Smashing Security podcast #407: HP’s hold music, and human trafficking

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Journey with us to Myanmar’s shadowy scam factories, where trafficked workers are forced to run romance-baiting and fake tech support scams, and find out why a company’s mandatory hold time for tech support could lead to innocent users having their computers compromised.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Plus – don’t miss our featured interview with Acronis CISO Gerald Beuchelt!

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

So you're on hold and you're sitting there with the hold music and you're kind of in la la land where you can actually do work and some of these channels every 30 seconds some voice comes on your call is important to us you are fourth deep in line and then gives you an ad sometimes and then goes back to music.

Graham Cluley

Yes if you're having such a great support experience you want to buy more from us, then here's other things you can have tech support problems with. Smashing Security, episode 407. HP's Hold Music and Human Trafficking with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 407. My name's Graham Cluley. And I'm Carole Theriault. 407, Carole. I know, I know. And so it goes on. You know, there are people out there who've listened to every single episode of Smashing Security. Wow. They've undertaken the odyssey.

Carole

Someone should do the math of how many hours that is. Yeah, a lot. Well, we have a jam-packed show today, so you're going to get another hour on that docket. But before we kick off, let's thank this week's wonderful sponsors, Acronis, Drata and Palo Alto Networks. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? I'm going to be talking about when tech support is a cybersecurity vulnerability. And I'm going to see if we can squeeze out some compassion for the unfortunate scammer. Plus, I chat with Gerald Beuchelt. He's Acronis' Chief Information Security Officer, and he shares loads of tips on how the security professional can get the boss on side. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, a question for you to kick off this show. What is the most terrifying sentence in the English language, do you think? I have no idea. What about, I've invited my

Carole

parent to come on holiday with us? I think Ebola might be worse than that. And that's also more than one word. Oh, you said sentence. Yeah, I think one word. Yeah, I would say Ebola. Ebola, Ebola,

Graham

Ebola would be your one. Okay. What about, don't click here to not unsubscribe from our emails? I actually think the most terrifying phrase of all is, your call is important to us. Those words you hear when you ring up a tech support line or you ring up customer service because you instantly know from that point on that it isn't important to them. You know that you're in a queue. I was going to say it's not typically automated, right? So it's not like someone's saying that to your face. but you hear those words. Yeah.

Carole

I'll admit it. That's not fun. It's not fun. And you can spend hours and hours doing it. And I think this is a waste of time. whole country some money. Did you do a little math chart to work out how much we could make? I haven't done any math chart. No, Carole. I've just imagined it. that experience better? Well, I'm imagining the answer today is AI. That's what they're all going to say to you. Like a little chat bot. My husband actually had to cancel a subscription and he went to the website. And it wasn't a very important subscription. It was a magazine subscription. And it was for somebody else, a family member. And he was like, hey, my brother-in-law wants to cancel the subscription. He's having trouble doing it. What's his name? He told them and they cancelled it all through the chatbot. Could anyone speak to the chatbot and cancel anybody's subscription? That's what we were saying. I hope that wouldn't happen at a bank.

Graham

Just close that account. Just transfer that money. Yeah, well, you could use AI. I guess that's one possible way to do it. I mean, some people are a bit wary of AI, aren't they? But I think there's other ways in which you can make a tech support line more efficient because it's a very simple equation, right? People are clogging up support lines. You need to get people off the support lines to make the support line more efficient. This is sounding revolutionary so far. Go on. Yeah, it is, isn't it? So you can do that in a few different ways. You can build a product that doesn't require much in the way of support, right? So it just works. So if you did that, then your support line would be something that would work. I suppose, yeah. You'd be able to call it and there wouldn't be anyone else clogging it up. In fact, there'd be a phone covered in dust and cobwebs, which never has to be picked up by the people who work in that particular support line. It's a lovely way of thinking about things. So that would help reduce the number of people who call support. Having a product which just works, it makes support hotlines better. The problem is that it requires some effort in building a product that actually works in the first place. Yes. And that's why companies seemingly don't do that. Now, another solution, I'm on a bit of a high horse this week. Yeah. Is that you can hire more tech support people to staff the support line, right? Just throw

Carole

people at it. I wonder if they have hiring difficulties in tech support. I imagine they might. Imagine there's burnouts quite quickly on that type of job. That's often why the support lines are based in countries where there's a large population, perhaps, and they don't cost very much. So hiring more people does cost money, obviously, for the company. have a great printer. Do you? I love my printer. It has never misbehaved once. Knock on wood. Well, I look forward to it being a pick of the week one day. because many of them don't. Many of them don't work. Well, I don't think you have to do that. You can also buy them. Well, that's

Graham

what they're pushing you to do, aren't they?

Carole

Well, along with every other business out there. Yeah, well, the thing is, your husband may have success in unsubscribing from some magazine or something. Good luck unsubscribing from an HP ink subscription. Yeah, or just not staff it like some very well-known people in the world have done, right? Keep it empty.

Graham

Right. Keep it empty, maybe. So as The Register reported last month, an internal order was sent around HP. And I'm going to tell you exactly what it said, and then I'll try and explain what it means. Okay. It said, we want to inform you of a change in the NL IVR, that's the natural language IVR, in some countries and languages for consumer print and consumer PC customers in EMEA effective today. Now, IVR is the interactive voice response. That's their phone menu system. But they don't actually say that anywhere. No, they don't mention that anywhere. So you have to know the lingo. So the natural language IVR is their phone menu system. That's their digital phone system, which you ring up and you press a button and you get things played at you and you're put in a queue. And they carried on. They said, objective is to influence customers to increase their adoption of digital self-solve as a faster way to address their support question. This involves inserting a message of high call volumes to expect a delay in connecting to an agent and offering digital self-solve solutions as an alternative. Have you followed that?

Carole

No, what I'm wondering is, is it written like this because they're turning something on by default and they're trying to obfuscate that or so you just get bored out of your mind? I think

Graham

It's just corporate speak. I think this is just how they talk inside large organizations. What do they want? What's the bottom line? Well, I've decrypted it. Rather like the Rosetta Stone, I've taken a look at it and I've tried to work out what that actually means. What they are actually saying is that they've changed the way their tech support phone system works. When they say their objective is to influence customers to increase their adoption of digital self-solve, what they mean is they want more customers to fix their own problems by looking up the answers online. How are they going to do that? And they say this involves inserting a message of high call volumes to expect a delay in connecting to an agent and offering digital self-solve solutions as an alternative. In short, at the beginning of the call to tech support, they are playing a message stating we're experiencing longer waiting times and we apologize for the inconvenience. Feel free to look at our website. The next available representative will be with you in about 15 minutes. And what they were doing was they were putting a mandatory, compulsory 15-minute wait on their support lines.

Carole

Oh, like they're throttling it to try and force people to go to the self-serve.

Graham

Exactly. So even if there was no one in front of you, you would have to wait 15 minutes. And every fifth minute or 10th minute or the 13th minute, the recording message comes in again and said, we're still experiencing longer waiting times than normal. We apologise for the inconvenience, an inconvenience they have manufactured themselves artificially.

Carole

Can I tell you, that is my pet peeve, actually. You just triggered me. So you're on hold, right? And you're sitting there with the hold music, and you're kind of in la-la land where you can actually do work. And some of these channels, every 30 seconds, some voice comes on, your call is important to us. You are in line. And then gives you an ad sometimes and then goes back to music.

Graham

Yes, ads for other services. They cross-sell on the channels. If you're having such a great support experience, you want to buy more from us, then here's other things you can have tech support problems with. So I found this extraordinary that they put in this compulsory 15-minute wait. Did you try it out? No, I haven't tried it out. You crazy? I would rather enter Hades than ring up HP's tech support. So it's not just HP which can be guilty of this kind of thing. Way back in 2000, for instance, credit reference agencies like Equifax, TransUnion, Experian, they were fined $2.5 million because the FTC found that they were failing to maintain their toll-free telephone lines for consumers seeking information about their credit score. They were blocking millions of consumer calls. They were leaving them on hold for excessive amounts of time, a bit like HP was. So imagine that you had called HP, but you're on the line for a long time and you do seek help elsewhere. Well, that's where the problem comes from the security point of view. As veteran journalist Bob Sullivan pointed out in recent days, HP's move has inadvertently exposed consumers to cybercrime. Because, of course, these frustrated users who just can't get their HP printer to work often will turn to unreliable third-party websites and potentially download malware instead of legitimate printer drivers.

Carole

Has this happened or is this theoretical?

Graham

No, this is happening all the time. According to Bob, he's got a theory about this. He says poor customer service creates a significant cybersecurity vulnerability and more companies need to think about this because criminals can exploit the desperation of consumers who are looking for help with a product or a service.

Carole

Something they pay for every single month if it's a service. That drives me nuts too. But anyway,

Graham

Absolutely. And it's not as though HP printers work.

Carole

Again, I know you have issues. Not just me. I've done searches on the line. I'm sure there's lots of happy people out there. Feel free to write in and wind Graham up with your happy HP stories. If HP, by the way, wants to sponsor the podcast, then we can remove this entire story from the episode. All the time, you're having problems because your printer's updating, there's software updates, maybe your computer's updating, there's out-of-sync printer driver, you find yourself screaming in frustration. And sometimes users can't find the printer driver they want on HP's website, but they find something elsewhere on the internet which claims to be the driver they need. And that, of course, might be legitimate, might be malware. Useful for people who actually managed to get to the legitimate website.

Graham

Security researcher Jerome Segura from Malwarebytes, he's recently blogged about what he saw when he went to Google and searched for HP printer help. And what Google did was, of course, before the genuine HP printer support page, he got four sponsored links, all claiming they could fix your HP printer problem online. And all of them were scams.

Carole

Now, look, I know my mum listens to the show. I'm just going to interrupt. Mum, pay attention to this, the whole sponsored thing. OK? Yeah. It's not the legit page, and people don't realize because it's written quite tidily. Well, it's designed to look like a regular link more or less, isn't it? Which is gross. Why don't you just back color it a bit, you know, make it obvious? So you go through to one of these sponsored links which Jerome found when he looked for HP printer help, and you try to install the driver via their installation wizard on the web. It all looks very friendly and suddenly goes, oh, fatal error occurred, it says. But you can start a live chat with a support agent. Maybe they should parallel that with this is your chance to take 15 minutes for yourself and maybe meditate. Maybe that's what I need.

Graham

Maybe. But there's some good news, Carole. There's some good news. Because after The Register publicized HP's 15-minute directive on their support lines, the company went into an urgent reverse ferret. The press picked up on it. The company caved into the pressure. And they said, oh, what were we doing? Oh, we've stopped that. We've stopped that now.

Carole

You know what, though? It also sounds to me like it might have been one particular director's idea, right, to try it out and maybe didn't have the upper echelon's involvement in this. And then, you know, when word got out, shit hit the fire. Well, it was across Europe, Middle East and Africa they were doing this. So maybe they were trialing it on us Europeans and the Middle East and Africa before they were going to do it in the Americas as well. I'm not sure. Yeah, have a snooze while I talk. Perfect. What topic have you got for us this week? So, I want you to meet X. I'm calling them X because they're anonymous. And like many others, X struggled to find a job after the whole COVID pandemic thing. And he had a dream of studying to be a hairdresser. And to study to be a hairdresser, you need some money, but jobs were scarce. And one day, he hears about a job through an acquaintance. Now, when you're waiting for work, and this happens to be in Northern Vietnam, by the way.

Graham

Oh, okay.

Carole

But I think, you know, most of us might have been in the situation where we're really hungry for work and nothing is about. So you start keeping your ears to the ground. Yeah. And maybe you first ask your closest friends, then your close friends, then your not so close friends, and then acquaintances. Because you never know. You never know when you're going to luck out. Right. So X does luck out, right? And he checks out the job description his buddy sends him. And it promises, most important thing, a decent salary. And it's a six-month contract in Thailand. And X is told that the work would involve using a computer and typing.

Graham

As many jobs do these days, yes?

Carole

As many, many jobs do. Yeah, seems reasonable. And, you know, you can imagine X. He's not an old lad. He's young. You know, he's a little scared. He's probably going to be abroad on his own for the first time.

Graham

Yeah, that'd be daunting, yeah.

Carole

He's also excited. His mom's really proud. So when they land, the sitch quickly goes belly up because he's kidnapped and thrown into one of these spam cells. Well, hang on. He's kidnapped. Kidnapped and thrown into a spam factory. That's a more accurate term where he's forced to carry out online cryptocurrency scams.

Graham

OK. When you said spam factory, I thought you meant the manufactured sort of processed meat product. But you're actually talking about...

Carole

It's from England, I think, not Vietnam.

Graham

Who knows where they outsource the manufacture of it these days? Okay, so X has just gotten in. He says he starts getting threats of physical beatings and starvation makes him feel like he has no choice but to engage in the scams. So he says starved for 15 days, offered only occasional scraps of food for failing to meet the scam quota. It's just horrific, isn't it?

Carole

It's unbelievable. And this worker was apparently forced to approach men in the Middle East and lure them into transferring funds to fictitious investments. And so using AI, the scammers made him appear on screen to be an attractive young woman, altering his voice, et cetera, et cetera. So I'm going to pause here quickly because typically we are concerned about the end victim. The person who gets scammed into investing into crypto or falls for a romance scam or whatever. Yep. And when you realize you've been scammed, you are furious with the cyber assailant. Yes, yes. The one that whispered sweet nothings in your feed or the one that gave you the not so hot crypto tip. But what if that person you hate so much and wishing the worst karma on is actually someone who had simply wanted a job to get some money to study hairdressing?

Graham

And is being held against their will and punished and beaten. Yeah,

Carole

No passport, working all hours. And obviously not seeing the money that is coming in, right? This is going all to the bosses. So this problem has been mushrooming since COVID times. And for the last few months, Thailand has intimated that it's committed to cleaning up this mess. So in February last month, BBC reported that more than 250 people from 20 different nationalities were rescued from a so-called spam warehouse in Myanmar by an armed group. Weeks later, another BBC report that thousands more have been rescued from these spam compounds along the Myanmar border. I've seen a number of reports say 7,000 plus have been rescued. Wow. Now, it seems that this cleanup effort kicked off soon after the Thai prime minister met with Chinese leader Xi Jinping and promised to shut down the scam centers which have proliferated along the Thai-Myanmar border. Most of these are reportedly run by Chinese fraud and gambling operatives who have taken advantage of the lawlessness in this part of Myanmar. Yeah. And you can, you know, readers, feel free to do some reading on a character called Broken Tooth. This is a Chinese gangster of sorts with ties to this whole operation. There's a really good piece in The Washington Post. I'll put the link in the show notes. Sounds Bond villain, Broken Tooth. Yeah. There is a movie. I think he directed or starred in a movie. I think it's called Broken Tooth. Oh. Yeah. I digress. So, yes, as you were saying, wonderful that thousands have been saved, right? And I'm saying saved here with invisible quote marks, because this could be the end of the story, except for two things. One, the UN says that hundreds of thousands were forcibly engaged by organized criminal gangs into online criminality across Southeast Asia. So from a human rights perspective, we might just be scraping the very surface here. Yeah. Two, many of these worker scam victims who have been rescued are not really free yet. 
Many of them are still being held in makeshift processing centers along the border. So Thailand insists it's moving as fast as it can to process these workers and get them home. But these centers are run by armed militia groups, seem to have very limited capacity, which means that basic hygiene health requirements are not being met. So one detainee told the BBC that he got two very basic meals a day and that there were only two toilets for 450 people.

Graham

Yeah, not pleasant conditions, presumably better than when you were being beaten and electrocuted by broken teeth.

Carole

It's interesting because there seems to be some suggestions in the latest days of press saying it's really bad in these camps. Like, really bad. So the question is, what's taking so long? So one of the suggestions, some countries are perhaps not scrambling to get their people back. So the BBC has been told that some African countries will only fly their people home if someone else pays. Some countries don't even have embassies in Thailand, so that whole back and forth into verifying a person is difficult. And remember, these freed workers have nothing. Their passports have likely been withheld by the compound bosses. And of course, those in camps just want to go home, right? And it sadly might turn out to take a lot more time than anyone ever really probably considered. But some do and have made it home, sometimes through rescues and sometimes through escape. And this includes our man X from Vietnam. He eventually made it out. He chose not to divulge his details of his escape, but he said it was an arduous journey on foot. And he's now working in his dream field of hairdressing. So here is to many more happy and speedy homecomings.

Graham

It's just unbelievable. I mean, I do believe you can't. I have read about this a bit. And it is astonishing that it has become this industrialized. And effectively, it's the same kind of gangs who may be involved in people trafficking. What I find amazing is a lot of companies that do shady business in the cyber world seem to treat their employees with some respect, I feel. You know, not all, but some. many of us outside of that part of the world are completely oblivious that this is going on. If I take a Western point of view, there's plenty of people over this part of the world who might go to those parts of Asia, for instance, on a backpacking holiday and may want to make some money while they're out there and think, oh, you know, I'd like to stay out here for a year so I'll get a job or something and could be lured in. And you can't help but think if some of those people ended up in these camps, that maybe the Western media would take a bit more interest. But of course, there are countries whose citizens are being impacted, who maybe don't have the resources of financial might and are less keen to spend the money getting their people home again.

Carole

One of the problems here is Thailand shares the border with Myanmar. Myanmar suffered last year a kind of coup. It's not a very happy and lawful place at the moment. It's not a place you'd go on holiday or backpacking. No. But Thailand is. And it seems that they use Thailand as a lure and then sneak them over into Myanmar. So Thailand is saying it is trying to deal with the borders. I think they've even shut power off at the borders.

Graham

That's right. They've turned off the power to entire villages because they thought, how can we deal with these camps? But of course, that's going to have an impact as well.

Carole

Yeah, really fun for the innocent people that live there. Yeah. Anyway, so my cheery story for this week. You're welcome.

Graham

Data loss and downtime can be devastating to any organisation. Acronis delivers natively integrated cybersecurity, data protection and endpoint management built for managed service providers. You see, your Microsoft 365 services are only as valuable as your ability to protect client data. Are you doing all you can? With Acronis Endpoint and extended detection and response, MSPs can protect against modern threats, easily comply with modern cyber insurance requirements, all with complete protection, spanning the NIST framework and enabling MSPs with data governance, compliance, and the ability to identify, protect, detect, respond and recover from threats.

Carole

Plus, Acronis also offers MDR so that MSPs can offer their clients a fully managed service with minimal resource investment.

Graham

Designed for MSPs and IT teams to simplify security management, find out more at smashingsecurity.com slash Acronis. That's smashingsecurity.com slash Acronis.

Carole

As you know, our show often touches on complex security issues that deserve deeper exploration. That's where Threat Vector, the podcast from Palo Alto Networks, comes in.

Graham

Threat Vector offers in-depth discussions with industry leaders and security experts, provides essential insights for decision makers. Each episode delves into topics from emerging threats to innovative solutions.

Carole

Threat Vector gives listeners valuable perspectives on the evolving cybersecurity landscape, equipping them with the information needed to better protect their organizations. New episodes are released regularly on all major podcast platforms, and it is free to subscribe and listen.

Graham

So if you want timely analysis of current security trends and challenges, listen to the Threat Vector podcast. Visit paloaltonetworks.com slash threatvector to learn more and start listening today. That's paloaltonetworks.com slash threatvector.

Carole

If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.

Graham

But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance and scaling your program.

Carole

With Drata, you can automate security questionnaires, evidence collection and compliance tracking. You can stay audit ready with real-time monitoring and you can simplify security reviews with Drata's Trust Centre and AI-powered questionnaire assistance.

Graham

Instead of spending hours proving trust, build it faster with Drata. Ready to modernise your GRC programme? Visit drata.com slash smashing to learn more. That's drata.com slash smashing. And welcome back. Come and join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. My Pick of the Week this week is a font.

Carole

Like a font that you write? Yeah, yes. Like Gil Sans?

Graham

Exactly. Like Arial? It's that kind of thing. Not a font you might find in a church, but fonts you might use in your word processor or on your web page. Now, Carole, have you heard of the Scunthorpe problem?

Carole

Don't know. Remind me and I'll tell you.

Graham

So, Scunthorpe is a place in the United Kingdom. Yeah, a town. And historically, there has been a problem with the name Scunthorpe because some rudimentary spam filters have triggered on a sequence of four letters which are contained within Scunthorpe, which they consider offensive.

Carole

I did not know about this problem. That seems so lame.

Graham

It has caused big problems in the past for Scunthorpe Council when they've emailed people and other organisations. Of course, if you're in the United States, you may not know that Scunthorpe exists. And so you just be, whoa, whoa, you know, we don't like that kind of language. Now, that has been a problem. But what I want to choose as my pick of the week this week is, as I say, a font. Because I have discovered a font called Scunthorpe Sans. And what it does is it automatically redacts any rude word which you write in. So when you type in, for instance, I'm going to have to bleep this out. It will replace it with a black blob instead.

Carole

I just think if you're going to blank it out, there's no need to actually say the words to me. You know, just saying.

Graham

OK, Carole, go to the link which I've put in the show notes right here for Scunthorpe Sans. OK, this is a web page which is using this font. And there's a little box there where you can type in any smut and filth that you like. And it should, in real time, censor it. And the thing is, you could install this on your computer. Funny, it doesn't mind poop, but it doesn't like the S word. Right. Now, this font contains a special exemption for Scunthorpe because they feel that it's suffered enough. The way in which this font is working is it's taken advantage of ligatures. So in fonts, when a letter combines, so for instance, you know when you get A and E sort of squashed together in an encyclopedia or Aesop? That is a different character. So what they've done with this font is they've crunched together the letters of various rude words and they then blank them out. They then redact those letters. So it's a pretty neat little feature. So you could install this. Maybe you'd find it useful or put it on your web page if you ever wanted to do that. So my pick of the week is Scunthorpe Sans. Links in the show notes. Very good. Carole, what's your pick of the week?

Carole

So my pick of the week is a weird memoir. Weird in that it's written by a person who could be categorized as a sociopath.

Graham

Oh, yes.

Carole

So ever since she was a small child, Patric Gagne says she knew she was different. Although she felt intense love for her family and her best friend, these connections were never enough to make her be good or to reduce the feelings of apathy and frustration. So she hits her teens and 20s. Her behavior escalates from petty theft through to breaking and entering, stalking and worse. And only as an adult, she realizes that she is, in fact, a sociopath.

Graham

Oh. So in a few pages in the book, she writes, I'm a liar. I'm a thief. I'm emotionally shallow. I'm mostly immune to remorse and guilt. I'm highly manipulative. I don't care what people think. And she's now a PhD, having studied sociopathy in her life and has written this memoir. I found it fascinating to experience because, of course, I had it as an audiobook and it was read by the author, which gives you a little extra, you know, when you have the author read the thing and it's a memoir. How many of them has an HP printer? Because that could have driven them to it, couldn't it? Well, I know more than 20 people. And my question is, am I hanging out with one and don't even know it? Have you put them in an ordered list? Just count them down. I should make you start doing that. So there you go. That's my book, my pick of the week. Sociopath, a memoir by Patric Gagne. Fantastic. Now, Carole, you've been chatting to the chaps at Acronis this week, haven't you?

Carole

Yes, CISO Gerald Beuchelt, he talks about security strategies and how to get the boss to buy in. Check it out. So, Smashing Security listeners, today we are speaking with Gerald Beuchelt. He is the Chief Information Security Officer, or CISO, at Acronis. Now, Gerald is a recognized thought leader in the cybersecurity space, having served on multiple boards, including the National Cybersecurity Alliance and the ID.me Cybersecurity Board. And today we are going to be talking about a topic close to my heart, how to get the bosses to see the need for improved security strategies. So welcome to Smashing Security, Gerald.

Gerald Beuchelt

Thank you so much. And thank you for having me here, Carole. I really appreciate it. Like you, this is a topic that is very close to my heart. And I actually believe it's close to everyone's heart who's working in security. I can't recount the many times we've been discussing over the last 20 or 30 years how security is going to get a seat on the big table.

Carole

Right. Oh, I can't wait to get into all this. But first, let's maybe learn a little bit about you. So how did you end up being the CISO at Acronis?

Gerald

The journey of my life, essentially, right? I started out in pre-sales at Sun Microsystems way back in the days, which, by the way, was a wonderful company, but it was also a most excellent experience that I still draw from today. Having had the opportunity to work with salespeople in the sales field, it does give you a completely different perception point on what is important and why we're doing certain things the way we're doing them. I actually went over to MITRE for those who are familiar with the MITRE framework, really got sucked into security in that role. It is exciting, I mean come on, it's awesome, it's fantastic. It was a lot of government work though and guys we all know government work can be sometimes a little bit slow. So I got the itch and decided that I wanted to do something different. Took a couple of different roles in public companies as CISOs for Demandware. I was working with different companies, with different boards, different executive teams in order to really drive security across the board. I ended up here at Acronis. I think there's a lot of good fun things that come with that for me as a CISO. Working as a CISO at a security company is definitely something that's particularly exciting for a number of different reasons.

Carole

Totally. And you really are perfectly positioned to help us understand the importance of getting boss buy-in when you're trying to protect any organization from the plethora of insider and external threats out there. Because of course they hold the purse strings, right? I mean, they're the ones really with the money. Or is that unfair of me to say that?

Gerald

No, no. I think it's fair. If we do security, we do that with a particular purpose. I remember a discussion, why are we doing security? The answer I got from that particular person was, well, we're doing security because of security, which in my mind is probably the worst answer you can give. Because at the end of the day, this is not an end to itself. This is something that we really need to contextualize in the larger mission of the particular organization we're in. And when we do that, it becomes a lot easier to put yourself into the shoes of some of your peers, some of your bosses, in order to drive understanding for the program.

Carole

Well, I'm going to warn you now, I'm going to ask you in a moment about strategies that you can share with our listeners on how they can deal with this. But maybe first you can tell us what typically goes wrong in your experience. So I'm imagining you've got a team of people in security or in IT that have an idea in their head of where they want to go, but it falls over, it falls down somehow.

Gerald

There are so many things that can go wrong, but some of the cardinal sins.

Carole

Yes, that's what we want.

Gerald

So I mean, even there, there are so many different things that can go wrong from that end as well. What I found is, to some extent, learned through the School of Hard Knocks, being too deep into your technology, being too deep into your vernacular, being too deep into security. When you talk to other leaders, when you talk to the board, when you talk to peers in some form or another, because at the end of the day, you're the specialist. You're the one who everybody else looks towards for managing that security thing or dealing with that security thing in some form or another.

Carole

Okay, so let's get to the meat here. What strategies can you share with our listeners who may have a plan, but are also nervous about facing the C-suite?

Gerald

The first and most important thing is really to understand the organization that you're working for. And what those organizations' goals are. If you have a company, if you have a nonprofit organization, if you're a part of the government, you typically have a mission, right? For companies, it's simple — it's usually to make money in meaningful ways. Nonprofits and governments can sometimes be a little bit different.

Carole

I love that because bosses always understand risk, right?

Gerald

100%, yeah.

Carole

Yeah, so you're using their language. I think that's very clever. And then you're using the risk concerns to back up your purchasing or your security strategy posture.

Gerald

Yeah, it turns into a balancing act between the different kind of risks that you identify from the security side versus other risks as well. Now, what's important in this kind of context is to really understand the risk hierarchy that you want to look at. You can formulate risks at a very, very technical level, right? What is the risk of not patching a particular vulnerability within SLA, but having 15% of vulnerabilities of a certain concern level, not patched, etc. Those things are not really risks that are useful, right? That really does not help you to communicate to other leaders what your concerns are. What is much more interesting is what is the current overall risk of a data breach. You can think about a risk such as business discontinuity. What is the risk, essentially, that we would associate with the company not being able to conduct business due to a security incident?

Carole

That'll make the bosses pay attention.

Gerald

That's exactly what they pay attention to. So you really want to formulate your risks that you use to communicate with those leaders in a way that makes sense to them. And that means thinking about the enterprise, thinking about the goal of the enterprise and how you get there, instead of thinking about where you want to patch something or run a penetration test or something similar.

Carole

And you know what? My father was a doctor, right? So he had loads of doctor vernacular he used all the time if he was talking about something medical. And often as kids, we were completely lost. We had no idea what he was talking about. I was thinking about that when you were speaking. And it's basically, he didn't really judge his audience very well. It seems to come down to that, you know, that the fact that we were eight or something, we couldn't understand his language, and we didn't understand the concerns. So basically the warning he was giving us just bypassed us.

Gerald

I know exactly what you mean because my dad was actually also a doctor. He tried to explain things sometimes, but it's obviously sometimes much more comforting to speak in the language that you're used to because you can communicate faster, you can communicate more precisely, and you don't risk quite as many questions coming back at you.

Carole

Yeah, I couldn't agree more. Do you see any of this changing anytime soon? I think no. I mean, this will be going on forever, but let me hear what you have to say, see if I'm wrong. Do you have anything to add because we're fast running out of time? I could listen to this all day.

Gerald

Oh, I love this. I love talking about this in general. There's a couple of key things that I really would love people to take away from this. Number one would be to really engage with the organization that you're in but also the people that you're in. I love making a point that when looking at security, we obviously have the confidentiality, integrity and availability which is one way to slice and dice things. But the other one that is also very important to me is people, process and technology. If I look at those, every time that out of those three you got to secure the people. You got to work with people to get an understanding of what goes. Then you need to tell them what to do. That's the process, essentially. And ultimately, you deploy technology in order to make it efficient, to have force multipliers, or to unlock new capabilities. But without people on board, you end up being in a situation where it really doesn't help you moving forward. And I think that's pretty critical. The other thing is to truly understand the landscape that you're operating in. And that includes essentially also the threat landscape. Are you defending your organization against script kiddies who occasionally try to download Metasploit and try the latest scripts that they can find or are you dealing with in the worst case a nation state level adversary which you will probably not fully be able to defend against anyways? That really drives a lot of the decision making down the road, a lot of the assessments with regards to what is important for your organization or not. But that's one of the ways where I'm really happy working for Acronis. We have an excellent threat research unit that also provides publicly accessible intel on that. It's really good for us, but also for the community to understand where we are. And I think that's pretty important.

Carole

Absolutely. I couldn't agree more. Acronis Threat Research Unit, also known as TRU, this team of cybersecurity experts specializes in threat intelligence, AI and risk management.

Gerald

Thank you, Carole. It was wonderful. And looking forward to chatting again sometime.

Carole

Brilliant. Thank you.

Graham

Fascinating stuff. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts.

Carole

And thank you to our episode sponsors, Acronis, Drata and Palo Alto Networks. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 405, six episodes. Check out smashingsecurity.com. Until next time. Cheerio. Bye bye. Bye. Thank you.

Hosts: Graham Cluley, Carole Theriault

Sponsored by:
  • Acronis – Integrated cybersecurity, data protection and endpoint management built for MSPs.
  • Threat Vector – The podcast from Palo Alto Networks that gives you timely analysis of current security trends and challenges.
  • Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
