UN-HACKABLE: 5 Power Mindsets for Defending Your Practice Data
Video Transcription
So, our speaker today, for some reason, refused to give me his personal information. Not his social security number, he wouldn't talk about his mother's maiden name. So I did a little research on the World Wide Interwebs. What I found there was a blockbuster movie trailer, and I feel like it's the perfect way to welcome him to the stage. So, take a look with me. Crashing down, charged with a crime he swears he didn't commit. I don't think I did it. Publicity he never asked for. Security expert, John Sileo. Privacy expert, John Sileo. John Sileo. Cyber security expert, John Sileo. Well, I won it a little bit. A crime that could put him in jail for life. I don't have time for this. I'm hungry. From the people who brought you something kind of similar that you really enjoyed, comes the story of a man who could lose it all. The loving wife who mostly trusted him. The wide-eyed daughters who inexplicably idolized him. His Subway rewards card. The true story of John Sileo, only slightly dramatized to make him look less like a doofus. Coming to a stage near you in less than 15 seconds, John Sileo as John Sileo in John Sileo. Please help me welcome the man we believe to be John Sileo. Thank you so much. Hello, Napa. Hello. I'm guessing that between the pandemic and the new administration, it has been a calm, quiet couple of years for you all. No panicked midnight phone calls. No questions about stimulus payments. No angst over crashing 401ks. Would you like me to start all over? Hello, Napa. Seriously, this last couple of years has been exceptionally odd. But I'm guessing that like my advisor, Bob Morrison, you haven't been left alone for five minutes. I know that you have probably put in more hours in this last couple of years than ever before. Thank you for that. Thank you for being a bright spot. For me, who has done all my work traveling, it has been a little bit more like an extended, no expenses paid vacation at the Overlook Hotel, where the only other guest is Jack. 
All work and no play. Listen, that silly little teaser that you just watched was completely intentional, because every cyber threat your firm faces should be approached like the plot of a blockbuster movie. The power of the blockbuster is that it follows a predictable, memorable, tightly organized storyline that creates an arc from failure to victory. Even on TV, stories teach us by example how to lead better lives and avoid the disasters of others. Take Breaking Bad, for example. I'm guessing that you abandoned your dreams of building a crystal meth empire after watching that show. I know, me too. Today, I'd like to show you how the simple structure of a blockbuster movie and a dose of disaster can change the course of your life, protect your clients' lives, and help you avoid and defeat the cyber crimes that just about destroyed mine. Now, all of you already understand the basic blockbuster formula. The movie has a hero whom we are all rooting for, right? Just as an aside, the hero in your firm's cybersecurity story should probably not be the data itself. I mean, we don't go to a movie theater and cheer on the well-being of a social security number or an investment portfolio, do we? Unless maybe you went to MIT down the road here. No. The hero has to be human, has to be the people you are protecting, your stakeholders. For you, that means your clients and customers and coworkers, employees, executives. Now, the hero is fighting for something of great value, something with life-altering stakes. But they exist in a setting that is chock-full of risk. By a show of hands, how many of you have seen the movie It's a Wonderful Life? Okay, most of you. The rest of you, I want you to skip the cocktail party I know you're all already thinking of when I let you out of here. Go back to your room and watch that movie because it's a classic. 
In the movie, our hero, George Bailey, is playing a high-stakes game to save his own life and determine the fate of his little town, Bedford Falls. But George exists in a setting filled with an enemy named the evil Mr. Potter. No relation to Harry. So, to summarize the framework we're going to use to look at the threats that face your firm regarding cybersecurity, Act I introduces a hero, your stakeholders, with something very important at risk that exists in a setting that is full of it. Now, compared to George Bailey, my story is much more normal, probably a lot more like your stories. However, my story actually happened. So, if you'll indulge me for a minute, I'd like to give you a little bit of background. It seems like it doesn't have that much to do with cybercrime, but it has everything to do with it. I know some of you were here several years ago. I don't remember, maybe Phoenix, and you all have heard the story. We're going to use it in a different context today in terms of the framework that we're talking about. So, I fell hard for the star pitcher on my older sister's sixth-grade softball team. Her name was Mary, and I was just a scrawny, chicken-legged third grader when I became the team's kind of overly eager bat boy. But I didn't want to be the bat boy for Mary. I wanted to be that boy for Mary. So, I was incredibly persistent. And 17, yes, 17 years after retrieving her last bat, 17 years after making my final assist on that field for Mary, she agreed to go out on a date with me. And she has been my best friend, my wife, and my number one hero ever since. Oh, I know. Thank you. It's like a movie from the Hallmark Channel. When we gave birth to our daughters, correction, when Mary the star gave birth, and I once again got the assist, my body chemistry went completely wonky on me. No, I did not start lactating. That would just be weird. 
But I did begin experiencing something I called postpartum expression, meaning that I started tearing up even at the mention of our girls' names, Sophie and Michaela, my fireflies, as I call them. I fell so in love with those two little bundles of light that when they were still little, I started taking time away from work, Tuesdays away from work, that I loved so much just to be with them, to hike and swim and eventually paint our nails together. And that's how I can tell you from experience that Sally Hansen Miracle Gel nail polish is the bomb. So what was this work I loved so much? My job was to take over and revive the family computer business that my dad had started out of his garage as a TV repair shop in 1964, and that grew to become a beloved company that employed hundreds of people and made an amazing life for my sister and me. But the business was struggling at the time I took over because of these big box stores that had come to town. So I started up an internet software division with my good friend and rock climbing partner, Doug, who quickly swooped in as the superhero of our turnaround. Now, Doug is like the Tasmanian devil, all five foot two of him. He rarely sleeps, barely stops working, and it turns out he's an evil genius when it comes to coding software. Together, Doug and I, as entrepreneurs, built a multi-million dollar internet software company, and yet it was always those Tuesdays with my fireflies that I lived for. And that's when a cyber crime ring stole my social security number out of some unshredded trash I'd thrown out at work the day before. In my case, get this, a woman, Rosemary Serrano, purchased my stolen identity off of the dark web and used it to buy herself an oceanfront home cross-country in Boca Raton, Florida. You are all cordially invited to Mary's and my second home, should you ever be in the neighborhood. So there's Doug, my rock climbing partner. Okay, that's slightly Photoshopped. 
So what happened after my identity was stolen? Rosemary drained our life savings, defaulted on that loan, and declared bankruptcy in my name. I found out when security guards physically escorted me out of my bank one day for crimes Rosemary was off committing as me. Now, you might all recognize this story from the blockbuster movie, Identity Thief, which was loosely based on our story, and I consulted on early on. So in the end, there's me, I guess, Jason Bateman. There's Rosemary, Melissa McCarthy. The story takes place in Denver. She steals his. They go to Florida. It's the whole same story. Unfortunately, the producers left us out of any of the credits, didn't give us any credit whatsoever, and I didn't get bitter because I got even. Using my newfound skill set, I hacked into Rotten Tomatoes and I gave the movie a terrible score, 19%. I did not do that. I'm kidding. I try to use my superpowers only for good, not evil. So what's the point? The point is this. While I'm joking about this stuff now, I want you to know dead serious that this is no joke. Data theft is no joke. As entrepreneurs, we will continue to be the victims of cyber crime until you decide to become the author of your own story and rewrite the ending. You see, all security is personal. It begins with you and me as human beings, not as employees or executives or as an organization. If you don't first emotionally connect to what you have at stake in the game, if you don't engage your people, whether it's one or hundreds in your firm, to care about their own personal identities first, you will never, ever create an organizational culture of security. That is the biggest mistake that I see in companies, small and large. They forget the people aspect. They go straight to the technology. Peter Drucker, the business guru, once famously said that culture eats, somebody said it, strategy for breakfast. Culture eats strategy for breakfast. Culture always dominates over a simple, single strategy. 
I am saying that personal connections to this crime, personal stories like mine, are the eggs and bacon on your cultural training plate. If you want ownership among your people, your family, feed them stories of what happens, of consequences like mine, and the culture will begin to follow. Now, like so many organizations, after getting hit, I finally started to pay actual attention to this crime, and I upgraded my setting. I built a technological fortress around everything that we had at stake as a business. Now, the fortress was a great metaphor for how data defense used to work, especially before the pandemic, but it falls far short today. In the fortress model, we responded to the enemy by surrounding and fortifying our high-stakes information with rigid, castle-like defenses that centralized our data all in one safe place. Encryption and antivirus, intrusion detection, all within the internal network. The hackers, however, became less rigid and more adaptable, so we all dug moats to keep the enemy out. We called this perimeter security, and it was made up of early firewalls and virtual private networks. We had never really solved the underlying weakness in our setting. We had simply created a giant game of hacker whack-a-mole. Plug a technological hole over here, and they would exploit human weakness over there, and that has been the arc of cybercrime since I saw you three or four years ago, from the technological to the human. And that human exploitation was about to play a major role in my next act. It's Tuesday, August 12th. My girls were still quite little at the time. When the doorbell rang that morning, I was just sitting down for a tea party with Sophie and Michaela, Sophie's stuffed dog Scrappy, at the fourth place setting. When I opened the door that morning, standing there was 6'4", stubbly-faced Special Agent Brad Wymura from the Economic Crimes Unit at the district attorney's office. 
Certainly he was there to tell me that they'd captured Rosemary, recovered our money, resolved my bankruptcy. I no longer have to stress out about being held responsible for crimes Rosemary was off committing as me. And it was in that moment that Wymura handed me the subpoena and explained that I was about to be charged for electronically embezzling, for hacking $298,000 from my own software customers. He said the DA's office had enough digital DNA to put me in jail for a decade, and then he left me there shaking in front of my girls, a teacup in my hand. Fast forward two years through the criminal trial, fighting like hell to keep myself out of jail for crimes I had absolutely nothing to do with. Our multi-million dollar software company is gone. The family business, ruined. And Tuesdays with Sophie and Michaela, stolen from me by a cyber criminal who had absolutely nothing to do with my first case of personal identity theft, or Rosemary Serrano. This time, some of you already know it, many of you have already guessed it, the enemy was masquerading as a hero. Doug, my best friend and business partner, a man I loved and trusted like a brother, stole and used my banking login credentials to embezzle from our clients, fund his sick habits, and use my identity to cover his crimes. And then Doug let go of the rope and let me take the fall for it. But there was still at least an act to go. It's two years into my criminal trial, I spend every free minute in my little basement office working on the case. It's just before the girls' bedtime. Sophie, who's five years old, peeks into my downstairs office. She's carrying Scrappy in one arm and her favorite bedtime book in the other. Daddy's her for catching fireflies. I don't know if you've been there as a parent, but I was so preoccupied. And she could tell because she was whispering, Daddy, it's story time. Daddy, read me a bedtime book. Papa, Sophia, not now. This, this is so very important. 
When you're done, Daddy, can I be so very important? My own daughter was asking me why I was spending her childhood in the basement. I don't know if any of you have ever been there where even momentarily you lose track of what's so important to you. Listen to me. What we are putting at stake here is so much more than just data. We're fighting for everything that the data represents, everything that the information ultimately connects to. For me, that was so much more than customer records. It was the real-life implications for our clients, the loss of a business that employed hundreds, unbearable stress on my star pitcher, and two completely unrecoverable years with my fireflies. What are you playing for? What client data? What health information? What is so very important to your customers? So many organizations that I consult to, especially of the small and medium size, start throwing money at this problem before they accurately identify who is at risk, the heroes, and what is at stake, the business outcomes, the data. Instead, they force the data itself into the role of the hero, and they make the theft of that data what is at stake. And ultimately, nobody inside of your firm cares because there's no emotional human connection to the information itself. As if defending client records were somehow more important than living, breathing human clients. You see, at its heart, cybersecurity is not a technological game. It's a human game. It's a social game. And that's where it's being exploited. Design your strategies, even if it's just you or your family, around the human aspect, around the human elements of cybersecurity, and that culture will follow. Now, act one, we've got our hero, your stakeholders, your employees, with something, a critical business outcome of yours that is at stake, and their information on the other end of it, that exists in a risky setting. A setting that you help control. So let's take a look at setting. 
Because COVID-19 changed virtually everything about the technology that powers your organization. Even before the pandemic, in order to compete in the information economy, we all started to dig tunnels underneath the moat. Tunnels to enhance customer interaction and partner seamlessly with our vendors. Tunnels to leverage the power of cloud computing and to connect to our data from any place, anywhere, anytime, using any type of device. We began to shift the high stakes information off-site because it was convenient and scalable and profitable. And then COVID-19 came to the kingdom, and we rapidly shifted to a work from home, and then a work from somewhere, anywhere, everywhere, all the time environment. And overnight, every device, every internet connection, every employee became a poorly guarded tunnel into the fortress. The setting which represents the technology inside of your organization has changed. We no longer operate in a tightly guarded fortress surrounded by an electronic moat. We exist in a widely distributed computing environment where the enemy now naturally just lives among us. Traditional perimeters that we've all been used to, like firewalls and virtual private networks, are no longer sufficient. Because like that 70s horror flick, the enemy is attacking from inside our own house. Once inside, like a virus, the hackers spread from castle to castle, from device to device. The solution here, the only solution, is to vaccinate at every level of the kingdom. Every smartphone, every laptop, every home Wi-Fi network that allows access in, every operating system, every piece of data. We call it zero trust architecture. Something you should keep in mind. We're not going to talk about it today. Keep in mind for later, because that's what's coming, is trust nothing, verify everything. The problem here for you all is that you are a conduit. You are a stepping stone to bigger fish, to companies that they want inside of. 
You are finding out what's going on inside of you. You are financial partners. They want to use you as a backdoor in. To your clients, many of whom are of great wealth. And to your cloud providers who host other companies. You have become this back tunnel into other companies. And you're being held liable for it. That's why, even more so, it's important what you do. Here's the point. Every company out here has a different security maturity. Your setting is a different spot. I can't say it's like this for you. Now when we're doing Q&A next door afterwards in the deep dive, I can help you individually. But you all have a different setting. Here's the biggest problem that I see in companies of your size, is that you have not recently brought in an outside expert to ethically hack, to white hack, your systems according to this new kingdom that we're living in. We think that we're doing it, but it's not regular enough, even though we're small. Now this is not a sales pitch. I do not do this type of work. If I was doing a sales pitch, I'd say, hey, come to the back of the room and get one of my books when we're done. This is not a sales pitch. I'm simply saying that those assessments that you think about doing, you've thought about doing, maybe you did before the pandemic, they have got to be as regular as your digestive system. OK, maybe not that regular. That's kind of gross. As regular as your annual physical. Because like those COVID variants that we're battling, cybercrime constantly, constantly mutates. Now I've spent some time weaving my story today together with the framework for a very intentional reason. It's because stories are universal. And that makes them the most powerful way to analyze, and then organize, and then communicate the change you need to make in your cybersecurity strategy. 
But when organizations pigeonhole cyber threats into a technology only quadrant, when they hand it over just to the IT people, they are missing eight ninths of the overall story. When you ask the questions that I'm going to give you at the end for all nine aspects of the story, that's when you start to rewrite the plot to your own ending. Now I don't want you to skip level one. That's what big organizations do. They go straight to the threats. But they don't know what they're protecting. And they throw money at stuff that they don't have to. Because we can't protect it all. We have to protect the right stuff. In act two, we finally have our hero meet the adversary, the enemy, who launches some sort of a targeted attack that initially in the story leads to defeat. That's the point at which a wise guide, not a wise guy, but a wise guide, hatches a plan that leads to victory. This framework is set in our minds. Every employee already understands it. And it has been used since the beginning of the spoken word to frame and solve problems. So let's take a look at an ancient blockbuster to finalize the framework and start to look at your threats. Rocky III. We have Rocky Balboa, our hero, who is fighting for the heavyweight belt title of the United States. But Rocky in Rocky III lives in a world where he has grown soft and vulnerable because of his success. That allows Clubber Lang, Mr. T, to verbally and physically intimidate him and defeat him in the second act of that movie. That's when Apollo Creed, his former enemy and now his coach, hatches a plan that we all know about. And that leads to victory. That is the basic framework. You can apply that to almost any blockbuster story and to any type of cyber threat to think through it clearly. So here's the issue. The average organization, like mine, like me, doesn't pay attention until they reach defeat. They wait for the problem to come to them. When you rewrite the story, you write it in the way that an author does. 
You rearrange things and you think about the defeat first, not once it happens. You think about what's the worst thing that can happen to my firm in terms of cyber attacks. And you go from there. And you fund from there. Now, I've got to take a quick second. This is called a victory arc. When you think of it from defeat to victory, rather than jumping straight to the setting or straight to the attack, it changes the brain chemistry. All of these illustrations, by the way, were done by a grown-up Michaela, my daughter, who does all the artwork for my stuff. I wanted to give her credit for that. So let's move on to the attacks. It's the adversaries I'm less worried about for you all. It's the attacks that we need to look for. And the most likely ones are the human ones that we make the decisions on. I hope I'm making that perfectly clear that it's more about the humans this year than it is about the technology. Passwords are a great example. So we're going to do a little exercise here to see the strength of your passwords, because that is a proxy for how safe you have your business. And it's the password on your phone. Now, how many of you have not seen me speak before? Raise your hands. OK, a decent amount, great. So we're going to keep it limited to that crowd. And only people who, well, of those people who have not seen me, how many of you use an iPhone? OK, so I'd say a majority of you. OK, so I want only iPhone users. If you've got an Android, you're going to sit out because it's a different type of test. Here's what you're going to do. Take your iPhone out. I want you to get to your calculator function. Your calculator you get to from a, generally, a right swipe down from the top, or on older phones from the, I think, from the bottom up. When you have it, raise your hand when you're at the calculator. OK, good. Now, if at some point something doesn't work for you, you can just drop out. We'll test it next door or whatever. Here's what I want you to do. 
I want you to zero out the calculator. We're going to calculate the strength of that password. That's going to be a proxy for the strength of the security inside of your organization. And I'm going to ask you privately to type in your password three times to make the calculation. Now, I don't want any of these getting out, so keep it close to the vest. Don't let anybody else see. If your password is 1234, that's what you'll put in. Now, you'll notice some of you already have an alphanumeric password. That makes it so long the calculator can't calculate it. So you're only in if you've got a four- or six-digit alphanumeric password. Raise your hands if you're still in. OK, so we've still got some people. And raise them high so I can see how many that is. OK, good. Here's what I want you to do. In that calculator, I want you to type in your password, not 1234, but your four- or six-digit password, the multiply sign, multiply it by your password, type in the plus, and add your password. And then I want you to hit the equal sign. And I want you, you don't have to write it down. I just want you to note, how big is that number? Is it bigger than a million? Is it like, did it error out? It's like e to the 10th or whatever. It's that big? Great. Just remember how big that is for me. Now that you've got that, I want you to tap the Clear button. I want you to hit the Lock button so it's locked back up, right? So there's no way to get in. And raise your hand if it's larger than a million. Raise your hands high for me if it's larger than a million. OK, good. Larger than two million, three million, four million. OK, can I borrow your phone for a second? That is a cute picture. Who is that? Jack. Oh, that's a little bit strange. OK, will you answer a quick question for me? Maybe. Will you tell me the year you graduated from high school? No. Come on. Let her play along. No, no, no. The year is 2004. 
OK, and can you tell me the, did you ever have the chance to know your mom's dad, your grandpa on your mom's side? Yes, and what was his name? John, OK. Last name? Brackenier? What's that? Mother's maiden name, right? OK. You're not failing too bad. OK. We're locked up. Can't use facial recognition from here. I'm going to type in five of the six. You have a six digit, right? And tell me the year you graduated from college. OK. Can you see it? I'm into the phone, right? Am I in? I'm into the phone. I've just hacked into the phone based off of some information. Now, that's not all, because I can do a down swipe, and I can type in the word bank. And I can see where you bank, maybe, Synchrony. The answers aren't coming. I'm sorry, tell me your name. Stephanie, a little bit more information. Stephanie, clearly, if you were here last time, everybody else knows I stole a purse and I did something similar. But this is much more fun. If you would kindly come up here and get your phone, I will let you know that that wasn't a hack, right? A hack is technological. That was a human hack. Do you see how much control I have over the internet? Do you see how much control I have over the employee? Are there stairs over there? Yeah, come on up. Look at how much control I have over this. This is how they're getting into your systems. I get this hack every time, whether it's CIA agents, or security people, or financial people like us. It's not just her. It's every time. And it's a human aspect. I would like to give you, Stephanie, five copies of my little book, Your Data Is Showing. This is meant for your clients. Give them away. It's the personal stuff like this that gets them to buy in. It's terrifying. I know. Thank you so much. You can have a seat. I love my job. Give her a hand. I'm telling you, all this technology stuff, and all it is to get in at your firm is a human being who hasn't been trained on what we need to talk about. 
If you can pump the volume up a bit, please. We're going to have some videos. So hack the audience. That's what I just did, right? A lot of you knew it, who had been here before, that I was actively hacking there. Before you even know it, you think you're doing your calculation or whatever. Because the human aspect is going to be where they hack first. And that's more true than it was when we trained on it four years ago. You've got to look at the humans. You've got to have the training. I know you're small. There's ways to do it, even though you don't have the huge budgets. Online, in person, just talking to them about this stuff is huge. Of course, we're talking about social engineering, about puppetry, right? Manipulating the humans to get the data rather than hard hacking your systems, which is so much more difficult. All we need to do is build in a reflex that says, hang on. I'm not sure what we're doing here. I'm going to show you a video that will be very familiar. It's the IRS phone call. And we're then going to apply that reflex to everything else that is allowing human exploitation. Have you ever gotten one of those threatening calls from someone claiming to be the IRS, that you owe money and are about to go to jail because you didn't pay? Well, I just did. Hi. My name is Dennis Gray. And I'm calling regarding an enforcement action executed by the US Treasury. Ignoring this will be an intentional attempt to avoid initial appearance before a grand jury for a federal criminal offense. So when Dennis Quaid calls you, hang up, right? You ignore it. You already know that. Your employees already know it. It's a reflex that you've got. But you have to build it in for all the new stuff that has come since the last time that we were here. We're going to build a reflex now. I was trying to pick up the son of a friend of mine at a party not that long ago. His name is Gerald. He was like 12 months old. Gerald didn't know me, didn't trust me. 
And the face that Gerald gave is the face, is the reflex that I want you to build in right now. Anytime somebody requests a phone or a password or information, that's what Gerald looked like. Complete distrust of me as a person. The word that came to Gerald's head, I'm certain, was BS, man, or hogwash, like we talked about last time. BS, which doesn't stand for Before Sileo. Before Sileo, I might have given away that phone without asking lots of questions or shouting out like that person did, don't do it. It stands for be skeptical. We have been engineered out of our skepticism for free stuff, for gimmes, everything else. And this is how they're doing it. It's how they're gaining the trust. This is the work of Daniel Kahneman, who taught us about system one and system two thinking. System one is our autoresponder. System two is our deliberate thinking. Cyber criminals hack our system one thinking. Before we have time to think about what's happening, they are gaining our trust and going after our information. When we change the trigger response method, when it becomes always BS, bull, whatever you wanna put to it, hang on, everything in fraud immediately changes. That human trigger is the most powerful thing that you can give to your people when they get an email, when they get a call, when there's a USB drive they could plug in from the parking lot. So where does this come to be? Well, of course, in phishing, which is the most predominant form of social engineering and 80% of the way they're gonna get into your systems. Now, phishing, which is clicking on the link and downloading the malware into your system or uploading your credentials so that they get into the phone or the software application, gave way to spear phishing, where they go to your social media profile and your org chart and your website and they know something about you, where you went on vacation and then suddenly it's easier to socially engineer because they've got some background. 
That has since given way to something called hybridized spear phishing, where they use artificial intelligence to collect all the data on you, they use artificial intelligence sometimes to even make the calls, write the texts and the emails, and they use human beings for that nexus event where they need to. We're gonna go through an actual example of what's called concierge in the next session. We started a little bit late, so I'm gonna cut that out and do that in the next section. So they take the IRS call, which we all know, and they change it. And the most common one that we get now is an email or something that says, hey, there's been an emergency alert about your COVID vaccine. Whether you get it or not, they've figured out they don't wanna get in the political game. They just want you to think that there's something emergent about that. 21% of the people inside of your firm are clicking on that email because nobody's told them that 99.99% of them are completely fraudulent, that their reflex should be BS, I'm skeptical, I'm gonna call the end whatever, doctor, healthcare provider, whatever. I'm not gonna click on that link, I'm not gonna download that file. Criminals exploit the headlines. So if you see something that is now big in the headlines, the elections or whatever's coming up, educate on that specifically. The one that affects you a ton because you get calls on it, I called my advisor on it, is, hey, your unclaimed tax credit, your unemployment benefits, your stimulus payment, your PPP, whatever it is, that's what they're gonna utilize. I just got this one this last week. It says, this is the Employment Development Department of Pandemic Unemployment Assistant. Right, bad grammar? It's not always bad anymore. And you know what? 15% of people are clicking on that one or making that connection because they're confused, right? They don't know what's still being given out and what's not. They just want a piece of the pie. The advanced child tax credit. 
Again, we see it with that. Every time there is a new policy or procedure or regulation that you know better than I do, that's where the fraud goes. That's what they use to piggyback on because they bank on our confusion and the change that we go through. Again, I'll do this at the round table next door afterwards. Let me show you the end of the video to show you, you already actually have these skills and your people have them. You have to apply them to the new threats that are emerging. Are you ready for this incredibly sophisticated 100% foolproof strategy? Wait for it. When the IRS calls, hang up, hang up. It's not the IRS ever, never. The IRS will never call you ever for anything. Our tax dollars don't pay for that kind of customer service. In fact, you couldn't get the IRS to call you if you left a message telling them that you owe them money. The IRS will also never email, Facebook, or text you. They have your physical address and they like to communicate the slow way through the mail. So the point there is use what people already know, apply it to what they don't know, give it a little bit of humor so that they remember it. You gotta make it more than a dead PowerPoint. Now phishing, spear phishing, hybridized phishing grew up into whaling, which affects the financial community a ton. Whaling or CEO fraud or business email compromise, this is a huge one that takes directly from your firm, not just from your clients, though I recommend that you educate them as well. This is a case study of Ubiquiti. Ubiquiti is a networking firm out of Palo Alto and here's what the cyber criminals did. They Facebooked the CEO's travel schedule to see where he was gonna be at this time so they know he's out of the office. They phished his address using one of the schemes we've talked about. They actually took over his email so it wasn't just one character different, it was actually his email. They linked in to his assistant so they knew how they communicated with each other. 
They imitated the CEO in an email to the assistant so she thinks it's him writing, it's from his email. They engineered her with the China crisis. Hey, this is the CEO talking, hey, I'm in China, we are trying to close this deal, we didn't pay our last vendor bill, I need you to immediately wire transfer $47 million to this bank account you've never seen. And without a moment of BS, no reflex whatsoever, she transferred $47 million to an unknown bank account. Step seven in this case of course is that the cyber criminal retires. We believe this was a 15-year-old Russian kid who spent about three weeks during the reconnaissance to net $39 million that could not be gotten back through the banking system. This happens to your clients and this happens to your firms and partnerships all the time. I know because I get the calls. The answer of course is in addition to policies and procedures about when you pay money that you need two people to approve it or verify it, it's that reflex that says I'm not gonna believe this until I prove it beyond a shadow of a doubt. Now when we click on that stuff, most often about 50% of the time, and this is all matriculated since I saw you last, it is now ransomware that is put on your systems. Just a side note, I know we read a lot about ransomware in these big companies, 60% of it happens to small and medium businesses, we just don't hear about it in the press so we think it's not gonna happen to us, but it is happening to us more than it is to them. Ransomware is simply encryption, right, it's the good stuff that freezes up your system, worms its way, especially in this new widely distributed kingdom, to the other systems and inside of the fortress itself. Here is a case study of a company called CNA Financial. CNA: let's play a game, if you don't pay, your files go away, and exactly, and it gives you a countdown clock, something scary on the screen. Now CNA is a pretty large company. 
It says, hey, you need to pay $50 million, $50 million in Bitcoin to get your data unfrozen. If you pay the money, 50% of the time you get the data back and it's not corrupted. Now, it says here to pay in Bitcoin, which you don't know how to do, so it's got a chat box, to the criminals. It's giving you better customer service than your cable company. And when you pay that money, 50%, you get it back. When you don't pay it, they bring something emotional up now, like your photos, your Excel files, your client files. They do a countdown, and they delete it in front of your eyes. They're trying to make you panic to not do what you should do, which for most small businesses, probably turn off that computer, disconnect from the network, and call your IT person. That may not be for you, and for big companies it's a little different, but for most of us, that's what it is. They want you to react before you think about it. CNA Financial ended up paying $40 million to regain operations. JBS, the meatpacking company, $11 million. Colonial Pipeline, $4.5 million. And it's because that the company didn't have a robust data. Every one of you at this point should already have it. We're gonna go through what that means. Again, next door, we're gonna go in depth of what it means to have a robust data backup, because there's all kinds of mistakes that small and medium businesses, and even large businesses, make. The ransomware gangs have raised the stakes, especially in the financial sector. Number one, it's pay or get breached. If you don't pay, they put the data out there. Then they call the regulatory agencies and the press, and they report it, so that you have to pay the fines, and you have the reputation damage. They leverage these fines and the publicity, and then they divide and auction the data, user by user, client by client. We saw this individual blackmail recently at a firm called Grubman Shire, where they demanded $42 million. 
They're the people who do a lot of the work for Madonna, LeBron James, Lady Gaga, so high-profile people. It's their addresses, it's their phone numbers, it's their contracts, it's what they make. Well, Grubman refused to pay it, which is probably a good thing, so they divided up the data by celebrity, and they ransomed, they blackmailed each celebrity for $600,000 to a million dollars. Now, we know that quite a few of those celebrities paid that under the table. They'd never announced it, of course, but that was the only way to keep that data private for them, and it was worth that kind of money. And most of these attacks, in addition to being about the human BS reflex issue, are... the game of knowns. Known vulnerabilities that we all have that we have not fixed. This is the good news, because they're all fixable. Hypothetically, this is a case study. Think about this, though. Your company has been 100% operational for 50 or so years, but you reuse a password on a travel website and on your work login, maybe a portal or the software that you use. That is breached by hackers and sold on the dark web, the one at the travel site, where it's bought by the DarkSide ransomware gang who happens to be actively supported by... not Darth Vader, Emperor Putin. DarkSide determines your workplace through LinkedIn, because they know enough about you from the hack. They log into your system inside of your company with your credentials. In this case, it was in the operations room of this company. They download the ransomware onto your computer, because they've got full control of it, and using one breached password, in this case of a company with more than 10,000 employees, one breached password, they trigger a complete operational shutdown of what? Who knows? 45% of the oil that goes to the East Coast. One password. That's how important it is for people to know what they're doing in terms of password hygiene and known vulnerabilities. 
Colonial Pipeline, $4.5 million, some of which they got back. Six days, no operations, because of a password. These were the lines in Florida to get gas. It was almost as if In-N-Out Burger and Krispy Kreme had merged. All because of a layer of things, any of the five of which would have solved the problem. Number one, a successful backup plan, so that they could restore over the ransomware. Properly training on password hygiene, which either they did, and the person didn't listen, or they never did. They didn't decommission the old login. That was a login that got breached of an employee that no longer worked there. They had not enabled, they'd bought, but not enabled two-factor authentication, so that even if the password was leaked, the person wouldn't have that second factor on the phone or the key fob or whatever it might be. And as you saw from the Wall Street Journal article, they did not conduct a security assessment post-COVID to see that all of this stuff was at risk. Same things we've been talking about for years. And of course, your answers, and we'll go over these again in the breakout, are just to do those things. Same things I might have said three or four years ago. Now, I'm gonna give a list of about 10 to 12 of the known vulnerabilities for you as advisors in that session. But again, I'm gonna pull that out of now so that we can try and get back on schedule. And let's go through one more thing. Congratulations. How do you feel? I got it. I believe he said he had to go pee. Deep fakes and disinformation. Most of the speeches I give, I don't know how this is gonna affect your industry. Your industry, I know this is how it's gonna do it. A deep fake is simply a video that is created by artificial intelligence to replace faces or bodies or voices. This is not a deep fake. It was done by hand. It took about a year to insert Tom Hanks into that JFK video. We as humans tend to think we're really good at detecting what is real and what is fake. 
So we're gonna play a quick game show. Fake or fact. I'm gonna show you two videos side by side. When I raise my hand after the video's over, I want you to tell me if the left or the right is the fake video, left or right. It's gonna be super easy on this first one. It's Family Matters. It's a teaser for a TV show. When it's done, I'll ask you which is fake. ♪ It's so rare conditions this day and age ♪ ♪ To read any good news on the newspaper page ♪ ♪ Loving traditions of the grand design ♪ ♪ Some people say it's even harder to find ♪ ♪ Well then there must be some magic clue ♪ ♪ Inside these gentle walls ♪ ♪ It's all I see is a tower of dreams ♪ ♪ Real love bursting out of every seam ♪ Which one is fake? Left. Do you know who that is? Mike Tyson. He was, right, digitally implanted on every character in that. So, you know how to play the game. Let's do this one. Spock and Kirk. Which one, left or right, is the fake? In the event the Federation is ever invaded by a superior force, we were to fly through the galactic barrier. Granting you superior powers. Effectively weaponizing you. The Federation isn't in the business of weaponizing its citizens. Which one is fake? Right. Right is fan fiction, filmed. Those are the real people. Left is a deep fake. Digitally implanting those images of Kirk and Spock onto the ones on the right. So again, it's a little bit how the setup is. You think because it doesn't look quite right that it's the fake one. Not necessarily the case. You'll do better on Tom Cruise. T-shirt on the left, jacket on the right. I wanna know which one is fake. What do you mean the honors? Here's the finger point. Oh, it's a privilege, man. It's an honor and a privilege. It's an honor and a privilege. Yeah, wow. Hey. How you doing? Good, how are you? I'm Jake. Nice to meet you. Nico. Hey, Nick. Good to meet you. Which Tom Cruise is fake? Right? Mostly saying right. Both of them are fake. Again, another setup. I tell you one's real, one's fake. 
If you're already believing it, the BS has got to be strong in this. Final one. This is filmed at the UN. All I wanna know is if it's real or fake.
Video Summary
In the video, the speaker discusses the importance of cybersecurity and the human aspect of it. He emphasizes the need for individuals and organizations to be skeptical of potential threats and to develop a reflex of doubt and verification. The speaker gives examples of various cyber threats, such as phishing, spear phishing, ransomware, and deep fakes. He highlights the need to educate and train employees on cybersecurity best practices and known vulnerabilities. The speaker also emphasizes the importance of a robust data backup plan and the use of multi-factor authentication. He provides case studies of companies that have been victims of cyber attacks and the consequences they faced. The video concludes with a discussion on the threat of deep fakes and the ability to create highly realistic fake videos using artificial intelligence. The speaker highlights how easy it can be for individuals to be deceived by these fake videos and the need for increased awareness and skepticism. Overall, the speaker emphasizes the need for individuals and organizations to prioritize cybersecurity and to take proactive measures to protect against potential threats.
Keywords
cybersecurity
human aspect
skepticism
phishing
spear phishing
ransomware
deep fakes
employee training
data backup
multi-factor authentication