Hacking Humans 11.19.20
Ep 125 | 11.19.20

The public's expectations are changing.

Transcript

Bill Coletti: I think what we're seeing now is that as companies are getting better, the public's expectations are changing.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Bill Coletti. He's a crisis communications and reputation management expert at a company called Kith, and he's author of the book "Critical Moments: A New Mindset for Reputation Management" (ph). 

Dave Bittner: All right, Joe, let's kick things off with some stories this week. I'm going to start things for us. This comes from a company called Egress. It's built around their 2020 outbound email data breach report. Now, Egress is a company that specializes in protecting your outbound email, so... 

Joe Carrigan: Right. 

Dave Bittner: ...They have an interest (laughter) in this report. With that in mind, they're in the business of selling you this sort of protection. 

Dave Bittner: But they hired a research company that is not them to do a survey. They interviewed 538 senior managers responsible for IT security in the U.K. and the U.S. across several vertical sectors, including financial services, health care, banking and legal. And so, really, what this report talks about is the security risks of your outbound email. 

Dave Bittner: And I don't know. I guess I don't really think about this that much - the stuff that you could inadvertently send out or get tricked into sending out. 

Dave Bittner: The other thing that fascinated me about this was that notion of when you're putting a bunch of people's names on an email, and your email client accidentally autofills someone else's name. 

Joe Carrigan: Yes. 

Dave Bittner: So it could be like, you know, I could be wanting to send, you know, Joe, my CPA, all of my financials, and it accidentally gets autofilled to Joe Carrigan. 

Joe Carrigan: Right. 

Dave Bittner: And all my financials go to you. And it's like, Dave, why'd you send me your financials, you know (laughter)? 

Joe Carrigan: What's interesting, Dave - it's funny that you mentioned this because yesterday, I noticed something in my Outlook autofill. You remember a couple of months ago, I said I got tricked by a phisher who was impersonating my boss, Dr. Dahbura? 

Dave Bittner: Yeah. 

Joe Carrigan: And I was sending my boss an email. And I started typing his name, and in the list of possible names, of possible email addresses was that phishing email address. And I'm like, I got to take that out 'cause that's... 

Dave Bittner: Yeah, that's interesting. So it - yeah, it grabbed it automatically and put it in there. 

Joe Carrigan: Yeah, it presented it as an option. It was a far-down-the-list option, but it was... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Still an option. So I've got to remove that. 

Dave Bittner: So there's a bunch of numbers here, and I don't want to get bogged down in numbers and stats and things. I mean, they talk about 93% of organizations who responded had experienced data breaches via outbound email in the past 12 months. 

Joe Carrigan: Yup. 

Dave Bittner: They reported an average of 180 incidents per year where sensitive data was put at risk. The most common breach types were replying to spear-phishing emails at 80%... 

Joe Carrigan: Yup, yup. 

Dave Bittner: ...Emails sent to the wrong recipients - 80% - and incorrect file attachments. That's interesting, too. You think you're sending one file, but you accidentally send something else. 

Joe Carrigan: Right. That's a common human error. 

Dave Bittner: Right. And that, I think, is one of the things that this report points to - is that very much of this is human error. And they talk about people being tired and stressed out. And I don't know about you, but the past nine months have been a cloud of being tired and stressed out... 

(LAUGHTER) 

Dave Bittner: ...I think, for a lot of us, as we've been... 

Joe Carrigan: Yes. 

Dave Bittner: ...Living in these - in the - you know, the pandemic situation. That's an extra mental burden on all of us. 

Joe Carrigan: It is. Absolutely. 

Dave Bittner: And so it's easy to make these mistakes. 

Dave Bittner: A couple other interesting things here caught my eye. They talked about how were the security team - how were the IT leaders likely to find out about the data breach? And 20% said they'd be alerted by the email recipient. So I send you something accidentally, and you reply and say, this is - I don't think you meant for this to go to me. 

Joe Carrigan: Right, yeah. So 20% of these end in somebody being honest and going, oops, I'll destroy all these copies for you. 

Dave Bittner: Right, right. And lucky for you that this landed on the desk of someone who's honest, right? 

Joe Carrigan: Right, exactly. 

Dave Bittner: Eighteen percent felt another employee would report it, and 24% said the employee who sent the email would disclose their error. So think about that. 

Joe Carrigan: Right. 

Dave Bittner: The flip side of that is three-quarters don't... 

Joe Carrigan: Right, yeah. 

Dave Bittner: ...Think the person is (laughter) going to (ph) disclose the error. 

Joe Carrigan: Exactly. Three-quarters of people are being like, ooh, we'll just hope nobody ever notices. 

Dave Bittner: Oh, boy. Yeah, I'm just going to whistle past this graveyard. 

Dave Bittner: And so what it gets down to is that there are tools available. And this company, Egress, happens to be one of the companies, I suppose, that sells those sorts of tools. But you can have these tools that are looking over your shoulder that are looking for patterns, you know? So it's using artificial intelligence and machine learning to say, OK, you know, once a month, Dave usually sends the financials out to his CPA. I see Dave is sending out the financials, but why would he be sending them to Joe Carrigan? That doesn't make any sense. 

Joe Carrigan: Right. 

Dave Bittner: So it could flag that and stop it and put up an extra alert, kind of, you know, check - protect you against yourself, right (laughter)? 

Joe Carrigan: Yeah, yep. This is a data loss prevention tool. There are tons of data loss prevention tools out there. And this one obviously targets email. There are probably other solutions out there like this as well. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the big things is the spear-phishing attack on HR. I've heard stories about this before, where somebody impersonates - from an external email address, impersonates the president of the company and says, I need all of our records for all of our employees, and I need you to send them to me right now. Can you do that? 

Dave Bittner: Right. 

Joe Carrigan: And the HR person goes, sure. Here you go. Here are the records. And what they've just done is committed a data breach. 

Dave Bittner: Yeah. And we've seen, I mean, I want to say probably - I don't know. Once or twice a month, we see a story over on the CyberWire where someone has - there's been a massive data breach, and it was just because an employee accidentally sent something to the wrong email address or cc'd everybody. 

Joe Carrigan: Right, yeah. That's another form of... 

Dave Bittner: You know, like one of those - one of those blunders that we've all done. 

Joe Carrigan: Right. Somebody clicked reply all with an attachment. 

Dave Bittner: Right. The last thing I want to touch on here is the impact of the breaches with what happened to the employees. If someone did - you know, accidentally did something like this, they said that employees received a formal warning in 46% of the incidents, were fired in 27% of the incidents, and legal action was brought against them in 28% of the incidents. 

Joe Carrigan: Wow. 

Dave Bittner: Yeah. 

Joe Carrigan: Legal action being brought against the employees? 

Dave Bittner: That's what it says. I don't know. I don't know how I feel about that. 

Joe Carrigan: Yeah, I don't know. First off, I'm not sure that's going to stand up. One of the things about operating a business is that you are, as the business owner and perhaps as a business organization, you are assuming the risk of your employees' behavior. I don't know that bringing legal action against an employee, or former employee in this case, probably - I don't know that you're going to get anywhere with that. I don't know. Actually, I'm not a lawyer. So what do I know? Maybe this is a good question for Ben. 

Dave Bittner: (Laughter) Right, right. Yeah, yeah. I guess one of the... 

Joe Carrigan: Maybe you guys can get into this on "Caveat." 

Dave Bittner: Yeah. One of the other take-homes here, you know, again, back to that thing about being tired and stressed out, is just check in with your employees... 

Joe Carrigan: Right. 

Dave Bittner: ...Or check in with your colleagues, your co-workers. Just, how you doing? How you feeling? Because it seems to me like, you know, giving your employees the extra time to do the things they need to do, to being easy on them, not, you know, really riding them hard right now is going to pay dividends because you're going to be much less likely to have these sort of costly mistakes happen that can happen from people being tired and stressed out. 

Joe Carrigan: Yeah, I think distraction's a big factor in a lot of these mistakes and a lot of these errors. 

Dave Bittner: Yeah, absolutely. 

Joe Carrigan: You've got to encourage your employees to slow down, take their time and focus on what they're doing. I've been making the point now for - in some of the talks I've been delivering, don't demand multitasking. When employers are looking for multitasking, they're really - they really don't want someone who can multitask. They want someone who can task switch, you know, switch between tasks and manage their time appropriately. 

Joe Carrigan: And you really want your employees working on one thing at a time and concentrating on that. You don't want them worrying about other things and having those other thought processes interfere with the actual work that they're doing. 

Dave Bittner: Right, yeah. Absolutely. All right, well, that's my story this week. We'll have a link to that report in the show notes. Joe, what do you have for us? 

Joe Carrigan: Dave, my story this week is about a fake company called Ecapitalloans. And this story came to my attention via Angie Barnett, who is with the Better Business Bureau of Greater Maryland. And the BBB has an article on their website about this company, and we'll put a link in the show notes. 

Joe Carrigan: The national Better Business Bureau received several hundred complaints from 11 states about this company, Ecapitalloans. And Ecapitalloans had an online loan application that was a little bit too personal, right? It asked way too many questions. And they would ask for information like driver's license numbers and Social Security numbers. 

Joe Carrigan: And once you applied for a loan, they would call you, and they'd say, hey, you've been approved for a loan that is, you know, $3,000, but in order for us to give you the loan, we need your banking information - you know, your routing number, account number, your banking username, your banking password and security questions for your bank account for your logon. 

Dave Bittner: Wow. 

Joe Carrigan: And they claimed that this was necessary to process the loan. The company used a phony address in Texas and was calling from a fake number based out of Texas. And they were actually also displaying - one of the things that angered the Better Business Bureau about this was they were displaying fake BBB trademarks on - you know, like BBB-approved, right? We're good. 

Dave Bittner: Right, right. Oh, dear. 

Joe Carrigan: We're all good here. 

Joe Carrigan: What's interesting is there's another site out there that lets users log complaints, but I'm not going to list that site because I'm not sure what that site is all about. But they definitely do let users log complaints. There was a common theme here that when the scammers called, they already had all the victim's details, right? 

Joe Carrigan: So it looks to me like these guys set up a webpage on the internet, and then you would enter your information as thinking you were applying for a loan. And then once they had that information, they would call you and try to scam you into giving them access to your bank account. They would try to say, OK, in order for us to process your loan, we need you to take the money we just deposited and go out and buy a gift card, right? 

Dave Bittner: Oh, really? 

Joe Carrigan: Yeah, or send us that money back with your cash app. So there are a number of people out there who have lost thousands of dollars to these guys. 

Joe Carrigan: Not only have they lost thousands of dollars, but another side effect is in three or four of these complaints I was reading, the banks noticed that this was fraudulent activity, and they shut the accounts down, which means now these people don't have bank accounts - right? - and they have to wait for the process of opening a new account. And one of the complaints - after this person had been scammed out of $1,800, the bank was asking the person, so when do you think you can get the money back to us, right? 

Dave Bittner: Oh, wow. 

Joe Carrigan: The Better Business Bureau and I have some really good recommendations here. No. 1, when you're applying for a personal loan, understand what that application process looks like. A lot of times, they really don't need your entire Social Security number. They just need the last four and your birth date. That's sufficient for a legitimate organization to find your record in their database 'cause they have the records in what's called an infile credit report system that doesn't actually hit your credit report until they actually do a hard hit. 

Joe Carrigan: But another aspect is they will almost never ask for your driver's license. They don't need that. That's something you need when you're opening a bank account. And there are reasons for that that have to do with, like, the Patriot Act and anti-money-laundering laws as well. 

Dave Bittner: Right. 

Joe Carrigan: No legitimate company is ever going to ask you to repay a loan or pay a service fee via cash app or via gift cards. That's just... 

Dave Bittner: Right, right. 

Joe Carrigan: That should be a red flag for everybody. 

Dave Bittner: Right, right. 

Joe Carrigan: If this company says, we need this paid back in gift cards, hang up. You're done. We're over here. 

Joe Carrigan: The other side of this is not only are they trying to scam people, but they've collected this information on you. Now they can do all kinds of things, especially once they have all the information like your driver's license number. Now they can go out and commit identity theft as well. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's another big concern. 

Joe Carrigan: The Better Business Bureau and this other website had a website for Ecapitalloans, and that website has now been shut down. There are no files on it. The server's still up, but the site is gone. 

Joe Carrigan: That doesn't mean this risk is gone, though. These guys are going to still be out there, and they're still going to be trying to operate. And if this scam - this scam was successful, so guess what's going to happen. There's going to be more of these scams like this one. 

Dave Bittner: Yeah. I mean, this is going to be an ongoing whack-a-mole kind of thing... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Unless somebody tracks them down and throws some bracelets on their wrists, right (laughter)? 

Joe Carrigan: Right, which is probably not going to happen because these guys are probably not operating within the United States, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So we're probably not going to get them. 

Dave Bittner: Yeah, I can imagine somebody having that emotional feeling of having that money dangling in front of you by saying, you've been approved. Congratulations. Good news. 

Joe Carrigan: Right. 

Dave Bittner: You know, you're going to get that money that you need for whatever you need it for, and all you need to do to have it is give us - just answer a few more questions, and then here it is. 

Joe Carrigan: Yup, yup. Absolutely. 

Dave Bittner: That's a tough thing to resist. 

Joe Carrigan: It's like that sunk cost fallacy. You keep putting effort into things despite the fact you're not going to get it. You start - maybe you start to think this is a scam, but because you're - maybe you're desperate, you need this money to make some bills or something - I'm not a big fan of personal loans. I'm also not a big fan of, like, payday loans or car title loans. I think those are just usurious and abusive. Sometimes people really need money to make ends meet. 

Dave Bittner: Yeah. And these scammers make it harder for the folks who are doing legitimate businesses... 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: ...You know, who are out there trying to do - in good faith try to help people when they... 

Joe Carrigan: Right. 

Dave Bittner: ...Need a little help. 

Joe Carrigan: Right, absolutely. 

Dave Bittner: Yeah. All right, it's a good story. We will have a link in the show notes, of course. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Max (ph). He says, I know we like to make fun of scammers, but this one looks pretty decent. I recently got a work phone, and whoever had my number before me was not careful about who had their number. I've been getting texts from email addresses - about a hundred an hour - gigs, he says. 

Dave Bittner: Oh, man. 

Joe Carrigan: I'd ask for a new work phone if that were the case, right? 

Dave Bittner: That is - yeah, that's awful. That's awful, yeah. 

Joe Carrigan: But he got this one. It's a standard old practice. But why don't you read it, and we'll let our listeners understand as they go along? 

Dave Bittner: All right, it goes like this. 

Dave Bittner: (Reading) Hello. I'm a professional coder, and I hacked your device's OS when you visited adult website. I've been watching your activity for a couple of months. If you don't understand what I'm talking about, I can explain. My Trojan malware lets me get access to my victim's system. It's a multiplatform software with hVNC that can be installed on phones, PC and even TV OS. It doesn't have any AVs detect because it is encrypted and can't be detected because I updated signatures every four hour. 

Dave Bittner: (Reading) I can turn on your camera, save your logs and do everything that I want, and you won't notice anything. Now I have all your contacts, SM (ph) data and all logs from chats for the latest two months. But it is not very useful without something that can spoil your reputation. I can destroy your life by sending this stuff to everybody you know. 

Dave Bittner: (Reading) If you want me to delete this stuff and avoid any problems, you have to send $1,000 to my Bitcoin address. If you don't know how to buy bitcoins, use Google. There are a lot of manuals about using, spending and buying this cryptocurrency. You have 50 hours from now to complete the payment. I have a notification that you are reading this message. 

Dave Bittner: (Reading) Time has gone. Don't try to respond because this email address is generated. Don't try to complain because this and my Bitcoin address can't be tracked down. If I notice that you shared this message, everybody will receive your data. Bye. 

Joe Carrigan: So typical sextortion scam, right? 

Dave Bittner: (Laughter) Yeah, yeah. 

Joe Carrigan: We've seen this a lot, but this is pretty good. 

Dave Bittner: Yeah. 

Joe Carrigan: I like that he says this is a really powerful piece of malware that can run on anything, including a TV OS. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: And antivirus can't detect it because it's encrypted and he updates its signatures every four hours. 

Dave Bittner: Yeah. Now, this is a capable actor here. 

Joe Carrigan: Right, absolutely. 

Dave Bittner: This is not somebody to be trifled with, for sure (laughter). 

Joe Carrigan: Yes. I want to enter this Bitcoin address into a tracker and see if anybody has sent any money to this guy. 

Dave Bittner: All right. Well, that is our Catch of the Day. We want to thank our listener, Max, for sending that along to us. If you have a Catch of the Day, send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Bill Coletti. He is a crisis communications and reputation management expert at a company called Kith, and he's also author of the book "Critical Moments: A New Mindset for Reputation Management" (ph). Really interesting stuff here. Here's my conversation with Bill Coletti. 

Bill Coletti: I think when we look at the early days of Target and Home Depot, which were kind of two of the largest, 2014 or so, I believe, kind of those larger data breaches, then ransomware, which is obviously a close cousin of that. 

Bill Coletti: So I think companies are getting better. I think what we're seeing now is that as companies are getting better, the public's expectations are changing. I think the public is - to a certain extent, their expectations have raised. They want to know more. They want to know exactly what's been lost, how has it been lost, where's it been lost. And then they've also just become a little bit numb to it, also. 

Bill Coletti: So it really makes a communications challenge. So I think the state of industry when it comes to data breach or hack in general is good, not great, but the goal line is moving because the public's expectations are changing. 

Dave Bittner: Well, let's walk through it together. I mean, an organization experiences something like this. I mean, let's use ransomware as an example. And a company gets hit by ransomware. They have to shut down, and they have to inform their customers. What's your advice? How does an organization best go about that? 

Bill Coletti: So I think that the key differentiator in any crisis - whether it's a hurricane that it's changing the physical plant or an explosion or ransomware, the basic fundamentals are the same. I think that the differentiator between good and great is speed. And the way you get fast is really being clear on your mission and values and aligning that with the chain of command. 

Bill Coletti: So let's take ransomware. Speed is important - is that we need to fill the vacuum. If we shut down our operations and our app doesn't work or our store doesn't open or our factory doesn't produce for whatever the case, or our hospital doesn't treat people, that information is going to make it into the marketplace somehow, either via the media - traditional media or social media. So our ability to fill the vacuum with a message is really, really important, and we need to do it quickly. 

Bill Coletti: The way we do it quickly is by having thought in advance, who are we and what do we stand for? If we're really private, we don't talk about very much, that's our values. That's who we are. 

Bill Coletti: Next is this notion of chain of command - inside counsel, outside counsel, is your CTO involved? Who's involved in this decision-making? Because as I walk - work with companies and watch them, it's who are we and what do we stand for? Who do we really care about - our shareholders, our customers, our employees? Too many cooks in the kitchen chain of command - that impacts speed. 

Bill Coletti: So in your scenario is that we have this ransomware. We're no longer to perform whatever the case may be - an app or a hospital or a school, et cetera - is that we need to say something. We don't have to have all the answers in Moment 1. So the initial statement really needs to be, we are aware, and we are working on this as hard as we can, and that's OK. You don't have to be perfect and don't need to wait for a solution because speed matters because someone else is going to answer for you if you don't answer yourself. 

Dave Bittner: Is it better in that initial communication to be vague than to be wrong? 

Bill Coletti: It's better to be honest that we don't know, and that I don't know is OK. Here's what we know. We know that, you know, we had a this type of incident. Here's where we stand right now, and we are working with authorities to get to the bottom. And we'll report - we will share again an update in three hours or 30 minutes, whatever the situation dictates. We'll share an additional update in three hours. 

Bill Coletti: So I think it's - to your paradigm of being vague versus wrong, I would love for us never to be wrong. But if we just share what we know and when we're going to update people again, it just demonstrates that we're on top of it and that we're being transparent and authentic. And I do believe that people - there is a semblance of grace that the public is going to give us if we communicate like that. 

Dave Bittner: What about having a playbook in place, you know, being able to practice this sort of thing so that if it comes to pass, that you're not getting sort of blindsided by it? 

Bill Coletti: Yeah, critically important. So I make a distinction - practice and a playbook. I think playbooks are good. But just in the nature of this conversation, you know, Dave, you've framed it as ransomware. You could've picked a half a dozen, if not a dozen, other types of scenarios - OK? - that may be thornier or less thorny. So that's the case in point. 

Bill Coletti: A playbook is good that outlines some broad parameters, but writing a crisis communications plan for every perceivable permutation of what could go wrong, that's unnecessary. That's a mistake. But a broad playbook that outlines that this is who we care about - mission and values - here's who needs to be in the room - chain of command - and some basic talking points, just like we talked about, that's great. 

Bill Coletti: More importantly, even if you can't do a playbook, more importantly is practice. And it can be simple. Is it a weekly or a monthly staff meeting? Regardless of what kind of company you are - and we're talking about the data world right now - pull out the newspaper. And, Dave, if you're the CEO, you pull out the newspaper and say, if this had happened to us, how would we respond? And make it a 10-minute conversation. 

Bill Coletti: That type of practicing and that type of muscle memory is really, really valuable for organizations, whether we're talking about data security and data protection or we're talking about even physical security or force majeure natural disasters. Just say, what if this had happened? What would we do? So practice is critical. 

Dave Bittner: What about the emotional component of this? I mean, I imagine that for a lot of folks in an organization, this is a really bad day that they're in the midst of. So I suspect that affects their ability to make their way through a step-by-step sort of playbook or to function, you know, in a way that they hoped or predicted that they would. How do you prepare people for that element of it? 

Bill Coletti: Yeah. Boy, fabulous, fabulous question. Take a CEO of this hypothetical company that we're talking about of a ransomware. Not only are they trying to make decisions in the best interest of their customers, but potentially, they're watching their personal reputation and their personal career potentially crumbling in front of them from no fault of their own. 

Bill Coletti: And so absolutely, because these are human beings making human decisions, and so that EQ and IQ of how leaders show up during a crisis is as much about what I do as it is about small dogs versus puppies in the press release, you know, how we articulate words and things (ph). It's really about how do you coax the leader to get through this and a real EQ understanding of the impact that this crisis is having on individuals. 

Bill Coletti: And then specifically, let's talk about, you know, a chief information officer, a chief technology officer. Everybody's looking at them and saying, how the hell did you let this happen? And that's a pretty personal affront, as you can imagine. I mean, you're a pro in this space. 

Bill Coletti: This is the one area - if I'm the CEO, this is the one area of my business that I got a full-time team doing nothing but protecting me, and you're telling me we screwed it? How does that happen? 

Dave Bittner: Yeah. 

Bill Coletti: So that gets very personal very quickly. 

Dave Bittner: And so what's the solution there? Do you have people assigned to the communications who aren't, you know, the people who are going to be in the heat of battle? 

Bill Coletti: It takes a team, goes back to chain of command. It takes this collaborative team because very few communicators have the level of sophistication to be able to explain the intricacies of what is or isn't happening, and so you need the subject matter experts to. And you need, then, the communicators to sort of simplify and storytell around those realities. 

Bill Coletti: The first and foremost thing, when I've seen great leaders do it and what I try to do with the organizations that I work with, is let's just acknowledge the elephant in the room. Guys, this sucks. This is a horrible situation, OK? We'll deal with the repercussions of it on us personally later. But we need to make sure that we get whatever the problem is we're solving - get back to business or find our customers' data or protect our customers, et cetera, et cetera - whatever we need to do. But address the challenge. 

Bill Coletti: And for when - I've been so impressed when great leaders will say, you guys, you need to park your ego at the door. This isn't about any individual. We'll have plenty of time to lay blame. Now's the time to get to a solution. So it's very much a leadership messaging about how a leader shows up in a crisis. 

Dave Bittner: What about things like rumors or disinformation? You know, I could imagine, you know, folks from within an organization talking to their friends - that gets out - or even maybe a competitor out there who's trying to sow some seeds of doubt. 

Bill Coletti: In the context of a ransomware situation or just in general? 

Dave Bittner: In a crisis situation that, you know, you could imagine there'd be people out there who might want to capitalize off of that. 

Bill Coletti: Yeah, you know, it's a reality. I think the big three that we focus on are communities, customers and critics. And community represents your employees, your stakeholders, you know, people that matter to you intimately. Customers - people who write your checks. And critics is kind of people that aren't necessarily invested in your success, which is where I put competitors in that space - is that all three of them have a stake in the outcome of this situation. 

Bill Coletti: And so I think it's really important to, in these situations that we've been involved in, is be really transparent, fix the problem, move forward and get back to normal as quickly as you can and try to really sort of distinguish smoke from fire. 

Bill Coletti: I think a lot of this, you can really get distracted by this person said that or this person said the other thing. That's an easy distraction. I really think organizations should focus on fix the problem and get back to business, get back to normal - whatever that is - as quickly as possible. If you're chasing ghosts or chasing rumors, I don't think that's a very - a good best practice. 

Bill Coletti: If they become significant, one of the things we recommend is stand up two separate teams. Stand up a team to manage the challenge in front of us, and then someone to kind of run around as firefighters, you know, kind of tamping these things out as necessary. But I - my primary advice is focus on the business, getting back to business, getting back to normal as quick as you can. 

Dave Bittner: Once an organization is on the other side of an event like this, what sort of things should they be doing in terms of communicating with their stakeholders after the fact? 

Bill Coletti: Yeah. So that's where this huge distinction comes in about reputation. You know, what is the long tail reputational impact? And you know this as well as anybody. There's a lot of really, really good studies out there. You know, what are CIOs and what are CEOs really worried about? They're really worried about data protection and PII and things like that. They're worried about it from a reputation standpoint and the significant harm that reputation can handle. 

Bill Coletti: So I think it is - what you do after the fact is directly related to what you do during the fact. And so the way you manage the event - clear messaging, articulation of the facts, it's OK not to have every answer, but get to the bottom as quick as you can - and then to continue to act that way, and don't go silent, but acknowledge the challenge, acknowledge the situation for the - over the long term - those are some of the best practices. 

Bill Coletti: And then, also, what did we learn? How - this is how we're going to improve. We identified that there was a gap or a vulnerability or whatever the case may be, but here's what we're doing to learn and improve. 

Bill Coletti: Some people want to just kind of, let's just kick the third quarter under the rug and hope that just never happens again. I think that there's a lot of people that can value, and it builds your reputation with the ability to be honest and truthful. And what we believe in is ABC, always be communicating, telling your story, even on the darkest day, the same way you tell it when the sun is shining. 

Dave Bittner: Based on your experience, do you have any advice in terms of, you know, no matter what you do, don't do this? 

Bill Coletti: You know, there's a couple of them - the don't-do-this. Don't lie. If you don't know the facts, you don't know the facts. 

Dave Bittner: Yeah. 

Bill Coletti: Try to avoid speculation. You know, I think we've seen - gosh, we've seen so many people in a small world of saying, you know, well, my Twitter account was hacked, and that's why I said what I said and silly things like that, which is so ridiculously easy to prove to be false, I mean, so don't do silly things like that. 

Bill Coletti: I think don't blame somebody else if it was your organization's fault. And so throwing a third-party vendor under the bus or the subcontractor or something like that - if it legitimately was their fault, that's fine. But seeking out a scapegoat rarely works. People just want to know that we're getting to a solution. Get - let me know what the solution is. Let me know what we're doing to fix it. Let me know that you've got my data or my whatever protected. So I think that's really more important. So don't automatically look for a scapegoat. If you mess up, fix it and try to move on as quickly as possible. And usually, owning it is the best way to do it. 

Dave Bittner: What are your recommendations for folks to get started on this, to head down this path of preparation? 

Bill Coletti: Well, I think the simplest one, a little bit that we chatted about, is at a staff meeting, periodically say, what would happen if this had happened to us? 

Dave Bittner: Yeah. 

Bill Coletti: I mean, that's the simplest thing that someone can do. And you can do it every Monday morning or quarterly or whenever you have a staff meeting. 

Bill Coletti: I think after that, it's really putting a serious-minded leader behind this notion of our reputation, OK? I'll take it for granted that someone in the technology office or the CIO office or whatever the case may be - that they're really thinking about this stuff at a practical, technical level and that they're installing the right patches and they're doing all the right things - again, things you're the expert at, not me - they're doing all of those things. 

Bill Coletti: But I think from a reputational standpoint, that you're putting a serious-minded leader that is looking at the consequences of various outcomes and the implications that that have - has on our reputation. And what are we not only going to do about it after the fact, but how are we going to build a deeper reservoir of goodwill? How can we issue an annual report? How can we speak at the right conferences? How can we find third-party experts like you that when there is something negative, that you can say, well, hey, that's not the company I know because that CIO I know was really on tip of the spear on these issues. 

Bill Coletti: So those are just a handful of ideas. But a really serious leader to think not only about the technology part - that's the CIO, CTO - but to really - someone in the reputation space to think same - in a similar sort of series, how do we mitigate, get ready? And then how do we explain when and if these situations happen? 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, that was an interesting interview. We haven't had a lot of interviews like this on here. 

Dave Bittner: Yeah. 

Joe Carrigan: This is an important topic to talk about. Reputation management is very important, and your reputation is going to be damaged in a lot of situations. 

Joe Carrigan: It's interesting what he said here about customer expectations. They've been raised while, at the same time, customer numbness has increased as well. So in other words, customers almost expecting that their data's going to be breached, but they're also expecting something else, some better information when that happens, right? So I find that interesting. 

Joe Carrigan: Speed is key. Nothing is worse than getting no feedback in a lot of situations. We as people want to be informed about things that impact us, right? Have you ever worked for a company where you think something's up, but nobody will tell you anything, you know? 

Dave Bittner: (Laughter) It's a terrible feeling. 

Joe Carrigan: It is a terrible feeling. Even if you're in a personal relationship, like you remember back in high school when you'd be dating a girl, and then all the sudden, she'd, you know, stop talking? Now they just call it ghosting, right? But... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Not getting any information is a terrible, terrible feeling. I think it's just part of the human condition that we hate that, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Bill is 100% right about this. If you don't fill that vacuum, somebody will. People are going to start speculating wildly and start guessing. Why aren't they talking? Why aren't they saying anything? And you've got to get out in front of that as a company. 

Joe Carrigan: Your question about being vague versus being wrong - I think it's better to be wrong. When you're in the kind of a situation where you have an incident and you have to address your public or a group of people, set that expectation right away. Say, you know, we're very early on in this. This is what we think happened. We may be wrong about what happened, but this is what we know right now or what we think right now. 

Joe Carrigan: Later on, the interviewee says - when he's talking about the don'ts, he says, don't speculate. So try to keep it as minimal as possible when you're talking about these things. Don't speculate. 

Joe Carrigan: Practice is key for preparation. I say this about other things, like when you have backups. You have to try to restore those backups and test it. That's practice, right? But Bill's suggestion here is a great idea. I love this idea. If you're in a meeting as an executive team, just grab the newspaper and find out the latest cyber event or look up one that has occurred this week. There's going to be one that happened this week, right? It's always happening. 

Dave Bittner: Yup. 

Joe Carrigan: And then ask your team, what would we do if this was us? That is a great idea. That's a great way to start thinking about this and start exercising your mind, building that mental muscle memory, if you will, to be prepared for this. 

Joe Carrigan: There's a great discussion also on the emotional aspects of these attacks when there's a lot of personal investment in these situations. 

Joe Carrigan: And the idea to solve the problem first and then worry about assigning blame later, I think that's very - a very good idea. And a leader would have to take the position, look; we're not going to be pointing fingers. All we're going to be doing is getting back up and running, OK? We're going to worry about everything else later. But right now, let's solve the problem. 

Dave Bittner: Yeah. 

Joe Carrigan: And then what you do after the event is directly related to what you do during the event. I liked when he said that as well. That's pretty cool. 

Joe Carrigan: His list of don'ts for an event - don't lie and don't speculate, don't find a scapegoat - I would add don't try to cover it up. If you're suffering a security incident, be as transparent as you plan to be. When he starts off the interview, he says your culture is going to define what level of transparency you're going to have. So meet that expectation. Do not try to cover up, like, particularly a data breach. That only makes people hate you twice. 

Dave Bittner: (Laughter) Right, right. No, and I think it's a good message for taking a look at your culture and saying, what sort of norms have we established here, and are they in our best interest or not? 

Joe Carrigan: Right. Yeah, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: It may be a time to evaluate your culture and whether or not it's time for it to change. 

Dave Bittner: Right. Well, our thanks to Bill Coletti. Again, he's from a company called Kith, and his book is titled "Critical Moments: A New Mindset for Reputation Management" (ph). Really appreciate him taking the time for us. I thought that was just a fascinating conversation. 

Dave Bittner: We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.