Defending the human firewall: a conversation with The White Hatter
In this episode, Paul and Ty chat with Brandon Laur of The White Hatter. They talk about security awareness training and the human firewall, drawing attention to the rise in social media phishing.
They also chat about how different generations respond to online scams, intensifying business risks due to the recent shift to remote work, password management and much more.
A lot of remote workers are using their own personal devices at home, which brings up security issues, legal issues, privacy issues, where especially here in BC, given, let’s say, you are an organization…collecting personally identifiable information on clients, and you have a remote worker who’s saving that data on their own personal laptop, in their own personal possession, that is a recipe for disaster.
Paul: Well, you guys were talking about the term the human firewall, what five, six years ago, and Brandon when did that term appear?
Brandon: I don’t know when the term actually appeared, but I guess social engineering attacks have been in existence since the beginning of security. It’s the most rudimentary, basic level of security out there that has been in existence since we’re all human. So I don’t know, I wonder what Google Ngrams says about that.
Paul: I actually have an analogy for social engineering and the human firewall which I like to use when I give my security presentations, which is: your IT company builds a moat around your castle, and it fills it with alligators and sets up archers, one on every corner of the castle, protecting it, and social engineering is the guy on the inside that lowers the gate and lets the bad guys in, right. Everything you possibly could do to try to stop it is being done on an IT level, and it’s the people on the inside that are being manipulated by the bad guys pretending to be who they’re not.
Brandon: It will always be that way. I don’t think, no matter how hard any of us try, I think there’s always someone who would try to sell you snake oil, no matter how hard we try, there’s always going to be someone who will…
Paul: Well, and for small business owners, what they really need is they need their staff to realize that these threats exist. I mean, that’s really what it comes down to. Starting at that point, if they realize the threats exist, the chances of them falling for the scam are so much lower.
Brandon: Right. But it’s a hard sell. We’re in a hard business. In order for us to sell to a business of, “Hey, let’s help increase your staff security consciousness” where no one wants to pay for that. Who wants to pay for that? No one wants to pay for that.
Paul: It’s the life insurance of the IT world.
Brandon: No one likes life insurance, you only pay for it because you have to.
Paul: It’s not even that, it’s worse than that. You don’t even want to think about life insurance, because life insurance means you’re going to die. There’s a reason they don’t call it death insurance, it’s all about branding, right, because ultimately that’s really what it’s about.
Paul: When you’re talking about security awareness, what you’re saying is, there’s a lot of bad stuff that’s out there and we want to tell you about it, nobody wants to hear about the bad stuff.
Brandon: No, they don’t… Okay, so I pulled it up in Ngram and apparently 00006% was talked about human firewall, and let me pull it up here, in 1992, right here.
Paul: Oh wow, that early.
Brandon: So that was the first, apparently according to Google’s ngram system, that was the first mention.
Paul: We are recording in the early days of January 2021. This is the first podcast of 2021 and joining us is Brandon Laur who is… your brand that I think of now is The White Hatter, thewhitehatter.ca. But obviously, you’re still part of Personal Protection Systems, which is the company that has been on for a long, long time doing… I guess what you tell me, what is it?
Brandon: We’ve had quite the transformation. So, we’ve been in existence since 1993, and originally back then, and we still are called Personal Protection Systems, however, people know us more nowadays by our trademark, which is The White Hatter. But back in the day, the company was all about physical safety, so kind of hand-to-hand safety, if you’re being attacked, what do you do, how to stay aware when walking home from work… That kind of thing.
Paul: Okay, I didn’t realize that was the origin, but yeah, that makes sense.
Brandon: It’s a family business, my father and my mom started the business, and my father’s background is in law enforcement, and he was a Use of Force instructor with Victoria Police Department many years ago, and that was his specialty. And so he brought that experience into the business realm, not just to convert teaching what you teach law enforcement professionals, but now also teach the average consumer. And then around 2000… How many years ago was that? Probably, well, I guess 2009-ish I began getting really interested in cybersecurity, white hat hacking, learning what vulnerabilities exist on the internet. And then my father, who had all this experience presenting to thousands of people, basically took what I was learning as a young individual, hacking legally, following the law. Let me make that very clear.
Paul: Considering you come from a law enforcement family…I should hope so.
Brandon: Only hacking my own thing and no one else’s. So learning how that all works, and he took that and he built programs out of what I was learning, and then when I finally was ready to be a part of the organization, it was kind of an easy fit because I’d already kind of built material in a way, being such an integral part of the content. And now we are so, so busy working with mostly schools. We work a lot with younger individuals, schools will bring us in, talk to their students about how to stay safe, cyber bullying, sexting concerns, all the types of things that come with digital safety, privacy, literacy, and then additionally, taking what we learn there and applying it to small to medium-sized businesses to make sure that their lowest level employee understands how not to be fooled by some of the scammers that exist on the Internet.
Paul: This is great. I always love chatting with you, Brandon, and we’ve known each other, I guess, just probably about a decade or so, actually a little longer than a decade now. And yeah, and I’ve been sort of following as you’ve been changing and evolving with the security world. And of course, at Smart Dolphins, we think about security an awful lot. And on that note, we decided this week to bring Ty Hedden, who is one of our VCIOs who’s long been specializing in security for business as well on the call as well. So welcome Ty to the podcast. Ty has been on with us before, of course.
Ty: Hello, good morning.
Paul: And for those who are listening, I’ll give you the two-minute version: the white hats and the black hats are the two different types of hackers. You correct me when I’m wrong on this, Brandon… and actually, there’s grey hats too, right?
Brandon: And red hats. There’s a lot of hats.
Paul: But primarily the black hat hackers are the ones that are trying to cause all the problems, and the white hatters are the ones that are listening in to what’s going on in that world and then trying to help people prevent being hacked, and taking that hacking knowledge and putting it to good use, and I guess at some level helping companies identify vulnerabilities too. Like a lot of them are in the business of cracking networks for customers so that they can show them what their own vulnerabilities are, right. I don’t know if you do a lot of that yourself?
Brandon: Not a lot on our plate. We’re a small team, although we’re a mighty team, we are a small team. We’re focused more on the preventative side of things, so more of the education side, literacy, some legal concerns, privacy issues, copyright issues. It’s all about literacy. We have some people on our team who have done penetration testing, but that’s not necessarily our main focus, that’s not specific in what we do. Honestly, we do have training in that field, and I think that’d be kind of cool to explore that a little more, because let’s be honest, that’s kind of the fun side of security, you get to break things.
Paul: Well, it’s also a very sophisticated niche, and the fact of the matter is there’s a lot of companies that specialize in penetration testing. Companies that are very, very good at what they do. So it’s a tough area to crack, but obviously very relevant to what you do on a regular basis, just being able to do that so you can have the knowledge so you can continue to grow and expand. Man, what a challenge in IT, just keeping up with everything that’s going on in the world, but within the security niche, I mean, you must spend a considerable amount of your time just educating yourself on it, just learning what’s new and what’s evolving.
Brandon: Yeah, I think that’s kind of one of our main challenges as an organization that primarily deals with understanding what are the scams, what are the phishing mechanisms, what will people say? How do they say it? How to identify and how to deal with it? Because those things change all the time as technology changes. Where it once was looking out for suspicious looking emails, which still, by the way, is the number one main security vulnerability out there, your email and clicking on things you shouldn’t click on. But apart from that, additionally, you’re seeing more of these messages being spread through social media as well now. There was a good, good article last month, I think, where a research team was identifying how a scammer was essentially squatting on the username, I think it was on Instagram, Instagram support, and that was the name they chose for their account. Now, this wasn’t the official Instagram support account, just someone took the name…
Paul: Was that on their birth certificate?
Brandon: Yeah, exactly, and they were using this name and they were sending messages to other… Well, they were targeting celebrities saying, “Hey, we are Instagram support, click this link, verify your account,” with all that stuff. And then obviously people see, “Oh, Instagram support, must be legitimate.” So people need to start expanding the idea that manipulative messages can occur on any platform where you can talk to people.
Paul: And it’s really, there’s so many threat vectors around that, Ty… Obviously, email is a huge one, but text messages come in, instant messages through Instagram and Facebook and that sort of thing. There’s also the telephone, people will call and pretend to be somebody that they’re not in order to manipulate you, and they can be very, very convincing. I know you can go on YouTube and do some quick searches. And you’ve probably seen dozens of these, Brandon, of people recording their calls from scammers and man, they are sophisticated, they really know how to manipulate people. Ty?
Ty: I think the manipulation is what gets my brain going, and to manipulate technology in order to reach more people, and I think any technology or system that is scalable is one where you’re going to see this type of action. That’s why email is so popular, because you can send hundreds of thousands of them and reach many people, and you just need a few people to click on it, you need a very small percentage to get a pretty good return. But any system that comes out, Twitter, any social media platform, those are all going to be vectors, and it’s amazing how creative some of these bad guys get, like the Instagram support, that’s one I hadn’t heard of, but that’s been done on just about any platform you can think of. And not just impersonating official accounts, but impersonating family, friends, or just appearing to be another normal individual. This stuff’s been around for a long time.
I think for me, what I find most challenging is that it’s still such an issue, and I think it’s probably always going to be. What I try and do when I’m talking to business owners and their teams when we put on our presentations is really get people to treat any social interaction the same way they would an in-person interaction, it just kind of feels a little bit off. If somebody walks up to you off the street and proposes something or tries to sell you something, and it seems a little bit strange, usually alarm bells go off and there are social cues there, there’s all kinds of stuff we pick up on and it just doesn’t feel right. But trying to translate that skill set over to the digital world and your digital interactions, I think it’s really challenging, but I think it’s also really important to try and keep encouraging that, because that’s where people tend to get tripped up, we tend to be much more trusting or you just don’t apply the same sort of scrutiny to those interactions I think.
Paul: And technology can be kind of daunting for individuals too. They’re already overwhelmed with the power of what’s at their fingertips, and so they get a message from Instagram support and they go, “okay, well, this is something I guess I’m supposed to do.” And nobody told them not to do this or that. This isn’t a thing that happens, so there’s probably some really hot tips, we should go around the table here, and what’s one or two things that an individual should watch for that should send off alarm bells. And I think the big one for me, I’ll go first since I brought up the topic, but the big one for me is sort of fundamentally, which Brandon referred to, is if somebody is reaching out to you unexpectedly, it’s probably a scam, right. First of all, Microsoft or Google are not going to phone you, ever, unless you phoned them first, and you can say that for almost everything. You’re not going to get some random message on a platform from a support account, because it’s probably not real. Right, and you’re probably not going to get an email from your bank telling you they’re going to close your account in 24 hours if you don’t click on the link and fill out the form, right? These are things that are just probably never going to happen, and so I think that would be one thing is people should just… if you have an unexpected communication, take a deep breath, stop, pause, read it carefully, and really look at it with a skeptical eye. I don’t know, what have you got, Ty? How can we help people here?
Ty: The stopping and pausing is a really, really important mechanism, especially in business, a lot of us are quite busy. We answer a lot of emails every day and we’re just kind of trying to get through them and get through our inbox every day. Just taking an extra moment to kind of check something out and just apply a little bit of extra scrutiny to it, not just thinking through it, like you mentioned, sort of asking, is it likely that this company would reach out to me like this? But maybe reaching out to them directly outside of that email and confirming that this communication came from them. That takes time though, right? And when we’re busy, we might not do that, but I think it’s really important that we do.
Paul: And don’t use the link to do that!
Ty: And don’t use the link to do that! Exactly, if you get an email from your bank and it wants you to confirm some information, call the bank or go through their chat support directly, don’t follow the email to whatever site it might lead you to. It’s slowing down, I think, again, which kind of ties back to any interaction, just taking a moment to really think through it and being careful, and it’s tough to do sometimes.
Paul: Brandon, how can you help the people listening today?
Brandon: I think, tying onto this whole story that we’re building here, no one’s going to, no legitimate IT support or company is going to call you and ask for your password, because one, they already have all your information, they don’t need your password, and that’s the red flag. And you’d still be surprised how many people, especially when I deal with younger folks, might believe that Instagram support handle, because I guess that generation is more used to conversing and dealing with people through social media rather than email or over the phone, so I think we’re going to see a generational shift, most certainly, in these attacks. Yeah, so basically, if someone’s asking for your password, that’s the red flag. I mean, like Ty was saying, don’t click the link, go to your actual www. whatever your bank is dot-com, because if there’s an issue with your account, you’re going to find the issue when you log in through the main dashboard. It’s going to be right there when you log in, big red letters, your account has a problem or something, right?
Paul: Or, you’re not going to be able to log in…
Brandon: Exactly. I think there’s this whole narrative that we’ve now built organically here in the podcast, which is: this happens every day, every minute, all the time. This is nothing new that we’re talking about, and I think when I’m talking to groups, businesses or students or anyone, talking about the social vulnerabilities, the phishing, the scams, I don’t like talking about that stuff, people are tired of hearing about that stuff, but I have to talk about it. Why? Because it happens all the time and people don’t necessarily take what we say and listen.
Paul: Well, and potentially it’s worse than that, because we’re in the situation now where people are working from home on computers that may or may not have the same level of security that they used to have on their work networks and that sort of thing, and so there’s… We’ve opened up this brand new world of a threat factor, and people are sitting at their desk by themselves, they are not sitting around with their colleagues, so when they do get phished, they can’t… There’s nobody looking over their shoulder that they can nudge and say “what do you think of this?” Right, and so really the dynamic, I think, has changed a lot because of that whole remote work situation, and just the fact that people… You don’t want to be lower impact in terms of how they affect other staff and stuff, because people are typically suffering in some way, and you don’t really want to be a big burden to your co-workers, so maybe just sort of, “Oh, I’ll just deal with this myself.” Right, and I think there’s a lot of that going on, and I think the hackers know this, right, the hackers are taking advantage, and it is funny, right, because there’s no… obviously, you’re a hacker in the sense of a white hat hacker with ethical standards, but for the bad guys, it’s very low, it’s a very low bar on the ethics ladder. They will take the cancer charity for every penny they have if they can, and damn the consequences. And so why wouldn’t they do that with anybody else who’s listening, and they will drive your business into the ground and not blink on the way out, because they’re in the business of doing that, right? So, we went on quite a weird tangent there, but…
Brandon: A good tangent, because the last year has certainly brought up a bunch of not only physical safety concerns, given the last year, but also the digital concerns working from home. I think of how many reports that we’ve all seen in the last year talking about the increase in scammers buying up Zoom-related domains to make a fake Zoom website to get your login credentials, or the reports talking about how remote workers will be using (a lot of them) … some businesses don’t have the infrastructure to pay for a company laptop to give to a remote worker. So a lot of remote workers are using their own personal devices at home, which brings up security issues, legal issues, privacy issues, where especially here in BC, given, let’s say, you are an organization, you’re in charge of collecting personally identifiable information on clients, and you have a remote worker who’s saving that data on their own personal laptop, in their own personal possession, that is a recipe for disaster. Not only disclosing that to the client, how many clients would like to hear that? But depending on your interpretation of the law, that might be something you have to do, is disclose where the data is being saved. So I think, not trying to add more concerns this last year, but we’ve seen an increase in challenges with remote workers and businesses quickly having to switch to this new standard of business.
Paul: And at the same time, privacy laws are finally maturing and the pandemic hasn’t changed the expectation that companies are beginning to come into compliance with privacy issues. Brandon, why should individuals care about their privacy? Because you know, I got a Facebook, I got a social media, who cares about me? I’m going on a fishing trip and I put that on Facebook. Nobody’s going to care about that. Right, am I right?
Brandon: In most cases, people don’t care about that. I think a lot of people focus a lot on Facebook owns everything and knows everything. And that’s just the way of life nowadays. A lot of people point fingers at the Netflix drama/documentary, The Social Dilemma, and all that stuff. It’s more about the narrative that you build about yourself. So you went on a fishing trip… Fantastic. But maybe someone takes a video, for example, of you doing something on the fishing trip that may not be that savory. Who else will see that? So it’s not necessarily that Facebook knows what you’re going to think next morning and they are going to send you ads for that. It’s more so for entry-level workers, or even people who are professionals who are leaving university, leaving college, and now they’re looking for a job. And how organizations are using social media to build a narrative on “are you that person I want working for me?” And we see that happening more and more, and it can be as simple as a Google search. For example, even low-level employees in a lot of businesses who we’ve talked to do a quick Google search. “Have you done anything I should be worried about if I hire you?” And people think, “well, if I’m just a low-level employee, who cares?” Well, who cares if you’ve posted a TikTok two months ago of you washing yourself at a Burger King, giant basin? That’s a viral video (for those of you who know what I’m talking about) and your name is attached to that. “Well, why would I hire you for this job, if I’ve seen you do something on TikTok with your previous employer? Why would I want that?”
It’s the brand image that I think a lot of entry, but even managerial level staff need to kind of pay attention to, and also with the privacy, given today’s world, is: do you really want your data saved on this employee’s personal laptop to keep at home? And that’s a challenge we’re seeing nowadays. I’m sure we could talk about this for hours, but in jest, that’s kind of it.
Paul: Yeah, it’s an interesting topic, and Ty, I know you have some things to say on privacy as well. I’ve come full circle in part because of the influence of Ty and having conversations over the past few years. I used to just not care about privacy at all, and so I was being a little facetious when I posed the question. Your example is great. To your point, Brandon, they used to have stats of the percentage of companies that would Google search prospective employees before they hired them, and then they stopped making those stats because presumably it’s 100%. Nobody does not do that. Right, you know what I mean?
Brandon: I think the last official stat that I’ve seen was 75, that’s a couple of years ago, and I know from experience working with businesses, I know it’s higher than that, but some businesses are hesitant to say yes or no because some people argue certain privacy laws and such, but there’s some gray areas.
Paul: That’s what incognito windows are for.
Brandon: Yes, of course. There’s the solution. We’ve solved privacy. You heard it on this podcast. Incognito. No, just don’t do that.
Paul: Sorry, anytime you have the privacy guy in the room, you’ve got to talk about incognito. That’ll solve everything, right?
Brandon: Of course, that’s why I love working with students, because we get questions… When I finish a student presentation, I don’t know, I think I have to change the presentation to ask this directly or address it directly, because I get questions all the time from students. There’s the question, “what about incognito? Does it actually work?” So I mean that’s given me an indication that I think there still needs to be education and knowledge around how much control you have. That’s why I like visualizing with both businesses, consumers and younger folks how the data’s handled, and giving them the workflow of how data is handled and controlled to show: okay, this is what incognito does, this is what it controls, everything else past this is free game.
But once you talk technical with individuals, you’re going to cut some people out who just don’t want to hear the technical. So that’s a challenge I face, is how do I communicate privacy and security challenges with anybody, but not be too technical. I love the technical, but the average person isn’t going to hear it, they’re going to forget, so that’s a big challenge in the education field, is how do you do it so people understand and want to listen.
Paul: Ty, what do you have to say about privacy? And in particular with businesses, who are, of course, mostly listening today?
Ty: A few thoughts, actually. What I always tell people is that incognito is great if you want to discreetly shop for Christmas gifts for your family and not have them find out what they’re getting. Anything beyond that, though, really? It’s not helpful. That’s kind of about as powerful as it is.
I want to touch on something Brandon said a moment ago as well, with that sort of reputational damage: you go on the fishing trip and your buddies have a bunch of pops and you make a post that doesn’t sit well with most people. We’ve seen that over and over, somebody sends out a tweet and they try and pull it back. There’s a permanency to anything you do online, whether it’s as an individual or as a business, or it’s one of your employees, and not just through communications, but things that happen.
If you’re lax and you have a data breach because you rushed to work from home, and somebody is storing that PII, that personally identifiable information, on a home laptop and that gets breached, that’s likely to follow you around for a long time, long after the fines, long after you’ve put in the right security measures and you’ve remediated everything. If it’s serious enough, the Office of the Information and Privacy Commissioner can tell you to publish what happened, that’s going to be out there and it’s going to be Google-able, and it’s going to affect future business prospects. The impact can be very, very long lasting and very damaging to your reputation.
Paul: And that goes for businesses and individuals.
Ty: Exactly, it’s that permanency. These things have happened, they’re going to be out there for a very, very long time and easily found, so yeah, really important, I think, to keep that in mind and assign the right type of risk management to these risks. They are serious.
A conversation I had actually with a cyber security insurance expert in town a couple of years ago was quite interesting. And they were talking about fire insurance for businesses, you’d be crazy not to have it. If your building burns down, you need it to be insurable… People’s livelihoods are on the line, so we all have it.
Cybersecurity insurance isn’t quite as prevalent yet, but there’s a very big difference between those two types of disasters. If a local business has a fire happen, it’s a tragedy, everyone feels terrible for them. It’s this awful thing that happened to a business, and there’s a lot of sort of empathy around that. If you have a data breach, it might not be the same reaction from the community, and especially those whose information has been breached, it’s not always so empathetic, and there’s a lot more scrutiny applied to what happened. If you are left naked without insurance on top of that, you’re going to have a really tough time navigating it, you’re going to have a really, really tough time dealing with any remuneration, so you may need to pay fines or pay for identity theft management for hundreds of thousands, tens of thousands of people, all of these things come out of it. So linking it back to a real risk that we’re all very used to, like fire, it’s just as real and it’s actually potentially more damaging, I think, to businesses. You can rebuild the burned down office, but a reputation is a lot harder to rebuild after that.
Paul: And it’s interesting because you could even extend that a little bit and say if there was a data breach and you did everything within your power to prevent that, that people might be more sympathetic, but I don’t even know that that’s true. At the end of the day people are still ticked off because their information got out, and it was only because it was in your custody and you failed them. The equivalent would be, I didn’t bother getting my routine maintenance done on my gas pipes in my restaurant for the last 12 years and then the fire happened. You’re not going to see as much sympathy in that scenario as the fire that happened completely unexpectedly and without some sort of negligence on your part. But I do feel like you could be completely lacking in negligence and still be culpable, it’s still going to hurt your reputation, but at the very least, you should make those efforts to try to… If your company is in charge of people’s data, people or company or other people, you need to be taking that responsibility incredibly seriously, and that’s really what the legislation, the underlying motivation of the legislation, is really about: getting people and companies to take that extra level of responsibility, really think about that and how they should be doing it.
There’s a bunch of best practices around that, we could go down a long pathway there, but there are really obvious ones worth mentioning, like: do you need to collect all the data that you are collecting in the first place, and if you are collecting it, do you need to retain it the way you’re retaining it? Do you really need to have credit card numbers on file for 12 years, or can you purge them after a month? So there’s all these sorts of questions that businesses should be asking themselves to limit the data that they have in their custody and purge that as quickly as they don’t need it, and obviously there’s going to be lots of exceptions to that, there’s medical histories and things like that, that people have to retain, organizations have to retain for years and years and years, according to other standards and legal requirements for maintaining that information. Right, but if you’re not falling under that, then get it out, just don’t have the data, and that way, if it gets breached, the impact of it is way less severe than if you had a mountain of data you’ve been collecting for the last 30 years that suddenly is sitting on the dark web for sale to whoever wants it.
Paul: Is that how it works, Brandon? The dark web? Just a “for sale” sign.
Brandon: Oh boy, let’s not get into that. We could be here for hours talking about how that works. To continue on with what you guys are both talking about, you kind of alluded to it, there’s a bunch of exceptions to the data retention. I think a lot of businesses, definitely smaller organizations, have a harder time understanding what are the examples? Because there’s so many different businesses that have so many different niches and functionality that… Who determines (obviously the privacy commissioner does) but who determines what you keep and what you shouldn’t? But there are exceptions, there’s differences in how your organization runs, so I think that’s a challenge that I get asked about all the time from organizations when I talk to them: do I need this or do I not need this? What if I need this data for this reason in the future? Right, so I think… a lot of people have the hoard mentality when it comes to data management. Anyone who’s in data, generally, would say to you, more data, better information. And I think that that’s why Facebook exists, right? More data, the better it functions. And now we have these legislations that say, “okay, you can have all this data, but what data do I keep or not?” And I think it’s hard for us as professionals as well to talk about that, because ultimately, we could be wrong. What we might think is an acceptable amount of data to maintain and retain, the Privacy Commissioner or any of their staff members could see otherwise.
And that’s a challenge that even I face and say, “yeah, keep that, don’t keep that, here’s what you retain, here’s what you don’t.” Because ultimately, my word is, I have an educated guess essentially, but until someone in authority comes and says “yes or no,” it’s kind of…I think that’s the challenge with the current legislation and how it’s kind of functioning is there’s no hard set examples of…
Paul: That’s right.
Brandon: Or even if you ask a government body, it doesn’t matter if it’s the privacy commissioner or not, if you ask them, they don’t give you “yes, no” answers to your questions. The here to do that, they can’t do that. They only say “yes and no” when they’re actually doing an investigation or when they’re doing a report.
Paul: And then it’s too late.
Brandon: Yeah. That’s right. And that’s just government. That’s bureaucracy as it is and that’s a challenge itself. I don’t know, not about privacy, but other concerns, I’ve asked a government body, “okay, this legislation says this, if I do this am I okay?” And I’ve done that to many different branches of government, and every time it’s “we can’t talk about that unless we’re acting on an investigation.” Well, then, what am I to do. Am I following the law or am I not following the law?
Paul: I think the key there, and it’s frustrating, you really tapped into something, the key there is, first of all, there are privacy, they’re very knowledgeable and we know some who we can always introduce people to…There are knowledgeable privacy consultants who specialize in that area, and they’re going to do a little bit of the same too, but they’re going to look at your specific information and they’re going to give you advice based on their knowledge of the law and also with their experience, and so you can pay for that.
The other thing that the Privacy Commissioner of British Columbia in particular, they’re pretty open about the fact that they will be happy to sort of give you advice but oftentimes, as you know, Brandon, they’re not going to give you highly specific stuff like “you should absolutely do this. You should absolutely do that. We’ll put it in writing and say that we told you to do this if you ever get in trouble.” And so it’s really up to the business to show that they’ve done their due diligence, and that’s the key and document that, and that’s what any privacy consultant is going to tell you as well, they’re going to say. “You need to look at how are you regulated?” So are there other requirements you have, obviously, like if you’re an accountant, you have a certain number of years,
Brandon: Health care.
Paul: There’s all sorts of other regulations you need to look at that first, make sure you’re in compliance with that, and then secondarily, you need to look at…the privacy, your data collection, are you collecting too much and are you retaining it too long? And those sorts of things, and really a bit of guesswork on that, but if you can demonstrate that you went through a thought process to reduce the risk while still giving you the ability to function as a business and serve those customers effectively, and then you have a data breach and you can point back to it and say, “well, you know what, we did go through a due diligence exercise, we reviewed all this, and we considered all the risks and this is what we came up with.” I think from a legal perspective, and again, don’t take this as absolutely firm legal advice from Paul on this podcast, but I think from a legal perspective, you’re going to be in a lot more solid position in any legal situations. However, that still doesn’t change the reputation risk, and that’s still the bigger issue. Maybe the Privacy Commissioner gives you a pass and maybe the court case gets thrown out, but your business could still be ended because of the massive data breach, and so it still comes down to really taking care of the information that you do keep in your custody, so…Wow. What a massive topic we just opened up there. Did we know we were going to talk about privacy, Ty?
Ty: Almost always when I get involved. I think, for me, I actually look at personal and business privacy almost under the same lens, right. I think the risks to an individual are probably just as important as the risks to a business. And we’ve seen that, we’ve seen people utterly destroy their lives because they didn’t do that simple due diligence, they didn’t clean up those old accounts, they weren’t careful with the information they put out there. And that really does scale up to the business world. And it’s scary to think about. I think that’s probably one of the reasons a lot of people don’t want to…they don’t want to address this head-on because it’s not very fun and it is quite terrifying. There’s this sort of void, I think, or vacuum within the dialogue around this. I think a lot of businesses probably aren’t as open about their concerns and risks as they should be. I think if we talked about it more, and shared strategy and shared experiences, I think we’d probably be a little further ahead than we are, so trying to encourage that, I think is really, really important.
And we see that with personal computing as well. We talked about people that are at home in a bit of a silo right now on their personal computer, just working, how likely are they to share that really convincing phishing email with their co-workers and ask whether they think it’s legitimate? I don’t think anybody wants to look like they’re not knowledgeable.
One indicator I’ve seen of this over the years is it’s actually quite rare that we see somebody bring one of those to us. And the odd time they do, they’re almost always apologetic about it, they’re like, “oh, I’m really sorry to bug you guys. I just got this email and I’m just not quite sure I should click on it or not.” And our reaction is always, “don’t apologize, consult us more on that, we’re happy to help confirm this with you and sharpen your toolset so you can identify them more easily.” I think that holds us back a lot, just being shy and maybe a little embarrassed to talk about this stuff.
Paul: I think it’s partially that Ty, but I also think it’s (and I’m dating myself here because I’m the oldest one in the room) but back in the old days when you got an email and you had an attachment on it, and the attachment had a macro that would run in Word, that would wipe out everything on your computer or install some virus or whatever, that’s less common now. There’s still a risk, but it’s a lot less common, and Microsoft filters and Google filters and that sort of thing are really good at catching that sort of stuff. So you don’t see that as often now, but I think for older folks like myself, we are afraid to forward it because if we forward it, maybe we’re spreading it to you now.
And so I think people need to be a little bit less cautious by that when dealing with their IT people. Their IT people, if they’re good, which we are, but if they got their tool set organized, that’s not going to be a risk, and so maybe if you’ve been reluctant to forward that in the past and you’re listening right now, you should be less reluctant. Still don’t open those attachments please, but Bob sends you a resume, it’s probably not a resume, it’s probably something else, so be very cautious about that, make sure if you weren’t expecting an attachment that you call them and say, “hey, did you just send me an attachment?” But all the sorts of good things we should be doing, but yeah, I think that’s definitely one of the other things as well. And Brandon, do you have more thoughts around email safety?
Brandon: I think we were saying about, you don’t see those types of attacks happening nowadays, I agree. Sometimes there’s vulnerabilities in Microsoft or Excel, sometimes something is exploited, but it gets fixed the next week. So we do see those things pop up from time to time, but when you’re thinking about the criminal element, they’re rare in regards to how many bad people are actually out there on the Internet compared to good people, I mean, that’s a very small portion of the internet, so if you’re looking at just the numbers, chances are, you’re probably not going to be attacked if you’re doing the basics of having security and privacy standards in place, like Ty was saying, low-hanging fruit. Right. Those hackers, if you’re not doing the basics, the bare minimum even, then you’re probably going to be more vulnerable. If you’re doing the bare minimum, if you’re doing the basics, then your biggest threat is going to be someone who’s purposefully trying to target you. Now, if that’s happening, there’s definitely an increased risk because now you’re being targeted by one of that small portion of individuals, chances are it won’t happen to you, but if it does happen, there are a lot of particular…
Paul: I’ll just interrupt for a second Brandon and if you’re listening to this podcast and you’re a member of the business community in Victoria, you actually are probably more likely to be a target than maybe your general audience normally, because the people that do get those direct attacks, those spearphishing, and the ones where they’re actually being attacked, they tend to be the C-level people within companies, they tend to be the finance people within companies, and so we actually will have some of those people listening today. So just to sort of earmark what Brandon was saying, if you’re listening today, you may actually be more of a target on this point, but I’ll turn it back over to you, Brandon.
Brandon: Definitely, C-level. We’ve definitely seen an increase, there have been a bunch of reports the last two years talking to how C-level executives have been targeted often times, because C-levels don’t necessarily want to spend the time dealing with it or they subvert in-place security practices in order to get something done.
Brandon: And that’s definitely… If you’re someone in the leadership position and you have someone coming to you going, “you know what, it’s not how we do things necessarily.” And that’s a challenge of someone below you trying to tell you how things should be done, which is a whole different situation itself. But I think when I talk to organizations, I try to inform individuals that no matter what your level, if there are security practices in place and someone’s not following them, that person could put the clients, the staff and the whole organization at risk. And that’s definitely a challenge as well, so yeah, well…
Paul: And there you’ve hit the nail on the head. If you’re going to target somebody to subvert the financial controls that are in place in an organization, the CEO is a great place to start. Because if the CEO goes to the finance director and says, “please don’t follow your 17 protocols on financial controls, I need this very urgent thing done right now.” That financial person is going to be going… “The boss is breathing down my neck here, I know I’m supposed to follow these protocols” but…and that is a genuine…And we’ve seen this, this is a very genuine social engineering trick, because authorities can override rules.
And so I think the best thing you can do if you really want to prevent that in your organization is just put it out there as a leader and say, “everybody follows the rules, including me, there’s never going to be a situation where I’m going to approach you and say, you know, don’t follow the financial protocols, or don’t follow the privacy rules, that’s never going to happen.” And then you can prevent that as a leader in your organization…Sorry to interrupt again, Brandon, my brain is exploding.
Brandon: I mean if there’s any lawyers listening, law firms have been a particular target for these types of attacks because oftentimes law firms are usually one lawyer, maybe an office admin, and it’s usually a small team who may not have a tech infrastructure behind them or knowledge or experience because they’re focused on law, and there’s been a bunch of stories and reports, even in our own experience, where a lot of law firms have been targeted because one, they control data, they control money often times, so they do become a target, so…Yeah, I guess you’re right.
Let me rephrase my original statement: if you are controlling a lot of money or a lot of personal information then you are at a higher likelihood. But if you’re just an average business, doing average stuff, the risk is lower, but there’s always risk, and that’s anything we do in today’s world with anything. You go to the grocery store, there’s some risk of things happening… Right. So there is always risk, it’s managing the risk, that is really where we come into play.
Paul: Guys, I want to talk about passwords.
Brandon: Oh I love in the final passwords.
Paul: In the final part. Passwords, the bane of everyone’s existence. And something that the science of passwords, the nerds, got wrong for a long, long time. They thought upper case, lower case, symbols was good enough security and discovered that in fact, shorter passwords that even follow those protocols can be hacked really quickly, and changing your password regularly was important and what they discovered was people would just change them in a pattern, so my password this week is the name of my cat followed by the number one and an exclamation point, and then next week is going to be the same cat followed by the number two and the exclamation point, and once one of those passwords gets hacked, it’s in a database somewhere, and guess what? Hackers are smart enough to know that if you use Fluffy one exclamation mark, you might also have used Fluffy two exclamation mark. And so what science has shown now is that people follow patterns and like to keep things simple, and so they’ve really changed… They’ve really changed the game on passwords. And Ty, I’m going to turn it over to you to tell us what is the best way to set up passwords now?
Ty: It’s a big topic. It’s a big discussion. There are a few different opinions on it. But just going back to what you were talking about for a moment there, one thing that I think we’ve learned over the years is that some policies can actually encourage really poor behavior from users, having overly complex password policies, while those can generally be pretty good to stop the computer, it’s not so great if it encourages your employee to use the same password everywhere to make it easier or to write it down and put it on a sticky note on their monitor because they have to change it so often and it’s so complex that they can’t memorize it, right.
So what we’re really trying to do is strike this healthy balance between length and complexity, but also make it something that people will use in a healthy way. So some of the newer thought on this, and this comes out of a body called NIST in the United States, which essentially consults to government organizations and helps them determine what type of security to use, they’re moving more toward a system where you use a longer password, which might be a little less complex, but again, that’s sort of up for debate. But what we do is we take that password and we check it against the database of known breached passwords. So as long as your password is good, it’s good and we don’t expire it, it’s not to say that that’s the right fit for every single business, but what we can do usually is we can get people to make better passwords that they can actually memorize, and then we put some other layers in place.
So part of that is using multi-factor authentication, which is absolutely essential at this point, and I think as Brandon mentioned using the right kind of multi-factor authentication is really important as well, if you have that good password and multi-factor, then we can make the policy I think a little bit more approachable and easier for people to use. There’s other layers that we can bring in, password managers have become a lot better than they used to be, and some of them are really, really well-tailored to business now, where they can be centrally managed, you can have many employees in them, you can grant employees the access to only the passwords they need, revoke that access…It’s come a long way.
So as we layer those, yeah, we can kind of get away from those old policies, which I think sort of encouraged not so great habits in a lot of people.
Paul: And a password is really a factor of authentication.
Paul: So your email address is a factor of authentication, your password is a factor of authentication, and when we’re talking about multi-factor authentication, we’re talking about adding additional layers of authentication to that, so Brandon, the most common multi-factor authentication, addition beyond the password is the text message with six numbers or seven numbers in it. So if you put that in place, I own my phone. It’s sitting here in front of me. I’m 100% secure, right? Nobody can ever hack that, right? Is that fair?
Brandon: I feel like that’s a leading question. What are you wanting me to say? I have mixed feelings over text-based multi-factor authentication because on one side, it’s good in that it’s better than nothing, but it’s not without its problems. First off, the criminal element knows that this is a method people use to verify their identity with an account. So we have seen some smartphone-based viruses, particularly on the Android platform, that particularly look for those text messages and send it back to the hacker. Now that is a higher level process, so it’s not a big risk to the average person. But we have seen some phishing attacks where a hacker talks to someone and “give me your password because I’m your IT support and then, oh yeah, you’re going to be sent a number, please tell me on the phone what this number is.” So we’ve seen phishing to subvert two-factor through text. And then additionally, you can call up your cell phone carrier, pretending to be you, because they know your maiden name, they know your pet’s name, because of social media, because they’ve just scoured your social media presence, they know your favorite fishing spot, that lake behind you or something… Right. And then they get access to your phone company account, and then they basically forward or they port your phone number to their phone, and now every text message is being sent to their phone, so now they’re getting the message. Or let’s say you are on a fishing trip, you’re in the middle of nowhere and you drop your phone in the ocean, now you can’t log into your stuff. And there is this whole process of trying to contact the account holder, your provider, to be, “hey, I lost my phone, I need a two-factor number” and that’s a whole process that people have experienced and it’s not pleasant.
So, yeah, no, I don’t like text-based multi-factor authentication, I prefer the app-based methods, which is basically you download an app, it could be Google Authenticator, although there are some problems with that one too. I prefer the LastPass authenticator.
Paul: Yeah, I like that one too.
Brandon: Because you can use it on any device and you can forward them, because the issue with the Google one I found is that if you are getting a new phone, it’s a bit of a process to take your two-factor numbers from the Google Authenticator app onto a new phone, and I’ve had some people I’ve worked with who are like, “okay, I’m using this app, but now I’ve lost all my two-factors and now I’m logged out.” So Google is working on a solution, and I think there was a recent update I saw on my version of the app that I think they’re working on, but I prefer the LastPass.
Paul: LastPass actually backs it up into your LastPass database, right? When you log in with your master password again, you get all your two-factor authentication back again.
Brandon: Precisely. And LastPass (I’m not sponsored by them or anything) but LastPass also has the password management function as well.
Paul: Which Ty talked about.
Brandon: Exactly. So I’m very happy with what that organization has done and they’re not the only one, there’s other ones out there 1Password and other ones like that, so they just have the best free version, I think.
Paul: I agree.
Brandon: They’ve done some fantastic work at LastPass. So that’s why whenever I’m talking to an organization or individuals, I always work hard to convince them to use an app-based solution because it just avoids all the other troubles with text, because texting is a super old technology, which isn’t necessarily all that secure.
Ty: Yeah, well, what Brandon just described about the Google Authenticator issue, I actually went through that. It wasn’t very fun, so I switched over to LastPass as well.
But there was something else that you kind of built there when you were talking about somebody basically profiling you and using little bits of information from kind of all over the place to be able to maybe impersonate you. I think that for me is the main reason that both individuals and business should really care about privacy, and it’s that aggregate information that gets out there. And what I mean by aggregate is that you can have a whole bunch of little breaches all over the place, and by themselves, they might be actually fairly benign, let’s say like a company has a breach and a bunch of people’s phone numbers are exposed. Okay, well, cellphone number, not terribly impactful for me, right, my phone number’s out there. Okay, and there’s another breach and your name gets exposed at another company. And again, a lot of people can get that still in the phone book, but another breach happens and that’s your social insurance number and your name, and then another breach happens and that’s an old password. And so over years, all this aggregate information starts to get exposed and it gets out there, and then you’re putting out little bits of information like you mentioned, your pet’s names and you’re doing the quizzes online with the name of the street you grew up on, and all this stuff builds and builds and builds, and individually, maybe not that impactful. But people are getting better at taking all this information, putting it together, building profiles and using that against people.
Paul: Well, I would add just to that, it sounds like a lot of work, right, like there’s going to be a bunch of people sitting down doing all this work trying to figure out who you are. And the average person is going to go, “oh, well, they’re not going to bother with me because I am really boring, I don’t have a lot of money or whatever.” Right, so people discount that. But the reality is, a lot of that process is automated, right? They just scrape data from all over the web, and then they put it together into a beautiful little database with all the fields filled in with maiden names and puppy dogs, and of course, your last vacation and everything else available for sale. Am I right?
Ty: Exactly, and it’s only getting easier. Right, and then this database is really sold, so, we won’t get into the dark web too much, but you can go online and you can buy big chunks of information that have credit card numbers and names and addresses and everything, kind of just ready to go.
But what I want to circle back on, is I think the reason everyone, individuals, businesses, everybody should really care about this, is the more we add to this mountain of exposed aggregate information, it actually undermines a lot of security systems and practices we’re trying to put in place. SMS or text message-based MFA used to be not too bad, it was kind of what was out there. But now it’s not great at all because it’s really easy to go and get all the information you need to call a phone carrier and impersonate somebody and get their phone number ported. That whole system’s basically just been undermined because there’s enough data there. And that’s going to become true of other platforms as well, so it is quite damaging, and slowing that trickle down and treating all data as if it could potentially be PI is probably the best practice. Because on its own, it may be not so bad, but with everything else, it’s a puzzle and the more pieces you get, you start to build a picture and that picture can be very damaging.
Paul: So when I have multi-factor authentication on everything, it’s better than not having it, but it’s not perfect because in theory, somebody could hack my phone company, in theory somebody can manipulate me, they can call me up and say, “hey, you know, this is Joe calling from Microsoft, I need you to tell me the six-digit number that just came in on the text.” Right, so it’s not perfect, but it’s better. There’s all these new things emerging as well, Brandon, like facial recognition and fingerprints and all that, it’s also another form of authentication. What are your thoughts about that?
Brandon: I think those forms are just fine. I mean they’re great. You don’t necessarily see it being used for your bank necessarily, unless you’re using the app for your bank and you can connect your Face ID to the app of the bank.
Paul: I’m doing that on my phone right now, should I be doing that on my phone right now?
Brandon: Honestly, I think banking apps have come a long way since they first came out many, many years ago, and I think they’re totally fine, and using your Face ID to log in is totally fine. You still have to make sure you still have a really good password because ultimately you still need the password if you’re not using your phone with Face ID. So yeah, sure. Could someone hack that? Could someone build a 3D model of your face and log into your phone if they steal your phone and get access? Sure. Anything can happen, but this is not Mission Impossible. If you’re working for a super secret government organization… Okay, maybe, right? But for the average consumer or even the C-level executive, I think using those security tools, there’s nothing inherently wrong with them. Ultimately, I prefer passwords up here, depending on where you are in the world, your face is public information, depending on where you are. In Canada you are fine. In the US, there are some issues with law enforcement per se taking your finger and putting it on your phone, Canada not necessarily. In other places around the world….I guess it depends on what kind of business you’re running. But yeah, no, those security methods, they’re fine, but they’re only really set to your phone and nothing else, so they’re limited.
Paul: So we should wrap up pretty quick here guys, but maybe final thoughts. Let’s go around the table to start with you, Brandon, knowing our business audience is listening today, what is your parting wisdom for them moving forward into 2021?
Brandon: Parting wisdom? Number one would be password management. If you’re going to get hacked, you’re going to get breached, if something wrong is going to happen, it will probably be because of passwords, either because you gave someone a password who shouldn’t have your password, you reuse the same password everywhere, so it’s easy to guess your passwords, your password is just easy to guess as is (it’s only four characters and it’s your pet’s name). The biggest issues I see for businesses, there’s other ones, but the biggest concern for data breaches and whatnot is password management, and people are tired of hearing me talk about it, but it still is the number one most important thing that you need to do as any working professional: secure and manage your passwords.
Paul: Alright Ty, wisdom for 2021.
Ty: I think what I’d really love to see is people really actively trying to build a security and privacy culture in their businesses, but also in their personal lives and at home, really taking stock of the information that they are entrusted with. Again, whether that’s in your business and that’s client information or whatever it is, or even your personal email account because your spouse emailed you their T4, and you have 15 years of email going back and containing them, who knows what you’ve probably forgotten about… Just how sensitive it is. Encourage that security culture, face the risk head on and talk about it and take a little bit of time to put these things in place. Get a password management app. It’ll take you half an hour on the couch one evening to go through your accounts and enroll them, and it’s not too hard. Same with MFA. It may take a little bit of time to get that set up. Talk about it at home. Keep it top of mind. It will probably save you a lot of headache one day and you won’t even realize it.
Paul: Yeah, and I would just… My parting wisdom for 2021 is do this stuff for yourself too, not just for your business, getting your staff thinking about this, this extends to their personal life as well.
Yeah, so this is great. Great guys, thank you so much. Ty always a pleasure to see you and wishing you and your family happy new year, it’s going to be a good year of 2021, certainly hopefully, better than 2020. And Brandon, it’s always a pleasure to see you. It’s been a while, actually, and your knowledge is incredible, people can find you at TheWhiteHatter.ca, and of course, check out the YouTube channel as well, where Brandon and his awesome dad do a weekly show as well, and say hello to your dad for me as well, it’s been a while since I’ve seen him. Thanks for joining us.
Brandon: Thanks for having me. Pleasure, a lot of fun. I always love talking with you, Paul and Ty, who we have a history of attending conferences and talking to each other, so always a pleasure talking with you both and yeah, hopefully this year turns out best for everybody.
Ty: Awesome, Island Thrive.