In this episode, Frank and Andy interview Dana Mantilia on Why Humans are the Weakest Link in CyberSecurity.
https://www.linkedin.com/posts/frank-lavigne_data-driven-live-with-dana-mantilia-activity-6735628251328204800-Qjwq
AI Generated
00:00:05 BAILeY
Hello and welcome to data driven.
00:00:08 BAILeY
The podcast where we explore the emerging fields of data science, machine learning and artificial intelligence.
00:00:16 BAILeY
In this episode, Frank and Andy speak to Dana Mantilia about cybersecurity and why companies are not investing their time and attention where they should be.
00:00:26 BAILeY
This episode was originally recorded on a live stream, and this was the first time we had a guest join us on the live stream for a show.
00:00:34 BAILeY
Season 4 just keeps the innovations coming.
00:00:38 BAILeY
Without further ado, here are your hosts, Frank Lavigne and Andy Leonard.
00:00:44 Frank
Alright, thanks for tuning into Data Driven. If you're watching this live, thank you for taking time out of your day. I realize this being the lead-up to the holidays, things are kind of hectic. I know in Chateau Lavigne things are very hectic today.
00:00:59 Frank
We
00:01:00 Frank
Andy and I are happy to announce a new guest that we have with us. I first saw her on LinkedIn when she would do these really cool training videos.
00:01:10 Frank
On basically security topics.
00:01:14 Frank
And with Black Friday literally a week from now, Cyber Monday, and just the creativity, alarmingly creative, and flexibility of scammers that we've had in light of the COVID pandemic, etc., etc.
00:01:32 Frank
I figured it would be worth having kind of a good discussion about just the basics of cybersecurity and why it's important. My wife happens to be in the cybersecurity field, so I'd like to think that I'm better prepared, but I know if you think you're better prepared, that's probably a vulnerability.
00:01:50 Frank
So welcome to the show, Dana.
00:01:52 Dana
Well, thank you for having me nice to be here.
00:01:55 Frank
So you are actually the first guest we're going to have on the show that we interviewed live on a live stream, first on video.
00:02:02 Dana
Very honored, very.
00:02:03 Frank
Honored so awesome. We're trying to push the boundaries for season four, so tell us a little bit about you and your company for those that haven't seen your videos on LinkedIn.
00:02:15 Dana
OK, sure, yeah. My name is Dana Mantilia and I am the founder of Identity Protection Planning, and we try to help educate people in very layman's terms on how they can protect themselves from identity thieves and cybercriminals. And so we have a variety of different kinds of training. Either, you know, training data, webinars, some videos, or we have an online
00:02:35 Dana
Platform that's short little videos that everyone is required to watch.
00:02:38 Dana
And just to kind of start spreading the word. I mean, cybersecurity is not going away, and unfortunately the frontline workers are the people that really are maybe not educated on it, and they also are the ones that are clicking on things they shouldn't be clicking on.
00:02:54 Frank
No, so that's a good point. So one of your most recent videos, and this is the one that made me think we should have her on the show.
00:03:00 Frank
Was the one the gift card scam and how?
00:03:04 Frank
Somebody in your organization got snared up in this.
00:03:08 Dana
Yeah, I mean it's.
00:03:09 Dana
It's crazy. I mean, the way that I did that little video is exactly how it happened. She came to my office door with her coat on and I said, well, why do you have your coat on? And she said, oh, I'm going to get that stuff you need. And I said, well, what stuff are you talking about? And she said, this stuff we were just messaging back and forth about. I said, I've been sitting here at my office just doing work. I didn't
00:03:28 Dana
Message you about anything.
00:03:30 Dana
So then she showed me, and the person initially sent an email that looked like it was kind of from my email, very similar, which is usually what they do. And then, you know, the urgency factor. I always tell people, when there's a sense of urgency, we have to stop and say, is this really a big emergency here, to go buy gift cards? But people want to please their boss, so they get these emails and they act upon them.
00:03:50 Dana
So then the person said, can you give me your email? I mean, your cell phone. I wanted to text you this. So then the conversation jumped over to her cell phone, and now they're texting back and forth, and she said, well, how am I going to pay for these?
00:04:02 Dana
And then he said, well, you know what? Just when you get to the store, read off the numbers on the back of the card, and then when you get back I'll reimburse you. I mean, it was just back and forth and back, but anybody would have fallen for this. Anybody.
00:04:13 Frank
Wow, the thing that struck me is the most insidious part.
00:04:17 Frank
It's how they moved away from email pretty early in the process, because, I mean, it was a good... I don't know. As a data scientist I hate giving out statistics, but let's say it was a 50/50 chance that that person had your cell
00:04:30 Frank
Phone number.
00:04:31 Frank
Mm-hmm. Like, it's a good gambit for them, because I guess they didn't have your number already saved in their phone, so they could have this whole conversation with you, right? Yeah, and I would assume that folks in your organization are well trained.
00:04:46 Dana
Well, we're at least talking about this stuff, right? That's the startling factor, is that
00:04:52 Dana
you know, we're talking about all these things all the time, and we totally almost fell for it.
00:04:57 Frank
Well, I never disclosed this publicly.
00:05:00 Frank
Until now, and I'll do it now: one time Microsoft, I work for Microsoft, they pay the mortgage, they pay for the electricity, and it goes through my little monitor display there.
00:05:12 Frank
But they will routinely send out kind of phishing emails.
00:05:16 Frank
And it will be like, urgent, you have to, like, you know, do this because of your expense report or something like this. And I shouldn't admit this publicly, but I was driving. I see this like emergency thing come through on the screen and I'm like...
00:05:30 Frank
So I didn't think, I clicked on it, and there should have been an animated GIF of, like, somebody
00:05:38 Frank
at the company doing this, but it was like this badge of shame of, like, hey, you fell for this. Uh huh.
00:05:45 Frank
You know, and I was like, crap. And I learned two lessons. One:
00:05:51 Frank
Pull over first.
00:05:53 Frank
If I can't mouse over the link.
00:05:56 Frank
Probably shouldn't click on it, right?
00:05:58 Frank
And three is just.
00:06:00 Frank
That sense of urgency.
00:06:01 Frank
Um, was what really, like... and maybe there's a psychological thing to this where it just triggers, like, the primordial brain. I know there's the three-brain model. Andy and I go off on tangents a lot, Dana, I should warn you. But ultimately the idea is that once you're kind of anxious about something, right, your higher brain functions are, if not shut off, kind of pushed aside.
00:06:24 Frank
And all you have to do is click the link to get your answer or whatever I mean.
00:06:28 Frank
It seems like these folks are well versed in this type of psychology.
00:06:33 Dana
Yeah, and they also know, too, that when you're on your mobile, everybody is rush, rush, rush, rushing on the mobile phone all the time, and that is a little scary, because sometimes even when you look on the mobile you can't even see who it's from. It'll just say a name or something. Even some of the Apple ones that come out don't say, oh, it's from Apple, but that's not exact. It doesn't show you the phone number or whatever it is. It's just
00:06:55 Dana
someone has put up there, as you know, the who-it's-from kind of thing. So yeah.
00:07:00 Dana
There's a lot of things we need to all.
00:07:01 Dana
Start doing or not doing.
00:07:03 Frank
Right, it's interesting. It's just fascinating that with all these advances in cybersecurity, and I've seen a lot of the technical things that we're not going to go into,
00:07:14 Frank
Humans are like the weak link.
00:07:16 Dana
Yeah.
00:07:18 Frank
That's crazy.
00:07:20 Dana
Yeah, definitely, and that's the front line to most of the stuff. And, you know, the urgency factor, just to go back to that real quick. One scam that is targeted at seniors
00:07:29 Dana
is the grandparent scam. And so what they do is they will call up and pretend that they're someone's grandson or granddaughter and something crazy happened, like they're held hostage in a Mexican jail or something, and they need to have money right away wired to them so that they can, you know, get out of there. So then, to make it sound even more valid, they put the prison guard on the phone and they say, you know,
00:07:49 Dana
this is the information, this is where you need to send it to, and he's a very stern person, and these people really do fall for this. And a lot of the people at Western Unions around the country, they know that this
00:08:00 Dana
is running rampant, so they'll try to stop people. I did a speech the other day, I talked the other day, and there were probably about 1000 people on there, and nobody said anything when I brought this up. And then at the end, when we had the Q&A, there had to be at least 25 to 50 people that said, my mother fell for this and she would not believe that it wasn't my son. You know, another one,
00:08:20 Dana
there's a scam where they said that their grandson had drugs in the car and was with some guy that he was going fishing with, and it was just one after the other.
00:08:30 Dana
And a lot of the time seniors won't even admit that this happens, because they're embarrassed by it, and then they're afraid that their children, their adult children, are not going to let them manage their finances. So again, it's a whole play on urgency, on emotion, and you're not even thinking straight. I mean, if somebody came up to you and said, your grandson is in a Mexican jail right now
00:08:50 Dana
and you need to give money, you do stop and think a little bit. But the way we act online is very different than the way we act when we're here. When somebody calls on the phone, we want to believe them, more than we would if they were standing
00:09:00 Dana
in front of us. So that's kind of some of the awareness that I like to spread: just ask yourself, if this person was standing here and this conversation was happening, would it sound crazy, you know?
00:09:11 Andy
So Dana, we talked a lot about the problem. How do we make ourselves shift gears like that? How do we engage, you know, mentally, in a way that maybe defeats the urgency?
00:09:25 Dana
Well, you know, cybersecurity training has been going on over the years. The problem is getting bigger and bigger and bigger, and we're throwing more and more money at it, and it's not getting any better, right? So I say we need to approach it differently. I look at things a little bit differently. So usually it's the IT department that's responsible for putting together a program to teach the regular, non-technical people,
00:09:46 Dana
You know?
00:09:46 Dana
what they need to do and not do. So they're forced to sit through an hour's worth of training. They're about to fall asleep. All they want to do is be able to get through it so they can check off the box that they did it. That's it, and I don't think that's the best way to teach people. What I think we should do is start teaching them how they can protect themselves, their families, their homes. That's going to get some interest. They're going to say, hey, you know,
00:10:10 Dana
I better call my mother and tell her to watch out for that, or I better make sure my son's not doing that, and there's a buy-in there. So now, once you get that buy-in, there's an awareness that we need to start protecting things.
00:10:20 Dana
And then when you're talking about the company, you've already educated them on how they should be looking at their emails. Now they know how they need to be looking at the emails at the company, 'cause email is pretty much where most of the problems are starting from. So I just think if we looked at it a little bit differently, maybe we would be getting through to people a little bit differently.
00:10:37 Andy
Well, I like your approach, because we've already kind of walked through a lot of this, and we've said that it's not a technical issue at all, and
00:10:45 Andy
being an IT person, and Frank just admitted earlier that we're high-functioning, you know, savants, basically. Frank and I are both ADD, and you know. And it's...
00:10:58 Frank
A normal account cards in Vegas though, which I totally feel shaded. I'm sorry, alright cut off, that's OK, it was funny.
00:11:06 Andy
Yeah, but you know it.
00:11:08 Andy
When you were just describing that, I was imagining people like, you know, even my cellphone, Frank doing this, and we're, like I said, kind of high-functioning but normal IT people, and nothing against normal IT people, I love you, I mean it. But having them try to explain something non-technical, 'cause if we've identified that the issue is not really a technical
00:11:31 Andy
problem, and we throw money at it and buy or develop software that others have built and all of that, really what's happening here is very psychological.
00:11:39 Andy
So I would think that that approach you just described, having a non-technical person walk through this, which sounds to me like a very emotional scenario that comes at you, you know, on
00:11:55 Andy
people you love, and urgency, and it's on your phone. It's like every card that the scammers have is being played against, especially, older people who are not as familiar with the technology as some of us.
00:12:08 Dana
Uh-huh, absolutely, absolutely. So I just think it's a different way to approach things, and it comes across as if you're giving the employee a benefit, as opposed to forcing them to sit down because you need to protect the company.
00:12:20 Dana
Yeah OK, great.
00:12:21 Dana
So that's what I have to do, you know, kind of thing.
00:12:24 Andy
So we'll just envision mandatory training. Sorry, I just had a vision of Office Space, of
00:12:30 Andy
well, you know, "Is this good for the company?" That banner.
00:12:33 Frank
Friday is crazy shirt day.
00:12:39 Frank
There's a movie reference for the show, Andy. Could you...
00:12:45 Frank
I don't have my sound board.
00:12:46 Andy
You don't have your sound.
00:12:48 Frank
Now that's one of the disadvantages of switching to LinkedIn Live. We'll fix it. You know, we're engineers, Andy.
00:12:55 Frank
So the question, I guess, is
00:13:01 Frank
how do... So, yeah, I mean, I think what was really insightful was, you know, my wife bought a bunch of books to study for the CISSP and all that. And it's like, I mean, it's a book, and
00:13:15 Frank
It's not technical, you're right. I mean, people are the weak link and I think.
00:13:20 Frank
people. And then that whole, like you brought out, the whole shame factor. Like, I'm not going to admit that thing would happen to me. I got caught by our internal team, right? It was a year ago and I'm just admitting it now. And I did that on purpose. Well, I didn't hide it on purpose. Well, I guess I did, but I wanted to
00:13:40 Frank
point out that there's a lot of shame. I mean, the shame of this, I think, is a big barrier to protection, isn't it?
00:13:47 Dana
Yeah, definitely it is. Yeah, we all have to get over that. Oh my goodness, I don't wanna be the one that, you know,
00:13:51 Dana
took the company down. I don't want to be the one that did this or let this in, or whatever the case may be. It's definitely a shame factor, it's a big thing, and recognizing that the people are the biggest thing. And one thing is that cybersecurity training, right, is going on a little bit here and there, the big companies much more so. Some of the smaller companies and medium-size companies, there is nothing. It's like the Wild West going on out there. So, you know, whatever you think your secretary is comfortable clicking on,
00:14:16 Dana
That's what she's clicking on.
00:14:17 Dana
So that's where we need to say, OK, this is a whole new industry, and it's exploding right now, and I think over the next three to five years cybersecurity training is going to be everywhere. Everybody, even the small companies, are going to have to do something along those lines, but
00:14:34 Dana
that being said, because it's so new, again, going back to the IT department: if you said to anybody five years ago, you know, something about cybersecurity, they probably didn't even really know what you were talking about. They'd say, you need to talk to the IT department.
00:14:46 Dana
So we always just passed that up. Oh, that's an IT thing, we don't get involved in that, it's an IT thing. And like we've all just been talking about, it's not. It's the people. The IT thing might be perfect, you know, maybe they have the firewall or whatever, all that stuff they need to do. But if the people are just clicking on it, downloading things, you're going nowhere.
00:15:04 Frank
No, that's true. I mean, you can have the best firewall and all that, packets, like, locked down to the teeth, but if somebody behind the firewall clicks on the...
00:15:13 Frank
Clicks on the link.
00:15:16 Frank
It's kind of like, if you want to imagine, like, this is the image I have. Well, first off, I think the problem might be the term cybersecurity, right? 'Cause when you hear the term cybersecurity, I think of, like, somebody with this type of monitor setup, you know, like, yeah, right, hacking away at the Matrix or something like that.
00:15:35 Frank
No, it's not. It doesn't have to be. I mean, there's a...