This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
So you're on hold and you're sitting there with the hold music and you're kind of in la-la land where you can actually do work. And some of these channels, every 30 seconds, some voice comes on: "Your call is important to us. You are 14th in line." And then gives you an ad sometimes and then goes back to the music.
Graham Cluley
An ad?
Carole Theriault
Yes.
Graham Cluley
If you're having such a great support experience, you want to buy more from us, then here's other things you can have tech support problems with.
Unknown
Smashing Security, Episode 407: HP's Hold Music and Human Trafficking with Carole Theriault and Graham Cluley.
Graham Cluley
Hello, hello, and welcome to Smashing Security, Episode 407. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
407, Carole.
Carole Theriault
I know, I know.
Graham Cluley
And so it goes on. You know, there are people out there who've listened to every single episode of Smashing Security.
Carole Theriault
Wow.
Graham Cluley
They've undertaken the odyssey.
Carole Theriault
Someone should do the math of how many hours that is.
Graham Cluley
Yeah, a lot.
Carole Theriault
Well, we have a jam-packed show today, so you're going to get another hour on that docket. But before we kick off, let's thank this week's wonderful sponsors, Acronis, Drata, and Palo Alto Networks. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Graham Cluley
I'm going to be talking about when tech support is a cybersecurity vulnerability.
Carole Theriault
And I'm going to see if we can squeeze out some compassion for the unfortunate scammer. Plus, I chat with Gerald Beuchelt. He's Acronis's Chief Information Security Officer, and he shares loads of tips on how the security professional can get the boss on side. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, a question for you to kick off this show. What is the most terrifying sentence in the English language, do you think?
Carole Theriault
I have no idea.
Graham Cluley
What about, I've invited my parent to come on holiday with us?
Carole Theriault
I think Ebola might be worse than that. And that's also more than one word. Oh, you said sentence. Yeah, I think one word. Yeah, I would say Ebola.
Graham Cluley
Ebola, Ebola, Ebola.
Carole Theriault
Yeah.
Graham Cluley
Would be your one. Okay. What about, don't click here to not unsubscribe from our emails? I actually think the most terrifying phrase of all is, "Your call is important to us." Those words you hear when you ring up a tech support line or you ring up customer service, because you instantly know from that point on that it isn't important to them. You know that you're in a queue.
Carole Theriault
I was going to say, it's not typically automated, right? So it's not someone's saying that to your face.
Graham Cluley
No, no, they're not saying it to your face, but you hear those words.
Carole Theriault
Yeah.
Graham Cluley
And you know that this god-awful tech support hotline you're going to be on it for the next 3 hours, maybe. And eventually, when you get through to someone, they won't be able to help you with your actual problem. And maybe they'll say, oh, but we can pass you through to another department. Just hang on. You're going, no, no, no, don't pass me through. Then you're lost forever into the chasm, into the dark void.
Carole Theriault
I'll admit it. That's not fun. It's not fun.
Graham Cluley
And you can spend hours and hours doing it. And I think this is a waste of time. In fact, I think the easiest fix, perhaps, for a recession is not to invest in manufacturing or get lower interest rates or set up trade agreements. The best thing you can do for a country's economy is to fix tech support hotlines, because of the hundreds of thousands of hours that must be wasted each day when work could be done instead, work which could make the whole country some money.
Carole Theriault
Did you do a little math chart to work out how much we could make?
Graham Cluley
I haven't done any maths chart, no, Carole. I've just imagined it. I just think it would be a huge amount of money. And the thing is this, how do you make a tech support line more efficient? How can you make that experience better?
Carole Theriault
Well, I'm imagining the answer today is AI. That's what they're all going to say to you, a little chatbot. My husband actually had to cancel a subscription and he went to the website.
Graham Cluley
Yeah.
Carole Theriault
And it wasn't a very important subscription. It was a magazine subscription. And it was for somebody else.
Graham Cluley
Right.
Carole Theriault
A family member. And he was, "Hey, my brother-in-law wants to cancel the subscription. He's having trouble doing it." "What's his name?" He told them and they canceled it. All through the chatbot.
Graham Cluley
Could anyone speak to the chatbot and cancel anybody's subscription?
Carole Theriault
That's what we were saying. You hope that wouldn't happen at a bank.
Graham Cluley
Just close that account. Just transfer that money. Yeah, well, you could use AI. I guess that's one possible way to do it. Some people are a bit wary of AI, aren't they? But I think there's other ways in which you can make a tech support line more efficient because it's a very simple equation, right? People are clogging up support lines. You need to get people off the support lines to make the support line more efficient.
Carole Theriault
This is sounding revolutionary so far. Go on.
Graham Cluley
Yeah, it is, isn't it? Isn't it? So you can do that in a few different ways. You can build a product that doesn't require much in the way of support, right? So it just works. So if you did that, then your support line would be something that would work.
Carole Theriault
I suppose, yeah.
Graham Cluley
You'd be able to call it and there wouldn't be anyone else clogging it up. In fact, there'd be a phone covered in dust and cobwebs, which never has to be picked up by the people who work in that particular support line. It's a lovely way of thinking about things. So that would help reduce the number of people who call support. Having a product which just works, it makes support hotlines better. The problem is that it requires some effort in building a product that actually works in the first place.
Carole Theriault
Yes.
Graham Cluley
And that's why companies seemingly don't do that. Now, another solution—I'm on a bit of a high horse this week—is that you can hire more tech support people to staff the support line, right? Just throw people at it.
Carole Theriault
I wonder if they have hiring difficulties in tech support. I imagine they might. Imagine there's burnout quite quickly on that type of job.
Graham Cluley
That's often why the support lines are based in countries where there's a large population perhaps, and they don't cost very much. So hiring more people does cost money, obviously, for the company. So they have to make an investment. Often they will outsource it to other countries. And of course, people are a pain in the ass. You have to manage them, and they could cause problems. So we have to find another way to reduce the tech support hotline problem.
Carole Theriault
Do you have a solution, Graham?
Graham Cluley
Well, what I can reveal is that last month, HP, the people who make the printers, they came up with what they believed was the perfect solution to the tech support hotline problem.
Carole Theriault
OK, I'm all ears.
Graham Cluley
So you're wondering, did they build a printer that just works? No, of course they didn't. Of course they didn't, 'cause that's not what a printer is, is it? When you think of a printer, the actual definition of a printer is not something that actually works. A printer is predominantly a paperweight. It is predominantly something which sits in the corner of the room.
Carole Theriault
You kick it. I have a great printer. I love my printer. It's never misbehaved once, knock on wood.
Graham Cluley
Well, I look forward to it being a Pick of the Week one day. Because many of them don't. Many of them don't work. So a printer normally is something which doesn't work. So that's too much of a technological challenge for the guys at HP, right? They're not going to find that easy. They didn't fix the support line problem that way. Printers are the bane of most people's lives, right? In HP's case, they're typically going to try and use the printer to try and squeeze every last little cent, every penny, every shekel out of your corpse by charging you an over-the-top premium for the right to take out a subscription for ink, right?
Carole Theriault
Well, I don't think you have to do that. You can also buy them.
Graham Cluley
Well, that's what they're pushing you to do, aren't they?
Carole Theriault
Well, along with every other business out there.
Graham Cluley
Yeah, well, the thing is, your husband may have success in unsubscribing from some magazine or something. Good luck unsubscribing from an HP ink subscription. So HP, they aren't going to improve their product. Are they going to hire more people? No, of course they're not going to hire more people in tech support. Why would they do that? No. What they decided to do is to discourage people from ringing up tech support. And the best way to get people not to ring up tech support is to make tech support as gruelling an experience as possible.
Carole Theriault
Yeah. Or just not staff it, as some very well-known people in the world have done, right? Keep it empty.
Graham Cluley
Right. Keep it empty, maybe. So as The Register reported last month, an internal order was sent around HP, and I'm going to tell you exactly what it said, and then I'll try and explain what it means.
Carole Theriault
Okay.
Graham Cluley
It said, we want to inform you of a change in the NL IVR— that's the natural language IVR— in some countries and languages for consumer print and consumer PC customers in EMEA, effective today. Now, IVR is the Interactive Voice Response. That's their phone menu system.
Carole Theriault
But they don't actually say that anywhere.
Graham Cluley
No, they don't. They don't mention that anywhere. But you have to know the lingo. So the natural language IVR is their phone menu system. That's their digital phone system, which you ring up and you press a button and you get things played at you and you're put in a queue. And they carried on. They said, objective is to influence customers to increase their adoption of digital self-serve as a faster way to address their support question. This involves inserting a message of high call volumes to expect a delay in connecting to an agent and offering digital self-solve solutions as an alternative. Have you followed that?
Carole Theriault
No. What I'm— no, what I'm wondering is, is it written like this because they're turning something on by default and they're trying to obfuscate that, or so you just get bored out of your mind?
Graham Cluley
I think it's just corporate speak. I think this is just how they talk inside large organizations.
Carole Theriault
What do they want? What's the bottom line?
Graham Cluley
Well, I've decrypted it. Thank you. Rather like the Rosetta Stone, I've taken a look at it and I've tried to work out what that actually means. What they are actually saying is that they've changed the way their tech support phone system works. When they say their objective is to influence customers to increase their adoption of digital self-solve, what they mean is they want more customers to fix their own problems by looking up the answers online. All right?
Carole Theriault
Sure. Okay. Yep.
Graham Cluley
Fair enough. Yeah, right.
Carole Theriault
FAQ, you know.
Graham Cluley
How are they going to do that? And they say this involves inserting a message of high call volumes to expect a delay in connecting to an agent and offering digital self-solve solutions as an alternative. In short, at the beginning of the call to tech support, they are playing a message stating, "We're experiencing longer waiting times and we apologise for the inconvenience." Feel free to look at our website. Yeah. "The next available representative will be with you in about 15 minutes." And what they were doing was they were putting in a mandatory, compulsory 15-minute wait on their support lines.
Carole Theriault
Can I tell you, that is my pet peeve, actually. You just triggered me. So you're on hold, right? And you're sitting there with the hold music and you're kind of in la-la land where you can actually do work. And some of these channels, every 30 seconds, some voice comes on, "Your call is important to us. You are 14th in line." And then gives you an ad sometimes and then goes back to the music.
Graham Cluley
An ad?
Carole Theriault
Yes, ads for other services. They cross-sell on the channels.
Graham Cluley
If you're having such a great support experience, you want to buy more from us, then here's other things you can have tech support problems with. So I found this extraordinary that they put in this compulsory 15-minute wait.
Carole Theriault
Oh, they're throttling it to try and force people to go to the self-serve.
Graham Cluley
Exactly. So even if there was no one in front of you, you would have to wait 15 minutes. And every 5th minute or 10th minute or the 13th minute, the recorded message comes in again, saying, "We're still experiencing longer waiting times than normal. We apologize for the inconvenience." An inconvenience they have manufactured themselves artificially.
Carole Theriault
Did you try it out?
Graham Cluley
No, I haven't tried it out. You crazy? I would rather enter Hades than ring up HP's tech support. So it's not just HP which can be guilty of this kind of thing. Way, way back in 2000, for instance, credit reference agencies like Equifax, TransUnion, Experian, they were fined $2.5 million because the FTC found that they were failing to maintain their toll-free telephone lines for consumers seeking information about their credit score. They were blocking millions of consumer calls. They were leaving them on hold for excessive amounts of time, a bit like HP was.
Carole Theriault
Wow.
Graham Cluley
So imagine that you had called HP, but you're on the line for a long time and you do seek help elsewhere. Well, that's where the problem comes from the security point of view. As veteran journalist Bob Sullivan pointed out in recent days, HP's move has inadvertently exposed consumers to cybercrime. Because, of course, these frustrated users who just can't get their ruddy HP printer to work will often turn to unreliable third-party websites and potentially download malware instead of legitimate printer drivers.
Carole Theriault
Has this happened or is this theoretical?
Graham Cluley
No, this is happening all the time.
Carole Theriault
Wow.
Graham Cluley
According to Bob, he's got a theory about this. He says poor customer service creates a significant cybersecurity vulnerability and more companies need to think about this, because criminals can exploit the desperation of consumers who are looking for help with a product or a service.
Carole Theriault
Something they pay for every single month if it's a service.
Graham Cluley
Right.
Carole Theriault
Right?
Graham Cluley
Yeah.
Carole Theriault
That drives me nuts too, but anyway, yeah.
Graham Cluley
Absolutely. And it's not as though HP printers bloody well work.
Carole Theriault
Again, I know you have issues.
Graham Cluley
Not just me. I've done searches online.
Carole Theriault
I'm sure there's lots of happy people out there.
Graham Cluley
Oh, okay.
Carole Theriault
Feel free to write in and wind Graham up with your happy HP stories.
Graham Cluley
If HP, by the way, wants to sponsor the podcast, then we can remove this entire story from the episode. All the time you're having problems because your printer's updating, there's software updates, maybe your computer's updating, there's an out-of-sync printer driver, you find yourself screaming in frustration, and sometimes users can't find the printer driver they want on HP's website, but they find something elsewhere on the internet which claims to be the driver they need.
Carole Theriault
Yeah, yeah, yeah.
Graham Cluley
And that, of course, might be legitimate, might be malware. HP has published warnings on its own website about scammers who are trying to trick users into installing malware disguised as this kind of thing.
Carole Theriault
Useful for people who actually managed to get to the legitimate website.
Graham Cluley
Yes, useful for them. Security researcher Jerome Segura from Malwarebytes, he's recently blogged about what he saw when he went to Google and searched for HP printer help. And what Google did was, of course, before the genuine HP printer support page, he got 4 sponsored links, all claiming they could fix your HP printer problem online. And all of them were scams.
Carole Theriault
Now, look, I know my mum listens to the show. I'm just going to interrupt. Mum, pay attention to this. The whole sponsored thing. Okay.
Graham Cluley
Yeah.
Carole Theriault
It's not the legit page. And it's— people don't realize because it's written quite tidily.
Graham Cluley
Well, it's designed to look like a regular link, more or less, isn't it?
Carole Theriault
Which is gross. Why don't you just back-colour it a bit? You know, make it obvious.
Graham Cluley
So you go through to one of these sponsored links, which Jerome found when he looked for HP printer help, and you try to install the driver via their installation wizard on the web. It all looks very friendly and suddenly goes, oh, fatal error occurred, it says. But you can start a live chat with a support agent. So in your desperation to get your ruddy printer working, you click on live chat, and that, of course, is when the scammer asks to have remote access to your computer or says, install this piece of software, we'll be able to fix your problem. And they end up stealing data, locking your computer, maybe installing ransomware, or in the worst case, gaining access to your bank account and other pieces of information.
Carole Theriault
Mm-hmm, mm-hmm.
Graham Cluley
So HP's policy of making you wait at least 15 minutes, I would argue, directly feeds the scam industry.
Carole Theriault
Maybe they should parallel that with, this is your chance to take 15 minutes for yourself and maybe meditate.
Graham Cluley
Maybe that's what I need.
Carole Theriault
Maybe.
Graham Cluley
But there's some good news, Carole. There's some good news because after the Register publicised HP's 15-minute directive on their support lines, the company went into an urgent reverse ferret. The press picked up on it, the company caved into the pressure, and they said, "Oh, what were we doing that? Oh, we've stopped that. We've stopped that now."
Carole Theriault
You know what, though? It also sounds to me like it might have been one particular director's idea, right? To try it out and maybe didn't have the upper echelons' involvement in this. And then, you know, when word got out, shit hit the fan.
Graham Cluley
Well, it was across Europe, Middle East, and Africa they were doing this. So it wasn't a secret. Maybe they were trialling it on us Europeans and in the Middle East and Africa before they were going to do it in the Americas as well. I'm not sure. Anyway, they say that based upon feedback, they know the importance of speaking to a live customer service agent in a timely fashion is paramount, so we're going to continue to prioritise that. I would love to hear from listeners who will start their stopwatches to find out how quickly they get through to tech support now. Even if it's not mandatory, I suspect there's often a very long delay.
Carole Theriault
Fascinating.
Graham Cluley
I think I need to take your 15 minutes reflection now, Carole, and just relax a bit.
Carole Theriault
Yeah, have a snooze while I talk. Perfect.
Graham Cluley
What topic have you got for us this week?
Carole Theriault
So I want you to meet X. I'm calling them X because they're anonymous. And like many others, X struggled to find a job after the whole COVID pandemic thing, and he had a dream of studying to be a hairdresser. And to study to be a hairdresser, you need some money, but jobs were scarce. And one day, he hears about a job through an acquaintance. Now, when you're waiting for work— and this happens to be in Northern Vietnam, by the way. But I think most of us might have been in the situation where we're really hungry for work and nothing is about, so you start keeping your ears to the ground. And maybe you first ask your closest friends, then your close friends, then your not-so-close friends, and then acquaintances, because you never know— you never know when you're going to luck out.
Graham Cluley
Right.
Carole Theriault
So X does luck out, right? He checks out the job description his buddy sends him, and it promises— most important thing— a decent salary. And it's a 6-month contract in Thailand, and X is told that the work would involve using a computer and typing.
Graham Cluley
As many jobs do
Carole Theriault
As many, many jobs do.
Graham Cluley
Seems reasonable.
Carole Theriault
And you can imagine X— he's not an old lad, he's young. He's a little scared, he's probably going to be abroad on his own for the first time.
Graham Cluley
Yeah, that'd be daunting, yeah.
Carole Theriault
He's also excited, his mum's really proud.
Graham Cluley
these days, yes.
Carole Theriault
So when they land, the situation quickly goes belly up because he's kidnapped and thrown into one of these spam cells or—
Graham Cluley
Whoa, whoa, whoa, hang on— he's kidnapped?
Carole Theriault
Kidnapped and thrown into a spam factory— that's a more accurate term— where he's forced to carry out online cryptocurrency scams.
Graham Cluley
Oh, okay. When you said spam factory, I thought you meant the manufactured sort of processed meat product, but you're actually talking about— No. Who knows where they outsource the manufacture of it these days? Okay, so—
Carole Theriault
So X has just gotten in. He says he starts getting threats of physical beatings, and starvation makes him feel like he has no choice but to engage in the scams.
Carole Theriault
So he says he was starved for 15 days, offered only occasional scraps of food for failing to meet the scam quota. It was almost a month before X realized that he actually wasn't in Thailand at all, but in neighboring Myanmar. Okay, this is all according to ABC Australia News.
Graham Cluley
Yes.
Carole Theriault
And it turns out he is inside a scam empire that can swindle tens of thousands of people at a time. Now, it's a farm. I don't know what the best term is for this. A lot of people are using the term pig butchery at the moment, which I loathe. So we're not going to use that term. But typically, the only way out of this kind of situation was for loved ones to pay a ransom of between $5,000 and $10,000.
Graham Cluley
Oh my goodness.
Carole Theriault
Or the person would have to work it off. Now, note, your passport has been taken, so it's not like you can just walk out the door and fly home. And in this case, we're talking Vietnam. So the average monthly salary is around $600. So a $10,000 ransom is a lot of wonga. In another case, an African kidnapped worker told the BBC of his experience. He said they gave us a target every week of $5,000. If not, they gave us two electric shocks, or they put us in a dark room with no windows. But if we earned a lot of money, they were very happy with us.
Graham Cluley
This is just horrific, isn't it?
Carole Theriault
It's unbelievable. And this worker was apparently forced to approach men in the Middle East and lure them into transferring funds to fictitious investments. And so using AI, the scammers made him appear on screen to be an attractive young woman, altering his voice, etc. So I'm going to pause here quickly because typically we are concerned about the end victim, you know, the person who gets scammed into investing into crypto or falls for a romance scam or whatever.
Graham Cluley
Yep.
Carole Theriault
And when you realize you have been scammed, you are furious with the cyber assailant.
Graham Cluley
Yes. Yes.
Carole Theriault
The one that whispered sweet nothings in your feed or the one that gave you the not-so-hot crypto tip. But what if that person you hate so much and are wishing the worst karma on is actually someone who had simply wanted a job to get some money to study hairdressing?
Graham Cluley
And is being held against their will and punished and beaten. Yeah, no passport, working all hours. Yeah.
Carole Theriault
And obviously not seeing the money that is coming in, right? This is going out to the bosses. So this problem has kind of been mushrooming since COVID times. And for the last few months, Thailand has intimated that it's committed to cleaning up this mess. So in February, last month, the BBC reported that more than 250 people from 20 different nationalities were rescued from a so-called spam warehouse in Myanmar by an armed group. Weeks later, another BBC report said that thousands more have been rescued from these spam compounds along the Myanmar border. I've seen a number of reports say 7,000-plus have been rescued.
Graham Cluley
Wow.
Carole Theriault
Now, it seems that this cleanup effort kicked off soon after the Thai prime minister met with Chinese leader Xi Jinping and promised to shut down the scam centers which have proliferated along the Thai-Myanmar border. Most of these are reportedly run by Chinese fraud and gambling operatives who have taken advantage of the lawlessness in this part of Myanmar. And you can, you know, readers, feel free to do some reading on a character called Broken Tooth. This is a Chinese gangster of sorts with ties to this whole operation. There's a really good piece in The Washington Post. I'll put the link in the show notes.
Graham Cluley
Sounds like a Bond villain, Broken Tooth.
Carole Theriault
Yeah. There is a movie I think he directed or starred in, a movie I think it's called Broken Tooth.
Graham Cluley
Yeah.
Carole Theriault
Oh yeah, I digress. So yes, as you were saying, wonderful that thousands have been saved, right? And I'm saying saved here with little invisible quote marks because this could be the end of the story except for two things. One, the UN says that hundreds of thousands were forcibly engaged by organized criminal gangs into online criminality across Southeast Asia. So from a human rights perspective, we might just be scraping the very, very surface here.
Carole Theriault
Two, many of these worker scam victims who have been rescued are not really free yet. Many of them are still being held in makeshift processing centers along the border. So Thailand insists it's moving as fast as it can to process these workers and get them home. But these centers are run by armed militia groups and seem to have very limited capacity, which means that basic hygiene and health requirements are not being met. So one detainee told the BBC that he got two very basic meals a day and that there were only two toilets for 450 people.
Graham Cluley
Yeah, not pleasant conditions. Presumably better than when you were being beaten and electrocuted by Broken Tooth.
Carole Theriault
It's interesting because there seems to be some suggestions in the latest days of press saying it's really, really bad in these camps. Yeah, really bad.
Graham Cluley
Yeah.
Carole Theriault
So the question is, what's taking so long? So one of the suggestions is that some countries are perhaps not scrambling to get their people back. So the BBC has been told that some African countries will only fly their people home if someone else pays. Some countries don't even have embassies in Thailand, so that whole back and forth of verifying a person is difficult. And remember, these freed workers have nothing. Their passports have likely been withheld by the compound bosses. And of course, those in camps just want to go home, right? Which, sadly, might turn out to take a lot more time than anyone ever really considered. But some do and have made it home, sometimes through rescues and sometimes through escape. And this includes our man X from Vietnam. He eventually made it out. He chose not to divulge the details of his escape, but he said it was an arduous journey on foot. And he's now working in his dream field of hairdressing. So, here is to many more happy and speedy homecomings.
Graham Cluley
It's just unbelievable. I mean, I do believe you, Carole. I have read about this a bit, and it is astonishing that it has become this industrialized and effectively, it's the same kind of gangs who may be involved in people trafficking.
Carole Theriault
And what I find amazing is a lot of companies that do shady business in the cyber world seem to treat their employees with some respect. I feel, you know, not all, but some. But this kind of kidnapping people and forcing them to work for you in a sweat house and having someone, you know, withhold food because you don't meet a certain quota.
Graham Cluley
And it feels like many of us outside of that part of the world are completely oblivious that this is going on. If I take a Western point of view, there's plenty of people over this part of the world who might go to those parts of Asia, for instance, on a backpacking holiday and may want to make some money while they're out there and think, oh, you know, I'd like to stay out here for a year, so I'll get a job or something, and could be lured in. And you can't help but think if some of those people ended up in these camps, that maybe the Western media would take a bit more interest. But of course, there are countries whose citizens are being impacted who maybe don't have the resources or financial might and are less keen to spend the money getting their people home again.
Carole Theriault
One of the problems here is that Thailand shares the border with Myanmar. Myanmar suffered last year a kind of coup. It's not a very happy and lawful place at the moment. It's not a place you'd go on holiday or backpacking. England, I think, not Vietnam.
Graham Cluley
No.
Carole Theriault
But Thailand is. And it seems that they use Thailand as a lure and then sneak them over into Myanmar. So Thailand is saying— is trying to deal with the borders. I think they've even shut power off at the borders.
Graham Cluley
That's right, they've turned off the power to entire villages because they thought, how can we deal with these camps? But of course, that's gonna have an impact as well.
Carole Theriault
Yeah, yeah, yeah, really fun for the innocent people who live there. Yeah, anyway, so that's my Cheerios story for this week. You're welcome.
Graham Cluley
Data loss and downtime can be devastating to any organization. Acronis delivers natively integrated cybersecurity, data protection, and endpoint management built for managed service providers.
Carole Theriault
You see, your Microsoft 365 services are only as valuable as your ability to protect client data. Are you doing all you can? How much does it cost? Maybe it's time to find a new way.
Graham Cluley
With Acronis Endpoint and Extended Detection and Response, MSPs can protect against modern threats, easily comply with modern cyber insurance requirements, all with complete protection spanning the NIST framework and enabling MSPs with data governance compliance and the ability to identify, protect, detect, respond, and recover from threats.
Carole Theriault
Plus, Acronis also offers MDR so that MSPs can offer their clients a fully managed service with minimal resource investment.
Graham Cluley
Designed for MSPs and IT teams to simplify security management. Find out more at smashingsecurity.com/acronis. That's smashingsecurity.com/acronis.
Carole Theriault
As you know, our show often touches on complex security issues that deserve deeper exploration. That's where Threat Vector, the podcast from Palo Alto Networks, comes in.
Graham Cluley
Threat Vector offers in-depth discussions with industry leaders and security experts, and provides essential insights for decision makers. Each episode delves into topics from emerging threats to innovative solutions.
Carole Theriault
Threat Vector gives listeners valuable perspectives on the evolving cybersecurity landscape, equipping them with the information needed to better protect their organizations. New episodes are released regularly on all major podcast platforms and it is free to subscribe and listen.
Graham Cluley
So if you want timely analysis of current security trends and challenges, listen to the Threat Vector podcast. Visit paloaltonetworks.com/threatvector to learn more and start listening today. That's paloaltonetworks.com/threatvector.
Carole Theriault
If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risk, tasks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.
Graham Cluley
But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance and scaling your program.
Carole Theriault
With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring. And you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
Graham Cluley
Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing. And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security related. My pick of the week this week is a font. Now—
Carole Theriault
Like a font, like that you write? Like Gill Sans? Like Arial?
Graham Cluley
Yeah, yes. It's that kind of thing. Not a font you might find in a church, but a font you might use in your word processor or on your web page. Now, Carole, have you heard of the Scunthorpe problem?
Carole Theriault
Don't know, remind me and I'll tell you.
Graham Cluley
So Scunthorpe is a place in the United Kingdom.
Carole Theriault
Yeah, a town.
Graham Cluley
And historically, there has been a problem with the name Scunthorpe because some rudimentary spam filters have triggered on a sequence of four letters which are contained within Scunthorpe, which it considers offensive.
Carole Theriault
Ah. I did not know about this problem. That seems so lame. Geez.
Graham Cluley
It has caused big problems in the past for Scunthorpe Council when they've emailed people and other organizations. Of course, if you're in the United States, you may not know that Scunthorpe exists. And so you'd just be, whoa, whoa, you know, we don't like that kind of language. Now, that has been a problem. But what I want to choose as my pick of the week this week is, as I say, a font. Because I have discovered a font called Scunthorpe Sans. And what it does is it automatically redacts any rude word which you write in. So when you type in, for instance, I'm going to have to bleep this out, fuck, shit, fuck, for instance, it will replace it with a black blob instead.
Carole Theriault
I just think if you're going to blank it out, there's no need to actually say the words to me. You know, just saying.
Graham Cluley
Okay, Carole, go to the link which I've put in the show notes right here, the Scunthorpe Sans. Okay, this is a web page which is using this font, and there's a little box there where you can type in any smut and filth that you like, and it should, in real time, censor it. And the thing is, you could install this on your computer.
Carole Theriault
Funny, it doesn't mind poop, but it doesn't like the S-word.
Graham Cluley
Right. Now, this font contains a special exemption for Scunthorpe because they feel that it's suffered enough. The way in which this font is working is it's taken advantage of ligatures. So in fonts, when a letter combines, so for instance, you know when you get A and E sort of squashed together in encyclopedia or Aesop?
Carole Theriault
Mm-hmm.
Graham Cluley
That is a different character. So what they've done with this font is they've scrunched together the letters of various rude words and then blank them out. They then redact those letters. So it's a pretty neat little feature. So you could install this, maybe you'd find it useful, or put it on your web page if you ever wanted to do that. So my pick of the week is Scunthorpe Sans. Links in the show notes.
Carole Theriault
Very good.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
So my pick of the week is a weird memoir. Weird in that it's written by a person who could be categorized as a sociopath.
Graham Cluley
Oh, yes.
Carole Theriault
So ever since she was a small child, Patric Gagne says she knew she was different. Although she felt intense love for her family and her best friend, these connections were never enough to make her be good or to reduce the feelings of apathy and frustration. So as she hits her teens and 20s, her behaviour escalates from petty theft through to breaking and entering, stalking, and worse.
Graham Cluley
Right.
Carole Theriault
And only as an adult does she realise that she is in fact a sociopath.
Graham Cluley
Oh.
Carole Theriault
So in a few pages in the book, she writes, "I'm a liar, I'm a thief, I'm emotionally shallow, I'm mostly immune to remorse and guilt, I'm highly manipulative, I don't care what people think." And she's now a PhD, having studied sociopathy in her life and has written this memoir. I found it fascinating to experience because of course I had it as an audiobook and it was read by the author, which gives you a little extra, you know, when you have the author read the thing and it's a memoir. And I like the wrestling with the big question from a kind of sociopath's point of view, which is, is there a way for sociopaths to integrate happily into society? Not, is society happy for sociopaths to integrate happily? And it's interesting to think, well, will she manage and how did she do it? So do you know that 5% of the population can be categorised as sociopaths?
Graham Cluley
5%. How many of them have an HP printer? Because that could have driven them to it, couldn't it?
Carole Theriault
Well, I know more than 20 people. And my question is, am I hanging out with one and don't even know it? You know?
Graham Cluley
Oh, have you put them in an ordered list?
Carole Theriault
I should maybe start doing that. Yeah. So there you go. That's my pick of the week, Sociopath: A Memoir by Patric Gagne. Fantastic.
Graham Cluley
Now, Carole, you've been chatting to the chaps at Acronis this week, haven't you?
Carole Theriault
Yes, CISO Gerald Beuchelt. He talks about security strategies and how to get the bosses to buy in. Check it out. So, Smashing Security listeners, today we are speaking with Gerald Beuchelt. He is the Chief Information Security Officer, or CISO, at Acronis. Now, Gerald is a recognised thought leader in the cybersecurity space, having served on multiple boards, including the National Cybersecurity Alliance and the ID.me cybersecurity board. And today we are going to be talking about a topic close to my heart, and it's how to get the bosses to see the need for improved security strategies. So welcome to Smashing Security, Gerald.
Gerald Beuchelt
Thank you so much. And thank you for having me here, Carole. I really appreciate it. This is a topic that is very close to my heart, and I actually believe it's close to everyone's heart who's working in security. It's like, I can't recount the many times we've been discussing over the last 20 or 30 years, it's how security is gonna get a seat at the big table, right?
Carole Theriault
Okay. Oh, I can't wait to get into all this, but first let's maybe learn a little bit about you. So how did you end up being the CISO at Acronis?
Gerald Beuchelt
The journey of my life essentially, right? It's I started out in pre-sales at Sun Microsystems way back in the days, which by the way, I just want to call, first of all, it was a wonderful company, but it was also a most excellent experience that I still draw from today. It's having had the opportunity to work with salespeople in the sales field, it does give you a completely different perception point on what is important and why we're doing certain things the way we're doing them, et cetera. Actually went over to MITRE, for those who are familiar with the MITRE framework, really got sucked into security in that role.
Gerald Beuchelt
Oh, it's awesome. It's fantastic. It was a lot of government work though. And guys, we all know government work can be sometimes a little bit slow. So I got antsy and decided that I wanted to do something different. Took a couple of different roles in public companies as CISO for Demandware. I was working with different companies, with different boards, different executive teams in order to really drive security across the board. I ended up here at Acronis. I think there's a lot of good fun things that come with that for me as a CISO. It's been quite a journey. Working as a CISO at a security company is definitely something that's particularly exciting for a number of different reasons.
Carole Theriault
No, totally. And you really are perfectly positioned to help us understand the importance of getting boss buy-in when you're trying to protect any organization from the plethora of insider and external threats out there. Because of course they hold the purse strings, right? I mean, they're the ones really with the money, or is that unfair of me to say that?
Graham Cluley
No, no.
Gerald Beuchelt
I think it's fair. If we do security, we do that with a particular purpose. I remember a discussion, why are we doing security? And the answer I got from that particular person was that, well, we're doing security because of security, which in my mind is probably the worst answer you can give. Because at the end of the day, this is not an end to itself. This is something that we really need to contextualize in the larger mission of the particular organization we're in. And when we do that, it becomes a lot easier to put yourself into the shoes of some of your peers, some of your bosses in order to drive understanding for the program.
Carole Theriault
Well, I'm going to warn you now, I'm going to ask you in a moment about strategies that you can share with our listeners on how they can deal with this. But maybe first you can tell us what typically goes wrong in your experience? So, I'm imagining you've got a team of people in security or in IT that have an idea in their head of where they want to go, but it falls over, it falls down somehow.
Gerald Beuchelt
There are so many things that can go wrong, but some of the cardinal sins.
Carole Theriault
Yes, that's what we want.
Gerald Beuchelt
Yeah, so I mean, even there, there's so many different things that can go wrong from that end as well. What I found is, and to some extent learned through the school of hard knocks, it's like being too deep into your technology, being too deep into your vernacular, being too deep into security when you talk to other leaders, when you talk to the board, when you talk to peers in some form or another. Because at the end of the day, you're the specialist. You're the one who everybody else looks towards for managing that security thing, or dealing with that security thing in some form or another. So if you now go out and start to go to the deep end of security, which we all love to do — I'm guilty as charged — you can really end up ruining your reputation and causing more harm than good. So one example that would come to mind as how you really can go down the wrong path is a particular colleague who went into a new organization as the new CISO, barnstorming, trying to set up as many new governance committees as possible. So get everyone together, make sure the CEO was on every tactical meeting that they can possibly imagine. Overwhelmed, essentially, his peers and his leadership with metrics detailed across the board. And that ultimately ended up getting him fired — it was not meeting what the expectations were, it was not really helping those other leaders move the ball forward.
Carole Theriault
So okay, so let's get to the meat here. What strategies can you share with our listeners who may have a plan but are also nervous about facing the C-suite?
Gerald Beuchelt
The first and most important thing is really to understand the organization that you're working for and what those organization's goals are. If you have a company, if you have a nonprofit organization, if you're part of the government, you typically have a mission, right? For companies, it's simple — it's usually to make money in meaningful ways. Nonprofits and governments can sometimes be a little bit different. But this understanding — why are we here, why are we working together — is a crucial part in terms of understanding what level of security is appropriate, how to ultimately sell this internally, what kind of controls are acceptable, which ones are not, and how to ultimately balance the risks that you come from security with other risks across the board. And I think that's really something that I want to drive towards.
Carole Theriault
Yeah.
Gerald Beuchelt
As you start to put together a plan in terms of how you want to structure a security program at a company, you should think about this from a risk perspective. It's a language that is much better understood by non-security people. It's much easier ultimately to cast the threat landscape, the vulnerabilities that you have, the likelihood of impact in a risk profile and risk portfolio or posture — no matter how you want to call this — across the board, and then use that enterprise risk, a heat map or something like that to communicate. Now, I'm going relatively specific here, but the general idea is really to start thinking about setting up a framework that moves towards that goal.
Carole Theriault
That's 1 in 20.
Gerald Beuchelt
Because that will ultimately help you communicate what you're trying to do from a security perspective without having to resort to vernacular or to specific techniques.
Carole Theriault
I love that because bosses always understand risk, right? 100%.
Graham Cluley
Yeah.
Carole Theriault
Yeah. So you're using their language. I think that's very clever. And then you're using the risk concerns to back up your purchasing or your security strategy posture?
Graham Cluley
Yeah, it turns into a balancing act in between the different kind of risks that you identify from the security side versus other risks as well. Now, what's important in this kind of context is to really understand the risk hierarchy that you want to look at. You can formulate risks at a very, very technical level, right? It's like, what is the risk of not patching a particular vulnerability with an SLA, but it's having 15% of vulnerabilities of a certain concern level not patched, et cetera, et cetera. It's like those things are not really risks that are useful, right? That really does not help you to communicate to other leaders what your concerns are. What is much more interesting is what is the current overall risk of a data breach? You can think about a risk such as business discontinuity. What is the risk essentially that we would associate with the company not being able to conduct business due to a security incident?
Carole Theriault
That'll make the bosses pay attention.
Gerald Beuchelt
That's exactly what they pay attention to. So I was like, you really want to formulate your risks that you use to communicate with those leaders in the way that makes sense to them. And that means thinking about the enterprise, thinking about the goal of the enterprise and how you get there instead of thinking about where you want to patch something or run a penetration test or something similar.
Carole Theriault
It's as you can imagine. And you know what? My father was a doctor, right? So he had loads of doctor vernacular he used all the time if he was talking about something medical. It is exciting. And often, as kids, we were completely lost. We had no idea what he was talking about. I was thinking about that when you were speaking, and it's basically he didn't really judge his audience very well. I mean, come on. It seems to come down to that, that the fact that we were 8 or something, we couldn't understand his language, and we didn't understand the concerns. So basically, the warning he was giving us just bypassed us.
Gerald Beuchelt
I know exactly what you mean because my dad was actually also a doctor. It's like, I know, I know. Exactly. Because everyone's going to look like, well, I didn't understand that. And it's like, I feel dumb for not understanding it because he was talking to me about this. So I'm not going to ask questions. But this kind of disconnect is absolutely terrible when you want to set up a program and get support from other leaders or from the board for your program.
Carole Theriault
Yeah.
Gerald Beuchelt
Because they need to engage with it. They need to identify with it and they need to get behind that. And you can really only do this if you really illustrate to them what the impact of a particular decision with regards to security ultimately looks like. Actually, one thing I want to add to that is this I think is really critical in this entire setup. As you formulate those kind of risks, as you put this out, be ready to see pushback still. It's like, hey, if we don't do X, Y, and Z, we may end up having a much higher risk for losing days or even weeks of non-productivity. What could come back from the business side is like, well, that's kind of fine, but if we do what you're proposing, our go-to-market is gonna be so much longer. Our ability to innovate is gonna be impacted in so many ways that we're ultimately gonna be losing so much business that it becomes a problem. So this kind of balancing between on the one side looking at security risks and on the other side looking at business risks, go-to-market risks, legal risks, sometimes financial risks, is really critically important. And that is where you can enter into a really interesting discussion with your peers, with your leaders in order to make sure that they understand what could possibly happen and you understand on the other side then also what a particular decision, how that would impact the organization.
Carole Theriault
Yeah, I couldn't agree more. Do you see any of this changing anytime soon? I think no. I mean, this will be going on forever, but let me hear what you have to say.
Gerald Beuchelt
See if I'm wrong. I think it is. And it's not changing everywhere. Something we have to do is to really reiterate this message which many years ago I said oh yeah, that makes perfect sense. Let me talk about the business thing. And then I went off into a completely different direction without really understanding what I was trying to do. To some extent, perhaps also a little bit of lack of empathy that really got in the way for me to fully grasp what some of those kind of concerns on the other side would look like. Experience got me to the point where I feel I'm a little bit better with that. Wouldn't say awesome, but I'm a little bit better with that. And I think that it's something that everyone really has to practice also as they engage with different stakeholders across their organization in order to see whether their assumptions, whether their messaging and their general approach actually makes sense.
Carole Theriault
Brilliant. Do you have anything to add? Because we're fast running out of time. I could listen to this all day.
Gerald Beuchelt
Oh, I love this. I love talking about this in general. There's a couple of key things that I really would love people to take away from this. Number one would be to really engage with the organization that you're in, but also the people that you're working with. I love making a point that when looking at security, we obviously have the confidentiality, integrity, and availability, which is one way to slice and dice things. But the other one that is also very important to me is people, process, and technology. If I look at those, every time that out of those three, you got to secure the people. You got to work with people to get an understanding of what goes on. Then you need to tell them what to do. That's the process, essentially. And ultimately, you deploy technology in order to make it efficient, to have force multipliers, or to unlock new capabilities. But without people on board, you end up being in a situation where it really doesn't help you moving forward. And I think that's pretty critical. The other thing is to truly understand the landscape that you're operating in. And that includes essentially also the threat landscape. Are you defending your organization against script kiddies who occasionally try to download Metasploit and try the latest scripts that they can find? Or are you dealing with, in the worst case, a nation-state-level adversary, which you will probably not fully be able to defend against anyways? So that really drives a lot of the decision-making down the road, a lot of the assessments with regards to what is important for your organization or not. But that's one of the ways where I'm really happy working for Acronis. We have an excellent threat research unit that also provides publicly accessible intel on that. It's really good for us, but also for the community to understand where we are. And I think that's pretty important.
Carole Theriault
Absolutely. I couldn't agree more. Acronis Threat Research Unit, also known as TRU or True. This team of cybersecurity experts specializes in threat intelligence, AI, and risk management. And they have loads and loads of resources like educational workshops and incident response workshops and guidelines. So you can go and learn more at smashingsecurity.com/acronis. That's smashingsecurity.com/acronis, A-C-R-O-N-I-S. And Gerald Beuchelt, CISO at Acronis, thank you so much for your time and insight.
Gerald Beuchelt
Thank you, Carole. It was wonderful. And looking forward to chatting again sometime.
Carole Theriault
Brilliant. Thank you. Fascinating stuff. And that just about wraps up the show for this week. And thank you to our episode sponsors, Acronis, Drata, and Palo Alto Networks. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 405, 6 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio. Bye-bye.
Carole Theriault
Bye.
EPISODE DESCRIPTION:
Journey with us to Myanmar's shadowy scam factories, where trafficked workers are forced to run romance-baiting and fake tech support scams, and find out why a company's mandatory hold time for tech support could lead to innocent users having their computers compromised.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus - don't miss our featured interview with Acronis CISO Gerald Beuchelt!
Warning: This podcast may contain nuts, adult themes, and rude language.
Acronis - Integrated cybersecurity, data protection and endpoint management built for MSPs.
Threat Vector - The podcast from Palo Alto Networks that gives you timely analysis of current security trends and challenges.
Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!