In this episode, Frank and Andy interview Dana Mantilia on Why Humans are the Weakest Link in CyberSecurity.
Hello and welcome to data driven.
The podcast where we explore the emerging fields of data science, machine learning and artificial intelligence.
In this episode, Frank and Andy speak to Dana Mantilia about cybersecurity and why companies are not investing their time and attention where they should be.
This episode was originally recorded on a live stream and this was the first time we had a guest join us on the life stream for a show.
Season 4 just keeps the innovations coming.
Without further ado, here are your hosts Frank Lavigna and Andy Leonard.
Alright, thanks for tuning into data driven. If you're watching this live, thank you for taking time out of your day. I realize this being the lead up to the Holidays. Things are kind of hectic. I know in Chateau Lavigna things are very hectic today.
Andy and I are happy to announce a new guest that we have with us. I first saw her on LinkedIn when she would do these really cool training videos.
On basically security topics.
An with with Black Friday, literally a week from now Cyber Monday and the just the The Creativity alarmingly creative and flexibility of scammers that we've had in light of the kovid, pandemic etc etc.
I figured it would be worth having kind of a good discussion about just the basics of cyber security and why it's important my wife happens to be in the cyber security field, so I'd like to think that I'm better prepared, but I know if you think you're better prepared, that's probably a vulnerability.
So welcome to the show, Dana.
Well, thank you for having me nice to be here.
So this is you are actually the 1st guest. We're going to have on the show that we interviewed live on a live stream first on video.
Very honored, very.
Honored so awesome. We're trying to push the boundaries for season four, so tell us a little bit about you and your company for those that haven't seen your videos on LinkedIn.
OK sure yeah. My name is Dana Mantilia an I am the founder of identity Protection Planning an we tried to help educate people in very layman's terms on how they can protect themselves from identity thieves and cybercriminals. And so we have a variety of different kinds of training. Either you know, training data, webinars, some videos or we have an on line.
Platform that's short little videos that everyone is required to watch.
And just to kind of start spreading the word, I mean cybersecurity is not going away and unfortunately the the frontline workers are the people that really are maybe not educated on it and they also are the ones that are clicking on things they shouldn't be clicking on so.
No, so that's a good point. So one of your most recent videos, and this is the one that made me think we should have her on the show.
Was the one the gift card scam and how?
Somebody in your organization got snared up in this.
Yeah, I mean it's.
It's crazy, I mean that the way that I did that little video is how exactly how it happened. She came to my office door with her codon and I said, well, why do you have your code on and she said, oh I'm going to get that stuff you need and I said well, what stuff are you talking about? And she said this stuff, we were just messaging back and forth about. I said I was. I've been sitting here at my office just doing work I didn't.
Message you about anything.
So then she showed me and they they person initially sent an email that looked like it was kind of from my email very similar, which is always usually what they do. And then you know the urgency factor. I always tell people when there's a sense of urgency. We have to stop and say, is this really a big big emergency here to go buy gift cards? But people want to please their boss so they get these emails and they act upon them.
So she then then the person said, can you give me your email? I mean your cell phone. I wanted to text you this. So then the conversation jumped over to her cell phone and now they're texting back and forth and she said, well, how am I going to pay for these?
And then he said, well, you know what? Just when you get to the store, read off the numbers in the back of the card and then when you get back I'll reimburse you. So they were. I mean, it was just back and forth and back, but anybody would have fallen for this anybody.
Wow, the thing that struck me is the most insidious part.
It's how they moved away from email pretty early in the process, because maybe I mean it was a good. I mean, there's a I don't know. As a data scientist, I I hate giving out statistics, but let's say it was a 5050 chance that that person had your cell.
Millimeter like an an. It's a good gambit for them because I guess they didn't have your number already saved in their phone, so they could have this whole conversation with you, right? Yeah, an I would assume that folks in your organization are well trained.
Well, we're at least talking about this stuff right times. That's that's a startling factor, is that?
You know we're talking about all these things all the time and we we totally almost fell for it so.
Well, I never disclosed this publicly.
Until I'll do it now is that one time Microsoft? I work for Microsoft, they they pay the mortgage, they pay for the electricity and it goes through the my little monitor display there.
But they will routinely send out kind of phishing emails.
And it will be like urgent you have to, like, you know, do this because your expense report or something like this. And I shouldn't admit this publicly, but I did I was driving. I see this like emergency thing come through. I'm like the screen and I'm like.
So I didn't think I clicked on it and it it got it. It it it got a there was there was there should have been an animated GIF of like somebody?
At the company doing this, but it was like this. It was this like badge of shame of like hey you fell for this uh huh.
You know, and I was like crap and I was like I learned. 2 lessons one.
Pull over first.
If I can't mouse over the link.
Probably shouldn't click on it, right?
And three is just.
That sense of urgency.
Um was what really like, and maybe there's a psychological thing to this where it just tricks off like this. The primordial brain, or I know there's the three brain model and Andy and I go off on tangents a lot. Dan, I should warn you, but not us. Ultimately the idea is that once you're kind of anxious about something right, your higher brain functions are going, if not shut off kind of be pushed aside.
And all you have to do is click the link to get your answer or whatever I mean.
It seems like these folks are well versed in this type of psychology.
Yeah, and they also know too that you know every when you're on your mobile, everybody is rush rush rush rush rush for rushing on the mobile phone all the time and that is a little scary because sometimes even when you look on the mobile you can't even see who it's from. It'll it'll you know. Just say a name or something like even some of the Apple ones that come out. Don't say oh it's from Apple, but that's not the exact. Doesn't show you the phone number or whatever it is. It's just.
Summer has put up there. As you know The Who it's from kind of thing, so yeah.
There's a lot of things we need to all.
Start doing or not doing.
Right, it's it's an interesting. It's just fascinating that with all this advances in cybersecurity, and I've seen a lot of the things that the technical we're not going to go into.
Humans are like the weak link.
Yeah, definitely, and that's the frontline to most of the stuff and you know the urgency factor just to go back to that real quick one. Scam that that that is targeted at seniors.
Is the grandparent scam, and So what they do is they will call up and pretend that there's someone's grandson or granddaughter and something crazy happened like there's held hostage in a Mexican jail or something and they need to have money right away wired to them so that they can, you know, get out of there. So then to make it even sound more valid, they put the prison guard on the phone and they say, you know who?
This is the information. This is where you need to send it to, and he's a very stern person and these people really do fall for this and a lot of the people Western unions around the country. They they know that this.
Time is running rampant, so they'll try to stop people. I did a speech to speech the other day or whatever. I talked the other day and they were about probably about 1000 people on there and nobody said anything when I brought this up. And then at the end when we had the Q&A, there had to at least be 25 to 50 people. That said, my my mother fell for this and she would not believe that it wasn't my son. You know another one.
Edit There there there's a scam was that they said that their grandson was had drugs in the car and was with some guy that he was going fishing with and it was just one after the.
And a lot of the time that seniors won't even admit that this happens because they're embarrassed by it, and then they're afraid that their children, their adult children are not going to let them manage their finances. So again, it's a whole play. An urgency plan, emotion, and you're not even thinking straight. I mean, if somebody came up to you and said your grandson is in a Mexican jail right now.
And we need to give money. You do stop and think a little bit, but the way we act on line is very different than the way we act when we're here. We act on the phone when somebody calls, we want to believe them. Then we would act.
As if they were standing in front of us, so that's kind of some of the awareness that I like to to spread is safe. Just ask yourself if this person was standing here and this conversation was happening, would it sound crazy, you know?
So Dana, we talked a lot about the problem and how do we make ourselves shift gears like that? How do we engage, you know, Mentale in a way that maybe defeats the Sergeant.
Well, you know cybersecurity training has been, you know, going on over the years. The problem is getting bigger and bigger and bigger and we're throwing more and more money at it. And it's not getting any better, right? Yeah, so I say we need to approach it. I look at things a little bit differently, so usually it's the IT department that's responsible for putting together a program to teach the regular, non technical people.
What they need to do and not do so, they're forced to sit through an hours worth of training. They're about to fall asleep. All they want to do is be able to get through it so they can check off the box that they actually went. They did it, that's it, and I don't think that's the best way to teach people what I think we should do is we should start teaching them how they can protect themselves, their families, their homes. There's going to get some interests are going to say hey, you know that's.
I better call my mother and tell her to watch out for that, or I better make sure my son's not doing that and there's a there's a buy in there. So now once you get that buy in, there's an awareness that we need to start protecting things.
And then when you're talking about the at the company, you've already educated them on how they should be looking at their emails. Then now they know how that they need to be looking at the emails with the company, 'cause emails is pretty much where most of the problems are starting from, so so I just think it's if we looked at it a little bit differently, maybe we would be getting through to people a little bit different.
Well, I like your approach because we've already kind of walked through a lot of this, and we've said that it's not a technical issue at all, an.
Being a night person and Frank just Frank admitted earlier that were high functioning. You know, savants. Basically Frank and I were both 80 D and you know. And it's.
A normal account cards in Vegas though, which I totally feel shaded. I'm sorry, alright cut off, that's OK, it was funny.
Yeah, but you know it.
Having the app when you were just describing that I was imagining people that you know, even my you know my cellphone Frank doing this and we're like I said kind of high functioning but normal IT people and nothing against normal IT people I love you, I mean it but having them try to explain something nontechnical. 'cause if if we've identified that the issue is not really a technical.
Problem and we throw money at it and bought deer. Develop software that others have built and all of that really what's happening here is very psychological.
So I would. I would think that that that approach you just described having a non technical person walk through this, which sounds to me very emotional scenario that comes at you. You know on.
People you love an urgency and it's on your phone. And it's like every card that the scammers have is being played against. Especially older people who are not familiar but not as familiar with the technology as some of us.
Uh-huh absolutely absolutely. So I just think it's a different way to approach things and it it comes across as if you're giving the employee a benefit as opposed to forcing them to sit down because you need to protect the company.
Yeah OK, great.
So that's what I have to do, you know, kind of thing.
So we'll just envision mandatory training. Sorry, I just had a vision of office space of.
Well, you know, is this good for the company that banner?
Friday is Crazy shirt day.
There's a movie reference for the show, Andy, that could you?
I don't have my sound board.
You don't have your sound.
Now that's one of the disadvantages of switching to LinkedIn. Live will fix it. You know us where engineers Andy?
So the the question I guess is.
How do so? Yeah, I mean I think it was really insightful. Was you know my wife bought a bunch of studies of books to study for the CI, SSP and all that. And it's like a I mean, it's a it's a book and.
It's not technical, you're right. I mean, people are the weak link and I think.
People, and then that whole like you brought out the whole shame factor. Like I'm not going to admit like I mean that thing would happen to me. I got caught by our internal team, right? I was a year ago and I'm just admitting it now. Like you know. And and I did that on purpose because, well, I didn't hide it on purpose. Well, I guess I did, but I wanted to.
To point out is that there's not a lot of shame. I mean, the shame of this, I think is a big barrier, isn't it? To protection, isn't it?
Yeah, definitely it is. Yeah, we all have to get over that. Oh my goodness, I don't wanna be the one that you know.
Took the company down. I don't want to be the one that you know did this or let this in or what you know, whatever. Whatever the case may be, it's definitely a shame factor is is a big thing and and recognizing that the people are the biggest thing and one thing is that cyber security training, right? So it's going on a little bit here and there. The big companies much more so some of the smaller companies and medium size companies. There is nothing. It's like the Wild West going on out there so you know whatever you think your secretary is comfortable clicking on.
That's what she's clicking on.
So that's where we need to say, OK, this is a whole new industry and it's you know, it's it's it's it's. It's exploding right now and I think over the next three to five years cybersecurity training is going to be. It's going to be everywhere and everybody. Even the small companies are going to have to going to have to do something along those lines, but.
That being said, so because it's so new again, going back to the IT department, if you said to anybody five years ago, you know something about cybersecurity, they probably don't even really know what you're talking about. They say you need to talk to the IT department.
So we always just that pass up. Oh, that's a night thing we don't get involved in that. It's a night thing and like you we've all just been talking about it's not it's it's the people that IT thing might be perfect. You know maybe they have at the firewall or whatever all that stuff they need to do. But it's the people are just clicking on it, downloading things, you're going nowhere.
No, that's true. I mean, you can have the best firewall and all that packets like lock down to the teeth, but I mean if if somebody behind the firewall clicks on the.
Clicks on the link.
It's kind of like if you want to imagine like this is. This is the image I have is well, First off. I think the problem might be the term cyber security, right? 'cause when you hear the term cyber security I think of like somebody like with this type of monitor setup. You know like yeah right. You know like hacking away at the matrix or something like that like yeah.
No, it's not. It doesn't have to be. I mean, there's a....