All security is personal. It’s important for each individual to understand the risk of predators so we can protect ourselves, our data, and our finances. Today’s guest is Robert Siciliano. Robert is a security expert and private investigator, number 1 Amazon best-selling author of five books, and an architect of the CSI Protection Certification, a cyber-social identity and personal protection security awareness training program. He is a frequent speaker and media commentator and the CEO of Safr.me. Robert has been featured on CNN, Fox News, and in The Wall Street Journal.
- [1:02] – Robert shares his background and career, beginning with self-defense training in the 90’s.
- [2:40] – At the start, Robert operated his business through a catalog and through live training. Once he offered credit card payments, he was hacked.
- [3:58] – There will always be a criminal element out there looking for a target.
- [5:01] – All security is personal, including both physical and virtual.
- [5:55] – Chris shares an experience of owning an online bookstore.
- [7:32] – Regardless of the value, there are people who are motivated to steal anything.
- [9:27] – Some people have the mentality that they don’t have anything valuable to steal. Humans are born with the innate ability to trust.
- [11:31] – It is also human nature to lie.
- [12:52] – It is getting easier and easier for people to make fake social media profiles that are very believable.
- [14:52] – Every time someone reaches out to you, be suspicious. It’s not paranoia.
- [16:55] – There are signs in communicating with others that may indicate that they are trying to do you harm.
- [18:20] – Most people are not doing even the basics of security.
- [19:30] – Some people believe that taking precaution is living in fear.
- [21:47] – Robert describes denial and why people live that way.
- [24:17] – Robert’s career is built on selling the concept of security.
- [25:32] – There is no such thing as a safe neighborhood.
- [26:52] – Once we get the basics down, we can make advances in security.
- [28:35] – Most cyber security awareness training only includes content about phishing. This is to meet compliance but doesn’t solve many problems.
- [30:18] – Security awareness training works when it makes security matter to the individual personally.
- [32:12] – For many organizations and security companies, they treat security as business.
- [34:40] – Teaching security through fear is not effective.
- [36:00] – It is important to have uncomfortable conversations regarding security with your family from time to time.
- [37:16] – Robert explains the future impact of the Equifax data breach if security strategies have not changed for an individual.
- [40:25] – Robert has frozen his credit since 2008.
- [42:53] – The “Grandma Test” is asking yourself if something is manageable by everyone.
- [45:36] – Robert uses the example of seatbelt use, which took decades to become the norm.
- [47:12] – CSI Protection is a 6 hour course that Robert offers that includes interaction with experts.
- [49:03] – These courses are geared towards those in the service industry.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Robert, thank you so much for coming on The Easy Prey Podcast today.
Thank you so much. It's an honor to be here.
Thank you. Can you give me and the audience a little background about who you are and what got you started?
I'm Robert Siciliano. I'm Boston-based, which means I have never parked a car at Harvard yard ever. I have been teaching, training small businesses, men and women, homeowners, large corporations, on security awareness since the mid-90s.
Security awareness training is what I do. It's how I feed the family. My company is protectnowllc.com. We provide online, live learning, pre-recorded e-learning, and of course, on-site security awareness training, full-day workshop, the whole thing.
I speak to all things cybersecurity, social media security, online reputation management, identity theft protection and prevention, and personal security as it relates to violence and theft prevention, which is really how I got into this. Teaching women self-defense is how I started back in 1995.
I was about to say, it's got to be a pretty significant change in that personal protection going from the '90s of, “Hey, here's how to keep someone from grabbing you,” to, “Now you've got to worry about your accounts being hacked and your devices being taken over.” It's quite a shift.
Yes and no. For me, it was a process that was evolutionary. It evolved. Back in '95 when I started my small business, it was a mail order catalog business selling pepper sprays, stun guns, and educational videos on self-defense. Eventually, I started teaching live programs.
Once I had the ability to accept Visa, MasterCard, and American Express, merchant status back in ’96, I was hacked. I had an IBM PS/1 consultant, Windows 3.10 PC with 150 megabyte hard drive, and I got hacked. I had thousands and thousands of dollars of credit card fraud occur. I was beside myself.
Back then, thousands of dollars of credit card fraud, for me, was a huge loss, and I wanted to know how they did it. That was my first foray into any type of digital fraud. I essentially investigated how it occurred, actually found some of the people that perpetrated that fraud, and I became highly interested in how they did what they did.
Going forward, my focus revolving around personal security became more than physical violence. Really at this point, still to this day, personal security is violence and theft prevention in both the physical and virtual world. It was back then and it still is today, even more so.
That makes sense. It isn't as big of a shift as I was thinking it might be.
There always has been, there is, and there always will be a criminal element out there seeking their next victim. It's always going to be like that. Bad guys are always looking for their next hit.
In the physical world, that might mean somebody breaking into your home, somebody assaulting you on the streets, somebody pickpocketing you. It could mean a phone call, someone posing as the IRS—the FBI for that matter—or the Social Security Administration.
It's a knock on the door, somebody posing as the local alarm company that wants to check out your house and turns into a home invader. Or it's a criminal hacker in the Eastern Bloc who has compromised a database of 70 million Social Security numbers and uses that to open up new accounts under your name. It all, in the end, is personal security.
Our philosophy is all security is personal. All security is personal. It all begins with the individual. Once the individual, you or I, understand what our risks are and how to protect ourselves individually, how to protect our bodies, how to protect our identities, how to protect our money, our families, that's when we become capable of protecting, as an employee, the data in which we are entrusted with. That's for frontline employees all the way up to the CEO of the corporation.
If the CEO of the corporation is using princess as a password, then his entire company is going to fail because he is setting up a highly poor example. It really begins at the top and it works its way all the way down.
I know. I think my first experience similar to yours was not being hacked, but back in the early 2000s, I decided that it would be smart to try to compete against Amazon. I had a little online bookstore. A big month I'd maybe do a couple of $1000 in sales, but it was a good business to be in. It was while I was kind of going to college and whatnot.
I remember one Christmas, I got this one order that was about $5000. I'm like, “Oh, this is awesome. I finally made the big time. I'm a real reseller now.” I ran the credit card and they said, “Hey, can you ship it here?” It was a big order. “We'll pay for it with our FedEx number.” I'm like, “OK, that's great.”
I box it up and take it down to FedEx. FedEx happily takes it under that person's FedEx account number. They shipped it out and about a month later, my merchant account got shut down. I'm like, “I'm trying to process these $10 or $20 orders and it's like, ‘No, this merchant account doesn't work anymore.’”
I called up the merchant company. I'm like, “What's the deal?” “Oh, you had a fraudulent order. That $5000 order was fraudulent. It was a stolen credit card. We've decided that you're too much of a risk and we're not going to do business with you anymore.”
Of course, they reversed the charge and it took the $5000 out of my bank account at that point. That was all my profit for the last three or four months. I thought, “OK, this is not the business I want to be in.” It was very much a rude awakening of like, “Oh, gosh. Fake orders. Why would someone want to steal thousands of dollars of books?”
Steal a car. Steal something that has value, but $10 books seemed silly to me. It was that realization that scammers and crooks will steal anything they can possibly steal, regardless of how small the value seems to be.
Yeah, and they are heartless bastards, that's what they are. They're sociopaths. They have no feelings of empathy, sympathy, remorse, or guilt. There's a percentage of our population, we call them the one-percenters. They just come out of their mama bad.
Their entire motivation on this planet Earth is to take, steal, hit, and hurt others. Again, there always has been and always will be. Our job really, ultimately, is to live our lives civilly. But you also have to have a certain level of awareness as to who these individuals are, what their motivation is.
Seek them out in such a way where you recognize when they're targeting you, whether that's walking down the street or, again, the phone rings, or an email comes in. It's just knowing that in some way, they're going to be contacting you at some point in your life. When they do, recognize what is occurring in real time so you can do something about it.
The problem with that is that most people live under the myth that it can't happen to me. They function in the state of denial throughout the course of their life and take no interest in learning about what it means to protect yourself or your family, for that matter. Don't read up on it, don't watch anything on it, don't take a class on it, and they just risk not knowing what the fallout could be. That's most people, actually.
I'm going to use a different version of 1% here. “I'm not a one-percenter. I don't have millions of dollars in the bank account. No one's going to try to break into my account because I don't have anything.” Do you think that's the mentality? “I don't have anything worth stealing therefore it's not worth doing anything”?
That's a big part of it: denial. What it really boils down to is human beings, at birth, are born by default to trust. We have no choice at birth but to rely on others for our survival. From the very beginning, we rely on our family, our parents, our mother, our father, even our siblings in order for us to survive.
As we grow, as we become civil, we learn to not hit, hurt, and harm, keep your hands to yourself, be kind, cordial, and be respectful of authority. This process of trust by default makes us think that, basically, we should trust essentially almost everybody. If and when we encounter someone that means to do us harm, whatever that might be, physically or digitally, by default, we still trust that person. Until they actually scam us or hurt us, that's when we realize, “Oh, we shouldn't have trusted that person.”
The bad guys twist the truth ever so slightly up to the point where they take from you or do harm. That's when we realize, “Oh, I've just been bamboozled.” P. T. Barnum once said, of course, that there's a sucker born every minute. The reality of it is that every single one of us are suckers. Every single one of us, essentially, have been suckered or will be suckered. Meaning, we trust in someone else and they do us harm in some way.
That could be something as simple as you were dating somebody who cheated on you. I don't know anybody who hasn't been cheated on. It's devastating. It's a form of betrayal that is very hurtful. People just do that to one another. People lie.
Lying is a natural ability. It's just what we do, but some people do it obsessively. It's what they do. It's how they function. It's their nature. Those individuals, those one-percenters, essentially, are those sociopaths—antisocial personality disorders—that we have to make ourselves aware of and know what to do should they choose us.
Are you saying that we should go beyond? What's the saying? Trust, but verify. Should we go beyond that?
At a minimum. That is a term coined revolving around information security. That is true with everything. You're dating somebody or you meet somebody online. Trust, but verify. Learn as much about this person as you possibly can. No matter what they say, no matter what they do, don't just automatically trust.
Give it a significant amount of time before you open yourself up in such a way where you are putting yourself at risk. We've seen all the documentaries revolving around romance scams. They're getting that much more sophisticated because it's that much easier today to create an online persona that is believable.
You create an Instagram account. You create a Twitter account, a Facebook account. You create a YouTube account, for that matter. You can even publish your own blog. You can be published anywhere really, at this point. All of that collateral, essentially, makes you look more and more legit.
With a romance scam, that's what a website that's selling firearms or selling pocketbooks. You see Black Hat SEO for fraudulent web properties all day, every day. People just automatically trust because it's the written word, because they found it on Google, or because it's online.
“It was the number one search result on Google. It must be legitimate.”
Yeah. Of course, there is some standardization to a Google search and what's real and what's fake. But it's when you go deeper into search that that stuff shows up on the third and fourth page based on researching information that is maybe a bit more obscure that you end up in this website where you end up dropping a credit card or really wiring money, which is really where they get you. You end up being scammed out of, potentially, thousands of dollars. I could point to hundreds of examples that I've uncovered all on my own just by searching my own wants and needs.
Let's talk about that. You reference back to trying to figure out how to know when people are targeting you. How do we do that?
First, every single time the phone rings, be suspect. Every single time an email comes in, be suspect. Every single time there's a knock on the door, be suspect. When I say that people go, “Oh, you must be paranoid.” Or they say, “You have to live paranoid.” No. Paranoia is a mental illness. It is a dis-ease. It is somebody who is completely and totally overwhelmed with their environment. They are incapable of processing the world in a functional way where they have a healthy level of perspective. That's what paranoia is. It's a mental illness. I know I have met plenty of people that are paranoid. I have people in my family, actually, who suffer from paranoia and schizophrenia. It's a very unsettling disease. It's unsettling to be around people that are like that because they're just so overwhelmed.
I think most people, at some level, have met somebody who's paranoid. Of course, party drugs can do that to you. We might have met somebody that was a little too high, they got off on a bad trip, and they will be paranoid. That's kind of scary too.
Recognizing risk every time the phone rings, every time an email comes in, every time you get a text message is scrutinizing that incoming communication and making an educated decision revolving around risk. How far should you go before you stop providing information, credentials, currency, whatever it might be, opening up that door to let somebody in, and so on?
The person who's executing that potential fraud, that's their job. And they should be good at it. It's our job to look inside, look at them, and process what's happening. When parts of us sense something is wrong, it is to pay attention to that, to do something about that, and to react to that. If you've lived long enough on this planet, you've met enough people.
You've experienced enough of life, that you should be able to, at some level, if somebody means to do you some type of harm, whether it's how they present themselves—is it too good to be true, is it something in their facial expressions, eye contact or body language, is the language in this particular communication, something about it is off to you, and then process that and make the right decision. That's what you should be doing with every single inbound communication.
Beyond that, doing some basic research and finding out, “Is that phone number using any other scams? Is that email used in any of the scams? Is this particular language used in any of these scams?” Maybe taking the email itself and highlighting aspects of it to see if there's any hidden copy. It's maybe clicking on a link with your antivirus, obviously—usually on a Mac or on an iPhone because there's less risk there—and seeing where it might take you and what type of information it’s looking for. It's just doing basic due diligence.
How many times have I been scammed in the past five, 10, 15, or 20 years? Maybe once, if that. Have I had credit card fraud? All the time, but not because I did something wrong. It is because my number ended up on a website that was compromised.
By paying attention, being alert, and being aware, you reduce that risk. Most people aren't even doing the absolute basics of anything that I just said. They're just in La La Land watching Dancing with the Stars, and not paying attention to anything.
Before we started recording, we talked about this concept of awareness versus appreciation. I think most people have that sense of awareness of like, “Yeah, there are people out there that are trying to get money from me. They're trying to hack my computer.” Where does that transition go from being aware to appreciating the risks and doing something about it?
Thank you. I think we're all aware that you should probably lock the doors to your house, that it's a good idea to lock your doors. You'd be surprised how many millions and millions of people don't lock the doors to their houses. There are around 1.5 to two million homes that are burglarized every single year.
I travel the country. I've spoken in 49 states. When I asked the question, “How many of you lock your doors?” Usually, about two-thirds of the people raise their hand, depending on where they're at. Two-thirds. That’s it. I asked the rest of them, “Why don't you lock your doors?” What do you think their response is?
“Who's going to want to come into my house?”
Or they say…
“No one will come in while I'm here.”
Or they say, “I don't want to live like that. I don't want to be afraid.” Afraid of what? What do you mean be afraid? Locking your doors is going to make you scared? “I don't want to live like that. I just don't want to lock my doors because I don't want to live like that. I don't want to be worried all the time. I don't want to be paranoid.”
They think taking action in regards to your personal security is admitting fear, it's admitting risk, it's being mentally ill, it's being paranoid. It's living in fear. There's nothing about security that has anything to do with living in fear. Security is about being in control, taking a level of control, or managing risk.
The same way you put a seatbelt on. A seatbelt is managing risk. There's a chance you can be injured or killed in a motor vehicle accident, and there are a number of reasons why. If there's a ball rolling in the middle of a street and a kid runs after that, a dare, somebody swerves, a bird hits your windshield, a rock hits your windshield, or something flies off of a bridge. You wear a seatbelt because it's a smart thing to do, not because you're scared, not because you're afraid or you're paranoid.
It's because you want to take control over that vehicle should something happen. You don't want to get thrown out, and you don't want to lose control of the steering wheel, the gas, or the brakes. It's just being smart. But too many people look at risk as being a level of fear and paranoia. Instead of locking your doors and doing something about it, they function in a state of denial. Denial is comfortable. Denial is warm.
If you've ever been to NA or AA—Alcoholics Anonymous or Narcotics Anonymous—I have with women that I dated that had issues, they would talk about denial. I'm going to be a little graphic here, if you don't mind. The way they would coin denial is that denial is like sitting in your […]. It's warm and comfortable. Denial is sitting in your […]. There's nothing good about that, really, in the long run.
Taking control is recognizing risk and doing something about it. Awareness is understanding that all these risks are out there. Security appreciation is actually doing something about it in such a way where you have systems in place, you have layers of protection, whatever they might be, and the in-home environment would be, the doors are locked.
You might invest in door reinforcement technology that might prevent the door from being kicked in. You might have an alarm system with signage that says, “This house is alarmed.” You might have the doors, the windows, the basement, the second floor, or maybe even on the third floor, all sensors with alarms. The alarm itself is monitored by local law enforcement.
All layers of protection. The more things that you do, the more layers you incorporate, the more secure you're going to be. Does that make you afraid? Does it make you paranoid? No, it makes you that much more alert, aware, and in control. It reduces your risk and makes you a tougher target.
When a burglar comes down the street, they see 10 houses and only one of them has a sign that says, “This house is alarmed.” Well, that's the one that's not going to get picked. That's the tougher target. That's just basic physics. That's just 101.
Most people, they're aware of these things, but they choose not to do anything about it because denial is warm and comfortable. They'd rather not even engage at all or they kind of half-ass it and do a little bit, but really not enough to actually protect themselves or their families for that matter.
It's interesting that you set it up that way. I would never think that it's out of fear that I don't leave money on my dashboard, put the car keys on the dashboard, leave the window rolled down, and walk away. If I told someone I was doing that, they'd be like, “Why are you doing that? Why don't you lock your car?” But it's not out of fear. It's being pragmatic. It's being practical about it.
Yeah. I've been selling security for my entire adult life. That's how I make my living: providing security awareness training. I have to sell the concept of security. I have to get people to a point where not only do they understand what their risk quotient is, but there becomes a change in behavior and they actually do something about it. Not only do I have to actually sell it in an actual seminar, I've got to sell it to the actual person hiring me to actually bring them in to sell the concept of security to their people.
It's an uphill battle because people don't want to think it can happen to them. Whenever you watch the 6:00 news—which I haven't in years, but you do—when there's a home invasion, there's something bad happening in the neighborhood, they interview the neighbor. What do the neighbors say?
“I never thought it could happen here.”
What makes you so special? What makes our neighborhood so special that it wouldn't happen there? What? Nothing. It happens everywhere. That's what people don't understand. They always say the exact same, frankly, stupid thing. That's just not how it's supposed to be.
You should know that it does happen here. There is no such thing as a safe neighborhood. Safe is an absolute. You watch baseball. You're either out or you're safe. It's an absolute. There are safer neighborhoods, but there's no such thing as a safe neighborhood.
When people understand that absolutely fundamental basic concept, they begin to sit up in their chairs and pay attention. “Oh, so I don't really have anything to worry about, but I do have to do something about it.”
Once they begin to see the light that security is not about fear and paranoia, it's not about worry, it's about managing risk and putting basic systems in place. It's about layers of protection. It's about taking action. It's about basic little tiny changes in behavior. It's not about, again, worry, fear, and paranoia. It's about protecting your loved ones, it's about protecting your bank account, it's about making small investments, small changes, small tweaks, and what you do all the time anyway.
Once you do, then you become a tougher target. That's really all it takes. When the email comes in, the phone rings, a text message comes across, it's basic stuff. Once we get those basics down, every other decision that we make revolving around security becomes relatively simple.
Is there a currently emerging blind spot that people have where identity theft has shifted or the criminals have shifted to this blind spot that people have? Because they're always going to be looking to exploit something.
Yeah. I'm not exactly sure how to answer that other than the security awareness training is happening today, in most major corporations. Here’s the blind spot: The security awareness training that is happening today in most corporations and government agencies, for that matter, is phishing-simulation training.
Phishing-simulation training is great. But the way it's being implemented and the reasons why it's being implemented—first, the way it's being implemented is to solve a singular issue: basic security awareness around phishing. That in and of itself isn't enough. It's not holistic. It doesn't treat the whole issue of security awareness and all the problems that predators and thieves pose. It just addresses one little tiny issue, which is a big problem, but it's one small issue of security.
It's just a small fragment of what your vulnerabilities are in the course of a lifetime or even as an employee, for that matter. Active shooters could be a problem. Wire fraud could be a problem. Internal theft could be an issue.
There are so many problems that happen within a corporation, both physical and digital, that need to be looked at. Phishing is just one of them. That right there is a big problem. Phishing simulation is being consumed by CIOs, CISOs, CTOs on behalf of their organization so they can check a box and be compliant. That in and of itself while, OK, you're compliant, it doesn't actually solve the problem that you're trying to fix or the problem that I'm trying to fix.
The problem that I'm trying to fix is to provide a holistic understanding, a holistic viewpoint revolving around security awareness that evolves to security appreciation. You're not just aware of these things, you're aware of them to the point where you actually want to do something about all of these things. That you recognize risk in such a way that you see security as a personal benefit to you. Once you see it as a personal benefit, then on the job, “Yeah, I want to do this. This makes sense to me.”
We are selfish or self-interested creatures. I don't care who you are. You care about yourself first, and you have to. You should. It's important that you do. You have to get a good night's sleep. You have to nourish your body. You have to consume enough fluids.
You have to take care of yourself. If you don't, you're no good to anybody else for that matter and you're going to die. So we have to be selfish. By taking care of or by teaching and educating a person on security awareness to the level of security appreciation, they function so much better, both personally and professionally revolving around all issues of security.
Also, just having people take ownership of that with them. You're talking about once you're secure at home, you start thinking about, “Gee, I shred my documents at home; why is the company not shredding their documents?”
That's it. It's 101. Exactly. Yeah. You don't get that with phishing simulation. At least, you don't get that deep with it. You might gloss over it, but it's just not holistic enough. That's what's missing.
There are a zillion-and-one scams out there today that are based on the best 100 scams that have been going on for the past 200 years. They're all just twists on all the same old scams, the same old tricks, the same old rob-Peter-to-pay-Paul-type scams—Ponzi scams. There are a zillion of them out there.
There are going to be a zillion twists going forward. Some of them are just so dead simple, so easy to recognize, and so easy to perpetrate. Every time I talk to a journalist, every time I talk to somebody revolving around hackers—“Oh, hackers are so sophisticated today.” They're really not. They're no more sophisticated today than they were 10, 15, or 20 years ago. What they are is organized. They're just that much more organized. They're sophisticated in regards to their business model. They treat fraud as a business. The sophistication isn't in their mindset, it's in the way that they conduct their business. They're organized today. They have employees, they have payroll. They treat it as any other business.
They have manuals on how to conduct the scams.
Yeah, they have training. It's an operation, it's a business. They treat it as a business. Because consumers, everyday people, don't look at security as something that they want to do or deal with, or they want to put on the back burner and they want to just not even focus on it at all. We are just sitting ducks, and we're up against organized crime that has a mission to make money, and they're good at it. They've perfected it.
It's not breaking knees and loan sharking. It's using social psychology and principles of influence to manipulate and trick us in such a way where we've been capable of being manipulated and tricked since we were born. Now they just do it on a professional level.
I've been trying to think this process through my head over the last few months. Sometimes I think security is being taught too extreme, in a sense. That when you talk about safer being safe as an absolute, safer is incremental, is that we're trying to come from a position of teaching an absolute.
“Oh, no. You have to have the best security. You’ve got to have three locks on your door. You’ve got to have something that you stick under it and pull down those bars on the windows, things that electrocute people on the outside of your house. If you don't do that, then you're not safe.” Whereas, look, if you just locked your door, that's going to eliminate 30% of home burglaries.
Yeah, just keep things basic. Just talk to people like they're people. Don't instill fear. Don't ever communicate security awareness with fear-based training ever. I never even really talk about statistics and stuff like that. I might talk about 2 million homes being burglarized every single year, which results in 10 million homes burglarized in the next 5 years and so forth. That's about it.
I'm not going to get into hardcore stats because people don't care about that. They don't even want to believe it. I don't do any fear-based-type training. None of that works. You’ve really just got to get people where they are in their life and what risks they face.
If I'm talking to families, I'd say, “You've got a daughter going off to college. It’s really good to talk to her and to talk to your son about what's going to happen when they consume a lot of alcohol, and there are parties and they end up alone.” Things happen, so it's important to talk about the risks revolving around sexual assault and how that plays out.
The chances of something like that happening is relatively slim, but there's enough of a chance that you should have these uncomfortable conversations every so often with your family. What I think that I specialize in or what we specialize in as a training firm is those uncomfortable conversations in such a way where it's comfortable and it makes sense. These are things that you want to address.
You want to have this dialogue because it's important to you. If somebody has a weight issue, it's important to talk about you might want to cut down on sugar. Your physician would talk to you at your annual checkup. When they do your blood, they say that your cholesterol is a little high. You've got about 15, 20 pounds over where you should be, so you want to think about maybe cutting down the alcohol a little bit, cutting down on the sugar a little bit.
Don't be so sedentary. It'd be good for you to walk at least a couple of miles, at least a couple of times a week, if not once a day for that matter. Move a lot more. Cut out the crackers, cut out the chips, cut out the bread for a little while. Shave 15, 20 pounds off because if you want to actually live until you're in your 60s or 70s, then you've got to have a level of health that makes sense and a diet that contributes to longevity.
That's a basic 101 conversation that everybody at some point is probably going to have with their physician if they are doing the same thing at 50, as far as eating goes that they were doing when they were 20. It's just what happens. It's just normal.
It's the same thing with security. If you keep doing the same things today down the road, well, you're going to be a huge target of identity theft. The Equifax breach—there were 150 or so million Social Security numbers that were compromised. Do you have a credit freeze? Because more than two-thirds of the American adult population's Social Security number is currently in the hands of criminals, at a minimum.
You've been giving out your Social Security number since you were going to elementary school.
When I was in college, my student ID for the school had the Social Security number. That was my student ID.
Exactly. Military on their laundry bags, nurses for their ID, Medicaid for their ID. Your Social Security number is the key to the kingdom. Not having a credit freeze, in my opinion, is irresponsible. You're being irresponsible to yourself.
If your identity is compromised, you're being irresponsible to your family and potentially to your employer. Because when identity theft happens to you, when somebody takes over your identity, when somebody opens up new lines of credit under your name, it can be a nightmare. You may not find out about it for months.
When that happens, not only is it going to take you hours, and hours, and hours, and hours of time to fix that, it may take a decade for the pain to go away because they may soil your credit so badly that you may not be able to buy a house, rent an apartment, or lease a vehicle. It could be devastating, too, depending on where you are in your life.
Not having a credit freeze is one of those 101 things like not drinking an entire bottle of Jack Daniels. You shouldn't do that because it could kill you, like certain 101 things in life that you should know. You don't do 100 miles an hour down the highway, like 101. You should have a credit freeze. If that's not instilled in people, if they don't care about it—“Why would they want to steal me?” That's just functioning in denial. That’s not taking personal responsibility. I'm all about taking personal responsibility for every action that you take in life.
Do you think there needs to be a—gosh, I hate to say government intervention, but let's just use that word for lack of a better phrase. I know with 401ks, when companies decide to opt people in, versus when they're hired, versus employees opting themselves in, participation in 401ks and retirement programs double or triple.
Google just recently started defaulting to asking people to provide, or defaulting to, SMS two-factor authentication when accounts are set up. The rate of usage on those accounts is significantly higher than when that wasn't the default option. Do you think when it comes to things like credit, that needs to switch from being unfrozen all the time to being frozen, and then we just unfreeze it when we need to apply?
Credit should be frozen by default. The credit freeze itself has been around since February of 2008. I froze my credit in February of 2008, the first week that it was available. Since that time, we've had 100 billion records at risk in the past 10, 15 years, easy. I saw something in 2021: 40 billion records at risk in 2021, 27 billion records at risk in 2020, 19 billion records at risk in 2019, and so on and so forth. I would say 100 billion records in the past 10, 15 years, easy.
Usernames, passcodes, Social Security numbers, credit card numbers, bank account numbers—you name it. All your personal identifying information, names, addresses, phone numbers—you name it, it's out there. It's on the dark web. It's for sale. It’s for free. You know it is. It's just ridiculous. What was the original question, please?
Switching the system to credit manually unfreezing versus automatically.
Credit freezes by default. We, as a culture, as a country, only had the ubiquitous right to have a credit freeze for free since September of 2018, after the Equifax breach. Congress passed a law that said, “No longer should consumers have to pay for it. Let's make it for free. Anybody who wants it is going to get it at the expense of the credit bureau.”
It was only at that time that parents throughout all 50 states were then allowed to freeze their child's credit. It was only after that law was passed making it free and you could freeze your kid's credit. Whereas 17 and younger, you shouldn't have a credit report to begin with, but you can still freeze that child's credit should it ever be an issue, or you just freeze it before it becomes an issue. That said, children's credit should be frozen across the board.
Adults' credit should be frozen across the board. It should be a requirement. But because we are a credit-driven society, the process of credit freezes can gum up the system of granting credit. Essentially, most look at a credit freeze as it doesn't pass the grandmother test. That's no dig on grandmothers. It's just the way it is.
Can my grandmother easily do this? Is that the grandma test?
I think that unfortunately applies to things like password managers and two-factor authentication.
Only about 10% of the population actually engages in a password manager. How can you possibly have secure passwords if you're using the same passcode across all your accounts? The only way to actually engage in proper password management is with a password manager. Because otherwise, whether it's a Word document or an Excel file, if those documents are password-protected, the copy-paste option of going back and forth, all of that becomes too cumbersome and most people don't do security cumbersome well. They need easy security.
The password manager is just that. I've had a password manager since 2004. I can't even imagine not having a password manager. I think I have at least a thousand passwords for all the various accounts that I had and have.
I couldn't tell you more than three or four of the passwords that I have for the various accounts that I possess. I know my email passcode, I know my password manager passcode and that's probably it. My password manager knows the rest.
I’ve got a mobile phone like everybody else. I don't know my mother's phone number. I don't know my father's phone number. My mobile phone knows it and that's good enough for me.
Yeah. Long gone are the days when you knew the phone numbers of your top 20 friends.
Yeah, you don't need to. You have a mobile phone for that. You don't need to know your password. You have a password manager for that. We're just not quite there yet. I often use the seatbelt as a reference point.
The seatbelts have been around since the '50s. It was required to be installed in vehicles sold in the United States since 1968, by federal law. It wasn't really until the late, late '90s, the early 2000s, that we really began to start clicking it. That's because half of the country began to pass laws requiring that you have a seatbelt on while you drive.
The other half of the country, I think, requires a seatbelt on if you are pulled over. If you get pulled over, they will give you a ticket if you don't have the seatbelt on. Whereas you can get pulled over in half the country for not having it on. Does that make sense?
New Hampshire is the only state in the country that does not have any law whatsoever on the books, because New Hampshire, on their license plate, their motto is “Live Free or Die.” OK, New Hampshire. The state's nuts. I'm in Massachusetts, so I know. I can say that.
Yeah. We need the same sort of reverse motto for password managers. I'm not sure what it would be.
The point of the seatbelt is that it's taken us decades. You get to the point where 85% of people right now wear a seatbelt, which I think is pretty good. I think that the other 15%—it’s a generational thing. I'm 53. Seatbelts, ’68, my birthdate. Fifty three years. It’s taken that long for 85% of the population to wear seatbelts.
I think as far as our digital security goes, frankly, even our personal security goes, it's going to take us a while longer to wake up and to assimilate to all the tools that are available to us, and to recognize risk, recognize fraud, and to actually do something about it.
Home security systems are becoming much more ubiquitous today. Most home security systems are installed after a house is burglarized, which is just how people are. By making it easier and easier, by making security cameras that much more consumable, people are taking more initiative. They're recognizing risk more today than ever, but there's still a lot that has to be done.
Yeah, I agree.
That's what I'm here for.
That's why we both do what we do.
Because more does need to be done. As we're wrapping up here, I know you have a number of courses that your company does. Can you go through those quickly?
Sure. We created the CSI Protection Certification Designation. CSI is Cyber Social Identity and Personal Protection. CSI Protection is our six-hour course. It's broken down into four modules, which are cyber, social, identity, and personal protection. That course can be delivered over one day, usually from 9:00 AM to noon and then 1:00 to 4:00 PM.
In that timeframe, whether it's online, live, or in person, it is full-on engagement. It's full-on dialogue. Obviously, there's a PowerPoint involved, whether it's Zoom, Microsoft Teams, or whatever online platform you want to use. There's a PowerPoint involved there, but it is full-on dialogue. Because most people, including employees, including company officers, including CTOs and CIOs have never actually had an opportunity to sit down and engage with a security expert who has invested their life into this topic.
Most people just don't have that. How many people do you know that they are full blown, 100%, around-the-clock security, security, security? Not a lot of people live that life. When you have an opportunity to actually engage that person and ask any and all, every single question you've ever, ever had based on the information being presented and your own individual concerns, it can become a very interesting six hours.
Most people are essentially on the edge of their seats for the whole six hours, and they're engaged. They're not just checking email or on their phone. They want to know. Especially when you have an opportunity to ask a question at any given time, whether there are 100 people online or 50 people online, we make that work.
The CSI Protection Certification Designation generally is for service professionals. Whether you're a real estate agent, a mortgage broker, a title officer, an attorney, an accountant, a financial advisor, anybody who is handling any sensitive information in any way, shape, or form. Heck, if you're a homeowner, you're a mom or a pop, you're a teacher, or anybody, really. Wire fraud is a big issue today in most service professions, especially real estate, title, and mortgage.
Wire fraud is a huge problem for a lot of companies. Heck, if you're in construction or you're in manufacturing, you are being targeted right now. Your accounting department is being targeted right now for wire fraud, utility fraud. They'll pose as the local gas company, the local electric company.
They'll pose as an advertising firm that you owe money to. They will get you in some way to pay thousands and thousands of dollars either via a wire transfer, even Bitcoin these days, or gift cards. You'd be amazed at how many people fall for it. It's expensive.
Barbara Corcoran from Corcoran Real Estate, her bookkeeper paid a $385,000 bill for a contractor that was renovating one of their properties. It was just a matter of somebody compromising the administrator's email, functioning as the administrator contacting the bookkeeper and saying, “Hey, we've got this contractor in Brooklyn. They've been on the job. All this time, they haven't been paid in 60 days. They're threatening to walk off the job. If you don't pay the bill, Barbara is going to be really upset. Can you pay the bill today?” They paid the bill.
For an organization like that, it's not unusual due to the fact that they pay bills like that all the time. There are countless businesses that that's what they do—construction, manufacturing, you name it. People are paying the bill and it's going to the bad guy.
The challenge is when it's wire transfer, gift cards, and cryptocurrency. It's extremely, extremely hard to get the transaction reversed after more than about three seconds. If I remember, Barbara was actually lucky and was able to get most, if not all, the money back only because it went to lots of places.
Yeah. When you have a name that big, when you are that level of influence, then the FBI, MoneyGram, and Western Union will move mountains for you, but the rest of us are screwed.
We're not that type of one-percenter.
Where can people find your course and know more about you guys?
Sure. We are online at protectnowllc.com. If you google Robert Siciliano, I basically own the first couple or three pages of searches. Not a whole lot of Robert Sicilianos out there. Between my media, the various web properties, the socials, the Twitters, the LinkedIns, and the Facebooks, you can't miss me—Robert Siciliano.
Awesome, Robert. Thank you so much for coming on the podcast today.
I appreciate what you're doing here. Thank you so much.