Transforming Cybersecurity Awareness Training
Dune Security CTO Michael Waite joins Security by Default to break down how AI-boosted social engineering and identity-based deception are transforming enterprise user risk.


On this episode of the Security by Default podcast, Dune Security CTO and Co-Founder Michael Waite talks with Joseph Carson about the rapid evolution of AI-driven social engineering and how organizations can rethink user protection. Michael describes how generative AI has expanded attacker capabilities, enabling real-time vishing, deepfake impersonation, and identity-based deception that is increasingly difficult for employees to detect. He shares examples of how attackers combine AI with leaked personal data to reset credentials, disable MFA, and operate across off-channel and encrypted apps where enterprises lack visibility.
Michael also breaks down why legacy once-a-year awareness training does not prepare people for today’s attacks and what a modern, personalized, risk-based approach looks like. He shares how organizations can better understand individual user risk, adapt training and testing to real behavioral patterns, and build stronger protection for the employees who introduce the most risk. The conversation highlights the need to unify people, process, and technology and underscores why empowering employees with timely, relevant guidance is critical as attackers continue to evolve.
Joe Carson: Hi everyone. Welcome back to another episode of the Security By Default Podcast. I am the host of the show, Joe Carson, and it is a pleasure to be here with you all again. I am really excited, because we always look at the chaos world that we live in. It is always changing. There are always fun things, there are new technologies, and it is ever evolving. And sometimes in the security world, we live in a bit of chaos, and I try to sometimes bring clarity to that chaos so you can actually see the light and see what great things we are doing in the industry and truly make it a positive experience, because that is what we are really here to do, is make the world a safer place.
And I am really excited to have another guest for you this week. I have got Michael joining me. So Michael, maybe you can give the audience a little bit of a background about yourself, how you got into the industry, maybe some interesting things about yourself, and a bit about what you do as well.
Michael Waite: Absolutely. Thank you, Joseph, it is a pleasure to be on the show with you today, and really excited to chat about such an interesting topic.
Michael Waite here. Just a little bit of background about myself. I started my career after graduating university in the tech space, got right into consulting. And for about 10 years I worked with Accenture, and that is really where I cut my teeth in tech, doing projects with Fortune 50, Fortune 500 companies, large scale implementations, migrations to the cloud, data science, data visualization, basically anything, you name it, I was doing that.
But the way that I got into the cybersecurity space is actually very fascinating. At this point, about three years ago, I was flying to Madeira, Portugal to visit a friend of mine, and I flew through JFK, and there was a major cybersecurity incident at JFK that day, so the flight was delayed. And oddly, there were only about 30 people on this flight. And so I board the plane, and it is just me and one other guy in this section of the plane. And I am quite a yapper, so I started chatting him up, I think to his chagrin, but we started talking about what we were doing, and he was like, I have been in the cybersecurity space for a long time. I want to go and start my own business. He pitched me on the version zero idea of Dune Security, and I loved it.
And we learned in this conversation that our skill sets are really complementary. I have been in tech for a long time and have built really robust and large, scalable systems. And my business partner, he had been in sales and go to market and revenue strategy. So we realized at that point, we were like, let us do this. And so, yeah, that is how I got into the cybersecurity space. And it has been a ton of fun being in this space, especially now, and everything that we are going to talk about today I think is incredibly poignant, because AI is such an incredible tool. There is so much power and utility there, both for good and for evil, and I think we are starting to see the fruits of that. So an interesting topic, and very excited to chat today. And thank you for having me on.
Joe Carson: No, it is a pleasure to have you on, and I completely agree. Sometimes it is all about being in the right place at the right time. And I have been fortunate enough to be in similar situations as well throughout the years. And so I am the same, similar to you. You know, if I am sitting next to someone, I get chatty, I have a conversation, and want to learn more about them and what they are doing and maybe why we are on the same plane. And sometimes it can change the future and change the direction and path that we are all going on, which is always exciting.
And that is a great thing about humans, is that those random acts really can change the things that we are doing. So that is really exciting. And of course, today’s topic is all about AI. How can we go through a couple of episodes without talking about AI, which is getting difficult these days. And we are seeing a lot of evolution, especially in the last year or two, where we are seeing a lot of the GPT engines really change how we interact with computers from a human perspective as well.
So what are some of the things you are seeing, the trends this year from both a defense side of things and also the attack? How is it changing the way we protect our businesses and protect the way of life?
Michael Waite: That is a great question and a lot to unpack there. I think let us start with how we are starting to see AI impact the quantity and the fidelity and the efficacy of attacks from threat actors in the wild.
If you look back four or five years ago, the quantity of attacks was overall lower, and the quality, the fidelity of them, was also dramatically lower. And I think that with the advent of generalized large language models and the ease and availability of access to those, we are starting to see that entire landscape change.
There used to be telltale signs when attacks were being launched. If you got a call, and I do not mean to sound insensitive here, but if you get a really thick accent on the other line, it might be a sign that this is a scam or this is an attack. But with all of the generative capabilities, all of that is changing. We see it in terms of attacks down the vein of vishing, where you can use real time tools out there to mask really thick accents, to do real time language translation. And so now, instead of getting a call where you can tell it is somebody calling from Russia or from China or from deep in India, now you really cannot tell.
And that spans across everything. What I just spoke about was voice, but we see it also with the fidelity of things as basic as phishing emails, where now it is not like the prince in some African country that is emailing you that he has 10 Bitcoins for you or whatever. Now they are really well crafted.
And if you take the rise of AI and you pair that with the availability of information about just about everybody that is on the dark web, those two things, when you combine them, become incredibly dangerous. And we see attacks now where hackers will find a target, they will use tools like LinkedIn, and they find somebody that is working at a company they want to attack. They will find out the systems that they have access to, they look on the dark web, and they will get basic information about them, like their address, their date of birth, their social security number. And for the vast majority of people out there, that information is just available on the dark web.
And then you pair that with a sophisticated AI model that can call into an IT help desk and present all of those pieces of information that the help desk would be looking for to verify your identity. Then they can get credentials reset, they get MFA disabled. We have seen attacks like this happening. I think the MGM attack that happened at this point is probably a year ago, or a year and a half ago, that is precisely what they did.
So the quality of attacks is increasing dramatically. The number of attacks that are launched is increasing dramatically. And I think one of the scariest things here is the number of successful attacks is also increasing. And so when you pair the sophistication and the evolution of AI with all of that data that is available on the dark web, it is a pretty wild world. And I think that we are just starting to see the tip of the iceberg there.
Joe Carson: Absolutely, I completely agree. And for me, I mean, I have been in this industry for such a long time now that even the accuracy and the authenticity of a lot of the phishing and vishing is getting to a point where it is even difficult for professionals to even detect as well.
I am based in Estonia, and I can confirm that with the Estonian language, it was always a protection for the society here, because it was a complex language. It was very difficult for attackers to automate the translation, so you could always find errors and mistakes in the phishing campaigns. And now with GPT engines, that translation is done in real time, and it is perfect. Even to a point where I think attackers are now realizing that perfectionism is not like a human, so they are adding little bits of imperfect perfection into their algorithms to make it like, let us make a few mistakes so it really does look like a human.
So it is really getting to the point where these types of campaigns and scams are getting to be perfect.
Michael Waite: Yeah, it is not just about the written text. To your point, it is about voice. It is even video. We have seen scams where they are able to real time impersonate video that might look like executives or their colleagues in the background.
And to your point, it is not just about getting credentials or credentials reset, but it is also about onboarding devices as well, and getting the ability to access more information that can then be used for lateral movement, or can be used for business email compromise or invoice fraud. We are seeing these accelerate at a really alarming rate.
Joe Carson: Since we are now relying heavily on technology, what things are you seeing to help us identify best practices to determine some of these things? The old traditional things of doing security awareness training are not really efficient today, because all the things we have been taught to detect are no longer there. What can we do in order to really reduce these types of threats?
Michael Waite: God, Joseph, that is the question of the hour, isn’t it? It is a really good question too.
I think when I look at the way that we can protect ourselves, I would say it comes down to three things: people, process, and technology. Every single one of those is essential. We work really closely with a lot of large enterprises, and this is top of mind for them.
Importantly, you need to focus a lot on technology and making sure that all elements of your IT infrastructure and your security stack are really robust, and then making sure that you have process in place within your organization that people know of, and it is simple enough that they can follow it.
And then the last, and I would say the stickiest part of this, is the people aspect of it. Because humans are infallible. We can make tech that is incredibly robust, but people are people, and they are always going to take actions, either intentionally or accidentally, that can introduce a lot of risk to the organization.
So I think that means making sure people are trained on the attacks that are happening today. And the challenge is that when you look at how the market typically solves for that, it is with legacy security awareness training. And if you have worked in corporate America or a large company somewhere, you know these things. You do it once a year. It is 30 minutes. It is really generalized, and it is basically like do not click on things. And that is the TLDR of the training.
I think we need a paradigm shift in the space to really holistically understand the risk that an individual brings to an organization, understanding the implicit risk of the role that they are in. Obviously, a marketing intern, if they get breached, there is not as much business impact as if the EA to the CFO gets breached. There is a much bigger difference there.
And then actually looking at the threats that are going after that archetype of person and then training them on that. And as much as possible, dynamically adapting security controls around individuals instead of just having the castle walls built around the organization as a whole. I think it is very important to have them dynamically put around individuals to help protect the individuals that introduce the most risk to an organization.
So when you look at those three things together, the marriage of people, process, and technology, I think that is really the best way we can protect ourselves from this.
And also, I think it is important that we look at threat intelligence and understand what are the bleeding edges of attack. Because one thing we have noticed within our company and the customers that we work with is there is a shift happening. When you look back five to seven years ago, email phishing was the main vector of attack that hackers would try to get into large enterprises with. And for a time, that was tremendously effective.
But when we look at the space around email, I mean, you look at Abnormal Security, they are one of the new players in the SEG market. They are great, and they are able to build technology to protect the inbox. So we see a shift now of threat actors moving off of corporate devices and things that the enterprise has direct control of, and they are moving onto off channel and encrypted apps where they know that they can have direct access to an individual without the eyes of the enterprise on that.
So now they are finding people’s WhatsApps, their Telegram, their Signal, their Viber account, whatever it is. And they are reaching out to people there. And especially for BPO companies or people with employees in low cost delivery centers, threat actors have a lot of success going after them and offering a small bribe for customer information.
So I think really being honest with ourselves and looking at where attacks are happening today, and how do we protect ourselves from today’s attacks and not yesterday’s attacks.
Joe Carson: Absolutely. It reminds me of some of the projects I have worked on over the years. I remember a while back working with a large transportation organization, and they had a cybersecurity awareness training, and it was really static. We were looking at it from a technology perspective, and not from a human side of things. And it was very much that everyone had to do the same awareness training. It was not personalized in any way whatsoever.
And we realized very quickly that after about six months of doing this project, we were failing. And we knew we were failing because we got so much friction with the employees. They hated it. We were preventing them from doing their real job. This was a hurdle that we were putting in the way.
Ultimately, when we took all of the data that we had, we realized we had to do something differently. What we ended up doing was, we stack ranked what we could stack rank. Because in some countries you are not allowed to stack rank employees. But where we could do it, we were able to say let us do it from a risk based approach rather than targeting everyone. Some people in the organization did not have computers. Why would we give them cybersecurity awareness training? They were not operating technology at all.
So we did it from a risk based approach. And then I remember we were challenged because we were trying to figure out how to communicate. And I remember the day. Fortunately, we were sitting in this really nice conference room, and we were all standing at the whiteboard going, what do we do? What do we do? And there was a lot of noise and racket from one of the rooms down the corner, and we were like, What is all this noise? Can someone go tell them to be quiet?
And the small person that came back said, Well, today is actually bring your kids to work day. And there were a bunch of kids in the next room making a racket. So we thought, interesting, children, let us have a conversation.
We brought them into the room, we got permission, asked them questions about technology. And it was really enlightening, because they were very direct and very honest and they thought outside the box. They did not have the pre pressures that we typically have. You get so ingrained in things that you think there is no other way.
Ultimately the kids said, Why do you not do it as a comic book, because people love comics, or it is easier for them to understand from images than it is text. And we were like, Oh my goodness. So we ended up doing our IT policy as a comic book.
And then somebody else said, Why do you not put it in the bathrooms? Because everyone needs to go to the bathroom at least once a day. And we thought, Oh, that is interesting.
So it really was a moment of evolution.
Because I think what we are seeing is this evolution of awareness training to deal with all of these latest types of threats. And to your point, one of the biggest things that came out of that project was that cybersecurity does not start in the office. It does not start within the corporate walls, and it does not start with the employees. It actually starts with the social sphere and their family, the people around them.
And that was one of the things. We messaged the executives of the company and said, we are now going to extend cybersecurity to the entire employee’s family. We are going to democratize it. We are going to make it available and push the security perimeter beyond just the office walls and office computers to employees’ home computers and home devices.
Because as you mentioned, attackers often come in through personal devices. There are so many messaging apps, so many groups, and if you are just monitoring corporate email, you are missing the majority of the threats.
Even recently, this past weekend, we had major threats that went to schools through messaging apps.
We really have to start thinking about how attackers think today. What are their new ways of getting initial access? And that means we have to start personalizing security, because not all employees are equal. As I mentioned, not all employees are using technology in the company.
We have to understand data better and make sure we personalize training so that employees get the right amount of training, and specific to the role they are doing.
Any thoughts around those examples or ideas?
Michael Waite: Yeah, what you said just landed with me so profoundly, because the one size fits all approach is dead. It does one thing, it ticks the box for GRC, where you can report out to regulators that we trained everybody on cybersecurity. But it does nothing to move the needle on the actual cybersecurity posture of these organizations.
So I think it is critically important to really take a holistic look and be data driven, and put together almost risk profiles for each person within an organization. And that has so many factors that go into it. What are they working with? Do they even have access to a computer? Many people do not, or do not have a web enabled computer, or anything but internal email. The risk there is much smaller, versus someone accessing all of the corporate systems on their personal device, potentially while traveling to a different country. Very different risk profiles.
And I also think that real time intervention and really meeting people where they are is becoming absolutely essential. The relationship between the security apparatus of an organization and the actual employees has historically been adversarial. You mentioned that earlier. Employees resent the fact that they have to take these trainings. They watch it, they see the content, and they are like, This does not actually help me secure myself more. This twenty minute video just tells me not to click on anything.
So I think really understanding everyone’s risk and then training them on only the things that are pertinent to them, and doing it in a form factor that everybody is used to now, which often is short form content. It does not need to be a three hour endeavor to train people. Give them real time intervention with bite sized learning that allows them to course correct in real time.
And then also empowering the organization to have insight into where risk lies. They need to take an eyes wide open approach. That is something that has historically been challenging. A large financial institution we work closely with basically said, within our security stack, we know exactly where risk lies. We have done a lot to make it robust, and any remaining elements are on the roadmap to improve.
But on the human side, we have no insight into where risk lies. And if you look at the basic data published by the FBI and others, nine out of ten attacks happen because of human error.
So making sure we do everything to diminish the adversarial relationship and build one that empowers people to do the work they are hired to do, but also protect themselves, is essential.
Joe Carson: Absolutely. One of the things I have found over the years is that when you personalize the training and make it not about the company, but about the employee benefiting, you change the narrative. You reverse the message so the employee wants to do the training because it helps them personally. It protects their personal sphere and their family.
When you change the context to: this is for you, it will protect your family, and oh by the way, the company benefits too, everything changes. It makes it something they want, instead of a compliance chore.
And I cannot tell you how many times in my career I have had to do the checkbox training. Some people I know get their pets to watch it while they do something else. They put the pet in front of the screen. Are they really paying attention? But it ticks that regulatory box.
And attackers know that, and they probably even know the schedule. They probably target mid year or a few months before the deadline. Typically end of year, October or November, because they want to be compliant for January.
So it is predictable.
We really have to think about how we change that. How we make it something employees want to do.
Michael Waite: I think you are spot on with that. And you brought up something I want to touch on regarding making the relationship non adversarial.
One of our learnings while building the company was a distinctive moment. We were building out our vishing capability because we want to be able to replicate all the types of attacks hackers are doing. It is not just email anymore. It is deepfakes, it is vishing, it is off channel encrypted apps. We replicate all of them.
And as we were building vishing, part of that was doing voice cloning. We spun up GPUs, loaded the models, and I remember the engineers and me sitting there. We have a salesperson on the team named Kayla, and she is a delight, one of our funniest employees. We got 10 seconds of her voice off a recorded sales call, and the devs made a clone of it. Then we made it say silly things in her voice.
There was a fervor in the room, we were laughing so hard and having a great time. It was an unlock: why are we having so much fun with this but not giving this experience to end users?
Instead of them just taking a two minute training on vishing, why do we not give them the ability to record 10 seconds of their voice, put it into our model, clone it, and let them hear it say something they typed?
We have noticed huge upticks in engagement because it is fun. And there is an organic spread. One person does it, they show a friend, and then that friend uses the vishing playground too.
So yeah, let us not train people with old school long form content. Let us make it more like an interactive workshop. And after that light bulb moment, when they hear their own cloned voice, then we give them tools to protect themselves.
And like you mentioned, it is not just about the organization. It is also about their personal circles. Voice cloning is a huge problem now. You get a call that sounds like a loved one saying, I was traveling and got arrested, I need money, and it is completely fake.
We want to give individuals tools to protect themselves while working but also their loved ones. Giving them knowledge in a way they are keen to learn is absolutely critical.
Joe Carson: Absolutely. I remember the case last year in India where those voice cloning scams were accelerating so quickly that even the government had to intervene. And we do need to make our industry more fun and entertaining because it is a very scary industry.
It reminds me of phishing campaigns I have done over the years. I was always trying to make them perfect. And one organization that caught me by surprise had employees who were so talkative that the moment you sent the phishing campaign, they all chatted with each other. Did you see this? Did you get this? And collectively they realized it was a scam immediately.
When you put all those minds together, the collective mind is a better defense than individuals trying to figure it out alone. They will report it quickly. They will not be afraid. And the collective mind becomes a strong layer of resilience. And it makes it fun.
So I like approaches that broaden security into the social sphere. I like approaches that make it entertaining. We need to laugh in our day jobs.
So tell me more. Do you have resources or reports the audience can go to if they want to learn more, including tools for playing around with voice cloning?
Michael Waite: Absolutely. We actually just published a couple months ago our first threat intelligence report that we put together at Dune Security. We typically work with large enterprises, and so it is millions of end users, and we have copious amounts of data.
It is a pretty interesting report detailing exactly what we are talking about here: the evolution of the threat landscape. And I think that besides maybe when the internet was invented, we are at at least that big, or bigger, of an inflection point. The rate of change and evolution in the threat landscape is wild. We are entering the wild west of cybersecurity on so many different fronts. On the people side, on the threat actor side, and even with the technology we are building with, like MCP servers and new ways for tech to talk to other tech and the security implications of that.
So we do have a threat intel report. It is on dune dot security, and I can provide a link for you to share.
Joe Carson: Absolutely, I will make sure that in the show notes there is a link so it is easy for them to access.
It reminds me, a lot of this innovation is changing how we communicate with devices. The old times of using a mouse and keyboard, I think we are getting close to that no longer being something we will interact with. It will be our mind directly connected, or our voice, or gestures.
I was laughing the other day. I was in my shed trying to measure something, and I said, Hey Siri, and about 10 devices responded. I only wanted one of you. Every one of them started recording. I said, Stop, stop. Quite a funny moment.
And that is the world we live in. Even when we join virtual meetings, there are about three or four people on the call and about 15 transcribers and note takers. We all have this many little digital versions of ourselves. It is comical.
If the audience has questions, what is the best way they can connect with you?
Michael Waite: Absolutely. I would love to engage with any members of the audience. My LinkedIn is Michael Waite at Dune Security. Feel free to connect with me, and I am happy to continue this conversation. I am relatively new to cybersecurity, been in it for three years at this point, but I cannot think of a better time to be in this space, because every day is an evolution.
Joe Carson: Fantastic. I will also include the direct LinkedIn link in the show notes.
Michael, it has been wonderful having you on. It has been an intriguing conversation. I always enjoy having these conversations. It is my favorite part of my week, because it enlightens me and gives me different perspectives and ways that we make the world a safer place.
Many thanks for being on the show today.
Michael Waite: Joseph, thank you. Thank you for having me on the show. I appreciate it. This is my favorite thing to talk about. It is a pleasure connecting with you. Really appreciate it.
Joe Carson: Excellent. Thank you.
So for the audience, this is the Security By Default Podcast. I am the host, Joe Carson, bringing episodes every two weeks. If this has been interesting for you, please go and like, subscribe, share with your colleagues, share with friends. I am bringing you different topics to help enlighten you and give you new ideas to make the company you work for a safer place, but also the world you live in a safer place as well.
Stay safe everyone. Until the next episode, take care and thank you.
Key Takeaways
- Generative AI has raised both the volume and fidelity of attacks. Michael describes how AI now helps threat actors produce high-quality phishing, real-time vishing, and near-perfect impersonation at a scale that was not possible just a few years ago.
- Traditional once-a-year training does not prepare people for modern threats. Legacy awareness programs still focus on yesterday’s attacks, leaving employees vulnerable to real-time voice scams, deepfake video, and identity-based deception across multiple channels.
- Modern social engineering now operates far beyond email. Michael describes how threat actors combine email, real-time vishing, SMS, and encrypted off-channel apps to reach employees wherever defenses are weakest, creating multi-vector campaigns that are far harder to detect and stop.
- Personalized, risk-based training leads to stronger behavior change. Michael explains why organizations need to understand each individual’s risk, tailor simulations to real behavioral patterns, and meet people where they are instead of forcing everyone through the same content.
- People, process, and technology must work together to protect high-risk individuals. Michael emphasizes that even with strong infrastructure, user risk remains the biggest variable, and organizations need coordinated controls, guidance, and insight to protect the users most likely to be targeted.