With Evan in Bulgaria, Brad is joined in-studio by recurring guest Ryan Cloutier. Together, the three guys discuss cybersecurity liability and the correlation between security and liability. After, they dive into Ryan’s mission—helping “humans” (non-security people) secure themselves better.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:24] Brad Nigh: All right, Good morning. Today is uh, monday september 9th. This is episode 44 of the unsecurity podcast. That’s 10 months now. We’re doing this. Uh, I’m Brad Nigh, your host today in studio with me is Ryan Cloutier, I was close and joining us by phone from Bulgaria is Evan Francen. Good morning everybody.
[00:00:52] Ryan Cloutier: Good morning.
[00:00:54] Evan Francen: You know from Bulgaria, there’s bound there’s bound to be a delay. So my apologies.
[00:00:59] Brad Nigh: Well, if you saw on my tweet that fights the Vrad and Ryan show V2 with Evan chiming in. Thank you to the last time. I enjoyed it too.
[00:01:11] Evan Francen: No. What’s the deal? I don’t know something against Ryan. I don’t know what it is
[00:01:16] Brad Nigh: Yet. So, uh, yes, episode 44. Um, you know, Evan cassette is often Bulgaria for the week and doing all kinds of world traveling because you know, he’s an author. Uh, so today joining me in studio as I mentioned is Ryan, Oh man, my method of club Claudia claudia at some point we’ll get it right. Uh, so you know, Ryan is an amazing info sex expert on a mission that I really do agree with back on episode 27 in May. Seems like a lot longer ago than that. Um, yeah, he was joining joining me in studio. So welcome back. Thanks for having me back guys,
[00:02:02] Ryan Cloutier: appreciate it. Glad to be here. So
[00:02:04] Brad Nigh: Evan, you’re in Bulgaria. What’s going on over there, Evan?
[00:02:08] Evan Francen: Uh, just a bunch of Bulgarian things, I think. Uh, no, I’m actually here. We have a team of 10, Bulgarians who worked for us on security studio, so this is an opportunity to come and uh, you know, show some good will hang out with them for a few days. Uh, they just moved into a new office, so they’re pretty excited about that. Uh, so we get to see that break bread, you know, that kind of thing and then try to find internet somewhere so I can get some work done.
[00:02:41] Brad Nigh: Well, good luck with that last piece. The uh, Jose, having seen what they’ve done in the latest release, give them a round of applause for me that the tools, amazing what they’ve done with it.
[00:02:57] Evan Francen: Yeah, I agree. And they’re just, they’re awesome people, man. You know, I say that about a lot of people, but uh, they’re all committed. You should see this old office that they’re moving out of. I mean, it’s like uh, almost seemed like a sweatshop, you know, I mean, offices here are very smart and they’re all just, you know, pounding out awesome code. Uh, so bought into the mission of, you know, fixing the broken industry and now they get to go into this new office where there’s air conditioning. It’s like, you know, I finally feel like you’re doing them right.
[00:03:33] Brad Nigh: I’ll be good. It’s always nice to take care of your people. Yeah. All right. It’s early. Well not for you. You’re probably all jet lagged. So it’s three o’clock
[00:03:48] Evan Francen: in the afternoon here
[00:03:51] Brad Nigh: sustained. All right. So uh we’re moving on. We brought Ryan on the show again because you know, we love this perspective on helping the quote unquote normal people or as you like to call them humans. So uh you know, it’s a great mission. But before we cover that, let’s talk about some common questions we get about liability. So first of all, disclaimer, we’re not lawyers that does not qualify as legal advice. This is not officially legal advice. We I don’t know what else I can say to disclaim that we’re
[00:04:22] Ryan Cloutier: Not lawyers. Nor do we play one on TV.
[00:04:24] Brad Nigh: Yes. And I did not stay at a Holiday Inn Express last night. Uh But we do work with lawyers a lot. We were working on on breaches. So Evan I know uh specifically had a couple of things around the liability you want to get started with that.
[00:04:43] Evan Francen: Yeah, sure. Absolutely. I so last week I wrote an article about uh what is an information security assessment do for you in terms of protecting you against liability. Uh You know, information street assessments aren’t you know, the sexy part of security per se. Uh But they go a long ways towards protecting you, uh, from my ability for one, it shows that you took security seriously enough uh to diagnose what your problems are. And I think, you know, it’s like trying to fix a car, you know, you don’t fix the car without diagnosing issues first, but it brought up a whole series of other questions so we can kind of start the debate there if you want.
[00:05:26] Brad Nigh: Yeah, I think that’s a good point, right? With when we’re working on this, lawyers are always gonna ask school, what did you know? And when did you know it going? I didn’t know, doesn’t that they don’t like that.
[00:05:40] Ryan Cloutier: It doesn’t seem to be a viable excuse anymore. Right, ignorance, ignorance to the problem is not
[00:05:45] Brad Nigh: an excuse. Yeah. When’s the last time you saw even just looking at him? Because that’s kind of the most common place. You see this, when’s the last time you saw that lowest tier where it was? Like, I didn’t know basically you don’t see that anymore from fine, you
[00:06:01] Ryan Cloutier: don’t, and I think, um, I forget which circuit court it was, but a judge had ruled that an employer had a common law obligation to protect their employees data. So, to to, you know, see us moving in that direction, you know, to have it referred to as common law. That’s big, that’s a that’s a huge issue. And its definite indicator that as a society, I think we’re we’re getting to a point where we are going to start holding folks more accountable to data privacy to security. You know, we have that expectation, uh, if we’re using their product or service.
[00:06:35] Brad Nigh: So unless unless your Equifax and now they’re trying to get out of having to pay $125, sorry.
[00:06:44] Evan Francen: Uh, and there’s certainly liability in, you know, in the courts, but there’s also a liability. Uh you know, when I think a lot of people haven’t been in a breach before breach situation, and when you think about it, now, I have to defend myself against uh, customers against the, you know, the board is going to be asking questions I have to answer to uh, you know, the court of public opinion. So there’s a lot of things that are just outside of even being sued in civil court. You’ve got administrative law to where regulators are issuing fines and you don’t have really a recourse to that. When you appeal an administrative fine, you’re appealing to their course with their jury with their judge.
[00:07:29] Ryan Cloutier: Uh, So I think a lot of people
[00:07:31] Evan Francen: think about that.
[00:07:33] Ryan Cloutier: I’ll build on that last night. I was having dinner with a friend of mine and he runs a pretty successful business, um, doing software development out of India and he had a third party. So he was adjacent to a breach, but during the investigative period of about eight months, all payments to him were frozen by the affected party. What while they figured out whether or not his company was liable for this for this ransomware about or whether they came in through, you know, a vehicle of his companies, you know, utilization of their systems and you know, all told, I think he said they backlogged almost half a million
[00:08:12] Brad Nigh: dollars. It’s a tough
[00:08:15] Ryan Cloutier: thing to, you know, the float and exactly to try to float that and keep his staff going. Ultimately he was vindicated and you know, they really stall all payments. But you know, for about eight months his payments were frozen and his brand was negatively impacted because well, why why is this company you know that you do business with now, right? Not paying. So, um,
[00:08:36] Brad Nigh: well, and even, you know, even mentioning the board and the current breach, we’re working on your there definitely are contacts are definitely starting to feel the heat. You can, you know, you can hear it in their voices, the stress and you know, their questions there. It’s not a fun position to be in to go. Well I thought we were protected but we’re, we were wide open and how did we not know because you didn’t do anything?
[00:09:05] Ryan Cloutier: Right. Well, and I think it’s hard for um, executives right now to understand just how far to go. They hear a lot about what’s going on. The security folks will come in and we’ll try to tell them what’s going on. But sometimes we don’t speak english or human, um, you know, and so they don’t they don’t understand exactly what we need to do. Sometimes the protections that we asked for as maybe too much not a good financial investment until after the fact they see that a lot as well
[00:09:38] Evan Francen: one. And you know, I wrote this article last week and it will be published sometime probably this week. And you know, I sort of started the article out with, you know, some people say there are no guarantees and information security and and that’s not true. There are guarantees. One guarantees that you’re going to have a breach. So that’s an absolute no matter what you do, that’s a guarantee. And then the second guarantee comes out of that. You’re going to need to defend yourself. It’s just who you’re defending yourself against. And so if you kind of play that out, because many people, like I said, haven’t been through this before, but we’ve been through enough times where we know what’s the first question that’s going to come out of their mouth? Or at least one that we better have an answer to is what did you do to prevent this? You have to you have to have a good answer. You know, saying I don’t know. Well, or I went out and bought a bunch of blinky lights? Well, great. Did you do an assessment. Do you know what your most significant risk is? If you don’t have answers to those questions, then that opens up a whole another line of questioning that I don’t think people are protected or people are ready for.
[00:10:48] Brad Nigh: Yeah, well, and I think unfortunately a lot of people aren’t ready for that first one. Even right. I think that’s the problem is, you know, and then they get to that next level and they’re just
[00:10:58] Evan Francen: drowning. So I was doing some kind of back back into some research. You know where I was funny because I was, you know, we’re raising money for security studio. I was trying to figure out what’s the total adjustable market for information security assessments and what’s the market today? So the market today, there’s about a billion dollars spent on information security assessments. That market is expected to grow to 6.5 million in the year 2025. The total addressable market, if you assume about $6,000 per assessment, which is actually low is $24 billion. So if you work through all that math, you sort of come to this conclusion that 90 to 92% of all companies in the United States don’t do an information security risk assessment. So I guess I mean that 90% of companies aren’t ready to answer that first question.
[00:12:00] Ryan Cloutier: Well, you know, it’s interesting you bring that up to and I think the insurers have a role to play here. A lot of the insurance companies, you know, aren’t holding that bar they’re not, they’re not saying you have to do an assessment of a particular framework,
[00:12:14] Brad Nigh: there’s three page paper they send out for the millions of dollars of coverage. It’s
[00:12:18] Ryan Cloutier: all cover everything. No, and, and here’s worse yet a lot of times it does cover or well, which then just perpetuates the problem that we,
[00:12:27] Brad Nigh: that’s what they’re using, but it doesn’t actually give you a good
[00:12:31] Ryan Cloutier: right. You know, And what I see as a trend is that we have all these insurance providers that are, are cutting these policies that either are not adequate and protection Or they do, you know, provide good money’s, but don’t set good boundaries right? And it’s the only area and insurance and again, full disclaimer, not a lawyer, not an insurance agent, not a licensed representative of any uh, insurance entities in Minnesota or other 50 states. But the point is is that they cut these policies of multiple millions of dollars of coverage with little to no expectation that the policy the person being covered or the entity being covered does a darn thing to change their security posture. Uh, maybe it asked for some security awareness training and we all know how how lovely uh, that is these days. Right. It’s, you know, maybe we can get Eddie Murphy to help us do some security awareness videos, but uh, the one and done approach. Well then you, you know, then two months later after that training, somebody, something that clicks, something they get blackmail, whatever that is and because the insurance company pays it. I see two things I see it encouraging more ransom and I see it encouraging a lackluster attitude in the leadership of these organizations because and I quote Ryan we don’t have to worry about that.
[00:13:52] Brad Nigh: We’ve got cyber insurance. Right. Well I think it was interesting is that
[00:13:58] Evan Francen: and then what’s the number one thing that if you asked that question, what have you done to prevent this breach? Which again is a guarantee given it’s a function of time? The answer you get more often than not. Well we spent X. Number of dollars on security last year which speaks nothing to whether those were good dollars or bad dollars because I would think it would almost make you more negligent if you spent information security dollars on things that weren’t significant risks. So I think it’s a dangerous and we need to shift this paradigm from How many dollars I spent two where I sent them. I
[00:14:36] Brad Nigh: agree. And I was gonna say I had a conversation I 36 months ago with an insurance uh there’s a lot of silence. His uh
[00:14:49] Evan Francen: huh
[00:14:51] Ryan Cloutier: are you still with us?
[00:14:54] Brad Nigh: Mm I may have lost him. So uh anyway, what? It’s got really quiet there. Uh the conversation I had was the guy was saying, you know we won’t we would not ensure a building without physically walking through and doing an inspection of it, but we’re writing millions or tens of millions of dollars for cyber insurance and have no idea what we’re ensuring there’s just nothing there.
[00:15:18] Ryan Cloutier: Well, you know, that’s interesting. You bring that up. I have several bodies in insurance as well and they have matrices for every other risk. They can tell you how likely it is for a tree branch to fall in a 2700 I in southeastern Minnesota on a particular day. Exactly, exactly. At a particular time of the day. Right? Uh, but they have no quantifiable measures. No, no qualitative measures. Even for what is, what is cyber is. Right? How do you, how do you effectively measure and, and then, you know, price that,
[00:15:54] Brad Nigh: right? Yeah, I think that’s going to be interesting, especially as they start having their staying out a lot more ransom where, You know, it goes seven, and the insurance companies don’t like paying out if they don’t have to. So they’re gonna wanna,
[00:16:09] Ryan Cloutier: and it’s crazy because ransomware is the only crime where the victim has to be complicit after the fact in order for it to be a
[00:16:16] Brad Nigh: crime. And, and as evidence said, it’s, it’s actually pretty easy to prepare for a good backup. Air Gapped.
[00:16:26] Ryan Cloutier: Yes. Yeah. Take them off, line him up back him up. You know, I was just talking about that last night actually, uh, there’s, there’s a project’s folks are working on and they were asking me about how best to defend those projects against ransomware and I said it’s old school guys make a backup and then take it offline thumb drive tape disconnect then as something
[00:16:49] Brad Nigh: just have it in a different
[00:16:51] Ryan Cloutier: Yeah, just offline away from that network. Exactly,
[00:16:56] Brad Nigh: yeah. Okay. So I guess we’ll take out of that, you know, as it says, the key to is to do things that a quote unquote, reasonable, reasonable person would do in your circumstance. And that’s, you know, another can of worms will address it another time is what’s reasonable, but I think, I think we can agree that not doing anything is not going to be good. At least start with an assessment and understand where you’re at, where your risks are.
[00:17:24] Ryan Cloutier: You know, I completely agree it is. You have to be able to see what you want to protect. And an assessment is where we start getting that visibility and that’s what I, you know what I tell
[00:17:36] Brad Nigh: folks. And it’s not the be all end all ever right. It’s not one starting point somewhere. At least you can say I’ve done something, identified my risk and I’ve got a plan of action, here’s what I’ve done.
[00:17:48] Ryan Cloutier: Absolutely. In some cases, it’s for smaller organizations, it’s the first time they’ve identified their assets. Yeah. So, you know, it can, it can have multiple benefits,
[00:17:59] Brad Nigh: not necessarily small. Alright. So we’ll switch gears a little bit um, so Ryan, you’ve got, you know, humans secure themselves, you know, and it is something that we share here at are secure. So you recently posted an open letter to the security community on Evans blog and you’re speaking to crowds all over the US. Let’s talk about that. Um first of all you’re going to talk just a little bit about your post on Evans blog.
[00:18:29] Ryan Cloutier: Yeah, so a few weeks back, I decided to uh we craft an open letter to the embassy community. Um but really I t in general and the intent of this letter was to help folks understand that you know, and Evan likes to talk about it as normal and abnormal. I generally say you know speaking human or or speaking not human tech knees right. Uh what I noticed is there is a generational barrier and gap in communication analog has trouble speaking to digital. So our analog humans, Those of us foreign before 1980 speak a slightly different language than those of us born after 1980 and it gets worse once you go past born after 1990. And and this communication gap is allowing these scammers to scam or because we can’t have a community conversation at the dinner table where we’re all speaking the
[00:19:25] Brad Nigh: same language. And
[00:19:27] Ryan Cloutier: and uh the other thing I notice is the cognitive dissidence if you will in some of the analog humans when it comes to the physical impact of digital technology use. So that’s what kind of inspired me to write the letter and really it was a plea or cry for help if you will to the info second. And I. T. Community to say we’ve got to stop with the tech jargon similar to how we expect our medical professionals to be able to explain it to us. In terms we can easily understand uh you know most of us go to the doctor. They don’t they don’t open up with the latin right? They don’t start telling you all the medical terms. They don’t you know they say it’s an arm. They don’t you know use the medical term to to explain your body parts a lot of times. Right? Or they use a colloquial term. Uh and if you don’t get it they work with you until you do. And that really is the big ass to the to the info second in I. T. Community is in regular plain non technical jargon and work with your user until they have that aha moment. And if all of us started to do that. I think we could actually get ahead of ransom where we could get ahead of some of the cybercrime because we’d be able to create an environmental health healthy skepticism.
[00:20:41] Brad Nigh: Yeah. So one of the things I think we talked about last time I do is the isc squared has that safe and secure online. So I volunteer for that. And I think they have a really good way of putting it. Its digital immigrant and digital native. Yes. Right. It’s the exact same thing. It’s just another kind of way to phrase it. Um actually had a uh saw somebody, I’ve done the parents presentation back in february. I saw him over the holiday weekend and the mom comes up and just starts, oh you did that, you know, and she remembered those things and she’s like I changed my passwords now, they’re all this and I’m using whatever last password actually I don’t remember which one, but it was so like encouraging to hear like 67 months later that she was still so excited like that if you can connect to the people and get them that, that aha moment sticks with them.
[00:21:34] Ryan Cloutier: Absolutely. You know, I’ve had folks come up to me even several years. I’ve to the fact uh, to, to tell me the impact had one lady, she unfortunately was dealing with some early passing in her family, one of her family members had passed away a little bit earlier than folks would have wanted and helping her navigate how to deal with the decedent’s identity and the security you need to have around a decedent and the decedent’s identity. And while it’s probably one of my toughest moments in information security, it’s also one of the most rewarding. Um, she came back about it was the next year, the year after some one or two years later and let me know that you know, based on what she learned in my seminar that I had given, you went back and checked and remind you this, the family member of hers had only been passed for maybe a week and a half, two weeks Found. Uh I believe she said five open accounts of new credit since asked. Um, and so, you know, as the person who is ultimately responsible for their state, they were very grateful, you know, work through that, but Just raising a general awareness that that’s something to take care of now, you know, 10 years ago, that wasn’t a checklist on the, what do we do when a family member passes away? And now it needs to be and and and same with when they’re born, you know, maybe maybe the day a child is born isn’t the day to get a Social Security
[00:23:01] Brad Nigh: number well or do you know, to put
[00:23:05] Ryan Cloutier: exactly exactly,
[00:23:06] Brad Nigh: you don’t want them to do it. You know, You know, we’re sitting here and with Evan, you know, in Bulgaria, kind of, it’s the same thing as speaking of foreign language really, we wouldn’t go Evan goes to Bulgaria, he’s not going to, I expect to be able to tell them in in english or interesting what there there’s got to be that translation. It Especially like you said, it said, it’s somewhat in the 80s really, the 90s and I mean anything, anybody born after 2000, it’s they’ve only ever known a world basically with smartphones and tablets and
[00:23:44] Ryan Cloutier: yeah, one of the one of the things I like to say is you know if you’re not fluent in an emoji you need to get there. If you’ve got kids, you better be fluent an emoji because they speak a different language. They use hieroglyphics, we use, you know, spoken word. It’s a very different form of communicating. And you know, I will say as well because we don’t speak their language and this is part of the cry for help and I hope to start with the community because I think they’re going to be most receptive to um understanding why they need to make these changes. But it’s it’s about helping to keep the kids safe to, it’s about you know, a lot of parents when I do my talks don’t understand that the chat inside of video games is a primary vehicle for people to get to their Children. Right? And and and that, you know, the chat feature on roadblocks for example right? Not to pick on roadblocks was very popular app among among young kids and a lot of parents don’t even know it has a chat feature, right? So uh and part of that is is they stopped listening to us. I joke that uh everybody was super into what the I. T. People had to say until they heard what they had to say.
[00:24:55] Brad Nigh: It’s almost like I think they feel like you’re talking over for them. Right? Well, again they don’t understand it? And Georgian? Yeah, and I catch myself doing it, you know, because you’re in it all day and you start using the acronyms and you just said like second nature, my wife even the other day. It was like I was telling her something about this bridge and she’s like, I have no, I didn’t understand a single thing you just said and I’ve been talking for like 10 minutes.
[00:25:22] Ryan Cloutier: Absolutely. You know, it’s so easy to happen, you know, at home for me, it’s my wife’s pretty cute about that. I’ll get to go on and she’ll just kind of look over and go, I don’t know what any of that was, but it sounded really great.
[00:25:34] Brad Nigh: That’s basically the response I
[00:25:35] Ryan Cloutier: got.
[00:25:37] Brad Nigh: Did you with Ryan and I have been kind of going on Evan, did you join back in?
[00:25:43] Evan Francen: I had
[00:25:45] Brad Nigh: anything bad will get you in the morning.
[00:25:51] Evan Francen: Yeah. These uh, Bulgarian telcos is funny. It’s almost like Mexico, but I don’t know if it’s better or worse. Uh, no, it’s you’re exactly right. I mean, the key to communication is understanding, right. It doesn’t matter if I’m using the right words or if I’m using the right uh, you know, punctuation. It’s do you understand what I’m saying? You know, are you getting the message that I’m giving off as it’s intended and we miss the boat oftentimes on that. I mean we might be using the right words, but if it’s not being received by the people were communicating with, then it’s wrong and they have to figure it out. You see that they figure it out what we do. And I think the onus is on us to do that.
[00:26:36] Brad Nigh: Yeah. You know, and you know, kind of the next thing is what can we do or what ideas for solving the problem? And I think, you know, what brian what you’re doing and speaking. And I’m actually going to be speaking at one of the local pos in a couple weeks same thing. The mom went to the one in february and said kim, can you come speak to all the parents at the school and, you know, getting out there and talking, I’m going to speak at the American Association of School business officials into october the same thing. Absolutely. People that don’t get it, you’ve got to get out there and well, and
[00:27:15] Ryan Cloutier: they’re the decision makers. You know, and I’m glad to hear you’re doing that because that’s where the message needs to start making its way back into the community. I’ve got a, what I’m doing here, I don’t know, I think january time frame or something with the Minnesota school board association and I go out and talk to schools, you know, with back to school the last few weeks, I did a few Kickoffs. Um, I was down in Houston a couple weeks ago doing a very large school district down there. I think over the course of five days I probably spoke to about 16,000 givers and the core thing was each individual has an individual responsibility and they all kind of perked up and when we do
[00:27:53] Brad Nigh: right. Yeah. And and and it’s that
[00:27:56] Ryan Cloutier: we haven’t Evans point the onus is on us because we have failed to get them to understand that they’re participating to we failed to explain their role. And I’ll go back to the doctor analogy, you go to the doctor to get something taken care of that. Doctor says, these are the things you need to do when you get home. So yes, I stitched up the leg and yes, I’m gonna, you know, uh, here’s some medications, but if you don’t take these antibiotics as prescribed, your legs are gonna fall off, right. If you don’t take the pain medication, you’re going to have a very miserable time. So, even though I might not understand the ins and outs of how my leg is built or what the medical terms for all the parts of my legs are. I know enough about how to use it to get where I’m going. And the doctor describes to me in simple enough language my role in participating and I’m arguing that we need to do the same and I would agree in all of technology. Let’s simplify it, make it work. Like my iphone, you know, I hear that all the time. Make it as easy as my iphone. So I think you know it, that’s our challenge. But I also say the hardest thing in the world that you can do is make something easy.
[00:29:08] Brad Nigh: Yeah, especially in it or security. It’s not, these aren’t simple systems, right? They are very complex. They are a lot of moving parts, but
[00:29:19] Ryan Cloutier: they don’t have to be complicated. I think we can have complexity without complication,
[00:29:24] Brad Nigh: especially when you’re translating it right. You’re right. That’s and that’s going to be the key is getting people to to understand, hey, we can’t do this if we don’t have all these people on our side at the end of the day we’re outnumbered. We cannot. They’re the first line of defense. Well, I’ve got to get to united
[00:29:43] Ryan Cloutier: say the security folk too. Don’t worry about being right. Stop worrying about being right. Start start checking for understanding. It doesn’t matter if you described ahead of engineer. Light me up once for speaking about something in an engineering context. I said I wasn’t talking to engineers was talking to regular humans. I needed my message to land and nit picking to death. The specificity of this was not going to get the message
[00:30:14] Brad Nigh: to land with the some sort of minor.
[00:30:17] Ryan Cloutier: I was absolutely in the wrong and engineering context. I had screwed up order of operations, which meant nothing to my end user that I was trying to get to change behavior was simply using an analogy an example to explain it enough to where they went, okay, I get how that works like this other system. I understand. So now I can have my ah ha moment and it’s it’s always the I. T. Guys that want to you know jump fonda. You misspoke that it wasn’t 100% perfect. I’m going yeah, I had 10 seconds to change this person’s opinion on something and it wasn’t going to do it by time.
[00:30:51] Brad Nigh: four and 5 of 10. Yeah.
[00:30:54] Ryan Cloutier: So I would say that’s that’s a big part of it is is kind of we got to stop when it comes to trying to behavior with our users. Focus more on the message unless on beating them up for poor behavior
[00:31:07] Brad Nigh: go and I think yeah, you’re right and going we get to low
[00:31:14] Ryan Cloutier: level, right? We’re
[00:31:15] Brad Nigh: just so right. Yeah, exactly. You got to go higher level. You’ve got to yeah. Like you said, simplify it. The majority of the users are not those digital natives at this point. It’s starting to transition well and doesn’t need another.
[00:31:32] Ryan Cloutier: I don’t, you know, I have a friend of mine, he’s a he’s a financial actuary. I don’t ever want to know what he knows. I have no interest in it. I don’t I don’t care to know those things. I’m never going to be that expert nor do I want to be but there’s a few things he knows about finance that are very applicable to my daily financial life that I was right. So talk to me like I’m like, I’m a second grader. I’m okay with that, explain it to me. And I wanted in a sound bite, we live in a sound bite world. I can’t get it in my 30 seconds of tell me exactly what I need to do right? And sometimes we boil the ocean, let’s give these folks 12, maybe three things and then let them get good at that and then let’s come back around
[00:32:16] Brad Nigh: well. And that’s the other thing is if you get somebody who wants to know more, they’re going to ask absolutely go high level and let them drill down, not start 15 levels down where they’re going. I missed something and they tune out
[00:32:31] Ryan Cloutier: right well and Evan curious about your opinion on this as well. But what I’ve noticed is as soon as somebody starts to have an aha moment, there’s, there’s a bit of a delay uh when they start to process all this in because it’s like an ocean wave hit him in the face and they’re like, oh I never understood, oh, now I understand. Oh right. Yeah. And you know, so it can be, it can be overwhelming. Would you say bread and Evan that that’s been your experience as well as you kind of work with folks out
[00:32:59] Evan Francen: there. Yeah, absolutely. I think as soon as you get that level of understanding where they’re getting what it is you’re saying and they can personalize it, you know, especially at home, you know because people care about protecting themselves more than they care about protecting companies usually, you know their employers. Uh so when you put it in those terms, yeah, there’s that moment and then yeah, they there’s a little bit of a freak out period and then once you kind of come down from that, it’s like okay what do I need to do? It’s funny because when we did a study, uh we did a study of 500 some odd I called, you know like you said, I call them normal people, we asked them uh one open ended question which was what can we do as security professionals to make your life better? And uh overwhelmingly the keyword was simple, make it simple and that’s cool because we know that complexity is the enemy of security. So we have a win win situation here if we can do it right, make it simple and win, you know with with reducing risks. So yeah, same thing Yeah,
[00:34:16] Brad Nigh: I you go back just because it’s fresh, is this current I are we’re working and when the ceo had that, I thought we were protected like that process, you could hear in his voice that I thought we at it and then exactly what you just said, oh, oh there, oh okay, you could just hear him process saying okay, how bad Exactly. Like he finally, you know, it took, it took about a week. Sure. And then he kind of got it and it was, Yeah, exactly. And now he’s very much unhappy with how things were, but understands and you know, in the credit, they’re doing the right things now to move forward, which is good. But I think it goes back to, I think he was being fed high, like not the right information well,
[00:35:17] Ryan Cloutier: and I think I blame a little bit of society and the consumer, right? So because the average human in technology right now is frankly unaware of how their data is being used right there, ill informed. And if they were informed better on the topic, I think people would feel a lot different. So we demand that these companies innovate. Well, innovation almost always happens at the expense of security. Right? The two don’t play together as well as they could or as they should. And, and so because of that, I think folks feel like maybe they need to feed some bad information or they need to cut a corner here there because you know, we got to hit that release date and you know, if we actually fix the holes we found, we’re gonna blow our release state by six weeks, we can’t have that. Let’s just get it out and then we’ll patch it on the back end.
[00:36:16] Brad Nigh: I wonder how much of it is. Also, I know I’ve seen this as you bring it up is, but they’re not going to get it. So if I just tell them whatever, they leave me alone,
[00:36:25] Ryan Cloutier: Yep. And 100%.
[00:36:26] Brad Nigh: And that’s they’re not doing things correctly or whatever. Right. And those questions will be useful.
[00:36:32] Evan Francen: Yeah, it’d be nice if we could almost, you know, you can’t do it, but turn back the clock and sort of do this over again. Uh, you know, where things were simpler because it was easier to secure things. And then as we add new technologies, sort of built security into it, build education into it. But we went too fast and we’ve gotten so far down this road now that, uh, we’ll need to get really creative on how we’re gonna sort of real this thing back in. I know that there’s, you know, you see in the news all the time about, you know, apples pushing for a new privacy regulation on the federal government and so is google and Microsoft and but these are the biggest offenders. So, you know, you wonder, can you trust them because they continue to kind of put us in this whole, but then again, they’re sort of pushed towards that by the consumer. So It’s definitely a catch 22 that we’re going to have to address at some at some point.
[00:37:31] Brad Nigh: It’s a big challenge. I mean, I think we’ve got a lot of, there’s a lot of good people out there working on this, but it’s an uphill battle.
[00:37:44] Ryan Cloutier: Well, it comes down to, you know, what is the consumer want at the end of the day, the consumer is what drove all of this. Why do you have seatbelts? Why do you have air bags? Why do you have? Right? Because the consumer using their vote voice and wallet, that’s what drives this, at least in this country. That’s that’s what drives us, right? If you stop giving money to apple, Apple stops making product. So I think we have to, you know, to Evans point, we have to be creative. But I think it’s it’s a it’s a larger conversation that says as a society, are we willing to pump the brakes a little bit on tech, Right? We’re starting to get into, you know, as my non 80 buddy describes it. You guys are going to start the apocalypse with your ai terminators, right? I mean, we’re we’re actually getting to that point in tech and then, you know, what have we done to secure the infrastructure that powers these things? These surgery robots, These other things that are becoming more commonplace every day. Right? And, you know, unfortunately, I think it is going to take a mass event. I don’t think a company losing data, therefore some dollars, therefore being embarrassed is going to adult society. I think unfortunately going to come down, uh, active
[00:38:58] Brad Nigh: or at least in the fine is more than their process.
[00:39:02] Evan Francen: Yeah,
[00:39:04] Brad Nigh: they don’t care if they million on billion of relative writers.
[00:39:09] Evan Francen: Well, we’re in, uh, you know, the three of us and others, many others are sort of in this grassroots effort. And I think, you know, we will, we will be better when we sort of unify. And so I know that we’re starting kind of down that path and there’s many organizations, but really getting a single sort of voice. We’ll go a long ways. One of the things that I had had a meeting last thursday with a guy who’s, uh, he’s got a significant investment from facebook and Zuckerberg Foundation to combat, uh, Sex crimes in the combat, uh, you know, sex trafficking, you know, there’s promise there because that’s the one that’s the one thing that, you know, I have a, I have a daughter, I have a 14 year old daughter and I can kind of live a little bit with the privacy issues. Maybe I can sort of live with the financial issues because I’m not really held liable for that anyway. But one of the things that I can’t ever accept is, you know, the whole safety issue in the sexual, uh, you know, sex trafficking piece. So if nothing else motivates people, hopefully that will.
[00:40:22] Ryan Cloutier: Yeah. You know, I think you’re absolutely right of it. And frankly, we’re seeing more of that. And I think there’s a gap, uh, and that’s parents. So Just think about birds and bees for a second and how vastly different that conversation is from 10 years to go, well the cell phone makes parenting harder, hands down, right? And unfortunately, I think a lot of parents use it as an excuse to not be involved in their digital lives. You know, we had to invent backseat reminders Because people kept leaving their kids in the car. Well let’s talk about what they’re really doing, that’s got them so distracted that they’re leaving their kids behind in a car. nine times out of 10, you’re going to see that they were responding to their phone,
[00:41:07] Brad Nigh: you know, something, they do
[00:41:08] Ryan Cloutier: Check it 10 years ago. I don’t remember there being a huge rash of people leaving their kids and cars, right? I mean, let’s think about some of those digital problems, that to Kevin’s point raising a teenager these days and and and navigating digital dating,
[00:41:23] Brad Nigh: Oh, what
[00:41:24] Ryan Cloutier: a nightmare. Yeah,
[00:41:25] Brad Nigh: that’s one of the parts that did that parents uh talk, I do, it’s, it’s uncomfortable, I mean really comfortable because you, you know, we know and have seen the stories of what happens and these parents just, you can just see the color drain on their faces and, you know, jaws drop and almost that panic set in behind, you know, in the back of the, you know, in the eye, you can see see this and, you know, there’s a lot of parts of that, the presentations an hour hour and a half feet down talk and the the For that being, you know, five or 6 slides of this, it gets by far the most Q and A. Because they they, it’s like uh oh
[00:42:15] Ryan Cloutier: well it isn’t that ah ha right. Yeah, if you don’t know, you know, you don’t know and that’s more os my right. Uh huh. Yeah.
[00:42:24] Evan Francen: Well, and we all, we’ve all talked to parents guys, I mean, your gut feel what percentage of parents do you think actually know what their Children are doing on ipads and iphones and Androids?
[00:42:37] Ryan Cloutier: Less than two.
[00:42:38] Brad Nigh: I was gonna say less than 10,
[00:42:40] Ryan Cloutier: less than two
[00:42:41] Evan Francen: percent. That that’s scary as hell when you think about it because you’re bringing the dangerous world of the internet into their bedrooms at night and you’re not putting the proper restrictions because you don’t even know how big the problem is. I mean, it goes back kind of what we’re talking about with, you know, liability and companies if you don’t know what the problem is, how the hell are you going to fix it? And so uh, you know, if that’s the scary part for me is just parents don’t even know what their kids are doing. I remember when I was a kid, my father, I told this to Minnetonka school district, you know, when I was a kid. Uh, my father had playboy magazines like most fathers probably did and I’m a kid, I’m curious, I do things that kids do. All kids that they still do it today. And I would go into my dad’s closet and knew where they were and I would look at them. Well nowadays you’ve got to let your fingertips kids have it on their phones. They can do it and you know, and it’s hard core stuff. I mean devious stuff. So then they get desensitized to all this and then you just raise a generation of sexual deviance. I mean it just gets worse.
[00:43:48] Brad Nigh: Yeah, you do. One of the positive was out of that speak the speech. The lady is talking to you over the holiday. She said now she used to let her take the phones and tablets and everything. Now they have a charging station downstairs. Everybody had to leave their phone downstairs, let me go to bed. And then she goes, I never even thought of it until that. And so it works like people won’t, I think parents overall want to do the right thing. They just don’t
[00:44:21] Ryan Cloutier: exactly, they don’t know, you know, my house, it was a little bit different. Um, and if you’re t mobile customer, they have this, I think all the other phone services now finally have it as well. We would put schedules. Those data plans would shut off, You know, there was a restriction on the wifi, it it it went dark at a certain point. We, you know scheduled it he had uh, you know, his Mac address, right? For the tech folks that were in the unique identifier right? For for his device. So I knew which was the phone and which was the playstation and all that. There was no internet access. I just was
[00:44:58] Brad Nigh: revoked. My daughters have netflix and prime video until like from bedtime until you know, when they go upstairs for about an hour and a half. Sure. And that’s it. Everything everything else is, nope. And they’re totally okay with it. They don’t need that other stuff there watching, you know, the office, which I can’t argue with parks and Right. Right. So they’re getting into fun shows, but it’s scary. You don’t know what they’re doing
[00:45:29] Ryan Cloutier: well and and they don’t need to be exposed to that garbage right before bed. Let’s just be honest. You go through a comment section, Pick a social media. I don’t care what it is. Never read the comments. You know. Well, it could be the most entertaining part of your day. Could be the first depressing part of your day, Right? And it could be in the same posting. So I think it’s
[00:45:50] Brad Nigh: uh pulled in heaven with my uh huh.
[00:45:53] Ryan Cloutier: Okay. Sorry. Um, but I think, you know, that’s the other thing we’re not thinking about is the long term psychological and sociological impact of this trash dump of behavior,
[00:46:04] Brad Nigh: right? And I think it’s so still so new. We don’t, we’re just starting to understand it takes years to study this stuff. What is the impact, You know, it doesn’t, it doesn’t,
[00:46:14] Ryan Cloutier: I’ll say it this way, the way that we behave online, we would never even today absolutely never do in person
[00:46:25] Brad Nigh: that anonymity gives people,
[00:46:27] Ryan Cloutier: oh, it’s a keyboard courage. It’s insane. And then, you know, and the problem is unfortunately, human beings love sensationalism. They love shiny objects if you will, right? We’re still very primal in that regard. So the trashier, the content, the more inflammatory, the responses, the more attention it gets, a positive post is not as likely to go viral as a, as a negative post tearing somebody down. Right? And the kids mentally aren’t mature enough to make some of that discernment, you know, and so what do they see? They see popularity is equal to negative being nasty and you know, to Evans point about raising a generation of sexual deviance. I don’t want to raise a generation of giant flaming a holes
[00:47:15] Brad Nigh: either. And that’s, that’s what you think. You need to wait, did you see that story of uh, the University of Tennessee? There was a, like 1/4 grader that made his own shirt and was bullied at school. No, I was hand drawn shirt and it looks like, you know, a kid drew it and he’s getting just bullied about it and uh, ut licensed it and they sell an officially licensed shirt. That’s what exactly. We need to see more of that, get that publicized versus all the, yeah, the negativity that’s out there. And I
[00:47:51] Ryan Cloutier: think part of the conversation is uh, this all fits back into security as well. Well, because it’s how we’re conducting ourselves on social media that’s giving the bad guys what they need to be able to victimize us. Right?
[00:48:04] Brad Nigh: Yeah. I’ll show you this here in a second after the, after the show. Uh, so we are down to about 10 minutes or so left. So let’s talk about the news real quick. Um, couple of things uh, on the register dot c o dot UK. Uh, massachusetts city tells rates of were scumbags to riot cough. Alrighty staff will handle us easily. Uh, and the image that they picked for that story is fantastic. I love the register. It’s just the guy give them to the computer. So the city of New Bedford Massachusetts, uh, they shored up their defenses restored from backups and are rebuilding systems and That was it. Uh, they, over the 4th of July uh, they found some unusual activity. Um, once they determined it was riot, they were able to limit the impact. They said there was about uh, we’re going, I just headed up 150 ISH Machine, 158 machines out of 3500 that were used were compromised, minimal impact. No sis, no major systems were impacted. It’s like we were talking about, you can see these stories actually happening. It’s doing your backups, right? You’re air gapping, you have good monitoring in place. You know what’s out there. You have a good s inventory. It’s not that hard to be able to mitigate and minimize that damage.
[00:49:31] Ryan Cloutier: Yeah I would say you know ransomware isn’t quote unquote preventable yet because we haven’t gotten the behavior change we need uh but being laid out for days or having to pay the ransom is preventable to your point, make a backup, have it offline. You know, It’s going to save you, it’s going to save you 100% of the time
[00:49:55] Brad Nigh: show and it almost did audio or auto play at which by the way are infuriating. All right. Evan do that there
[00:50:06] Evan Francen: I agree
[00:50:08] Brad Nigh: go do evidence that ransomware readiness out on our website that I’ll tell you where you’re at. Okay. Uh This one was off off of ice dot com. The mvs are selling data to private investigators. Uh And this one is uh because it surprised me, I didn’t realize it because you think right the D. M. V. S. The government, they don’t sell that, you know, that would be the one place that wouldn’t necessarily do it. And it seems like it’s a It was a good law back in the early 90s that had unintended consequences.
[00:50:45] Ryan Cloutier: Well and having read that article, the quote that says well at least we’re not selling your social security number I think is what stood out most to me. Um It’s this attitude that you gave us the data, therefore it’s ours because we don’t have a privacy law in this country that says otherwise. The attitude of these institutions be a government entities, be a corporate entities uh is you gave it to us and therefore it’s now ours. And we’ll do with it as we see fit Real Quick. I’ll tell you look at 23 and me and what they did, they swore they’d never sell data. Well we see them having now sold data
[00:51:21] Brad Nigh: money talks. That’s right, yeah. Yeah. So you’ve got laws from you know, early 90s before the Internet was a thing before privacy of the thing that uh need desperately need to be updated to be relevant now. And well we won’t won’t make this a political show but it might be a while. Um Next one was off of G. B. Hackers uh unpatched android zero Day vulnerabilities that hackers escalate and take escalate privilege and take control of device. This was a you know, you read that article, the headline, you’re like oh my goodness, well you actually have to download a package first in order to execute it to get it. So it’s not quite as bad. But then I remember how easy it is to get people to click on things and go oh yeah that’s
[00:52:15] Ryan Cloutier: right. Well you know and part of that is the sensationalism right Yeah is not necessarily helping us um in the music industry.
[00:52:24] Brad Nigh: Well and I think for me, what was frustrating is, so the company founded ZDI, they initially reported it to Google on March 13. Google confirmed it on June 28 and nothing. So since, you know, in the last two months, they’ve been trying to get an update what’s going on, what’s going on? Hey, we’re going to release is the word that there’s a zero day nothing, nothing okay here it is. Right. Why hasn’t google done anything about it?
[00:52:53] Ryan Cloutier: Well, you know, it’s funny because it’s in their own backyard is my opinion. Um, because they were quick to say Apple had some problems.
[00:53:00] Brad Nigh: Oh yeah, they mean, and they do a lot of really good research around, They do, uh,
[00:53:05] Ryan Cloutier: back to sensationalism if you really read the story behind the Apple, uh, exploit and, and the narrow scope in which it actually existed versus in the wild. But the headline that was out there and what, you know, what the talking points were from Google’s release was very much pointed at Apple. What becomes interesting is when two competing companies start doing security inspection on each other. You know, the arms where’s the truth
[00:53:33] Brad Nigh: lie? Yeah, very true. You have to be able to read between the lines, but from a security perspective, I mean, we, we do benefit from it when they started, you know, really digging in and finding these things, but there is that as long as they actually address them and fix them
[00:53:50] Ryan Cloutier: right? Because if it’s too juicy it gets turned into a cyber weapon and we don’t get to hear about. True
[00:53:54] Brad Nigh: that’s a good point. Yeah. Uh Next one again off of G. B. Hackers like this. I’ve seen it all over the place uh massive data leak 419 million facebook users phone numbers exposed. And I like how facebook’s response was. Well we even use that for like a year we disabled that but the database has been updated like two weeks prior to the thing so it’s like okay come on. At what point how many leaks does facebook have to have before? There’s some sort of repercussion.
[00:54:26] Ryan Cloutier: Facebook can have limitless leaks until we stop playing God is not participating in giving them our money in our in our data.
[00:54:35] Brad Nigh: I did see uh who was that Senator White And I think who was saying that you know he thinks that Zuckerberg and the executive should face jail time because they intentionally misled during the investigation of the initial breach. Is that if a financial ceo had misled on the financials and all that is similar to what he had done right that he they would be facing criminal charges in jail time. I think it’s going to take something like that for some of these companies to actually care
[00:55:08] Ryan Cloutier: it is um the challenge there though is I mean let’s not get political but let’s just just just realize that accompanied that big and, and the people and players and the donations and such. I think it takes some time to, uh, for that change to happen. Um, facebook got in a ton of trouble. They paid the largest fine in history.
[00:55:33] Brad Nigh: There was a, a fraction of what they profited off of five billion
[00:55:36] Ryan Cloutier: dollar fine. Right? And they were like, yeah, whatever. Moving on. Right, Well, what’s a campaign contribution? Right. Right. So I love that. I see folks going triangle. It’s to do that. I think, you know, I just look back to what happened, what we lived through in 2008 who really paid for that whole disaster. Right?
[00:55:57] Brad Nigh: I think you’re right. I think, you know, the consumers are the ones that are going to speak, we got to speak with people, quit using it. And you already seeing that. I think to some extent, but
[00:56:06] Ryan Cloutier: well, you know, facebook is now getting into dating. So maybe another topic for another show, but there’s a very large amount of very, uh, well, digital, use your language, your parents. Uh, we’re now entering the world because first marriage has come in and maybe, you know, someone’s passed on the platform,
[00:56:33] Evan Francen: get your assets, get your ass off the couch and date the old fashioned
[00:56:38] Brad Nigh: way.
[00:56:41] Ryan Cloutier: I don’t know these days. Uh, talking to the single guys Evan, it sounds like that might not work as well as the
[00:56:48] Brad Nigh: way,
[00:56:50] Evan Francen: stop being lazy if you want to find the right mate, get out, find her,
[00:56:53] Brad Nigh: I joke with my wife. There’s no way, you know, I’m never gonna leave because I’ve never really dating, that’s not the reason I win. But yeah, it’s seen with the people people go
[00:57:06] Ryan Cloutier: for, it’s different out there. My buddy tells me, he says, you know, if she doesn’t swipe right, you know, it’s not right.
[00:57:15] Brad Nigh: I know, yeah, but I’m not speaking a different language. Right? Uh, wow. All right, Well, that was a lot. Um, you know, thank you for joining. Right? So I could, uh, glad here to talk about it. And even though Evan apparently has something against you, Evan, come on, man. I delay.
[00:57:37] Evan Francen: Hey, I love Ryan, I just, you know, I don’t like the smell.
[00:57:42] Brad Nigh: I will say it was very nice of you to come in. So that, you know, I did have somebody here. It’s a lot of fun to have. It’s a lot easier to do these when you’re, when you have somebody face to face them. Absolutely glad to be here guys. I appreciate it. Sure we do it again and then have a great time in Bulgaria. Um, bring home something Bulgarian for me. I’ll give
[00:58:03] Evan Francen: you something,
[00:58:04] Brad Nigh: I’m a little nervous. Yeah, Seriously. So, uh, special thank you to all of our loyal listeners. Love the feedback. Um, really and truly do appreciate everyone listening and every week, you know, seeing the numbers grow is just, it’s very humbling. Um, and you know, having people say, hey, listen to you every week because it blows my mind. So thank you very much. You send it, send us your feedback at firstname.lastname@example.org. And you can socialize with us on twitter. I’m @BradNigh Evan’s @EvanFrancen and Ryan, you are
[00:58:43] Ryan Cloutier: @cloutiersec
[00:58:45] Brad Nigh: All right, thank you all. And we will talk to you next week.