Transcript is auto-generated.
Josh Lupresto (00:00)
Welcome to the podcast designed to fuel your success selling technology solutions. I’m your host, Josh Lupresto, SVP of sales engineering at Telarus, and this is Next Level BizTech.
Everybody welcome back. We are deep into Cyber Security Awareness Month today. We’re talking shadow IT isn’t the villain, sort of is, but complacency is also a bigger villain. Back with us today, VP of Cyber Security at Telarus, Mr. Jason Stein. Welcome back on, buddy.
Jason Stein (00:34)
Thank you. How are you, Josh? Good to see you.
Josh Lupresto (00:36)
Hey, I could complain about back pain and all that good stuff, but everybody hears enough of that, so I won’t do it on this episode. But if you have pain in your back, I understand for all those listening. So, all right. If you wanna hear more about Stein’s background, awesome, interesting background, he’s been on a few prior episodes, go back into the Spotify playlist. You can hear about how he thought he was gonna be a bartender, he thought he was gonna be a reverend.
He came back from working with the Russian spies and we’re excited to have him on the good side. I think, I don’t know. I don’t trust anything, but.
And chess prodigy. I tell you, I love people’s windy, weird backgrounds into this space. So if you want to go listen, a lot of good episodes that we’ve done historically, go check all those out and you’ll get a little more color on what we’re talking about today. So let’s kick this off, bro. So it’s Cybersecurity Awareness Month. You know, we talk a lot about phishing and shadow IT, but the theme today is it’s about complacency. So why is complacency, not that those things aren’t villains,
But why complacency? Why is this such a thing?
Jason Stein (01:49)
Yeah, it’s super hard. First off, I’m super excited for Cybersecurity Awareness Month. We have so much going on. We’re going to release so much content this month. So please go find us on social media. The flip side of that is being complacent. You know, a lot of organizations and people within organizations tend to just be too busy. They’re running around trying to react to different things. They have their priorities that they want to accomplish for the year. But all in all, we just don’t have the bandwidth.
We’re always having something else come up that fills our calendar, fills our schedules, fills our priorities, and complacency ends up being the biggest thing that drives cybersecurity breaches.
Josh Lupresto (02:34)
And is that, I mean, we’ll get into it a little bit, but is that, I guess maybe let’s think about an example here. Let’s get into a story. Give me an example. We see a lot of these things. We hear a lot of crazy stories. We’re in a lot of deals, conversations, data, but maybe walk me through something where it wasn’t the rogue app per se. Where did complacency really show its ugly face?
Jason Stein (03:00)
So it was interesting, I was actually presenting at a lunch and learn and this whole team was there and back before Amazon, you know, really cornered the market, there was a company that sold a lot of different technologies from a hardware standpoint and whatnot. And so I was talking to the CIO and I said, how are you doing with cybersecurity? What are you doing to better your organization? And he said, verbatim, I don’t want to know what I don’t know because then I have to do something about it. And I was like, what?
I was like, first off, that’s, that’s an interesting philosophy. It was absolutely crazy to see then what happened. He ended up getting breached because he didn’t put the security measures in place. He became the biggest target ever. And I thought that is just karma right there at its finest.
Josh Lupresto (03:29)
Yeah. You said it out loud.
You know, it’s funny, but it’s also sad. And it’s also this kind of thematic of imposter syndrome amongst the end customer base. And I think we get into these conversations and we think, my gosh, we’re gonna be talking to a director of cybersecurity or whatever person. Surely they’re gonna have it all figured out. And I think the reality is there’s that little voice in the back of their head that says, dude, something’s wrong here.
this Cisco ASA is like 18.3 years out of date, you should probably pay attention to that instead of taking a lunch break early today or maybe stay till 5.30 and take a peek at it. But I mean, but it’s a, how many times have we heard that over and over again? Like I don’t want to pull my head out of the sand, but sadly your boss and the company’s data want you to pull your head out of the sand, but we hear it over and over again, right?
Jason Stein (04:44)
We have so many IT decision makers that have been in their role for so long and the technology’s changed. You can’t just think that AI is just gonna fix everything and you’re just gonna dabble and prioritize that to help solve your problems and fix your organizations. A lot of their IT staffs have been together for a long time, but if you have an older team, they’re not used to embracing some of the new tech that’s out there and they fall into these bad habits.
that they end up developing and then they don’t know how to hold employees accountable. And then you still have C-level that have been around for many, many years, sometimes decades. They just don’t, they weren’t around when cybersecurity awareness training was a thing and they don’t want to do it because they have other priorities or they’re going to go play golf and that’s the way that they do business. And it just doesn’t work anymore. You have to have security experts on your staff that prioritize all the things that need to be prioritized.
or you’re gonna probably be breached.
Josh Lupresto (05:44)
Okay, so this theme of complacency and you think about imposter syndrome amongst the IT security crowd and the things that we make assumptions on but we don’t wanna say out loud, sounds like that guy did. If I’m an advisor though, and I’m trying to step deeper into security, I’m trying to get my customers to consider me as, I can help you with security now. How do I take this theme that I know
hey, some customers are complacent. How do I take that and turn that into a conversation starter to just open the door on somebody that I haven’t cracked in yet with security?
Jason Stein (06:24)
Yeah, it’s a good question. I think that really sitting down with customers and asking them what are they prioritizing this year? How is their staff able to do a good job of making sure that they’re putting security as a priority? And then how does security play a role in some of these decisions? The problem is we’re all super busy. Attackers are getting better and better. And so we need to make sure that we’re understanding that
The attackers are targeting the smart people in our organizations. They’re going after the ones who post all over social media. And so we have to ask them, how do you protect against your C-level? Who don’t prioritize cyber? How do we do a good job of sitting down and making sure that you’re covered in all the ways that you don’t know you’re not covered? So one of the great things is utilizing the engineers and the architects that we have, because they’ll sit down and they’ll whiteboard an environment.
and show where there’s gaps, show where an organization hasn’t thought about all the different security measures that they’re unaware of because we do it every day. But the flip side is either the TA becomes complacent or the company becomes complacent. And then next thing you know, we’re reading about them in the news because they’ve been compromised.
Josh Lupresto (07:44)
So to take that maybe a layer, take that a step further, if I, I love objection handling. I love kind of preparing for objection handling, right? Like playing this 4D chess in a conversation like this. Hey, you can relate to that because it’s chess. How do I, when I asked that question, I think you gave some great questions a second ago of, you know, what are some of the projects that, I’m paraphrasing, but like what are some of the projects that you’ve got cooking?
Jason Stein (08:00)
Yeah.
Josh Lupresto (08:13)
from a security perspective. How do I detect here what the culture is and kind of what the broader appetite is, either from the person that I’m talking to or what kind of infer that might be the culture more broadly at the company with related, you know, with these kind of inputs related to security that I might get back. Like, do I, what can I glean? Like if they say this, I should probably think like, whoa, security is not super important with these guys. Like what’s the second level of that?
conversation.
Jason Stein (08:45)
First off, there’s no silver bullet. Everybody’s DNA and the employees that they have underneath them is all different. So you can’t sit there and say, hey, this question is going to work 100% of the time and this one’s not going to work at all. I like to sit down and really catch them off guard and say, tell me a little bit about your team. What’s their DNA? What kinds of things and technologies are you focused on? How is security playing a role in that? Does compliance fall?
within your organization’s purview and risk. And then tell me what you really love about your team. What are you most proud of that they do that really makes you brag about them internally and externally to your peers? But then start to tell me a little bit about what are some of the challenges that they face? What are the things that they complain most to you about that they wish weren’t on their plate?
Then when they start to share about that, you’ve given them a chance to brag. You’ve then given them a chance to talk about what they complain about. Those are the ones that I attack. Okay, so you just said that they don’t like compliance because they didn’t go to school to be compliance experts. They don’t know how to take a look at risk within an organization. They don’t know how to get people to do cybersecurity awareness training because it’s too much. They don’t have the time for it. They don’t want to listen to it. They don’t want to take the test.
and they literally will sit there and take the test 50 times. How do we get those companies to gamify it and make it better? But to your question, I think that you just need to start with, talk to me about your team. What do you love about them? What do they complain about? How do we help be a resource for them? And then let’s talk about some of the priorities that you’re looking to do. And then how does cybersecurity play that role?
Josh Lupresto (10:37)
I like, I love that. I love the team. I hadn’t heard that angle before. I love that. I would love to see people start using that, testing that out. You know, the other thing that I’m curious on is, suppose if we ask some of these types of questions and we say the, what are the projects that you have? And it seems to me like we’re either gonna get one response or we’re gonna get another response, right? There’s two divergent paths here. If it’s response A and it’s a, eh, we’re gonna have like a whole lot going on.
you know, like we’ll get to it probably later this year, like we’re gonna get back to security then. Okay, then we know there’s a lack of maturity there and there’s probably ripe for, okay, let’s dive a little deeper in that of what are the things that you have done in security prior to today? Like what are some of the last things? And that’ll also allow you to just listen. But then I suppose the other path is, well, you know, we’ve got an initiative to redo this piece of technology. We are looking at firewalls, we’re looking at,
you know, web applications, or, you know, so you’re going to get this kind of like junior level of maturity or no, we’re taking this seriously. And I think they do create two divergent paths. But I love, I love your tactic. I love all these different tactics. I think that’s a way, a couple of unique ways for people to go a little bit deeper and just listen, just ask those questions and listen. And I think what you’ll find is that it just get, it’s a trust thing.
Once you can establish yourself into that conversation a little deeper and people go, okay, this person really wants to help. I can trust them. And people just will get much more open to share whatever the auditorium for that sharing is. These are the things I think that will open up those secrets.
Jason Stein (12:26)
Yeah, there’s definitely a lot of focus more on the users. 90% of all breaches are still caused by humans. Humans are too busy clicking on things that come in. Things are getting more targeted. I had one friend of mine that actually was in the middle of getting ready to sell his house, got an email. It was targeted around title, clicked on it too quickly. And unfortunately it was a bad actor who
ended up getting access to their crypto account and siphoned off all their cryptocurrency. You know, so they’re getting so good. So how do we figure out how to protect the users who need help? So we need to do a better job of providing the tools, providing better analytics, helping them with passwords. Let’s just face it. I mean, nobody wants to come up with 50 unique passwords just to get into every single thing
that they have in their life. So they’re repeating and reusing some of these passwords. And then we need to get into better password management tools or using more facial recognition like we do with our phone. That helps. I mean, we ourselves get targeted all the time. And how do you not click on stuff like that that looks like it came from the person that it was supposed to come from? Everything looks legit. So we got to hover over it. We need to do a better job of
going to that website or calling that person and asking if they’ve sent stuff. But a lot of it, it really depends on the company and what their strengths are and what their priorities are. A lot of times they’ve become complacent or they don’t know the tech that’s out there. And that’s where I think our team can really help say, hey, have you heard about this technology? I like to focus on trends because trends, if you get an organization that says, we don’t know what to prioritize, we’re focused on these things.
And then we say, hey, most people, according to Gartner, Forbes, Deloitte, or even our internal engineers are focused on AI. They’re focused on CMMC because you need to have CMMC by March. They’re focused on outsourcing some of their help desk or their employees because they don’t have the right expertise in-house. If we give you those talk tracks, you know, use those and then pause. And I think that’ll help open up the door as well.
Josh Lupresto (14:49)
I like this focus on the end user. I think what’s funny, we talked about it a little bit before this, I don’t know if we’ve mentioned the stat, what’s the percentage of breaches are human related or people accidentally clicked, what’s the percentage?
Jason Stein (15:06)
Yeah, depending on who you ask, it’s over 90%. Some say 98% of all breaches are still caused by humans in some way, shape, or form.
Josh Lupresto (15:15)
Yeah. So, so if we, if we play to that theme a little bit here, I mean, we look, we’ve, we, we keep trying. We keep trying to improve and the bad guys want to try to improve faster. So we say, okay, MFA is great. We’ve moved to MFA. So then what happens? We get, we get these fake MFA prompts now, right? Whatever MFA tooling you’re using. Now we’ve got to be on the lookout and we’ve got to educate our people to look out for fake MFA stuff.
We think about some of the things that are happening. I get these all the time and I know everybody else does too. Hey, I’m such and such looking to buy a home. Is this end when my address is right? Maybe I am, maybe I’m not considering selling. Is this home still for sale? I think we’ve graduated or not always, but we’re somewhat graduated from a bad guy perspective to better grammar in text. I’ve always said,
if these guys get a little better on grammar, their hit rate is going to go up. And look, I do a lot of marking and red is junk and I do a lot of reporting and I hope some dude sitting in a corner in a basement with a stapler going, all right, we’re going to blacklist that one. But they are getting better. And I think it’s not just, what’s fascinating to know here is it’s not just the texts with links in them with, you know,
horribly worded FedEx links that are like, duh, that’s bad. That’s, that’s not real. But it’s the fact to know that this isn’t about somebody trying to buy my house. This is about a pool of, a mass pool of people sending out texts to warm up numbers to be used for something else. Like this is the attack before the attack. So these guys are at an inception level, thinking forward about what these numbers are going to be used for next. So somebody simplistically replying, no, cool. Your number’s warmed up.
You just fell into a trench that will be incubated and used again later. All this to be said, these are things that happened to all of us on a personal level and us personally are part of a business in some capacity. And so are all the end users and employees of the businesses that our partners are looking to help. And what’s one of the cheapest security solutions that we can sell? Arguably the most beneficial: security and awareness training.
It’s, my boss tells me that, you have sales in your title, so those numbers need to keep going up and to the right. Security and awareness trainings, what we want on those reports is to see the user clicks every month go down and down and down across the organization, right? Those are the acceptable down and to the right trends. And so I love continuing to hear focus on the user and maybe it just comes back to one question of, are you doing anything? What are you doing?
to help your users get better. So I love that.
Jason Stein (18:11)
So it’s interesting because Graham Scott and I have been doing a lot of events together. And so we’re focused on the network. Then we’re focused on mobility. And then we’re focused on internet of things and OT, all the hardware devices that are out there, like an MRI machine and stuff. So we’re doing some statistics. And 85% of all websites now are created to go target after mobile users
with some kind of vulnerability or exploit that’s in them. Then if you look at IoT and OT, do you know one out of every three breaches is caused from an IoT device, which is crazy. So all the devices hitting your network that you don’t know about. OT, like an MRI machine, you have the fire suppression systems. That’s all these hardwares now that are able to be compromised. And then also from a mobility standpoint,
Most applications, I think it’s over 75% of applications have some kind of vulnerability already embedded in them, even the enterprise ones. So all the apps that we’re using can take us down. And it wasn’t our fault. All we were doing was downloading an application that we’ve heard about over and over and over. So to your point, security awareness training makes us aware of all those things we should be thinking on. Not just email security anymore, it’s the text message.
So whenever I get those text messages from someone random, hey, I miss you. It’s been a long time. I’m always sending back, who dis? New phone, lost the number.
Josh Lupresto (19:39)
Yeah.
Yeah, yeah, it’s getting better. Everybody’s getting one step ahead. We’ve just got to help the businesses be two steps ahead, three steps ahead. And I think this amongst the other things that we’ve talked about already, I love these, is kind of just simple things that people can do to help this. This is about your attack surface, your data and your core, you know, your crown jewels are at the center of that. We’ve always talked this is resiliency. This is a layered approach.
And what’s the biggest, if the boat is sinking or if the boat has leaks, how do we patch the leaks the easiest? Let’s clean up that attack surface and your people present so many holes in your attack surface, right? So much data could be getting exfiltrated unintentionally, pure, don’t, most people don’t have, you know, negative intent, right? There’s a lot of positive intent and they just don’t know.
And so everybody wants to, bad guys want to take advantage of that. So let’s help the attack surface. Let’s address what people are doing with their end users. And let’s just play that into the broader strategy of some of the great things that I think you mentioned earlier. So good talk track.
Think about, let’s think about for a second, let’s think of the future here. If we think of the future, and we talked about on the previous episode, Sumer and I talked a lot about quantum and what’s coming and what new problems that’s gonna present that we wanna get ahead of, right? From an encryption perspective and all those things. So let’s think for a second about AI, right?
We know that the bad guys are using the tools that we’re using and they’re using them before us and they’re using them at bigger scale and more exponential. So where does complacency creep in with AI and maybe some of these next gen threats? How do we need to be thinking about that as we’re talking to prospects?
Jason Stein (21:39)
So interesting story. A month and a half ago, a company in the financial industry was tasked to come out with a new large language model, AI, to help their customer experience, which is the priority on everything that we’ve seen in our trends reports. And so they had these deadlines to hit, 1,500 employees. They had a decent team. They went in and they cut some corners with some authentication tokens.
they ended up actually compromising their organization without knowing about it. A bad actor saw it, used an exploit to get into their authentication token, which was connected to their CRM. So now these bad actors created a user account and then created their own token, got themselves in and started siphoning off all the data for the customers, for the company.
They had all of this data and they were using it to their advantage. Turns out two and a half months go by and AI doesn’t find it. An auditor found it. Usually we’re going to be combating AI with AI, but in this case, an auditor said, why do we have all these new accounts being set up and why do they have access to the level that they do? Why can they see everything? Ended up absolutely costing this organization a ton. Money, resources.
They let a bunch of their team go. You know, and it’s because you think that AI is going to better your organization and most of the time it will, but if you’re not following the right steps, right framework, the right roadmap, you know, you need that help in order to implement those things. And that’s where our team can come in. Still only 12% of organizations are following a framework or a roadmap today. It’s like trying to take apart a car engine
and building it yourself or trying to build a computer from scratch with just a bunch of parts. If you don’t have an instruction manual, you’re gonna probably have something that doesn’t work properly or has vulnerabilities or is gonna shut down. And that to me is a story that we see repeated all the time. Everyone wants to implement AI. They don’t have the resources. They have timelines and things that they need to meet. And so they just rush it at the company’s detriment.
Josh Lupresto (24:05)
Yeah. No, it’s a good point. This is just a simple thing. Obviously, there’s a much bigger picture here. But I mean, people are, when employees are going and grabbing GPT-5, if they don’t, at a personal account, if they don’t check that setting that basically says, no, I don’t want to improve the model, it’s worded kind of funny, where a lot of people don’t even catch it, where
what’s really being said is everything that you are saying and sending in is going to one, help us learn more about you, but also going to feed the mother, you know, to feed the core foundational model. So, A, don’t forget to check that box or uncheck that box in that case. But B, this is a broader message for the organizations to go, wow, what really is back to the people again? It’s the people clicking on stuff that they don’t
know the full extent of what it is. It’s just like, ooh, this is shiny and fun. I want to play here, which is great. Like people should be inquisitive. They should want to learn and they should play, but we also have to play within reins, right? And understand risk. Everything is a risk. What risk are we willing to accept and what are we not willing to accept? And so exactly to that point, to me, that’s the next rush. If I’m the bad guys.
That’s the next rush. Chasing after people that are trying to do some sort of subpar implementation, whether it’s tokens, whether it’s this, whether it’s data cleanliness and readiness or whatever, right? Let’s see who’s skimping out on model creation and let’s see who’s skimping out and not making it a priority. So great points there.
Jason Stein (25:41)
You know, it’s interesting because not only is that a priority, but then you have to think about now the compliance and the risk of the data. So what’s the first thing that happens when I tell my entire organization that they can’t use chat GPT, they can’t use copilot on their personal, on their work laptop or their work computer. They pick up their phone and they go to chat GPT on their phone. And then they’re releasing company data, company information. They’re, you know, the tools that they’re using aren’t protected.
And so they’re leaking all these things that end up compromising the integrity of their organization, could potentially cause fines. And they don’t even realize it’s happening because it’s happening on mobile devices or a non-work computer. And that stuff’s scary to think about. So we need to do a better job of educating that there’s going to be stronger compliance. There’s going to be stronger things that are going to come down from a government fine perspective
that if you don’t adhere to protecting the data and the tools that employees are utilizing to connect to that data, it’s going to absolutely have repercussions.
Josh Lupresto (26:50)
All right, so let’s think final couple thoughts here. Maybe one final secret and then we’ll close it out. So if I’m an advisor, how do I frame that AI risk in a way that earns them the second meeting? I mean, is it doubling down on kind of what we just talked about? How do I make them understand? I’m always falling back to the questions, but how do I frame that AI is a risk that needs to be considered just like everything else?
Jason Stein (27:20)
So most of the time when you get all these amazing technologies like AI, let’s face it, does IT sit around one day and say, hey, you know what we should do? We should implement AI. I think that’ll make our lives so much easier. Or is it being pushed down from a board of directors or C level that maybe might not be technical? They said, hey, I think if we embrace AI, make it a priority, we’ll differentiate ourselves. We’ll have a better customer experience. We’ll be able to save money. We’ll be able to reduce headcount.
You know, there’s a lot of benefits from it. Then it gets pushed down to IT. So one, you need to realize that I don’t think AI is being driven by IT as much as being driven by other parts of the organization. So then if you think about risk, a lot of CIOs have this burden of risk, but risk falls on the board, the financial advisors and PE firms on the CFO. And so
Now 42% of risk is being outsourced because they realize IT is not equipped to handle it. And then 60% of organizations are putting together a committee to advise the board on IT, on risk, on compliance, on AI. They’re tired of a CIO coming in and three-letter acronyming them to death. We got MFA, EDR, you name it, from an acronym perspective. They want somebody to say, have you thought about your risks?
Are you looking to implement AI? Here’s some of the gotchas that we see as organizations that deal with other entities all the time. We have a deep bench of industry experts that can sit down with your team, lean on our engineers, lean on our architects to talk about what are some of the gotchas that people are experiencing and organizations are seeing happen that are potential threats to the company. And then,
Let us help you put together that roadmap, that framework so that you do implement things in a good capacity.
Josh Lupresto (29:26)
I love it. Let’s think here. Final thoughts. So harness your inner magic wand, as my little one would say, bibbidi-bobbidi-boo. If you could wave this kind of magic wand. What is one thing that you could give from a behavior shift for Security Awareness Month? The end employees, one behavior shift for the employees, what is it?
Jason Stein (29:52)
You know, it’s probably the theme. Don’t be complacent. There’s a lot of information out there. Make the effort to learn what to do, what not to click on, how to take an extra step and, you know, think about the organization. You definitely have an ability to learn security and AI. There’s so much data out there. We’ve released a ton of content. You’re going to see four blogs. We’re going to have a cybersecurity playbook.
We have a guide out there to help navigate cybersecurity and breaches. Take the time to do the cybersecurity awareness trainings and listen, be present to those. You know, use some of those things that we have in our university, which we have a ton of trainings on, both from a sales perspective and a technology perspective to learn the different tech that’s out there. Don’t sit around and be complacent. You’ll absolutely watch everybody else pass you by.
Josh Lupresto (30:52)
I love it. All right. Good stuff. Lots of good pro tips. Here we are deep into Cybersecurity Awareness Month. Mr. Stein, thanks for coming back on, buddy.
Jason Stein (31:01)
Thanks for having me, appreciate you as always.
Josh Lupresto (31:04)
Awesome. All right, everybody, that wraps us up for today. This has been Shadow IT Isn’t the Villain, Complacency Is. Just be sure wherever you’re listening, Spotify, Apple Music, wherever you’re coming to us from, subscribe so you get these every Wednesday when they come out. I’m your host, Josh Lupresto, with Jason Stein, VP of Cybersecurity at Telarus. Until next time.