode. But on our next episode, I'm definitely going to want to describe a little bit more about human vulnerability.
00:11:18:15 - 00:11:41:15
Connor Swalm
I'm going to explain why is it so difficult? You know, it seems like a really simple concept of let's just teach people to recognize things before they become theft. But I'll go into some of the nuances and some of the reasons that it's actually incredibly hard to do that correctly and not only yourself, but also organizations. So my next few episodes that that you join me on, we will be talking about that and I can't wait to see you all there.
00:11:41:23 - 00:12:02:16
Connor Swalm
I once again, I'm Connor CEO of Insecure and your host at going phishing and I will see you next time. Thanks so much for tuning in to on phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits. Then check us out.
00:12:02:18 - 00:12:16:08
Connor Swalm
Phin Security at Phinsec.io That's in essence Ethereum or like all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.
