Redefining CyberSecurity

Beyond the Boardroom: Safeguarding Leadership with Dual Front Executive Defense | A BlackCloak Brand Story with Chris Pierson and Roland Cloutier

Episode Summary

Join us as we explore the world of comprehensive protection for executives, transcending both digital and physical realms, with industry experts Roland Cloutier and Chris Pierson in this Brand Story episode with BlackCloak.

Episode Notes

In this engaging podcast, cyber-security leaders Roland Cloutier and Chris Pierson discuss with Marco and Sean the rising digital threats that executives face. With recent advancements in AI, phishing attacks and cyber crime have become more sophisticated and harder to spot. The podcast underlines the importance of protecting the "executive digital space", not just at the individual executive's level but also for their families, considering the potentially detrimental impact these threats can have on organizations at large.

The two experts point out that being aware of cyber threats and diligently safeguarding precious data isn't enough. They propose a holistic approach to security, noting that the minimal knowledge most executives have about cyber threats plays to the advantage of cyber criminals. The alarming yet enlightening discussion encompasses physical security, AI-assisted scamming, artificially-created voice calls, and more.

A practical solution offered in the conversation is to outsource security measures to a reliable third-party for monitoring and immediate response to threats, thereby safeguarding everyone linked to the executive. The unique aspect here is the emphasis on a personalized, bespoke defense strategy that takes into consideration the differing security requirements of individuals. Ultimately, the mission here is to provide a safer cyber environment for executives and their families without impacting their personal lives.

Join this intriguing podcast and learn how to fortify not just your organization, but also your executives' lives against cyber attacks.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guests:

Chris Pierson, Founder and CEO of BlackCloak [@BlackCloakCyber]

On LinkedIn | https://www.linkedin.com/in/drchristopherpierson/

On Twitter | https://twitter.com/drchrispierson

Roland Cloutier, Advisor at BlackCloak [@BlackCloakCyber]

On LinkedIn | https://www.linkedin.com/in/rolandcloutier/

On Twitter | https://twitter.com/CSORoland

Resources
Learn more about BlackCloak and their offering: https://itspm.ag/itspbcweb


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco. Sean. Uh, I'm thinking of a new denial of service. Yeah, what's that? Not, not as a service. I mean, it might be as a service, but denial of, it's, it's the executive denial of service. If I can take the executive out of the equation and the business can't run without them. I've taken out a company.  
 

[00:01:00] Marco Ciappelli: I thought you gave up cybercrime. 
 

[00:01:02] Sean Martin: I didn't. I, uh, I took a side job, sorry.  
 

[00:01:05] Marco Ciappelli: Or you just do red, red teaming. You're just thinking like that.  
 

[00:01:08] Sean Martin: I'm just pretending to think about stuff like that.  
 

[00:01:11] Roland Cloutier: Team one, go, go, go.  
 

[00:01:15] Sean Martin: Exactly.  
 

Now, of course I would never, never do such a thing. But I do think about that kind of stuff because, uh, I worry about those that I think about those executives that don't understand that they're at risk and, uh, and therefore their business is at risk.

And in many ways, not just from them being offline and not able to work, but, in fact, the entire operations could be compromised if, if things go the way the hackers or the attackers, I should say, like them to go.
 

[00:01:48] Marco Ciappelli: And you never know where they come from. Uh, we're going to do an official introduction here. 
 

But the last time I was on with, uh, Chris here, Chris Pierson, we talked about how the cars are now taking all the information about you and we have no idea. We just thought we bought a car and there we were.
 

[00:02:06] Sean Martin: I missed that episode, and I was renting, I was renting a smart car at the time. I was thinking, ah, geez, all my info off to the rental car company and the car manufacturer as well. 
 

Thank you very much.  
 

[00:02:19] Marco Ciappelli: Yep. All right, Sean, let's do the honor.
 

[00:02:22] Sean Martin: All right. So we have, uh, our good friend, Chris Pierson from BlackCloak and, uh, Roland Cloutier. Thank you guys for being on.
 

[00:02:30] Roland Cloutier: Hey, thanks for having us guys.  
 

[00:02:31] Chris Pierson: Great to be here. Great to be here. And I do remember the car conversation.  
 

[00:02:37] Marco Ciappelli: I had some follow up question on that. 
 

[00:02:41] Chris Pierson: We'll take care of you.  
 

[00:02:43] Sean Martin: And it's good, good to have you both on again, uh, together this time. And, uh, you both, Chris, you've been on a number of times, Roland, you've been on before as well. So it's a pleasure to have you back. And so I kind of alluded to, we're going to, we're going to talk about the connection of the executive's digital space to the business and, uh, that as a vector, right, for, for bad things to happen, not just to the individual and their family, but to, uh, to the organization at large and Chris, you and, and Roland decided to pull some information together and pull some stats and stories together.

And you presented at a conference not too long ago, um, what, what prompted you guys to kind of join forces to do that?
 

[00:03:31] Chris Pierson: I mean, I mean, for, for us, I mean, it's, it's, it's, you know, obviously a passion of love and labor and all the rest, but it's. We specifically gave a speech at this year's ASIS conference, the GSX conference in Texas. 
 

Now, that is predominantly attended by folks that are, right, CSOs, Chief Security Officers, folks that have a physical security mandate, executive protection mandate, or kind of double hatted and wearing both those hats on both the cybersecurity side, as well as the physical world. And, you know, of course, Roland being, you know, former CSO of ADP wore that hat for many, many years.

And what we wanted to do was take the conversation, take the discussion, uh, strategically out to the audience of folks that is more used to physical security, physical controls, a lot of them occur right in a digital realm, but folks that are more paying attention on executive protection, overall safety of employees, safety of their families, safety of those within the company, and have really, really broad remit.
 

And so for us, it was, uh, it was actually September 11th when Roland and I, I mean, couldn't have been a more fitting day. Um, but we gave that speech over in Texas on this topic and it really was, you know, targeting of corporate executives in their personal lives. But it was done on a very executive protection bent. 
 

So kind of getting out of the cyber realm and thinking a little bit more about the folks that actually have these roles and responsibilities, the CSOs, there's so much there that they're tackling. How can we actually talk to them a little bit about the risks? How can we actually tell them some stories? 
 

How can we actually talk to them about how you might be able to mitigate those things? For their end customer and, and really not, not just the, like the executive or the employees, but it's also their families. I mean, the, the net gets thrown really, really widely when you're talking about executive protection or physical executive protection.

So, um, it was great to partner with Roland on that, uh, quite honestly, always great to see him in person and then great to partner with him on it. And I mean, he's got 15, 20 years worth of CSO stories and, and you can find some CISO stories. It's just, you know, match made in heaven.
 

[00:05:48] Sean Martin: I love it. And as the, uh, CEO of BlackCloak, it's been fabulous, uh, seeing you grow, Chris, uh, the, the team and the business and, uh, the success you've had thus far. And, uh, Roland, Chris alluded to it. Uh, you, you've held a number of roles. You had a different role last time we spoke. What, what are you up to? Maybe give a, give a snapshot of what Roland's up to now, where you've been.
 

So folks know who you are in case they don't know.  
 

[00:06:17] Roland Cloutier: Yeah. So, uh, you know, after spending 20, 30 years between, uh, law enforcement and, uh, corporate operations and protection, uh, through, uh, EMC, then 10 years with ADP and then three years building the national security program for TikTok, um, it, you know, I, I decided to take a little bit of a break and, and start to, uh, go back and kind of redevelop some of these key areas that were major gaps, um, from my perspective that we as practitioners were missing because we're so busy with the day to day and the ops and the, you know, the field issues and the new threats coming our way. And, you know, I was, Sean, I was lucky.

Um, I've been a converged security, uh, executive in my last three positions, meaning that, one single umbrella for, uh, resilience around security, risk, privacy, enforcement, physical security, executive protection, and all of that. So, you know, but I've seen what my peers have gone through on both sides of the house, right?
 

Uh, neither shall these two, you know, touch. I, I find myself fortunate coming from 20 years of being a converged security expert, meaning I had all of the, you know, uh, critical security, risk, and privacy enforcement functions rolling up into my organizations. 
 

Um, and so that goes from everything from cyber defensive operations to public safety and executive protection. So, I didn't have to have this argument of what was in place or what isn't in place. But often what organizations, and especially on the CISO side, find is that there's a, there's a hard block when it comes to thinking about the executive outside their desk or outside their computer.

And, and so you, there has to be an integration with the people who are responsible for protecting the safety of those individuals in a much broader context. And one of the ways to really bring them together is to educate and make them understand on both sides how technology risk puts the executive at risk, which impacts the resiliency of the organization.
 

And they both have responsibilities in that context. So, one of the things Chris and I were trying to do at ASIS is bring those two sides together and share, I mean, realistic stories of where families were impacted. Um, uh, you know, not just the executive, but the executive's spouse or kids, um, were impacted as target of the targeting of the executive, either for direct, you know, attempts to access the infrastructure for financial crimes or, you know, for worse.

Um, really attempts at threatening the executive through the use of technology means to get what an individual wanted for criminal purposes. So, um, those things are real and they happen every week. Uh, from business, you know, uh, email compromises to, um, you know, you know, willful tunneling and connections into, you know, home environments to attempt to piggyback into corporate environments.

Those are just real things that happen. And so our, our hope is, is that we get to keep to do this, is bring those sides closer together. So they understand the criticality of having a holistic protection plan for the executive leadership team.
 

[00:09:29] Marco Ciappelli: Yeah. And, you know, Chris, we talked about this a few times. 
 

We've known each other for a while. And, uh, I'm wondering now that you go to these, uh, events nowadays, is there already a Do you have any knowledge about this? Are people approaching you and not just falling down from the sky like, Oh, never thought about that. I mean, because everything Roland said, it, it, it's kind of common sense once you fix your head on it. 
 

But, um, what's the, what's the pulse now on talking about these things?  
 

[00:10:03] Chris Pierson: So it's, it's, it's really interesting. Um, there was a, we did a Ponemon, a report study, uh, March or April of last year, and something like 46 percent of, of, uh, CISOs, so Chief Information Security Officers, report that their executives have actually been targeted in their personal lives and it somehow has impacted them and the company and all the rest.
 

And what's important about that is when those events happen, it's not just an event that's happening against the executive, their family, and all the rest, but it's tying up resources, time, money, and efforts of the CISO to actually get stuff done. When we were at ASIS, when we were there at the conference, the same things from the CSOs. 
 

They're the trusted individual that is there to holistically make sure that the executive, the key personnel, other folks within the company are protected in their personal lives, you know, sometimes it's the physical and cyber sense. But they're the ones that get the incoming. They have those that trust with the individual.
 

They have that trust with their family. They're really tied in. And as a result, it's a pain point for them. What we're finding right now is that people are coming up to us and saying, this is amazing. This is great. This is going to so change our team's life in terms of you taking this off of our hands. 
 

We need a partner to do it on the outside. We need a partner to do it in their personal lives. It's almost like that. But, uh, you know, it's almost like concierge health. It's like, you need a partner to actually effectuate the change. You need that medical professional on the outside to take care of it. Um, because the company is not, not enabled to, right. 
 

They're not set up for success there in terms of taking care of the personal life. And that's very much where BlackCloak plays. We also, our, our mission is we protect digital lives. So it's always lives. It's all these people and family and all the rest. But what we're finding is that people really have this as a pain point.
 

They don't want the incoming back to them. They don't want the private nature of anything that's discussed. They're coming back to the company and they're constantly getting tapped for more and more things. As scams rise, as phishing rise, as threats rise, all right, as doxing and swatting rise. Um, those resources are really drawn thin. 
 

And so really they want to partner and that's really the keyword. They want to partner with someone to go in and protect those other 12 hours of the day, but lots of incoming mostly due to pain.
 

[00:12:23] Sean Martin: And Roland, your perspective on this, because you talk about bringing the groups together and having that conversation. 
 

Um, I've already had a couple of conversations today where I'm looking at IT connecting OT and bringing security into that mix, and developers and AppSec, bringing those two groups together, right? We, we continue to talk about that CISOs in the business, there are these gaps. We try to bring, bridge those gaps and, and have meaningful conversations over and over and over.

I still feel it's a bandaid onto something else. And I'm wondering when, when the CSO has these conversations, is it the executive protection from a cyber perspective, baked into the overall, here's what we need to do, or is it still, we have all this stuff we really care about, and oh, by the way, I want to tack on the, the cyber piece.
 

Is it, is it still a, a sticker?  
 

[00:13:25] Roland Cloutier: You know, I'm not an attorney, and I don't normally play one on the weekends either, but here's where I get to go. It depends. Uh, it, it, yes. It really depends on the organization. It tend, it depends on the people involved here. Here's what I'll say. For those organizations that have, um, segmented service delivery internally to their organizations for physical and, and technology security or risk management. 
 

Yeah. Yeah. It typically is like, and we'll do it too, um, you know, as needed. But here's the issue. Um. If you're going to do it, you have to do it, and you have to do it right, which may actually seem more intrusive than, you know, if I'm going to do a physical security assessment at an executive or key personnel residence, we go around, we look at the house doors, locks, the windows, we look at the alarm system, we look at cameras, we look at the generator, we look at the lighting, we look at the bushes, you know, leading up to the house, um, we do physical penetration tests, you know, we do the holistic thing, and then we apply, you know, ADT or whoever to come in and do the fixes and the, and the, and we walk away, you know, unless it's a, you know, higher level, but predominantly that's kind of what an assessment looks at. Well, technology. Am I on your home computer? Am I on your kid's PS5? Am I on your wife's Samsung phone? Like, that, that changes the discussion.

And it doesn't matter if you're a CSO or you're a CISO or you're an EIEIO, it really doesn't matter, right? Like, what matters is now you're, you've crossed the threshold deeper into their personal life of their things and their information and the stuff they do, their banking on, and their personal emails, and you're part of the corporation.

So it's always a difficult discussion. Doesn't matter if it's the CSO or the CISO, it's always a difficult discussion when you want completeness. Because if you really want to look at the digital shadow of the individual and the digital footprint of the family. It it's, it's not just the router and the switch and the house coming from, you know, Verizon or whoever it it's the technology that's in their house, how they've set up their wireless infrastructure.
 

Um, and, um, and the education of those, of those people. That's, that's another big part of it. It's like, you know, these, these things can happen. Giving your 10 year old a device that's connected to the internet is pretty close to dropping them off, you know, at, at Broadway and seventh. You know what I'm saying? 
 

It's like it, you're, you're in the eighties. 
 

That's that's bad. But, you know, so providing that level of education and understanding, and then, and then for the leader, either he or she, and, and how, how that can go back to the organization, um, and educating them is, is also another tough discussion. So the whole point here is that there's, there's a level of, uh, of deep personal contact you have as another corporate officer running a program to another corporate officer that doesn't always work well.
 

Um, which is how Chris and I met, you know, obviously saying, how do you insert a third party to do some of this that becomes a trusted entity, independent of the company. Uh, but that is the holistic approach.  
 

[00:16:46] Marco Ciappelli: And this is kind of in my, in my corner when I talk about society, right? There is the, the virtual world and the analog and digital. 
 

I don't make distinction anymore. We're living our life, especially the people that are, you know, kids are native into smartphone and all of that. It's not that it's not life. It's not like a virtual reality everything is interconnected right now. So, I can't see this being something that you think in silos. 
 

It just doesn't make any sense.  
 

[00:17:15] Roland Cloutier: Well, that's because you're a paid professional and you're paid paranoid like me, and you understand technology and the application of technology in society. Right. Even smart people don't get the concept of someone being able to reach out and touch them in a very personal way through a handheld device. 
 

Like until it happens to them, they don't think about it.  
 

[00:17:37] Sean Martin: And let's talk about this a bit as well, because I, I mean, I can think of a number of scenarios. You said threshold. Cool. And it's figuratively and literally crossing the threshold, right? To come in and see what's going on there. Mind you, these devices and travel with them cross back outside the threshold, but, um, people might have a hard time inviting somebody in to expose. 
 

Yes, you're going to look at the router and their PS5, but also see the underwear drawer that you're exposing yourself a bit. And so you don't want to do that necessarily just because, and I can look at other situations, rats or mice, right? Nobody, nobody looks at their house to see if, if they can prevent mice from getting in until they have a mouse get in.
 

And then it's all about closing the house up to get, keep the mice out. Or, um, same thing. I had, I had rented a place in Malibu Canyon that had scorpions. They were coming in and into the house. And I was like, I got to find the place. I didn't think about it until scorpions are on the ground. I'm like, I need to find where the scorpions are coming in. 
 

[00:18:52] Roland Cloutier: Sean, that was a feature. That was actually a feature.  
 

[00:18:54] Sean Martin: It was a feature. Yes. Yeah, they ate the, uh, the other stuff that I didn't want to know. The wild west experience.  
 

[00:19:00] Roland Cloutier: It was a wild west. Full experience.  
 

[00:19:02] Sean Martin: Yeah, full on. So Chris, it's a sad reality. A lot of, I don't know how many, but certainly some of your partnerships are driven by something, something bad has happened. A mouse has entered the house, right?
 

[00:19:18] Chris Pierson: Yeah. I mean, you know, what's interesting, what's interesting is this is when we take a look across the entire spectrum of those corporate relationships we have. We have individuals that are CSOs that are saying, Hey, we want to, if you feel like we have a good handle hold on our physical security risk assessment, we have a good handle hold on the hold up alarms and the safe rooms and, you know, all these other different, uh, measures that we've implemented. Um, but, but we're not sure about their personal digital life, especially that of their family. Um, and, and so we're able to partner there. Um, on the CISO side, it's a, you know, my gosh, you have the SEC breathing down on SolarWinds, you have the SEC, uh, guidance that actually, right.
 

We're taping this on December 15th. 15th and the 18th, you have two major, major, uh, uh, things that come to the SEC in terms of the actual four day notice taking effect, as well as the describing, uh, uh, in your annual report, what material risks you have and what you're doing from governance perspective about them. 
 

But you have that on top of 12 years worth of LinkedIn breach from 2012, where, you know, that's how they got in through an external engineer the LastPass incident year and a half ago, two years ago, they got in through an engineer. And it just keeps on coming. The CISOs are saying, we have to go ahead and close this off.
 

We now are on active knowledge. We've been on active alert for the past year and a half, two years, that this is how cyber criminals are actually taking advantage of us, our people, our company and all the rest. And so it becomes one of those, it becomes one of those great places for the symbiotic relationship, that partnership to exist. 
 

CISO, take care of the inside of the four walls of the company. CSO, take care of the four walls on the inside. From a technology perspective, you, from an executive protection, you take care of that, which is on the outside. But let's partner, let's have a relationship. Let's go ahead and collectively, you know, tackle that digital life, right? 
 

Really the digital persona of the executive and their family. I was, it's like, sometimes I always just say executive, but it's the husband, wife, spouse, kids, significant other. It's gen one, it's gen two, it's gen three. It's that whole thing. The whole thing is the footprint we've seen, you know, we saw Rob Lee. 
 

There was the story of, you know, a few months ago where the cyber criminals reached out and contacted his wife and young kid. Um, look, it just, it is what it is. People are going to target folks where the defenses and the walls are the thinnest, where they're the shortest. It, you know, castles, you can keep on building a high wall and a high wall, but at some point in time, the king and queen do go out down to the river.

They do go out to the pub. They do go out to a summer cottage. Um, right. For a lot of folks, a lot of cyber criminals, the amount of data that is out there that we, the U.S. exposed are allowed to be exposed is so incredibly high. The treasure trove of intelligence information out there on the dark web is high, and you bundle that with a great juicy corporate target or the lure of a target that you can jump into like a LastPass.
 

Um, it just really proves fertile ground to go ahead and attack. And so the partnerships that we have there are super special. Because they're all built off of trust. Trust with the CSO, trust with the CSO. They're built off of massive amount of trust with the individuals on the inside because we don't have or collect any of their private information. 
 

We don't want it. We don't market it. We don't rent it. We don't sell. We don't do any of those. We actually don't collect it. We don't care. All we need is name, address, phone number, email address. That's it. That's what we want in order to actually provide the services. So it really starts out on that trusted, really starts out on that trusted platform of how can we trust each other? 
 

How can we work together to go ahead and decrease those risks? But a lot of the folks, as you asked, they're coming in hot. They're coming in through corporate ransomware and extortion. We've had several years, right? We've actually had those corporate extortion attempts happen in the company life. And then they've actually jumped over to the personal life. 
 

They've actually sent threatening messages to the husband and wife. They've actually targeted the kids. They've actually targeted their personal email addresses, right? To kind of speed up the payment, speed up the ransom, and apply pressure. We actually even had one company where they actually attacked the incident response team. 
 

We're not talking about the third party incident response team. We're talking about the actual incident response team on the inside of the company. What better way to take down the company's response and make sure that they can't respond? And that they can't go ahead and reconstitute systems, then by taking them down, and then, right, making it more likely they might pay their ransom. 
 

Um, these are all new techniques, you know, a few weeks ago we saw the ALPHV with MeridianLink. They went ahead and filed SEC, right, filed notice of, uh, of a breach with the SEC because they ran out of time in terms of paying. Um, cyber criminals, you're going to push the envelope. They're going to go ahead and try to, uh, you know, speed up that time clock.

And as a result, yeah, a lot more folks are coming in, right? A lot more folks are coming in because they haven't had that holistic view, and they have some type of a problem in front of them.
 

[00:24:10] Roland Cloutier: Yeah. You know, I get getting, you know, to Sean's point as well is that there's nothing like an emergency, right? 
 

You know, we, we, we say as practitioners, like, you know, uh, you know, always, uh, always using an emergency for, uh, you know, for all it's worth, but is nothing like when, um, the, the senior executive in an organization, um, gets an email from his personal email to his work email, um, or someone publishes a document that came out of a senior executive's, uh, personal email account to, um, you know, a Reddit page or, or something else with sensitive information about their taxes, or a child gets a message, you know, through their PS5, um, about their parents and, and, you know, how bad their parents are, uh, to scare the kid, right?
 

Like, when those things happen, um, which happen more frequently than people understand, that's typically, you know, that, that tipping, um, when people say, okay, come on in, help us, help us fix this and get this fixed.  
 

[00:25:22] Chris Pierson: I mean, things go straight to DEF CON 5 at that point in time. I mean, they go, yeah, there's, they're straight in there. 
 

The bells, the alarm. I mean, they really, really is one of those things where folks are, you know, full blown, full reaction, um, always better to solve on the front end. I think the SEC guidance is going to prompt a lot of that. Yeah, things just go really, really fast when that executive team is being impacted. 
 

And when things move even faster when the significant other is being impacted and on the phone with you telling you that you're impacted or you're, uh, right. You might be the root cause of this and making then the company move even faster.  
 

[00:25:59] Marco Ciappelli: You know what? Almost 30 minutes in and we haven't mentioned artificial intelligence. 
 

I am very disappointed about that because AI, you know, but so my question goes there. I mean, is AI getting involved into this? We know we could create it. Yeah. Um, phishing that are way more credible than what they used to be. Any, any other thing that you're thinking ahead of 2024 here and, uh, and then you can kind of do a prediction. 
 

[00:26:29] Roland Cloutier: So I'll hit a couple of mine, Chris, and hand it off to you. I think, you know, what we've seen in AI, you know, voice recreation, uh, for twofold, for, for, uh, criminal financial crimes, targeting, um, family and family members with like use of voices. Um, of, of family members is, is one. Um, and the attack on, um, call center defense capabilities with, with AI. 
 

Um, so both from a voice and a reconstruct standpoint, um, as well as the, the ability, uh, that we've seen now with, uh, generative AI, which I didn't think it would come this quick, which is command and control over malware-popped devices to be able to answer questions or, or key responses back from, um, you know, a, uh, an assured device, uh, back into an infrastructure.

Like that's crazy. That's already happening. And we're 10 months into OpenAI capabilities for public consumption. So now what we've done is we've brought the barrier of, of access or club access for bad guys down to a very low level in comparison to the level of capabilities you needed to have a, a multi vector targeted attack for a sophistication like that.

We've brought it back down to the, you know, the 16 year olds in his boxer shorts and his parents' basement doing stupid stuff. And, um, that is only going to increase with, um, the automated capabilities around, um, creating code and creating scripting capabilities, um, and manage architectures using AI. So, uh, we've seen that happen, um, and we've seen the voice stuff happen.

The voice stuff gets really, really close to people's hearts, right? Because that's, so, by the way, happened to me once. I'm a chief security officer of a multinational company. I get a call from my mother, um, who's hysterically upset because my daughter called, saying, um, that she was hurt and, and needed, you know, money to, to, to get help and couldn't reach me.
 

My daughter was unreachable at that time and they knew through research, um, what she did for activities. So they, they were able to layer that in. I finally got a hold of her. Um, uh, she was at university doing the job, you know, that she was doing. And, um, but for that, 30 minute window, you know, I'm, I'm ready to call out you like team six and say, Hey guys, can you get a helicopter over here? 
 

Like, I mean, like, and, uh, you know, and I do this for a living and knew 90 percent of my heart that it was, you know, it was a phone freaking, uh, you know, person trying to, scare her, but, um, Like that, when that happens, you know, it, it really, it, it changes you and it changes, it changes the, the executive. 
 

So I think we're going to continue to see that it's, it makes people easy targets. Um, and those are the two we should be really looking out for this year.  
 

[00:29:42] Chris Pierson: I love them. And I didn't know what Roland was going to say. So this will be interesting. Absolutely. A hundred percent agree. Let's go through them. But first it needs to be really, really set up front. 
 

All of the current old low and slow methods are 100 percent still in place. And why? Because they require no change whatsoever. You can keep on doing what you're doing. People are still getting duped. People are still paying. People still doing romance scam, the crypto scam, this scam. They're doing all of those things all the same way.
 

So it's, that's the big, massive, uh, grouping of things. However, for those people that are super special, for those people that are on the about us leadership page, for those people of a, of a company, for those people that are in those key positions, You know, the cyber criminals in nation states are actually expending money. 
 

They're actually expending money on things like making sure the emails are written better, looking, uh, you know, looking, uh, looking better and all the rest to try to do people, not just in terms of the, oh, we're turning off your Netflix account. Talking in terms of like more sophisticated emails. They're being used in terms of, uh, uh, the, uh, language learning models there. 
 

We've seen it. We know it's happening. I think it's being used in, uh, more, uh, more and more each day. And it actually has hit the masses. The phishing emails that we're seeing now are much, much better for just the regular, low and slow stuff. Um, they're going to keep on using that. Second one is voice, uh, clients, uh, clients of ours, uh, clients that come to us. 
 

They are being impacted by, uh, voice, uh, calls that are fake, that are fake generated. A lot of them are actually around the, Hey, child's been kidnapped. Somebody screaming type of thing, something that actually triggers a human emotional response, uh, within that person and they trigger over from left brain to right brain because there's enough of a recognition over a phone line, which might not be the clearest way of communicating, over a phone line that that is someone that sounds like your son, your daughter, your grandson, your granddaughter. Um, we're going to continue to see that a lot more. The video stuff, right, that'll be more in terms of like election interference type of stuff. Not really in terms of pure scam right now. The voice stuff, really easy to do, uh, much easier to do.
 

The other one that we're seeing is a third thing that we're seeing is much better OSINT and automation around the OSINT. It's pretty right. The ability to actually take the 10 executives that are on the website, put them through the hopper, go get the dark web information out about them, figure out who their husband and wife or spouse is and stuff like that, have that come back into an attack pattern and then actually automate that process so you can hit more people, more targets. 
 

That's good business. It's good business for the cyber criminals to be able to do that, to shorten their research time, get deeper levels of research. And we know that they are actively using that. The example that Roland said, we've seen that a number of times, mostly from like a social media, uh, post. You know, so and so is doing a soccer game, a football game, a, you know, swimming competition, whatever. 
 

The parent knows that they're out of, out of contact. The cyber criminals know that they're going to be out of contact as they're doing their activity. Um, and they take advantage of those situations. So they're stitching together different pieces of data in a live real time format and taking care to look for interesting opportunities to pounce. 
 

Um, I think artificial intelligence is only going to make those more effective on the research side. More effective on the attack side and more effective on, why not say on the collection side of it because of the speed, uh, to market that they're able to do those and also change those. Um, I, I'm waiting for what happens from this year's IC3 report. 
 

It'll be interesting. Last year was 10.2, 10.3 billion. So now drop the bucket. It's probably more like a hundred because people don't know who to report to, but I think you're going to see a marked increase, uh, this, this next year as well, uh, from, uh, from prior trends. So, and I think. As I said, for criminals latch on more to, uh, more to AI, uh, and it just becomes so much easier to use.
 

Uh, you're going to see a lot more of the attacks get that of the old attacks. Get layered on with a new twist or get polished off. And it's that polishing. Business email compromise. Tried and true. Polished off in terms of English vernacular. Going to be made much better. The, uh, tech support scams will be made much better through AI. 
 

The, uh, uh, you know, kidnapping, virtual kidnapping, virtual accident type of thing, right? Going to be made much better through AI. It's almost like It's almost like back to 2014 2013 Roland RSA. You remember it was like intelligence inside, intelligence inside. It's like cyber criminals are really going to be looking for the old scams that they're doing, running the tables on them, but each one adding AI inside to enhance, uh, the front end of it, the deployment of it, or the tech side of it. 
 

[00:34:22] Sean Martin: And is extortion a big thing? It must be.  
 

[00:34:27] Chris Pierson: Oh, we see, we see extortion. All the time. And it isn't just extortion in terms of like corporation ransomware pay now, or we release it. Yes. That extortion is happening. And the personal side, it's a, we've got your emails. We can see your trust and estate documents. 
 

That's, that's one of the big ones. We can see your tax returns. We can see all the communications with your attorney. Privileged and confidential communications with your attorney on how to go ahead and save five million, seven million, all the rest there. And you know, always in those communications is a, I want to pay as little money as possible. 
 

Somewhere appears in writing from the individual. I mean, you have that, you have other things in terms of just family situations and moments because people are Right, using devices that are all interconnected. Um, and so you see a lot of those texts and text messages. You see all the pictures, private, personal, family moments. 
 

All of that is for gain when there's been an intrusion in the personal life. Um, and that gets really, really, really nasty really quickly. Nothing impacts a family. Nothing impacts, uh, uh, um, even, you know, executives, nothing impacts them more than some type of issue or incident at the home that they then have to respond to. 
 

[00:35:37] Roland Cloutier: Yeah. And we should talk about protection too, because I think it's important, you know, having been there and seeing families extremely. You know, um, affected by, by threats. I mean, I mean, truly, you know, sometimes you have people that really, really mean it and really, really want to do harm. And other times they're just really upset and, and want to mess with, you know, the executive that they feel did them wrong and in the process of that, doing all the things that Chris just mentioned about background research, their kids, they insert themselves technically into these executives lives in different ways. 
 

To terrorize, to, to, you know, um, make them extremely scared for the wellbeing and safety of their family, um, which affects them affects, you know, their, you know, their capabilities at work. It, uh, you know, it affects a lot of things and, um, it's. If they are not appropriately defended, um, in their personal lives at that technology level, they don't understand their digital exhaust, their digital footprint that they leave and what is available to anybody in the outside world with, with a little bit of skill. 
 

They leave themselves open to that terror in a way. And, and I think it's incumbent on us to explain that. Um, and it's incumbent on us to show it to them to say. This didn't come from inside. This came from a open source, you know, Intel review about you, and your family, and your three kids, and their soccer game tomorrow, and the PTA meeting your wife is chairing, right? 
 

Like, this is your life on the internet. And so this is why this is important. And, uh, sometimes it's a hard discussion and obviously you want to have the right program set up and say you're going to be doing these things and, and that sort of thing. But the education is so important because again, that, that barrier of entry is lowering itself.
 

So our ability to protect them externally has to go up subsequently.  
 

[00:37:42] Marco Ciappelli: Well, that's an incredible point too, because I'm going to What you said, like we, we hear, we talk about this all the time, the societal part, the psychology part that come in, but I go back to, if you don't understand the technology, it sounds like magic to you. 
 

And the reason why I'm saying this is because if you are not even aware that, uh, artificial intelligence, generative artificial intelligence can recreate your daughter voice. And you still freaked out your story, right? And you know that imagine not even knowing that there is that possibility. It's it's a completely like,  
 

[00:38:19] Roland Cloutier: I can't even put myself there. 
 

Like, like, I know how freaked out I was. I can't put myself in a person. That's a sales. That's a sales guy. You know that, you know. Um, downsize his entire group and all of a sudden he's being threatened over the internet or his, his, you know, 14 year old daughter is being threatened over the internet where their mind goes, right? 
 

Like it's, you know, um, and it's scary and, and you're right. It, people that, and it's, it's not that they're not educated, they just don't understand it. And when you don't understand it, your mind goes to some really dark places.  
 

[00:38:51] Marco Ciappelli: And education, Chris, we talked about that a lot. It's a big part of what you do. 
 

[00:38:57] Chris Pierson: Absolutely. 100%. The education, the education allows for the opportunity for the mind to move back from a passionate, uh, you know, uh, uh, side, you know, kind of the fight or flight back over into a logical thinking context of how do I actually verify this? How can I actually think about this more? What are some steps I can take? 
 

And really the education just helps you flip the train track. Once again, it takes the element of time and it elongates it. Cyber criminals, right? All want to shorten time. What it does is it elongates time, allows you a chance and opportunity to think through things, allows a chance and opportunity for other people to get involved and influence your thinking, and allows you to get back on that lot more logical track, uh, thinking. 
 

But I mean, it's, it's like issue it's issue spotting. I mean, it's, it's absolutely issue spotting. I mean, law enforcement enrollments, personal life, it's muscle memory. It's issue spotting. And once you do that and see that a lot, we see that a lot in this industry. But right when it transcends out to other areas, they don't, they don't see that as much. 
 

And so that's what you really want to do. Harden the human.  
 

[00:40:03] Sean Martin: So when, when the understanding comes, and I don't know if you have any stories from the event that you can share with how, what feedback you got after you presented to folks, I'm really interested in what are those next steps, right? How do you, how do you begin that engagement beyond the conversation to come to a common understanding of what. 
 

What's necessary. What are those steps?  
 

[00:40:29] Roland Cloutier: I, you know, I think I'll start on the On the business side and then, you know, how, you know, it can be handed off and the real work that can be done. I think, um, I, you know, it's funny because we got done speaking and a bunch of people that came up after and there was like lines and they were like, you know, this happened to us and this happened to us. 
 

I had a very, very large, a wealthy family of a multinational, um, company, the, the, uh, EP director for the organization came up and said, we've been going through this issue. Where, um, they, you know, essentially bad guys infiltrated the entire family at the same time in their emails. And, and there was, uh, there was corporate information and they had, you know, they had corporate infrastructure in their house and, you know, it had just been an incredible, uh, nutshell for them. 
 

Uh, for months, trying to get it cleaned up, trying to investigate, find out what they were trying to do, where they were at, you know, there was malware involved, there was, uh, money transfers involved, there was, I mean, it was, it was, it was craziness because, and we've been dealing with it for months. So I, I think the opportunity here for us, for my peers out there is to take a step back and say, okay, what do we, what are the, what are the services we have? 
 

And what don't we have and how complete are they and where they're not complete. And they're in, especially around the digital life of an executive or a key personnel. Um, how do I start a process that either we can manage and maintain, uh, some portions of that internally or outsources to partners like Chris, um, who can manage the whole thing and have a good segmentation of duties and responsibilities. 
 

So there's. There's no weirdness there from a corporate environment. And then how do I explain it? Like, how do, how do I sit down and do a four page or five page deck for the ELT that says, this is what's happening. This is what could happen. And here's an example. For an example, I would use my personal life. 
 

I'd have an OSINT or Chris's team or someone do a deep dive on me saying, here's Roland's life. You know, I'm a security person, but here's my life outside and that of my children, my wife, everything else, based on the little information that I gave them, imagine what yours looks like. What we want to do is help clean that up.
 

We want to help make sure that you're protected and we want to introduce a service that you can opt in or out. You let me know personally, and we'll get that started, right? Like, I think that's a great starting point to have that discussion inside companies through education. A little bit of shock and awe, and an ability for them to, to manage it personally and separately from the organization. 
 

[00:43:21] Chris Pierson: I love everything Roland just said. I mean, it's, it's, you know, showing and providing value. Showing what is actually happening at time 1. Showing what can happen in terms of a holistic solution to mitigate the privacy issues, the cyber issues, the home issues. And then really what people want is they want that trusted concierge. 
 

They want someone to call. They don't want to have to sit there and go on Google. Hey, you know, is my Amazon Alexa safe and how do I know? And how do I, whatever, and then read through 20 articles and figure out which ones are telling the truth or not, or, or which ones are accurate and how to actually take action on it. 
 

They want someone to help them on their journey and their digital life. Um, so yeah, all starts good on the risk assessment side. You know, proactive protection, remediation, shrinking things down. So you become a harder target. Um, but, uh, you know, it's like, uh, it's more times than not. What actually really goes in for the win is making sure that in somebody's time of need, whether it be in terms of an incident or an issue later on, or just in terms of their questions, uh, tons of questions every day, the concierge team handles tons. 
 

That's where people really find the connection. They don't want to read a blog. They don't want just some email back. They want to literally talk to someone, have them show them, have them fix it, have them work with them. It's that human element re imagined into the process. And that's what people really love. 
 

And we know, we know CISOs and CSOs love it because that's what they hear back from their executives and their families. But we know more so that that's what the executives and families want. They want that trusted. Uh, third party, they want that trusted advice and guidance. And so. Um, totally agree with Roland and then some. 
 

[00:45:03] Sean Martin: And it's a family engagement, right? Oh, absolutely. Full on. Yeah, absolutely. Because it's family, family culture, not just that one person.  
 

[00:45:12] Chris Pierson: It's, it's, it's, it is really that familial unit that needs to be protected. But, but here's the cool thing. They all need to be protected differently. And the husband might be, hey, I don't care what information is out there about me. 
 

And the wife might say, well, I actually do. They have different settings on their iPhones and all the rest. It has to be bespoke. And it has to be done per person, not per family, per person, per individual, per device, and it has to change, right? Children that are 12 years old, you're going to have some different settings than the 16 years old that are different than the settings that are the children that are 22 year olds that might be coming back from college and all the rest. 
 

It really takes that bespoke aspect of it to the next level.  
 

[00:45:52] Marco Ciappelli: Yeah. Well, you're definitely, it's kind of like, uh, thinking in terms of, we're not going to stop your life. We're not going to take the device away from you. You're still going to live your life, but we're not going to stop replying email to stop the phishing, right? 
 

We're just going to try to make it safer. So this was a fantastic conversation. I think it got a lot of thing in my head, especially the whole AI thing. I pretty sure that people listening here, they will be interested in learning more about it. There will be links to connect with you guys. And of course, learn more about BlackCloak in the notes.
 

And, uh, Sean, I think you'll learn a lot here, so stop, uh, stop, like, telling things around everyone.  
 

[00:46:37] Sean Martin: Well, I think, uh, the response to executive denial of service is executive resilience. Right. That's it. And, uh, so I think that's the, that's the main point here is, and that doesn't happen magically. You need to take, take some action to understand what the risks are and what those gaps are between the organization and that personal life and, and to close them. 
 

And that's where, that's where Chris comes in.  
 

[00:47:05] Chris Pierson: Absolutely.  
 

[00:47:07] Marco Ciappelli: All right. Well, thank you very much, everybody. Looking forward to our next chapter. Oh, yes. More stories coming from Chris, BlackCloak, and Roland. Excellent. Excellent conversation.
 

[00:47:20] Sean Martin: Thanks for having me on, man.  
 

[00:47:22] Chris Pierson: Thanks, guys. Appreciate it.  
 

[00:47:24] Marco Ciappelli: Bye, everybody. 
 

Thank you.