As cybercrime grows more sophisticated day by day, so do technical defenses. But great technology is no match for an employee clicking on a simple phishing email. Psychological security is designed to protect the human mind from manipulation that leads to compromises.
Today’s guest is Adam Anderson. Adam is chairman of the board for Hook Security and a serial cybersecurity entrepreneur. He is one of the founders of the Psychological Security Movement. Psychological Security, or “Psy-Sec,” was born to create new technologies and processes to help build resilient human minds that can resist manipulations through technology.
- [1:10] – Adam introduces himself as a serial cybersecurity entrepreneur who has launched 21 companies over 20 years. He is passionate about this topic.
- [2:24] – The human part of cybersecurity is always the weakest link.
- [4:01] – Chris and Adam discuss how when you work in IT, you look at things through an IT lens, but there is a human side.
- [5:21] – Security is typically an afterthought which comes after an incident.
- [5:51] – Adam breaks down the meaning of security and what types you will see within a company or corporation as being physical security and info security.
- [6:42] – Adam says that both types of security are vulnerable to social engineering.
- [7:31] – Hook Security was created after Adam worked in frustration for 20 years. He is chairman of the board and hired a successful educator as CEO who is an expert in how people learn.
- [9:23] – Adam is a firm believer that “Psy-Sec” needs to be a separate department of professionals who can work to build resilience in human brains to resist manipulation.
- [11:15] – It is unreasonable to expect the IT department to be proficient in the human interface as it is not in their skillset.
- [12:42] – Adam states that systems are 95% safe from compromise which is a great improvement, but when you have a large company, 5% is still too much.
- [13:12] – Right now, Adam is working with the cognitive brain function and explains the details on how this works in regards to psychological security.
- [15:10] – There are two ways to lay down memories and “fight or flight.” One is through fear and one is through humor.
- [16:27] – People are better at remembering something that made them laugh and Adam trains people with this in mind.
- [18:26] – Hook Security provides Security Awareness Training that people actually enjoy.
- [19:06] – Hook Security is being very careful with how they present their findings and taking their time with the science elements involved so that it is used for good and not as a tool for attackers.
- [21:54] – Social engineering is no different from simple marketing. Marketing is there to show you something that you may find valuable and hope that you click on it. Social engineering is the same, but “with a different punch line.”
- [22:56] – There’s a database. You’re in it. You are a product. If you are getting something for free or are paying something low, you are the product. Adam uses a Netflix example to demonstrate this.
- [24:52] – With the way YouTube and Netflix work, you are trusting big corporations to have your best interests at heart.
- [25:52] – We are all wired to help others. These hard-wired responses allow marketers and attackers to take advantage.
- [27:16] – Chris and Adam discuss that the way marketing works is not a bad thing because they want to see the recommendations based on their interests. But they can be used negatively.
- [28:39] – Fake news and “echo chambers” that we find ourselves in are designed to polarize people to different extremes.
- [30:02] – Just like marketers who know who they are targeting to sell to, cybercriminals know what your triggers are to manipulate you into a compromising situation.
- [31:46] – There are different types of triggers that cause us to fall for scams.
- [32:08] – These triggers are wonderful when they happen organically and to help others but are terrifying when they are used against us.
- [33:53] – Learning how to pause and evaluating whether something is true or not is crucial. If you can’t do that, Adam says to “reprogram your auto-pilot.”
- [36:14] – Your perception of the phone is that it is something that you get a lot of value from but it is also a place where people will call you and text you with fraudulent stuff. Some people can pause and question it and some cannot.
- [38:12] – We all have blind spots and we don’t know what they are, so always have a support system to get others’ opinions on the matter before making certain choices.
- [39:50] – It is imperative that we treat this seriously. We are throwing a burden on our “nerds” by having them try to understand the nuances of the human brain.
- [41:39] – None of this science is new. We just need to apply it.
Can you tell our audience who you are and how you got to be where you're at?
I am Adam Anderson. I am a Virgo. I used to enjoy long walks on the beach, but I am getting older and I like those walks to be shorter. Sometimes I just stare at the water. I am a serial cybersecurity entrepreneur. I've launched about 21 companies and I've done the cybersecurity thing for a little over 20 years. My first gig was this little thing called Y2K back in 1999. You're welcome. I'll take all the credit I deserve. Let's not dig into it. I am just wildly excited about cybersecurity because I think cyber security's role in our world is to make sure that it functions as intended.
We got all these bad guys trying to disrupt what we're doing, take what we have, and I think that we make a better planet and a better world by organizations doing their mission, and cybersecurity is what steps in to really enable these folks to do their jobs without having to worry about the disruptions that they might face. It's a heavy burden that we're carrying, but I believe that if we do the right things, we might even have a chance of eradicating cybercrime as we know it in 30 years. It's a thing and it takes some time.
It will definitely take some time because there are humans involved and humans are almost always the weakest link when it comes to security.
The human part of it is exactly what we're talking about today. That was my conclusion. How many of us have built cyber fortresses? It's glorious. We're doing 72-hour straight installs, we're doing all the things, and we finally go home, and our spouses are proud of us. You did it, you secured the company. Then somebody in accounting clicked on an email they shouldn't and they lowered the drawbridge and you're like, “I don't even know what I'm doing here anymore. What was that 72 hours for?” It's not that they're stupid. I don't resonate with the ID10T error or the “there's a problem with the interface between the chair and the keyboard” comments anymore.
I remember back in the day we used to call the business side “end losers” not “end users” because it always seemed like they were making silly mistakes. It’s taken me a very, very long time to realize that's not the case at all. They're actually producing a crazy amount of value for the organization and security is an afterthought to them. They're busy doing the mission and I think that's an important distinction. At least it was for me on how I began to see the overarching problem of cybersecurity and what my role in that was.
I've spent a great many years in IT as well. We, in the IT field, look at everything through an IT lens. “Why don't you understand how computers work?” “Why don't you understand how the technology works?” “There must be something wrong with you.” When those on the other side are saying, “Why don't you understand how people work?” “Why don’t you understand how to be nice?”
That’s right. Where are your social skills, brother? Bring them to the table. We really would appreciate it.
There are definitely two viewpoints on this.
Right. I wrote a book called Emotional Intelligence for Cyber Security Professionals, which my mother thought was great. I don't think anyone else has read it, and that's fine. I'm good enough here. I don't need to. The whole premise was the number one cybersecurity risk facing the world was the nerd’s inability to have a conversation with a CFO and win budget. Because we can't communicate clearly and effectively for human-to-human, you don't get the funding to do the projects to reduce the risk. I think it is just that simple. Human interaction is the key to security and being safe.
Unfortunately for lots of large institutions and probably even smaller ones, it's the security incident which raises awareness of security issues. It's some failure that happened and it's either been a financial loss to the company or a PR nightmare, because, “Oh gosh, we spilled 100,000 names, addresses, Social Security Numbers, banking info to the public. Now we are dealing with the backlash.”
Let’s take a step back and I know that there's something that you want to add to our security. What are the kind of existing colors of security as you see it?
Security is traditionally broken into two things. You have your corporate security, which is often referred to as physical security. Think guards, gates, guns, booths, all that kind of stuff. You have the physical deterrents that are set up to stop a human being from walking into a facility, walking into an organization, and doing something they're not supposed to.
Then you have info security which is all about how we protect data. How do we protect all of the cyber infrastructure, the digital infrastructure? You have cybersecurity also known as InfoSec and then you have physical security. What we were finding is that both of those were super vulnerable to social manipulation or social engineering. You can think of physical security as the conman. Somebody who is just wildly slick, very charismatic or OK enough that they trigger your desire to help them. Then they're able to manipulate you through that.
The same thing's true on the cyber side. As we talked about these giant cybersecurity fortresses that these folks build, then you have somebody click on this thing. That's due to a manipulation of the person and not the technology.
After about 20 years at this being very frustrated, I realized that we had to do something about that. I founded a company called Hook Security. I built it up a little bit and immediately fired myself because I start things, I don't run them. Now, I am chairman of the board of Hook Security, and I've got an amazing team who's doing the things.
By the way, I have to brag for just a moment. I didn't hire a cybersecurity person to run this company. I hired a guy who was a successful educator, who had launched two high schools and middle school, and was on the cutting edge on how people learn. This goes into the third sphere or the third pillar of psychological security, which is how do you build a resilient brain that resists manipulation through technology, or through coercion, or any of these social engineering platforms.
We've been depending on the cybersecurity guy to handle it because it's often through the technology that we get attacked. So we say, “Well, that must be a cybercrime. You need to handle that, Cyber Security Guy.” Meanwhile, I'm over here saying, “I’ve got these firewalls, and I've got patch management, and I've got all these things. I'm blocking and tackling them like crazy. How much more budget are you going to give me? Are you going to give me more resources?” “No, no, no, you got it. You're fine.” We're just asking so much, but what I realized, nobody asks a cybersecurity guy to carry a gun and guard a gate. Why in the world are we asking them to take over the responsibilities of securing the human mind? It just makes no sense.
That’s my mission right now: to say, “Yes, we have physical security, we have info security, and now we need psychological security.” We need PsySec. My posit to the world is it's time to have that be its own market, its own pillar, its own resource, put it in the new standards, let's focus on the human mind as its own thing.
That makes a lot of sense that you want physical security people to keep working the physical security. You wouldn't expect those guys to be doing firmware patches and things like that. You wouldn't expect the cybersecurity guys, like you said, to be carrying a gun walking around the building in the middle of the night. Although, they probably do walk around the building in the middle of the night, but they just don't carry a gun.
Oh yeah, it’s Red Bull or some kind of energy drink going, “How do I fix this problem? More caffeine.”
Somehow, IT guys always end up working nights, weekends, and holidays when everybody else is off.
I heard no bitterness in that or personal experience.
This is my rant, this is my vent. I think probably the closest one of those that I had was coming in with a team of people to do some server migrations Friday morning after Thanksgiving and we worked all the way through until everybody rolled in the office Monday morning.
But they got you pizza.
It was sandwiches, I think. They fed us, but it was one of those things. Everybody else was like, “I had this great Thanksgiving weekend.” All the rest of the IT guys were like, “I just want to go home.”
That's exactly right. Sleep on the floor. Nope.
It makes sense that you don't want the IT guys trying to train on the human interface, so to speak, and that’s not their skill set. It's unreasonable to expect that they would be the right person to do that.
I love the way you put that: the human interface. If you look at that example of somebody clicked on something that they shouldn't. Let's pretend the dude's name is Bill and Bill is in marketing, and what Bill is really good at is marketing. He is amazing at creating copy, amazing at all of this stuff. For us to say we want you to be less amazing and put this awareness in your brain about how cybercrime works, and we try to train that person to be a cybersecurity expert, that just doesn't work. That’s the wrong thing.
When you look at it as the human brain is a computer and the interface, and we tried to put IT methodologies to play on how to train and how to educate people, we are successful to a certain point, but there is no company or organization out there where that strategy is getting them below 5%. It’s still 95% safe, 5% not safe, but if you have 100,000 employees, they're coming in.
Five percent mistake is too high.
Without a doubt. And that's OK. It's all right because before we had 100% vulnerability. The fact we brought it down to 5%, I am not throwing shade at what we have done up to this point. All I'm suggesting is it's time to take that next step.
How do you envision that next step being taken?
Let's get into the brain. What we're doing right now is training the cognitive processing part of the brain, and that brain only has a certain amount of bandwidth. I'm going to get the number wrong, but I think it's about 128 bits of processing power. That's your cognitive brain and then you have to teach it and learn it. That's exactly what we did through school with rote memorization. There's a lot of effort that goes into cognitive brain functions before you put it back into muscle memory.
We're all very familiar with that. “Here's your vocabulary wordlist. Memorize it.” “Oh crap.” Some of us are really good at it. Most of us are not. Even after repetitive training, you get to about 80% of people get it, 20% don't.
They often get it three days after the test.
Exactly. You keep on doing it boom, boom, boom. What we say and what we're looking at, the science actually is pretty old. We want to move it from the cognitive training that happens in the brain’s frontal cortex and we want to move it back into the older parts of the brain, the amygdala. This is one of the lower parts of the brain and this is the part of the brain that doesn't have the capacity for language. It has the capacity to act, though. This is what gets triggered when you see a snake and you jump before you even know that there's a snake there.
It’s the fight, flight, or freeze response?
That is it. That's exactly it. What we are trying to do and what we believe we succeeded at—now what we're trying to do is apply this to PsySec—is that studies have been done, there's research, and there are methodologies for training that fight or flight response without having the frontal cortex cognitively know what's going on. This new approach is to apply these kinds of sciences to the fight or flight response.
This is my favorite part of it. There are two ways to lay down memories and lay down these fight or flights. It's usually between humor and horror. You either scare the crap out of somebody or you make them laugh. We tried this before. Yes, scare the crap out of you and eventually, you become desensitized to the fear. I think back to World War II, London's being bombed, and eventually, the Londoners just walk around like their normal day because they just reach a capacity where they can't process the fear and they just throw it away. That's what happens. I might get budget the first time I tell you that we need it and scare the crap out of you, but I'm probably not going to get it the fifth time.
The idea is the same thing with training. When you can get a humorous response and you can entertain a person, they become so much more receptive to being trained. We say that cybersecurity and psychological security are far too important to be taken seriously. You’ve got to have some fun with this.
What I hear you saying is people are better at remembering what happened on a Friends episode.
What's that funny thing Joey said that one time? Right?
I'm going to steal that. I'm going to use that in my next talk. I’ll be like, “Now, you can remember what happened in episode do-do-do, right?” Humor is sticky, horror is sticky, but we don't want to live on the other side. You don't build healthy cultures inside of organizations when you scare the crap out of people. What you do is if you can encourage someone to have an entertaining experience while they're in the middle of training, and then they share that funny thing with somebody next to them, you end up getting a trainee to a trainer and you spread a healthy culture as a side effect of security, which I absolutely love. Again, I believe security’s job is to facilitate the operations of the organization and prevent disruption. If we could be the guys everyone wants to hang out with at the Christmas party, how cool would that be?
That would be awesome.
Chris isn't in the corner anymore; he’s at the cool kid table. Here comes security, we love you, come in. Your jokes are hilarious. That's the kicker there.
The progression from where we are is almost every company on the planet right now on the Fortune 500, Fortune 1000, has some kind of cyber awareness training that is shoving information into the frontal cortex and trying to take up that amazing talented marketing person’s bandwidth for producing the genius that they're hired for by forcing them to become a cybersecurity expert.
We're heading with the new sciences and then the new technologies that we're getting from other people's research is how do we get that fight, flight, and freeze program the way it needs to be in that lower brain.
Is that what Hook Security does? Do you do training for people?
Yeah. We are in that cyber awareness training vertical, and we're doing the same kind of things that everybody else is doing because the new sciences and the new technologies aren't actually produced right to the point where we're ready to go with all that. That's what's in the hopper. As we get ready for that, we apply a lot of the different sciences as we're still doing some of that frontal cortex training because you still need to have some of that. It's really designed to be a platform where when the science is ready to go, we can launch it.
Let me be clear, the science is ready to go, but we have to be very, very careful how we use this because as soon as we have something out there that says, “I can subconsciously reprogram a human being through entertainment….” Did I say Facebook? I didn’t mean to say that. You get where I'm going. We're being very, very careful with the thing that we're dealing with, because it's a powerful tool that if you don't use it correctly, it can be abused. This isn't a rush-it-to-market thing. This is to get it right and get it safe so that we do good in the world and not provide tools for harm.
Do you have this specific list of cybersecurity elements that you're wanting to address? Let's say spear phishing.
Yeah. I want to do all of the social engineering. Eventually, what we do is we will provide this training through all of the attack vectors. We’ll have people doing phone calls, we'll have text messages, you'll get emails, you'll go on social media platforms. People will walk through the front door and try to get all of the social engineering terms.
What we eventually want to do is find a real direct way of saying that no matter where this is coming from, it's all the same training. By the way, I want to take this one step further. I want to give this to my kids. I want them to be able to detect fake news. I need them to be able to detect manipulation through marketing. When PsySec gets solidified, we're going to be able to apply it to an awful lot of places.
It's interesting. I have hired a business coach and one of the things that we had talked about early on was just kind of like, “What are you doing on your regular day? When do you do this? When do you do that?” And he was like, “Do you use Facebook?” I’m like, “Yeah, I use Facebook.” He goes, “Do you have notifications turned on?” “Yeah, I have notifications turned on.” “How many notifications are you getting a day?” The wonderful thing is the phone will tell you that now. I was like, “I got 45 notifications.” That means that was 45 times that I prairie-dogged or whatever they call it. A meerkat stood up and looked at something. I was like, “Oh my gosh.” You don't realize how—I don't know if insidious is the right word or invasive is the right word. Maybe they are. I don't think there's evil intent behind it. They're just trying to make sure that you come back to the platform.
I think you're really hitting on something here, because social engineering is no different than typical marketing. Marketing is there to introduce you to a concept that you might find valuable and then encourage you to take the next step. Social engineering is exactly the same thing, it's just that the punchline is different. Marketing, hopefully, you find a product, service, or experience that enriches your life. For social engineering, you're enriching someone's life. It’s just not yours, it’s the organization.
When you were talking about that, I was thinking about Netflix. Netflix has gotten to the point where it will change the thumbnail picture for the movie or show depending on your other experiences, whatever else you're watching so that you'll be more likely to click on that movie with a different thumbnail. If your listeners can take one thing away: there’s a database, you're in it, you're a product. And if you're getting something for free, you're the product. If you're paying something low, you're a product. The amount of interactions we have online are fueling these business-intelligent engines using machine learning to customize your experience.
I want to be real clear. I'm thankful for it because I am watching a lot more cool shows on Netflix. However, there's so much happening behind the scenes that I don't understand. What I want is not to disrupt and stop marketing from working. I don't want jobs to stop happening. I want somebody to be able to recognize that it's happening and choose to be thankful or not, to choose to participate in the manipulation, or to have control and resilience against it. I don't want to stop the behaviors, I just want the person in control of it.
I think some of that is a result of machine learning and artificial intelligence. It's not so much that someone is saying, “I think you should, that you will find this valuable,” but it's just an aggregate. Everybody went down this really squirrelly rabbit hole. I think they call it the YouTube conspiracy theory rabbit hole that regardless of what you watch on YouTube, the recommendations will tend towards some sort of extreme, some sort of conspiracy, and then the more of those that we watch, the more of an echo chamber that we get in. The system feeds itself and if you're not paying attention, you don't realize that you're going down this rabbit hole leading you astray, so to speak.
In each one of these things you are outlining a psychological warfare vector. Let's back off psychological warfare. That's different. We’re going to leave that to the military. Let’s say that you are describing the YouTube rabbit hole, with Netflix being able to do the thinking. What we're talking about here is that people are understanding how your brain works and they're giving you triggers. The idea that it's happened passively, you're trusting big corporations to have your best interests at heart.
I truly don't believe there are evil people sitting around a boardroom going, “We are going to make them, blah, blah.” What I think is going on is we have a responsibility to deliver profits to our shareholders and what is the way we can maximize this product launch. There are good people solving problems using technology that's at their disposal.
The problem is when the bad guys who are trying to cause harm use the exact same techniques, use the exact same plays. They're already playing into the “we’re all wired to help each other.” That's how we exist as a human race, is that if you say, “I need help,” I'm going to immediately ask you what's going on. If you show up authentically, vulnerable, and ask for help as a human, we could get triggered by that. It's these hardwired responses that marketers and cybercriminals are able to trigger and take advantage of. Again, take advantage of the strong. I love marketers. Bless your hearts, you're great.
It's the whole thing. I don’t want to say when it works the way it's supposed to versus when it works the way it's not supposed to. I don't know that that's necessarily the right phrasing, but like you said, I love it when Netflix recommends stuff that I would like. I love it when Amazon recommends other books that I might like.
When the technology works right and is recommending entertainment that I will enjoy, I like it. I don't even mind Google ads and ads being marketed towards me. Trust me, I'd rather see ads for technology than for shoes or draperies. If I'm going to have to see an ad, I'd rather see an ad for something that's of interest to me. Maybe I'll buy it, maybe I won't, but at least I'm not saying a red pen? Why are you marketing a red pen to me? I'm not a calligrapher. Why are you wasting your time and effort on me?
Hey, you might be really good at this. Why don’t you give it a shot?
Maybe I would be. What I don't like is when we talk about it when it leads us down these dark or echo chamber-y things where we don't realize that we've siloed ourselves.
That's the problem in the joy of the internet, isn't it? Never before have we had the ability to find echo chambers. We can find the people who believe what we believe and only hang out with them. I feel that this is a mission that is super important because yes, I want to stop cybercrime, and yes, I want to do all these things. But when I think of my 12-year-old daughter and I think of her having access to technology. What I'm most afraid of is she doesn't have the ability to do critical thinking about what she's seeing and hearing to determine what she believes and take control of that.
The fake news, all the manipulation through technology, it's a real strategy that is being deployed to polarize into extremes because people who are in extremes act. People who are not in extremes are very comfortable and don't do anything. If I need you to do something, I need horror or humor. I need you to go to some kind of extreme.
I'm just thinking of commercials. Commercials very much work that way. We’ll talk about the positive one. My wife and I always joke whenever we see a Subaru commercial, where's the dog? If I buy a Subaru, are you going to give me a free dog? I really like Subaru commercials because they're working family, community, taking care of one another. You never see “We've got the best fuel economy.” They might have good fuel economy. They're not promoting, “Hey, we’ve got, you know, 15 of these Whiz Bang awards.” They're promoting family.
Think about that marketer. They know exactly who they're selling to. They’re selling to your wife who is absolutely focused on family values and all that. She's assuming the car is safe, otherwise, it's not on the road. The marketers understand her triggers. You go to a cybercriminal who’s doing the exact same thing. They decide they're going to do a spear phishing-focused attack on the chief financial officer of Mega Corp ABC. They have the same kind of data to know exactly what to put on that person's table.
I have a real-world example. Financial controller CFO of a company gets an email at 4:50 PM on a Friday from the CEO saying, “I'm about to take this trip. I'm going to be out of pocket. I’m about to get on a plane. I need to send the money wire to blah, blah, blah, blah, blah.” They do because there is enough information in that email. Yes, the guy is going on a trip. Yes, there is this, this, and they know enough because they’ve done the market research or they’ve done the intelligence gathering to make it very difficult to detect what's not happening. It’s internal culture and awareness that these things do happen and it's OK to say, “Is this really you, Bob?” You should have called him.
If you can't get it, then the wires are not going through. The CFO needs not be punished to not send the wire if it's outside of normal operating procedures or if you can't validate it in some other form or fashion.
I interviewed a psychologist. Kind of like why we fall for scams. A couple of things that she talked about was there's an emotional trigger, there's an urgency trigger, and there’s an authority trigger.
If you combine all three of those, whether it's the lizard brain in us—you’ve hit all my little bells and whistles and so, therefore, I'm going to willy-nilly just walk into this without even thinking about it. It can be scary.
It’s our autopilot. It's how our society works and how humans interact with each other. I love it. It's magical when it happens in an organic way that helps everybody. But you hit it on the head there. It can be terrifying when somebody knows how all those triggers work and then applies it against us. It’s heavy stuff.
It's almost as if your training is to teach people to almost have an out-of-body or out-of-mind experience, to be able to disassociate from the situation and evaluate. Is there an emotional trigger? Is there an urgency trigger? Is there a greed trigger? Is there an authority trigger here? “Oh gosh, there's all those triggers. Let me take a breath and escalate and have an appropriate response because of that.”
That is the appropriate response. If you could just pause for a moment and say, “Wow that hit everything. That was well-crafted. Is there meaning behind this well-crafted message? If so, what are they actually trying to do?” That is literally it. If we can get the human race to pause after those triggers occur, when we have fight or flight, we freeze, we have some emotional trigger that is happening and we're on autopilot, if we can just pump the brakes on the autopilot for a split second and just look one step farther.
Now, I don't believe that this can happen all the time. I think that's completely exhausting. That's why we have to do the work to rewire autopilot. If you can do anything, learning how to pause and to question, “Is what I'm seeing and what I'm believing about what I'm seeing correct?” That is fantastic. If you can do that, that's what you should do. You should then also work on reprogramming that autopilot.
It's funny. I think you nailed it on the head there. I think I have reprogrammed the autopilot when it comes to phone calls. I can recognize the voice of my friends and family and people that I know. When I get a phone call from a number I don't know, it’s just immediately, I don't want to say I assume that it's a scam. I have no sense of fear about it. I'm aware of it and I pick up the phone and I’m immediately thinking, “This is ideal for the scams and stuff.” I immediately start thinking, “What's the scam? What are the hooks they’re trying to use?” I’m doing the evaluation of how good of a scam is this when they call.
I've been getting more calls or text messages these days where people know my name. Interestingly, I've been getting two text messages a day with my name and occasionally for the username that I've used in the past. Unfortunately, broad enough that I don't know what source it came from saying, “This is the US Postal Service. We have a package that we tried to deliver. It needs your signature. You weren't there when we tried to deliver today. Click on this link.” Of course, it's whizbang.info. I’m like, “That's not the US Postal Service.”
“The package ID is A513.” And I'm like, “US Postal Service is like 16 digits and that's all numbers, no letters.” I'm a geek. I know these kinds of things, but lots of people don't. Every time I get one of these I'm thinking, “Is this a good one? Is it a bad one?” I’ve had some pretty darn good ones.
You’re raising up something I think is super important. Your perception of the phone is that it is something that you get a lot of value of, but it's also a place where people are going to be calling you and texting you with fraudulent stuff. Before, we're like, “Is that a telemarketer? Is that a cybercriminal?” You can pause in the middle of it because of your perception. Part of rewiring autopilot is changing what you believe.
I’ll give you a real quick example. When my wife gets cut off in traffic, she is furious. She's like, “That jerk. He thinks he has the right of way.” She’s southern. She has a very colorful vocabulary when it comes to curse words. Because she believes that and he cuts somebody off again, that just doubles down, so now she's absolutely right. However, when I get cut off in traffic, I think, “That poor guy. He probably has to poop. I hope he makes it. I've been there.” Now my perception is there's somebody in trouble and neither one of us knows if we’re right or wrong. All we know is that guy cut me off and cut another guy off.
From my wife's point of view, he’s a horrible human being and anger. From my point of view, he's really got to use the bathroom and I hope he makes it on time. The same thing is true with technology. Part of this whole journey of PsySec is understanding your own beliefs about what's happening and then being able to take control of your perception of what's happening at the moment. You are great at that because you're in the middle of all this and you can see it, but I'm sure you've got blind spots in certain parts of your life.
That's the worst thing: we don't know where we have blind spots.
Yes. That's why having external help from organizations that say, “This is an important thing that we're going to need to address” is just so valuable. Some of it is what I like to call security theater. Security theater, to me, is stuff that makes you feel safe but it doesn't actually reduce the measurable risk. But without that emotional feeling of safety, you don't actually cross the finish line and become ready to be made safe. I can see that there's a lot of stuff that has to happen on multiple levels for security theater and actual security working well together.
For the listeners, in the green room, we were talking about how my dog has a particular time of the day where he has decided it's time for me to eat, and regardless of what I'm doing, he will get up out of his bed, shake, you can hear his dog tags rattle. Within the next five minutes, he'll be pawing at me saying, “Dad, it's time for dinner.”
I've never had the dogs say, “Adam, that's enough. You need to stop.” It's fantastic, though. In summary, it is absolutely imperative, I believe, that we treat this seriously. That it's not just another cyber-security problem. It's not just another thing and we are throwing a burden on our uber-nerds and our super-smart people who are keeping us safe on technology by having them try to understand all of the nuances of the stuff we just talked about. This should be a psychologist and HR problem, not a cyber-geek problem.
I totally agree. Allow people to work in their areas of expertise. Let the marketer be a great marketer. Let the IT guys, the security guys, be great at what they do, and bring in psychologists and people that can help us rewire our brains in positive ways. Not negative ways. We don't want that. No Kool-Aid.
Intentional with good in mind.
Yes, with good intention in mind. I love that you're thinking that way for your daughter. “OK, how can I train her?” It is an incredibly valuable skill to be able to step out of the moment and evaluate the situation. I think lots of people, the lizard brain kicks in and they're on autopilot and they don't even think until afterwards, “Why did I do that? Why did I say that? Why didn't I just hang up the phone? Why did I engage with the scammer?” I think there's a lot of benefits just even outside of cyber security or a security construct. It just helps us in a whole lot of areas of our lives beyond.
None of this is new science. It's just we need to apply it in a way that makes a lot of sense for today's day and age.
That's really cool. This is a field I'm definitely going to be watching.
If people want to learn more about what your company's doing, how do they find it? How do they find you?
You go to hooksecurity.co. Hooksecurity.com was taken by a very nice guy in Tennessee who owns a private guard system and we’re just like, “You know what? He gets it.” It’s hooksecurity.co. If you want to find me, I'm available on LinkedIn or you can find me on my YouTube channel, Adam Anderson CEO.
Great, Adam. Thank you so much for sharing with our audience today.