The Water Trough- We can't make you drink, but we will make you think!
No-nonsense insight for business folks! Whether you're contemplating starting a business, you're new to business, or you're a pro who is dealing with unresolved challenges, this is the place for you. You'll get actionable ideas, insights, and the motivation to grow your business, as you've always hoped to. Your host, Ed Drozda, The Small Business Doctor brings down-to-earth talk, conversation with thought-leaders, and much more. The key to your success lies in the untapped potential of you and your team. Join us at the Trough as we tap into your opportunity. A special shout-out to Tim Paige. Not only an amazing Human Resources VP at a prestigious New England university but a true Master of Music. That's right, he produced, played, mixed, and recorded our music tracks. Thanks, Tim.
Building the Strategic Human Firewall: Effective Cybersecurity to Overcome The Human Blindspot
Is "security theater" putting your business at risk? Tune into my conversation with Robert Siciliano to find out how we can change our security mindset and culture. It's time to take charge of our digital safety! #SmallBusiness #DataProtection #TheWaterTrough
Ed Drozda: Welcome to The Water Trough, where we can't make you drink, but we will make you think. My name is Ed Drozda, The Small Business Doctor, and I'm really excited you chose to join me here as we discuss topics that are important for small business folks just like you. If you're looking for ideas, inspiration, and possibility, you've come to the right place. Join us as we take steps to help you create the healthy business that you've always wanted. Good morning, folks. This is Ed Drozda, The Small Business Doctor, and I wanna welcome you back to The Water Trough. Today's episode explores why humans, not hackers, are the ultimate deciding factor in organizational security. We're diving into how you can build a culture that actually protects your people, your data, and your operations in an era of AI deception. You're going to learn why most companies are still performing security theater, checking boxes and hoping for the best, instead of driving genuine behavior change. We'll break down what a strategic human firewall is and why it's your only real defense against a breach. We'll also discuss how trust and denial quietly fuel most disasters, why interactive training is the only way to make the lesson stick, and how leaders can scale this entire framework without needing a Hollywood budget. There's no one better to walk us through this than today's guest, Robert Siciliano. Robert is a security analyst, bestselling author, and the architect of the Strategic Human Firewall. As one of the world's most recognizable educators in personal and corporate protection, he is the straight talk voice for a digital age. Robert, welcome.
Robert Siciliano: Thank you so much, Ed. Happy to be here.
Ed Drozda: It's a pleasure to have you here. Our topic is so timely. Just this weekend, I experienced a couple of instances of attempted hacking. My mother-in-law, on the other hand, did the same thing, but she fell for it. It never stops.
Robert Siciliano: Yeah. I've been doing what I do now for 30 years professionally, 40 years since I was a teen, and I've never seen such a high concentration of high-dollar frauds occurring in a small period of time than I have over the past two to three years. Some studies say that as many as 300 billion of our records are in the hands of criminals. It is a multi-billion dollar fraud. It just keeps getting worse. That is purely due to the fact that criminal hackers are organized today. They look at fraud as a business. It is organized web mobs that are set up throughout the world, organized criminals that are using victims of human trafficking, as many as 300,000 victims of human trafficking, says the UN, that are engaged in cybercrime 18 hours a day, and if they don't meet their quotas, they're beaten and tortured. And consumers, citizens today are no more advanced in our digital literacy in regards to preventing cybercrime than we were 30 years ago. We're not doing much in the way of preventing it, and that's where the problems are. We're not advancing in regards to our cybercrime sophistication as consumers, but the criminals recognize that, and they are full-on targeting us 24/7, 365.
Ed Drozda: We are, in part, responsible for the onslaught, and we're allowing it to thrive.
Robert Siciliano: Yeah, 100%. I get in front of live audiences for a living, and my presentation is a dialogue. I ask questions, they provide answers. They ask me questions. We get into a conversation. Some of the questions that I ask are pretty basic. I'll ask, "How many of you can honestly say that you are using a different passcode across all your critical accounts?" You know, uppercase, lowercase, numbers, characters. If I get 15% of the room to raise their hand, that's a lot, which means 85% are using the same easy-to-guess, easy-to-hack, easy-to-crack passcode across their critical accounts. The next question is, "Okay, how many of you can honestly say you're using two-factor authentication across all your critical accounts, including email?" If I get 20%, which is usually a little bit more because it's required in a lot of cases, that's a lot, which means 80% are not using two-factor authentication. So between password management and two-factor authentication, these are, like, the fundamentals. I'm getting very poor results. The next question is, "How many of you are using a password manager?" That's usually less than 10%. A password manager is the most effective way to create long and strong passwords, never having the same passcode twice. It's easy to use. Sometimes it's free, sometimes a small fee. If I'm getting 10%, that's a lot. The next question from the audience is, "Why would I use a password manager? If they can hack a password manager, then what?" That's the most common question, which tells me people's observation of a password manager is, again: if it can be hacked, why bother? So most consumers have a very fatalistic viewpoint towards the necessary security tools that are available to them. That gives you an understanding of people's digital literacy, their cyber sophistication. We engage in fatalism. Why bother if it can be hacked? We're not doing what we can or should. We're not taking the time to educate ourselves. We don't understand the basics, and we're just not gonna bother at all. That's where we're at.
Ed Drozda: I am very anal about my security. I believe what you're saying, but I'm shocked that so few people are engaged with the very simplistic tools that are available.
Robert Siciliano: So simplistic. My philosophy is and has always been that security is personal, personal security being violence and theft prevention back in the day. But what's more personal than your identity, right? I started off doing what I do in my teens, teaching women self-defense. Security is personal, which fundamentally means that people protect what they love. So part of that line of questioning is, "Okay, how many of you lock your doors?" Depending on the settings, country, urban, rural, suburban, and so forth, I sometimes get as little as 20% lock their doors. I say, "Okay, so some of you aren't locking your doors. How many of you have a home security system?" If 15%, maybe 20% of them raise their hand, that's a lot. And I tell them, "Did you know that in the US, every year, between 1.5 million and 2 million homes are burglarized?" They don't generally know the answer to that question, and they're usually surprised by that. I've had a home security system for 30 years, and I say, "Okay, why don't you have a home security system?" And there's three common answers that I get. Many people say, "We don't have a home security system because we have insurance," as if insurance is gonna protect you and your physical being from an intruder at 3:00 AM. "We don't have a home security system because my husband says if they're gonna break in, there's not much we can do to prevent that." Fatalistic, which really frustrates me. I've got two daughters that live with me, 17 and 20, and my honey. I wouldn't think to not have a home security system at 3:00 AM. You know what I'm saying? 'Cause I'm vulnerable. I know I'm vulnerable. And the most common answer that I get why we don't have a home security system is, "Because I don't wanna live like that." And I say, "Well, what does that actually mean?" And they say, "I don't wanna live in fear. I don't wanna have to worry. We live in a safe neighborhood anyway, so why would they bother breaking into my house?"

Again, fatalism. From my perspective, it's a form of denial. "It can't happen to me. It won't happen to me. I don't even wanna think about that stuff. I don't want a home security system as a constant reminder that there's bad actors out there. I just wanna live free," they often say. Free of fear, free of worry, as if security is something that we worry about. It evokes fear. It evokes paranoia. I'm a guy that has 20-plus security cameras, maybe a little excessive, but I get many of them for free by companies that want me to review them and stuff. What might that say about me? And the whole room says, "Paranoid," at the same time. But we as a culture, we as a society, we look at security as a form of paranoia. "He must look over his shoulder. He must always worry. He must think that people are out to get him," is how we look at people who engage in practices of security. And the reality of it is, if security has anything to do with paranoia at all, why would you ever want to be engaged in security? Who wants to live like that? The medical communities have diagnosed paranoia as a mental health disease, but we as a culture, we as a society, we look at security essentially as a bad thing. 80 to 90% of my audiences, 80 to 90% of the general public have this unhealthy view of what security is and what it isn't. That dichotomy fundamentally prevents us from engaging in risk management because we think it's a bad thing. And then to justify it, we adopt these fatalistic beliefs. We're not truly well thought out when it comes to this very significant issue. That's what I am up against. I am hired basically to change the minds of those in my audiences. When the chief information security officer contacts me and says, "Listen, we just want our people to care. We want them to believe in security. We want them to care about security," my job is to get them to overcome all of these societal and cultural misnomers, and to get them to the point where they look at security as actually being a good thing in their lives. My job is to change cultural views, to get them to see that it's something that they want, something that they need, and something that they actually can handle. It's something that they are fully capable of engaging in once you change how they perceive it.
Ed Drozda: So the individual doesn't want to use a password manager, doesn't wanna have an alarm system at home, and then they come to work and they carry the fatalistic attitude with them. When they're faced with security training, when they're thrown these phishing schemes that are actually sent by the employer to test them, they're not paying any attention. Is that what you're saying?
Robert Siciliano: Yeah, that's exactly correct, Ed. 60% of American companies have engaged in security awareness training that's called phishing simulation. Phishing simulation training is basically when you hire a company, my company does it, other companies do it, where they will, on behalf of the chief information security officer, the CTO, the CIO, they'll deploy technologies where they'll phish the employees. They'll send out emails that look like it's coming from their bank, from a fellow coworker, from a charity the company might contribute to, from the CEO, and so forth. These phishing simulation trainings are designed to see who within the company clicks the link, provides the information, basically gets hooked in that phishing email. And then a follow-up to that phish would be the employee receives education. "Okay, this is what you did. This is how you reacted to that email. This is what could get you and the organization in trouble in the future, so this is what to look out for, and don't do that again." Okay. Well, when the employee is engaged in this type of security awareness training, they don't quite get it to begin with. They don't necessarily think that phishing or security is their responsibility anyways, it's the chief information security officer's job. That CISO is making them do this. They resist it by default because security isn't something that they believe in to begin with based on security's about paranoia, worry, fear, it can't happen to me, the whole thing. So when they're engaged in this awareness training, they're already like, "I don't wanna do this." They're not invested in it. We are a selfish or self-interested creature by default. We are designed to be selfish. That's not necessarily a bad thing. You and I need to take care of ourselves first. Like, we have to get a good night's sleep. There's a reason why when you're on a flight, the flight attendant says, "Put the oxygen mask on yourself first."

So you have to take care of yourself first in order to take care of others. With security awareness training at work, phishing simulation, it's like we're putting the cart before the horse. We're saying, "Do this for the company, or else there's repercussions of you not being effective at this training. You can get fired." From my perspective, that's putting the cart before the horse. Due to the fact that I look at all security as being personal, it starts with the individual, with your identity, with your family. I'm up against companies that are hammering this security awareness training down the throats of these employees, and the employees are resistant to it. And I'm here to say I can make everybody in your audience top 10% of secure Americans simply by adopting very basic behaviors, very basic strategies that you should do every day to make you secure first in your own life. Password management, two-factor authentication, lock your doors, home security system. You're already in the top 10% just by doing those things. Then you can engage in the phishing simulation training at work and get it, understand it, and be good at it. It's satisfying when I'm done with the training. When I walk in the room, it's funny, Ed, people with their arms folded, looking at me with a cynical look on their face. "Okay, security guy, what are you gonna tell me that I don't already know? I'm required to be here. I got things to do. I gotta get back to work." Then after 15 minutes of talking about passwords and two-factor authentication and home security systems and locking doors and denial and paranoia, all of a sudden they begin to lower their arms and they begin to lean into the conversation. Their eyes open up a little bit, and they have a curious face versus a stern face. And as the arms go down, the hands begin to go up because now they have questions. Now they wanna know. Because we went from, "My boss required me to be here to protect the company," to, "Oh, this is about me. This is about my security. This is about my identity. This is about my kids." That's what people want. They wanna know what to do, and most people don't know what to do to begin with.
Ed Drozda: You're inspiring people in their personal lives and saying that they'll bring that to the workplace. Meanwhile, in the workplace, folks probably aren't even considering they could lose their job if the company goes to hell in a handbasket because of a massive attack, right? But if a company is heavy-handed about it and says, "If you don't do this, you're gonna be fired," they miss the point too.
Robert Siciliano: Well, because the shame involved in that, and that is a big part of the problem. We shame employees when they don't get it right. We as a culture, we as a society, have been blaming the victim forever. I'll give you an example. When there's a data breach, a major corporation is breached, and the media says, "What did they do wrong? Why were they breached? My personal information was affected. Bad, bad company." Well, you have to keep in mind they're a victim of a crime. There's people inside that corporation that have systems in place that are designed strategically to prevent that breach from happening. They're not all sitting behind their desks all day watching YouTube. Many spend millions of dollars to make sure that that doesn't happen, but sometimes it happens. Even if you have a home security system, your house can be broken into. Even if you've taken self-defense classes, you can be assaulted. None of that means why bother? Security is a journey. It's a process. It's this thing that we engage in to reduce risk. A seatbelt is a tool in your vehicle to give you control over that vehicle. Does a seatbelt prevent you from getting into a car accident? No. Does it prevent you from getting killed in a car accident? No. Does it reduce the risk in a car accident? Yeah. But we look at security like it should absolutely protect me. That's not how it works. But most of us, we've not thought that through, and blaming the victim is something that we have done for hundreds of years, and we're still doing it today.
Ed Drozda: I believe that security is comprised of two broad things, one of which is technical, the tools that we need and the actions that we take, and the other one, I think perhaps the most important, is that it's a state of mind.
Robert Siciliano: You and I understand that and lots of people do, but too many don't. We live in a basically safe environment, a basically safe culture. Certain parts of the world, for example Israel, since the mid-'90s, early '90s, their building codes require that people build safe rooms in their houses to defend against a missile attack. Obviously, we're not under missile fire all the time. They have a very different attitude towards security as a result of that cultural conditioning. Here, we just take that stuff for granted. "It can't happen to me" is pretty much the majority of our default. Denial, as I explain it, is this awesome thing. Insidious as it can be, it allows us to function in a world that some might say is on fire. It allows us to deny the existence of threats. It allows us to avoid the feelings of anxiety, and that's actually not a bad thing, 'cause if we truly understood risk to the degree that it exists, I think that many of us would live in fear and would be worried all the time. Most people look at risk and security and threats and anxiety, and they would rather not think about this stuff because they're overwhelmed to begin with. They've never had a conversation with somebody like you or I in this moment to give them perspective that security is not really a bad thing at all. It's a good thing. It's there to provide you with a level of control, with stability. As you alluded to, on the hierarchy of human needs, we need to protect ourselves first and foremost. At the base of that triangle is physiological needs, sustenance, fluids, sleeping, and right above that is safety, security, stability, structure, protection. We need that in order to function. But again, in our culture we deny the existence of that security as being a bad thing. Here we are. Your mother-in-law, she's part of the baby boomers or silent generation. They grew up trusting and respecting authority. It was conditioned within them. They trust the written word.

They trust what they see on television. They trust what they hear on the radio. They trust what's in The New York Times and Wall Street Journal. They trust by default. So when the phone rings, an email comes in, a text message, they generally tend to trust it. They're the most moneyed on the planet, right? Our parents, our grandparents, they have over $100 trillion in wealth. That moneyed generation, who's the most trusting, is also the least technically savvy. They're cognitively declining, as we all are as we age, right? So there's four things going against them, and most people don't know this, 25% of them are lonely. Those five characteristics going against the baby boomers and silent generation are what organized crime is targeting. And when I say who and what, I mention 300,000 victims of human trafficking the UN says are being held captive in compounds in parts of the world where they're beaten, tortured if they don't make their quota. Those wrong number text messages we get, those are victims of human trafficking sending you those text messages. It's not just nameless, random robots sending it to us. It's human beings that understand those five characteristics, the money, the loneliness, the cognitively declining, the trusting, all that.
Ed Drozda: Yeah. They know what they're doing. It's a business, and I hate to say this, they're good at it. It's up to us to defend ourselves.
Robert Siciliano: They're excellent at it, Ed. They act like what they do, and don't take this the wrong way, what they do is awesome. It's awful, but it's awesome what they do. They make billions of dollars every day. And we just sit back and get victimized, but it doesn't have to be like that. You and I are what I call a strategic human firewall. We look at risk effectively. We recognize the phone calls and the emails and the text messages. We recognize when someone means to do us harm, whatever that might mean, financially, physically. We have a clue in that regard. We anticipate it to a degree. We're looking out for it. We don't worry about these things, but we kinda see it coming. We see it unraveling as we open up that email, and we're looking for certain things, like, "No, no, this isn't Best Buy charging me for a Geek Squad membership," this is truly, yeah, this is just a scam, and I'm not gonna call the phone number. This is BS, and I know that. It's obvious to me. But a lot of people look at it and go, "$400 to Geek Squad. I didn't do that. Best Buy, what are you doing? Oh, there's a phone number I can call. I gotta call the number to find out what's happening because I'm on a fixed budget. I can't deal with this." That's a lot of people. As dramatic as that was, that's a lot of people. And the bad actors, they know this, and those emails work, which is why we keep getting them. So the strategic human firewall, which is something that I've developed over the course of my career, we all know what a firewall is, right? But a human firewall, a strategic human firewall, is a well-thought-out human that recognizes risk, and essentially that human, in their mindset, their methodology, their understanding, is they know how to block deception. So they see that email, they hear that phone call, they see text messages. They're looking at it, cognitively recognizing, "Okay, this is not what it appears to be." They're blocking this deception. It's a proactive governance.

It's a mindset that turns humans, employees, from passive targets, which many of us are, into active detection layers. We see it coming down the pike, so to speak. It's the shift from, "I automatically, by default, give the benefit of the doubt, and I trust what I see," which is a lot of people, to "I verify everything." I begin to look at everything as, "Okay, what's really happening here?" versus, "Oh, what do I have to do to satisfy this false debt and fix it? Make the phone call." No. What's really happening here? And so we do this by appreciating the value security has in our life versus looking at it as a bad thing. In a corporate setting, it's the shift from security awareness, and my perspective is security awareness is from the neck up. It's in your head. It's intellectually knowing, to appreciation, which is from the heart up, which is caring. So when employees appreciate how security protects their own lives, behavior ultimately changes permanently. I call this the security appreciation gap. It's that chasm between an employee's intellectual, again, neck up, understanding of risk of security and the emotional commitment to act on that knowledge, which from the heart up, again, is appreciation. I call this the kitchen table effect. It's a multiplier effect where successful training ends with the employee teaching the concept to their family at home, cementing those lessons for life. In the time we have together, all that stuff is easy to do. We all have the ability right now to be top 10%. So number one, you're not supposed to be using the same passcode across multiple accounts. That is just the worst thing that you could be doing. The way that you use different passcodes across multiple accounts, changing them all up, never using the same passcode twice, is with a password manager. These are free to a small fee tools that are available on the Internet. These are security companies, they know what they're doing. Have they been breached? Yeah. Has our information been compromised in plain text? No. I've been using a password manager for 20-plus years. It's fine. Use a password manager that facilitates the process of using a different passcode across multiple accounts. They have password generators built into them. I don't even know my passwords.
Ed Drozda: Nor do I. They're 20, 25 characters, and I don't know what the heck they are.
Robert Siciliano: Yeah, exactly, Ed. It's uppercase, lowercase, numbers, and characters. You don't need to know them in your head. All my passwords are different, and my password manager knows them. So password manager, change up your passcodes, and then one by one, you change your passcodes for each of your accounts. As you use the password manager, it begins to make sense to you how you go through this process of changing them all up, never using the same one twice, having the password manager set you up, and then before you know it, you're relying on that password manager every day. It's, in my opinion, the best use of my time and my money in regards to my security and my privacy, and my time for that matter, for like 20 bucks a year. I tell everybody, "Go to Google and search password manager, two words, and you'll find all kinds of articles, Wired Magazine, PC Magazine. They talk about the 10 best password managers for 2026." Great. Then you read the article. You see what it's all about, and they've already recommended a bunch. You go through them and see which one resonates with you. LastPass has been hacked, yeah, but they're really good at what they do. 1Password, the number one password, is a good one. Dashlane, Bitwarden, RoboForm, they're all good. And then from there, two-factor authentication. How do you set up two-factor authentication, and is it inconvenient? At the beginning it can be, but in order to set it up you do a Google search. Two-factor Gmail, two-factor PayPal, two-factor Amazon, two-factor eBay. You get the picture. Just walk through the prompts, then before you know it, you've got two-factor authentication set up for your most critical accounts. Make sure you have it set up for email as well. And now you've got two-factor and passwords taken care of. From there, security begins to make a little bit more sense to you.
Ed Drozda: Robert, this conversation has been fascinating, and I really appreciate your time, and our time has come to an end. So before we part company, is there anything you'd like to leave us with?
Robert Siciliano: Look, don't worry about any of this stuff. Really, truly. But do something about it. With AI and deepfakes, which are like fake videos and stuff, and voice cloning, the technology's happening fast. The ability for us to be con-vinced, conned, right, is becoming a lot more effective for the bad guy. If we don't embrace the basics, it can happen to me, therefore I should do these different things, not worry about it, but put these systems in place to reduce that risk. If we don't effectively adopt a strategy that eliminates or reduces risk in our own personal lives first, physically, virtually, identities, all that stuff, then the bad guys are just going to win, win, win. We don't want that. We want to become tougher targets, and tougher targets means small little changes in your behavior, and you're good.
Ed Drozda: Thank you very much for that. Your insights are invaluable. I think it's notable how many people can be inspired by these things, how many people are not aware of these things. There's a big audience out there that needs to reflect on the things that you've said and take the appropriate steps. Thank you very much for that.
Robert Siciliano: Thank you, Ed.
Ed Drozda: Folks, this is Ed Drozda, The Small Business Doctor, and once again I want to thank my guest, Robert Siciliano. Here at The Water Trough, as always, I want to wish you a healthy business, and I also want to remind you, please be aware of your security. As Robert said, you don't have to be paranoid, but being aware and taking action will make a big difference. Until next time, take care.