How Clicking a Single Link Can Cost Millions | Ryan Pullen | TED

38,830 views ・ 2024-02-29

TED



00:04
I received a phone call from somebody who needed my help.

00:06
And they explained to me

00:08
that this organization had suffered a cyberattack,

00:11
more specifically a ransomware attack,

00:14
which is designed

00:16
to both steal your data and make it unusable.

00:21
It replicates itself throughout the business

00:24
and can drive you down to paper-based controls.

00:27
And this was an opportunity that I saw

00:29
where I could influence something positively.

00:33
And it was my job to investigate what had happened,

00:36
how it happened and why.

00:41
And I saw something that I hadn't experienced before firsthand.

00:45
In 2017, the NHS suffered something similar,

00:49
and it cost nearly 100 million pounds to recover.

00:54
This incident cost around five million pounds to recover

00:56
and took 14 months.

00:59
Yet what I saw was the human impact.

01:03
How this happened?

01:04
A single individual clicked a link,

01:06
and a single individual enabled this, unknowingly,

01:10
to happen to an organization.

01:12
Multiple people were signed off sick due to stress,

01:15
and multiple people were unable to go to work the next day

01:19
and carry out their job.

01:22
Now, for me,

01:23
cybersecurity is a very technological-focused term.

01:28
And yet IBM did a study in 2021,

01:32
and 95 percent of cyberattacks

01:36
used a human element.

01:39
Now that's all well and good,

01:42
but what does that actually mean?

01:44
It means people can be exploited, too.

01:47
There’s no lines of code, and there’s no fancy software.

01:51
Cybersecurity is, as far as the media is concerned,

01:55
maybe teenagers in their bedrooms causing trouble,

01:59
stealing things and learning how to use them.

02:02
Yet what people don't see is the impact, and how it affects day-to-day life.

02:08
And this incident for me,

02:10
made me think slightly differently around cybersecurity.

02:14
And recently I had an opportunity

02:17
which presented this thought process.

02:21
I was commissioned to evade security controls

02:26
for a very well-known building in London.

02:29
That’s a snazzy way of saying “break in.”

02:32
And effectively, it was my job to see if I could get past the security controls

02:37
and get into the building.

02:39
And so for me, thinking kind of outside of the box,

02:44
this building has floor to ceiling doors,

02:46
24/7 security team,

02:47
endless budget for this kind of thing based on where they are.

02:51
And so, thinking slightly outside,

02:55
I needed to come up with a different plan.

02:58
And ...

03:00
What I did was I tried to go down the social engineering route,

03:03
which is the art of kind of deception

03:07
and making people believe something without the full information.

03:12
And what I did was I walked in the front door,

03:16
dressed quite similarly to this,

03:18
and I was greeted by eight people

03:20
and I thought, oh, that's a bit over the top.

03:23
And it's because every single person should have the right information

03:30
and should know where they're going.

03:31
It’s very rare for them to be visitors.

03:33
And this person asked me,

03:36
"Why are you here? Who are you here to see?"

03:38
And I explained, I didn't have an appointment,

03:40
but I was here to see a specific person.

03:42
And they said, "Yeah, there's no chance you're getting in."

03:45
And I thought, oh goodness, I traveled all this way.

03:48
And yet what I know is people are empathetic,

03:51
and people want to help each other, right?

03:53
And so I made up a story and I said I was here for a legal matter,

03:57
and I was only able to achieve what I needed to achieve

04:00
on these premises.

04:02
And they said, "Yeah, sorry, we're still ..."

04:04
And I explained the urgency, and I made them feel sorry for me.

04:09
And what I was thinking about giving this talk,

04:12
I was going to pause and I was going to pretend that I was struggling.

04:16
And that emotion that you would have felt

04:17
where you wanted to help me

04:19
or you wanted me to continue, is exactly how this person felt.

04:23
They felt they were stopping me from doing my job, which they were,

04:28
but not for how they expected it.

04:31
And then I pretended to be on the phone in the foyer, pacing up and down,

04:35
pretending to be aggravated.

04:38
And then the manager came across with a QR code for me and said,

04:41
"So sorry for the issues, no problem."

04:43
And they showed me around a side passage away from the two rounds of security.

04:49
So I had my laptop bag with me with “the evidence,”

04:54
and it wasn’t checked and I was able to go in,

04:56
and I was able to go to the floor that I needed to.

05:00
And I was paid as a cybersecurity expert to evade the controls of this building.

05:05
And all I did was ask for access and make someone feel sorry for me.

05:09
And so that's two very different perspectives.

05:14
One, the five-million-pound job that took 14 months to recover,

05:17
where I was helping people,

05:18
but the second, I was the aggressor

05:20
or the person trying to get in.

05:22
Now this is all enabled through the way that humans exist

05:26
and human behavior.

05:28
And cybersecurity as a whole doesn't really represent that

05:31
in a way that is sufficient, I don't think.

05:35
And so I have one more narrative and different perspective to share.

05:40
And it's when I was a victim.

05:43
This happened only a few weeks ago.

05:46
And what happened was I received a phone call.

05:50
It was around 8pm.

05:51
I received a phone call from a phone number.

05:55
And they said, "Hello, is this Mr. Pullen?"

05:58
And I said yes.

06:00
And they said, "We've seen your bank cards be used

06:03
in a different part of the country."

06:05
And I thought, oh goodness.

06:07
And what they explained was,

06:09
they explained there's been three different transactions

06:12
and would I like them to block them for me?

06:14
I said, "Yes please.

06:15
That would be really helpful."

06:17
And I Googled the number out of instinct,

06:19
and it was the phone number from the fraud line in the bank.

06:25
And something didn't add up.

06:27
And I'm a bit of a pessimist.

06:30
I don't really trust people.

06:32
And so I was instantly on the back foot,

06:35
and they're saying all of these things,

06:37
they were confirming my identity.

06:38
They told me where I lived, my mother's maiden name,

06:41
and they told me a few other bits of information the bank would know.

06:44
And all of this is to build a perception of credibility.

06:48
Why shouldn't I trust you?

06:50
And why shouldn't you be phoning me to help me?

06:54
And we go back and forth for around an hour and a half,

06:58
and there was a few things that didn't sit right with me.

07:01
And so when I was on hold, when they were blocking my transactions,

07:06
I phoned the actual fraud line and I said,

07:08
is there a way that I can verify their identity?

07:11
The person on the phone said, "They sound very professional and legitimate"

07:15
and they were.

07:16
I asked for their name, and they had a fake LinkedIn profile.

07:19
They had a fake crime reference number for me.

07:22
And ...

07:24
Me experiencing this firsthand,

07:27
having investigated things like this on a regular basis for mortgages

07:30
and transactions ending up in the wrong place,

07:33
I knew something wasn’t sitting quite right,

07:36
and the true person put a note on my account

07:40
and I explained to the person,

07:42
"Can you tell me what the note says, please?"

07:44
And that was the first time they got a little bit flustered.

07:48
And it took them five minutes and they said,

07:50
"We'll go and check with accounts team.

07:52
But in the meantime, can you tell me the code that it says in your mobile app?"

07:56
At which point I hung up, got my cards replaced, and I was OK.

07:59
But these three narratives

08:02
of cybercrime or scams or criminal behavior

08:07
are all technology-focused with the end goal

08:10
but are human-led.

08:12
And you may ask, "How is this possible?"

08:15
"Why can this be so easy?"

08:18
I've literally just walked into a building

08:21
and asked someone to let me in with a fake story.

08:24
And someone's phoned me up with a small piece of information

08:27
and built this incredible picture around, OK, yes, I should trust you.

08:31
And it's because data has a value in different pockets,

08:37
and with small bits of information you can build quite a narrative,

08:43
as you can see.

08:45
And so today,

08:47
what you would be able to do

08:49
on the kind of criminal underground, if you like,

08:52
would be buy 1,000 email addresses and passwords

08:55
for around six US dollars,

08:57
a cup of coffee in some places, right?

08:59
That's 1,000 people's account details that you may be able to log into

09:03
or have tangible information to create a case,

09:07
and that might be pretending to be Amazon for a password reset.

09:10
It might be what location you went on holiday,

09:13
and we're going to do a bit more of a targeted attack that way.

09:17
And this information is available

09:21
because of vulnerabilities from a technical standpoint.

09:24
Yet this is to exploit human behaviors.

09:27
Take my parents, for example.

09:29
I think I’m in cybersecurity because my parents give me a balance.

09:32
My mom is 100 percent, 110 percent optimist.

09:35
Nothing's going to go wrong, everything's OK,

09:37
no one's going to hurt my little boy and all of this sort of stuff.

09:41
And my dad's much more on the pessimistic end where,

09:44
“Why do you want to know me?

09:45
Why do you want this information?”

09:48
And so that balance for me brings kind of both sides of the story.

09:54
And my mom is the sort of person that would have shared

09:57
the traditional WhatsApp messages,

10:00
250 pounds at Christmas and oh, how lovely that would be,

10:03
pay for your Christmas lunch and all those sorts of things.

10:07
And that then becomes a whole different attack vector,

10:10
because it's coming from someone you trust,

10:12
and they're sharing you a link

10:14
and they're sharing something you might want to click,

10:16
and you begin to trust it even more.

10:18
And so my talk is around really focusing on the ways

10:22
in which human behavior is exploited

10:25
and how we can benefit and protect each other.

10:28
And it's OK to call these things out.

10:30
And so there's some basic things you can do,

10:32
such as resetting passwords

10:34
and making sure you're not using the same password for all your accounts.

10:37
Because if one of your passwords did get leaked,

10:39
you would like to know, OK, it's just this one account,

10:42
and I understand that's the one I need to look after.

10:45
When many people will use the same profile for Facebook,

10:48
their bank -- their online banking, sorry,

10:51
and sites that you can purchase things.

10:54
So you might be able to go on Amazon

10:56
and buy an iPhone with someone's username and password, right?

10:59
Bank account details are stored.

11:01
And that creates a whole different perspective of risk and cybercrime.

11:07
And so for me,

11:09
I don't believe any generation can avoid this anymore.

11:14
Children are being raised with iPads,

11:16
and older generations are online shopping

11:18
because of convenience and accessibility to services they may not have had before.

11:23
And so I believe that understanding how these things may happen

11:28
and putting some light on them

11:31
can really impact the way in which people conduct themselves

11:36
and challenge when things may not feel quite right.

11:40
And so for me,

11:42
going through this journey and those three different perspectives,

11:45
the one where I was the person helping, five million pounds,

11:48
and seeing people really suffer.

11:50
The second one where I was putting people potentially in that position,

11:54
however fully ethically, and I was meant to be there for my job.

11:58
And the third where I was the victim,

12:00
it shows that it can take many different shapes based on information.

12:05
And information can come from social media.

12:09
And so if you're going on holiday to Mexico,

12:11
say, for your honeymoon,

12:13
you've saved up all of this money.

12:15
Wonderful, have a lovely time.

12:17
Yet someone you know or an acquaintance

12:21
or you have public visibility of your arrangements.

12:27
If someone knows that information

12:29
and they know the bank you may work with,

12:31
they could phone you whilst you land and say,

12:35
"We've seen your card be used in this location."

12:39
Now, how are you going to feel

12:41
if someone's saying your card is being used and it's you?

12:44
You're going to feel OK, cool, yeah, this is me, no problem.

12:48
And they say, "OK, can you just confirm your identity?

12:51
Because we want to make sure this is you.

12:54
Can you just tell me your card number?"

12:56
So you do, and then you're asked why you're there.

12:59
"I'm on my honeymoon."

13:00
"Have a lovely time."

13:01
All of these social engineering, empathetic side of behaviors.

13:06
And then you get down into the more conversational elements.

13:10
"OK, can you just confirm your card isn't going to expire?

13:13
When does it expire, please?"

13:14
There's many different ways you can pose questions to make people feel acceptance.

13:19
And then lastly, "Can you just check the security pin

13:21
so I know which card I'm going to disable?"

13:24
And by that time what you've done is

13:27
you've told someone you've got money in your bank

13:29
because you've been saving for this wonderful occasion,

13:32
and also you're not going to be in the country to do anything about it.

13:35
And so from a cybersecurity perspective,

13:38
exploitation can happen in many different ways,

13:41
and I don't think it's publicized around the human elements enough.

13:45
And so if you take one thing from today,

13:48
I ask that you see this as your opportunity

13:53
to make sure that you protect your own information and your loved ones

13:56
and your identity online.

13:58
There's no problem with using social media.

14:00
All I ask is you consider who you're sharing that information with.

14:04
The reason being that information is valuable, even if it's not to you.

14:08
It could build a picture,

14:11
and it could cause you some trouble.

14:14
Consider who you share your information with.

14:16
Thank you.

14:17
(Applause)