The Justice Insiders – Human Beings: Cybersecurity's Most Fragile Attack Surface

 
Podcast

Episode 21: Human Beings: Cybersecurity’s Most Fragile Attack Surface

Host Gregg N. Sofer welcomes Husch Blackwell’s Erik Dullea to the podcast to explore how human error factors into cybersecurity efforts. Most data breaches trace back to some form of human error, and an approach to cybersecurity that doesn’t address the ‘social attack surface’ is likely to be a failing—and expensive—proposition.

Gregg and Erik note the recent cyber incident involving the Securities and Exchange Commission, which occurred mere months after the agency imposed wide-reaching cybersecurity disclosure rules on the public companies it regulates. Aside from being a major embarrassment for the U.S. government, the incident highlights how difficult it is to account for the vulnerabilities in digital networks created by humans, and Gregg and Erik provide some practical considerations for risk professionals, in-house counsel, human resource professionals, and others in their efforts to improve cybersecurity outcomes.

Gregg N. Sofer Biography


Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, and regulatory compliance. Prior to entering private practice, Gregg served as the United States Attorney for the Western District of Texas—one of the largest and busiest United States Attorney’s Offices in the country—where he supervised more than 300 employees handling a diverse caseload, including matters involving complex white-collar crime, government contract fraud, national security, cyber-crimes, public corruption, money laundering, export violations, trade secrets, tax, large-scale drug and human trafficking, immigration, child exploitation and violent crime.

Erik Dullea Biography


Erik is a Denver-based partner at Husch Blackwell and heads up the firm’s cybersecurity practice. A retired U.S. Navy Captain, Erik focuses on compliance requirements related to cybersecurity and data privacy, including statutory, regulatory, and consensus-based standards, with an emphasis on critical infrastructure sectors such as aviation, energy, mining, and the Defense Industrial Base (DIB). He represents defense contractors and subcontractors; companies underpinning electrical, healthcare, transportation, and water systems; and other major organizations facing extortion threats from malicious foreign cyber actors. In 2022 and 2023, Erik bolstered his knowledge of cyber threats by returning to public service in a civilian capacity, working in the National Security Agency’s Office of General Counsel as the acting deputy chief of the cybersecurity practice group. 

Additional Resources

The Justice Insiders, Episode 17, “Incidents in the Material World: SEC Adopts New Cybersecurity Rules.” September 11, 2023

Steven R. Barrett, Robert J. Joseph, Andrew Spector, Robert Fritsche and Brian Wetzstein. “SEC Heightens Issuers’ Cybersecurity Disclosure Requirements,” August 15, 2023

Erik Dullea and Andrew Spector. “Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules,” August 2023 Part 1 | Part 2 | Part 3

U.S. Securities and Exchange Commission. “Statement on Unauthorized Access to the SEC’s @SECGov X.com Account.” January 12, 2024

Shapero, Julia. “SEC, Gensler face bipartisan backlash over X account hack.” The Hill, January 18, 2024.

Read the Transcript

This transcript has been auto-generated

0:00:01.760,0:00:07.240
ever wonder what is going on behind the scenes as 
the government investigates criminal cases are you

0:00:07.240,0:00:12.200
interested in the strategies the government 
employs when bringing prosecutions I'm your

0:00:12.200,0:00:17.040
host Gregg Sofer along with my colleagues in Husch
Blackwell's White Collar Internal Investigations

0:00:17.040,0:00:23.040
and Compliance Team we will bring to bear over 
200 years of experience inside the government to

0:00:23.040,0:00:29.320
provide you and your business thought-provoking 
and topical legal analysis as we discuss some of

0:00:29.320,0:00:35.080
the country's most interesting criminal cases 
and issues related to compliance and internal

0:00:35.080,0:00:43.240
investigations welcome to the latest edition of 
The Justice Insiders I'm your host Gregg Sofer and

0:00:43.240,0:00:49.720
lucky enough again to be joined by my colleague 
and partner here at Husch Blackwell Erik Dullea who

0:00:49.720,0:00:55.120
is the leader of our cyber security practice 
group and a partner in our Denver office you

0:00:55.120,0:01:03.320
can find his bio and background and in the show 
notes we'll link to those uh in the show notes Erik

0:01:03.320,0:01:09.400
thanks for joining us you bet I'm glad to have
moved into the repeat offender status to join

0:01:09.400,0:01:15.440
we're happy to have you here so uh you'll recall 
that the last time you were on we had an episode

0:01:15.440,0:01:22.640
which I would recommend to our listeners about 
the SEC's regulations uh that they had put out a

0:01:22.640,0:01:30.800
fairly significant robust and strict requirement 
for prompt notifications for public companies

0:01:30.800,0:01:37.480
regarding cyber attacks and on the heels of 
that edict to the world something happened to

0:01:37.480,0:01:44.360
the SEC itself and in what I would describe as
something that's highly embarrassing to the agency

0:01:44.360,0:01:52.160
early this year a hacker was able to hijack an 
SEC staffer's phone and apparently get access to the

0:01:52.160,0:02:00.840
agency's X formerly Twitter account and posted a 
tweet regarding approval of Bitcoin exchange-traded

0:02:00.840,0:02:08.320
products and my understanding is it actually moved 
the market so this was not some unknown no one

0:02:08.320,0:02:13.760
paid attention to it problem in other words the
SEC although may not have been their own mainframe

0:02:13.760,0:02:19.360
computers if you will got hacked after having 
told everybody that you'll get in trouble if

0:02:19.360,0:02:23.600
you don't tell us right away when you get hacked 
so I wanted to talk a little bit about that and

0:02:23.600,0:02:31.360
the fact that and today's episode really is about 
this that these uh these data breaches and hacks

0:02:31.360,0:02:37.320
of companies and turns out the government often 
have a human element and so that's what that's

0:02:37.320,0:02:42.400
what I'm hoping to discuss with you today you 
bet no and I think it is a good example of it

0:02:42.400,0:02:50.440
because there is a lot of inward Focus that we see 
from The Regulators and from um consultants and

0:02:50.440,0:02:57.440
Private Industry on protecting the network having 
defense in depth making sure nobody gets in and

0:02:57.440,0:03:03.120
unfortunately for the SEC they've moved from the 
'those that will' category to the 'those that have'

0:03:03.120,0:03:08.120
category when it comes to dealing with an incident 
that they didn't want to have in a little bit of

0:03:08.120,0:03:13.560
egg on their face and in this case it's a question 
that criminals are Innovative and they are always

0:03:13.560,0:03:19.160
looking for ways to penetrate a network and 
to get in through a form or a method that we

0:03:19.160,0:03:25.280
didn't anticipate otherwise we would have had 
a control in place yeah so some there's various

0:03:25.280,0:03:31.760
different statistics about this but at least one 
organization has reported that 82% of successful

0:03:31.760,0:03:38.040
uh data breaches or can be attributed to some 
sort of human error and I think humans probably

0:03:38.040,0:03:43.120
constitute a vulnerability in most organizations 
for a variety of different reasons but the more

0:03:43.120,0:03:49.320
sophisticated uh the hackers are the easier it is 
to manipulate human beings and we'll get into some

0:03:49.320,0:03:55.280
of the ways that that's going on these days but 
the bottom line is it is very interesting that all

0:03:55.280,0:04:03.400
this money gets spent on sophisticated programs 
and and software and ways of hardening your system

0:04:03.400,0:04:09.440
Hardware even but if your human beings aren't 
properly trained and properly looking out for

0:04:09.440,0:04:14.440
trouble you might as well not waste your money 
on the rest of it right yeah I think that's a

0:04:14.440,0:04:20.360
good way to think about it and I'd Echo those 
statistics as far as the anywhere between three

0:04:20.360,0:04:29.080
quarters up to 80 80 plus percent involving a 
human being involved in the exploitation and once

0:04:29.080,0:04:35.040
they're in generally what we see are the more 
common types of threats that are exploited are

0:04:35.040,0:04:40.280
credential theft which is going to give that 
criminal the keys to unlock all the doors so

0:04:40.280,0:04:44.720
that they aren't having to break in they're 
just strolling and if it's beyond that it's

0:04:44.720,0:04:50.600
also phishing attacks or ironically even though it
gets a lot of the attention especially for recent

0:04:50.600,0:04:56.760
cyber events vulnerabilities and exploitations of 
those because they those generally take a bit more

0:04:56.760,0:05:02.960
technical sophistication by the threat actor 
in order to take advantage of those once they

0:05:02.960,0:05:07.280
become a bit more common then those are moved 
to the ransomware as a service or malware as a

0:05:07.280,0:05:14.320
service market where they will sell or lease that
code to a less sophisticated criminal for them to

0:05:14.320,0:05:19.880
put to use for a couple hours to see what they 
can gain as far as quick exploitations and then

0:05:19.880,0:05:25.400
they move on to the next Target yeah and we can 
start with the credential hacks or the credential

0:05:25.400,0:05:31.720
Acquisitions um because I think what happened at 
the SEC here sort of falls into that category right

0:05:31.720,0:05:37.720
yeah my understanding for it's you know was a 
SIM card swap or a subscriber identity module

0:05:37.720,0:05:44.360
swap of the employee's phone but that was done
through a you know by an email account being

0:05:44.360,0:05:49.920
compromised that allowed the criminal to then get 
over to the wireless carrier to ask for the Swap

0:05:49.920,0:05:55.800
and that puts the criminal into the shoes where 
they are able to bypass or see the multifactor

0:05:55.800,0:06:02.960
authentication which we generally see as being the 
be-all and end-all and best most common additional

0:06:02.960,0:06:09.000
security control that's being used nowadays and 
with that they're able to simulate the employee

0:06:09.000,0:06:13.760
and step in as if they were the authorized user 
and I think something our listeners uh should

0:06:13.760,0:06:19.800
know also and this something that I regularly 
saw when I was in the government and still see

0:06:19.800,0:06:27.240
is that once your credentials or information 
has been stolen not only do the hackers often

0:06:27.240,0:06:32.320
do everything they can to exploit it but as you 
point out they then sell it and make it available

0:06:32.320,0:06:38.080
on the dark web for anybody else to try to either 
do what they're doing or do something new and and

0:06:38.080,0:06:44.280
it it's amazing the community out there of people 
who are engaged in the regular course of business

0:06:44.280,0:06:49.640
of trying to steal people's money and information 
yeah you're absolutely right it is becoming a

0:06:49.640,0:06:57.600
mature economic model or industry of criminal 
activity so let's talk a little bit about this

0:06:57.600,0:07:03.600
business email compromise concept and what the 
threat picture looks like what should companies

0:07:03.600,0:07:09.560
be and individuals be looking for and how might 
you train your folks to make sure that that

0:07:09.560,0:07:16.520
vulnerability is controlled again the human aspect 
of this I think probably the the most important

0:07:16.520,0:07:23.200
tool for organizations to use would be rather than 
focusing exclusively on training which we think

0:07:23.200,0:07:31.000
of as far as sort of a once a year make everybody 
watch a video and we're taking time away from the

0:07:31.000,0:07:37.760
revenue of the company because we're losing you 
know Workforce hours and to focus on awareness

0:07:37.760,0:07:46.120
and to have the infosec teams the CIOs HR all of
the folks that are interacting with the workforce

0:07:46.120,0:07:52.680
trying to find periodic ways to just keep the 
threats of fraud whether it comes through the

0:07:52.680,0:07:57.800
telephone whether it comes through the email 
whether it comes through a video screen top of

0:07:57.800,0:08:04.320
mind for the workforce so posters in the elevator 
Signs by the coffee machines ways that folks are

0:08:04.320,0:08:10.160
going to be able to see it and just remember to 
be on the lookout for suspicious activity and

0:08:10.160,0:08:16.320
you know and here at our firm I had this in the 
government also um one way to do that is to sort

0:08:16.320,0:08:21.320
of I don't want to say scare people but there's 
nothing that reminds me more of the threat that

0:08:21.320,0:08:26.640
when I get caught by our internal testing process 
and it's it did happen to me once I I was telling

0:08:26.640,0:08:31.480
I was telling you before we started recording 
today that that I thought you'd never catch me

0:08:31.480,0:08:37.880
in a phishing attempt paranoid I for 30 years
I spent looking at the worst of human beings I'm

0:08:37.880,0:08:44.520
very careful about my internet practice but I got 
caught by our firm's own internal sort of testing

0:08:44.520,0:08:49.880
process because I was in a hurry one day and you 
know I'm aware of it but I wasn't disciplined

0:08:49.880,0:08:54.520
enough to be thinking about it at that moment and 
I click on a link that I shouldn't have clicked

0:08:54.520,0:08:59.160
on and and right then and there I you know you 
can expose your entire Enterprise to the kind of

0:08:59.160,0:09:04.160
trouble that the SEC had you're you're absolutely 
right and that it's a good example in the sense

0:09:04.160,0:09:11.360
that you can have a fabulous winning streak going 
until you until the misstep and it only takes one

0:09:11.360,0:09:17.120
and that's true across the workforce we see with 
the phishing testing metrics they are a very good

0:09:17.120,0:09:23.960
tool and I'm not trying to disparage or downplay 
the value of them but there are you know they're

0:09:23.960,0:09:29.360
oftentimes companies and Regulators will think 
about it from a check-the-block compliance

0:09:30.160,0:09:35.560
mindset are you doing it and if you are okay 
great but if you really wanted to be Innovative

0:09:35.560,0:09:40.880
sometimes the people setting up those testing 
tools can be a little too sneaky or they get

0:09:40.880,0:09:46.640
blowback it used to be a popular one that I would 
talk about using out here in Colorado to say on

0:09:46.640,0:09:51.920
a Friday afternoon you send the email out saying 
that I've got Broncos tickets for Sunday you know

0:09:51.920,0:09:57.000
right now that may not be as popular or as hot of 
a topic as it would have been in years gone by but

0:09:57.000,0:10:02.080
for somebody that's in the Kansas City office then 
yeah if you've got make that email advertisement

0:10:02.080,0:10:07.360
out there you will see people because it's a first 
come first serve they're going to jump on it the

0:10:07.360,0:10:13.240
other aspect on recognizing those phishing emails
is for a mobile Workforce do they come across and

0:10:13.240,0:10:18.720
do they look the same on your phone as they do 
on your desktop monitor sometimes that can be

0:10:18.720,0:10:24.920
another way that people bite on it and are the 
controls in place for an iOS you know piece of

0:10:24.920,0:10:29.480
Hardware as opposed to a Windows platform and do 
they come across and do you recognize them the

0:10:29.480,0:10:34.040
same way that's where I tend to see that I'm 
falling victim to it is when I'm looking on

0:10:34.040,0:10:39.320
my phone I tend to not have the same level of 
skepticism as I do when I'm sitting at my desk

0:10:39.320,0:10:45.320
yeah the other thing I think that is concerning 
and and particularly in the more sophisticated

0:10:45.320,0:10:55.640
against larger hacks and breaches is once in the 
hackers and the bad guys they don't necessarily

0:10:55.640,0:11:01.320
do anything for a while right they're sitting 
there observing and watching that's correct you could

0:11:01.320,0:11:07.400
think about it either as reconnaissance or pattern 
of life monitoring to put it in DoD terminology

0:11:07.400,0:11:14.600
but looking to see how the organization behaves 
who is involved in what types of transactions or

0:11:14.600,0:11:21.320
projects meanwhile the threat actor is looking 
to map out the network find out where important

0:11:21.320,0:11:26.400
information is what are typically referred 
to as the crown jewels and then figure out

0:11:26.400,0:11:34.160
which Communications threads they might be able to 
intercept and then use to exploit what typically

0:11:34.160,0:11:41.960
happens once those actions begin is rules will be 
added to employees inboxes to try and redirect or

0:11:41.960,0:11:49.000
delete and obfuscate alerts or other tips that 
the employees would receive and then I've seen

0:11:49.000,0:11:55.520
one example for a company that over the course of 
four months there was back and forth between the

0:11:55.520,0:12:02.440
threat actor and a procurement official and they
built up the aspect of the conversations and the

0:12:02.440,0:12:07.640
discussions seeded the ground with an aspect of
uh we're probably going to be changing banks in a

0:12:07.640,0:12:13.320
month or two and then a month or two later hey 
here's the new wiring instructions and then a

0:12:13.320,0:12:18.840
month after that hey we haven't seen this invoice 
can you help get it taken care of for us and once

0:12:18.840,0:12:25.600
that money goes out the door and the criminal 
activity is discovered the organization says okay

0:12:25.600,0:12:30.600
let's look at our insurance policies the Cyber 
insurance policy that they had may have been

0:12:30.600,0:12:36.480
phenomenal they may have $5 million of coverage 
but the problem is there was no damage to the

0:12:36.480,0:12:43.200
network or activity that was defined as a Cyber 
attack the BEC or that business email compromise

0:12:43.200,0:12:48.960
activity generally falls under typical fraud and 
in that case their criminal liability coverage

0:12:48.960,0:12:55.480
was only $10,000 so you have a mismatch between 
what's the value of the harm that can occur and

0:12:55.480,0:13:00.240
through what method and the levels of protection 
that the company has bought for itself yeah and

0:13:00.240,0:13:07.320
that sort of goes to another level of diligence 
which is you you almost these days have to assume

0:13:07.320,0:13:12.800
for some of these kinds of movements of money or 
movements of information that somebody else from

0:13:12.800,0:13:17.640
the outside is watching in other words they could 
have gotten in through a lower level staffer like

0:13:17.640,0:13:22.400
what happened to the SEC they're going to quickly 
turn their attention to the actions of the people

0:13:22.400,0:13:27.320
who actually are moving money or information 
or whatever else it is watch them wait for

0:13:27.320,0:13:32.640
that moment that you're describing but those 
folks have got to be diligent about the conduct

0:13:32.640,0:13:38.400
of their business as if somebody is watching 
particularly for these last minute changes to

0:13:38.400,0:13:44.160
the movement of whether it be data information 
or or cash that's where the rubber often meets

0:13:44.160,0:13:50.440
the road here right yes uh if you are dealing 
with scenarios where there are time-sensitive

0:13:50.440,0:13:56.080
financial transactions so whether it's M&A activity 
whether it's closing on real estate and other

0:13:56.080,0:14:02.720
large events everybody feels under the gun and you 
know if it's anything like you know when I've when

0:14:02.720,0:14:06.920
I've purchased homes or sold homes in the past 
there's a flurry of activity right around the

0:14:06.920,0:14:13.520
closing date and people are looking to get the 
job done so they're looking to be team players

0:14:13.520,0:14:21.200
but that's an opportunity that is ripe for a 
criminal to step in and abscond with the money so

0:14:21.200,0:14:27.920
what kind of advice do you give to organizations 
and individuals to to deal with that part of it

0:14:27.920,0:14:36.480
in other words it's not just you're looking for 
the phishing but you're also protecting your own

0:14:36.480,0:14:42.040
activities and the movement of money during these 
high-pressure times or times when somebody would take

0:14:42.040,0:14:47.360
advantage of it at the last minute I think some 
of the practice activities that senior leaders

0:14:47.360,0:14:52.600
have to endure and hopefully they do endure it I 
mean they should look at this as a way to assist

0:14:52.600,0:15:00.480
with their risk management processes and controls 
would be to schedule tabletop exercises where you

0:15:00.480,0:15:08.880
get the senior leader group in and the general 
counsel or the CIO or the CTO have come up with

0:15:08.880,0:15:15.680
a scenario and I've run these exercises in some 
cases with clients where I mean you can game

0:15:15.680,0:15:20.240
it out to a certain extent you buy them lunch so 
everybody's at least getting food while you make

0:15:20.240,0:15:26.960
them suffer for 90 minutes or two hours and tell 
you know pick a card any card and out of that deck

0:15:26.960,0:15:32.840
there will be a typical Ransom scenario which a 
lot of companies are familiar with now but another

0:15:32.840,0:15:40.320
one can be a business email compromise event or 
I think where we'll probably see activities shift

0:15:40.320,0:15:47.760
to in 2024-25 is for larger companies where 
they have the risk of moving the market an

0:15:47.760,0:15:54.960
AI deepfake on video you imagine if you have a
Fortune 100 company and suddenly onto social media

0:15:54.960,0:16:01.960
there is a fake video of the CEO talking about the 
company headed toward chapter 11 utterly fake and

0:16:01.960,0:16:07.840
not affecting that company's networks or its data 
but how would you get your Communications team in

0:16:07.840,0:16:13.760
place to deal with this and what would they do 
in response to try and remediate the problem so

0:16:13.760,0:16:19.200
those exercises are not intended to give you a 
perfect answer to a given situation but it's to

0:16:19.200,0:16:24.320
allow the organization to get used to having to 
communicate across stakeholder lines and across

0:16:24.320,0:16:30.280
business units so that when the real event happens 
that will be a completely different fact pattern

0:16:30.280,0:16:35.680
from what is practiced they're used to getting 
the process going and talking and now the deep

0:16:35.680,0:16:43.080
fake issue I think is particularly challenging 
because let's take the business email compromise

0:16:43.080,0:16:50.400
situation I know for instance law firms and real 
estate brokers and title companies have all moved

0:16:50.400,0:16:57.720
towards a system with where for instance uh you 
get on the telephone and confirm a wire transfer

0:16:57.720,0:17:04.240
before anything leaves because so many of those
transactions were targeted by scammers and hackers

0:17:04.240,0:17:08.880
who were getting in between those transactions and 
having the last minute again change to their own

0:17:08.880,0:17:15.360
accounts but if the telephone call you make can 
go to somebody or you get a telephone call from

0:17:15.360,0:17:24.200
someone whose voice has been deepfaked or even
get on a zoom and you're staring at the CEO who's

0:17:24.200,0:17:29.520
pounding on the table saying you need to get this 
check out the door or transfer this money wire

0:17:29.520,0:17:33.840
this money tomorrow or our company's in trouble
you know this is going to be make things much

0:17:33.840,0:17:39.000
more difficult right right no I think you're 
correct and that's one of those aspects where

0:17:39.000,0:17:45.680
brainstorming about it in a tabletop can allow a 
company to think about what processes or controls

0:17:45.680,0:17:51.080
would they want to put in place before they're 
dealing with the time sensitive project so if they

0:17:51.080,0:17:57.120
get to an aspect of and I like your approach and 
the recommendations on if you get the email about

0:17:57.120,0:18:03.200
a financial transaction switch over to a different 
communication platform and call the reminder or

0:18:03.200,0:18:07.760
the nuance piece of it as the criminals get more
sophisticated is don't call the phone number

0:18:07.760,0:18:11.680
that's in that same email because that's the one 
that the criminal put in there that they're going

0:18:11.680,0:18:18.240
to pick up and answer you know jump onto the web 
find the main office and number for the company

0:18:18.240,0:18:23.680
that you're involved with and drill down to get 
to the person through an independent means so that

0:18:23.680,0:18:29.920
can help to reduce the risk there another protocol 
or thought to consider and again this will be

0:18:29.920,0:18:36.400
company specific and risk tolerance specific for 
each organization is if you've got financial

0:18:36.400,0:18:41.520
transactions that hit certain thresholds how many 
approvals do you need to have in the process to

0:18:41.520,0:18:47.480
make it happen you know for some companies a 
$1,000 wire transfer might be a rounding error

0:18:47.480,0:18:51.800
and that may not require three or four people 
to stop what they're doing to approve it but for

0:18:51.800,0:18:58.240
a small business it could be significant and on 
the flip side if you've got $100,000 or $250,000

0:18:58.240,0:19:05.040
transaction maybe that needs three signatures 
and involvements and the cfo's always got to be

0:19:05.040,0:19:10.960
involved with his digital signature on the email 
you know companies can game that out and figure

0:19:10.960,0:19:15.480
out what's going to work for them but it's far 
better to run that scenario in advance rather than

0:19:15.480,0:19:21.000
after the fact yeah you know this the idea again 
we're talking about vulnerability through human

0:19:21.000,0:19:27.760
beings and how do you change human beings Behavior 
to me I think one of the things that's deficient

0:19:27.760,0:19:32.880
in a lot of the training is to tell people you 
need to do this this this and this but not give

0:19:32.880,0:19:39.320
them the background of how the Bad actors have 
succeeded in the past and how people have been

0:19:39.320,0:19:45.680
actually scammed and tricked and how how they're 
able to circumnavigate that is the Bad actors the

0:19:45.680,0:19:51.200
various protections that are put in place because 
I think unless you can almost see it from the the

0:19:51.200,0:19:57.480
other side it's not real and it makes you think 
that you know here I am like you said I've got to

0:19:57.480,0:20:05.600
take this class I got to check this box but you 
don't realize that even a relatively low-level or

0:20:05.600,0:20:13.200
you know certainly not someone sitting in the C-suite 
can do something which drastically affects

0:20:13.200,0:20:18.840
the the company's bottom line could actually 
be a bet the company disaster and if you give

0:20:18.840,0:20:25.760
real world scenarios like the deepfake like what
happened here with the SEC it brings it home a lot

0:20:25.760,0:20:30.960
more and I a lot of the trainings I see don't do 
that they speak about about the what you should do

0:20:30.960,0:20:36.520
not why you should do it or how other people have 
been able to defeat it and building on that point

0:20:36.520,0:20:42.760
companies that do try to tailor their training and 
their awareness programs to tangible examples not

0:20:42.760,0:20:48.160
only does it resonate with the employees I have 
had conversations with Regulators as we have

0:20:48.160,0:20:54.680
been discussing a data breach disclosure for that 
company and we have walked through how the intruder

0:20:54.680,0:21:00.320
got in how we discovered it what we did in 
response and then what we did afterwards you know

0:21:00.320,0:21:07.640
I was pleased to have clients that have been able 
to say we took this scenario from June of 2023

0:21:07.640,0:21:14.920
and put it into our October 2023 new fiscal year 
training schedule and for some of the Regulators

0:21:14.920,0:21:20.640
for that industry sector they're amazed I think 
that's fabulous I grew up in the military Aviation

0:21:20.640,0:21:26.960
Community we were always talking about accidents 
and mishaps that had happened recently what the

0:21:26.960,0:21:33.280
root causes were and what we could do to prevent 
them that has for the aviation industry been a

0:21:33.280,0:21:38.480
Bedrock of how to develop a safety culture and 
I think it works well for developing a security

0:21:38.480,0:21:47.160
culture as well great Point how about the other 
human problem which is an Insider who's actually

0:21:47.160,0:21:51.760
decided so you can have all the training in the 
world but if you have someone in your organization

0:21:51.760,0:21:58.920
who's got a malign sort of mindset here how much 
of a factor is that and what kind of thoughts have

0:21:58.920,0:22:04.720
about dealing with that problem Insider threats 
continue to be a significant problem or in a risk

0:22:04.720,0:22:12.120
that companies need to think about and managing 
and in part because there are a variety of types

0:22:12.120,0:22:17.720
of Insider threats that you need to account 
for you have the malicious Insider which is a

0:22:17.720,0:22:23.520
disgruntled employee that has a bone to pick 
with the organization or is they're getting

0:22:23.520,0:22:27.400
ready to leave and they're going to go somewhere 
else and they want to take advantage of things

0:22:27.400,0:22:35.240
for competitive reason you're going to have the 
negligent Insider that literally just didn't pay

0:22:35.240,0:22:39.200
attention to the training doesn't believe in 
any of this stuff has no idea why these things

0:22:39.200,0:22:46.720
are a concern is disengaged from work and is just 
careless and then you can have compromised users

0:22:46.720,0:22:51.480
and under the compromised user I would encourage 
organizations to think about that as one of your

0:22:51.480,0:22:56.720
employees that you have a duty of care to help and 
protect they may be compromised because they're

0:22:56.720,0:23:02.320
under Financial stress they may be exploited 
or leveraged you know without even knowing it

0:23:02.320,0:23:07.960
perhaps they had an innocent mistake of using 
the same passwords on three different accounts

0:23:07.960,0:23:12.800
one of which is personal that's the one that gets 
compromised but the attacker then looks at their

0:23:12.800,0:23:17.160
social media accounts and then says let me try the 
same username and password for the work account

0:23:17.160,0:23:23.680
and they get in that way so trying to protect 
or encourage people to take those steps can go

0:23:23.680,0:23:31.000
a long way toward addressing the problem there 
are technological steps such as user Behavior

0:23:31.000,0:23:37.000
analytics that can be done to figure out and this 
sounds conspiratorial or you know cloak and dagger

0:23:37.000,0:23:42.880
but the steps do work of as far as figuring 
out when are people logging in are they doing

0:23:42.880,0:23:47.640
it during normal business hours or do we have a 
couple of employees that are always logging in

0:23:47.640,0:23:53.320
at 10 o'clock at night and downloading a lot of 
material those can be some of the cues updating

0:23:53.320,0:23:58.680
privilege and access rights based on a person's 
job responsibility not that they're and and think

0:23:58.680,0:24:04.880
about it both ways promotions and demotions as a 
person moves up the corporate ladder and gets into

0:24:04.880,0:24:10.800
bigger roles they may not need that admin access 
right that they used to have and you can take

0:24:10.800,0:24:16.240
and reduce your attack surface with some of those 
administrative and procedural steps I mean from my

0:24:16.240,0:24:20.880
perspective I look at it sort of the same way that 
companies should be dealing with whistleblowers

0:24:20.880,0:24:27.480
is if you know your Workforce if you are providing 
them with the right sort of cultural opportunities

0:24:27.480,0:24:33.160
to let you know when there's a problem this notion 
of signs and if you go around government

0:24:33.160,0:24:38.280
buildings all the signs talk about Insider threats 
you know it's the rest of the workforce that's

0:24:38.280,0:24:43.600
going to tell you that Jim's a problem he's 
disgruntled and I saw him in the office last

0:24:43.600,0:24:48.680
night online he was green at 2:00 in the morning
when I couldn't sleep and checked my emails that

0:24:48.680,0:24:54.600
culture of reporting things and having an open way 
of communicating with your even your disgruntled

0:24:54.600,0:24:58.880
employees so that they have an opportunity to 
talk to you I think is extremely important in

0:24:58.880,0:25:06.000
this context as well no you know you're absolutely 
right and coordination between the IT department

0:25:06.000,0:25:11.200
the HR departments to try and have those 
protective measures in place so that people know

0:25:11.200,0:25:16.800
that they can get help and support if they need it 
but also that the workforce as a whole understands

0:25:16.800,0:25:22.080
that this is not intended to be big brother 
looking over the shoulder but there is a benefit

0:25:22.080,0:25:27.360
or a protection of the organization protection of 
their employment because you wouldn't want to have

0:25:27.360,0:25:33.560
it bet the company or kill the company event as a 
result of someone else absconding with corporate

0:25:33.560,0:25:40.200
data well Erik thank you very much as usual uh
your insight's valuable very helpful and uh we

0:25:40.200,0:25:45.240
appreciate you coming on the show and uh again for 
folks who want to look at your bio uh we'll have

0:25:45.240,0:25:51.240
it in the show notes happy to do it thanks great 
thanks for joining us on The Justice Insiders we

0:25:51.240,0:25:56.560
hope you enjoyed this episode please go to Apple 
Podcasts or wherever you listen to podcasts to

0:25:56.560,0:26:02.960
subscribe rate and review The Justice Insiders 
I'm your host Gregg Sofer and until next time be

0:26:02.960,0:26:10.160
well
