Ep 127: The Future of Security for Social Engineering

December 20, 2023

John W Verry (00:01.369)

Hey there, and welcome to yet another episode of the Virtual SESA Podcast. With you as always, John Ver, your host, and with me today, Gabe Friedlander. Hey, Gabe. Or Gabby.

Gaby (00:02.003)
Um.

Gaby (00:05.17)
Yeah, I saw it, yeah.

Gaby (00:11.111)
Okay.

Cool.

Gaby (00:29.378)
Hey, thank you for having me. Oh, I go by Gabe, Gabby, or Gabriel. You know, all work for me. I honestly, most people call me Gabby if that helps.

John W Verry (00:31.121)
I should have said that.

John W Verry (00:35.793)
Which do you prefer? There’s an important question. All right, so I’m gonna go with Gabby.

Let’s start easy. Tell us a little bit about who you are and what is it that you do every day.

Gaby (00:50.062)
Okay, so I’ll give you the short version without going back to the beginning of my career, but for about 14 years almost, I was a founder of a company called Observe It. It was an insider threat company that we eventually sold to Proofpoint. After selling the company, I became a stay at home dad. And, you know, that’s changed.

was big for me from 100% pitching companies and talking all day long to looking at my kids. So I started to pitch them about cybersecurity and I realized that for almost 14 years I had three insider threats at home while I was pitching other companies about this idea of insider threats. And actually school was making it even worse because I learned that they got from school

like a single password they had to use everywhere. So at that point I realized that I wanna test something. I started to reach out to content creators online like TikTok and Instagram and I just for fun I created content that my kids would love to sort of convey the message and basically share with them cyber hygiene, right? They gave me the stamp, they approved it.

I started sharing it online on social media. It blew up. I figured, hey, there’s something here. And then I, that’s when the idea of like building Wiser, which is the company that I am running now, sort of like formed in my head. I figured out that security awareness is something that has to be done on a mass scale for everyone. And a lot of people connect to what’s in it for me. People wanna learn about security awareness.

when it’s more about their personal life. So I created a learning management system. I hosted the videos on top of that. We offered it for free at the beginning. I didn’t have any business model. People started to subscribe, companies subscribed. They started to use it for compliance. And again, blew up. We created a Boost version later, about almost a year in. We created a version that has a paid component to it.

Gaby (03:12.246)
which is called Now Wiser Boost. And yeah, four years later, millions of views on our content, it’s still going viral. Companies are using both the free version and the paid version. And that’s what I do day to day. I’m trying to, you know, my mission is, I know it’s hard, but you know, hopefully I can contribute a little bit, but my mission is to make security awareness a basic life skill. So that’s where I hope I’ll be able to contribute to this world.

John W Verry (03:44.459)
I hope you’re successful because I can tell you that we certainly are. So I always ask, what’s your drink of choice?

Gaby (03:46.989)
Ha ha.

Gaby (03:53.006)
Oh, so I’m a big, big coffee lover. I love coffee. I actually have, I call it a lab. So, you know, I have a scale and I have different beans that I order directly from the farm. And I play around and I have a lot of recipes and stuff like that. So I’m very, very big into coffee. Love it.

John W Verry (04:16.475)
Are you a French press guy?

Gaby (04:18.834)
No, I’m espresso, you know, more into the espresso and quartado and, you know, stuff like that. But even the espresso, like there is so much variation. People don’t understand. It’s not just clicking a button. You know, there is the grind level, the water pressure. There’s a lot of stuff going on there.

John W Verry (04:36.773)
You get the same thing even within coffee, right? So we grind our own coffee and play around with beans and we French press because you get, and even what’s also really interesting is whether you filter or don’t filter it changes many things about it. Technically the oils that come off of it, and one of the interesting things about the oils is that for some people, the coffee bean oils, if you don’t pass them through a filter, increase your cholesterol levels. So.

Gaby (04:41.566)
Yeah. Exactly.

Gaby (04:51.671)
Oh yeah.

Gaby (05:03.185)
Oh, I didn’t know that.

John W Verry (05:04.185)
Yeah, which is kind of crazy. So, bye.

Gaby (05:06.846)
Yeah, but it’s fun, you know, and you develop it, you know, those taste buds. So I can easily tell, you know, how it was made just by like, you know, trying it out. So, yeah.

John W Verry (05:18.865)
I’m not that sophisticated, but I very much enjoy a really good rich, dark roasted level of coffee. And I do enjoy espresso, had never really drank espresso until I spent some time in Italy. And if you’ve drank espresso in Italy, then it’s something that, okay, I get it now.

Gaby (05:40.246)
In Italy, coffee is espresso, right? Cappuccino is like a different drink.

John W Verry (05:47.473)
Yeah, exactly. So thank you for coming on today. Obviously the security awareness education component is really why I’m excited to have you on. I was looking over the Verizon data breach impact report, the IR, and I was shocked when I saw that it said that, for last year, 74% of all breaches involved some form of social engineering. So from my perspective, I found that remarkable because-

Gaby (06:01.005)
Mm-hmm.

John W Verry (06:16.689)
That number is still very high and many, many organizations have made fairly significant investments into education. But yet it’s still a significant issue. So let’s frame the conversation first. Can you define social engineering and can you explain why it’s so challenging in general to mitigate?

Gaby (06:30.882)
Okay.

Gaby (06:39.346)
Okay, so great. I’m glad that you split it. So we do something called Wiser in the City. It’s usually we go to either Times Square or we go to, in New York usually, different spots. And we just interview people on the street, you know, we ask them security questions, we do cash caps, stuff like that, like fun activity. And whenever, like one of the first question is like, what is social engineering? You know, this is like basic questions we like to ask.

And it always surprises me what people answer. It actually makes a lot of sense. What they’re usually saying is, that’s for the average person, social engineering is building social media apps. That’s what social engineering is. So first of all, I think it’s framed wrong. If people that are not educated about this specific topic think that social engineering is building social media apps, I’m with them. I think you know.

We are sometimes too technical in how we try to word things in the cyber security space. Basically it’s just the same old con men tricks, you know. It’s not more than that. You’re being tricked. It’s a scam. It’s just a scam. It just happens on digital, right? And the same old techniques. You’re being lured into a scam.

You’re being tricked to think that you have an amazing deal. You’re being tricked to think that they’re your friend. You’re tricked to think that this is somebody official from a company you work with. It’s just the old same thing, just digital. And I think we’re just over-complicating it with trying to make it sound more sophisticated. And I think that’s also why a lot of people fail, because…

It’s not about, and I’ll talk about it in a second a little bit more, but it’s not just about, you know, we make it sound like, hey, look at the email address, you know, if there’s a spelling mistake, that’s, you know, a social engineering attack. And I actually posted about it earlier today. You know, it happened to actually, it happened to my wife, and I’m also proud that she didn’t fall for it. But she booked, she booked a hotel with her friends.

Gaby (08:54.934)
She haven’t seen them for like over a year and she booked a hotel through one of those popular, you know Hotel apps like booking.com and stuff like that. I won’t mention exactly which one it is and What happened so she put in her credit card? Everything looked fine she got a notification and I think it was about a day before she She was supposed to go to the hotel she got from she got an

in-app notification from the app itself. From the app itself. She got a notification that there was a problem with her credit card and she needs to pay in order to, you know, to verify the room, basically to get in. So it didn’t sound right to her. She called the hotel. Sure enough, this was a scam. And what happened in her case was that the criminals hacked the hotel’s account.

and they used their hotel account to basically send notifications through the app and through email to her. So it’s not a technical thing. She didn’t look at technical aspects. She didn’t look at the email address or all. It just didn’t make sense. I talk about it so much at home, and that’s something that she had that digital scam instance, I call it, to figure this out. So I think…

One of the things we’re failing is that we’re trying to make it a very, you know, black and white thing, you know, very technical. If you do this and you do this and you do this, you’re good. But at the point in time, it’s more an emotional thing. You know, your judgment is clouded when you are in that context. So that’s just high level. I think from a company point of view, if you think go wrong in general.

with security awareness, not only specifically social engineering, but it contributes. I think, first of all, security teams sort of look at people like devices, you know, like the attitude they have to fix the problem is very similar to the attitude they have to patch a device or something similar. They think they can fix it, you know. And you can’t…

Gaby (11:17.294)
fix people, right? You can’t like the expectation that I’ll do something and I’ll put an endpoint security solution and if, you know, it doesn’t detect a malware, I’ll call the vendor and I’ll say that something is bad with their system, you know? When it comes to people, you have to have different type of KPIs, not zero click rates, you know? It’s just unrealistic. So I think, you know, it’s how you go about it. We can talk about it also.

How do you basically, what do you, what does security awareness can do, but you can’t just like totally fix people. That’s sort of one thing. Change is something that takes time and you have to be patient. You have to be patient about.

John W Verry (12:03.587)
Yeah, I guess the way I look at it too is that…

John W Verry (12:08.701)
Like you said, it’s tricking and people are good at exploiting and manipulating other people. And what’s crazy about social engineering is that they tend to exploit both the best and the worst of people’s natures, right? You know, people want to be trusting by their nature, most of us, at least anyway, or many of us. People want to be helpful, right? And people also have certain fears and they have certain respect for authoritative figures and things of that nature. So

Gaby (12:15.661)
Mm-hmm.

Gaby (12:21.396)
Absolutely.

Gaby (12:25.358)
Mm-hmm. Yeah, yeah, yeah.

Gaby (12:36.737)
Yeah.

John W Verry (12:38.393)
something comes from the IRS, you’re worried. So, you know, somebody’s, you know, and some of us have greed, right? Hey, you know, we’ve got this vacation for you. So it’s, you know, then the old classic Nigerian prince and who wouldn’t want $23 million? And maybe it’s real, I don’t wanna miss it. So I think that’s really, like you said, you can’t fix people. It’s because these are just fundamental human natures. And what they’re doing is they’re exploiting human nature. Right?

Gaby (12:44.588)
Yeah.

right?

Yeah.

Gaby (13:06.034)
And it looks real so Because we share a lot of about what’s happening in our life like I checked into hotel. I checked out from a hotel then Surprisingly you’re getting a bill from your hotel Everything makes sense, you know But that file is a malware because you just notified on Facebook the whole world that you checked out. So like People don’t connect the dots yet That you know

what they share seems harmless. Oh, so I just checked. They don’t think about the scam that will follow up. Even when people file for victim, they become a victim of like a Roman scam or any type of scam, they will go to Google, they will search, you know, I got a, how do you recover from ransomware? And they will see ads. And those are recovery scams. Now you get scammed again because criminals target victims. You know, it’s, if you don’t,

John W Verry (14:02.505)
again, because you’re in a desperate, you’re in a, you’re exploiting human nature again, right? I mean, they’re in this desperation state where, and there’s an urgency to what they’re doing. An urgency will usually get you in trouble when it comes to social engineering.

Gaby (14:03.143)
Awareness is like

Exactly.

Gaby (14:11.329)
Yeah.

Yeah. But you don’t think about it, right? Like where you are under pressure, if somebody calls you, you know, if your teacher, if the teacher of your kids calls you and says, you know, there’s a problem with the kid, at that point, you don’t think this is phishing, this is voice cloning, this is like, you just wanna deal with the situation because usually it doesn’t happen, that’s the thing. I think people, they hear about it, right? They hear about people being scammed and all of that, but it never happened to them.

So if it never happened to them, it’s very hard to think about it on every call, on every click because it doesn’t usually happen. So they don’t practice that memory skill, sort of those, you know, those awareness muscles that this type of stuff can happen. So it’s.

John W Verry (15:01.789)
So we kind of talked about what the issue is, right? And we’ve talked about that, despite organizations putting security and risk education programs in place, we still see more social engineering attacks than we would like to. So, you know, you do this for a living. What are organizations doing wrong that you see most often?

Gaby (15:06.239)
Mm-hmm.

Gaby (15:09.986)
Mm-hmm.

Gaby (15:14.103)
Right.

Gaby (15:20.91)
Yeah, so I think what they’re doing mostly wrong, if we look at, you know, there’s a saying, I don’t know who said it, but I like to use it. It’s basically culture eats strategy for breakfast, you know? I think what organization is doing wrong, and it’s going back to what we spoke about, like treating people as devices that need to be fixed. People are threatened usually by the security team. It’s sort of like the policing, you know, that like they’re being policed.

So what happens is once you have a culture that is sort of threatening employees, whether it’s being punished, fired, even extra training for failing for fishing, you know, I don’t want to, I don’t want extra work as well. I don’t want to be, I don’t want to lose my job. So if I made a mistake, you know, what would I do? Would I report it or I would just let it slide? Hopefully nobody will notice. I can just always say, you know, it wasn’t me.

I think the biggest problem is not using people for your own defense because if you flip the story and you tell people, look, you know, we understand that anybody can be scammed. Like nobody is, even in the security community, there were security experts and bloggers that ended up being, you know, criminals and they contributed to the security community and they collaborated with other security guys and eventually they hacked them. So…

It can really happen to anyone. I think the big message, if you want to flip things around and do it the right way, is tell people, look, if you click, you click, you know, it’s not good, but it’s not the end of the world as long as you report quickly. And, you know, very quickly, because we can take out the fire while it’s small, but if you wait too long or you don’t even report to us, it’s a mess. So…

And in order to do that, you have to build a security culture that requires sort of like an open door, right? So people can feel comfortable reporting. You have to celebrate people who reported. You have to celebrate successes. I would say more carrot than a stick. And I think right now, we’re still more in the stick versus carrot. We’re still there.

John W Verry (17:45.025)
So culture is one thing, right? And that’s sort of what’s right and what’s wrong, right? Pro and con. What else do you see right, wrong? What are some of the core tenets of mistakes not to make or approaches that will help you be successful?

Gaby (17:50.538)
Yeah.

Gaby (18:03.43)
Another approach, I have a few things actually, is skill-based. So if you think about who is the best communicating with people, what skills do they have? Because security awareness is about communication, it’s about engagement, it’s about people, right? So not always the security team are the best at communicating, are the best at engaging, are the best at capturing attention.

all of those things that are required for security awareness. So where I see awareness programs successful is where they incorporate, for example, the marketing team. People that have skills or hiring a security manager, a security awareness manager, a person that is skilled in specifically with communicating with people. So I think that’s just the, you know.

another aspect and as you can see I’m talking a lot of things that have nothing to do with technology right? It’s not about just the features. I can talk all day long about you have to have this feature enabled, you have to lock this down, but in reality it’s more an approach versus technology. So I think you need to have the right people to do this and today it’s also it’s another problem is because the expectation because it’s driven by compliance usually.

The approach is obviously to get 100%. So, right? So, how do you get to 100%? By nudging people forever, reminders, having talk with managers, and I get it, right? I get it because you have to have that 100% for PCI or whatever, but we’re shooting ourselves in the foot because we are not measuring progress. We need to be at 100% all the time. So,

And we’re also making easy for us because it doesn’t matter what the content is, which is another problem. A lot of vendors don’t really invest a lot in the content because we’re just going to like remind you forever until you watch it. Like there’s no empathy, right? Like, so people are bored by it. They are tuned out. They don’t learn because the KPI is not whether you learned whether you watched it. That’s the KPI and they’re going to invest in tools.

Gaby (20:26.53)
that are about, they’re gonna invest more in reporting just to make sure how fast we get there and how much pressure we put on the team versus creating just like amazing content that people wanna consume on their own.

John W Verry (20:40.389)
Yeah, you know, it is interesting because, you know, that’s that old compliance versus security challenge. And I think you’re right. I think compliance has another negative association that we see with security awareness education programs is that it’s training. It’s not a program, right? You know, it’s something that has to happen. It has to happen once per year and everyone’s got to take 30 minutes or one hour or whatever it might be. And the focus is on getting it done.

Gaby (20:46.263)
Yeah.

Gaby (20:52.299)
Mm-hmm.

Gaby (20:59.585)
Yeah.

Gaby (21:03.338)
Yeah.

Gaby (21:08.926)
Exactly.

John W Verry (21:10.309)
instead of actually looking at this and saying, what are we trying to accomplish? It’s not a matter of complying. It’s not a matter of giving the ISO auditor, the SOC 2 auditor, or the regulator a report that shows it. It’s more about what are we trying to accomplish? What’s the best way to pro, you know. And then the other side of that is, again, if you’re compliance focused, you’re gonna do something once or you’re gonna do it twice. You know, there’s that old adage that says, unless somebody’s heard something seven times, they haven’t heard it.

Gaby (21:19.753)
Yeah.

John W Verry (21:36.337)
You know, to me, I think security awareness education, that ties to your culture idea. Not only do we need a culture that’s, I call it forgiving or understanding, but we also need a culture of security awareness, right? And the only way you could create a culture of security awareness is if it’s more of a continual, a continual process, right? Not a once a year exercise that we gotta go through.

Gaby (21:36.648)
Yeah.

Gaby (21:43.766)
Yeah.

Gaby (21:53.126)
Mm-hmm. Yeah. So the things that can work well is, and those are the things that we’re trying to do within that framework of compliance because you can’t get away from the compliance companies, need that anyways. So the things we’re doing a lot, and it goes back to why I started Wiser, is making it personal. You know, like what’s in it for me? You want people?

to want to consume this content. So when we create content, if you remember like when I started creating it, I reached out to content creators online, you know, like I said, like TikTok and stuff like that. So we’re adding emotional hooks at the beginning, you know, which titles, like we want people, we tell a lot of stories, we love storytelling because it keeps people engaged. The videos are short, they’re a minute and a half on average, we never go over two minutes.

So it’s very much in line with the way they consume content on social media. So it feels the same. They have the same fast pace where they can swipe and move on. It’s storytelling, it’s engaging, it’s emotional. So I think this is sort of what sets Wiser apart, that we focus more on being great for the employee.

versus being great for the security team. Even though the security team are the ones that are buying our software, we treat the employee as the customer. And we want the employee to be super excited. And that’s why we also closely, we allow, first of all, we allow all of our content, for employees at least, they can share it with their families. And…

I’m talking about a direct link, doesn’t require them to sign up, you know, they can send it on text message, WhatsApp, you know, however they want. They can also share it on social media because we want them to become sort of ambassadors at home. If you’re now taking what you’ve learned and you send it to your family, you’re becoming an advocate of security awareness. And that means a lot from a culture and a behavior change because now you care about this. Now you go home.

Gaby (24:10.742)
This is something you talk over dinner, how important it is. And because you’re talking about it, you’re believing in it, and it also comes back to work. Because the same way you behave at home is how you behave at work eventually.

John W Verry (24:25.821)
Gotcha, now this is a tough question to ask a guy who develops security awareness education and sells it. So if you’re working with an organization, very high risk, a level of complexity to the environment, let’s say they’ve got high compliance requirements across multiple standards, can they use a commercial off the shelf piece of software like yours and be done with it?

Gaby (24:27.755)
Yeah, go ahead.

Yeah.

Gaby (24:37.697)
Yeah.

Yeah.

John W Verry (24:54.921)
there are situations where producing some internal content that is specific to the context of the organization is either going to be valuable and or necessary.

Gaby (25:06.274)
So there are some benefits and disadvantages for creating custom content. I think, but there’s some, I don’t think you’re very effective if you just buy software, you hit the button and hit send to everyone. I don’t believe that’s a good, but not because of what you said. I’ll tell you in a second what I think needs to be done. But in terms of content, what happens, and I’ve tried that in the past. I was, you know, working with companies and I was, okay, let’s go.

creates custom content that you know very specific to you guys. What happens in I would say 99% of the cases is because they have no idea about how to create content the company and it becomes sort of a project you’re now creating content based on you want to satisfy them so you’re starting to create content and the project manager is a security guy and they are

They always want to add more, they make it more lengthy, they want to have more detail, and it ends up being, again, lengthy, not attention grabbing, because they just don’t have the DNA of creating viral content. And they sort of like mix skill-based training versus awareness. You know, skill-based is, yeah, you want to make it detailed and you want to…

because you’re learning a specific, you know, job or something. Like if you’re a developer, it’s not awareness. You need to learn to code. With awareness, the name says it, you know, it’s awareness. You don’t have to learn the entire history or the exact, exact definition of social engineering to the T. It doesn’t matter, right? What matters is other things. So, again, whenever it comes to custom content that the customer is leading, I think you, or at least involved.

usually they take down the quality of content, at least from my experience.

John W Verry (27:05.265)
Yeah, it’s a question for you. So if you think about like our environment, we’re ISO 27,000 certified as a security company. Obviously we process a lot of sensitive data, right? So we call it client confidential information, CCI. We have a definition of CCI and we have some very specific requirements about what can and can’t happen. And if you’re storing data in this location, what needs to happen and, you know, that it can’t go out this way and that way this can be delivered in this way.

Gaby (27:09.876)
Yeah.

Yeah.

Gaby (27:17.206)
Yeah.

Gaby (27:23.444)
Yeah.

Gaby (27:27.074)
Uh huh.

Yeah.

John W Verry (27:32.549)
Your advisor or any other tool out there is not going to have a piece of content that says hey If you work at if you work at see this pivot point security and you’re moving client confidential information Here’s a cute clever way of knowing what to do with it, right? So like how would you recommend if we don’t produce content, right? That goes into our security program that date that information gets people

Gaby (27:34.411)
Mm-hmm.

Gaby (27:38.092)
Right.

Gaby (27:42.524)
Yeah.

Gaby (27:53.878)
Right. So here is what we usually do because that happens all the time, what you’re suggesting. What I try to avoid is involving the customer in the content creation. However, you come to us, for example, and say, this is sort of what I need, okay? We come back with a video. We don’t involve you. We don’t involve you in the content creation. We understand what you need.

And we come back with what you need. That’s it. So again, but usually we do that. If you have something very, very specific only for your company, usually what we do, because we try to make content that is applicable for everyone. So we’re always looking for new ideas, for a new type of content to create all day long. We’re releasing about once every two weeks new videos. So we’re always looking for new material.

John W Verry (28:23.017)
I didn’t know that, okay. Cool, so that’s an option.

Gaby (28:50.198)
But what we will do sometimes, if there’s, for example, a specific directory that they need to store things in and stuff like that, when the video ends, in order to make it flexible, and we mentioned that in the video, as listed in the last slide or something like that, so that part is customizable, but we’re trying to make the actual video and the concepts applicable for all of our customers.

John W Verry (29:17.345)
Cool, and then to that end, do you recommend or does the training address, so different people within an organization would be subject to different types of social engineering. So accounts receivable clerks, you wanna educate them a little bit different than a help desk individual. So does the training kinda have components to it that would be specific to roles and do you recommend that, the best practice?

Gaby (29:28.478)
Oh yeah. Yeah.

Gaby (29:34.679)
Yes.

Gaby (29:42.022)
Yeah. Yeah, I absolutely recommend that role-based. Again, it’s all about context, right? Because there’s so many scams, so many attacks, endless. So you want to at least learn the ones that are more relevant to your function. So if you are in finance, probably wire fraud is a bigger one. If you are a developer, then always

10. You know, like, what would a developer deal with wire fraud? Not only that, it will, they will be upset that they have even to do this because they’re never being asked to wire money. So like, why waste their time? Just, you know, in general, people don’t want their time to be wasted. It doesn’t matter what their role is, you know, it creates antagonism. And again, it hurts the culture. If you’re now starting to talk to people about things that don’t really affect them. So like, be going back to this empathy, always

Go back and ask yourself, like, is this relevant? You know, very, very easy to follow under, like, let’s just train them as much as possible.

John W Verry (30:51.685)
Now I know that you have a very sophisticated phishing capability within the WISER. Do you think that phishing is the most effective way to measure the efficacy of a security awareness program? And if so, why? And if not, what would be?

Gaby (30:58.005)
Yes.

Gaby (31:11.252)
Yeah.

So yeah, so we have a very, even though we have a very, very sophisticated fishing simulation, there’s two sides to the coin, right? I think it’s being abused too often. I think it’s a game that security teams love to play. And, but if you take the employee side, they’re being attacked basically. So now the question is, how often are you going to attack them, right? If you attack them too often,

a few things will happen, right? And I’ve seen that. There are some smart employees that start to attack back. Basically what they do is they start to report every email that’s phishing to overwhelm the security team or the IT team. It’s like a game, if you’re gonna do this to me, no worries, you want me to report every other email, I’ll do that. And yeah, they’re enjoying it until somebody will tell them stop, right?

So they’re just reporting every email. I’ve seen employees that just become nervous. So they either don’t open emails, don’t click on anything, don’t reply on anything, because they’re being attacked. You have to use it in a reasonable manner, in my opinion. And I’m not even talking about things like that happens where you try to mimic the attackers to the T.

For example, you know, like there was this train company, I think, in the UK where they, during COVID, they offered bonuses to employees that worked hard during the COVID. It was a phishing attempt. And not only people worked hard, you know, now they got this email appreciating them. So, and they failed the phishing because they were so happy that the company is recognizing their effort.

Gaby (33:06.514)
And now they’re basically being punished or feel bad that they failed, right? Even feeling bad is it. So that hurts culture and goes back to what we said earlier that, you know, if they’re feeling attacked, they won’t come to you when something real happens. So I think in general, it’s sort of like a spice. You need to do it to remind people.

But sprinkle it over the year. Don’t do it every two weeks for sure, in my opinion, even though there are some companies that do that. I actually seen companies do it the other way around, which I think is really cool, where they have an opt-in fishing simulation, where people get to choose to get fishing simulation and it’s gamified, and then you get prizes. And then what happens is that they’re actually looking for fishing and they’re identifying real fishing. So now you have like 100 people in the company, even if it’s out of a thousand, 10%.

join this program and now what they’re doing you have 100 eyes actually looking for fishing all day long. So that’s actually a better approach in my opinion. So and the last thing is expectation. If you think you can keep on taking down the click rate to zero, you’re fooling yourself. So I think the best indicator is the ratio between how many people clicked and reported. So if you clicked and you didn’t report, that’s bad.

But if you clicked and you report, that’s fine, you know? So like root those out. Don’t even talk to them maybe, you know, or even sell them. Hey, good job, you know, you clicked, but you reported. Again, build on top of that. So it’s really about what you measure and how you approach it.

John W Verry (34:44.637)
Gotcha. If you didn’t use phishing, is there another way, you know, like in your mind to kind of age if security is effective?

Gaby (34:49.202)
Yeah. So we have a few things. So on top of our phishing simulation, in order to sort of mitigate that issues that we spoke about, what we’ve done, we developed a game that, and I even didn’t, with phishing simulation, just keep in mind that usually about 20% of the company is participating because a lot of people don’t open their emails regardless if it’s phishing or not. They may be late. They got a lot of emails.

So they’re not even aware if it’s phishing or not. You haven’t tested them because they just didn’t open the email. So we created a game that has, and people know it’s a game. They have 10 emails and they see those emails. So they have two jobs to do. One is to figure out which one is phishing and which one is not based on the things they’ve learned. So we cover 10 different scams at every time. So they get to practice more things. But even more importantly,

John W Verry (35:40.114)
Mm-hmm.

Gaby (35:44.746)
We ask them, if it is phishing, we ask them as part of the game, what would you do? Would you call and verify? For example, we haven’t even spoken about it, but a lot of the things you can’t even simulate, like wire fraud, how do you simulate wire fraud? Do you send people a fake bank account? How do you simulate like gift card scams? You send everybody to Target or spoofing? Would you spoof Microsoft? You know, good luck with that. So.

With the game, it really allows you to practice different types of scams, including wire fraud. And then you practice what would you do if you get this type of email. And then you get a score based on how accurate you were in detecting which is phishing and which is not, and how good you were with how do you verify if it’s phishing or not, like call and verify, check the official app, stuff like that. So that’s for the social engineering aspect. But there’s other soft KPIs.

that companies can measure, for example, how often people come to them with new projects to the security team asking them, hey, we’re starting this new project, what do we need to think about from a security point of view? So like, if you look at, yeah.

John W Verry (36:57.925)
that security culture idea, right, is if people start to think about security, then they’re going to engage security more proactively in places where they wouldn’t have done that prior.

Gaby (37:04.862)
Yeah, exactly. And there’s many points like that, right? How often do people reach out to the security team and involve them in different aspects? Even if something is not working for them, instead of finding a workaround, like a cloud app, like using their own box or their own good G drive to get around a security control, instead of that, how often they come to the security team asking for a better solution or a more secure solution?

So there’s a lot of soft type of KPIs that can be used to gauge the security awareness efficiency.

John W Verry (37:46.225)
The game idea is a cool one. I like that because like you said, you’re.

proactively and positively engaging people in education in a way which there is no negative consequence associated with the activity. So that’s a pretty cool way to do it. So you did mention, and I couldn’t agree with you more, your click rate is never going to go to zero. That doesn’t exist. People are people.

Gaby (37:55.746)
Mm-hmm.

Gaby (38:06.198)
Yeah.

Gaby (38:15.22)
Yeah.

Yeah.

John W Verry (38:20.033)
I’ll ask you a question. I’ll give you a hard question to reply to here. So literally, yesterday, I was on the phone with a client that we act as the virtual CISO for a bank. And we were reviewing the results of their most recent last month’s worth of phishing. And their click through rate was like 7.4%.

Gaby (38:34.881)
Mm-hmm.

Gaby (38:45.238)
Mm-hmm.

Gaby (38:49.312)
Okay.

John W Verry (38:50.631)
How would you, like as a practitioner and somebody who does this every day, how would you respond to a 7.4% click through rate? Would you say your program is good or would you say, guys, we got to work on this?

Gaby (39:04.658)
I would say who clicked? And you know, there is a difference if you’re a CFO, for example, clicked on allow MFA, for example, and there was an MFA bombing and they clicked versus someone in the company clicked on an Amazon gift card. So like you have to take the approach of a risk. You know, you have a group.

that is potentially more risky, they have access to sort of your crown jewels, there are people that don’t have. So that goes back to this number. The number doesn’t mean a lot. I need to know who clicked. It can be even one person that clicked that is enough, you know, and what they clicked on. So that’s sort of what I would do.

John W Verry (39:47.366)
Yeah.

John W Verry (39:56.165)
Yeah, that’s an interesting response, right? Because I have to plead a little bit guilty that I don’t typically drill into it. Because 7.4 to me is a high rate. Like, I mean, I would say, I mean, often you see people that are saying they’re down in the 4% region, right? I mean, I think that’s a fairly standard. I think if you see someone who’s below that, you start to wonder whether or not that it’s actually real data anyway.

Gaby (40:08.492)
Yeah.

Gaby (40:14.732)
Yeah.

Gaby (40:18.038)
Yeah.

Yeah.

John W Verry (40:22.801)
But that’s an interesting approach, because what you know, and it makes sense, it’s a risk-based approach, because what you’re saying is, clicking on a link is a vulnerability, and measuring the vulnerability, a vulnerability in and of itself doesn’t mean anything, right? It’s, can that vulnerability be exploited, and if the vulnerability is exploited, what is the impact to the organization, right? That same vulnerability, like you said, on a desktop where they don’t have administrative level access.

Gaby (40:30.324)
Yeah.

Gaby (40:39.209)
Exactly.

Exactly.

Gaby (40:49.975)
Mm-hmm.

John W Verry (40:51.433)
where the network is properly segregated, where they’ve got good configuration of patch management on that laptop, it probably doesn’t matter, where if it was on, like you said, something that’s associated with an attack against accounts payable, that would have a more significant, that’s a cool idea, a cool answer, thanks.

Gaby (40:55.86)
Yeah.

Gaby (41:06.465)
Yep.

Gaby (41:11.914)
And also did they report? You know, like, did they report and how fast they reported?

If they didn’t report at all, if they clicked and didn’t report, then that’s a big no-no because it can evolve to be exploited. Even a low-level, you know, access that got into the organization, if they haven’t reported it and your SOC didn’t identify it, that can eventually be escalated. So I think what really matters is, again, who clicked? Did they report? And how quick?

John W Verry (41:45.417)
Okay, I like that. So, you know, you can’t, as the old adage goes, you can’t, I wouldn’t say, you can’t not talk about artificial intelligence these days in the security community. I was gonna use an expression that might have, that some people might not like. And I thought better of it. So, so how will, how is or how will AI change

Gaby (41:56.787)
Oh yeah, let’s talk about it, yeah.

John W Verry (42:15.269)
social engineering and or how is or how will it change security awareness education.

Gaby (42:16.718)
Mm-hmm.

Gaby (42:22.626)
So first of all, it’s changing it rapidly, at least the attack surface, you know, more and more voice cloning. And we think about voice cloning sometimes it’s like to pass the bank authentication, but no, like I’m talking about, you know, your granddaughter is calling you, she’s been in an accident, she needs, she’s in the hospital or whatever, or your grandson is in jail and needs to get out.

This is the type of stuff that is happening day to day. Every day it’s happening. People are getting phone calls from people that sound exactly like their family member, just you know, exactly, and they have no clue that they’re talking to a criminal. And that’s off the shelf products that can do voice change in real time. And all you need is like a three second voice sample from their TikTok, from their, and that’s it, their apps, like.

with free versions out there that can do that. You don’t need technical skills. You need motivation only to do that. That’s all you need. So, you know, if we’re talking here about like maybe what to do against this, I would suggest families to have like a safety word, sort of like what we had in the past, you know, when we were little. If somebody says, you know, mom sent me to pick you up, like what’s the safety word? So, if you’re.

kid is calling you and they’re in like huge trouble and something like that, you can just ask them, you know, what’s your safety word? So that’s something that I would advise, but it’s happening right now. The same goes for deep fake. And I’ve seen Instagram accounts with not a lot of followers. I’m talking about the thousand followers, right? Attackers, first of all, taking over, you know, account takeover on social media is happening like a lot because a lot of

people just don’t have MFA on their accounts and they have simple passwords or passwords from a different breach, they’re sharing it. So it’s not hard to take over an Instagram account unfortunately. But now you can do a deep fake. It’s called face swap. You know, you just do a face swap or something like that with their face on your face. You talk and you tell people do this, do that, you know, buy Bitcoin or go there or click on this link or so all of those things.

Gaby (44:40.978)
are happening now and criminals are sort of like puppeteers, right? Controlling our face and our voice, especially if we don’t protect our identity online. So unfortunately that’s happening and there’s much more and you know, it’s on chat GPT and it’s basically taking personalized scamming on scale. It’s just like becoming at scale. Security awareness, first of all, a lot of what we’ve learned.

on you know scams need to be augmented you know we are so much focused on email look at the email look at the email even phishing simulation right it’s email everything is email no it’s phishing and we see that also because of the better technology gets right like the better technology is that identifying phishing emails and phishing links then criminals start asking people to call them back

You know, they’re using Best Buy, not Best Buy, eBay, or QuickBooks to send you an invoice, or all type of things where, or PayPal, you’re absolutely sure that you’ve been charged. And basically they’re asking you to call back. So you have to change. I think security awareness on the one hand needs to adapt and refresh a lot of its content because it’s way more sophisticated than it was. That’s on one hand.

On the second hand, security awareness can take advantage of AI to create really cool content, right? So you need to speed up the content creation. You need to think like going back to, you know, how we at least sees content creation, we’re creating a lot of content, you know, it’s not just a big, long, boring, high production, you know, video of somebody explaining to you everything about social engineering. You have to create snappy, quick.

all the time. Awareness is like marketing. You have to have multiple touches. So you can take advantage of AI to help you with that. Tons of stuff you can do.

John W Verry (46:43.645)
Yeah, I think I saw a recent article that had the examples built into it of how AI is positively influencing social engineering via email. And just like in old days, you could tell a malicious email through poor grammar, poor spelling. Now these guys are able to use, you know.

Gaby (46:57.185)
Yeah.

Gaby (47:02.77)
Yeah.

John W Verry (47:06.769)
tools of simplest chat, write me an email, a compelling email, trying to convince somebody to, and like, you know, the content that comes out is frightening and then they can put sequences. So if you do respond, you know, the logical answer to that and they can, they can either already have the answer ready where they can dynamically use your response, but is a prompt into the, into the GPPT to write a, you know, a compelling response. And again, because we’re trying to play on

Gaby (47:09.825)
Yeah.

Gaby (47:29.32)
Yeah.

John W Verry (47:36.91)
human nature, if we prompt CHAC GPT to produce content that does appeal to said nature, some of the stuff that’s coming out is really, really scary.

Gaby (47:39.028)
Mm-hmm.

Gaby (47:49.746)
Yeah. And even if you look, you know, we have to remember that personal life and work are intertwined. So it can start with, you know, an AI bot in a dating site that eventually gets you, you know, gets your account taken over or phish you and then from there they can sort of enter your employer. So just thinking that email,

Is the way to like we have to protect that. Yes, we have to protect that. But I think we’re like overly investing there without too much thinking about all the other attack vectors just because we don’t have those tools to measure, then we don’t invest there because we just invest in email. And I think, you know.

John W Verry (48:33.809)
Yeah, even, yeah, and it’s even worse than people might think because as organizations go to BYOD, right, what you’re actually doing is blending, you know, home devices, whether it’s a phone or whether it’s a home base PC with that. So we just, we’re seeing that right now with another client that we were the virtual CISOS for, where they, I don’t know how they did it, but they’ve sort of mapped a multi hundred person organization.

Gaby (48:43.07)
Exactly.

Gaby (48:47.026)
Yeah?

John W Verry (49:03.449)
And they not only know reporting structure, but they know the phone numbers. I suspect that somehow they got into the Verizon account for corporate devices. But, and then they must’ve gotten onto devices of individuals within, you know, whether it’s the iCloud or there was an Android and they know reporting structure. You know, they, and they, and they’re, I mean, they’re just, I mean, it’s, it’s been a two month barrage.

Gaby (49:14.189)
Mm-hmm.

Gaby (49:32.895)
Yeah.

John W Verry (49:33.777)
of really interesting, I don’t know what we want to call it, vishing, smishing, some combination there of both.

Gaby (49:38.822)
Yeah. You know, you may find out that it was like a Google Doc that somebody didn’t know how to share correctly. You know, like it’s, this goes back to security awareness.

John W Verry (49:47.613)
Well, we’ve been doing a lot of, yes, how we found out that we think that a Verizon account might have been taken over is we found, you know, we did some dark web reconnaissance and we found some evidence to support that. We have not found any evidence to support leakage of like an internal document of some sort that showed the, like the equivalent of an org chart. But even if they had the org chart, I mean…

Gaby (50:09.346)
Gotcha.

Gaby (50:13.579)
Yeah, yeah.

John W Verry (50:17.101)
how they’ve mapped all of the personal, the BYOD personal cell phone numbers. Like it’s almost like they had to have gotten hold of the document, but we can’t find any evidence to support that. And they don’t believe that a document of that completeness exists. So it’s kind of, yeah, it’s really interesting. And of course, needless to say, it’s sort of the equivalent of.

Gaby (50:21.684)
Mm-hmm.

Gaby (50:24.971)
Yeah.

Gaby (50:35.538)
Mm-hmm. Wow. So they did a…

John W Verry (50:44.145)
vishing, spear fishing, spear fishing, I guess you’d call it, where the people that they’re going after are the people that are the executives of organizations, people with access to money, people with decision-making power. Yeah, crazy stuff. I guess the good news of all this stuff is we have job security, right? Exactly. Is there anything that we missed, sir?

Gaby (50:46.731)
Yeah.

Gaby (50:52.097)
Yeah.

Yeah.

Gaby (51:03.506)
Yeah, oh yeah. Fortunately and unfortunately, yeah.

Gaby (51:13.726)
I can talk about this for ages, you know, so I guess there are a lot of things we’ve missed. Yeah.

John W Verry (51:19.429)
I don’t think people will listen to this podcast for ages, so I’ll suggest you don’t go for ages. Something short of ages.

Gaby (51:28.094)
No, I don’t think we I think at the core I think We spoke about the most important things I think the main message is Security is not about the company. It’s about the person. It’s about culture It’s about home and it’s about something like every person If I have to like leave with the message my security awareness shouldn’t be a chore it’s a benefit and the fact that it’s perceived as a chore is

because we’re doing something wrong. Because why wouldn’t anyone want to learn how to protect themselves and their family online? There is like zero reason that I can think of that somebody wouldn’t wanna learn the basics of how to be safe online. Whether it’s their elderly parents, whether it’s their kids, whether it’s their friends, whether it’s their spouse. And the fact that we’re at a point in time where people perceive security awareness as a chore.

It’s just sad because it shouldn’t be like that.

John W Verry (52:30.905)
So security starts at home is the subject line for this podcast. And it really does make sense. When you think about what we bring to the office as people is fundamentally the net of what the company is. So if we’re bringing a non-educated security component, a fishable social engineerable component, yeah.

Gaby (52:33.086)
Exactly.

Gaby (52:36.777)
Exactly.

Gaby (52:49.309)
exactly as

John W Verry (52:58.961)
the net security posture of the organization reflects the people that work there, right? Interesting. So I don’t know if you did your homework. I don’t know if you read the whole agenda, but we’ll see if you prepared for this one or not. Give me an amazing or horrible see-saw, a fictional character, real-world person that would make an amazing or horrible see-saw.

Gaby (52:59.062)
Yeah.

Yeah.

Gaby (53:21.334)
So do you remember that character, you know like the coyote in the Road Runner? You know, Mik Mik?

John W Verry (53:27.793)
Yeah, yeah, unfortunately, I, no, I’m not old. Oh, my grandparents told me about that one. I never saw it, but I’ve heard about it. No, I’ve never, I’m not old enough, Gabby, to Gabby to have seen that. I mean, is it still on? No, no, listen, the road, Wiley Coyote and the Roadrunner, of course, you know, with the end always dropping an anvil on him and somehow he never always recovered, right?

Gaby (53:35.909)
Oh, you never saw it? So, I love cartoons. I don’t know, I love cartoons. I’m watching them even in my age.

Gaby (53:53.586)
Exactly. Yeah. So I think that’s sort of like the bad type of CISO. I think, you know, when you forget about the basics and you’re trying all these crazy technologies to stop stuff and you sort of like skip the basics, it’s not just security awareness. I think it’s in general, you know, taking care of the basics. I think that’s sort of like the bad type of CISO.

John W Verry (54:22.461)
So.

Gaby (54:22.466)
Take care of your basics. Don’t come with those heavy lifts, huge raw. There’s no need for like, yes, they’re always lacking budget, but sometimes lack of budget makes you focus. So I think trying to come up with those heavy tools and huge budgets to solve something, sometimes it plays against you. First of all, make sure you got the basics covered.

John W Verry (54:48.785)
Okay, so I think you’re saying Road Runner would be a bad seesaw, is that right? Oh, the coyote was the one who always dropped the anvil.

Gaby (54:55.302)
No, the coyote. Yeah, yeah, the roadrunner is running. The roadrunner is like, the roadrunner is like the, you know, the one you try to catch. So you’re the seesaw, the coyote. You’re trying to catch the roadrunner, but you are, you’re always failing. You’re always failing to catch the… Yeah.

John W Verry (55:03.088)
Uh…

Okay

John W Verry (55:09.466)
Alright, yeah.

John W Verry (55:15.662)
I’m embarrassed. My memory failed. My memory failed. All kidding aside, it probably has been 30 years since I’ve seen one of those episodes. Now I’m going to have to go on like Nick at Night or the Cartoon Network.

Gaby (55:24.343)
Yeah.

Gaby (55:28.775)
I just that’s what I remember I haven’t watched it for a while well, but you know when you asked me I was like Mikmik, you know Always getting away always getting away, you know

John W Verry (55:33.713)
Hehehehe

John W Verry (55:41.059)
If someone wants to get in contact with you or with Wiser, what’s the best way to do that?

Gaby (55:48.174)
So first of all, I’m on LinkedIn. I’m very active on LinkedIn. Gabriel Freelander on LinkedIn. You can find me over there. You can DM me. Our website is wiser-training.com. And in terms of sales or anything like that, just sales at wiser-training.com. You can subscribe for free to Wiser with a Z, by the way, W-I-Z-E-R-training.com.

So if you want to use Wiser, the free version, don’t even need to call us or ask for anything. Like you subscribe. Unlimited amount of users. It’s limited in the amount of content, though. And you don’t have phishing simulation and some other stuff. But the core basics is there. So you can give it a go. And always feel free to DM me. I’m very active in the community. I love answering questions. I love talking, as you can see.

So yeah, feel free to reach out to me.

John W Verry (56:51.409)
Gave you thanks, man. Appreciate you. Appreciate you coming on.

Gaby (56:54.446)
Great, thank you very much.

John W Verry (56:58.469)
One second. You should see.

Pivot Point is now part of CBIZ. Click Here for more information.

Ep 127: The Future of Security: Unraveling the World of Social Engineering

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

What are the 5 Key DevOps Research & Assessment (DORA) Metrics and Why Should I Care?

ISO 42001: What are the Key Elements of an AI Management System?

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How can we help you?

Services

Compliance

Insights

Pivot Point Security