Phishing For Answers

Transforming Cybersecurity Training with Engaging Strategies

Joshua Crumbaugh, Founder & CEO of PhishFirewall


The episode delves into the essential role of human factors in cybersecurity, emphasizing the need for integrating security awareness into daily operations. Eric Harris shares insights on effective training strategies, the importance of understanding social media risks, and the evolving landscape shaped by AI and deepfakes. 

• Discussing Eric Harris's background and journey in cybersecurity 
• Human-centric approach to tackling cybersecurity threats 
• Analyzing social media risks, especially linked to professional platforms 
• Strategies for creating effective security awareness programs 
• The importance of positive reinforcement in training initiatives 
• Leveraging AI while addressing its implications in cybersecurity 
• Integrating security awareness into everyday business functions 
• Encouraging user engagement and ownership in organizational security

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Joshua Crumbaugh:

Hello and welcome to another episode of Phishing for Answers. Today we've got a very special guest, Eric Harris, the CISO of Charlie Norwood VA Medical Center. That's a little bit of a mouthful.

Eric Harris:

Hey.

Joshua Crumbaugh:

Eric, maybe you could introduce yourself. Tell us a little bit about maybe yourself currently and how you got into cybersecurity in the first place.

Eric Harris:

Okay, good. Well, first of all, good morning again and thanks for having me. Again, my name is Eric Harris Jr. I am the current Chief Information Security Officer here at Charlie Norwood VA Medical Center. Yes, that is a mouthful.

Eric Harris:

How did I get into cybersecurity? Well, I have a background in computer science, my bachelor's in computer science from South Carolina State University back in 2000. Cybersecurity has been around for a while, but it wasn't something that was talked about in the late 90s and early 2000s as a career or education concentration area, anything like that. So anybody who was generally in the STEM classes, they were computer scientists like myself, with the emphasis probably on program writing and things like that.

Eric Harris:

So once I graduated, I went to the military as an officer, did part of my time as a logistics officer, but always worked computers and anything IT-based, whatever unit I was involved in. So with the advent of Army Cyber Command, things like that, I saw an opportunity to transition back to something I enjoyed doing, which was, you know, working in a computer-based STEM environment. So I made the transition from doing logistics to cybersecurity, with a large emphasis on network security, routing, switching, things like that, and I did that for the second half of my military time, and after the military I continued to work in the cybersecurity field as a federal employee, which I'm still doing to this day, and, again, as a leader. I transitioned out of the technical arena of cyber to more of the leadership, strategic, visionary type roles, setting the cybersecurity posture and strategies for organizations.

Joshua Crumbaugh:

So, which brings me here. All right, that's a great intro. Thank you. So what do you feel as a leader is... let me rephrase this: as a cybersecurity leader, how do you feel that the social element is impacted, or even part of your day-to-day routine?

Eric Harris:

The social element is probably the biggest area of consideration that I would have in dealing with cybersecurity, because it's easy to get caught up in cybersecurity. When you hear the term, you start thinking about maybe something you've seen in movies. If you're not familiar with it, you think about all the sci-fi, techie type stuff when, in actuality, the first line of defense is the human aspect, and, you know, whether you have a bunch of technical experts or just everyday people, everybody's involved in social media or social engagement, regardless of what your role is.

Eric Harris:

I'm the CISO at a medical treatment facility. There's probably 2% of the staff here that are actually dealing with cybersecurity or IT-based anything. Our role is to support the medical facility. That being said, everyone, regardless of what you do, probably has a Facebook account, LinkedIn, Instagram. I mean, I have a little bit of everything, just as a way to, you know, when my kids were young, monitor their online activity. So when you have that proliferation of social media usage, you're just creating a larger attack surface for red actors?

Joshua Crumbaugh:

You absolutely are, and particularly LinkedIn. I don't think a lot of employees, or even necessarily IT staff, realize how much you're targeted the second you connect yourself on LinkedIn. We've had employees, new staff, targeted within hours of starting their new job and, you know, connecting themselves to the company on LinkedIn. What I found interesting about it was that they were texting them pretending to be me, but from local phone numbers, and that was the part that just blew my mind. Within an hour of signing up, you've got the local numbers, you've got the names, you've got everything. And so, yeah, I mean, you're absolutely right.

Eric Harris:

The more you put out there, the more of a target you're essentially painting on your back. Definitely, definitely. Especially, just to touch on LinkedIn again, I think, you know, my experience with people when discussing social media, you know, do's and don'ts, safety and things like that, I think there's a misconception that LinkedIn is some type of secure social media platform. It's just a social media platform. It's like Facebook. I think that misconception comes from the fact that it's a professional-based platform versus it just being a social media platform. It's still a social media platform, regardless. Facebook can be used in a professional sense if you create business pages, things like that. Instagram, any one of those platforms can be that. So, but I think it gets lost somewhere in the mix that LinkedIn is inherently more secure than Facebook. If it's on the internet, it can be...

Joshua Crumbaugh:

It can be breached. Well, and I think the other part that most people, or the average person, maybe doesn't get is that just because I can trust Facebook doesn't mean I can trust every link that I see on Facebook. Just because I can trust LinkedIn doesn't mean I can trust those links that I see on LinkedIn.

Joshua Crumbaugh:

And I think that's one of the places where it's almost this, you know, because you trust them, it's like a trusted abuse, an abuse of trust, with these, you know, big social media companies, because you do trust them, and that leads to a lot of people trusting those links. But I mean, I saw that a lot in my career. I came from an ethical hacking background.

Joshua Crumbaugh:

I ran a lot of red teams, and that was one of the things that we saw: if we could convince one person we were who we were, and get them to introduce us to other people, they would trust us, and so I think that's just one of those social engineering tactics that is forever going to be used against us. Yeah, definitely. So if you're building a security awareness program from the ground up, let's say there's been nothing before this, or maybe just training.

Joshua Crumbaugh:

What do you want to build? What are some of the things that you would look for and make sure that you put into a new program?

Eric Harris:

Okay, so before I build anything I would do a little research. I would see where... I mean, I would go back through past incidents, any historical information I could pull up, to figure out where we are statistically in terms of incidents, what types of incidents are being reported. That way I can narrow down probably one or two root causes, versus just going full speed ahead into building a program where I may not be concentrating all my efforts in the right place. So you're going more with the sniper approach than the shotgun approach.

Eric Harris:

Well, it's a little bit of both, but I think I want to know what I want to hit first, and then, when I decide I want to attack it, it probably won't be a sniper, it will probably be like an atomic bomb getting dropped. Because if it's a situation where you have a lot of violations that are generally stemming from people not reading or paying attention to the acceptable use policies that they sign when they're onboarded at any particular job... Wait, you're supposed to read that document? Yeah, that's what I was told.

Joshua Crumbaugh:

Say you're supposed to read it, but I thought you just had to sign it at the beginning of employment and whenever it needed to be updated.

Eric Harris:

You know, I was confused there. If you get bored or you need a nap, yeah, go ahead and read it. But no, you're supposed to. You're supposed to read it, and it doesn't make for good reading, I know, but there's a lot of important stuff that's in that document, and if you read it, a lot of times you'll catch that stuff. I mean, you don't let your kids do their homework or play on the computer, for... Right.

Eric Harris:

But a lot of those incidents, a lot of those issues that you might find doing historical analysis of where the large percentage of my incidents come from, a lot of it probably can be rooted to some violation of an acceptable use policy. So from there, then, I would drop the atomic bomb on that particular area when it comes to building my training, my security awareness and training program.

Joshua Crumbaugh:

So when you say atomic bomb, what does this look like?

Eric Harris:

OK. Well, if I have 80-something percent of people violating this one or two things, it's clearly highlighting the acceptable use policy, and I refer back to one of my previous roles at another medical treatment facility. We conducted training, auditorium-type training, once a month, where I would go up on the stage and I would have the big screen behind me and the slides and all this stuff, and I would talk to the general population, people who already work there, regardless of when they came or whatnot, because, you know, you have to catch that group first, and I'll get to the other parts of it later. But then you pull up the stats over the past 30 days, because this is also reportable in other avenues for me to the higher cybersecurity-level leadership. So I'm tracking this stuff anyway. So now I'm going to show it to you.

Eric Harris:

The general population, you don't do this stuff. These are the violations that we've captured in this particular area over the past 30 days. This is how you avoid these things. This is what you need to look for, blah, blah, blah, and the statistic will drop if people are paying attention and taking the training seriously. Then you will have some who don't, and it's fine, because, you know, people who violate things, simple things like, uh, don't do your annual training. Okay, you go to work...

Joshua Crumbaugh:

One day you can't get on your computer. Yeah, that was easy enough to solve. ...your house until you do your training. You do your training.

Eric Harris:

Well, I can't do my training without my computer.

Joshua Crumbaugh:

Well, we have kiosk computers set up in the library, so you have to. I have a bunch of customers that do that, particularly in the municipal sector. You'll get all kinds of people that will check their email once a year, and it's typically when IT locks their account to say, do your training. They're like, I didn't get anything about it.

Eric Harris:

We emailed you 100 times. Oh my God, that used to be the bane of my existence at this one job. It's like, well, I never received a notification for the training. I never received a 30-, 15-, 7-day. I'm like, well, think about it this way. I know you received it, because every notification that you receive, as the information assurance program manager, I receive it. You receive one for you; I receive one for everybody that's affected. And I saw your name at 30 days, at 15 days, at seven days. You ignored them all. So now you get the luxury of going out of your way to the kiosk center in the library, which is not in the building where you work, to do your training. So, like, hey, I don't know. Go ahead, finish.

Eric Harris:

I said I don't know what you want me to do.

Joshua Crumbaugh:

So I was going to say that leads to a really, really great subject: carrot or stick. So say we live in a world where you can't use both. You have to rely only on one, and that one for the rest of your group. Do you go with carrot or do you go with stick as your tool of choice?

Eric Harris:

That's a tough question. That's a tough question.

Joshua Crumbaugh:

That's a tough one, probably why it's debated so heavily in this industry. I mean, you've got people that are just hardcore stick and then you've got people that are very much hardcore carrot. I'm more on the carrot side of things, but I agree with you that it's a little bit more gray. But for purposes of the podcast and making it more entertaining, I like to make it really black and white. Okay, so I don't get to say it depends.

Eric Harris:

All right, it depends, or you do both, right? All right. So in this land where I'm forced to travel the fence, I'm going to go carrot, and the reason I'm going to go there is, you know, in general I'm pretty rigid about some of the things that I do, because there isn't any gray area in the instructions. So it's like, if you follow these instructions, you'll be okay.

Joshua Crumbaugh:

Yeah, and HIPAA doesn't care if you had good intent, right?

Eric Harris:

If you don't follow the instructions, as straightforward as most of them are, at least from a compliance perspective, then I'm human too, and the human part of me starts to think, well, you're disregarding it, right? I don't think you're taking it as seriously. So allow me to introduce myself to you. I am the force and function, I'm the person that's going to make you take this seriously. But since that doesn't always go over well, the carrot, the incentivizing of what we're trying to do, it does work better. And if you had to choose, in my opinion, between the carrot or the stick, I would prefer the carrot.

Eric Harris:

I've done training seminars, and when I first started out, trying to get people involved while I'm conducting the talks, lectures or the training initially didn't go over as well. I didn't get the crowd participation that I wanted. But it was a learning process for me, because this was in the early years. So again, incentivize, encourage feedback, give people a free mouse pad or ink pen or something like that. It's like, hey, name me one thing out of the 10 things on the acceptable use policy that you're not supposed to do. And if you can name them, then at least tell me you read it, or you'll be able to come up with at least one, even if they're guessing.

Joshua Crumbaugh:

Yeah, even if you're guessing, you should come up with one. All right.

Eric Harris:

You know, doing stuff like that, you know, providing the incentive, I got more engagement, and so I tend to lean that way. The stick is usually just for those who just don't want to act right.

Joshua Crumbaugh:

Yeah. So I'm right there with you, and my personal opinion on this is that we should always lead with the carrot and save the stick as more of a last resort. So, exactly. No, if the carrot didn't work, well, I guess you're gonna get the stick by default. But no, I'm right there with you. I will say I think that the carrot is sometimes overcomplicated or overthought, and what I mean by that is one of the best carrots that I've ever found is just saying, hey, great job, when they do something right. And it doesn't have to be, like, you know, anything huge, just, you know, that tiny little congratulations and acknowledgement that they did it right and that we appreciate it as a company, or as an organization. To me, I think that's a critical part of most security awareness programs that's too often messy. I don't know. What do you think?

Eric Harris:

No, it's a good point that you touched on, because, you know, briefing the statistics and the metrics up to higher-level leaders, especially in the early years, this is when those higher-level leaders, the CIOs or whoever, would do basically what you're saying. It doesn't have to be anything tangible as a thank you or incentive or anything like that. So if you have a department that has zero reportable incidents, or violations, I should say, over the course of, like, you know, fiscal year 24, third quarter, right, then that CIO a lot of times will give that pat on the back or attaboy or attagirl to the department leadership that we're talking about, because in their mind that leader is leading by example and they're making security an integral part of their day-to-day operations. I.e., I mean, as a result, they don't have any reportable incidents. So you get that, hey, good job, and a lot of times that is enough.

Joshua Crumbaugh:

Well, the other part of what you just said that's critical is that top-down leadership. When the C-suite takes it seriously, then the people beneath them take it seriously. It just has the waterfall effect where everyone beneath just sort of falls in order. But when you see these organizations where the C-suite does not take it seriously, you...

Joshua Crumbaugh:

...you also see an entire organization where the people don't need, and I think that lead-by-example and top-down approach to security awareness is critical, because, I mean, as much as I wish they would listen to the CISO as well as they listen to the CEO, the reality is, if it comes from the CEO, it has more...

Eric Harris:

Absolutely, absolutely.

Joshua Crumbaugh:

Absolutely, absolutely. So another thing we sort of touched on there, without going into any detail, was KPIs. So I'm curious, from your perspective, when it comes to the human element and culture and just social engineering risk, or just human error risk in general, what KPIs are you looking at? You faded out at the end. You said what KPIs? Oh, I was saying, what KPIs are you actually looking at?

Eric Harris:

Oh, it could be a multitude of things. Usually my KPIs are tied to a particular area over a certain amount of time. I'm looking at reportable incidents over the last quarter. If I'm talking about... let's try to make it a little more pinpoint. Let's talk about, I'll go back to your training requirement: who's getting the training done on time? Because we're also tracking people who didn't do the training or did it late. They didn't do the training, we disabled their accounts or what have you, then we had to re-enable their accounts.

Eric Harris:

That's also a reportable metric, that's a KPI, and we're looking at which departments are, in general, the biggest violators, or something like that. So, again, KPIs, training metrics, or, if you really want to get into something a little more concrete, I would say, like, is annual, not annual training, I would say whenever we do any of our contingency, resiliency plan testing, stuff like that. The only thing about those is you don't do them that often. You might do that once a year, twice a year. That's usually about as far as it's going to go, because they're resource intensive and they take people out of their day-to-day operations, and if you're in a hospital, you don't want to take people out of their day-to-day operations for an extended period of time, because you're affecting the business, and the business in the hospital is saving lives. So you don't want to keep people tied up doing training scenarios or simulations just for the sake of capturing data for KPIs and stuff like that.

Joshua Crumbaugh:

Yeah, makes sense. What about phishing? Do you run phishing simulations?

Eric Harris:

Do you track any KPIs around that? We don't here. The KPIs are generally reported back to us, because a third party does it. So we can give them, at least in this environment, we can give them the scope of what we want to accomplish with the test. But they'll generally do that and report it back to us. But we've done it at previous positions I've had, and with those, you know, the biggest one that we would track would be who's clicking on the link, and go from there with the reporting up to leadership. And again, this is when I was in Army Cyber Command doing the same job. So now you have that overlap between the civilian side and the Army side reporting the metrics up, blah, blah, blah. Okay, which population is actually doing it? Because now you have two distinct populations: you have the civilian side and you have the green suiters, or what have you.

Joshua Crumbaugh:

The only other one I'd add there is reporting, because I like to see... that's actually my favorite metric around phishing: when I run a simulation, how many of those simulations were reported back to me, or what percentage of them. I like that because I really feel that it gives you a good indication of your culture. If no one's reporting it, you've got a weak culture.

Eric Harris:

If everyone's reporting it, you've got a strong culture. Yeah, I kind of skipped all over that, but yeah, we recently had one here and my phone was blowing up. But I've been here almost two years, so I think the environment, the culture, has shifted from the time I arrived, and that's not a pat on my back per se, but coming from a heavily regulated cyber Army, Cyber Command, to a place, you know, a medical treatment facility, you still have a cyber mission, but it's not looked at the same way as it would be when you're dealing with, you know, the Department of Defense or something like that. But to your point, my phone was blowing up with the simulation, with a phishing scenario that we had. It was probably about nine months ago, I think. It's like, hey, we got this. That's a good thing.

Eric Harris:

Now, we did discover another issue with that, and it was like, okay, it's great that you called me, but we also have the reporting process posted, so a lot of people... so.

Eric Harris:

So we found another area that we need to tackle, like, got to train them on how to use the process. They know to contact us, but we've got to teach them how, because there are, like, four or five people between the road and me, but they were coming straight to me, and it was like, okay, I get it, you know, I'm in the leadership channel, so it's like I can't necessarily...

Joshua Crumbaugh:

Yeah, that's gonna be way too many emails for you to field all of them yourself anyway. There needs to be structure around that or things get missed.

Joshua Crumbaugh:

So I agree. I think that's always one of the challenges, though: the first struggle is getting them to realize they have to report. The second struggle is getting them to realize how they have to report, and those are two very independent struggles there, for sure. No, they are. What's your take on phishing? I mean, what do you think? And when I say phishing, I'm not talking in terms of a risk assessment, I'm talking more in terms of general awareness and pushing that culture change. Phishing, I mean, A, should we be doing it? And B, if we are doing it, how should we be doing it?

Eric Harris:

A is easy. Yes, we should be doing it.

Joshua Crumbaugh:

I think we should be doing it. Do you mind if I ask why, before we jump into the other part? Yeah, it's more your opinion of why we run phishing simulations. I find everyone has a different, unique take on it.

Eric Harris:

I think, when I think about the various attack methods that cyber criminals would use, I think phishing is one of the ones that requires the least amount of effort on their part, and they stand to get a huge return on investment if they're successful, because it really doesn't take a lot to launch a phishing campaign. It doesn't, it really doesn't. It takes next to nothing. And now, with... I just recently spoke on AI's impact on the whole security landscape. These, you know, cyber criminals are using AI at an alarming rate. So all of their capabilities have been exponentially increased. So if they can launch a phishing campaign with the usage of AI, then that means we have to be more adamant about security awareness and training against that. So the first part is like, should we do it? Yes. Why? That's why we should, and it's something that we can't... It's getting to the point where you can't just schedule this training for once a month. It has to be integrated into almost every aspect of the business functions, period.

Joshua Crumbaugh:

I agree it needs to be continuous, because the threat is continuous. The threat hits us endlessly, and for the average non-technical user, in my experience, they want to do good, they want to be secure, they want to do the right thing, but maybe they don't always know how, and so the more we can equip them and keep security at the forefront of their mind, the more effective it is. And I agree, one of the things I've said a bunch of times is integrate everywhere. You know, I see people talk about cybersecurity in the newsletter, but then they'll have, you know, elevators with televisions and they don't bother to put security awareness there. They've got lunch areas with posters everywhere, but no posters about security awareness. And my favorite is just the pay stuff. Put a security message on there. That'll probably get read a lot more than the one in the newsletter. Oh, absolutely, yeah. But yeah, I think... oh, go ahead.

Eric Harris:

I said, no, when money's involved, yeah, you'll get attention.

Joshua Crumbaugh:

Yes, you will. So, around phishing, one of the things that I think we do as a result of phishing is we create these, what I call human virus definitions. If I use urgency to phish you and you fall for it and you realize your mistake, and at the moment you realize your mistake I make sure that you learn really well about urgency and how it's going to be used against you, then the next time you see urgency, you're skeptical, and it's at a subconscious level, not even conscious, which means that you are more likely to just move on and click delete or click report without ever even thinking about it and getting tempted to maybe click. So to me, that's why we do this.

Joshua Crumbaugh:

Is that the only way to prevent... or to really train our users and to give them the tools they need, is to simulate the threat in a way that they won't get the computers infected. Oh, yeah, absolutely. So when it comes to the users, what do you think is the top thing they need to learn?

Eric Harris:

Just the average everyday sort of lay user? The lay user, more times than not, all of the remediations, patching, vulnerability, all that stuff is handled behind the scenes. They're not even aware that it's happening, unless it's some major upgrade.

Joshua Crumbaugh:

Hopefully they don't know what's happening, hopefully they don't.

Eric Harris:

When you get the major ones that force you to restart your system, right, sometimes it might happen. The CrowdStrike one.

Joshua Crumbaugh:

Yeah, that's not going to get old. I'm going to be making jokes about that five years from now.

Eric Harris:

No, they still are. They still are. It's not going to age well for them. No, but the general user, I just keep it simple, what they need to know. Like, if you work in an environment where you have an access card to log in to your system, you don't get up and leave it in the system. You know, general things. You know, just be aware of your surroundings.

Eric Harris:

Be aware of your surroundings whenever you leave. Take your authentication mechanism with you. Whatever it is, take it with you. Don't leave your computer unlocked. One of the things I have... Password on your keyboard? Yeah, don't write your passwords down. All right, don't... well?

Joshua Crumbaugh:

After LastPass got breached, I was finding myself thinking, I don't know, maybe that password journal wasn't such a bad idea.

Eric Harris:

Well, yeah, if you could write them all down and lock them up in a safe, I mean, yeah, I guess that's fine, but, you know, don't forget the combination to the safe. You know, don't lose the keys to the safe if you've got a lock on... I don't know, whatever. Right. What I have to preach around here is, when you leave for the day, lock your computer. Some people, no, some people actually power them down because they think they're doing the right thing. You know, you don't want to slap their hand because they're trying to do the right thing. But I need you to lock the computer, because we're trying to work on... I can't update it overnight.

Eric Harris:

That part, that's the thing I can't update. We can't do our scanning, because we have a monthly requirement for our vulnerability scans, and the scanner takes up a lot of bandwidth. We don't want to do it during the workday. You know, this is a hospital, so I get it. We've got 24-hour operations going on, but most people don't work at night, so we'll assume the risk of sucking up bandwidth at night, with the understanding that you're probably going to be at, like, 10% manning in the later shifts of the day, so scanning is not going to affect their operations or their ability to do work. But if you turn your computer off, I can't do anything.

Joshua Crumbaugh:

Yeah. And if 5% of your assets weren't scanned, an auditor is going to ask questions about that. Yeah, which...

Eric Harris:

...we are in the middle of right now. So, like, you cannot turn your computer off. Yeah, just lock it. Windows...

Joshua Crumbaugh:

...L, just lock it and we're good. Yeah, I actually think that's one of the really good tips. The one that I like to give is trust your gut. Yeah, I've never seen an incident where the user didn't say, I knew better, I should have known better, there were so many red flags, and that is what tells me that they always have that gut check. They just don't trust it, and I think that that's just the simple advice that helps even more than think before you click. So, AI, we jumped over the slide, but we haven't really talked about it. It's really changing the threat landscape. So, as a threat, what are you looking at in terms of AI?

Eric Harris:

What I'm looking at is deployment. How, where are we in the great? I can't say how or if, because we are. Everyone is, whether it's at a large scale or at a smaller scale.

Joshua Crumbaugh:

We're all using AI. We're all using AI and if you're not, you're going to get left behind real quick because you won't be able to keep up.

Eric Harris:

That's, that's the big thing. I mean, AI is a game changer, but its initial design or implementation is to improve and increase our productivity and efficiencies. So, yes, we want to use it, but my consideration is how are we using it? Is it? Are we using it at a grand scale? Um, this is one of the things like in the federal system. It's, it actually, um, since it's heavily regulated, things take a little longer to get done than they do in the private sector. And with any AI microphones in the rooms yet, listening and taking doctors' notes? Uh, no, we don't.

Eric Harris:

Um, there, there are definitely talks about certain things being done, but because, you know, this is one of the benefits of the federal process is, you know, it has several steps it has to go through, and it may slow certain things down, but this is something I would prefer to move a little slower. Yeah, because there's a lack of expertise, a lack of available training when it comes to AI implementation and things like that. Simple things like, probably, AI chatbots, okay, it's not really that big of a deal. But when you start implementing AI solutions that are, in essence, replacing humans to do certain types of work, so that it frees us up to do other things that AI can't do yet, that's when I would be a little more concerned.

Joshua Crumbaugh:

So that was actually one. I spoke with the CISO of, or maybe CIO, I think CIO of Alberta Health Services, which is the largest hospital network or hospital system up in Canada, and that was one of the things that they were talking about was how they have a. It's just a few rooms right now, it's not, you know.

Joshua Crumbaugh:

Uh, they're enterprise-wide, but they're running a pilot, where they have a few different doctors' rooms where they've got these AI microphones. They listen, they automatically take notes, they upload them to Epic into the patient's record, and they're saving like five minutes. Well, three to five minutes per patient. And when you multiply that, you know, by thousands of doctors and, you know, hundreds of thousands of patients, that number gets very large.

Joshua Crumbaugh:

Yes, I think the opportunity around AI is really exciting and I think that I hope, anyway, that while, yes, the bad guys are a little bit ahead of us in terms of utilizing AI, I really do think that that is the one thing that's going to be the best saving grace of all this is that AI is going to help us detect better. It's going to help us, you know, make sense and dig through all of the noise to find what we actually need to see.

Joshua Crumbaugh:

So I'm really optimistic about it from a practical point, and then the non-practical, sort of entertainment perspective. I think it's really intriguing what's happening around AI-generated video and things like that.

Eric Harris:

Yeah, no, I'm excited but cautious at the same time because, again, the productivity that we stand to gain from AI utilization will be amazing. But in the same breath, you know, if we're using it, they're using it. You know, deepfakes are being. You know, that term is thrown around a lot.

Joshua Crumbaugh:

Now it's easy to create them. I mean, it's becoming easy to create them. I mean, it's very, and did you see? There's a new open source tool that is, uh, better than any of the paid deepfake tools, and it's completely free, completely open source, takes minimal computing resources to be able to run this. Yes, it's scary.

Joshua Crumbaugh:

And then you've got, you can hook these things, that same tool now, into a live stream, um, and so you can create sort of like a virtual camera with it and then join, you know, Hangouts or Zoom or whatever. Uh, so it's, it's scary. I know we, we all heard about the incident in Hong Kong with deepfakes. I got an opportunity to speak to a CISO of a bank out of the southeast in the United States, and their CEO had already been deepfaked. But outside of that, I have not heard of a lot of this in real life. Have you encountered any of the deepfakes yet, or not yet, in your real life?

Eric Harris:

Just sort of anecdotally, um, the, the jury's out on this one particular incident that we had a few months ago. I don't, I don't know if it was actually an audio deepfake or not, but it seemed, it seemed to be. It potentially could have been one. I tend to lean towards this just being a scammer taking advantage of an older veteran who clearly doesn't have the awareness or the social tech savvy, any of that stuff. This is someone probably in their 70s, 80s. I don't know how old the person was, but the person was basically. Taking advantage of veterans is bad, especially those up in age. I'm a veteran, but I'm not a 70-something-year-old veteran, and I understand the environment. They don't. And this is someone who had their bank information compromised because they don't know any better, and they, you know, they were taken advantage of, and when it got to me it was, you know. It was reported potentially as a deepfake, but I was like, I don't really know, 'cause I don't, I didn't. The report didn't come to me first.

Eric Harris:

And there's no real way for me to, to, to check it, 'cause I don't have the available tools, but to the point, you know, video, audio, all that stuff can be deepfaked through the use of AI, and it can take advantage of the best of us.

Joshua Crumbaugh:

Yeah, and I mean, just this podcast alone is enough to clone either of our voices, either of our images, and so I think that anyone who's a little bit more public-facing of a figure inside of a company, they almost need that added training. You know, saying, hey, you are a target, you will, you know, be hit eventually. I mean, it's funny, you mentioned the audio deepfakes. You made me remember a conversation I had last week on the podcast that, for whatever reason, I was drawing a blank on, with the CISO of Carlson Wagonlit, uh, the travel agency, and uh, and I guess their call centers are getting deepfakes constantly of, uh, of different people just trying to use stolen credit cards to book travel. Um, but that's something that they have seen in a high amount, uh, or in a great amount of, uh, frequency. So it's, it's interesting as this sort of picks up more and more, and I would expect 2025 is going to be the year of the deepfake, uh, at least in terms of cybersecurity. Yes, absolutely. So we are just about out of time here today.

Joshua Crumbaugh:

Did you have any sort of final words of wisdom for our viewers today?

Eric Harris:

yourself in a leadership position. You're in a leadership position, um, my advice to you is, you know, we spoke earlier about the carrot and the stick. Um, I would lean more towards the carrot simply because, you know, the positive reinforcement is, to me, just seems to work better. You pull out the stick when it's necessary, and you don't want to create an environment where people are fearful of making a mistake. You want to educate them and hope they don't make a mistake, but if all they know is reprimand, reprimand, reprimand, then they're not incentivized to really do their best or to take ownership of their small piece of the security puzzle. Because everyone has a piece of it. It's just because of my job, my piece is bigger than the average person's; it's supposed to be. But I also have a piece of the medical operations in this environment. It's a small piece, because I'm not a clinician or anything like that, but my job allows them to effectively do their job. So everybody has a piece of everybody's job. So with that, you don't want to just beat them with the stick. Incentivize it.

Eric Harris:

General users, please read your acceptable use policies. And I say that for two reasons. One, it keeps you out of hot water at work. But two, I get a lot of questions from people who are asking me about things on their home computers. I say, if you follow your acceptable use policy that you get at work, if you follow that at home, you'll still be able to do pretty much everything that you want to do on your home computer. You'll just be more secure.

Eric Harris:

Yeah, you'll be a little more secure. I mean, there's a few things you might do at home that you wouldn't do at work. But, um, like, you know, shopping certain websites, they're still legit, but maybe this firewall doesn't allow that traffic to go through. But it's not a bad site. You bought stuff from there before. But if you follow that, those, those practices from work at home and teach them to your kids, especially when it comes to, um, social media usage, you know, that's big. Agree.

Joshua Crumbaugh:

I think that connecting cybersecurity to somebody's personal life is key in getting, or in driving, that, uh, that change anyway, because once it's connected, once it becomes real to them, uh, they just care so much more, and uh, and when it's not real, they may go through the motions, but they're not investing in it. Oh, yeah, yeah, they have to have ownership of it and, you know, be empowered with that, and it tends to work, at least in my experience.

Eric Harris:

It tends to work out better, I agree.

Joshua Crumbaugh:

All right, well, hey, thank you for joining us today. It's been an amazing episode of Phishing for Answers. I hope everyone got as much out of this call as I did. Thank you so much for joining us, hey.

Eric Harris:

I definitely appreciate the invite, Josh. It was, it was definitely relaxing to just talk about it. Absolutely.

Joshua Crumbaugh:

Great way to start a Monday.

Eric Harris:

Yeah, yeah, definitely got over the case of the Mondays with this conversation. I appreciate it. Awesome.

Joshua Crumbaugh:

Well, hey, you have a great one.

Eric Harris:

Thank you. All right, you too. Thanks, bye.