On Location With Sean Martin And Marco Ciappelli

Stranger Danger, Phishing, Instinct, and Technology: How AI and Awareness Are Shaping Cybersecurity | An Australian Cyber Conference 2024 in Melbourne Conversation with Benji Zorella and Rebecca Caldwell | On Location Coverage

Episode Summary

In this latest episode of On Location with Sean Martin and Marco Ciappelli, the hosts sit down with Benji Zorella and Bec Caldwell, co-hosts of the Bytes with Bec and Benji podcast, during the bustling Australian Cyber Conference in Melbourne 2024. Together, they explore the evolving threats of phishing, the role of AI in both perpetuating and combating scams, and the critical need for human intuition in the cybersecurity landscape.

Episode Notes

Guests: 

Benji Zorella, eLearning Instructional Designer, CyberCX

On LinkedIn | https://www.linkedin.com/in/benjiz/

Rebecca Caldwell, Phishing Content Specialist, Phriendly Phishing

On LinkedIn | https://www.linkedin.com/in/bec-j-caldwell/

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

Kicking off the episode, Sean Martin and Marco Ciappelli highlight the uniquely local flavor of the conference. With Benji and Bec calling Melbourne home, the guests reflect on the value of attending such a prominent event in their backyard while drawing on their experiences as hosts of their own cybersecurity podcast.

Unmasking Phishing in the Digital Age

Phishing takes center stage as Benji and Bec share stories and insights about the dangers lurking behind cleverly crafted scams. Sean Martin draws a clever comparison between traditional fishing methods and the digital phishing tactics cybercriminals use today—hooking victims by exploiting their trust and curiosity.

Benji drives the conversation deeper, explaining how a person's digital footprint—especially in an age of AI-driven tools like deepfakes—can be weaponized for deception. The guests underscore the importance of remaining vigilant and minimizing the personal information we leave online, turning our digital habits into our best line of defense.

Cybersecurity Education: The First Line of Defense

Shifting gears, the group emphasizes the need to move beyond relying solely on tech-driven safeguards and focus on building a culture of cybersecurity awareness within organizations. Bec Caldwell shares actionable strategies, likening cybersecurity education to learning how to drive—starting small and gradually building confidence in spotting risks. Empowering employees to question suspicious contexts fosters not just better security, but a collaborative culture of accountability.

AI: Friend or Foe?

The role of AI emerges as a hot topic, sparking a discussion about its dual impact on cybersecurity. While AI enables sophisticated phishing attacks, it also holds the potential to strengthen defenses. The panel imagines AI tools evolving to provide real-time security nudges, similar to how cars alert drivers to potential hazards. It’s a balancing act, as AI must be wielded thoughtfully to enhance—not replace—human vigilance.

The Human Factor in Cybersecurity

Throughout the conversation, one message resonates: the enduring power of human intuition. Benji recounts a gripping story of a CEO who thwarted a highly advanced phishing attempt with a simple, old-school phone verification. This moment reinforces the idea that while tech can improve security measures, the human touch remains irreplaceable.

Future-Proofing Cybersecurity

As the episode winds down, the group reflects on thought-provoking audience questions from the conference. From AI’s impact on CISO responsibilities to how generational shifts in digital communication shape cybersecurity strategies, the guests underscore the need for adaptability as both technology and society evolve.

A Final Call to Action

Marco Ciappelli and Sean Martin wrap up with a clear takeaway for their listeners: stay curious, ask questions, and embrace skepticism online. The key to navigating today’s cyber landscape is a mix of awareness, education, and the occasional gut check—because even in a tech-driven world, the human element is our greatest asset.

____________________________

This Episode’s Sponsors

Threatlocker: https://itspm.ag/threatlocker-r974

____________________________

Resources

Bytes with Bec and Benji podcast: https://www.phriendlyphishing.com/resources/podcasts

Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia


____________________________


Episode Transcription


Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Marco Ciappelli: You guys based here? Yeah, we're based in Melbourne.  
 

[00:00:02] Bec Caldwell: Cool. Yes, thankfully we didn't have to come very far to get to the conference.  
 

[00:00:10] Marco Ciappelli: Oh, well you can. 
 

Absolutely. I was in Sydney about, uh, five years ago. I want to make it to Melbourne. Get the opportunity.  
 

[00:00:29] Benji Zorella: Beautiful place. And if you get paid for it, even though  
 

[00:00:31] Marco Ciappelli: that's right,  
 

[00:00:31] Benji Zorella: exactly. All right,  
 

[00:00:35] Sean Martin: Marco,  
 

[00:00:36] Marco Ciappelli: Sean, are you phishing me?
 

No, but I think about lately, uh, twice the Coliseum in Rome, I helped a few Spanish prisoners and, uh, some, uh, I don't know. 
 

I've been off for a lot of things. And I click. I just click.  
 

[00:00:54] Sean Martin: There you go. He's clicking. There's a sticker here. I know. We all went.  
 

[00:00:58] Marco Ciappelli: We had JJ. Everybody took the stickers. Say, don't click on, uh, S something. Well, that's what we're going to talk about today.
 

[00:01:08] Sean Martin: We're going to talk about phishing today. It's funny. 
 

I did a post the other day on, uh, on LinkedIn, that I like to listen to music from different parts of the world to get inspired. I also like to put on local TV stations, which in my post it happened to be a TV station playing local music, which is really cool. Um, in between that was a show on fishing.
 

Real fishing. And the techniques, they were describing the tension and the lures. And the lines. Very technical and not unlike fishing with a PH. That, uh, depending on what you're trying to catch, you can do, use certain techniques and then apply certain pressures. And, um, so I'm assuming we're going to touch on some of that kind of stuff today, uh, with the research that Bec and Benji are doing and continue to do. Uh, before we do that though, maybe a few words about each of you. You have the Bec and Benji show, or is it the Benji and Bec show podcast?
 

[00:02:06] Bec Caldwell: Uh, yeah, there was no contention about that, was there? It was kind of a bit more alliterating. Uh, yeah, our podcast Um, and yeah, we talk to cyber experts on different domains of cyber security and we always kind of bring it back to how that generally starts off with phishing and things like that. 
 

Yeah,  
 

[00:02:26] Benji Zorella: I think the thing I really enjoy about our podcast is we're not really positioning ourselves as the experts across all these domains of cyber. Um, so we're very much taking that kind of curious lens, being able to engage with these experts that work in the field for 20, 30 years and get their insights on that very specific area of cyber. 
 

Whether it be digital forensics, incident response, whether it be ransomware and extortion. Uh, and we get a bit of a deep insight into their world, and we can convey that to our audiences. So that's the thing I, I've learned so much just talking to people that know stuff that I wish I knew. It's such a great education. 
 

[00:02:59] Bec Caldwell: Just, just quickly,  
 

[00:03:00] Marco Ciappelli: we were just talking about that on our way here and how, you know, we've done, I don't know, thousands for sure. Podcast, and I don't come from cybersecurity at all. I come from sociology.  
 

Mm-Hmm.  
 

[00:03:12] Marco Ciappelli: And, uh, all I know about cyber security is because I talk to people that know a lot about cyber security.
 

[00:03:18] Benji Zorella: Absolutely, and you find people that are into it, I think they're happy to talk about it. Oh, they absolutely love it. Let me give you everything I know. It's one of those industries where you can learn a lot because I think people are very open to sharing their experiences, but also their motivations, their approaches. 
 

[00:03:36] Bec Caldwell: Well, the topic's never ending as well. There's just so many places to go.  
 

[00:03:39] Marco Ciappelli: It's kind of like if you're selling health insurance or medications, I mean, everybody's going to need it. In a way.  
 

[00:03:52] Bec Caldwell: Yeah, we're an essential service now.  
 

[00:03:53] Marco Ciappelli: Exactly. And talking about meeting cool people, this is where we are. We are in Melbourne, if you haven't noticed from the accent. 
 

We're not in Italy. We are in Melbourne. You could think that from my accent. I don't know how to do that. But, uh, we're here for the Australia Cyber Conference. We are day three. And, uh, you guys got to have a session.  
 

So tell us about that.  
 

[00:04:20] Bec Caldwell: We did. So yesterday we had a session in one of the rooms here and our topic was, uh, stranger danger and how your digital footprint can be used against you, can lead to all the phishing we've been talking about. 
 

[00:04:33] Benji Zorella: Particularly in the age of AI that we find ourselves in, um, we were very much focusing on the profiling aspect, uh, being used in training models to be used against your likeness, like voice cloning, uh, cheap fakes, deep fakes, and how your most valuable asset is your trusted identity. So, people can use that information, both against you, but against people that trust you to convince them that they're dealing with you, um, ultimately to achieve a scammer's goal.
 

So, we very much focus, um, to tie it to the phishing aspect of that human psychology aspect of, of how people So, um, I'm going to be talking about, um, uh, how people perceive situations, how they respond to situations, and really adding in those kind of, uh, cognitive breaks to be like, there's something sus about this. 
 

I should, I should interrogate it a bit more. So, we, we very much like to draw it back to that, because technical controls are great, but it's ultimately always going to be a human at the end, end of it, so.  
 

[00:05:28] Bec Caldwell: So, yeah, hacking a human is generally like what the scammers are trying to do these days.  
 

[00:05:32] Marco Ciappelli: So, I, I, I like that quote. 
 

Um, that says we, we have prehistoric brain and, uh, medieval institutions and, uh, very futuristic technology. And, but we still react. With that animal brain. Based on instincts. Yeah. And based on urgency and certain time of the year. And so that's, that's what has been leveraged. And do you feel like technology AI in particular is, is actually helping on that aspect of the psychology or only on the preparation and research and translation of the perfect email, carving the perfect email? 
 

[00:06:13] Bec Caldwell: I mean, it starts off with that. So I think with generative AI, it's, it's, it's a tool that, you know, we use, scammers use, and, and it can really improve your communication skills because, you know, in the old days there was misspellings and, and things that were not quite right that a lot of people started to spot.
 

And these days it doesn't necessarily have to be like that, but it can also automate things and, you know, send out a lot more phishing emails than a single person could in a day personalized. But the other part is very personalized. Mm-hmm. Um, and if you get to the like higher kind of stakes.
 

Um, you know, if you're looking at your child or your mother or someone that you really trust. But I think to your point, um, yeah, our brains haven't caught up with it. We're too busy having fun with a new toy that we have forgotten that there is a consequence. So there's two sides of it. The scammers are seeing that consequence and seeing an opportunity, whereas we're still having fun with it.
 

[00:07:21] Benji Zorella: I think it's a dammically solid situation, a little bit in that there's obviously a huge benefit to be derived from AI connectivity, the democratization of a frame of expression, creativity, things like that. But for me, it's the barrier to entry has basically been obliterated.
 

So now it's down to the only thing separating you and a scammer is, should I do that? And if you opt on that side of, yeah, I'm going to give that a go. There will be a bot that will teach you how to do it. There will be another, uh, uh, phishing service you could buy and subscribe to. You can even get referral points for referring other scammers to those sites. 
 

So, the kind of cybercrime Yeah. Yeah, literally. Frequent  
 

[00:08:01] Bec Caldwell: scammer points.  
 

[00:08:02] Benji Zorella: Go to, go to the Virgin Islands and stuff. But, you know, it's, it's definitely one of those things where I think the, you know, the scale is just getting a bit, um, the barrier to entry is gone and then the scale is also getting much higher.
 

So, once you would see phishing emails go to a thousand people and they'd all be the same email, now it's being highly personalized to whatever they've uncovered about you or changing that urgency to fit your workplace, your work culture, if you work from home or if you work from, um, remotely, uh, if you work from home or if you work from the office, they'll target those types of things. 
 

So, for me, it's about the scale and the personalization aspect. You don't need to know how to socially engineer someone. These tools will  
 

[00:08:42] Sean Martin: teach you how to do that. And we've heard it a couple times already in a few of the conversations, and it was mentioned again here today, digital footprint. And I think it would have been hard years ago to paint a picture, a full foot, if you will, or two feet of a person's being online where tools probably today can help paint a pretty good picture almost in real time.
 

Yesterday's footprint looks different than today's, right? Am I in the sand or am I in the mountains? Um, how does that do? I guess, do we understand as individuals the footprint we're putting out there? And as organizations responsible for our employees and our customers, what that footprint looks like?
 

[00:09:31] Benji Zorella: That's a great question. I think that generally, you know, particularly of our generation, we're in the social media rage if we share a lot of things. And to me, it's, it's more about the medium now that you're sharing. If you're putting videos that are publicly available, podcasts that are publicly available, your voices. 
 

Your voices. This is immediately an asset that you know can be leveraged against you because it's easy to train a voice on 30 seconds of dialogue, let alone thousands of podcasts. So to me it's about what are you putting out and how public is that because, uh, these, these individuals don't go through looking through individual profiles. 
 

They're aggregating information and then using scripting or AI to kind of deploy the actual payloads, the phishing, the malware, whatever it might be. So in a lot of ways, I think it's about being aware, taking the advice. If I posted this and I was a scammer and I wanted to use this against me, how would I do it? 
 

And then, if you can think of two or three reasons, maybe don't share it publicly. You know, there are many tools on social media that allow you to do things to close friends only. To only trusted individuals. So for me, it's about the public media is these models are very readily accessible and can train on public data. 
 

So it's just one of those things where the more you're mapped, what can be used against you, the more aware you'll be of it manipulating you when you're confronted with that situation. But  
 

[00:10:57] Bec Caldwell: then you've got, um, kids who grew up with TikTok and Snapchat and they don't know any other way of communicating or sharing. 
 

And they're hyper sharing as well. You know? Every minute of the day, it's like, I just did this, or, you know, I'm off to my, see my friends and do this. They're live tweeting their  
 

locations.  
 

[00:11:15] Bec Caldwell: Yeah, and they don't know who their friends' friends are, or their friends' friends' friends, and, you know, that comes out like a spiderweb across the world, and not at every single one of those places.
 

People in that chain is going to have your best interests at heart. So if they know your current location, things that you like, your friends' names, those kids become very vulnerable very quickly.
 

[00:11:34] Marco Ciappelli: And the family, and the indirect, you know, using What do your parents do Your voice. To contact your parents, because they do not have access to their voice or their information, but there is that proximity that come into play. 
 

[00:11:49] Sean Martin: My family is watching my code word.  
 

[00:11:52] Benji Zorella: Sour Kiwi. That's a good one. Yeah, my family and I have a code word, you know, it's just one of the things I'm conscious my voice is online. I'm not necessarily paranoid that, you know, anyone's gonna target me specifically, but I'm aware that there isn't, there is a platform for someone to do that.
 

Should they have the intent? So  
 

[00:12:09] Marco Ciappelli: no,  
 

[00:12:10] Benji Zorella: we have a safe word employed and I'm not going to share mine, but you know, it's one of those things where the technical controls are great. We absolutely need technical controls, but the skepticism that comes from the individuals, that, that end person that is the, the object of the scammer's desire to get you to do the thing, that ultimately is a human problem.
 

And the only way to combat those things are cognitive awareness, uh, verifying things, being highly skeptical of anyone kind of interacting with you. And it's, it's not necessarily about being rude, but just about being conscious of not everyone's got  
 

[00:12:41] Marco Ciappelli: your If you ring a bell and you live in a building, you know. 
 

You look for the  
 

[00:12:48] Bec Caldwell: people first. Right?  
 

[00:12:50] Marco Ciappelli: I mean, you know, before you, you ring in, you know, you want to know who, is that you? Who is who, right? That's why  
 

[00:12:56] Bec Caldwell: caller ID was so popular when it came out. It's like, oh, I don't have to answer the phone and get a telemarketer anymore. I can see that it's my mom and ignore that one too. 
 

Yeah, and  
 

[00:13:03] Benji Zorella: now they spoofed that, so we're even.  
 

[00:13:05] Marco Ciappelli: Yeah,  
 

[00:13:06] Benji Zorella: the cat and mouse, constant cat and mouse. And so if they adapt how they manipulate your psychology, we have to be more aware of that psychology being manipulated.  
 

[00:13:15] Marco Ciappelli: You know, we had the first podcast two days ago was with JJ. She had a talk with Daisy as well on the 10 skills that are not technical  
 

for  
 

[00:13:24] Marco Ciappelli: training. 
 

And of course, she deals with kids as well. And we started the whole conversation on how it's not really training in terms of memorizing thing, learning, taking the test is a cultural thing. Mm-hmm. And she used, I've said this a few times because I think it makes a lot of sense. Um, the learning at a young age to start, how to cross the street, leaving the street, uh, ride the bike and start learning the rule of the road.
 

Mm-hmm. At a younger age, but then you only get the car after you do a driving test. And when you're experienced, if you didn't have any experience until when you're 16 or 18, depending where you live. And they're like, all right, here's a book. Here's the car, here's the keys.
 

[00:14:12] Bec Caldwell: Off you go.  
 

[00:14:12] Marco Ciappelli: How are you going to a hundred percent internalize it, be disaster, all of that, right? 
 

It's, and in LA  
 

[00:14:18] Sean Martin: you have to look left, right, left when you're crossing the street. Here, you look right, left. Right. A hundred  
 

[00:14:23] Benji Zorella: percent. And culture changes the cognition bias that you inherently have to some of these things. Mm-hmm. But, um, yeah, absolutely. I think when we, when we look at the idea that people should be told, use MFA, use a password manager without explicitly understanding what's the purpose?
 

What is it doing to help me, why? I can use a password manager and use the same password for every website so it's just an auto filler. It's not really the point of a password manager. So understanding to your point the reason why and then applying it in a real world. The  
 

[00:14:54] Bec Caldwell: consequences. The  
 

[00:14:55] Benji Zorella: consequences. 
 

You do the driving test before you get your car. You have to prove competency in being able to do the thing. So there is a degree of we don't really do that with cyber as much, you know. We, we kind of just rely on the fact that people will engage if they want to engage and, as a community, we're only really as secure as each individual in the community.
 

[00:15:16] Bec Caldwell: And this whole thing on the news at the moment of restricting kids till they're 16 to use social media. Yeah, we spoke about that, yeah. It's, I mean, it's a great idea but it's kind of too little too late because, I mean, we don't know how it's going to be enforced, if at all, um, and I think it's mostly a revenue raising thing for fining these platforms when it's found out, and who's reporting it, who's doing anything like that, but you're suddenly taking away something that has been seen as a right to these kids, their whole lives. To now be told, okay, no, you're not mature enough for
 

[00:15:47] Sean Martin: this. And the magic, what is it, 14 or 16, I can't remember. 16. So magically, everyone's safe at 16, right? Suddenly all the scammers can't catch me and I'm fully Midnight  
 

[00:15:57] Bec Caldwell: on your death. Well, actually, you're  
 

[00:15:59] Marco Ciappelli: even more vulnerable. 
 

It's the same thing like the car. You know how much are you going to freak out if you never rode a bike before? Or, or a motorcycle? Or, I don't know.  
 

[00:16:12] Bec Caldwell: Start engaging with them without, like, checking. Having  
 

[00:16:14] Sean Martin: any experience.  
 

[00:16:15] Marco Ciappelli: No, it's a gradual education that you can do. Now, when it comes to training in a corporation, in a business environment, I think there is a big problem there, too. 
 

Like, you know, here's all the things that you need to check once a month, once a year, whatever. Here's your compliance list. Please follow it. And, uh, and then People don't undo it.  
 

[00:16:40] Benji Zorella: 100%. I think security as a culture is incredibly important and when I say things like that I mean employees being empowered to, even in the face of authority or urgency, not feel like they're doing the business a disservice by slowing something down, by asking for the appropriate verifications. 
 

And I think people get caught up in the, we're here to do business, I gotta get it done, I gotta, my boss is telling me, my CFO is telling me. Your CFO will actually appreciate it more when you confronted a scammer asking them to verify themselves than if you just verified your CEO and they knew that you were doing a good job. 
 

We often use the example of tailgating in our workplace. And Becca has a story about  
 

[00:17:24] Bec Caldwell: when Yeah, um, I, you know, when you start at our workplace, you're told, okay, uh, always question who's coming in behind you. If they don't have their pass out and they're not scanning their key card, you should ask them who they are, especially if you don't notice, if you don't recognize them.
 

And it happened to me. I couldn't find my pass. I'm, you know, hunting around my handbags. Full of mysteries and junk and all that kind of stuff. Uh,  
 

[00:17:47] Sean Martin: We'll shoot, we'll show pictures later.  
 

[00:17:50] Bec Caldwell: That's a whole other podcast. Uh, and this young man I've never seen before. He walks in ahead of me. He's got his pass. 
 

He's, you know, got it ready. Scans it, walks in. I'm like, oh, thank goodness. I don't have to wait for the reception to let me in. So I walk in behind him and he says, he just flips around and goes, Hi. What's your name? And I was like, oh, my name is Bec. What's yours? And he was like, where's your pass? And I was like, oh, um, it's in here somewhere, I swear.
 

And he's like, yeah, okay, I'll wait. And he just stands there. And I'm like,  
 

finally  
 

[00:18:19] Bec Caldwell: find it. Lets me in. And I'm full of rage. So I'm like, I'm just trying to get in. I've been working here for like a year. I'm allowed to, you know, I don't say all that. I'm just a bit flustered. But then I just realized he's new.
 

He's a new associate. He's just had a security training and he was told it is an empowering thing to ask someone, what is your name and what is your business here? So I was really proud of him in that moment. So it was a rollercoaster of emotions going through  
 

[00:18:49] Benji Zorella: that. And even in the instance where you might not feel comfortable simply alerting someone that might be more appropriate for reception and security, but being empowered to act on those, that seems a bit sus, I'm not entirely sure, but it seems a little sus and instead of just putting that to a side and hoping for the best, actually acting on those things. 
 

So for me, when it comes down to organizations, it's about understanding that being security conscious is not you being rude, it's not you trying to be hard to work with, but you're actually trying to do the right thing to secure everyone. I also think, uh, having cultures that often report phishing or celebrate people that are often identifying things like phishing or bringing, uh, you know, noteworthy points of, uh, cyber case studies to their organization. 
 

They bring people more into the thing because they understand why they're being asked to do all these cyber things. For me it's all about the what's in it, for me it's the individual. You can give me ten lists, I'll probably pick what I think is relevant to me.  
 

[00:19:46] Bec Caldwell: And convenient. And convenient. Because if you talk to people about it. 
 

Okay, the top two things you have to do is use a password manager with unique passwords for each, uh, account and then install MFA. It's like, ugh. So every single time I log into this thing I have to use my biometrics, I have to get, like, sent a text, I have to do all this stuff. And it's like, I have to cast a spell and, you know, face the world. 
 

South on a full moon just to open up my banking app. And it's like, well, yeah, otherwise you're gonna lose all your money. But that inconvenience has to be built into just your way of working. Yeah. You know?  
 

[00:20:19] Marco Ciappelli: Yeah. But you don't have a problem when you get to your bank, given that somebody still goes to the bank in going through two glass door and waiting in between And now. 
 

You know, get on a plane and nobody's reaching if, you know, Oh, I've got to do the scan and here's my password because you want to be secure. Right. And, and, but when it comes to doing things online, I always say he's, he can't touch it. It's intangible. And all of a sudden it's like,  
 

[00:20:48] Bec Caldwell: it's like, yeah, I'm casting as well. 
 

[00:20:49] Marco Ciappelli: Yeah, and just  
 

[00:20:52] Bec Caldwell: hoping for the best, but yeah, people are like very protective of their physical security, and rightly so, but online security is just such a, you know, otherworldly thing to people. It's just, it's somebody else's problem. It's not going to happen to me. It's,  
 

[00:21:06] Benji Zorella: you know, And I often refer to the concept of bringing back stranger danger online. 
 

Having grown up in the 90s, you were always told, like, beware of strangers, be skeptical, and people have seemingly a much greater propensity for trusting individuals online than in the first place. I think due to what you say, like seeing the body language and all that unspoken stuff, but yeah, it definitely is. 
 

Um, we had Alastair MacGibbon on our podcast at one point talking about the ransomware and cyber extortion and the analogy that he put on, put forward that I have repeated endlessly because I love it so much is if, um, if we were all in our houses and we had criminals rattling our windows and tapping on doors and finding holes in our apartments to try to get in, we would, right?
 

That's happening online all the time. Every day. There are scams and hackers knocking onto networks and things. So we just don't see it, but it's constantly happening. The digital world is under as much kind of stress testing by these people as the physical world would be if we didn't have those barriers. 
 

So it's about the understanding why those things are being asked of you. Understanding how that helps you, and then you're probably more likely to engage with those behaviors. It's  
 

[00:22:18] Bec Caldwell: to replace that biofeedback we get from having a, a feeling, you know, when you, when you meet someone that isn't, doesn't have the best of intentions. 
 

Um, you know, sometimes people have that intuition when they meet someone on the street. They're like, um, don't like your vibe, I'm not sure if I should engage with this person, but you don't have that. None of those things get those senses tingling, you know, online.  
 

[00:22:42] Sean Martin: So you mentioned that. Part of the title of your session, as we wrap here, I'm sure we touched on a lot of things from the session, but not specifically, but were there any, any moments, uh, connecting with the audience that struck you as you're doing your presentation or after people came up to you? 
 

Is there anything that came out of it that said, oh, I didn't think about that, or wow, somebody really took this message away with them and they're going to apply it to whatever?  
 

[00:23:08] Benji Zorella: I think there were some pretty good questions that we got. One was, how will AI change the role of a CISO? I'm not a CISO, I'm relatively new in the CISO industry.
 

But I do think, based on a lot of the reading I've been doing around the space, because it's fascinating to me, is at this current stage, what awareness training seems to be leaning towards with deepfake training and things of that nature is identifying things in the visual that can show that it's a deepfake. 
 

That's it. That seems to be the wrong approach almost, because not only are people not video experts or audio experts, so you're asking them to do something that is a very kind of niche skill, but in addition to that, the technology won't be like that in six months, in a year, so we're actually training bad habits in a lot of ways. 
 

What the, the study kind of points to is more around deepfake mitigation. So planning out all in the organization, all the assets that could be used for a deepfake, similar to what I was saying about the social media, the media you put out, those things could be used to train deepfakes. These are the results of those deepfakes.
 

That's how the process works. The awareness for how your perception is being manipulated as, as the organizational culture, rather than just being like, that means I'm being manipulated. There won't be anything to point to is what I'm saying. It's going to be very human based verification.
 

It will be things like in our talk we reference a deepfake case for the CEO of Ferrari. He had an elaborate sophisticated phishing scam followed by a live video. Deepfake, yep. And it was right at the kind of cusp of, of getting there. He's about to press send. And he goes to the, the scammer, um, uh, I need to verify you. 
 

Can you tell me the book that you recommended to me last week? Mm  
 

hmm.  
 

[00:25:03] Benji Zorella: None of the technical controls were sufficient enough in that instance. He registered the domain, he was on the call. It was purely a human control. It wasn't even a pre sorted out thing of message meets It was just a moment that he reflected on and it clicked and said, and that busted the whole thing over. 
 

And Marco can remember the book there. And from the scammers, I mean, they're training the voice, they're training the likeness. It's a, it's a body of work associated to doing that thing that just got busted by one question. You know? So to me it, that's the takeaway is the human element will be what you need to focus on to identify these things. 
 

And less about the eyes aren't matching in the right direction and things of that nature, because it won't be like that.
 

[00:25:47] Bec Caldwell: They'll be, they'll be fantastic in six months and that'll just double every,  
 

[00:25:51] Marco Ciappelli: you  
 

[00:25:51] Benji Zorella: know,  
 

[00:25:51] Bec Caldwell: it's going to be exponentially amazing.  
 

[00:25:54] Marco Ciappelli: I want to touch on one more thing.  
 

[00:25:57] Sean Martin: See? One more question. 
 

One more thing. 
 

[00:26:02] Marco Ciappelli: So I can see, though, technology coming into place to kind of reminding us human to think a little bit. You know, the old Microsoft Clippy. I don't know why it came out so much, but you know, it's kind of funny. CHAT GPT.
 

[00:26:40] Bec Caldwell: CHAT GPT.  
 

[00:26:43] Marco Ciappelli: But at least reminding you, kind of like the car, right? 
 

You know, hey, it's flashing because in your blind spot. Yeah, there's  
 

[00:26:48] Bec Caldwell: a blind spot. You  
 

[00:26:49] Marco Ciappelli: know what I  
 

[00:26:49] Benji Zorella: mean?  
 

[00:26:50] Marco Ciappelli: So  
 

[00:26:50] Benji Zorella: Uh, I think two things on that. Uh, absolutely. The problem is people get used to seeing the same things. An example I can give to you that exists now is, uh, when you get emails from outside your organization on Outlook, you get a little banner. 
 

This came from outside your organization. We do phishing training and people within our organization in the cyber industry click on things that are the domain with a suspect domain. It has the banner. We've got like the, our banner, but people still ignore those telltale warning signs. That, that is the machine saying, you should be suspect of this, it's not coming from where you think it is. 
 

[00:27:25] Bec Caldwell: Well also because sometimes, depending on like, what role you have, you'll look at that and go, I think there's something broken about my Outlook, so I'm gonna continue to ignore this. You've justified in a lot of ways to yourself, you know. That shouldn't be there because it's annoying to me, so I'm gonna erase it from my field of vision.
 

[00:27:40] Benji Zorella: So it's, so I agree with you, leveraging machine learning and AI to kind of be our guide on the side to point out the things that we might just ignore. The problem is people actively engaging with that, right? It says payment and urgency. All my stuff says payment and urgency. Ignore that. Well, this one was specifically more urgent. 
 

Urgent payments. Exactly. I  
 

[00:28:01] Marco Ciappelli: see it. More humanized, so not just the banner, not just like something that, it's kind of like the CHAT GPT that you interact with, you choose the voice, you choose the tone, and you're Like an  
 

[00:28:14] Bec Caldwell: assistant that can say, hey.  
 

[00:28:15] Sean Martin: Yeah, it's your assistant. Hey bro. I want a deep fake of a CEO. 
 

I've had a look at your email. You're about to click on this, Jim. Do you really value your job right  
 

[00:28:25] Marco Ciappelli: now? Or like he plays a song that, you know, there are a few  
 

like a  
 

[00:28:34] Benji Zorella: metallic. That'd be good. Actually, there were a few vendors that are moving to that kind of, uh, side of things, our company is one of them, but we're moving into a bit more of a space of highlighting and doing text analysis on cognitive biases.
 

So highlighting things like payments or a vendor name is misspelled or what have you, um, or doesn't align to a vendor email. So we're, I believe the space is moving to a place where we are trying to give people as much, I guess, analysis up front of a thing. Okay. Right. I think people are definitely more conscious of that, whether or not, you know, it gets widely adopted by organizations is ultimately the question, right? 
 

Plus,  
 

[00:29:14] Marco Ciappelli: there will be  
 

[00:29:16] Benji Zorella: a mouse and tab in that situation, right? Because as soon as they realize that the words, uh, urgent payment in seven days gets, uh, flagged on every email, they'll adapt it. There'll be another one. Yeah, exactly.  
 

[00:29:27] Bec Caldwell: Just stop paying your bills. I mean, yeah, then you can avoid the whole situation. 
 

[00:29:30] Benji Zorella: I think it's about reminding yourself to be skeptical, uh, question when people reach out to you, particularly on the internet. Most people don't have your best interests at heart, particularly on the internet. They have their own best interests.  
 

[00:29:43] Marco Ciappelli: Well, this was fun. Always great to talk to you. To have an unscripted conversation like this that actually I hope that inspires people to think a little bit
 

[00:29:52] Sean Martin: more. 
 

Fellow podcasters are always, always a good time. I know. Thank you both for having us. We appreciate it. Yeah, thanks so much. It's  
 

[00:29:58] Marco Ciappelli: been  
 

[00:29:58] Sean Martin: great.  
 

[00:29:59] Marco Ciappelli: Of course. And stay tuned. We got a few more. Conversation here in Melbourne. Check their podcast. Yeah, absolutely. Bec and Benji.
 

[00:30:07] Sean Martin: Bytes. Bytes
 

[00:30:07] Bec Caldwell: with Bec and Benji. There
 

[00:30:09] Sean Martin: we go. 
 

There you go.  
 

[00:30:10] Marco Ciappelli: And, uh, On Location with Sean and Marco. We're still here. Still here. Subscribe.
 

[00:30:16] Sean Martin: A few more to go. And, uh, Day 3 and, and, uh, yeah, lots of stuff being published over the next few days. So, stay tuned, subscribe, share with your friends and enemies, and we'll see you soon.  
 

[00:30:26] Marco Ciappelli: And don't  
 

[00:30:26] Sean Martin: click. Don't click. 
 

[00:30:27] Marco Ciappelli: I mean, not on the weird stuff. I said it.