Stay Informed with the Gone Phishing Podcast | Phin

3 Things You Can Do to Be More Cyber Secure | EP 021

Written by phin | Jan 17, 2024 4:22:50 PM


Transcript:

Connor Swalm:

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey everyone, and welcome back to Gone Phishing. I am your host, Connor. I am the CEO at Phin Security. And today we're talking about what I think is a really awesome topic, which is, how does human vulnerability management tie into your everyday life?

So let me start this with a few anecdotal conversations I've had with some folks, which is, a lot of people ask specifically about cybersecurity, "Hey, I'm a nobody." I'm putting words in their mouth now. "But I'm not important enough to be targeted, right? Or I'm not important enough for this to be an issue for me. I don't have enough money to steal, enough information to steal. I don't have X, Y and Z. So of course, why would people be looking to steal from me? Because there's nothing to steal," or whatever it is. They perceive that there's no value in their own information. So kind of that branches into an overarching question that a lot of people have in their heads, which is, how does this tie into my everyday life? Why should I worry about it? And I'm going to try, at least by the end of this conversation here that you and I have, I'm going to try to convince you that you should care about it.

So first thing, human vulnerability management is basically about getting people to recognize social engineering, to recognize when somebody is attempting to steal information, access or money from them or from their business or from something or someone they're affiliated with, and attempt, the management part is attempting to get them to understand what's going on so they can stop it.

So if anyone has ever had money stolen from their bank accounts or had their identity stolen or been impersonated or had their wallet stolen, even, that's sometimes a form of social engineering. If somebody impersonated someone else to get into your home or your place of business, and so this can tie into every aspect of your life, not just your organization. And the first thing I'd like to mention here is everybody is vulnerable to cybercrime. It's not just the people at an organization who aren't incredibly, technically savvy. It's not even just the people who are very technically savvy. I can't tell you how many software developers and security technicians and cybersecurity experts that I've talked to that have said, "There's no way I'd be vulnerable to anything like that." And at all levels of technical prowess, at all levels of cybersecurity understanding, everyone is vulnerable. And as a result, everybody should take into account and everybody should attempt to practice some amount of HVM, human vulnerability management, in their life to prevent theft of information, access or money.

If anyone has ever had their identity stolen, sometimes it's of no fault of your own. It's maybe a company you work with who had your Social Security number that got breached, but sometimes it is of a fault of your own and you should have recognized when something was happening. But having your identity stolen is quite possibly one of the most frustrating things you can deal with. Not only because of how hard it is sometimes to prove you are who you say you are, but also to get everything unwound, to get bank accounts unmade, and to get, I guess, debt erased. I don't know. I've never had my identity stolen, so I'm not quite well versed in this area. But from those that I've talked to and, I don't know, family members and friends, it sucks. It's a hard thing to stop.

So everyone is capable of having that happen to them, regardless of how good or how careful they think they are. That's the first thing, is everyone is capable of making mistakes, everyone is capable of being vulnerable. Second thing, scams exist in your life every day, not just in the context of the company you work at or the business that you do. Like, scams that somehow target individuals do exist. Has anyone listening ever gotten a phone call from the IRS? I mean, I've done many webinars where people, I'll ask this question and people in the audience, you know, "I get those scam calls from the IRS every day." There's a reason they keep happening, because somebody, somewhere, at least in the US, I guess, is paying for this. "Pay this fee, or you're no longer in good standing with the IRS and we're going to put you in jail," or whatever those voicemails say these days. I just block them right when I see them. And so individuals could somehow get targeted, even though they may not be targeted, just based on the fact that they are a person. They just could get swept up into a larger source of information that got breached.

In an earlier episode I gave an example of this where, let's say you're working with an organization where you use, I don't know, let's say YouTube. Let's say you have a YouTube account, a Google account. And I'm not saying this has happened, but I'm saying, let's postulate for a second that YouTube got swept up into a breach and a bunch of the personal information of all of their people with other accounts, whether that was their browsing history or their YouTube videos or personal information that they stored in Google Drive, because it's all on Google, whatever it is, let's say all of that information and hundreds of thousands, if not millions of accounts got somehow stolen and then sold on the dark web or via some other kind of means that ended up being leveraged by a malicious individual. Well, of no fault of your own, you got swept up into that, right? You may have multifactor authentication on every single account. You may have rotated your passwords every six minutes, right? It doesn't matter at that point, you got swept up into a breach and that information was bought and sold, and then you could be targeted unintentionally as a result of that information being available and bought by some other malicious actor. So when people tell me it's like, "Oh, I'm not a target." Well, it doesn't matter. Everyone who's connected to the Internet is capable of being targeted of no fault of their own. That's what I've started to say to folks.

Another thing, third point here, is all sorts of scams can not only, I don't want to say, like, cross the blood-brain barrier, but cross the personal life, company life barrier, right? So if you have a work device on your home network, or vice versa, a personal device on your work network, if there is a risk in one of those environments, you could technically bring that to the other by introducing your own devices or introducing your work devices in your home environment. And if you read any recent breaches, a lot of them are a result of employees working from home, and then they have personal devices with personal software that is somehow vulnerable. And as a result, malicious actors get access to that personal device, find work-related materials, work-related information, work-related access through accounts that are automatically logged in on those devices, and then they use that, and they leverage that to their advantage. So even if you believed that the only context with which you were vulnerable was through the work you do for your organization, that can still translate to stuff you're doing in your own personal life as a result of how interconnected people's work and people's personal life is to this day. And so, as a result, what I say to folks is, don't just think that the second your nine to five is over, the second you close your laptop shell from your work laptop at the end of the day, that your risks as a human are done, are gone, because you're no longer, quote unquote, the source of a target, because you're no longer on company time, and you're no longer in those accounts and doing company-related stuff. That's just not the world we live in anymore. We're way too interconnected, not only with our companies, but as a society, for us to ever really be untargetable.

I don't know. Unless you lived in the woods, in a log cabin, and had no devices, and no place to mail things either, and nobody could call you. That's the only scenario that I could think of where you couldn't be the victim of cybercrime, is just because you wouldn't exist. But even then, you have an identity out there on the Internet that could get leveraged if you had no idea that it was getting stolen. So even then, there are scenarios where it's like, this is just something we're going to have to live with and understand, and it's not something that we can segment into our professional lives and pretend that it's gone when we're at home watching Netflix. It's always present, it's always there. It's not that you should be like, I don't want to give anyone anxiety over this. It's just a reality we live in, right, that everyone is capable of being targeted. And there's a lot of cross-functionality between your job and your personal life and your work. And sometimes you take it home, sometimes you don't. And so that's kind of the third reason that it impacts, ties into, your everyday life, is there's just a lack of separation at this point. We live in a world where there is very little separation between your job, unfortunately, I would say, between your job and your personal life.

So what are some things you could be doing in your everyday life to prevent this? I give a presentation to small business development centers, those are like SBDCs for short, where I go through common tips and tricks that individuals can do in their personal life in order to be a little more secure. So I'll give you a few of them here. First, and what I would recommend, it's also a little bit controversial: use a password manager. I can't tell you how many friends, how many family members, how many people, even those of you listening right now, how many of you right now use a Google Doc, a Microsoft Word doc, a physical file with loose-leaf paper in it to store your passwords and to keep track of all of them? And the fact of the matter is, you as the individual are way worse at securing that and making sure you don't lose access to it than a company like KeePass, or any other password manager really for that matter, is going to be. Now I know this is sounding rich coming off of a few months ago, LastPass getting breached and having some issues, but a statement I'll make, and I guess I would stand by, is I truly believe that having a password manager that rotates your passwords regularly, manages it all for you, and all you got to do is remember your one master password or keep it in a safe place, I truly believe that is more effective at making sure your accounts are secure.

Second piece that goes along with passwords: always. The sting. Never say never and never say always. I'm saying always here. So this is how you know it's really serious. Always use multifactor authentication. Always do it. And in the presentation I give, I'll go over a few ways. Long story short is, any amount of multifactor authentication, whatever kind of multifactor authentication it is, whether it's a text message, an app, your thumbprint, I don't know, a blood test, I don't know what people are doing these days for multifactor, whatever it is, any kind of multifactor authentication on every account you have is an infinite increase in the level of security that account now has. Because in order for that password and account to get actually misused and stolen, they would also need access to your second form of authentication, whether that was a little key fob, your thumbprint, your phone, whatever it is. They would need two things as opposed to just one. So I would say those are really two things that, if you just did those two things, you'd be incredibly more secure than the average individual. And I would say if you want a third, it'll give you a little bonus.

Third one, learn to recognize phishing emails. The quickest way to do that is hover over links before you click on them. And if they're not going to the tried and true Microsoft.com or facebook.com or Google or whatever these links they're trying to tell you to go to, if these URLs are not sending you to the tried, true and trusted web address for those organizations, just delete the email. And if you're really concerned, this is what I say to people who are concerned when they get emails like, "Hey, your bank has been compromised," or, "Your account has some suspicious charges. Please log in." Call your bank, go to your local branch, open up the website in a separate browser tab and log in and verify for yourself. But don't ever follow the links and follow the directed actions that are in those emails, because they're designed to get your brain to shut off and for you to say, "Oh, wow, I'm worried, I need to go handle this right now." These emails are designed for that to happen, for you to take that direct action, and for you to actually be insecure enough to go do that.

So I would say recognize phishing emails. So those are the three things. So I would say if you actually do those three things right, password manager, multifactor authentication, recognize phishing emails, you are the Superman of cybersecurity. Well, not quite. He's invincible, and no human is invincible, but you'd be incredibly... I can't even tell you how much more secure you'd be than the average individual. So just do those three things. So everyone, thank you for joining me once again.

I'm Connor, I'm the host of Gone Phishing. I'm the CEO at Phin Security as well. We talk about everything, human vulnerability management, making sure you are safe and secure in this super interconnected world that we have. And so please join me next time on the next episode of Gone Phishing.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot IO. Or click all of the wonderful links in our show notes.

Thanks for phishing with me today and we'll see you next time.
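Added example, not part of the episode or of Phin's own material: a small Python check that applies the "hover over the link first" advice above by extracting the real host from a hovered URL and comparing it against a constructed allow-list of trusted domains. The `TRUSTED_DOMAINS` set, the sample URLs and the simplified two-label `registrable_domain` helper are assumptions for illustration; it flags the common ways a link can contain a trusted name without actually going there.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the "tried and true" sites named in the episode.
TRUSTED_DOMAINS = {"microsoft.com", "facebook.com", "google.com"}


def registrable_domain(hostname: str) -> str:
    """Reduce a host to its last two labels: 'login.microsoft.com' -> 'microsoft.com'.
    Simplified on purpose; real code should consult the public suffix list (co.uk, etc.)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def link_verdict(href: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a hovered link, the way the episode tells listeners to judge it."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""          # hostname is already lower-cased by urlsplit
    if not host:
        return False, "no hostname in link"
    if parts.username is not None:
        # 'https://microsoft.com@other.example/' : the part before '@' is credentials, not the host
        return False, f"credentials before host; the real host is {host!r}"
    if host.replace(".", "").isdigit():
        return False, f"link goes to a bare IP address {host!r}"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, f"host {host!r} belongs to trusted {domain!r}"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            # e.g. 'microsoft.com.other.example': the trusted name is only a prefix
            return False, f"{trusted!r} appears inside {host!r} but the real domain is {domain!r}"
    return False, f"{domain!r} is not a trusted domain"


if __name__ == "__main__":
    # Constructed sample links a user might see on hover.
    for link in ("https://login.microsoft.com/",
                 "https://microsoft.com.other.example/login",
                 "https://microsoft.com@other.example/",
                 "http://192.168.0.1/login",
                 "https://rnicrosoft.com/"):
        ok, why = link_verdict(link)
        print(("OK     " if ok else "DELETE ") + link + "  (" + why + ")")
```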