I received a phone call from somebody who needed my help. And they explained to me that this organization had suffered a cyberattack, more specifically a ransomware attack, which is designed to both steal your data and make it unusable. It replicates itself throughout the business and can drive you down to paper-based controls. And this was an opportunity that I saw where I could influence something positively. And it was my job to investigate what had happened, how it happened and why. And I saw something that I hadn't experienced before firsthand.
In 2017, the NHS suffered something similar, and it cost nearly 100 million pounds to recover. This incident cost around five million pounds to recover and took 14 months. Yet what I saw was the human impact. How this happened? A single individual clicked a link, and a single individual enabled this, unknowingly, to happen to an organization. Multiple people were signed off sick due to stress, and multiple people were unable to go to work the next day and carry out their job.
Now, for me, cybersecurity is a very technological-focused term. And yet IBM did a study in 2021, and 95 percent of cyberattacks used a human element.
Now that's all well and good, but what does that actually mean? It means people can be exploited, too. There’s no lines of code, and there’s no fancy software. Cybersecurity is, as far as the media is concerned, maybe teenagers in their bedrooms causing trouble, stealing things and learning how to use them. Yet what people don't see is the impact and how his day-to-day life.
And this incident for me, made me think slightly differently around cybersecurity. And recently I had an opportunity which presented this thought process. I was commissioned to evade security controls for a very well-known building in London. That’s a snazzy way of saying “break in.” And effectively, it was my job to see if I could get past the security controls and get into the building. And so for me, thinking kind of outside of the box, this building has floor to ceiling doors, 24/7 security team, endless budget for this kind of thing based on where they are. And so, thinking slightly outside, I needed to come up with a different plan. And ... What I did was I tried to go down the social engineering route, which is the art of kind of deception and making people believe something without the full information. And what I did was I walked in the front door, dressed quite similarly to this, and I was greeted by eight people and I thought, oh, that's a bit over the top. And it's because every single person should have the right information and should know where they're going. It’s very rare for them to be visitors. And this person asked me, "Why are you here? Who are you here to see?" And I explained, I didn't have an appointment, but I was here to see a specific person. And they said, "Yeah, there's no chance you're getting in." And I thought, oh goodness, I traveled all this way. And yet what I know is people are empathetic, and people want to help each other, right? And so I made up a story and I said I was here for a legal matter, and I was only able to achieve what I needed to achieve on these premises. And they said, "Yeah, sorry, we're still ..." And I explained the urgency, and I made them feel sorry for me.
And what I was thinking about giving this talk, I was going to pause and I was going to pretend that I was struggling. And that emotion that you would have felt where you wanted to help me or you wanted me to continue, is exactly how this person felt. They felt they were stopping me from doing my job, which they were, but not for how they expected it.
And then I pretended to be on the phone in the foyer, pacing up and down, pretending to be aggravated. And then the manager came across with a QR code for me and said, "So sorry for the issues, no problem." And they showed me around a side passage away from the two rounds of security. So I had my laptop bag with me with “the evidence,” and it wasn’t checked and I was able to go in, and I was able to go to the floor that I needed to. And I was paid as a cybersecurity expert to evade the controls of this building. And all I did was ask for access and make someone feel sorry for me.
And so that's two very different perspectives. One, the five-million-pound job and took 14 months to recover where I was helping people, but the second, I was the aggressor or the person trying to get in. Now this is all enabled through the way that humans exist and human behavior. And cybersecurity as a whole doesn't really represent that in a way that is sufficient, I don't think.
And so I have one more narrative and different perspective to share. And it's when I was a victim. This happened only a few weeks ago. And what happened was I received a phone call. It was around 8pm. I received a phone call from a phone number. And they said, "Hello, is this Mr. Pullen?" And I said yes. And they said, "We've seen your bank cards be used in a different part of the country." And I thought, oh goodness. And what they explained was, they explained there's been three different transactions and would I like them to block them for me? I said, "Yes please. That would be really helpful." And I Googled the number out of instinct, and it was the phone number from the fraud line in the bank. And something didn't add up. And I'm a bit of a pessimist. I don't really trust people. And so I was instantly on the back foot, and they're saying all of these things, they were confirming my identity. They told me where I lived, my mother's maiden name, and they told me a few other bits of information the bank would know. And all of this is to build a perception of credibility. Why shouldn't I trust you? And why shouldn't you be phoning me to help me?
And we go back and forth for around an hour and a half, and there was a few things that didn't sit right with me. And so when I was on hold, when they were blocking my transactions, I phoned the actual fraud line and I said, is there a way that I can verify their identity? The person on the phone said, "They sound very professional and legitimate" and they were. I asked for their name, and they had a fake LinkedIn profile. They had a fake crime reference number for me. And ... Me experiencing this firsthand, having investigated things like this on a regular basis for mortgages and transactions ending up in the wrong place, I knew something wasn’t sitting quite right, and the true person put a note on my account and I explained to the person, "Can you tell me what the note says, please?" And that was the first time they got a little bit flustered. And it took them five minutes and they said, "We'll go and check with accounts team. But in the meantime, can you tell me the code that it says in your mobile app?" At which point I hung up, got my cards replaced, and I was OK.
But these three narratives of cybercrime or scams or criminal behavior are all technology-focused with the end goal but are human-led. And you may ask, "How is this possible?" "Why can this be so easy?" I've literally just walked into a building and asked someone to let me in with a fake story. And someone's phoned me up with a small piece of information and built this incredible picture around, OK, yes, I should trust you. And it's because data has a value in different pockets, and with small bits of information you can build quite a narrative, as you can see. And so today, what you would be able to do on the kind of criminal underground, if you like, would be buy 1,000 email addresses and passwords for around six US dollars, a cup of coffee in some places, right? That's 1,000 people's account details that you may be able to log into or have tangible information to create a case, and that might be pretending to be Amazon for a password reset. It might be what location you went on holiday, and we're going to do a bit more of a targeted attack that way. And this information is available because of vulnerabilities from a technical standpoint. Yet this is to exploit human behaviors.
Take my parents, for example. I think I’m in cybersecurity because my parents give me a balance. My mom is 100 percent, 110 percent optimist. Nothing's going to go wrong, everything's OK, no one's going to hurt my little boy and all of this sort of stuff. And my dad's much more on the pessimistic end where, “Why do you want to know me? Why do you want this information?” And so that balance for me brings kind of both sides of the story. And my mom is the sort of person that would have shared the traditional WhatsApp messages, 250 pounds at Christmas and oh, how lovely that would be, pay for your Christmas lunch and all those sorts of things. And that then becomes a whole different attack vector, because it's coming from someone you trust, and they're sharing you a link and they're sharing something you might want to click, and you begin to trust it even more.
And so my talk is around really focusing on the ways in which human behavior is exploited and how we can benefit and protect each other. And it's OK to call these things out. And so there's some basic things you can do, such as resetting passwords and making sure you're not using the same password for all your accounts. Because if one of your passwords did get leaked, you would like to know, OK, it's just this one account, and I understand that's the one I need to look after. When many people will use the same profile for Facebook, their bank -- their online banking, sorry, and sites that you can purchase things. So you might be able to go on Amazon and buy an iPhone with someone's username and password, right? Bank account details are stored. And that creates a whole different perspective of risk and cybercrime. And so for me, I don't believe any generation can avoid this anymore. Children are being raised with iPads, and older generations are online shopping because of convenience and accessibility to services they may not have had before. And so I believe that understanding how these things may happen and putting some light on them can really impact the way in which people conduct themselves and challenge when things may not feel quite right.
And so for me, going through this journey and those three different perspectives, the one where I was the person helping, five million pounds, and seeing people really suffer. The second one where I was putting people potentially in that position, however fully ethically, and I was meant to be there for my job. And the third where I was the victim, it shows that it can take many different shapes based on information. And information can come from social media.
And so if you're going on holiday to Mexico, say, for your honeymoon, you've saved up all of this money. Wonderful, have a lovely time. Yet someone you know or an acquaintance or you have public visibility of your arrangements. If someone knows that information and they know the bank you may work with, they could phone you whilst you land and say, "We've seen your card be used in this location." Now, how are you going to feel if someone's saying your card is being used and it's you? You're going to feel OK, cool, yeah, this is me, no problem. And they say, "OK, can you just confirm your identity? Because we want to make sure this is you. Can you just tell me your card number?" So you do, and then you're asked why you're there. "I'm on my honeymoon." "Have a lovely time." All of these social engineering, empathetic side of behaviors. And then you get down into the more conversational elements. "OK, can you just confirm your card isn't going to expire? When does it expire, please?" There's many different ways you can pose questions to make people feel acceptance. And then lastly, "Can you just check the security pin so I know which card I'm going to disable?"
And by that time what you've done is you've told someone you've got money in your bank because you've been saving for this wonderful occasion, and also you're not going to be in the country to do anything about it. And so from a cybersecurity perspective, exploitation can happen in many different ways, and I don't think it's publicized around the human elements enough.
And so if you take one thing from today, I ask that you see this as your opportunity to make sure that you protect your own information and your loved ones and your identity online. There's no problem with using social media. All I ask is you consider who you're sharing that information with. The reason being that information is valuable, even if it's not to you. It could build a picture, and it could cause you some trouble. Consider who you share your information with.
Thank you.
(Applause)