AI scambaiters against scammers are a painkiller but are not the antidote

There is a campaign that is catching a lot of eyeballs right now as I write this blog. It’s a neat use of technology and a marketing masterstroke. If you missed it, “Daisy” is an AI-grandma scambaiter created by O2 (Telefónica UK) to fight back on behalf of consumers. You can read about it here: https://www.vccp.com/work/o2/ai-granny-scambaiter

Come to the dark side and join me in a thought experiment.

Meet “Daisy’s” alter-ego… The bad Daisy… I call her “Ivy”.

What does Ivy do?

Ivy devours exposed personally identifiable information (PII) from all over the web: birthdays, home addresses, mobile numbers, family members’ names, passwords, work histories, arrest records, etc.

Why does she do this?

Ivy’s criminal puppet masters are business people, just like you and me, with limited resources. So the very first thing that Ivy does is use this enormous data lake to prioritize her victims. After all, there are a lot of choices!

Ivy uses a simple point system to rank her targets: 2 points for a personal email, 1 point for a phone number, -3 points if the person is a lawyer because lawyers are notoriously difficult, and so on…

At the end, Ivy has a curated list of victims.

What’s next?

What we have all experienced as consumers: your phone pings with the badly written phishing email, the scammy text message, or the sketchy phone call.

If you are a big enough target, these attacks will be harder and harder to spot, leveraging deepfakes, impersonation, phone spoofing, email spoofing, domain spoofing, and more social engineering techniques.

Unfortunately, if you are a high-value target in a company, which could mean a wide range of things depending on your industry, your risk of a more sophisticated attack is exponentially higher than the average consumer (because the payoff is higher — remember, cyber criminals are business people too).

The bad news is that Ivy doesn’t just use her “attack machine” to prioritize her victims; she also uses it to execute the attacks. Just as Daisy uses AI sleight-of-hand to trick fraudsters, Ivy uses the same sleight-of-hand against her victims, and that is playing out at scale in nursing homes, living rooms, boardrooms, cube farms, and factory floors worldwide.

Ivy attacks — it’s her job.

So what?

Whether you are my 80-year-old aunt or a CEO, a journalist, a frontline worker, a government official, a software engineer, an accounts payable person, or any other type of high-value target, the realization I hope you are coming to is that the root of the problem is the same: it is your exposed personal data.

If you are a CISO or security professional charged with protecting your organization and its key employees, I encourage you to think long and hard about this fact. The stakes are high (and increasing) for our profession — there is no time like the present to introduce a proactive solution that supports your overall security posture.

Ultimately, Daisy and tools like it are reactive to an attack. Picnic is proactive and removes the conditions necessary for an attack to take place. Reactive remedies are made better by proactive powers.

Written by Matt Polak, CEO of Picnic

About Picnic

Picnic’s Privacy as a Managed Service for the Enterprise protects the executives, employees, and contractors whom threat actors consider high-value targets of social engineering attacks. Picnic uses its proprietary technology to identify and analyze human risk and to deliver prioritized remediations proactively and continuously, without any effort on the part of the customer.