The primary focus of today’s discussion revolves around the profound implications of artificial intelligence (AI) on the cybersecurity landscape, particularly emphasizing the heightened sophistication and frequency of cyberattacks. As we navigate through the intricacies of this evolving domain, we aim to elucidate how the advent of advanced AI technologies is transforming both the methods employed by threat actors and the strategies utilized for organizational defense. Our esteemed guest, Michael Waite, brings invaluable insights from his extensive experience in technology and cybersecurity, highlighting the necessity for a paradigm shift in how we approach security awareness and training. We delve into the critical need for personalized training programs that address specific risks associated with individual roles within an organization, moving away from outdated, one-size-fits-all methods. Ultimately, our dialogue seeks to foster a deeper understanding of the current threat landscape, advocating for a collaborative and informed approach to safeguarding not only corporate environments but also the personal digital lives of individuals.
In this episode of Security by Default, host Joe Carson sits down with Michael Waite from Dune Security to explore how AI is reshaping cybersecurity and why it’s time to rethink traditional awareness training.
As cyber threats become more sophisticated, personalized, and AI-powered, organizations can no longer rely on outdated, one-size-fits-all learning models. Joe and Michael break down what modern cybersecurity training should look like, how to engage employees more effectively, and why empowering people both inside and outside the office is essential to strong defense.
What You’ll Learn
- How AI is transforming both cyber attacks and defensive strategies
- Why the volume and quality of phishing attempts continue to rise
- The limitations of traditional annual awareness training
- The shift toward personalized, role-based learning
- How real-time intervention improves security habits
- Why cybersecurity awareness must extend beyond the workplace
- Practical ways to engage employees and build a security-first culture
- The importance of collaboration and communication across teams
- How threat intelligence informs more effective training programs
Key Takeaways
- AI is rewriting the threat landscape.
- Attackers are faster, more convincing, and more scalable than ever.
- Generic awareness training is no longer enough.
- Personalization is essential to reducing real-world risk.
- Engagement drives stronger security culture and better outcomes.
- Cybersecurity begins at home, not just at work.
- Bite-sized, real-time lessons are more effective than long annual videos.
- Employees are part of the detection engine—and must be empowered accordingly.
Memorable Quotes
- “Cybersecurity doesn’t start in the office.”
- “The one size fits all approach is dead.”
- “We need to democratize security.”
- “Let’s give individuals the tools they need.”
- “We need to make cybersecurity more fun.”
- “This is my favorite thing to talk about.”
Episode Chapters
00:00 – Introduction to the Chaos of Cybersecurity
03:05 – The Impact of AI on Cybersecurity
09:40 – Best Practices for Cybersecurity Awareness
18:51 – Personalizing Cybersecurity Training
27:00 – Engaging Employees in Cybersecurity
29:20 – Resources for Further Learning
Additional Resources:
https://www.linkedin.com/in/mr-michael-waite/
https://www.dune.security/
https://www.dune.security/threat-intelligence-report
The dialogue commences with a cordial greeting, establishing a warm rapport between the host, Joe Carson, and his guest, Michael Waite. The podcast elucidates the dynamic and tumultuous landscape of cybersecurity, accentuating the incessant evolution of technological advancements and the corresponding threats that arise therein. Joe articulates a desire to dispel the chaos that often pervades the security realm, striving instead to illuminate the positive strides being made to foster a safer digital environment. Michael subsequently shares his professional journey, revealing a notable transition from a decade-long consultancy with Accenture to a foray into the cybersecurity sector. This pivot was serendipitously catalyzed by a chance encounter during a flight, wherein a conversation with a fellow passenger sparked the inception of his entrepreneurial aspirations in security.
Transcript
Hi, everyone.
Speaker A:Welcome back to another episode of the Security By Default podcast.
Speaker A:I’m the host of the show, Joe Carson, and it’s a pleasure to be here with you all again.
Speaker A:I’m really excited because we always look at, you know, the chaos world that we live in.
Speaker A:It’s always changing.
Speaker A:There’s always fun things, there’s new technologies and it’s ever evolving.
Speaker A:And sometimes in the security world, we live in a bit of chaos.
Speaker A:And I try to sometimes bring clarity to that chaos so you can actually see, you know, the light and see what great things we’re doing in the industry and truly make it a positive experience because that’s what we’re really here to do, is make the world a safer place.
Speaker A:And, and I’m really excited about having another guest for you this week.
Speaker A:I’ve got Michael joining me.
Speaker A:So, Michael, if you can give the audience a little bit of a background about yourself, how you got into the industry, maybe some interesting things about yourself and a bit about what you do as well.
Speaker B:Absolutely.
Speaker B:Thank you, Joseph.
Speaker B:It’s a pleasure to be on the show with you today and really excited to chat about such an interesting topic.
Speaker B:Michael Waite here.
Speaker B:Just a little bit of background about myself.
Speaker B:I started my career after graduating university in the tech space, got right into consulting, and for about 10 years I worked with Accenture.
Speaker B:And that’s really where I cut my teeth in tech.
Speaker B:Doing projects with Fortune 50, Fortune 500 companies, large scale implementations, migrations to the cloud, data science, data visualization, basically anything you, you name it was doing that.
Speaker B:But the, the way that I got into the cybersecurity space is actually very fascinating.
Speaker B:This, at this point is about three years ago, I was flying to Madeira, Portugal to visit a friend of mine and I flew through JFK and there was a major cybersecurity incident at JFK that day.
Speaker B:So the flight was delayed and there oddly was only about 30 people on this flight.
Speaker B:And so I board the plane and it’s just me and one other guy in this section of the plane and I’m quite a yapper.
Speaker B:So started chatting him up, I think, to his chagrin.
Speaker B:But we started talking about what we were doing and he was like, I’ve been in the cybersecurity space for a long time, I want to go and start my own business.
Speaker B:And he pitched me on the version 0 idea of doing security, and I loved it.
Speaker B:And we learned in this conversation that our skill sets are really complementary.
Speaker B:I’ve been in tech for a long time and have built really robust and large scalable systems.
Speaker B:And my business partner, he had been in sales and go to market and revenue strategy.
Speaker B:So we realized at that point we’re like, let’s do this.
Speaker B:And so, yeah, that’s, that’s how I got into the cybersecurity space.
Speaker B:And it’s been a ton of fun being in this space, especially now.
Speaker B:And everything that we’re going to talk about today, I think is incredibly poignant because AI is, is such an incredible tool.
Speaker B:There’s so much power and utility there, both for good and for evil, and I think we’re starting to see the fruits of that.
Speaker B:So an interesting topic and very excited to chat today and thank you for having me on.
Speaker A:No, it’s a pleasure to have you on.
Speaker A:And I completely agree.
Speaker A:Sometimes it’s all about being in the right place at the right time.
Speaker A:And I’ve been fortunate enough to be in similar situations as well throughout the years.
Speaker A:And I’m the same, similar to you.
Speaker A:If I’m sitting next to someone, I get chatty, I have a conversation and want to learn more about them and what they’re doing and maybe why we’re on the same plane.
Speaker A:Sometimes it can change the future and change the direction and path that we’re all going on, which is always exciting.
Speaker A:And that’s the great thing about humans, is that those random acts really can change the things that we’re doing.
Speaker A:So that’s really exciting.
Speaker A:And of course, today’s topic is all about AI.
Speaker A:How can we go through a couple of episodes without talking about AI, which is getting difficult these days.
Speaker A:And it’s really, we’re seeing a lot of evolution, especially in the last, you know, year or two, where we’re seeing a lot of the GPT engines really change how we interact with computers from a human perspective as well.
Speaker A:So what’s some of the things you’re seeing, you know, the trends this year from both the defense side of things and also the attack.
Speaker A:How is it changing the way we protect our businesses and protect the way of life?
Speaker B:That’s, that’s a great question and a lot to unpack there, I think.
Speaker B:Let’s start with how we’re starting to see AI impact the quantity and the fidelity and the efficacy of attacks from threat actors in the wild.
Speaker B:If you look back four or five years ago, the quantity of attacks was overall lower and the quality, the fidelity of them was also dramatically lower.
Speaker B:And I think that with the advent of generalized large language models and the ease and availability of access to those, we’re starting to see that entire landscape change.
Speaker B:There used to be telltale signs when attacks were being launched.
Speaker B:If you got a call, and I don’t mean to sound insensitive here, but if you get a really, really thick accent on the other line, it might be a sign that this is a scam or this is an attack.
Speaker B:But with, with all of the generative capabilities, all of that is changing.
Speaker B:We see it in terms of attacks down the vein of vishing, where you can use real time tools out there to mask really thick accents to do real time language translation.
Speaker B:And so now instead of getting a call that you can tell it’s somebody calling from Russia or from China or from deep in India, now you, you really can’t tell.
Speaker B:And that, that spans across everything that, that I just spoke about was with voice, but we see it also with the, the fidelity of things, phishing emails, where now it’s not like the prince in some African country that’s emailing you that, that he has 10 bitcoins for you or whatever.
Speaker B:Now they’re, they’re really well crafted and if you, if you take the, the rise of AI and you pair that with the availability of information about just about everybody that’s on the dark web, those two things, when you combine them, become incredibly dangerous.
Speaker B:And we see attacks now where hackers will find a target though, they’ll use tools like LinkedIn and they find somebody that’s working at a company that they want to attack and then they’ll, they’ll find out their, like the systems that they have access to.
Speaker B:They look on the dark web and they’ll get basic information about them, like what is their address, what’s their date of birth, what’s their Social Security number.
Speaker B:And for the vast majority of people out there, that information is just available on the dark web.
Speaker B:And then you pair that with a sophisticated AI model that can call into an IT help desk and present all of those pieces of information that a hacker or that the help desk would be looking for to verify your identity.
Speaker B:Then they can, they can get credentials reset, they get MFA disabled.
Speaker B:We’ve seen attacks like this happening.
Speaker B:I think the MGM attack that happened at this point is probably a year ago or a year and a half ago.
Speaker B:That’s precisely what they did.
Speaker B:So the quality of attacks is increasing dramatically.
Speaker B:The number of attacks that are launched is increasing dramatically.
Speaker B:And I think one of the scariest things here is the number of successful attacks is also increasing.
Speaker B:And so when you pair the sophistication and the evolution of AI with all of that data that’s available on the dark web.
Speaker B:It’s a pretty wild world and I think that we’re just starting to see the tip of the iceberg there.
Speaker A:Absolutely, I completely agree.
Speaker A:For me, I mean, I’ve been in this industry for such a long time now that even the, you know, the accuracy and authenticity of a lot of the phishing and vishing is getting to a point where it’s even difficult for professionals to even detect as well.
Speaker A:I’m based in Estonia and I can kind of confirm, you know, with the Estonian language, it was always a protection for the society here because it was a complex language.
Speaker A:It was very difficult for attackers to, you know, automate the translation.
Speaker A:So you were always able to find errors and mistakes in the phishing campaigns.
Speaker A:And now with, you know, GPT engines, that translation is done in real time and it’s perfect.
Speaker A:You know, even to a point where I think, you know, attackers are now realizing that perfection is, is, is, is not like a human.
Speaker A:So they’re adding little bits of imperfection into their algorithms to make it like, let’s make a few mistakes.
Speaker A:So it really does look like a human.
Speaker A:So it’s really getting to the point where, you know, these types of campaigns and scams are getting to being perfect.
Speaker A:Yeah, it’s not just about the written text.
Speaker A:To your point, is it’s about voice.
Speaker A:It’s even video.
Speaker A:We’ve seen scams where they’re able to video, real time, impersonate video that, you know, might look like executives or their colleagues in the background.
Speaker A:And to your point, you know, it’s not, it’s about getting new credentials or credentials reset, but it’s also about onboarding devices as well and getting the ability to access that more information that can then be used for lateral moves or can be used for business email compromise or invoice fraud.
Speaker A:And we’re seeing these accelerate at a really, really alarming rate.
Speaker A:What, what things?
Speaker A:I mean, since it was to a point where now we’re relying heavily on technology, what things are you seeing, you know, to help us be able to identify what’s the best practices to be able to determine some of these things that to be able to, you know, with the old traditional things of doing cybersecurity awareness training is not really efficient today because all the things we’ve been taught to detect is no longer there.
Speaker A:What things can we do in order to really reduce these types of threats?
Speaker B:God, Joseph, that is the question of the hour, isn’t it?
Speaker B:It’s a really good question, too.
Speaker B:I think when I look at the way that we can protect ourselves, I would say it comes to three things.
Speaker B:People, process, and technology.
Speaker B:Every single one of those is essential.
Speaker B:We work really closely with a lot of large enterprises and this is top of mind for them.
Speaker B:And I think that that importantly, you need to focus a lot on technology and making sure that all elements of your IT infrastructure and your security stack are really robust.
Speaker B:And then making sure that you have process in place within your organization that people know of and it’s simple enough that they can follow it.
Speaker B:And then the last, and I would say the stickiest part of this is the people aspect of it, because humans are infallible.
Speaker B:We can make tech that’s incredibly robust, but people are people and they’re always going to take actions, either intentionally or accidentally, that can introduce a lot of risk to the organization.
Speaker B:So I think that making sure people are trained on the attacks that are happening today.
Speaker B:And the challenge is that when you look at how the market typically solves for that, it’s with like legacy security awareness training.
Speaker B:And if you’ve worked in corporate America or a large company somewhere, you know these things, you do it once a year, it’s 30 minutes, it’s really generalized and it’s basically like don’t click on things.
Speaker B:And that’s, that’s the TLDR of the training.
Speaker B:I think that, that we need a paradigm shift in the space to really holistically understand the risk that an individual brings to an organization, understanding the implicit risk of the role that they’re in.
Speaker B:Obviously, like a marketing intern, if they get breached, there’s not as much of a business impact as if say the, the EA to the CFO gets, gets breached.
Speaker B:There’s a much bigger difference there.
Speaker B:And then actually looking at the threats that are going after that archetype of, of person and then training them on that.
Speaker B:And as much as possible, dynamically adapting security controls around individuals instead of just having the castle walls built around the organization as a whole, I think it’s very important to have them dynamically put around individuals to help to protect the individuals that introduce the most risk to an organization.
Speaker B:So when you look at those three things together, the marriage of people, process and technology, I think that that is really the best way that we can protect ourselves from this.
Speaker B:And also I think it’s important that we look at threat intelligence when we understand what are the bleeding edges of attack.
Speaker B:Because one thing that we’ve noticed within our company and the customers that we work with is there’s a shift happening.
Speaker B:I think when you look back five to seven years ago, email phishing was the main vector of attack that hackers would try to get into large enterprises with.
Speaker B:And for a time that was tremendously effective.
Speaker B:But when we look at the space around email, I mean you look at Abnormal Security, they’re one of the new players in the SEG market, they’re great and they’re able to build technology to protect the inbox.
Speaker B:So we see a shift now of threat actors moving off of corporate devices and things that the enterprise has direct control of and they’re moving on to off channel and encrypted apps where they know that they can have direct access to an individual without the eyes of the enterprise on that.
Speaker B:And so now they’re finding people’s WhatsApps, their Telegram, their Signal, their Viber account, whatever it is, and they’re reaching out to people there.
Speaker B:And especially for BPO companies or people with employees in low cost delivery centers, threat actors have a lot of success going after them and offering a small bribe for customer information.
Speaker B:So I think that, that really being honest with ourselves and looking at where attacks happening today and how do we protect ourselves from today’s attacks and not yesterday’s attacks.
Speaker A:Absolutely reminds me of some of the projects I’ve worked on over the years.
Speaker A:I remember a back working with a large transportation organization and they had a cyber security awareness training and it was really static.
Speaker A:It was, you know, we were looking at it from a very much a technology perspective and not from a human side of things.
Speaker A:And it was very much that everyone had to do the same awareness training.
Speaker A:It wasn’t personalized in any way whatsoever.
Speaker A:And we realized very quickly that after about six months of doing this project we were failing.
Speaker A:And we knew we were failing because we got so much friction with the employees that we were delivering it to.
Speaker A:They hated it.
Speaker A:We were causing them, preventing them from doing their real job.
Speaker A:This was a, you know, a hurdle that we were putting in the way.
Speaker A:And ultimately when we got we, we kind of took all of the data that we had, we realized we had to do something differently.
Speaker A:And what we ended up doing was we, you know, we stack ranked what we could stack rank because in some countries you’re not allowed to stack rank employees against each other.
Speaker A:But where we could do it, we were able to see that oh, let’s do it from a risk based approach rather than target, you know, most, some people in the organization didn’t have computers.
Speaker A:Why would we give them cybersecurity awareness training if they weren’t offering technology at all?
Speaker A:So it kind of like know you’re doing a lot of waste as well.
Speaker A:So we did it from a risk based approach.
Speaker A:And then we, I remember we were challenged because we were trying to figure out how to communicate.
Speaker A:And I remember it was the day where fortunately we were sitting in this really nice conferencing room and we’re all standing at the whiteboard going, what do we do?
Speaker A:What do we do?
Speaker A:And there was a lot of noise and racket from one of the rooms down the corner.
Speaker A:And we were like, what’s all this noise?
Speaker A:Can someone go tell them to be quiet?
Speaker A:And this one person went out, they came back and said, well, today is actually bring your kids to work day.
Speaker A:And it was actually a bunch of kids in the next room that were making a racket.
Speaker A:So we thought, that’s interesting, like children, let’s have a conversation with them.
Speaker A:And you know, so we brought them into the room, we got information.
Speaker A:Can we ask them some questions about technology and stuff?
Speaker A:And it was really enlightening because they were very direct and very honest and they thought outside the box.
Speaker A:They didn’t have the pre, kind of like curses that we would typically have because you get so ingrained in things that you think there’s no other way.
Speaker A:And ultimately, I remember, you know, the kids said, oh, why don’t you do it as a comic book?
Speaker A:Because, you know, people love comics.
Speaker A:It’s easier for them to understand from images than it is text.
Speaker A:And we look, oh my goodness.
Speaker A:So we end up doing our IT policy as a comic book.
Speaker A:And then somebody else put their hand up, said, oh, you know, why don’t you put it in the, in the bathrooms?
Speaker A:Because everyone needs to go to the bathroom at least once a day.
Speaker A:Oh, that’s interesting.
Speaker A:Really intriguing because I think what we’re, we’re seeing is this evolution of awareness training to deal with all of these latest types of threats.
Speaker A:And to your point, one of the biggest things that came out of that project, and I think this was one of the most fascinating things, was as we went through it and that moment with having the kids in the room, what we end up realizing that cybersecurity doesn’t start in the office, in the corporate walls, and it doesn’t start with the employees.
Speaker A:It actually starts with their social sphere and their family, the people around them.
Speaker A:And that was one of the things is when we actually had that message, the executives of the company said, what we’re going to do is we’re not going to extend cybersecurity, the entire employee’s family.
Speaker A:We’re going to move security out, we’re going to democratize it.
Speaker A:We’re going to make it available and push the security perimeter beyond just the office walls and the office computers to your employees, home computers and home devices.
Speaker A:Because to your point is, most of the attackers’ way in is not through the company devices.
Speaker A:It’s through your personal devices that are your company devices that you’re accessing personal content with.
Speaker A:There’s so many messaging apps out there that everyone has to be part of a group, has to be staying connected.
Speaker A:And if you’re just monitoring corporate email, you’re probably missing majority of the threats that’s out there.
Speaker A:And even recently this, this past week in Estonia, we also had major threats that went, went to schools through a lot of the messaging apps as well.
Speaker A:So it means really we have to start understanding about how the, you know, the new attackers are thinking, what’s their new ways of gaining initial access or to compromising or to getting employees to do things that they shouldn’t do.
Speaker A:And really, it does mean that we really have to start thinking about personalizing security because not all employees are equal, as I mentioned, not all employees are using even technology in the companies.
Speaker A:We have to start thinking about how do we make sure that this employee has access to certain types of data, they have certain roles, they have certain social connections within the company.
Speaker A:What’s the right size awareness training for that person, individual.
Speaker A:And I think this is really where we start thinking about is, you know, with the people, technology and process is about how do we understand the data better ourselves and make sure that we personalize the training so that the employee gets the right amount of training and also more specific to the role that they’re doing.
Speaker A:So any, any thoughts around some of those examples or ideas?
Speaker B:Yeah, what, what you said just landed with me so profoundly because the one size fits all approach is dead.
Speaker B:It does one thing, it ticks the box for GRC where you can report out to regulators that we trained everybody on cybersecurity, but it does nothing to move the needle on the actual cybersecurity posture of these organizations.
Speaker B:And so I think that it’s critically important to really take a holistic look and as much as possible to be data driven and to, to put together almost risk profiles for each person within an organization.
Speaker B:And that, that has so many factors that go into it, like what are they working with?
Speaker B:Do they even have access to a computer?
Speaker B:Many people don’t, or they don’t have access to, to a computer that’s web enabled or to, to anything but internal email.
Speaker B:And so the, the risk there is much smaller versus somebody who is accessing all of the corporate systems on their personal device potentially when they’re traveling to a different country, very different risk profiles there.
Speaker B:And I also think that real time intervention and really meeting people where they’re at is becoming absolutely essential because the relationship between the security apparatus of an organization and the actual employees of an organization has historically been adversarial.
Speaker B:And you mentioned that a little bit earlier, where employees resent the fact that they’re needing to take any of these trainings because they watch it, they see the content, they’re like this isn’t that like I don’t actually know how to secure myself more from watching this, this 20 minute video that just tells me not to click on anything.
Speaker B:And so I think that really understanding everybody’s risk and then training them on only the things that are pertinent to them and also doing it in a form factor that everybody is used to now, which oftentimes is short form content.
Speaker B:And so it doesn’t need to be a three hour endeavor to train people, give them real time intervention with bite sized learning that allows them to course correct in real time.
Speaker B:And then also empowering the organization to have insight into where risk lies.
Speaker B:They need to take an eyes wide open approach to this.
Speaker B:That’s something that’s historically been challenging.
Speaker B:A large financial institution that we work closely with, it’s very interesting because in our conversations with their, their security team and their CISO, they basically said yeah, within our, within our, like our stack, we know exactly where risk lies and we’ve done a lot to make it very robust.
Speaker B:And any elements that remain that still introduce risk are on the roadmap for us to fix and to improve.
Speaker B:But on the other side of that, when we look at the human population, we have no insight into where risk lies there.
Speaker B:And if you look at just the basic data, I think it’s published by the FBI and a few other agencies that are out there.
Speaker B:But nine out of 10 attacks happen because of human error.
Speaker B:And so making sure that we do everything to diminish the, the adversarial relationship and build a relationship that really empowers people to do the work that they’re hired to do, but also to, to protect themselves at the same time.
Speaker A:Absolutely.
Speaker A:I think one of the things, the things I’ve found over the years is for me is that when you personalize the training and make it it’s not about the company but it’s makers.
Speaker A:It’s the employees who are benefiting.
Speaker A:So you have to reverse the message.
Speaker A:So the employee wants to do the training, they want to do it.
Speaker A:Because it’s not just about protecting the company, it’s about actually the employee and their personal lives as well.
Speaker A:So when you change the context, you change the messaging that it’s all about.
Speaker A:We’re giving this for you, we’re doing it for security for your personal sphere and your social sphere.
Speaker A:It’s going to make your family more beneficial from doing this.
Speaker A:It’s in addition and at the same time the company will benefit from it.
Speaker A:That changes the whole narrative of things.
Speaker A:It really makes the employee realize that actually yeah, the company, it’s almost like giving them something free that’s going to make their personal lives better.
Speaker A:It’s a benefit.
Speaker B:Exactly.
Speaker A:In many cases you want to make it a benefit and not more of a, that GRC checkbox approach.
Speaker A:And I can’t tell you how many times I’ve had to do that in my career.
Speaker A:Some people I know get their pets to watch it while they’re doing something else.
Speaker A:You know, to put the pet in front of the screen, you know, give them something dangly to watch.
Speaker B:Yeah.
Speaker A:Are they really paying attention?
Speaker A:But yes, absolutely is to check, check off that regulatory compliance piece.
Speaker A:And the attackers know that and they probably even know when the schedule is.
Speaker A:So they probably will target it mid year or you know, a few months beforehand.
Speaker B:Exactly.
Speaker A:Really know when those organizations because typically it’s end of year, it’s October, November is when the checkbox has to be done because they want to be compliant for the new, for the new regulation or compliance by January, so.
Speaker B:Exactly.
Speaker A:Very predictable.
Speaker A:And I think really we have to start thinking about how do we change that, how do we focus around the employees benefit something that they want to do.
Speaker B:I think you’re spot on with that and you brought up something that I just want to touch on as well in terms of making the relationship non adversarial.
Speaker B:One of our learnings as we’ve built the company, it was a very distinctive moment.
Speaker B:We were building out a vishing capability because we want to be able to replicate all of the types of attacks that hackers are doing.
Speaker B:It’s not just email anymore, it’s, it’s deep fakes, it’s vishing, it’s out of off channel encrypted apps.
Speaker B:We, we replicate all of those attacks and as we were building out our vishing capability part of that was doing voice cloning.
Speaker B:And so we spun up some GPUs.
Speaker B:We, we put on all the models that we needed to.
Speaker B:And I remember it was me and the engineers were sitting there and we, we have a, a salesperson on the team named Kayla and she’s a delight and, and one of our funniest employees.
Speaker B:And so we, we got about 10 seconds of her voice off of a recorded sales call and then the devs made a clone of it.
Speaker B:And we were making it just say like silly, ridiculous things.
Speaker B:And there was a fervor among the engineers as we did this.
Speaker B:It was like we were laughing so hard and just having a great time.
Speaker B:And it was one of these moments of an unlock of like we’re having a great time with this and we’re learning a ton from this.
Speaker B:Why do we not give this to end users when they’re learning about vishing?
Speaker B:Instead of just taking a two minute training on it, why don’t we give them the ability to like record 10 seconds of their voice?
Speaker B:We’ll put that into our model, we’ll make a clone of it and then we’ll let them have this experience of hearing things in their voice or typing something in and having it say it.
Speaker B:And we’ve noticed huge upticks in engagement with that because then it’s a fun thing and there’s an organic kind of like spread of this throughout organizations.
Speaker B:We see it where one person does it, they share it to their friend, then that person goes and plays in the vishing playground is what we call it.
Speaker B:But yeah, it’s like, let’s not just train people with kind of old school long form content.
Speaker B:Let this be more of a workshop where they can learn about it.
Speaker B:And then after that when the light bulb goes off and they see how real this threat vector is, then we give them a couple tools to help to protect themselves.
Speaker B:And like you mentioned as well, it’s not just for the organization, it’s also for individuals, their friends and their families.
Speaker B:Voice cloning, we see that so much these days.
Speaker B:And you get a call, it’s spoofed a number, it sounds like a loved one and they say, I was traveling and I got arrested.
Speaker B:I’m in a bind.
Speaker B:I need you to send $5,000 or I’m absolutely screwed.
Speaker B:And we want to give these individuals the tools that they need to protect themselves while they’re working, but then also to protect their loved ones, their friends and their family as well.
Speaker B:And I think that giving them the knowledge in a way that they’re actually keen to learn it is absolutely critical.
Speaker A:Absolutely.
Speaker A:I remember the case last year in India where there were accelerating scams happening with Indian families, to the point where even the government had to step in in order to intervene with the threats.
Speaker A:And absolutely, we do need to make our industry more fun.
Speaker A:We need to make it more entertaining because it is very much a scary industry and we live in a scary world from, you know, a lot of what we see from the threat side.
Speaker A:And we do need to make it entertaining.
Speaker A:It always reminds me back, I’ve done a number of phishing campaigns over the years and I was always, I’m a perfectionist.
Speaker A:I was trying to do it perfect.
Speaker A:And the one organization that got me was the one where employees were so talkative, they talked and communicated so much that the moment, you know, you sent the phishing campaign in that they chatted.
Speaker A:Did you see this?
Speaker A:Did you get this as well?
Speaker A:And they started chatting and all of a sudden when the collective together started looking at this, they realized it was a scam, it was a phishing campaign.
Speaker A:So when you put all those minds together and they start seeing something like, huh, this is interesting.
Speaker A:And they basically caught it right away.
Speaker A:And I always find that, yes, if you can get your employees to talk more and communicate more and share, the collective minds together can actually be a better defense rather than individuals trying to figure it out themselves.
Speaker A:Because ultimately you’re trying to get one person to do it.
Speaker A:But if you get everyone working together, then it means that they’ll also report it quickly.
Speaker A:You shouldn’t be afraid to speak out, you shouldn’t be afraid to report it.
Speaker A:Therefore, you know, collective minds working together can actually be a very, very strong security resiliency for a company.
Speaker A:And at the same time, it makes it fun.
Speaker A:So that’s one of the things I always like, ways that broaden security into the social sphere.
Speaker A:And I also do like when it actually makes it entertaining as well, because we do need to laugh in our day jobs.
Speaker A:We need.
Speaker A:Exactly.
Speaker A:So tell me more.
Speaker A:Do you have any resources or any reports or areas that’s for the audience that they can go to if they’re interested in learning more about some of the, you know, the things where you have the tools for, for, you know, playing around with voice cloning and listening to what they sound like, maybe saying some interesting catchphrases or mentioned.
Speaker A:So where can they find more information if they want to learn more?
Speaker B:Absolutely.
Speaker B:We actually just published a couple months ago our first threat intelligence report that we put together. At Dune Security, we typically work with large enterprises and so it’s millions of end users and so we have copious amounts of data.
Speaker B:And it’s a pretty interesting report detailing exactly what we’re talking about here where the evolution of the threat landscape.
Speaker B:And I think that besides maybe when the, the Internet was invented, I think that we’re at at least that big or bigger of an inflection point.
Speaker B:And the rate of change and the rate of evolution that we’re seeing in the threat landscape is wild.
Speaker B:I really think we’re kind of entering the wild wild west of cybersecurity on so many different fronts.
Speaker B:You like, on the people side and on the threat actor side, but then also even with the technology we’re building with like MCP servers and new ways for tech to talk to other tech and the security implications that that has.
Speaker B:And so we do have a threat intel report that’s very interesting.
Speaker B:It’s on Dune Security.
Speaker B:And I can, I can provide a link for you to share out to your audience as well.
Speaker A:Absolutely.
Speaker A:I’ll make sure that in the show notes, I’ll, I’ll put a link so it’s easy for them to access and follow up later.
Speaker A:It just reminds me, you know, as I’m finding as a lot of this innovation is changing how we communicate with the devices.
Speaker A:You know, the old times of, you know, using a mouse and keyboard, I think we’re getting close to that no longer being even something we’ll interact with the computers with.
Speaker A:And it’s going to be basically our mind directly connected or our voice or other kind of gestures and motions.
Speaker A:I was laughing the other day, I was actually in my shed trying to measure, measure something.
Speaker A:And I said, Siri and about 10 devices went, ah, what do you want?
Speaker A:What do you want?
Speaker A:I only want one of you.
Speaker A:And every one of them started recording and was like, oh, stop, stop, stop.
Speaker A:Quite a funny moment.
Speaker A:And that’s the world we live in.
Speaker A:Even sometimes when we join, you know, virtual meetings and online meetings, there’s about three or four people on the call and about 15 transcribers and scribblers and note takers.
Speaker A:It’s like we all have this many, like little digital versions of ourselves.
Speaker A:It gets quite comical.
Speaker A:So.
Speaker A:But it is an interesting time and world we live in.
Speaker A:So Michael, it’s fantastic.
Speaker A:The audience do have questions that they would like to go to yourself.
Speaker A:What’s the best way that they can connect with you if they want to do follow up and have further questions?
Speaker B:Absolutely.
Speaker B:I would love to engage with any members of the audience.
Speaker B:My LinkedIn, it’s Michael Waite, Dune Security.
Speaker B:So feel free to connect with me on LinkedIn and I’m happy to continue this conversation with anybody who’s interested to chat.
Speaker B:I’m relatively new to the cybersecurity space, been in it for three years at this point, but I can’t think of a better time to be in the space because it’s just every day is an evolution, every day is different.
Speaker B:And yeah, happy to connect with anybody that watches your show.
Speaker A:Fantastic.
Speaker A:Excellent.
Speaker A:I’ll also make sure that I include the direct LinkedIn link to the audience in the show notes as well.
Speaker A:So, Michael, it’s been wonderful having you on and really it’s been an intriguing conversation.
Speaker A:I always enjoy, you know, having these conversations.
Speaker A:It’s the favorite part of my week because it really enlightens me and it gives me a lot of different perspectives and some of the ways that what we work in in order to make the world a safer place and make everyone have a digital safe life as well.
Speaker A:There’s many thanks for being on the show today, Joseph.
Speaker B:Thank you.
Speaker B:Thank you for having me on the show.
Speaker B:I appreciate it.
Speaker B:This is, this is my favorite thing to talk about.
Speaker B:It’s a pleasure connecting with you.
Speaker B:Really appreciate it.
Speaker A:Excellent.
Speaker A:Thank you.
Speaker A:So for the audience, this is the Security by Default podcast.
Speaker A:I’m the host, Joe Carson, bringing you episodes every two weeks.
Speaker A:If this has been interesting for you, you know, please go and like subscribe, share with your colleagues, share with friends and really bringing you different topics to really help enlighten you, to give you new ideas in order to make the company you work for a safer place, but also the world that you live in a safer place as well.
Speaker A:So stay safe everyone, until the next episode.
Speaker A:Take care and thank you.
