podcast

I really wanted that shed.

Joe shares the story of a woman losing her life savings to a scammer claiming to be from the FBI. Dave describes the $139 shed scam. The catch of the day is another threat of revealing compromising photos. Carole Theriault speaks with Chris Bush from ObserveIT about security threats from employee burnout.

Links to stories:

Transcript

Chris Bush: [00:00:00] We're constantly connected. And there's an expectation for the workforce to be constantly on, constantly responsive. 

Dave Bittner: [00:00:08]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:26]  Hi, Dave. 

Dave Bittner: [00:00:27]  We got some good stories to share this week. And later in the show, Carole Theriault has a story about employee burnout and how it could present a security risk. 

Dave Bittner: [00:00:35]  But first, a word from our sponsors, KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK. We exaggerate, but you know what we mean. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training. 

Dave Bittner: [00:01:15]  And we are back. Joe, you want to start things off for us this week? 

Joe Carrigan: [00:01:18]  I do, Dave. My story comes from Sarah Krouse over at The Wall Street Journal, and it's a story about a woman named Nina Belis. Nina is an oncology nurse in her 60s, and she got a phone call from the FBI. And our listeners can't see my fingers doing the air quote things here, but they are. 

Dave Bittner: [00:01:34]  (Laughter) Yeah. Yeah. 

Joe Carrigan: [00:01:34]  And of course, he sounded official on the phone, gave Nina a badge number and said her identity had been compromised. 

Dave Bittner: [00:01:40]  OK. 

Joe Carrigan: [00:01:41]  And he told Nina that her Social Security number had been stolen and that crimes had been committed under that Social Security number. 

Dave Bittner: [00:01:47]  Yeah. 

Joe Carrigan: [00:01:47]  And they were bad crimes, like drug deals and money laundering and things of that nature. And of course, the FBI agent goes, well, I know you didn't do this, so - but you've got to help us with this, right? And it's a scammer. And he convinces her to transfer her life savings to an account under the auspices of protecting the money from being lost to a scammer, right? And the whole time he's on the phone with her, he is coaching her on how to answer compliance questions at the bank and what to do and telling her, stay on the phone with me. So he's filled her mind with fear and all this other stuff. We'll get more on that later. But she transferred her life savings of $340,000 to this guy. 

Dave Bittner: [00:02:28]  Wow. 

Joe Carrigan: [00:02:28]  And I say guy, but it's probably actually an organization of people because the article goes into how it works. They left a voicemail message for her, and when she called the number back in the voicemail, she told them her name and was transferred to the scammer. So it's obviously an organization that profits from doing this. The ease with which the money was moved out of these accounts is why these scams continue to persist, according to this article. 

Dave Bittner: [00:02:53]  OK. 

Joe Carrigan: [00:02:54]  They work on people who think they won't even fall for one. And of course, we talked about this many times, but this scammer kept Nina in a state of complete isolation and, of course, clouded her judgment with all this fear about her Social Security number being used for all these illicit purposes. Law enforcement, telecommunications executives and psychologists have all paid attention to this case because it's unique in the amount of money that she's lost. Generally - I think we've talked about this - the average loss for someone, an older person, might be in the $4,000 to $5,000 range, and this is two orders of magnitude beyond that. It's big. 

Dave Bittner: [00:03:28]  Yeah. Yeah. 

Joe Carrigan: [00:03:29]  And it's an asymmetric problem. It's inexpensive for these fraudsters to make these calls out, and it's very difficult for law enforcement to trace them back and follow them all up. 

Dave Bittner: [00:03:38]  Yeah, especially these days... 

Joe Carrigan: [00:03:39]  Yeah. 

Dave Bittner: [00:03:39]  ...With all the voice-over IP stuff and all that, yeah. 

Joe Carrigan: [00:03:41]  Exactly. And that's how these guys are doing it. They're using internet-based phone calls so they can make it even appear as if they're coming from your area code or even your prefix - is what the first three digits of - after the area code, is called the prefix. 

Dave Bittner: [00:03:51]  Right. 

Joe Carrigan: [00:03:52]  There is an interesting quote in here from a psychologist who says, what's being played on is a habitual or socially-imposed reliance on people in authority. That uniform or that representation of authority, presumably, elicits trust in a situation where you might be less likely to trust. So just the fact that someone says they're from law enforcement makes you more susceptible to believe them. 

Dave Bittner: [00:04:16]  Yeah. 

Joe Carrigan: [00:04:16]  Particularly if you have this ingrained in your psyche. Now, I don't know, I tend to think that I have a lack of respect for authority. 

0:04:23:(LAUGHTER) 

Dave Bittner: [00:04:26]  OK. 

Joe Carrigan: [00:04:26]  So maybe for me, this might not be the trigger. But, you know, we've talked about what my triggers would be before... 

Dave Bittner: [00:04:31]  Yeah. 

Joe Carrigan: [00:04:32]  ...And things that would get me to fall for things. I think most of us have this inherent trust of law enforcement, particularly at the federal level. 

Dave Bittner: [00:04:40]  Yeah, I think so. I'm just trying to imagine if someone - if a police officer knocked on my front door... 

Joe Carrigan: [00:04:45]  Right. 

Dave Bittner: [00:04:46]  ...And said, hi, I need your help. Something has happened in the neighborhood. Can I ask you a few questions? I would be inclined to help. 

Joe Carrigan: [00:04:54]  Would you? 

Dave Bittner: [00:04:54]  I would, yeah. Yeah. 

Joe Carrigan: [00:04:55]  See - that whole situation terrifies me. 

Dave Bittner: [00:04:57]  (Laughter). 

Joe Carrigan: [00:04:58]  And I don't know that I would be inclined to help. 

Dave Bittner: [00:04:59]  I think a lot of people justifiably have skepticism or fear of the police. 

Joe Carrigan: [00:05:05]  Yeah. 

Dave Bittner: [00:05:05]  There's plenty of stories about why that's justified. I do not - just, you know, who I am, how I've grown up and all that sort of stuff. I guess there's a certain amount of deference, I suppose, that would be automatic in me. I am not automatically adversarial with law enforcement or people within that kind of a power position. 

Joe Carrigan: [00:05:23]  Yeah, I do not get adversarial. But I would be - and I would probably ask - the next question that would come out my mouth is, what are we talking about here? And to, I guess, assess whether or not he's looking - I don't know. I'm just always suspicious of these things (laughter). 

Dave Bittner: [00:05:36]  Yeah. But... 

Joe Carrigan: [00:05:37]  Maybe it's just me. 

Dave Bittner: [00:05:37]  Well, I mean, but in this specific case... 

Joe Carrigan: [00:05:39]  Right. 

Dave Bittner: [00:05:39]  ...This alleged law enforcement person... 

Joe Carrigan: [00:05:42]  Right. 

Dave Bittner: [00:05:42]  ...Came to her and said, I'm here to help. 

Joe Carrigan: [00:05:44]  Right. 

Dave Bittner: [00:05:44]  You're in trouble. 

Joe Carrigan: [00:05:46]  Yep. 

Dave Bittner: [00:05:46]  I'm trying to protect your money. Someone's doing all these bad things in your name. 

Joe Carrigan: [00:05:50]  Yep. 

Dave Bittner: [00:05:50]  And I'm here to make sure that all this money you spent your life saving... 

Joe Carrigan: [00:05:56]  Is protected. 

Dave Bittner: [00:05:56]  ...Is protected. 

Joe Carrigan: [00:05:57]  Right. 

Dave Bittner: [00:05:58]  And boy, that pushes a lot of buttons. 

Joe Carrigan: [00:06:00]  It does. It absolutely does. And unfortunately, the trust of the law enforcement plays into that. 

Dave Bittner: [00:06:05]  This is a pretty common scam that's making the rounds these days. It's... 

Joe Carrigan: [00:06:08]  It is a very common scam. It's actually - the article has a very interesting graph about how much it's increased in terms of reported incidences of calls and reported loss. It is paywalled, unfortunately. 

Dave Bittner: [00:06:20]  The article? Yeah. 

Joe Carrigan: [00:06:20]  But it's a really good article. It has a great graphic about the map of her conversation with the guy over time - really enlightening. If you have a subscription to The Wall Street Journal, you should definitely look at it. And I think The Wall Street Journal should make this public, like they do for some of their other long-form articles. This would be a real public benefit. 

Dave Bittner: [00:06:36]  Yeah. All right. Well, we will have a link to that in the show notes. My story this week actually comes from a YouTube video that I happened upon. This is from a YouTuber. His screen name is Gold Shaw Farm. He raises ducks. 

Joe Carrigan: [00:06:50]  OK. 

Dave Bittner: [00:06:52]  (Laughter) He's posted a video titled "The $139 Shed Scam." Now, here's how it works. You or me are on Facebook, and we're scrolling through, and some ads are going by, as they do, peppered throughout the content in these social media platforms. 

Joe Carrigan: [00:07:07]  Right. 

Dave Bittner: [00:07:07]  And an ad comes by for a shed, $139 shed. 

Joe Carrigan: [00:07:12]  Is this an ad in the Facebook Marketplace? 

Dave Bittner: [00:07:14]  No, it's just an ad, you know, a targeted ad. 

Joe Carrigan: [00:07:17]  OK. 

Dave Bittner: [00:07:17]  Yeah. Comes by, says great deal, you know, blowout sale, whatever. 

Joe Carrigan: [00:07:21]  I would like to have a shed for $139. 

Dave Bittner: [00:07:23]  Well, that is where we're going with this... 

Joe Carrigan: [00:07:25]  All right. 

Dave Bittner: [00:07:25]  ...Joe. So $139 shed. 

Joe Carrigan: [00:07:27]  See - law enforcement comes my door, I'm suspicious, but somebody offers me a nice shed for a cheap price, I'm in (laughter). 

Dave Bittner: [00:07:32]  There you go. See - we all have our things. 

Joe Carrigan: [00:07:33]  Right. 

Dave Bittner: [00:07:34]  (Laughter) So you see this shed, and you're interested in this shed, and you look around and you poke around to see what does this sort of shed go for. There are photos of it. And this is usually a shed that's much more expensive than this. 

Joe Carrigan: [00:07:46]  It's a nice shed. 

Dave Bittner: [00:07:46]  It's a shed that goes in hundreds of dollars - it's a quality shed. And so you click through to the website. Everything looks legit on the website - lots of legalese and things about shipping and setup and return policies and so on and so forth. And so you decide, all right, I'm going to buy myself this $139 shed, yeah. Where can I go wrong? 

Joe Carrigan: [00:08:08]  Yeah. What could possibly go wrong? Yeah. 

Dave Bittner: [00:08:09]  So you order the shed. And almost right away, within 24 hours or so, you get an email that says, good news - your shed has shipped. It's coming from China, as things do these days. 

Joe Carrigan: [00:08:22]  OK. 

Dave Bittner: [00:08:22]  It's on a boat. It's going to take probably a couple weeks to get there. But it is on the way, and here's your tracking information for your new shed. 

Joe Carrigan: [00:08:30]  Ah, OK. 

Dave Bittner: [00:08:30]  So everything's going great so far. You're just imagining your lawn mower safe and sound inside of this... 

Joe Carrigan: [00:08:36]  Get it out of garage and into the shed, yes. 

Dave Bittner: [00:08:37]  ...Handy new shed. Yes, you're going to be a hero. 

Joe Carrigan: [00:08:40]  (Laughter). 

Dave Bittner: [00:08:40]  So some time passes, couple weeks go by, and you've been keeping an eye on your tracking link. And sure enough, your shed is on the way. You can see it. And then you get a package in the mail, and it is not a shed. 

Joe Carrigan: [00:08:54]  (Laughter) Is it a model of a shed? 

Dave Bittner: [00:08:56]  It is not a model of the shed. It's probably nothing looking or related to a shed at all. Might be a couple pieces of plastic or some industrial parts or a couple of bolts or something or - but it is most definitely not a shed. 

Joe Carrigan: [00:09:10]  OK. 

Dave Bittner: [00:09:10]  In fact, it is a small box, most likely without a shed. So you think, uh-oh, this is not good. 

Joe Carrigan: [00:09:17]  Right. 

Dave Bittner: [00:09:17]  Where's my shed? 

Joe Carrigan: [00:09:18]  This just doesn't look like a shed. I can't even make a shed out of this. 

Dave Bittner: [00:09:20]  (Laughter) Right. Exactly. This isn't even, like, an IKEA shed where I have to put it together myself. So you contact the folks who sold you the shed. And they say, oh, my goodness, I'm - we're so sorry. This is terrible. We must have made a mistake in shipping. We will now ship you your shed. 

Joe Carrigan: [00:09:38]  Right. 

Dave Bittner: [00:09:38]  It's going to take a couple more weeks, but your shed is on the way, rest assured. 

Joe Carrigan: [00:09:42]  Now, how much time has passed already? 

Dave Bittner: [00:09:43]  Probably about three weeks. 

Joe Carrigan: [00:09:44]  OK. So what's happening? Can I guess what's happening? 

Dave Bittner: [00:09:47]  You sure can. 

Joe Carrigan: [00:09:48]  What's happening is they are slowing this transaction down so that your time to contest the transaction has elapsed. 

Dave Bittner: [00:09:54]  Precisely right, Joe. Precisely right. 

Joe Carrigan: [00:09:56]  All right. I see where this is going. 

Dave Bittner: [00:09:58]  (Laughter) So a couple more weeks go by, nothing shows up, and you try to get back to these people. And chances are they may even be gone at this point. 

Joe Carrigan: [00:10:06]  Right. 

Dave Bittner: [00:10:06]  But they are no longer going to be responsive. So you go to your credit card company and you say, hey, I'd like my $139 back. And they say, well (laughter), it's been a couple of months now. 

Joe Carrigan: [00:10:17]  Right. 

Dave Bittner: [00:10:18]  I'm sorry. This is between you and the company. 

Joe Carrigan: [00:10:20]  Yep. 

Dave Bittner: [00:10:20]  We can't get involved with this anymore. 

Joe Carrigan: [00:10:22]  Yeah, you should've let us know within the 60-or-whatever-day period. 

Dave Bittner: [00:10:24]  Whatever the limit is, yeah, they've exceeded that. And of course, the company itself is not responsive. They're overseas and might not even be where they used to be. Their website might be gone. 

Joe Carrigan: [00:10:34]  Yep. 

Dave Bittner: [00:10:35]  So you're out your $139. You probably think to yourself, well, that was a tough lesson learned. 

Joe Carrigan: [00:10:41]  Yep. 

Dave Bittner: [00:10:41]  But it's not a huge amount of money, either. 

Joe Carrigan: [00:10:43]  It's not. 

Dave Bittner: [00:10:44]  So your chances are you're not going to go to the ends of the earth. You're not going to order a plane ticket and go over and confront these people in person... 

Joe Carrigan: [00:10:52]  No. 

Dave Bittner: [00:10:53]  ...For $139 (laughter). 

Joe Carrigan: [00:10:53]  That would cost way more than $139. 

Dave Bittner: [00:10:55]  Exactly. Exactly. So at the end of the day, you're probably just going to give up and chalk it up to learning a hard lesson... 

Joe Carrigan: [00:11:03]  Yep. 

Dave Bittner: [00:11:03]  ...A $139 lesson. 

Joe Carrigan: [00:11:05]  Yep. 

Dave Bittner: [00:11:05]  And you don't get your shed. 

Joe Carrigan: [00:11:06]  Yes. Sad. 

Dave Bittner: [00:11:07]  So - it is. 

Joe Carrigan: [00:11:08]  I really wanted that shed, Dave. 

Dave Bittner: [00:11:10]  (Laughter) Couple things - yeah, and now your wife's mad at you because the lawn mower's still in the garage. 

Joe Carrigan: [00:11:14]  (Laughter) Right. 

Dave Bittner: [00:11:14]  So a couple of things I thought worth noting here - the online component of this, that these folks are able to precisely target likely shed-purchasers via Facebook. 

Joe Carrigan: [00:11:27]  Right. Well, that's part of the Facebook business model. 

Dave Bittner: [00:11:30]  Exactly. 

Joe Carrigan: [00:11:30]  Facebook knows that you have a house with a yard in it. 

Dave Bittner: [00:11:33]  Right. Or you're a farmer. Or like this guy who made this YouTube video, he has a small farm. He raises ducks. 

Joe Carrigan: [00:11:39]  Right. 

Dave Bittner: [00:11:39]  He has a lot of sheds. 

Joe Carrigan: [00:11:40]  Yes. 

Dave Bittner: [00:11:41]  So they're able to efficiently go after potential marks. 

Joe Carrigan: [00:11:46]  Right, thanks to Facebook. 

Dave Bittner: [00:11:47]  Thanks to Facebook. Yeah. 

Joe Carrigan: [00:11:48]  Yay. 

Dave Bittner: [00:11:49]  Another thing - part of this is, to me, I wonder how much this is almost like gambling. In other words, if you were going to go buy a $139 shed... 

Joe Carrigan: [00:11:59]  Right. 

Dave Bittner: [00:11:59]  ...And you went and you did your homework, and you saw this shed normally goes for $800, and it usually costs - I don't know - $139 just to ship it... 

Joe Carrigan: [00:12:08]  Yeah. 

Dave Bittner: [00:12:09]  ...You're going to be skeptical. At the same time, $139 - you might... 

Joe Carrigan: [00:12:14]  I could see a shed that would normally cost $800 - or something that normally costs $800 coming out of China for $139. 

Dave Bittner: [00:12:20]  But I'm thinking something in your mind might say, you know what? I'm going to roll the dice here. 

Joe Carrigan: [00:12:24]  Right. Yeah. 

Dave Bittner: [00:12:24]  This is - I'm going to gamble. In the back of your mind, you're probably thinking, this is too good to be true. 

Joe Carrigan: [00:12:29]  Yeah. 

Dave Bittner: [00:12:29]  But it's not a whole lot of money, right? 

Joe Carrigan: [00:12:31]  Right. 

Dave Bittner: [00:12:31]  I mean, in the grand scheme of things... 

Joe Carrigan: [00:12:33]  And it's a bet I've got to take because what if I actually do get a shed? 

Dave Bittner: [00:12:36]  What if I get this great - what if it turns out - yeah. And you can just picture yourself (laughter) with this brand-new shed. 

Joe Carrigan: [00:12:43]  Standing next to a shed. 

Dave Bittner: [00:12:43]  Right. Standing next to your new shed, yes. Your wife... 

Joe Carrigan: [00:12:46]  Confetti falling down. 

Dave Bittner: [00:12:47]  Yes, your wife's swooning... 

Joe Carrigan: [00:12:49]  (Laughter) Right. 

Dave Bittner: [00:12:49]  ...Because of how masculine you look standing next to your brand-new shed. And also, she's so happy because with all the money you've saved... 

Joe Carrigan: [00:12:56]  Right. 

Dave Bittner: [00:12:57]  ...Now there's many other things that you can - you can go on a lovely vacation. 

Joe Carrigan: [00:13:01]  Like a second lawn mower. 

0:13:02:(LAUGHTER) 

Dave Bittner: [00:13:02]  Exactly. That's probably not what she has in mind. But - so I don't know. It just struck me as an interesting one. There's a lot of components here... 

Joe Carrigan: [00:13:10]  There are. This is a... 

Dave Bittner: [00:13:10]  ...That make this scam work. 

Joe Carrigan: [00:13:12]  This is a good one. It's an interesting business model for the scammers. What really strikes me as a standout thing here is that they send you something. So they incur some kind of cost. Probably not a big cost; it'd probably cost them $5 to send that to you, maybe another $5 to ship it. Actually, I'll bet - I will bet that it cost them nothing to get those parts. 

Dave Bittner: [00:13:29]  Yeah. 

Joe Carrigan: [00:13:29]  That, essentially, what this is, is a way for people to move garbage out of China into the U.S.... 

Dave Bittner: [00:13:33]  (Laughter) Right. They're sending our recycling back to us. 

Joe Carrigan: [00:13:34]  ...And making them pay for it. (Laughter) Right. 

Dave Bittner: [00:13:37]  (Laughter) Yeah. Yeah. 

Joe Carrigan: [00:13:40]  Very clever, very clever indeed. 

Dave Bittner: [00:13:42]  Yeah, I think so. So if you're out and about on social media and you're in the market for a shed, be mindful. 

Joe Carrigan: [00:13:48]  Yes. 

Dave Bittner: [00:13:50]  (Laughter) As always, if it seems too good to be true, it probably is. 

Joe Carrigan: [00:13:54]  It probably is. 

Dave Bittner: [00:13:54]  And it seems like this one is not worth gambling on. So go buy your shed locally (laughter). All right, that is my story. It is time to move on to our Catch of the Day. 

0:14:06:(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:14:09]  Joe, our Catch of the Day actually came to me. 

Joe Carrigan: [00:14:12]  This is something that arrived in Dave's inbox. 

Dave Bittner: [00:14:14]  Came to my inbox. I was actually surprised to see it because, you know, many things don't make it through to your inbox these days. 

Joe Carrigan: [00:14:21]  Yeah, a lot of spam gets filtered out. 

Dave Bittner: [00:14:22]  Yep. Yep. But this one did so - this is a good one. It goes like this. 

Dave Bittner: [00:14:28]  Good evening. We made a data processing seizure for act of pornography, perverse and procuring pedophile on the computer network. This constitutes an infringement on the computer network and an offense punished by the law within sight of Article 706-35-1 and 706-47-3 of the Criminal Procedure Code. It should be known that we have just undertaken deepened information. We have in our possession several evidence concerning your infringement. I make a point of telling you that this is not a joke, if you do not take account of it, as you think it, knowing you adopted attitudes in pornographic matter with minor. Those laws prohibit that. For your good and your family, we make a point of telling you to return in contact with our legal institution. We are in charge of this business. As a person in charge, like you, I advise you not to flee your responsibilities. I am not there to blame your reputation and harm your life. But if you force me, I will be obliged to proceed by the strong manner. In order to put your naked photographs on the table of the ambassador, like all parts justifying your incrimination, with respect to this business, so that a legal proceeding is launched against you, whose gendarmerie of your city will undertake your arrest for a firm judgment. Your information will be put on the net and will be transmitted to the press for the publication of your photographs. P.S. - your colleagues will be with the perfume of what you do on the net with the minor ones... 

Joe Carrigan: [00:15:38]  (Laughter). 

Dave Bittner: [00:15:38]  ...Because they will have your naked photographs on the net. They will have access to your information. Please receive our best greetings. Byrgen (ph) Stock Bureau Dechief (ph) Brigade. 

Dave Bittner: [00:15:48]  Joe, I'm in big trouble (laughter). 

Joe Carrigan: [00:15:49]  Yeah, you are. I can already smell the perfume from here, Dave. 

0:15:55:(LAUGHTER) 

Joe Carrigan: [00:15:55]  This is obviously something that went through a translation engine. 

Dave Bittner: [00:15:58]  I don't know what a gendarmerie is. I guess it must have been French at some point, I guess. 

Joe Carrigan: [00:16:01]  It's French police. 

Dave Bittner: [00:16:02]  OK. 

Joe Carrigan: [00:16:03]  Yep. 

Dave Bittner: [00:16:04]  All right, very good. 

Joe Carrigan: [00:16:04]  It's actually a French police station. 

Dave Bittner: [00:16:07]  Ah. All right. Well, a good one. Not worth a whole lot of time. Pretty straightforward what they're after here. 

Joe Carrigan: [00:16:12]  Right. 

Dave Bittner: [00:16:13]  But I did not reply. 

Joe Carrigan: [00:16:14]  You did not? 

Dave Bittner: [00:16:14]  (Laughter) I did not. Right to the trash bin, this one went. 

Joe Carrigan: [00:16:17]  Away you go. 

Dave Bittner: [00:16:18]  Away it went. All right, that is our Catch of the Day. Coming up next, Carole Theriault has a story about employee burnout and how that could present a security risk. 

Dave Bittner: [00:16:27]  But first, a word from our sponsors, KnowBe4. And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:17:32]  And we are back. Joe, Carole Theriault has a story for us. Always great to have her back on the show. She speaks with Chris Bush. He is from ObserveIT. He's been on our show before. And they're talking about employee burnout and how that can lead to security risks. Here's Carole Theriault. 

Carole Theriault: [00:17:49]  So we keep hearing about employees burning out - long hours, constant connectivity, intense monitoring of online and offline activities. I mean, it's exhausting just thinking about it. Now, I've invited Chris Bush, CISO at ObserveIT, to help us better understand how employee burnout could be affecting companies across America. Chris, first, thank you so much for joining us today. 

Chris Bush: [00:18:10]  It's my pleasure. 

Carole Theriault: [00:18:11]  So now, talk to me about burnout. Apparently, even the World Health Organization has it now classified as a bona fide syndrome. 

Chris Bush: [00:18:19]  Yeah, it's quite prolific. And I think we're seeing this today, and you mentioned it - you know, we're constantly connected. And there's an expectation for the workforce to be constantly on, constantly responsive. With the increased digitization comes this expectation of always on and always operating. That human element has been decreased in the workforce, right? It's, like, work, work, work, get things done. I'm sending emails at 1:00 a.m. Why aren't you responding at 1:10?

Carole Theriault: [00:18:45]  Yeah. I mean, I think the thing that I've noticed throughout my career - like, when I started, we had to basically man the landline and email, right? And then mobiles and text messages came along, and then all the apps. 

Chris Bush: [00:18:57]  Right. 

Carole Theriault: [00:18:57]  And now there's hundreds you have to monitor. 

Chris Bush: [00:18:59]  Not only monitor, but the expectation - you know, as I said, the expectation of always being armed and ready, so to speak, to respond. 

Carole Theriault: [00:19:08]  Are we seeing this having any impact on business operations? I mean, surely it must. 

Chris Bush: [00:19:13]  So one of the primary risks or indicators or threats with kind of the insider situation - so we're certainly seeing increase in insider threats - right? - to the point where Verizon has carved it out as a primary thing to be looking at. But one of the factors there is this accidental insider threat, right? It's - it means that it's really not malicious; it's people making mistakes. 

Chris Bush: [00:19:37]  You know, you have folks who are trying to meet the demands of the work that's been imposed on them, and their jobs, the business, constantly being connected and operating, and they're trying to operate at 200%, and they're trying to be as efficient and effective as possible, so they're taking shortcuts. They may be, you know, bypassing controls that have been put in place just to get the work done, or now the perimeter has disappeared and so now the perimeter of data and protection is in the employees' hands. They're taking their work home, so they're dropping their work on USBs. And if a company doesn't have a good security capability to monitor that, you don't know where that data's going. So this is how you end up with breaches, misconfigurations, people working long hours and misconfiguring things, right? And the data's out there. 

Carole Theriault: [00:20:24]  You know, it's interesting. It's kind of like a push-me, pull-you - the idea of security and productivity. So if the employee is constantly focused on produce more in less time, use less resources, get the job done, they are, of course, in their brain, going to start looking for shortcuts. And they may not know enough about security, for example, or information security to even think that that shortcut actually harms the company and lowers the whole risk profile of the organization. 

Chris Bush: [00:20:51]  That's right. And if you look at the Verizon data breach investigations report, which I mentioned earlier, they attribute 30%, so approximately one-third of the insider incidents, related to these employee errors, which I would attribute to this burnout and exhaustion, disengagement that employees are experiencing today. 

Carole Theriault: [00:21:11]  Right. So you think that the fact that people are being driven too hard is actually having a direct impact on the security profile of an environment or an organization. 

Chris Bush: [00:21:21]  Absolutely. Absolutely. I would say there's a direct correlation to the added stress. 

Carole Theriault: [00:21:26]  And what can employers do about this? I mean, this is - you know, it could be scary for normal employers thinking, look - my job - I've got serious competitors out there. I need to drive my lean company as hard as I can to stay alive, to stay afloat. 

Chris Bush: [00:21:39]  Yeah. What organizations need to do, in my opinion, is not make it a security issue. I mean, everybody expects the CISO to be talking about security issues. I think it has to go deeper into the organization. It has to affect the culture and the operations of the organization deeply. So you have to engage your HR leaders, your finance leaders. They all have to be in tune and be speaking the same thing, and that's really focusing on connecting the dots between the employees' well-being and being security-aware. And the good news is companies are starting to take proactive steps to address this and kind of rise to this challenge, but it's a lot of work because it literally takes a village. 

Carole Theriault: [00:22:21]  So what are the steps you're seeing companies take at the moment? 

Chris Bush: [00:22:24]  It varies, depending on the resources and the size of any organization. When you see kind of your Fortune 500 companies take an approach, they'll add an employee assistance programs to their workforce, where employees have an outlet with HR, with their managers to have conversations and communicate often about the stresses at work. These large organizations have the opportunity to put these, you know, programs in place to relieve employees from stress, which ultimately reduces the potential for an insider event. 

Chris Bush: [00:22:54]  But you're seeing smaller companies also engaging in opening up lines of communications for organizations. Comes down to communicating frequently, giving your employee base an avenue to have these conversations about how they're feeling at work. You're trying to relieve the emotional impact that the stress is having on an employee. And you're starting to see these programs pop up even in small- and mid-sized companies. So that's important. 

Chris Bush: [00:23:19]  Also, having good policy and procedure in place that's human readable - right? - making sure that companies are writing their policy and procedures in a way that the employees can understand them and digest them and live by them. Traditionally, organizations write policy and procedure for lawyers, not for employees. So having good, clear, understandable policies and procedures for your employee base is important, and we're starting to see kind of a shift there in how these things are written. 

Carole Theriault: [00:23:48]  I imagine it's quite hard for your typical employer as well because it's only been - what? - a decade or 15 years that technology has really spiked in terms of how easily it would be to get in touch with your employee out of hours. I mean, you just easily can send a text or give a phone call. So it makes sense to me that employers would naturally try and take advantage of that a little bit. But actually, the end result of that whole environment is that you've got disgruntled, burnt-out employees. Productivity and stress don't have to be aligned; you can have a very productive, happy workforce, presumably. 

Chris Bush: [00:24:23]  A lot of people forget many of us work for organizations, you know - whether there's 100 people or 100,000 people - but no matter what size, the organization tends to stop at your manager, right? It's like, your perception of the organization is what your manager is essentially kind of revealing and portraying to you, as the employee. And so making sure that your managers and your directors and your vice presidents, you know, all the way up the chain, are well versed in kind of the issues that exist and how to, at a - even at a high level, how to address them with their employee base is key. So it's - clear communication and support at that level really will go a long way in the general population and employee base of an organization. 

Carole Theriault: [00:25:10]  And all go a long way to actually make it a more secure environment as well, right? 

Chris Bush: [00:25:14]  Right. Ultimately, right, this can all translate into some sort of an event within the organization - a breach, whether action or malicious. And having the ability to reduce that is key, whether it is in these kind of more soft areas or with technology and policy and procedure. You kind of take that holistic approach to reduce your threats and risks. 

Carole Theriault: [00:25:37]  Thank you, Chris, for joining us on "Hacking Humans." 

Chris Bush: [00:25:41]  It's my pleasure. 

Carole Theriault: [00:25:42]  The takeaway is pretty clear - if you're pushing your employees too hard, they may start making mistakes that can impact your security. And to me, this is a bit of a no-brainer. In 2018, money and work were the top two sources of stress, according to the American Psychological Association. And recently, we've been hearing about Microsoft trialing the four-day workweek in their research lab in Japan. And guess what they found? A happier and more productive workforce. Dare I say it, I imagine they were more secure as well. 

Chris Bush: [00:26:12]  (Laughter). 

Carole Theriault: [00:26:12]  Anyway, it's food for thought. That was Chris Bush, a CISO at ObserveIT. And this was Carole Theriault for "Hacking Humans." 

Dave Bittner: [00:26:22]  Joe, what do you think? 

Joe Carrigan: [00:26:23]  Interesting. The Verizon report said that the accidental insider threat is responsible for one-third of the breaches, which is - I find remarkable. 

Dave Bittner: [00:26:31]  Yeah. 

Joe Carrigan: [00:26:32]  One-third are accidental breaches. Chris talks about people using USBs to take work home, that you don't know where that data's going. Not only that - you really don't know where those USBs have been. 

Dave Bittner: [00:26:41]  Yeah. Yeah. 

Joe Carrigan: [00:26:41]  You know, that's kind of a vector for getting a lot of things on to a network that might be even air-gapped. 

Dave Bittner: [00:26:46]  Yeah. Well, I mean, what strikes me, though, even more than the specific device, like the USB device... 

Joe Carrigan: [00:26:51]  Right. 

Dave Bittner: [00:26:51]  ...This whole notion that all this work is taking place outside of the moat, right? 

Joe Carrigan: [00:26:56]  Right. Yeah. 

Dave Bittner: [00:26:57]  (Laughter) Outside the castle walls. And so you don't have the - necessarily have those security things in place that you have to protect your business. 

Joe Carrigan: [00:27:07]  Right. 

Dave Bittner: [00:27:07]  But that's the shape of things these days. 

Joe Carrigan: [00:27:08]  It is, unfortunately. Security does have to be part of the organization's culture. I can't agree with that more. It has to be part of what we do. And to that point, Chris also points out that policies and procedures are no good if people can't or won't read them. Don't write these things for attorneys, right? 

Dave Bittner: [00:27:27]  (Laughter) Right. 

Joe Carrigan: [00:27:27]  Write them for the people who are going to be implementing them - almost like a work instruction, really. It's got to be written at that level. It shouldn't be written so that somebody without a law - you don't have to have Ben Yelin sitting here telling you what this means. 

Dave Bittner: [00:27:39]  (Laughter) Right. Right. Right. Yeah, I think that's so important. And it also strikes me that you need to keep those lines of communication open, but you have to encourage communication when it comes to these things. In other words, not just say to your employees, hey, are you using all the security things that we have in place? Make sure you're checking in and saying, is there anything that's getting in the way of you getting your work done? 

Joe Carrigan: [00:28:00]  Yeah. 

Dave Bittner: [00:28:00]  Is there anything that's just a big, old pain in the butt? 

Joe Carrigan: [00:28:03]  Yep. 

Dave Bittner: [00:28:03]  You know, if there's something we could do to improve your workday, to make things easier, what could we do? And if they start coming up and saying, you know, these security things are really slowing me down... 

Joe Carrigan: [00:28:14]  Yeah. A security solution that gets in the way of work is - you're running the risk of that being circumvented. 

Dave Bittner: [00:28:20]  Yes. Yes. 

Joe Carrigan: [00:28:21]  You know, one my favorite stories that I've told many times on this show and other shows is that there was a hospital who had a duty nurse whose job was to go around and wiggle the mice on the computers so that the machine wouldn't lock. 

Dave Bittner: [00:28:31]  Right (laughter). 

Joe Carrigan: [00:28:31]  So that when somebody needed to walk up to it, it was available for use and they didn't have to waste time logging in. The part of their work procedure became circumventing the security practice (laughter). 

Dave Bittner: [00:28:41]  Right. Right. And because there was a greater need. 

Joe Carrigan: [00:28:43]  Right. 

Dave Bittner: [00:28:44]  The doctors had to access... 

Joe Carrigan: [00:28:45]  Absolutely. 

Dave Bittner: [00:28:46]  ...The computers to save lives (laughter). 

Joe Carrigan: [00:28:48]  In a hospital, if your security solution gets in the way of providing health care, it's out the door. 

Dave Bittner: [00:28:52]  Yeah. 

Joe Carrigan: [00:28:52]  It's gone. 

Dave Bittner: [00:28:53]  Yeah. 

Joe Carrigan: [00:28:53]  That's not so life and death - literally, life and death - in regular businesses that aren't medical businesses. But in a hospital, it is. 

Dave Bittner: [00:29:01]  But it could be the life or death of your company. 

Joe Carrigan: [00:29:03]  Yeah. 

Dave Bittner: [00:29:03]  A security breach... 

Joe Carrigan: [00:29:04]  Yes. 

Dave Bittner: [00:29:04]  ...Big enough - type thing. 

Joe Carrigan: [00:29:05]  Oh, absolutely. A security breach can end your company. 

Dave Bittner: [00:29:08]  Yeah. 

Joe Carrigan: [00:29:08]  Especially small business. Sometimes when I give talks, I say, name for me some data breaches, and people always say Target, Equifax - all these things. But nobody ever says the Broadway Grill - right? - which was a small business that was put out of business by a carder from Russia who had compromised their point-of-sale system and was harvesting cards. And they got sued by the cardholders and the card companies, and they had to shut down. 

Dave Bittner: [00:29:30]  Right. 

Joe Carrigan: [00:29:31]  Nobody ever talks about them. 

Dave Bittner: [00:29:32]  Yeah. Well, I think this is really a good food for thought here. If you're someone who's responsible for these things in your organization, it's good to take stock and make sure that you're not inadvertently causing some potential security situations by just trying to do the right thing. 

Joe Carrigan: [00:29:48]  Right. 

Dave Bittner: [00:29:48]  All right. Well, thanks to Carole Theriault for bringing this story to us. Thanks to Chris Bush from ObserveIT for being on the show again. And we want to thank all of you for listening. That is this week's show. 

Dave Bittner: [00:29:59]  We want to thank our sponsors, KnowBe4. Their new-school security awareness training will help you keep your people on their toes, with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. 

Dave Bittner: [00:30:16]  We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:30:38]  And I'm Joe Carrigan. 

Dave Bittner: [00:30:39]  Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4 Logo
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire