Audience 1st Podcast: CISO Approaches to Human Attack Surface Protection Amidst Budget Cuts

44 Minutes of Cybersecurity Insights

Picnic CEO Matt Polak joined Jeff Farinich, CISO of New American Funding, on an Audience 1st podcast hosted by Dani Woolf. As cyber threats proliferate, one pressing challenge is the human attack surface: the point of interaction where end-users, such as employees or clients, can be targeted by malicious cyber actors. The human element, as much as any technology, is the root cause of most compromises.

Watch the podcast for brutally honest insights from Matt and Jeff.

Notes by the host

Exposed PII about each of us out there becomes the fuel for the threat actor to be able to gain initial access.

The human factor is an area that we definitely need to focus on more because it is being targeted much harder than in the past.

Impersonation appears to be a big problem, especially when the communication channel never touches your controls.

Also, a bigger problem than your employees is educating the consumers. A lot of times they are not familiar with security measures: their home computers are compromised, and they click on a lot of things.

The root cause of the problem is open-source intelligence about your humans.

Even though blocking emails and suspicious domains is also an element of the solution, we’re an easy target if we don’t go back to find the root cause.

Here are some key insights from their latest episode of Audience 1st Podcast:

How do you secure the human layer in a challenging environment?
  • Regulation of personally identifiable information (PII) is paramount.
  • Operational integrity is another significant aspect. It aims to minimize downtime, which can create openings for cyberattacks.
  • Keeping stringent controls on common attack conduits such as email, thumb drives, and web access is part of this integrity.
  • Employing strong web filtering and data loss prevention (DLP) tactics is crucial to prevent personal information from being siphoned off.
  • Implementing robust authentication measures is another critical step.
  • However, it’s essential to understand that multi-factor authentication (MFA), contrary to popular opinion, has its flaws.
  • Preventing the use of corporate credentials on non-corporate websites is another measure that contributes to securing the human layer.
  • Jeff highlights the potential value of having more visibility into an employee’s social profile beyond just LinkedIn.
  • Dark web monitoring is crucial to understanding potential exposure from credential breaches. However, Jeff also cautions that false positives are common.
  • Matt highlights the stark difference in the volume of exposed breaches between work and personal identities.
  • He notes that the likelihood of a breach associated with a personal identity is approximately 9x higher than with a work one.
  • This means that threat actors have access to a far larger pool of data when they consider an individual’s entire digital identity, not just the work one.
  • Jeff mentions that Identity Threat Detection Response (ITDR) is a significant area of focus for his work.

Such critical insights unraveled in less than 44 minutes.
