Steve Rivera, CRO @ Logically
Tiffany Ricks, CEO @ HacWare
October 2, 2023 | 53 mins
October is Cybersecurity Awareness Month. In this week’s episode of Logically Speaking, we welcome special guest Tiffany Ricks, Founder and CEO of HacWare, to share her experiences in IT and cybersecurity and the major challenges facing businesses today. Here’s a hint … it’s human error. Steve and Tiffany cover the importance of having the right support within an organization, and how easy it is to be compromised. Dive in to learn more about the importance of training your employees and the positive impact it will have for you.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Cyber criminals use AI too, but there are still ways to protect yourself
- Prevent disgruntled employees from turning into insider threats
- Discover how to cultivate a culture of security in an organization
- Top current and emerging threats facing businesses today
Trained to Protect: Creating a Culture of Security with Tiffany Ricks at HacWare – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and how to keep your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today we have the pleasure of speaking with Tiffany Ricks, who is a former, or recovering, ethical hacker, I guess we could say. She’s worked with companies to protect them from phishing attacks and other malicious attacks. She’s led many simulated hacks, and she’s built a company that serves that market to help prevent breaches, data leakage, exfiltration, things of that nature. Tiffany, thank you so much for joining us today. I’m going to start out by just asking you if you could share your experience in cybersecurity. What led you to cybersecurity? I always find that some of my previous guests have had very interesting paths that led them into this phenomenal career that we call cyber. So maybe we could start there and talk a little bit more about that.
TIFFANY RICKS
Awesome. Well, Steven, thank you so much for having me, and thank you to the Logically team. I’m really excited to be here. At the time, my journey was very standard. The exciting part about being in cyber now is that there are so many ways you can get in; it’s so broad and so vast. There are so many ways you can contribute to solving this problem that we’re solving for companies everywhere, but my path was through software. I am a software engineer by trade; I went to school for that, and then I got a job working for one of the big four defense contractors. At the time they were called L3 Technologies, and they work with the Department of Defense. They did contracts with the United States Air Force and the United States Navy. I worked on the Air Force side; we were on an Air Force base. I started out as a software engineer, and as an engineer working for the government, which at that time was one of the top three cyber targets, they teach you that you need to make sure your software is resilient. That means looking at it from a secure coding standpoint, trying to make sure you’re not creating bugs that could allow a cyber criminal to get access to the software and do harm. That sparked my curiosity about cybersecurity.
Then I moved into security engineering, which was focused on making sure that we engineer software from a security standpoint, and then into security research and then ethical hacking. That was really about showing the military how cyber criminals could break into their infrastructure. Then I left and started a consultancy, which had managed services as part of our offering. Working with companies of all sizes, they wanted to know how a cyber criminal could target them, and they wanted to be prepared so that if someone did target them, they had the infrastructure to protect themselves. My job was to try to break their system so they could rebuild and fix it. And the systems that were easy to break were our human systems: the people on the front lines doing their job, but easily accessible. You could send a phishing email to them and lure them into giving you information that is closed and locked down behind secure networks. So I saw that this is a huge problem. It didn’t matter the company size; the people were one of the easiest vulnerabilities. What I wanted to do was build software that could automate the workflow of these phishing exercises, but really make it a data-driven approach. So I built the HacWare platform to solve our internal problem in-house, and then decided that this is a platform that can be used by many companies around the world. So I decided to deploy it, and I’ve been having fun solving this problem ever since.
STEVE RIVERA
I love the fact that you used the word curious, because I got into cybersecurity what feels like ages ago; I got into cybersecurity in the 90s. And it was a curious nature. I would look at systems, or even machines, and try to see how I could take advantage of them and circumvent certain things. Whether it was a computer, a payment system, a closed-circuit security system, whatever it was: how can I gain access, just to play? It was more of a curiosity. And then there was also a part of me that was a generational paranoia passed down by my parents. I grew up in New York City, and so you always walk around New York City looking over your shoulder.
I took those two things and made a fantastic career out of it. So I love the fact that you started out by talking about curiosity. I wanted to ask you, because I’m a girl dad and I’m always encouraging my daughter: I find that she often apologizes when she asks an employer for things that she believes she deserves or that she feels are due to her. And it’s almost like a societal pressure for women. So I have to ask, have you ever faced that in cybersecurity? And how did you handle it? I would love for our listeners to learn, especially those who have daughters, or women trying to learn how to be successful in the industry. What kind of golden nuggets can you share with us?
TIFFANY RICKS
This is a great topic, because it took time. And I definitely understand. Actually, what helped me is sort of what you’re doing for your daughter: I had an ally. I had a coworker. I’ve always been the first. I was the first in my family to go to college. I was the first to grow in corporate America.
My family doesn’t come from that, so they couldn’t help me, but I’m glad that you can help your daughter. What helped me was men, because I was the only woman in these rooms. It was those who actively helped me, and also me watching. I would watch how men would operate and how they would ask for certain things. It was because they just knew they had the confidence and the skills to go after that. So that was passive. But then I had great leaders who were men, who were champions, who sometimes saw things in me that I didn’t see, who would tell me: when you go for this review, you want to make sure you are prepared. So you go in there and you talk about all the things you have done. Do not be shy about it. Come with facts, and it’s not a brag if it’s fact.
So if you’ve done all of these things, you lay the facts out there. That helped me switch my mindset, because I think because I’m from the South, and because I am a woman, and probably because I am Black, bragging, or feeling like I needed to brag, was something that just wasn’t in me. I just didn’t like the way it felt. But when my leader told me to just lay the facts out there, I could do that. I can lay the facts out there. I can communicate all the great things I have done, and you can go check and find out. And this is why I need to get this type of salary: the facts are that this person at this level makes this amount of money. So I felt comfortable operating in that truth. That kind of helped me feel comfortable doing it in the beginning. And now that I own my own company, I am that champion for my team members across the board. I am excited when I see women coming to me asking for what they deserve. They know it when they watch me, because in those meetings I am smiling. I am smiling because, yes, I want to make sure we are creating a culture where you should get what you deserve. You should feel confident doing that. There’s no shrinking and hiding, because if the work you’re doing is fact, it is not a brag.
STEVE RIVERA
Yeah. Thank you so much for sharing that. I think when we first met, I was sharing with you that as a Hispanic business leader, I try to be that same champion, because I’m in a position where I can actually have some impact. And I know we’re talking about cybersecurity, but in the realm of cybersecurity, I had a conversation with one of our women employees recently who was asking for an increase. And I coached her: don’t apologize for it. If you deserve it, we’re going to get it for you. I had to coach her that it’s OK to self-promote. Just like what you said: if you’ve accomplished these things, then by all means, ask for it. So thank you for sharing that.
I really appreciate it. I’d like to pivot and talk a little bit about cybersecurity and the industry that you believe may need more investment. Looking at the industries that have traditionally invested in cybersecurity, is there one industry that is lagging, that you believe ought to invest more in cybersecurity? When you think about industries like financial services, retail, hospitality, manufacturing, oil and gas, those verticalized industries, which one do you feel needs more investment in protecting its infrastructure?
TIFFANY RICKS
Yeah, I just gave a talk on this. I was at Black Hat, and I broke down the attacker journey and the industries they are targeting now. When I got started, there were three big industries that cyber criminals targeted: they targeted the government, they targeted health care, and they targeted financial institutions.
Now what I’m seeing is a trend where financial institutions are at the top. They have access to capital and data, and that trend has not gone away. So companies who operate in that space definitely should be making an investment in cybersecurity, and they should be looking at all the levels where they need to protect themselves, because, as I mentioned before, the easiest level to gain access into an organization is through its people. So they should be strengthening their people with continuous education.
But we also need to look at the network. We need to make sure the networks are resilient. We need to make sure that if the financial industry has applications inside its systems, those applications have been scanned for vulnerabilities and fixed. There are so many different layers, and the financial industry, fintech, definitely has to make sure it is continuously looking at its vulnerabilities and trying to mitigate them, because bad actors are targeting them. The other industry I saw being targeted was, believe it or not, software companies, SaaS companies. They are a big target this year. They’re getting targeted quite frequently. It could be that SaaS software companies are growing rapidly, so there’s a lot of movement and change happening in these software companies, even though they may have tech talent.
Tech talent has been highly vulnerable; it has caused more vulnerabilities than any other group, because they are educated, but they’re not taught in school how to have a good cyber posture. That isn’t taught in engineering disciplines: how to have a great cyber posture and how to build resilient applications. So they make a lot of mistakes, and cyber criminals are targeting them. And then another industry I’ve seen getting targeted, a new one, is organizations that focus on proprietary data, like tax organizations. Those are getting targeted.
Of course, the health care organizations are getting targeted. And then there are some new entrants that came in at the start of the pandemic: companies that focus on cryptocurrency. They’re getting targeted quite frequently. So yeah, cyber criminals are definitely targeting industries that have access to financial resources. It could be data. We also have cyber criminals that are hacktivists. So what does that mean? If you are managing or working for a political campaign, there are cyber criminals that will target your organization because they may not agree with your stance. Or if you are protecting the cybersecurity posture of a foundation, which could be doing some good in the world, there are hacktivists who don’t care about trying to steal the foundation’s money.
They’re just trying to take that industry or that organization down. So there are a lot of motivations out there, but we have to make sure we’re diligent about knowing what our gaps are, which is what I love about what you all are doing. And there’s a difference, a gap, between knowing and doing. We have to actually put those things into motion to protect ourselves.
STEVE RIVERA
Yeah, I like the point you made about software developers and SaaS companies, because when I look back on my career, I started out programming back in the mid 90s and it was all about user interface, ease of use, access. That’s what we as developers wanted. Security was not even a thought, or it was an afterthought. It was all about user experience and making sure the application had access and was fast. And I know we’ve come a long way since then. But you’re right. I think there’s still that inverse relationship between access and security, and that’s a challenge in that industry.
What we have seen recently, and you touched on it with fintech and those softer targets, is that law firms that specialize in mergers and acquisitions are becoming that soft target, because the hackers can then get inside information that they can act on in the stock market. We get a lot of law firms coming to us saying, this is what we need; we’re very concerned about that IP, that intellectual property that our clients have. So really great stuff. Let me ask you about the impact, because your business is specifically about protecting against phishing attacks and things of that nature. What are some of the unknown results and costs associated with a breach? Can you speak to some of the unknown impacts of a breached or impacted network due to ransomware or what have you?
Because oftentimes some of our listeners think, well, it’s just about getting back up and running. But then there are these ripples, and I’m hoping you could clarify these ripple effects of that impact.
TIFFANY RICKS
Definitely. And this is a great question, because you’re right. Initially we’re thinking about this one moment in time, but even that one moment in time could be costly, because what does that one moment of being down mean? If you are a hospital and you are down for an hour, two hours, a day, three days, you could potentially have customers who are in life-threatening situations where a loss of life could happen. Or the other impact is, yes, financial loss. But the other thing I’m thinking about is what happens after a ransomware attack on the dark web. Once you pay that ransom and you believe you’re made whole, the cyber criminal still has that data. Although they may not use it, they are dumping that data six months later onto the dark web, and now this data could be used by another cyber criminal to come back. So what I have seen is that after a breach, yes, we have to notify; if we’re in a certain state, we have to notify the Secretary of State that we’ve been through a breach. We have to make sure we are doing the proper steps to make our organization whole. If we have to pay the ransom, we’re paying our ransom. And so that’s a moment in time. But what I have seen is that organizations have left the hole open after they have paid the ransom.
They have not closed that hole. And I can guarantee you the cyber criminal, six to twelve months later, has dumped that data. Another bad actor is going to go back to this same organization and try it again. And if the door is left open, now we have another incident. So yes, the cyber criminals are going to keep going; if it worked the first time, they’re going to try it again. That’s the impact: once you’ve been part of a breach, you’re going to consistently keep getting tried again. And then the other thing I’ll say is from an end user perspective, because for me, with cybersecurity, we have to think about how this affects us personally for us to really care and make changes. What I’ve seen is when we’ve had users who have been part of a breach and their data has been compromised and used, where their identity has been taken, I have seen people go through so much work trying to clear up these charges, clear up their credit, and freeze their Social Security account. I have seen them have to continuously battle with their different creditors to tell them that it wasn’t them, it was a cyber criminal.
And once that battle is done, as I mentioned before, the cyber criminal may go back to the organization, but a cyber criminal may also try again to take your identity. And then the battle starts over again. So you just want to make sure you’re thinking about this long term, because it could be a lengthy endeavor. It’s not just that one moment in time that you’re trying to recover from.
STEVE RIVERA
Yeah, you mentioned something that made me think of a quote. You mentioned how they keep coming back. I think it was the famous bank robber Willie Sutton who, when asked, why do you rob banks?, said, well, that’s where the money is.
And people ask, well, why do malicious threat actors come back? Because you haven’t patched the hole. You haven’t stopped them. You haven’t developed the countermeasures, policies, and procedures, and set up the proper ways to detect and then mitigate that threat.
It’s just one of those things that we can’t educate this community on enough. So really great points. Thank you for bringing that up. I want you to take out a crystal ball and think about what’s going to happen over the next five to ten years. I won’t hold you to this, but how do you think the cybersecurity threat landscape will change over the next five to ten years?
I mean, I’ve been doing this now for 25 years. I would never have thought we would be challenged with things like AI being used by malicious threat actors, state-sponsored, because when I got into cybersecurity, the biggest threat was website defacements. And now the threat landscape has evolved so quickly. Let’s think about the future. What do you think the next five to ten years will bring? On the bad actor side, or on the other side?
TIFFANY RICKS
Yeah, I think so. I think we have to think about bad actors. We have to think of them as people like you and me. We continuously evolve, we continuously adapt, we’re continuously curious, and we’re always looking to find ways to improve. So in my mind, I think about bad actors as engineers who are utilizing technology. For me, I love to use technology to solve problems, but for good. I’m always excited; I’m always looking at what’s new, what’s interesting, and how I can use this tool to solve a problem that I’ve been trying to solve for a very long time. And I think these engineering bad actors have a lot of great tools to solve their problem. If their goal is to get access to data, they have access to so much data. So they’re going to be using AI to build these large data sets and to have a more intelligent understanding of how we operate as people. They will be able to surveil us and understand more about our trends.
So if we’re talking about a big fish, where some cyber criminal is targeting a high-profile individual, then I see them utilizing machine learning to pull data and understand that this person typically goes to these different locations, without the criminal leaving their home. Back in the day, you would have to have someone verify that, or you would have to be there to see that these are their trends. But they would have access to data to understand how these people operate: where do they go, who do they talk to, to build this profile, which is going to allow them to get access to whatever data or information they want. So I definitely see cyber criminals using artificial intelligence to understand our trends and our patterns. I see phishing evolving, as it already has, where phishing is no longer about misspelled words that are easy to identify, or someone not speaking our language so that we can identify that it is someone from somewhere else. We have large language models that allow them to communicate with us without those cues. And I just think it’s going to continue to evolve and get better. I think for us as individuals, as AI evolves, we’re going to move towards trying to find spaces in the physical world, because we’re not going to be able to trust that, if we’re on this Zoom call, you haven’t created a deepfake of me to get on this Zoom call and talk to you. So I think, as people, we’re going to move more into physical spaces to make sure we’re actually speaking to who we thought we were talking to.
STEVE RIVERA
Yeah, it’s interesting you brought that up, because with one of my previous guests, we talked about podcasts and webinars and, especially during the pandemic, how we were doing everything virtually, with recordings, and how quickly through AI you could easily impersonate someone. And we’re starting to see this trend. I see it in various ways, where folks get scammed because it’s the voice of someone they know that’s actually calling them. So it goes from a text to a voice, and it becomes harder and harder to validate. We had a situation recently, and you’ll get a kick out of this, where our CEO texted me, allegedly from a brand-new cell phone: Hey, this is Josh. I got a brand-new cell phone. Can you let me know that you got this? And of course, I took a screenshot and sent the text to his actual cell phone, and we had a good laugh about it.
And I was like … but imagine if I had called that number and his voice had picked up. Yeah. I would have gotten really confused. But it’s this culture we are trying to foster, that it’s OK to question. And I think that’s the challenge, because oftentimes new employees or field-level employees will get a text from their CEO and snap to attention instead of questioning it. I had a client who actually sent fifty thousand dollars in gift cards to the person they thought was the CEO on the other end of the line. So it’s about creating a culture where it’s OK to question, slow down, not rush in, and try our best to validate, because it’s becoming more and more challenging. And it’s frightening to me that someone could take my voice and try to extort money from my mother-in-law, who is eighty-four, because she thinks I’ve been kidnapped, or the police have me and I need bail money. Those are some of the scenarios I’ve heard recently.
TIFFANY RICKS
Yeah. I mean, because you’re so public-facing. We have you on all of these podcasts, and so getting your voice, it’s going to be easier and easier to pull off these types of scams.
STEVE RIVERA
Yeah. I’m interested to know a little bit more about some of the creative approaches you’ve taken to solve some of these tough cybersecurity problems. When it comes to spear phishing or whale phishing, what are some of the ways you’re tackling those today?
TIFFANY RICKS
Great question. For us, it’s a data-driven approach. We were using generative AI before it was a thing. We’ve used it to simulate how attacks are happening today. As I mentioned before, phishing emails, and we do phishing text messages as well, have moved past misspelled words, because cyber criminals are using ChatGPT to generate these emails.
So what our platform at HacWare does is it mines and finds these phishing emails, and then we have a classifier that allows us to determine what type of phishing attack this is. We’re also integrating into the email platform. So we’re trying to give our customers insights into understanding what their six risky behaviors are. You talked before about the impact of a breach; we’re trying to help you understand what the potential cost would be with these six risky behaviors.
Then what our platform does is generate a simulated spear phishing email that’s based on attacks that are happening today, versus what happened a quarter ago or a year ago. We’re making it 100 percent automated, so we can test users with this type of spear phishing. Everyone gets a spear phishing simulation. The reason I created this platform is because I just didn’t have the time. I would only have time to create a spear phishing simulation for 10 percent of the population, and that was typically the C-suite, or wherever the money was, which was the accounting team. The rest of the departments got generic phishing emails, and they all went out at the same time.
- But what I’ve done with this platform is look at when the best time is to send this email to you as an individual.
- What is the best content to train you on?
- We’re also looking at insights on whether you have been part of a breach before that’s on the dark web.
- Our platform will simulate and impersonate that brand to see whether you have closed the doors.
- Are you looking suspiciously at emails that are coming from this brand, knowing that your information is on the dark web?
So we’re continuously automating and testing, and then we train the user on what they need to learn in three-minute-or-less videos to change their risky behavior. We’re trying to make it super easy for security teams to train their human workforce.
STEVE RIVERA
I love that. I’ve got a couple of follow-up questions running through my mind here, because in my past, we’ve done ethical hacking and designed some of these campaigns as well. And I’m always wondering: in my experience, there’s always a percentage of people who will click on a link no matter what you teach them, no matter what the stick or the carrot is. But in your experience, what percentage is that? I mean, the continuous clickers. Yeah, yeah.
TIFFANY RICKS
I think it depends on the level of the phish, because we have three levels. On a phishing level, which is a generic phishing email that casts a wide net for everyone to see who’s going to respond, and to lure those repeat offenders, I typically see, depending on the organization, between five and 10 percent. I see repeat offenders on those. But I’ve also worked with organizations who have come up with different programs to try to get them to understand the why: why this is important, how to create that pause, how to create this relationship with the security team. The reason we’re doing this is because we want to create an environment where you know what to do if an attack happens. And even if you make a mistake and click on something, we’re trying to educate the team on what to do after that, versus being afraid of communicating with your security team. If you’ve clicked on a link and you’re exposing your organization to a malware outbreak, but you’re just going to be quiet and not say anything, that’s not helping the organization either.
STEVE RIVERA
Yeah, those are all really great points. Is a hundred percent compliance a realistic goal? That no one clicks? I mean, is that even realistic, or is ninety-five percent realistic, and then you just mitigate for the other five? How do you …
TIFFANY RICKS
… it depends on how long you have had that one hundred percent compliance, because that could also be an indicator that your users have adapted. It’s like going to the gym. Your users’ bodies have gotten comfortable and adapted to this level where they’re not growing anymore. They’re just going with the flow. They’re not being challenged to go to that next level.
And for us as people, we have to continuously understand that we’re here to continuously grow and evolve. When we’re at a level where we have one hundred percent compliance, and this is happening over two to three campaigns, depending on how frequently you’re running campaigns, then you should look at it as an indicator that you need to make some changes. You need to shock the system and try to move to the next level of security maturity, because you’ve already hit a certain level of maturity, and it’s not good to stay there.
STEVE RIVERA
Wow, that could be a whole other podcast, this mindset of continual growth. I do my very best to educate our customers that security is not a point-in-time destination. Because if you view it that way, then you’re going to buy a product, you’re going to buy a piece of software, and you’re going to think that you’re safe. Realistically, it’s more of a journey, and it’s never really a sprint. It really is a marathon. You’ve got to stay in it and constantly evolve, because the threats will continue to evolve. And that is the challenge, I think, in educating the community. I’d like to shift and talk a little bit about the insider threat and what your experience has shown you about how to handle it. I think there are two things.
One is the malicious insider threat that is looking to purposely do harm to a business’s operations. And then there’s the simple, what we call misuse, like innocent misuse. I’m not talking about that. I’m talking about the malicious one. From your experience, how do you handle something like that: an insider who is maliciously trying to either steal information or cause harm to an organization?
TIFFANY RICKS
Yeah, this one is definitely all about creating a culture. The security team definitely wants to make sure that they’re keeping an eye on this, but it’s also important to communicate with the entire organization, because security is getting lean. Security has a lot to manage, and they can’t be omnipresent and everywhere. So it’s really important to make sure that we’re educating everyone to understand what to look for in an insider threat. Your co-workers should be trained to look out for co-workers who are in places that they shouldn’t be, or who are trying to get access to systems that their job doesn’t require. As in the military, they don’t have a need to know, and they don’t have a need to access this data, but they want you as a co-worker to give them access, or they’re asking you to email them data that you have access to, and they have no reason to need it in order to do their job successfully. So you have to train your team members to look out for that, and to be able to create a pause and ask this co-worker: is this something that you need? Why do you need it? And then it’s really important to make sure that we’re creating this culture of, I want to make sure that I am protecting the company. It’s not about me ratting out a co-worker; we are all here to do a job. I need to make sure that I’m not putting my company and myself at risk by letting this co-worker gain access to information that could potentially harm our company and my livelihood. So I think what’s really important is just to train all co-workers on what to look out for with insider threats.
And then the other insider threat, I think, is sometimes the security team. We have to make sure that we are creating an environment where our employees know how to be successful with cybersecurity. Sometimes an organization has a negative reinforcement strategy when an employee makes a mistake with phishing, or with handling data, say they made a mistake by emailing company proprietary data to a third party. I think that can also create an insider threat when we’re not communicating to these employees why we have these policies in place, what role they have, and what the negative outcome could be if they don’t follow these policies, and instead there’s a negative reinforcement type of culture. We don’t want disgruntled employees who are upset, who feel like their security team is out to get them, and who are now going to make things tough for the security team by clicking on links intentionally because they’re upset.
STEVE RIVERA
That’s an interesting thought. In all honesty, I have not considered the security team as a potential insider threat, but yes, that they could cause an employee to become disgruntled, because employee satisfaction is an indicator of whether or not you have someone who is protecting your data and being a good steward of that data, or is loosey-goosey and will leave their laptop on the front seat of their car as they go out to lunch. Yeah, that’s a great point. I hadn’t really thought about that, but that is a really good topic, and thank you for mentioning that.
I would like to ask what you or your team might be seeing with respect to emerging threat vectors in the threat landscape. Is there anything of particular interest, an emerging threat that should be considered here?
TIFFANY RICKS
Yeah, I think just thinking about what is happening today that is emerging. This is with regard to phishing. During the pandemic there were phishing attacks that were on the trend of: you made this purchase, it was a big purchase, it was from a brand, and they were just trying to shock you into complying and reaching out to say you didn’t make this purchase, or clicking on the link to say you didn’t make the purchase.
So that was a trend in 2020, but now I see that they are doing more hybrid phishing, which is what you alluded to before. That means they are bringing back that trend of saying that you made this purchase from a brand, but they are also following it up, after sending you an email, with a call from the same number that’s in that email, and acting as if they’re that brand, trying to make sure you know you made this purchase or you didn’t make this purchase, and trying to create urgency around that.
The other trend I’m seeing is that cyber criminals are definitely using ChatGPT as a way to make their emails a little bit harder to spot. And then smishing, text-message-based phishing, is more disarming, so I see more cyber criminals using that as a way to lure people in. And then, yes, the emerging trend is that we’re doing more voice phishing simulated attacks, and that is when they are using your voice, or something that sounds like your voice, to try to pull off their attack. Outside of phishing, I think the other thing that we’re seeing is that cyber criminals are trying to look for weak links in the supply chain, trying to figure out where this organization fits in to help them get access to the big fish. So they’re potentially going to target, like you said, a law firm, a law firm that has access to a lot of M&A information. Lawyers, as I talked about with engineers, are a big target because they get a lot of outbound information; they have a lot of data that is sent to them; they have to be accessible by email; but they also have a high level of education. So you have to train lawyers differently, with new content, bite-size, because they’re busy, in order for them to get the security awareness training that they need, tailored to them.
STEVE RIVERA
Yeah, no, that’s a great point, because you mentioned health care earlier, and it leads me to physicians, surgeons. These are, I mean, they’re brilliant, they’re highly intelligent, but they’re also, and I apologize to any listeners who are, they’re prima donnas.
TIFFANY RICKS
… right, I was going to say that, but I’m glad you said it.
STEVE RIVERA
Yeah, they’re the moneymakers for the health care system, so they want ease of use. And you know that inverse relationship between ease of use and security, like we mentioned before: the easier it is to use, the less secure it inherently often is. Our health care clients are challenged with that, because the doctors want a certain level of access. They want access to things, they don’t want to have to remember or change passwords, they don’t want to be restricted in what they can send and what they can’t send. And with patient privacy, you’ve got security concerns, HIPAA concerns, all of these things come into play, and it can sometimes encumber their patient care. So making it easy while securing it is a challenge in that industry. I know that kind of firsthand with some of our clients, but what you mentioned is really important.
I think about how threats evolve, and we are constantly in this cat-and-mouse kind of game, if I can call it a game; it’s much more important than that. But it oftentimes feels like we are reactive. If you could give our listeners two or three recommendations to try to get ahead of the next wave, what would they be? If they could accomplish two to three things by the end of the year and feel like this would absolutely help me be more secure and prevent a phishing attack, ransomware, a breach, what would those two to three things be?
TIFFANY RICKS
(49:00) The two to three things, and I think these two to three things have stood the test of time, these are classic things that I think can help, that have helped organizations in the past if they’ve done it right, and if they do this in the future I feel like they will be able to manage some of the evolving threats. First and foremost, you want to make sure that you are continuously training your people on the evolving threats, because this is an area that is continuously changing. As we mentioned, I call them engineers, these bad actors; they’re continuously changing their attacks, they’re looking for opportunities to win, and so we need to continuously educate our employees, our end users, on what’s happening today.
So it is like we are behind, but when we’re at war we have to understand our attackers. We have to understand our opponent: what are they doing now, what did they do in the past, what are they potentially going to do in the future. We have to understand our opponent to be able to prepare ourselves for how we’re going to move forward, so education is key. And then also, because we are in different systems, having a password manager, or a password strategy that you’re continuously improving and evolving. Having a password manager, and then the master key that you’re using, if you’re not continuously updating that, working with your security team to update different policies around safeguarding passwords, is something that should continuously be looked at.
And then the last and final thing is looking at device security, understanding the devices that our users have. These devices will continuously evolve, but the systems that our users are using, we want to make sure that we’re continuously updating those with what we have. But you know, the thing that I always tell people is that because we are on the good side, we can’t do what bad actors are doing. We can’t, you know, run a phishing simulation that’s going to take down our customer’s network and have them off for days. So we have to operate within the environments that we can, and continuously train to do that.
And when we’re sending a phishing simulation, we can’t send things that make a promise to people that they’re going to get a raise or some incentive. We can’t, I would say another word, but we can’t create an environment where our employees are upset with us after the phishing and training exercise, because that could create a whole sabotage type of environment after that. So we have to think about that. Those are the three things that I think organizations should do and continuously evolve, but we also have to operate in this environment where we’re not the bad actors. We can’t be like them, but we have to know what they can do and prepare ourselves to try to make sure that we don’t fall victim to them.
STEVE RIVERA
That is great, and Tiffany, thank you so much for your time. This has been a fantastic conversation; I’ve thoroughly enjoyed it.
That is all for this episode. Make sure you tune in next time to Logically Speaking, and stay cyber first and future ready.