March 29, 2025

Lessons - Fixing Human Error in Cybersecurity | Theresa Payton - Former White House CIO

Success Story with Scott Clary

➡️ Like The Podcast? Leave A Rating: https://ratethispodcast.com/successstory

In this "Lessons" episode, Theresa Payton, former White House CIO, shares how predictable human behavior creates vulnerabilities in cybersecurity and why conventional defenses often fall short. Learn why routine security measures are exploited by sophisticated social engineering and how designing innovative, personalized protocols can disrupt attackers and strengthen digital defenses.

➡️ Show Links

https://successstorypodcast.com

YouTube: https://youtu.be/bH8DwhGUg0c

Apple: https://podcasts.apple.com/us/podcast/theresa-payton-cybersecurity-expert-author-former-white/id1484783544

Spotify: https://open.spotify.com/episode/5DLZKqN89CTRVXW2Hi3Pq5

➡️ Watch the Podcast on YouTube

https://www.youtube.com/c/scottdclary

Transcript

In this lessons episode, discover how predictable human behavior creates vulnerabilities in cybersecurity and why conventional defenses often fall short. Learn why routine security measures can be exploited by sophisticated social engineering and understand how innovative personalized protocols can disrupt attackers and strengthen digital defenses. When, um, and just you met like again, like the human experience we're trying to face because I've had other security experts on this show before and they do speak about the human, the human problem and the phishing attacks and you just mentioned something that's very interesting. Like, everybody hates these super complex passwords but we know we got to do them and everybody, uh, 2FA is annoying but we got to do it and I guess, you know, you have your like Google auth that seems to work well and I personally hate doing like the texting 2FAs, not for like SIM swap reasons but mostly because sometimes it doesn't get it. I don't get a text, just a pain in the ass and it just seems like it's a lot of effort and again, if I got a phone call from an AI voice that said, you know, it's your brother and it sounds like him and I'm stressed out and he says he was arrested and I've heard stories of this kind of fraud and then it just like pulls at your, you know, your heartstrings and you feel stressed out and you want to help the person and you go wire the money or whatever. I mean, there's a million different types of fraud that I've even, I hope I haven't fallen victim to, but people have tried to target me for a variety of different reasons. I've had employees with spoofed emails emailing me that they want to change their banking information. Like I've had a whole bunch of different things, right? Um, however, you said that you made a good point so the fraudster is going to understand there's a complex password.
They're going to understand there's 2FA and they're just going to layer on a human component and they're going to try and trick you into doing something, but the answer is not to blame the human, but then how, like, how do you solve that? Because humans are humans and they're always going to have an emotional reaction to these like the social engineering that a fraudster is going to put together. Absolutely. So one of the things that, one of the principles that I have is if you study the profile of cybercriminals and fraudsters, nation states, you start to see they have a pattern of how, you know, they attack the different chinks in the armor, if you will. And so the goal sometimes, you know, you want to do the basics. You know, I mean, you want to have good digital hygiene practices. You want to invest in tools. You want good processes. But really, oftentimes the best thing that stops the bad guys is designing something they didn't expect. So for example, having a passphrase that's not easily guessed. So if you're sitting on, you know, there was a recent wire transfer fraud where the employee heard of their protocols, you get on a video conference with the CFO or the CEO or somebody else and you have proof of life and the employee was on a video conference and was told to do the wire transfer. Did the wire transfer. If part of the protocol had said, so good to see you, what's the passphrase, and the passphrase was like something ridiculous that nobody else would know. Yeah. Then you probably would have had somebody hang up and it was that from happening. You can use this in your personal life. So you were mentioning like the virtual kidnapping type thing. Yeah. I, I don't know about you, but like I grew up, my sister and I, my dad would play a little game with us. When we walked into a room, restaurant, wherever, I need to say, okay, without turning your head, where are the exit doors? Where were you hiding if something bad happens? What were your weapon day?
Did you grow up and play that game? Yes. Yeah. Exactly. So my dad was in the, I'm Canadian, and my dad was in the RCMP and then he moved into CSIS. So he was, he was always adjacent to a lot of, all, CSIS is Canadian security intelligence, right? So yeah. So I was very aware. You had a similar childhood experience and then it just became muscle memory for you. Yeah. Probably even today, I know I do. I can walk into a room and without really looking, I know where everything is. I literally was giving a talk, huge place, I'd never been there before, and the fire alarm went off long enough that I said, hey, everybody, I know where the fire exit is, please follow me until the fire alarm because stuff. So I get off stage and everybody follows me orderly out and the place was like, we cannot, we've never seen anybody do that. Mike, well, my dad trained me. So my point in bringing that up is, is have this passphrase, play the game with your, your family, by the way, on where the exits are. It's really important. A lot of you will really underestimate that. But the same thing with the passphrase. So I'll just, like in the kitchen before dinner, like anybody know the passphrase? I'm like, well, then you're not getting rescued if you call me and tell me you're in jail or somebody's got you, like you have to give me the passphrase. So that's something you can apply in your personal life as well. And again, each one of these things is typically just studying what's our process. How will criminals and fraudsters try to interject themselves into the process? And how do we do something completely unexpected? That's really it. It's about removing, it's about removing the routine out of, you know, our, our, our activity or day to day, so that it can't be guessed. That's really it. Something that can never be the hacker, the fraudster. There's no way they're ever going to be able to know this. That's the bull. That's really the bull. And make it simple. Make it simple.
Not a strong password. Because the purpose is for, it doesn't matter really what the word is. It's just, it's just that it's there. That's really the, that's really the goal. Um, I want to ask you some more, uh, just questions about some of the, some of your time in the White House, because I find that fascinating. And obviously you speak about what you can speak about and, and don't get yourself in trouble. But I am curious about some of the, when you, when you walk into the White House, you say the general public is not aware of really the threats that are going on. So what are some things that the public should know about that they're kind of oblivious to? Like what is coming at the US? Why, are we in trouble? Why you, like I think you mentioned at some point, like, it's not, it's not, you know, unicorns and rainbows when it comes to cyber security. And people know about how there are nation states and they understand that, you know, China exists and Iran exists and, and Russia to an extent exists. And, but maybe a little bit more clear as to what is actually happening that we have no clue, we don't pay attention to. Yeah, well, I mean, for example, uh, cyber criminals, like, especially nation states and then people who are loosely affiliated, because for the record, China, Russia, Iran and North Korea say they don't have nation state operatives hacking into American infrastructure. So they say that, so I'm just going to give that disclaimer from them. But what's interesting is, is they first primarily focused on what's referred to as the defense industrial base. They would go after the US government, US military departments and agencies, White House, then they'd go after the vendors. You know, the big vendors that provide, you know, airplanes or weapons or, you know, anything else, um, to the government. But then they realized, you know, that might be leaving money on the table.
Maybe we should steal, I don't know, intellectual property, trade secrets, and then reverse engineer and manufacture our own stuff and compete with the US. And you know, kind of even the playing field, we'll just steal their R&D, we'll skip that process and we'll just reverse engineer it and produce it here. And China for one is really good at doing that. And so that was something that was very eye-opening to me at that time because that wasn't really being discussed. And if any companies at that time were falling victim to that, they weren't talking about it because they were worried their competitors would take advantage of it. So I think that's something, you know, that was a big aha moment for me. You know, many people may not realize this. I'm sure most people assume attacks against the White House are constant, it's a constant barrage, and that is correct. But what's interesting is, is like, I learned, for example, because we have White House stuff up and White House stuff up is not connected like to anything. Like there's not like, hey, the president's secret briefing is just right behind White House stuff. It's really just meant to be sort of, here's where the executive orders are. And like, hey, look at President Bush's dogs, Barney and Miss Beasley. And watch Barney run around the White House. One of the favorite videos of my kids was Barney at Christmas time watching things get decorated and running around with a little Barney cam on. Probably the paint and household was the like biggest consumer of Barney, but the president's dog. And it's really meant for that, but for whatever reason, if there was like a visiting head of state from another country who had a beef with somebody else or different things that were going on, we would sometimes, according to our vendors and routers and our own monitoring, be the most attacked website in the world on certain days.
Now, if the website goes down, it's incredibly embarrassing, but the website isn't like where people get money. And the website's not like, it's not connected to classified systems or anything like that. But for whatever reason, that was kind of a digital representation, public face, if you will, of the White House. So a vitally important page to not have commandeered and defaced, which was a very popular thing at that time. Let's take over this department and agency's webpage and put, you know, long live Iran or, you know, something like that. So those are, you know, some of the, a little bit of inside ball without giving too much away, of the types of things that you have to think about and deal with that shape my thinking when I work with companies and people today. Thanks for tuning in. If you found this valuable, don't forget to hit that subscribe button so you never miss an episode. And if you want to dive deeper into this conversation, check out the links in the description to watch the full episode. See you in the next one.