
The Justice Insiders – Human Beings: Cybersecurity's Most Fragile Attack Surface



Episode 21: Human Beings: Cybersecurity’s Most Fragile Attack Surface

Host Gregg N. Sofer welcomes Husch Blackwell’s Erik Dullea to the podcast to explore how human error factors into cybersecurity efforts. Most data breaches trace back to some form of human error, and an approach to cybersecurity that doesn’t address the ‘social attack surface’ is likely to be a failing—and expensive—proposition.

Gregg and Erik note the recent cyber incident involving the Securities and Exchange Commission, which occurred mere months after the agency imposed wide-reaching cybersecurity disclosure rules on the public companies it regulates. Aside from being a major embarrassment for the U.S. government, the incident highlights how difficult it is to account for the vulnerabilities in digital networks created by humans, and Gregg and Erik provide some practical considerations for risk professionals, in-house counsel, human resource professionals, and others in their efforts to improve cybersecurity outcomes.

Gregg N. Sofer Biography


Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, and regulatory compliance. Prior to entering private practice, Gregg served as the United States Attorney for the Western District of Texas—one of the largest and busiest United States Attorney’s Offices in the country—where he supervised more than 300 employees handling a diverse caseload, including matters involving complex white-collar crime, government contract fraud, national security, cyber-crimes, public corruption, money laundering, export violations, trade secrets, tax, large-scale drug and human trafficking, immigration, child exploitation and violent crime.

Erik Dullea Biography


Erik is a Denver-based partner at Husch Blackwell and heads up the firm’s cybersecurity practice. A retired U.S. Navy Captain, Erik focuses on compliance requirements related to cybersecurity and data privacy, including statutory, regulatory, and consensus-based standards, with an emphasis on critical infrastructure sectors such as aviation, energy, mining, and the Defense Industrial Base (DIB). He represents defense contractors and subcontractors; companies underpinning electrical, healthcare, transportation, and water systems; and other major organizations facing extortion threats from malicious foreign cyber actors. In 2022 and 2023, Erik bolstered his knowledge of cyber threats by returning to public service in a civilian capacity, working in the National Security Agency’s Office of General Counsel as the acting deputy chief of the cybersecurity practice group. 

Additional Resources

The Justice Insiders, Episode 17, “Incidents in the Material World: SEC Adopts New Cybersecurity Rules,” September 11, 2023.

Steven R. Barrett, Robert J. Joseph, Andrew Spector, Robert Fritsche and Brian Wetzstein. “SEC Heightens Issuers’ Cybersecurity Disclosure Requirements,” August 15, 2023.

Erik Dullea and Andrew Spector. “Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules,” August 2023. Part 1 | Part 2 | Part 3

U.S. Securities and Exchange Commission. “Statement on Unauthorized Access to the SEC’s @SECGov Account,” January 12, 2024.

Julia Shapero. “SEC, Gensler face bipartisan backlash over X account hack,” The Hill, January 18, 2024.

Transcript

This transcript has been auto-generated

Gregg Sofer: Ever wonder what is going on behind the scenes as the government investigates criminal cases? Are you interested in the strategies the government employs when bringing prosecutions? I'm your host, Gregg Sofer. Along with my colleagues in Husch Blackwell's White Collar, Internal Investigations and Compliance Team, we will bring to bear over 200 years of experience inside the government to provide you and your business thought-provoking and topical legal analysis as we discuss some of the country's most interesting criminal cases and issues related to compliance and internal investigations.

Gregg Sofer: Welcome to the latest edition of The Justice Insiders. I'm your host, Gregg Sofer, and lucky enough again to be joined by my colleague and partner here at Husch Blackwell, Erik Dullea, who is the leader of our cybersecurity practice group and a partner in our Denver office. You can find his bio and background in the show notes; we'll link to those in the show notes. Erik, thanks for joining us.

Erik Dullea: You bet. I'm glad to have moved into the repeat-offender status to join.

Gregg Sofer: We're happy to have you here. So you'll recall that the last time you were on, we had an episode, which I would recommend to our listeners, about the SEC's regulations, that they had put out a fairly significant, robust and strict requirement for prompt notifications for public companies regarding cyber attacks. And on the heels of that edict to the world, something happened to the SEC itself, in what I would describe as something that's highly embarrassing to the agency. Early this year, a hacker was able to hijack an SEC staffer's phone and apparently get access to the agency's X, formerly Twitter, account and posted a tweet regarding approval of Bitcoin exchange-traded products. And my understanding is it actually moved the market. So this was not some unknown, no-one-paid-attention-to problem. In other words, the SEC, although it may not have been their own mainframe computers, if you will, got hacked after having told everybody that you'll get in trouble if you don't tell us right away when you get hacked. So I wanted to talk a little bit about that, and the fact that, and today's episode really is about this, that these data breaches and hacks of companies, and it turns out the government, often have a human element. And so that's what I'm hoping to discuss with you today.

Erik Dullea: You bet. No, and I think it is a good example of it, because there is a lot of inward focus that we see from the regulators and from consultants and private industry on protecting the network, having defense in depth, making sure nobody gets in. And unfortunately for the SEC, they've moved from the "those that will" category to the "those that have" category when it comes to dealing with an incident that they didn't want to have, and a little bit of egg on their face. And in this case it's a question that criminals are innovative, and they are always looking for ways to penetrate a network and to get in through a form or a method that we didn't anticipate; otherwise we would have had a control in place.

Gregg Sofer: Yeah, so there's various different statistics about this, but at least one organization has reported that 82% of successful data breaches can be attributed to some sort of human error. And I think humans probably constitute a vulnerability in most organizations for a variety of different reasons, but the more sophisticated the hackers are, the easier it is to manipulate human beings, and we'll get into some of the ways that that's going on these days. But the bottom line is, it is very interesting that all this money gets spent on sophisticated programs and software and ways of hardening your system, hardware even, but if your human beings aren't properly trained and properly looking out for trouble, you might as well not waste your money on the rest of it, right?

Erik Dullea: Yeah, I think that's a good way to think about it, and I'd echo those statistics as far as anywhere between three quarters up to 80-plus percent involving a human being involved in the exploitation. And once they're in, generally what we see are the more common types of threats that are exploited are credential theft, which is going to give that criminal the keys to unlock all the doors so that they aren't having to break in; they're just strolling in. And if it's beyond that, it's also phishing attacks, or, ironically, even though it gets a lot of the attention, especially for recent cyber events, vulnerabilities and exploitations of those, because those generally take a bit more technical sophistication by the threat actor in order to take advantage of. Once they become a bit more common, then those are moved to the ransomware-as-a-service or malware-as-a-service market, where they will sell or lease that code to a less sophisticated criminal for them to put to use for a couple hours to see what they can gain as far as quick exploitations, and then they move on to the next target.

Gregg Sofer: Yeah, and we can start with the credential hacks or the credential acquisitions, because I think what happened at the SEC here sort of falls into that category, right?

Erik Dullea: Yeah, my understanding for it is, you know, it was a SIM card swap, or a subscriber identity module swap, of the employee's phone, but that was done through, you know, by an email account being compromised that allowed the criminal to then get over to the wireless carrier to ask for the swap. And that puts the criminal into the shoes where they are able to bypass or see the multifactor authentication, which we generally see as being the be-all and end-all and best, most common additional security control that's being used nowadays. And with that, they're able to simulate the employee and step in as if they were the authorized user.

Gregg Sofer: And I think something our listeners should know also, and this is something that I regularly saw when I was in the government and still see, is that once your credentials or information has been stolen, not only do the hackers often do everything they can to exploit it, but as you point out, they then sell it and make it available on the dark web for anybody else to try to either do what they're doing or do something new. And it's amazing, the community out there of people who are engaged in the regular course of business of trying to steal people's money and information.

Erik Dullea: Yeah, you're absolutely right. It is becoming a mature economic model, or industry, of criminal activity.

Gregg Sofer: So let's talk a little bit about this business email compromise concept and what the threat picture looks like. What should companies and individuals be looking for, and how might you train your folks to make sure that that vulnerability is controlled, again, the human aspect of this?

Erik Dullea: I think probably the most important tool for organizations to use would be, rather than focusing exclusively on training, which we think of as sort of a once-a-year "make everybody watch a video," and we're taking time away from the revenue of the company because we're losing, you know, workforce hours, to focus on awareness, and to have the infosec teams, the CIOs, HR, all of the folks that are interacting with the workforce trying to find periodic ways to just keep the threats of fraud, whether it comes through the telephone, whether it comes through the email, whether it comes through a video screen, top of mind for the workforce. So posters in the elevator, signs by the coffee machines, ways that folks are going to be able to see it and just remember to be on the lookout for suspicious activity.

Gregg Sofer: You know, and here at our firm, I had this in the government also, one way to do that is to sort of, I don't want to say scare people, but there's nothing that reminds me more of the threat than when I get caught by our internal testing process. And it did happen to me once. I was telling you before we started recording today that I thought you'd never catch me in a phishing attempt. Paranoid, I, for 30 years, spent looking at the worst of human beings. I'm very careful about my internet practice, but I got caught by our firm's own internal sort of testing process because I was in a hurry one day, and, you know, I'm aware of it, but I wasn't disciplined enough to be thinking about it at that moment, and I clicked on a link that I shouldn't have clicked on. And right then and there, you know, you can expose your entire enterprise to the kind of trouble that the SEC had.

Erik Dullea: You're absolutely right, and it's a good example in the sense that you can have a fabulous winning streak going until the misstep, and it only takes one. And that's true across the workforce. We see with the phishing testing metrics, they are a very good tool, and I'm not trying to disparage or downplay the value of them, but oftentimes companies and regulators will think about it from a check-the-block compliance mindset: are you doing it? And if you are, okay, great. But if you really wanted to be innovative, sometimes the people setting up those testing tools can be a little too sneaky, or they get blowback. It used to be a popular one that I would talk about using out here in Colorado to say, on a Friday afternoon, you send the email out saying that I've got Broncos tickets for Sunday. You know, right now that may not be as popular or as hot of a topic as it would have been in years gone by, but for somebody that's in the Kansas City office, then yeah, if you've got, make that email advertisement out there, you will see people, because it's first come, first served, they're going to jump on it. The other aspect on recognizing those phishing emails is, for a mobile workforce, do they come across and do they look the same on your phone as they do on your desktop monitor? Sometimes that can be another way that people bite on it. And are the controls in place for an iOS, you know, piece of hardware as opposed to a Windows platform, and do they come across and do you recognize them the same way? That's where I tend to see that I'm falling victim to it, is when I'm looking on my phone; I tend to not have the same level of skepticism as I do when I'm sitting at my desk.

Gregg Sofer: Yeah, the other thing I think that is concerning, and particularly in the more sophisticated, larger hacks and breaches, is once in, the hackers and the bad guys don't necessarily do anything for a while, right? They're sitting there off and watching.

Erik Dullea: That's correct. You could think about it either as reconnaissance or pattern-of-life monitoring, to put it in DOD terminology, but looking to see how the organization behaves, who is involved in what types of transactions or projects. Meanwhile, the threat actor is looking to map out the network, find out where important information is, what are typically referred to as the crown jewels, and then figure out which communications threads they might be able to intercept and then use to exploit. What typically happens once those actions begin is rules will be added to employees' inboxes to try and redirect or delete and obfuscate alerts or other tips that the employees would receive. And then I've seen one example for a company where, over the course of four months, there was back and forth between the threat actor and a procurement official, and they built up the aspect of the conversations and the discussions, seeded the ground with an aspect of "we're probably going to be changing banks in a month or two," and then a month or two later, "hey, here's the new wiring instructions," and then a month after that, "hey, we haven't seen this invoice; can you help get it taken care of for us?" And once that money goes out the door and the criminal activity is discovered, the organization says, okay, let's look at our insurance policies. The cyber insurance policy that they had may have been phenomenal; they may have $5 million of coverage. But the problem is there was no damage to the network or activity that was defined as a cyber attack. The BEC, or that business email compromise activity, generally falls under typical fraud, and in that case their criminal liability coverage was only $10,000. So you have a mismatch between what's the value of the harm that can occur, and through what method, and the levels of protection that the company has bought for itself.

Gregg Sofer: Yeah, and that sort of goes to another level of diligence, which is you almost, these days, have to assume for some of these kinds of movements of money or movements of information that somebody else from the outside is watching. In other words, they could have gotten in through a lower-level staffer, like what happened to the SEC; they're going to quickly turn their attention to the actions of the people who actually are moving money or information or whatever else it is, watch them, wait for that moment that you're describing. But those folks have got to be diligent about the conduct of their business as if somebody is watching, particularly for these last-minute changes to the movement of, whether it be data, information, or cash. That's where the rubber often meets the road here, right?

Erik Dullea: Yes. If you are dealing with scenarios where there are time-sensitive financial transactions, so whether it's M&A activity, whether it's closing on real estate and other large events, everybody feels under the gun. And you know, if it's anything like, you know, when I've purchased homes or sold homes in the past, there's a flurry of activity right around the closing date, and people are looking to get the job done, so they're looking to be team players. But that's an opportunity that is ripe for a criminal to step in and abscond with the money.

Gregg Sofer: So what kind of advice do you give to organizations and individuals to deal with that part of it? In other words, it's not just you're looking for the phishing, but you're also protecting your own activities and the movement of money during these high-pressure times, or times when somebody would take advantage of it at the last minute.

Erik Dullea: I think some of the practice activities that senior leaders have to endure, and hopefully they do endure it, I mean, they should look at this as a way to assist with their risk management processes and controls, would be to schedule tabletop exercises where you get the senior leader group in, and the general counsel or the CIO or the CTO have come up with a scenario. And I've run these exercises in some cases with clients where, I mean, you can game it out to a certain extent. You buy them lunch so everybody's at least getting food while you make them suffer for 90 minutes or two hours, and, you know, pick a card, any card, and out of that deck there will be a typical ransom scenario, which a lot of companies are familiar with now. But another one can be a business email compromise event, or, I think where we'll probably see activities shift to in 2024-25 is, for larger companies where they have the risk of moving the market, an AI deepfake on video. You imagine if you have a Fortune 100 company and suddenly onto social media there is a fake video of the CEO talking about the company headed toward Chapter 11, utterly fake and not affecting that company's networks or its data, but how would you get your communications team in place to deal with this, and what would they do in response to try and remediate the problem? So those exercises are not intended to give you a perfect answer to a given situation, but it's to allow the organization to get used to having to communicate across stakeholder lines and across business units, so that when the real event happens, that will be a completely different fact pattern from what is practiced, they're used to getting the process going and talking.

Gregg Sofer: And, you know, the deepfake issue I think is particularly challenging, because let's take the business email compromise situation. I know, for instance, law firms and real estate brokers and title companies have all moved towards a system where, for instance, you get on the telephone and confirm a wire transfer before anything leaves, because so many of those transactions were targeted by scammers and hackers who were getting in between those transactions and having the last-minute, again, change to their own accounts. But if the telephone call you make can go to somebody, or you get a telephone call from someone whose voice has been deepfaked, or even get on a Zoom and you're staring at the CEO who's pounding on the table saying you need to get this check out the door or transfer this money, wire this money tomorrow, or our company's in trouble, you know, this is going to make things much more difficult, right?

Erik Dullea: Right. No, I think you're correct, and that's one of those aspects where brainstorming about it in a tabletop can allow a company to think about what processes or controls would they want to put in place before they're dealing with the time-sensitive project. So if they get to an aspect of, and I like your approach and the recommendations on, if you get the email about a financial transaction, switch over to a different communication platform and call. The reminder, or the nuance piece of it, as the criminals get more sophisticated, is don't call the phone number that's in that same email, because that's the one that the criminal put in there, that they're going to pick up and answer. You know, jump onto the web, find the main office and number for the company that you're involved with, and drill down to get to the person through an independent means, so that can help to reduce the risk there. Another protocol or thought to consider, and again, this will be company-specific and risk-tolerance-specific for each organization, is if you've got financial transactions that hit certain thresholds, how many approvals do you need to have in the process to make it happen? You know, for some companies a $1,000 wire transfer might be a rounding error, and that may not require three or four people to stop what they're doing to approve it, but for a small business it could be significant. And on the flip side, if you've got a $100,000 or $250,000 transaction, maybe that needs three signatures and involvements, and the CFO's always got to be involved with his digital signature on the email. You know, companies can game that out and figure out what's going to work for them, but it's far better to run that scenario in advance rather than after the fact.

Gregg Sofer: Yeah, you know, this idea, again, we're talking about vulnerability through human beings and how do you change human beings' behavior. To me, I think one of the things that's deficient in a lot of the training is to tell people you need to do this, this, this and this, but not give them the background of how the bad actors have succeeded in the past and how people have been actually scammed and tricked, and how they're able, that is, the bad actors, to circumnavigate the various protections that are put in place. Because I think unless you can almost see it from the other side, it's not real, and it makes you think that, you know, here I am, like you said, I've got to take this class, I've got to check this box. But you don't realize that even a relatively low-level, or, you know, certainly not someone sitting in the C-suite, can do something which drastically affects the company's bottom line, could actually be a bet-the-company disaster. And if you give real-world scenarios, like the deepfake, like what happened here with the SEC, it brings it home a lot more. And a lot of the trainings I see don't do that; they speak about the what you should do, not why you should do it or how other people have been able to defeat it.

Erik Dullea: And building on that point, companies that do try to tailor their training and their awareness programs to tangible examples, not only does it resonate with the employees, I have had conversations with regulators as we have been discussing a data breach disclosure for that company, and we have walked through how the intruder got in, how we discovered it, what we did in response, and then what we did afterwards. You know, I was pleased to have clients that have been able to say, we took this scenario from June of 2023 and put it into our October 2023 new fiscal year training schedule. And for some of the regulators for that industry sector, they're amazed. I think that's fabulous. I grew up in the military aviation community. We were always talking about accidents and mishaps that had happened recently, what the root causes were, and what we could do to prevent them. That has, for the aviation industry, been a bedrock of how to develop a safety culture, and I think it works well for developing a security culture as well.

Gregg Sofer: Great point. How about the other human problem, which is an insider who's actually decided, so you can have all the training in the world, but if you have someone in your organization who's got a malign sort of mindset here, how much of a factor is that, and what kind of thoughts have you about dealing with that problem?

Erik Dullea: Insider threats continue to be a significant problem, or a risk, that companies need to think about and manage, in part because there are a variety of types of insider threats that you need to account for. You have the malicious insider, which is a disgruntled employee that has a bone to pick with the organization, or they're getting ready to leave and they're going to go somewhere else and they want to take advantage of things for competitive reasons. You're going to have the negligent insider that literally just didn't pay attention to the training, doesn't believe in any of this stuff, has no idea why these things are a concern, is disengaged from work and is just careless. And then you can have compromised users. And under the compromised user, I would encourage organizations to think about that as one of your employees that you have a duty of care to help and protect. They may be compromised because they're under financial stress; they may be exploited or leveraged, you know, without even knowing it. Perhaps they had an innocent mistake of using the same passwords on three different accounts, one of which is personal. That's the one that gets compromised, but the attacker then looks at their social media accounts and then says, let me try the same username and password for the work account, and they get in that way. So trying to protect, or encourage people to take those steps, can go a long way toward addressing the problem. There are technological steps, such as user behavior analytics, that can be done to figure out, and this sounds conspiratorial or, you know, cloak-and-dagger, but the steps do work, as far as figuring out when are people logging in: are they doing it during normal business hours, or do we have a couple of employees that are always logging in at 10 o'clock at night and downloading a lot of material? Those can be some of the cues. Updating privilege and access rights based on a person's job responsibility, and think about it both ways, promotions and demotions: as a person moves up the corporate ladder and gets into bigger roles, they may not need that admin access right that they used to have, and you can take and reduce your attack surface with some of those administrative and procedural steps.

Gregg Sofer: I mean, from my perspective, I look at it sort of the same way that companies should be dealing with whistleblowers, is if you know your workforce, if you are providing them with the right sort of cultural opportunities to let you know when there's a problem. This notion of signs, and if you go around government buildings, all the signs talk about insider threats. You know, it's the rest of the workforce that's going to tell you that Jim's a problem, he's disgruntled, and I saw him in the office last night, or he was green at 2:00 in the morning when I couldn't sleep and checked my emails. That culture of reporting things, and having an open way of communicating with your, even your disgruntled, employees so that they have an opportunity to talk to you, I think is extremely important in this context as well.

Erik Dullea: No, you know, you're absolutely right, and coordination between the IT department, the HR departments, to try and have those protective measures in place so that people know that they can get help and support if they need it, but also that the workforce as a whole understands that this is not intended to be Big Brother looking over the shoulder, but there is a benefit, or a protection of the organization, protection of their employment, because you wouldn't want to have a bet-the-company or kill-the-company event as a result of someone else absconding with corporate data.

Gregg Sofer: Well, Erik, thank you very much. As usual, your insight's valuable, very helpful, and we appreciate you coming on the show. And again, for folks who want to look at your bio, we'll have it in the show notes.

Erik Dullea: Happy to do it. Thanks.

Gregg Sofer: Great. Thanks for joining us on The Justice Insiders. We hope you enjoyed this episode. Please go to Apple Podcasts or wherever you listen to podcasts to subscribe, rate and review The Justice Insiders. I'm your host, Gregg Sofer, and until next time, be
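Two of the signals discussed in the episode, off-hours logins followed by heavy downloads (the user behavior analytics cue) and inbox rules added to hide or divert finance-related mail (the BEC pattern), can be turned into simple detection logic. The Python below is an added example for this page, not code from the podcast, its guests or Husch Blackwell. The audit-event format, field names, corporate domain, business-hours window and byte thresholds are all assumed for illustration, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events (illustrative only). The field names and the
# event format are assumed here; they are not any real product's log schema.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "action": "login"},
    {"ts": "2024-03-04T09:40:00", "user": "alice", "action": "download", "bytes": 12_000_000},
    {"ts": "2024-03-04T22:05:00", "user": "bob", "action": "login"},
    {"ts": "2024-03-04T22:20:00", "user": "bob", "action": "download", "bytes": 900_000_000},
    {"ts": "2024-03-05T22:10:00", "user": "bob", "action": "login"},
    {"ts": "2024-03-05T22:45:00", "user": "bob", "action": "download", "bytes": 750_000_000},
    {"ts": "2024-03-05T10:02:00", "user": "carol", "action": "inbox_rule_created",
     "rule": {"name": ".", "match": ["invoice", "wire"],
              "forward_to": "c.ap@example-mail.net", "delete": True}},
    {"ts": "2024-03-05T11:15:00", "user": "alice", "action": "inbox_rule_created",
     "rule": {"name": "newsletters", "match": ["digest"],
              "forward_to": None, "delete": False}},
]

CORP_DOMAIN = "example.com"      # assumed corporate mail domain
BUSINESS_HOURS = (7, 19)         # assumed normal login window (local time, 24h clock)
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "remit"}


def is_off_hours(ts: str) -> bool:
    """True when the ISO-8601 timestamp falls outside the assumed business-hours window."""
    hour = datetime.fromisoformat(ts).hour
    start, end = BUSINESS_HOURS
    return not (start <= hour < end)


def off_hours_exfil_candidates(events, min_logins=2, min_bytes=500_000_000):
    """Users with repeated off-hours logins and a large off-hours download volume.

    Returns one dict per flagged user: {"user", "off_hours_logins", "off_hours_bytes"}.
    """
    stats = defaultdict(lambda: {"logins": 0, "bytes": 0})
    for e in events:
        if not is_off_hours(e["ts"]):
            continue
        if e["action"] == "login":
            stats[e["user"]]["logins"] += 1
        elif e["action"] == "download":
            stats[e["user"]]["bytes"] += e.get("bytes", 0)
    return [
        {"user": u, "off_hours_logins": s["logins"], "off_hours_bytes": s["bytes"]}
        for u, s in sorted(stats.items())
        if s["logins"] >= min_logins and s["bytes"] >= min_bytes
    ]


def suspicious_inbox_rules(events):
    """Inbox rules that forward mail off-domain, delete finance-related mail,
    or hide behind an empty or punctuation-only name (all common BEC tradecraft)."""
    findings = []
    for e in events:
        if e["action"] != "inbox_rule_created":
            continue
        rule = e["rule"]
        reasons = []
        forward_to = rule.get("forward_to")
        if forward_to and not forward_to.lower().endswith("@" + CORP_DOMAIN):
            reasons.append("forwards to external address")
        matched = {m.lower() for m in rule.get("match", [])}
        if rule.get("delete") and matched & FINANCE_TERMS:
            reasons.append("deletes finance-related mail")
        if not rule.get("name", "").strip(" ._-"):
            reasons.append("empty or punctuation-only rule name")
        if reasons:
            findings.append({"user": e["user"], "rule": rule.get("name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in off_hours_exfil_candidates(EVENTS):
        print("off-hours download activity:", f)
    for f in suspicious_inbox_rules(EVENTS):
        print("suspicious inbox rule:", f)
```

On the constructed events, only bob trips the off-hours check (two late-night logins and about 1.65 GB downloaded outside the window) and only carol's rule is flagged, for all three reasons. In practice the thresholds would be set per role, the business-hours window per time zone, and the rule check fed from the mail platform's audit log; the point of the example is that both cues the episode mentions reduce to a few lines of logic once the audit events are available.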


