Why Cybersecurity Is Really About People - Robert Sicilian

Hi, everyone, and welcome to Behind the Numbers. This is the show where we go beyond the data to explore the people, the stories, and the insights that really drive business success. I am Dave Bookbinder, and I'm known as a business valuation expert and best-selling author. Cybersecurity has evolved from a technical concern to a business survival point. My guest today, Robert Siciliano, is a security analyst, best-selling author, and the architect of the Strategic Human Firewall. That's one of the world's most recognizable educators in the personal and corporate protection space, he is the straight talk voice for digital age. You've seen his expertise on CNN, Fox News, CNBC, and Anderson Cooper 360, and you've read his insights in the Wall Street Journal, the New York Times, and Forbes. Robert, welcome to Behind the Numbers. Thank you. Very happy to be here. It is great to have you here. I want to tell the audience anything I didn't cover about who you are. I'm a dad to Victoria and Isabella and dog dad to Minx, and I'm married for 25 years. All good accomplishments, my friend. Let's go after it then, as they say. You've written extensively about identity theft, online, broad, and personal security. What drew you to the field and what made you decide to start writing books? Yeah, so I have been doing what I do for 30 years professionally, really for 40 years since I was And, when I started my small business back in the early 90s, my first computer was an IBM PS1 consultant with a Windows 3.0 operating system. We're on 11 now. And I had 150 megabyte hard drive and I had to buy an extra card so I can have dial up connection to AOL. And within a month of connecting to AOL, I got hacked. I did not know that that was a thing. And my business at the time, and even still today, is about, you know, it's always been security, personal security as it relates to violence and theft prevention. And back then, theft prevention was just, you know, getting mugged, getting robbed, your house being burglarized. And I got robbed via AOL. I lost thousands of dollars in credit card fraud. And as upset as I was, I was intrigued by what happened. I wanted to learn about it. And since then, I've been speaking about it, writing about it and, you know, publishing about it. And the problem just keeps getting worse and it's not getting any better. And that's primarily because humans, whether they're small businesses or just consumers, don't really care about security. That's the whole thing, which I'm happy to talk about. Oh, we're going to unpack that extensively here today. And sorry about that hacking thing. So early on in AOL. I remember back in the early days of the internet, it was just exciting to get online and explore despite hearing those annoying sounds of the modem at the time. Yeah. So, Robert, across your books and your speaking engagement, you've got a consistent theme that cybersecurity is fundamentally about human behavior, and you just alluded to it here. Why do you think that message hasn't really resonated inside organizations like that? Yeah. So when I get in front of a live audience, it's often because the chief information security officer, the company security guy or gal, calls me in to say, listen, our phishing simulation training, which is like, their 101 security awareness training that they offer once a year, isn't quite working the way we want it to. We just want our employees to care about security. Like that's what they, that's why they hire me. Just make them care. So I get in front of a live audience and I ask them qualifying questions, like, you know, knowledge-based qualifying questions that are designed to challenge their belief systems. So like how many of you have a home security system is like one of the first questions I asked them. If I get 15% of the room to raise their hand, that's a lot, which means 85% don't. And then I say, okay, so why don't you have a home security system? And the most common answer I get is, okay, we don't have a home security system because I don't want to live like that, they say to me. And I go, what does that actually mean? Well, I don't have a home security system because I don't want to live in fear. I don't want to have to worry all the time. I don't want to be paranoid, they say. Which is very telling, actually, and very, you know, unfortunate. It just shows that we as consumers, we as citizens, we as Americans have a very unhealthy relationship with security. We look at security truly as a bad thing. Security is about worry. It's about fear. It's about being paranoid. People think that if they install a home security system as if it's going to make them paranoid, like that's what we think. And that right there makes it very difficult for people to embrace risk management because they think it's a bad thing. And so it's always been like that. And it was like that 30 years ago. And it's like that today. Let's unpack that a little bit. There's a lot of psychology going on there. That's probably way above my pay grade, but you live it day to day. So maybe talk us through some of that. What is going on there? You know, that really is a very simple cultural, societal, psychological, and truly a biological issue, okay? And doing what I do for as long as I have, I've come up with the understanding that we all, human beings, all of us worldwide, have what I call the human blind spot. And the human blind spot is our biological want and need to trust each other. Okay. So human beings are what is considered an interdependent species, which means we depend on each other for our survival, for our procreation. Man needs woman, woman needs man. And without each other to procreate, the species would fail to exist, right? So the basis of that is we've got to trust each other. And so throughout the day, week, month, year, people that you come in contact with, phone calls, emails, text messages, you want to trust that that person has your best interest in mind, that they don't want to hurt you. We want to trust people. Not trusting others is kind of like a learned behavior. We learn to not trust others because they may actually physically hurt us or they may deceive us or they may steal from us. And so that learned behavior that not all people are worthy of our trust. The lessons as a result of that trauma, we don't necessarily learn from those lessons. We just kind of like, I don't want that to happen to me again. I don't want to have to think about that ever. And we do nothing. And we function in a state of denial. And we look at security as a bad thing. Oh, I don't want to think that people are going to hurt me again. Therefore, I am going to do nothing and function in denial. I mean, it's like that everywhere. And that human blind spot essentially makes it very difficult for us to embrace, security. And here we are today. Most of us don't effectively manage our passcodes. We're using the same passcodes across multiple accounts. Most of us aren't using two-factor authentication. Most of us don't lock the doors to our homes. Most of us don't have home security systems. Most of us think that security is somebody else's responsibility and don't take responsibility for it in our personal lives, never mind at work. Yeah. And for folks who are listening and thinking, well, you know, I've got antivirus and I've got a firewall. I'm good. But you talk about the psychology here and cyber criminals are so sophisticated and it's getting worse and worse every day, manipulating your fears, your urgency, emotions and things like that. Speak some more about that. Maybe some examples of what people should be listening for and looking out for beyond what you described with your AOLs. So pretty much nine out of 10 of the inbound communications that we get today, phone calls, text messages, emails that are scammy in their nature, have an element of what we call manufactured urgency. So within that dialogue, that inbound dialogue, like you get a text message from your state's registry of motor vehicles. This is the Michigan registry of motor vehicles. And we have are in the process of suspending your driver's license because you didn't pay a fine. Here's a link to pay. If you don't pay today, you're going to lose your driver's license. Manufactured urgency, right? They're manufacturing a ruse. And if you don't do it today, urgently, you're going to lose your driver's license. I see that in pretty much nine out of 10 phone calls, emails, text messages that I get and that I see elsewhere that are designed to get you emotionally involved in the fraud. And, you know, we generally trust to a degree our registry of motor vehicles. We generally trust our banking systems in our cryptocurrency Coinbase. And we generally trust, you know, colleagues and co-workers. So when we get inbound communications from these entities or these humans that are worthy of our trust, we, and they're urgent in their nature, we are compelled to do what it asks because, you know, we don't want to get in trouble. We want to satisfy our co-worker. We don't want to lose our money or whatever the case is. And that's been going on for quite some time. But what, what hasn't changed is most consumers recognizing of risk. They don't look at these inbound communications or at least too many of them don't as, okay, this is manufactured urgency. This is designed to scam me. I am just going to delete it. Most of us don't do that. Most of us actually fall prey, fall victim to it. And I'll tell you, like I work with victims all the time. And what I hear every single time is like, I kind of knew something was wrong is they, they say, but like, you know, I wasn't quite sure. And then they get scammed and they say, I can't believe I was so stupid. And I'm like, I don't really think you're stupid at all. I think it's like the criminals truly understand our biology at this point. They understand our human blind spot. They understand manufactured urgency works. And they understand that security, most of us have an aversion to security. We want to believe. Therefore, we get hoodwinked. And that's not going to change until, consumers, usually at work, begin to take security, what I call appreciation training, where we begin to appreciate the value security has in our lives, which isn't taking place. Yeah. And that's a good segue because we talk a little bit about there, are the personal communications. And maybe, I emphasize maybe, we're a little more alert when it comes to our personal stuff. But when that email comes from an account that looks like it was your boss telling you that you need to do something, and here's a link to accomplish a task, maybe you're just a little more lacked because it's internal. And you assume that the organization has all the appropriate tools in place to prevent that sort of thing. So in that vein, we talk about the human element as being a weak link, but it also can be the strongest sense, right? So what separates those organizations that are really successfully creating what you refer to as the human firewall? Yeah. So, you know, look, look, when I'm hired, I'm a speaker, right? I'm an orator. I get on a platform. I get in front of hundreds of thousands of people and I'm hired because the CISO, the chief information security officer says, listen, our people like are good at the metrics regarding what we call phishing simulation training, but we just want them to be better. We just want them to care. Okay, great. And so I get on the platform and I look out at the audience. I'm introduced, I look out the audience and I'm looking at, you know, a hundred people or so with their arms crossed, looking at me with the scowl on their face, they're checking their watch, looking at their phone and they're like, okay, security guy, tell me something. I don't already know. Like, like I'm wasting their time, they're forced to be there. And so once I start asking all of these, you know, challenging questions and I start, you know, pointing out, did you know that, you know, there are 2 million homes burglarized like every year, which means like in the next 10 years, that's 20 million homes, which is why you should have a home security system. They're like, whoa, I didn't know that. And then we asked the password question, like how many of you are using the same passcode across multiple accounts? And it's like 85% of the room. And I'm like, okay, did you, did you know that there are like 20 billion of your passwords on the dark web? They're like, whoa, I didn't know that either. You know? And so as you like kind of reveal what's going on out there, they be like their, their arms begin to kind of go down by their side or on their lap. And they kind of lean into the conversation. The scowl kinds kind of goes away and their eyes open up a little bit. Now they're like interested in what I have to say, because I'm talking about them. In their security and their own identities and their child's digital footprint. Because what I've learned is, is that all security is personal and people truly protect what they love, what's most important to them versus, you know, like the company client data. Okay. And so as I'm, you know, kind of weaving their personal security into this presentation. As the arms go down, the hands begin to go up because they have questions, questions that they've always had regarding their own security. And so I say, okay, sir, you had a question. And he asks the question. And then there's a woman like sitting 10 feet away from him. I go, ma'am, you had a question. Oh, he just asked the question that I was going to ask because they all have the same questions. You know, consumers all have the same concerns. And so the successful companies are the ones that like realize that. Successful security awareness training is the type of training where it's about them. It's about the employee and their concerns. And the effect of that is what I call the kitchen table effect. And the kitchen table effect is when successful training ends when the employee goes home and they talk about what they learned at work today and they teach it to their family, cementing those lessons for life because it's been made personal. That's successful security awareness training. Yeah, all security is personal. Write that down out there, gang. So if you were hired to protect a multi-generational business, you've got obviously different generations with different perspectives and different levels of technological awareness. How do you get them all to pull in the same direction to create that security environment? viral. You know, like every one of us has loved ones that keep falling into the same traps. Every one of us, like my dad calls me, Hey, you know, I got a pop-up from Amazon and it had the Amazon phone number saying that like, I owed them money. So I called the number and I'm like, dad, what are you doing? I kind of like yelled at him like, and I was like, I'm sorry. Like I didn't get to yell at you, but dad, you should know better. Cause you know, this is what I do. And I've told them about this a thousand times. We all have like somebody in our lives that like just keeps getting hooked on that stuff. You know, no matter what age you are, whether it's you or your spouse or your parents or your kids or your, you know, sister or brother. And so when we relate it to our existing situations, then people begin to kind of like, you know, sit on the edge of this seat. Okay. So this is how I talk to my mom. This is how I talk to my dad. This is how I express these issues to my sister who lost her husband last year. And she's kind of lonely and she's susceptible to all these romance scams and so on. So as you relate the information to what concerns them, again, making it all personal, like it just, it's what people want. It's how people relate. You know, it's, it's how they learn, especially with this particular topic, because this topic is about. Predators. It's about thieves. It's about sociopaths and psychopaths. It's about hardcore narcissists that intentionally do harm. And like in my years of doing what I do, I've come to the conclusion that as much as 3% of all humans are bad actors, like 3%, that's a lot. The medical communities will basically tell you that, yeah, as much as 3% of women and really as much as 6% of men worldwide could be diagnosed as sociopaths and psychopaths. They don't experience empathy, sympathy, guilt, remorse at all. You know, these are the true predators amongst us. They're the wolves and the lions. We are the gazelles and the rabbits. And once you kind of frame it like that, they're like, whoa, I didn't know that. Like I knew that there was like bad actors out there, but not that many. I was like, yeah. I mean. Truly, 97% of all the people you will ever meet are worthy of your trust. But that 3%, they make a lot of noise and they do a lot of harm. And so once you frame it like that, you relate it to them. This is how it affects you. This is how it affects your family. This is what you can do to manage that risk. And these are the bad actors that are doing it. When you tell that story, it begins to make a lot of sense to people. And that story isn't at all being told in a corporate environment through things like phishing simulation training. Yeah, really well said. And man, you are delivering a cybersecurity wake-up call. So folks out there are getting a great lesson from you. I really appreciate it. Let me talk to you a little bit about AI because obviously it's on everybody's mind. How dramatically has AI changed at the threat level, especially when you start talking about deepfakes that are becoming so increasingly more convincing? AI is awesome and awful all at the same time, like with what it is capable of, right? I love it and it concerns me, right? It really has stripped away the clumsy red flags of traditional fraud is what it's done. In the past, criminals relied on what we would call blunder force phishing, mass blasting emails riddled with scammer grammar. Today, generative AI allows for high-precision impersonation, essentially at scale. Criminals now use what we call neural puppetry to create perfect lies. By scraping just seconds of audio or video from social media, they use voice cloning and deep fakes to impersonate a trusted source, like a spouse, a CEO, a co-worker, an attorney, you know, a loved one with 95 to, I would argue, 100% accuracy. And what this does is, is it weaponizes, it weaponizes our biological default to trust. It just does. Making the deception essentially feel and really be 100% human. And furthermore, what's worse is that AI I automates the grooming process, basically using normalizing dialogue to build rapport, exploiting the loneliness loophole. So all those wrong numbered text messages that you get, hey, Dave, are we supposed to have lunch tomorrow? And you're like, I'm sorry, who's this? And you get a response. Oh, this is Gloria. And Gloria sends this picture of a beautiful Gloria, right? And she's like. Hi, Dave, do I have the wrong number? Where are you from, Dave? And you're like, you know, I'm, you know, in Boston, Massachusetts. And she's like, oh, I'm in Coral Gables, Florida. And the dialogue begins. And if Dave is lonely, and I don't know if you know this, but like 25% of all humans across the planet today will wake up lonely. Which is natural and it's normal. Loneliness is designed. They call it that the pain and the ache of loneliness. Loneliness is designed to get us to gravitate towards other humans to procreate. That's its whole point. It's like hunger pains. Hunger pains, we gravitate towards food to eat, to consume, to live another day, to procreate. Loneliness, same thing, to procreate. And hackers, criminals, organized crime understands this, and they groom us via phone calls, emails, text messages. And basically, AI is removing the manual labor of what we call social engineering, allowing a single predator to pilot thousands of digital puppets. The criminal is the puppeteer piloting thousands of digital puppets simultaneously, bypassing technical firewalls and hacking the human's biology. Yeah, as you were telling that story, I was reminded of a story that somebody recently shared with me. A neighbor told us recently that they got phone calls saying that their son was in the hospital. He was in a very serious accident. And the whole thing was a scam. And they were alert and aware of this thing. And she called bullshit and texted her son in real time as this conversation was unfolding. But in that moment, they're playing on your emotions. Dave, I just saw a story where same exact thing happened to a mom and that her mom was actually the daughter, her daughter was being kidnapped, right? So the guy calls her, I have your daughter and she hears her daughter screaming in the background and it's her daughter's voice. Mom, I'm so sorry. I didn't mean for this to happen. I'm so sorry. Please forgive me. Just, just do what he asks you. If she hears her daughter screaming in the background, what is going to happen to a mother who hears her daughter in distress. Her heart is going to beat out of her chest. Her palms are going to sweat every cell in her body. Mama bear is going to kick in. And the guy's like, okay, this is what needs to happen next. I'm going to kill her unless. And this guy, this SOB sent this mom all over town over five hours to every bank and Bitcoin ATM, withdrawing money, wiring money, right? And like over the course of five hours, she wired like 50 grand. And at the end of the five hours, okay, we're going to meet you at this particular grocery store with your daughter. She goes to the grocery store. She's waiting. She's waiting. She's waiting. And her daughter doesn't show. She's waiting. Nobody shows. She picks up the phone and she calls her daughter. Where are you? Where are you? I'm at the grocery store. And the daughter's like, well, what are you, what are you talking about, mom? And she's like, I'm at the grocery store. Are you okay? And she's like, yeah, I'm at work. What's going on? Like literally. Like, and the mom never picked up the phone to call the daughter, like from the very beginning. Why? Because she heard her daughter screaming in the background, AI, deep fakes, voice gloating. That has completely taken over fraud and scams at this point. And it's awful and it's awesome. But it's like, what's the likelihood of your daughter getting kidnapped? I mean, really? But it doesn't matter because when you hear her screaming, all bets are off. Yeah, you're not kidding. Thank you for sharing that. Hopefully folks are getting the message here loud and clear. For leaders who are listening, what are the most important conversations they should be having internally with their teams right now? So look, all of the hardware and software and technology and security technology is available to any organization right now to lock down, right? Companies provide everything, anything and everything that any company needs in order to protect their network, you know, manage security service providers, manage service providers. I mean, everything is out there. Most companies at this point are 99%, you know, hack prevent proof. But it's the human element where that's where the vulnerabilities are. I think I've seen as recently as 75% vulnerabilities occur as a result of human error. People on the inside, falling prey, misconfigurations, etc. And we're treating most security issues as technology problems when those who are perpetrating the frauds are humans and those who are essentially the targets are humans. And we've taken the whole human-centric element out of the security equation, when that truly is where the vulnerabilities still lie. Because yeah, the technology to secure your networks is there, bulletproof, but the human element bypasses that. And so understanding that and knowing that like when that, CISO, the chief information security officer, the CTO recognizes that they need to train their humans effectively regarding risk management beyond phishing simulation training. And they need a budget to do that, have a conversation with your chief operating officer or your CEO in regards to, hey, you know, like in my own life as a chief information security officer, I can't get my dad to stop clicking links. I can't get my mom to stop responding to scammy text messages. Like our own employees, every time they get a text message or an email from Amazon that their PayPal account was compromised, they still respond. Because the human is still vulnerable. And when you talk about that as from your own perspective and say, I bet COO, I bet you have the same stuff going on in your life too. Well, yeah, my mom is still responding to text messages. Well, that's all of our employees as well. So we've got to kind of like shift things up a little bit. In addition to our existing training, We've got to like actually train our people where they're at because all security is personal. And once you present it from that perspective, we are all still vulnerable. 25% of our workforce is lonely. Our parents keep clicking links, you know, where we still see vulnerabilities because of human centric risk. Then they say, okay, here's your budget. And now we begin to actually provide training that actually moves the needle, because you are addressing the human where they're at. You're teaching them to protect what's important to them and what they love. Yeah, big takeaway here from this program for me, all security is personal. Robert, we're just about out of time, but I want to give you the last word, man, and I'm going to give it open-ended to you because is there something that I didn't ask you today that you want to make sure the audience knows? Look you actually mentioned and we spoke to like the human firewall well basically the strategic human firewall is is a methodology that i've developed over 30 years and it's what i, is what is what i want everybody listening to be essentially it is the ultimate defense against deception it's a proactive governance it's a mindset that transforms us consumers employees moms and dads, right? From passive targets into active detection layers. It marks the shift from I trust what I see by default because of the human blind spot to I verify everything. Most security awareness training is a monologue. The learner is talked at rather than with. It relies on the hammer approach, a barrage of don'ts or else, and ultimately it breeds resentment and apathy. I think that if you're listening to this podcast, Dave, I'm betting that you already have most of the elements of a strategic human firewall. I know why I do, but even still occasionally, I receive an email and I click a link that like, oh, whoa, I shouldn't have done that. And then I like, you know, backtrack a little bit, run antivirus. Okay, I'm good because I'm still human, you know. But as you navigate the world, as you pay more attention, engage in situational awareness. You're walking down the street. You're looking ahead of you. You're checking out what's going on behind you, looking to the right, looking to the left, seeing if anybody's paying any unwanted attention to you in the physical world. You do the same thing. When the phone rings, you get a text message, an email, or a pop-up. You're on a Zoom. Is this person real? Pay attention. Situational awareness. What is the situation that I'm in right now? Is the motivation of the person on the other end of this communication and so on? You do that. Change up your passcodes. Engage in two-factor authentication. Heck, lock your doors. Install a home security system. You're in the top 10% of secure Americans. You know, when you talked about the situational awareness, I have to comment on the people that are walking through the city streets with their earbuds in, totally oblivious to their surroundings, even traffic. Dave, do you know we've had more pedestrian deaths like in the past 10 years than ever? It's because people are like on their phone, stepping off the curb and just walking into traffic. And the driver is on their phone blowing off the red light. Like yeah you know we're just not paying attention and that is literally killing us and it is literally emptying our bank accounts, and yeah robert i wish i could go longer but we're out of time here today but before i let you go tell the audience how they can find you connect with you and maybe get you to come speak to their organization. So i'm on linkedin like most uh i'm always putting it out there uh my newsletter i get like tens of thousands of people that follow my newsletter for free and read me there. So look up Robert Siciliano on the Google and connect with me on LinkedIn. Otherwise, my website is protectnowllc.com. Again, that's protectnow. Robert, I can't thank you enough for joining us today. I appreciate you sharing all these great stories and insights, and hopefully folks out there are going to start paying attention. Thank you, Dave. Appreciate you. All right, man. Back at you. And thank you out there for listening to Behind the Numbers with Dave Book Finder. I appreciate you for making this one of the top hot guests in the country. So thank you so much. Until next time, I am Dave Book Finder reminding you that the number of tell the story people bring it to life. Take care, everybody. We'll see you next time.