Minimizing Security Risks through Effective Cyber Asset and Exposure Management

The purpose of this research is to gain insight into how organizations manage their cyber assets and exposures across the global attack surface through continuous discovery, prioritization and timely remediation.  Ponemon Institute surveyed 617 IT and IT security practitioners in the United States who are involved in managing and addressing the attack surface across the IT footprint and are familiar with their organizations’ approach to measuring and addressing cybersecurity risk.

Discovering and tracking cyber assets involves using specialized tools to automatically find, catalog, and monitor all devices (on-prem, cloud, remote) in the IT environment, creating a real-time inventory to manage vulnerabilities, ensure compliance, and defend against threats, often using scanning, API integrations, and traffic analysis to map the complete digital footprint.

The primary systems used to discover and track cyber assets are cloud providers (49 percent of respondents) and Configuration Management Databases (CMDB) or IT Asset Management (ITAM) platforms (44 percent of respondents). A CMDB is a specialized database used to store information about an organization’s IT assets, their attributes and their relationships. An ITAM platform is used to manage an organization’s technology hardware and software throughout their lifecycle.

Not used as frequently are vulnerability scanners (28 percent of respondents). Vulnerability scanner tools automatically find security weaknesses in networks, applications and systems by comparing configurations/software against vulnerability databases.

Recommendations from the research to improve cyber asset and exposure management practices

Consolidating asset and sensitive-data information into a single view improves visibility into data that has been disclosed or left unprotected. Forty-five percent of respondents say their organization consolidates into a single view the asset and sensitive data that is disclosed or left unprotected and accessible to unauthorized individuals or systems.

A unified cybersecurity platform offers benefits like centralized visibility, faster threat detection and response, reduced complexity, lower costs, and simplified compliance by integrating diverse security tools into a single system, providing a holistic view, automating tasks, and streamlining management, leading to a better security posture and operational efficiency.

The inability to identify missing assets requiring security controls is a risk with potentially serious consequences.  Not identifying missing assets can cause financial loss, legal penalties, operational disruption, and data breaches. Unidentified assets can be stolen, misused or lost, leading to compliance failures and reputational damage. Proactive tracking, robust documentation, and strict protocols are crucial to prevent these consequences. Less than half of respondents (46 percent) identify assets that are missing and require security controls.

More frequent updates of asset inventories and discovery of inconsistencies are needed to minimize security risks. Only 30 percent of respondents say asset inventories or CMDBs are updated or reconciled daily (13 percent) or monthly (17 percent), and 37 percent say inconsistencies in asset and sensitive data exposed through duplicate records or conflicting names and values are found daily (17 percent) or monthly (20 percent). Because inventories are not regularly updated and inconsistencies go unfound, less than half of respondents (48 percent) are very or highly confident that their organization has a comprehensive, up-to-date list of all its hardware, software and data assets.
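The reconciliation the two findings above call for can be shown in code. The following Python script is an added illustration, not code from the Ponemon research or from Axonius: it compares a constructed cloud-provider export against a constructed CMDB export, normalizes hostnames so records for the same machine line up, reports duplicate and conflicting records of the kind respondents describe, and lists assets that appear in only one source or that lack a required security control (here, an endpoint agent) or an owner. The field names, the DNS suffix and every record are assumptions made for the example.

```python
"""Reconcile a cloud-provider asset export against a CMDB export.

Added example for this summary; it is not code from the Ponemon/Axonius
research. The two exports, the field names and the DNS suffix are
constructed assumptions, not any vendor's schema.
"""

# Constructed sample: what a cloud provider's inventory API might return.
CLOUD_EXPORT = [
    {"hostname": "WEB-01.corp.example", "ip": "10.0.1.10", "owner": "web-team", "edr_installed": True},
    {"hostname": "web-02.corp.example", "ip": "10.0.1.11", "owner": "web-team", "edr_installed": False},
    {"hostname": "db-01.corp.example", "ip": "10.0.2.5", "owner": "data-team", "edr_installed": True},
    {"hostname": "batch-07.corp.example", "ip": "10.0.3.77", "owner": "", "edr_installed": False},
]

# Constructed sample: the same estate as recorded in the CMDB, with the
# duplicate, conflicting and stale records the survey respondents describe.
CMDB_EXPORT = [
    {"hostname": "web-01.corp.example", "ip": "10.0.1.10", "owner": "web-team"},
    {"hostname": "web-01", "ip": "10.0.1.10", "owner": "platform"},  # duplicate record, different owner
    {"hostname": "db-01.corp.example", "ip": "10.0.2.6", "owner": "data-team"},  # conflicting IP
    {"hostname": "legacy-01.corp.example", "ip": "10.0.9.1", "owner": "unknown"},  # no live counterpart
]

DOMAIN_SUFFIX = ".corp.example"  # assumed internal DNS suffix


def normalize_hostname(name: str) -> str:
    """Case-fold and strip the internal suffix so 'WEB-01.corp.example' and 'web-01' match."""
    name = name.strip().lower()
    if name.endswith(DOMAIN_SUFFIX):
        name = name[: -len(DOMAIN_SUFFIX)]
    return name


def index_by_host(records: list[dict]) -> dict[str, list[dict]]:
    """Group records by normalized hostname; a key with several records is a duplicate."""
    index: dict[str, list[dict]] = {}
    for rec in records:
        index.setdefault(normalize_hostname(rec["hostname"]), []).append(rec)
    return index


def reconcile(cloud: list[dict], cmdb: list[dict]) -> dict[str, list]:
    """Compare the two sources and return the inconsistencies and gaps found.

    duplicates         - hostnames with more than one CMDB record
    conflicts          - (host, field, cloud_value, cmdb_value) where the sources disagree
    missing_from_cmdb  - live cloud assets the CMDB does not know about
    missing_from_cloud - CMDB records with no live counterpart (stale or wrongly scoped)
    uncontrolled       - live assets lacking a required control (EDR agent) or an owner
    """
    cloud_idx = index_by_host(cloud)
    cmdb_idx = index_by_host(cmdb)
    findings: dict[str, list] = {
        "duplicates": [], "conflicts": [], "missing_from_cmdb": [],
        "missing_from_cloud": [], "uncontrolled": [],
    }

    findings["duplicates"] = [host for host, recs in cmdb_idx.items() if len(recs) > 1]

    for host, recs in cloud_idx.items():
        if host not in cmdb_idx:
            findings["missing_from_cmdb"].append(host)
        else:
            for live in recs:
                for stored in cmdb_idx[host]:
                    for field in ("ip", "owner"):
                        if live.get(field) != stored.get(field):
                            findings["conflicts"].append((host, field, live.get(field), stored.get(field)))
        # A security-control gap is judged on the live record, whatever the CMDB says.
        if any(not live.get("edr_installed") or not live.get("owner") for live in recs):
            findings["uncontrolled"].append(host)

    findings["missing_from_cloud"] = [host for host in cmdb_idx if host not in cloud_idx]
    return findings


if __name__ == "__main__":
    for category, items in reconcile(CLOUD_EXPORT, CMDB_EXPORT).items():
        print(f"{category}: {items}")
```

Run on the sample data, the script reports web-01 as a duplicate CMDB entry with two different owners, a conflicting IP for db-01, two live hosts (web-02, batch-07) the CMDB has never seen, one CMDB record (legacy-01) with no live counterpart, and two live hosts with no endpoint agent or no owner. Each of those lists is an action item; running the comparison daily, rather than monthly, is what keeps the gap between the two sources small.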

The lack of effectiveness in prioritizing risks makes remediation of security exposures or data misconfigurations difficult. Respondents were asked to identify the single biggest challenge in remediating security exposures or data misconfigurations. Twenty-six percent of respondents say risk prioritization is unclear and 24 percent say there is no clear ownership of the issue.

Contextual data in risk prioritization enriches basic threat severity scores (like CVSS) with an organization’s unique environment, business impact, and threat intelligence to focus on the most critical risks. It provides actionable insights by layering details like asset criticality (e.g., PII data), network exposure (internal/external), and exploitability to identify the most urgent vulnerabilities for remediation. This approach prevents security teams from being overwhelmed by data by applying business logic to identify high-impact threats, ensuring resources are spent effectively on what matters most to the business. Only 23 percent of respondents say contextual data is always used and 26 percent of respondents say it is used frequently.

Continuous Threat Exposure Management (CTEM) is a proactive cybersecurity approach that combines vulnerability management, attack surface management and validation to identify, prioritize and fix security risks. Respondents were asked to rate the alignment between the CTEM framework and their asset and exposure management practices on a scale from 1 = not aligned to 10 = completely aligned. Fifty-two percent of respondents say their practices are very or completely aligned with CTEM (7+ on the 10-point scale).

One of the greatest constraints to SecOps’ ability to manage cyber assets and security exposures is complexity in the IT infrastructure. Sixty percent of respondents say reducing investments in security tools and the complexity of their organizations’ IT security infrastructure is very or highly important.

Only 28 percent of respondents say their organization has a formal SLA for all highly critical or critical vulnerabilities and 27 percent of respondents say there are no formal remediation timelines or SLAs. Vulnerability Remediation SLAs (Service Level Agreements) are defined timelines for fixing security flaws. These agreements set expectations, prioritize efforts, and improve collaboration between security and IT teams to reduce risk efficiently.
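The contextual prioritization described earlier and the remediation SLAs described here fit together in one workflow, shown below as an added Python example (not code from the Ponemon research or from Axonius). It takes constructed findings, scales each CVSS base score by asset criticality, network exposure and known exploitation, maps the result to a priority tier, attaches an SLA due date from a tier-to-days table, and flags findings with no owner. The multipliers, tier thresholds, SLA table and sample findings are all assumptions chosen for illustration, not an industry standard.

```python
"""Contextual risk prioritization with remediation SLA due dates.

Added example for this summary; it is not code from the Ponemon/Axonius
research. The weights, tier thresholds, SLA table and sample findings are
constructed assumptions chosen to illustrate the approach, not a standard.
"""
from datetime import date, timedelta

# Assumed SLA table: days allowed to remediate, by priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Assumed context multipliers layered on top of the CVSS base score.
CRITICALITY = {"pii": 3.0, "business": 2.0, "standard": 1.0}
EXPOSURE = {"external": 2.0, "internal": 1.0, "isolated": 0.5}
EXPLOITED_MULTIPLIER = 1.5  # known exploitation in the wild

# Constructed findings: note the two identical CVSS scores on very different assets.
FINDINGS = [
    {"id": "F-1", "asset": "web-02", "cvss": 9.8, "criticality": "pii",
     "exposure": "external", "exploited": True, "owner": "web-team"},
    {"id": "F-2", "asset": "db-01", "cvss": 9.8, "criticality": "pii",
     "exposure": "isolated", "exploited": False, "owner": "data-team"},
    {"id": "F-3", "asset": "kiosk-03", "cvss": 5.3, "criticality": "standard",
     "exposure": "internal", "exploited": False, "owner": ""},
    {"id": "F-4", "asset": "api-01", "cvss": 7.5, "criticality": "business",
     "exposure": "external", "exploited": True, "owner": "api-team"},
]


def contextual_score(finding: dict) -> float:
    """CVSS base score scaled by asset criticality, network exposure and exploitation."""
    score = finding["cvss"] * CRITICALITY[finding["criticality"]] * EXPOSURE[finding["exposure"]]
    if finding["exploited"]:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 1)


def tier(score: float) -> str:
    """Map a contextual score to a priority tier (thresholds are assumptions)."""
    if score >= 40:
        return "P1"
    if score >= 12:
        return "P2"
    if score >= 6:
        return "P3"
    return "P4"


def prioritize(findings: list[dict], opened_iso: str = "2025-01-06") -> list[dict]:
    """Score, tier and assign an SLA due date to each finding; highest score first."""
    opened = date.fromisoformat(opened_iso)
    rows = []
    for f in findings:
        s = contextual_score(f)
        t = tier(s)
        rows.append({
            "id": f["id"], "asset": f["asset"], "cvss": f["cvss"], "score": s, "tier": t,
            "due": (opened + timedelta(days=SLA_DAYS[t])).isoformat(),
            "owner": f["owner"] or "UNASSIGNED",  # no owner means nobody is on the hook
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def sla_breaches(prioritized: list[dict], today_iso: str) -> list[str]:
    """IDs of findings whose due date has passed as of the given day."""
    today = date.fromisoformat(today_iso)
    return [r["id"] for r in prioritized if today > date.fromisoformat(r["due"])]


if __name__ == "__main__":
    ranked = prioritize(FINDINGS)
    for r in ranked:
        print(f'{r["id"]} {r["asset"]:9} cvss={r["cvss"]:<4} score={r["score"]:<5} '
              f'{r["tier"]} due {r["due"]} owner={r["owner"]}')
    print("breached as of 2025-01-20:", sla_breaches(ranked, "2025-01-20"))
```

The point the sample data makes is that the two CVSS 9.8 findings end up in different tiers: the one on an externally exposed, actively exploited PII system is P1 with a seven-day clock, while the same score on an isolated system drops to P2. The kiosk finding lands in P4 but carries no owner, which is the "no clear ownership" problem the survey reports; a report that lists UNASSIGNED items alongside SLA breaches surfaces both blockers in one place.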

Part 2. Key findings

In this section, a deeper dive into the research is presented. The complete findings are shown in the Appendix. The report is organized according to the following topics.

  • Discovering and tracking cybersecurity assets and exposures
  • Prioritization of security exposures is a challenge
  • Organizations’ approach to security exposure remediation practices
  • Cyber asset and exposure management practices

Discovering and tracking cybersecurity assets and exposures

Consolidating asset and sensitive-data information into a single view improves visibility into data that has been disclosed or left unprotected. Forty-five percent of respondents say their organization consolidates into a single view the asset and sensitive data that is disclosed or left unprotected and accessible to unauthorized individuals or systems.

A unified cybersecurity platform offers benefits like centralized visibility, faster threat detection and response, reduced complexity, lower costs, and simplified compliance by integrating diverse security tools into a single system, providing a holistic view, automating tasks, and streamlining management, leading to better security posture and operational efficiency.

Some 63 percent of these respondents say they have a unified platform that aggregates data from all sources. Fifty-eight percent of respondents use an internal script or a database/data lake that combines data from different tools.

To read the rest of these key findings and download the entire study, visit The Axonius website. 

What’s an amygdala hijack? And why is crafting a great cybersecurity tool?

Bob Sullivan

The most dangerous hack is a brain hack.  And criminals are getting very, very good at that.  Meanwhile, I fear, the rest of us have spent precious little time learning to defend against brain hacks.  Hopefully today’s piece will help a little. Today I’m going to discuss an important way to think about brain hacks — the amygdala hijack. And crucially, I speak with an expert who offers practical ways to calm your amygdala.  Who knew crafting could be a fraud-fighting, cybersecurity tool?

Our brains were designed thousands of years ago, in large part to help us run away from large predators.  Human brains haven’t really caught up to the digital age, and that fight or flight instinct is exploited by criminals constantly.  There’s a warrant out for your arrest; there’s child porn on your computer; wire $2 million or you will be fired…and so on.

The key for criminals is to knock us off our game, separate us from our rational selves and shove us into our reactive selves — then tell us the only way to avoid the dinosaur chasing us is to buy a bunch of gift cards or shove money into a crypto ATM. You can tell people not to do these things in a classroom or an email a zillion times — those consumers will nod their head and maybe even remember those words in the rational part of their brains.  But it won’t do a lick of good when criminals cook up just the right story at just the right time — grandma, I’m in jail! — and instinct takes over.

That’s an amygdala hijack, and it can happen to anyone.

Every time you hear the story of a terrible Internet crime and say “How could they fall for THAT? How could anyone in their right mind…”  you are feeding the problem.  You are an unwitting accomplice to these crimes.  All this quiet superiority keeps us in the situation we find ourselves in. The implicit “they should know better” keeps us from investing in training and tools that counteract these very human attacks.

It’s all part of the trap we are falling into right now; we’re playing into the hands of organized cybercrime, and it shows. Fraud is skyrocketing at extraordinary levels, by any measure.  Our grand tech tools are being used against us to feed crime gangs, foreign governments, and yes, terrorism.  These crimes pay for North Korean missiles, for heck’s sake. We are counting on the most vulnerable people in our population to form the front line in this war we’re losing. Worse yet, these foot soldiers are fighting criminals armed with billions of dollars of research and even more valuable tech tools, and they have to “win” 100% of the time.  We need a new strategy.

A big part of this will be understanding how brains work, and planning around that reality. To that end, I was thrilled to interview Austin Cusak recently. He’s an expert in behavioral science and a trainer at the FDIC.  I’ve seen him give talks on amygdala hijacking before, so I was eager to interview him about that. You can listen to our chat at The Perfect Scam podcast — and I hope you will — but if podcasts aren’t your thing, here’s a transcript of our chat.  This episode also includes an interview with a repeat romance scam victim, so we have an example to discuss.  My chat with Austin begins at about 32 minutes. Don’t miss his amygdala calming techniques at the end.


————-PARTIAL TRANSCRIPT——————

[00:32:07] Bob: We are in a different world, yes, but it’s a world we need to understand. We all have questions about how someone we know might become a victim of an ongoing long-term crime like this, how a person’s heart and mind can be well hijacked. And here to help us understand that much better is Austin Cusak. He’s Assistant Professor of Leadership Development at the FDIC. He’s an expert in behavioral science.

[00:32:35] Austin Cusak: A lot of us don’t realize that our brain right now is in the exact same configuration as it’s been for the last 35,000 years. And so our brain is very worried about snakes in tall grass, about sabretooth cats. It’s very worried about attacks from other tribes. So the brain is going to do whatever it can to be a good member of its tribe. So we are very tribal in that category. So the current configuration of our brain is not wired for social media, it is not wired for fraud from the inside. So that’s the first thing that happens to Anola, is the criminal is convincing her that they are part of her group, part of her tribe, a safe person first.

[00:33:29] Bob: Once on the inside, once a criminal gets a victim to feel like a member of the same team, the same tribe, then the criminal can get to work turning off the victim’s rational side.

[00:33:41] Austin Cusak: The easiest way to kind of explain why this is happening is, so Daniel Kahneman got a Nobel Prize for his work on why the brain does what it does, over 20 years of research, and he boils it down to these two types of thinking. And so I’m going to share this as just like a simplistic way for us to understand a lot of these complex things. You are either doing fast thinking, or you are doing slow thinking. Neither is bad, it’s just that your brain is going to receive input and when it’s receiving input, it’s going to say, okay, am I in danger? And if you are in danger, or perceive some type of danger, it goes right to the amygdala and it says, fast thinking, I’m going to use the emotional reactions that I know. I’m going to poke through really quick this limbic region which stores our memories. Do I associate this with something bad? Yes. I run or I fight. And then there’s the slow thinking which is what we want to have engaged which is, there’s no immediate threat. I can now take my time, go out to the prefrontal cortex, think about associations, what kind of long-term planning do I associate with this? What kind of risk assessment might there be with this? So the brain’s going to go one or two ways. And so the criminal’s goal is to prevent Anola at every stage from having this slow, rational logical thinking.

[00:35:15] Bob: So criminals want to talk past the thinking part of your brain and talk right to the instinctual part.

[00:35:22] Austin Cusak: Okay, so amygdala hacking by the way that Goleman described it, is this immediately overwhelming emotional response that our brain is perceiving as a threat that is going to trigger the fight or flight and bypass our brain’s logic mechanisms. So it is, in fact, fast thinking. It’s Kahneman’s fast thinking. That is the hijack. I personally in my experiences, I expand the amygdala hijack to not just that overwhelming emotional response, but also the hijack of the slow, insidious relationship-building, trust-building, love-bombing. It is any actions that the criminal is taking to force the victim into fast, emotional thinking all the time. It is, that is the hijack. The hijack is I only want information being received through my eyes, my ears, my skin. All that information straight to the amygdala, emotional responses. That’s the hijack. That’s why we can’t see the red flags, that’s why we ignore things. That’s why the brain says, something’s fishy, but it would be too painful for me to actually explore that road. Too painful. I’m going to avoid the pain; my emotions feel this. And part of the amygdala hijack is creating lots of cognitive dissonance, which for a criminal is a very good thing. The criminal wants to create cognitive dissonance where there are these two competing thoughts in the victim’s brain because then they can provide the answer. They can have the emotions tied to that. That’s the hijack.

[00:37:19] Bob: And when our brains are hijacked, criminals can really get down to the business of grooming and financial manipulation. It is so hard after the fact to talk about some of these stories, to compress 18-months of manipulation into a few minutes of a podcast. Even the language we’re using is rational, and we’re talking about irrational things. It’s really important to understand that all of us, under the right circumstances, say and do things based on purely emotional or instinctual responses.

[00:37:51] Austin Cusak: I tried to talk with even some of my neighbors about this and her story, and I was very disappointed in their responses to it. Well she should have known better. So it really does, like we, we tend to very quickly move into that victim attribution or the attribution bias, like we should all know better. Now that scam and how that went down, it was kind of the same playbook that they used, is that they saw the opportunity, it wasn’t an immediate, I’m going to ask for money, it was a slow, them impersonating someone. They did the same thing. But she was very–, she was wary, she didn’t send them money, but the tactics didn’t change that they, the brain still needs that stability. The brain still hopes that it’s going to happen someday. So when I heard the second story, like on first blush you hear that it happened to her a second time, and the first thing that we think of is, she should have known better. It’s that attribution bias. But then when you hear her explanation of it, and how that started to go down, and how they did it, you’re like, wow these, these people and whoever is creating these textbooks that they’re following, they’re very good. Like they are very good at what they’re doing, and think of it kind of like a car salesman, and I don’t mean to demean car salesmen, but there was, there was a time where I had a friend that was going to get a car, and they were like, ah, I’m going to win this negotiation. I’m going to talk them down, and in my head, I was like, wait a second. So you’re not a negotiator, you don’t have experience doing negotiations, and you’re going to go up against someone that does this all day, every day, and you think that you’re going to like conquer them? This is you against them. This is their job. This is the full-time thing that they do day in and day out every year making small tweaks, making minor things. That’s what these criminals do.
They are masters at manipulating, they are honing their craft, they are making little tweaks here and there, so when she is reaching out, right, so this is, the brain needs closure. So that’s part of it is that she has this terrible thing happen to her, and our brains are wired to seek closure.

[00:40:13] Bob: While it might be hard to understand why Anola suffered a second romance scam, in some ways the first time set her up for the second. Remember she reached out in an attempt to warn a person she thought was a victim too. The man’s image was being used as a lure by criminals.

[00:40:29] Austin Cusak: That second criminal is looking at this as, she’s already in this very heightened emotional state. It is very easy for me to now trigger her fast thinking once again by pretending to be the person that she really hopes me to be, because she’s trying to do the right thing and I can take advantage of that.

[00:40:53] Bob: So in some ways, the fact that she was already a victim made her more likely to be a victim again?

[00:41:00] Austin Cusak: I don’t know if that’s every case. I’m sure that there is probably some research that has been done on that. I would say from my understanding of just behavioral science in general, yes, absolutely. Especially if she’s been in that state of fast thinking for a very long time, she does not yet have closure, she has not yet processed everything that has happened for her. The brain is going to reach and stretch, and want to have, ’cause she would still be in the state of cognitive dissonance, I’m assuming, in that moment; where I’ve got these two competing ideas, I need an answer. And that gives the criminal a very good opportunity to start to control that narrative, provide those answers, lead that person where they want it to be.

[00:41:51] Bob: And there is another powerful tool criminals use, they’re very good at appearing to have very intimate conversations.

[00:41:59] Austin Cusak: We’re looking at criminals that are very masterful at using cognitive empathy. They’re not feeling these emotions, but there is a thing called the dark impact where you can use empathy to very much manipulate other people. I would say that a lot of the tactics of dark empathy is exactly what the cult leaders are using to manipulate, to keep manipulation, and they get very good at it.

[00:42:25] Bob: Dark empathy is a new term to me.

[00:42:27] Austin Cusak: The dark empathy?

[00:42:28] Bob: Yeah.

[00:42:29] Austin Cusak: There, there’s quite a bit of research on it that you can kind of dig in in the leadership realm, and this is why I mentioned this because it’s going back to leadership development. When we are trying to develop leaders, sometimes, and this does not happen very often, but sometimes we do come across someone who is a textbook narcissist. And I don’t mean that in kind of the, ah, they’re narcissistic. I mean that they would top off if they took an assessment for narcissism. They are drawn to tactics of leadership, because at its core, a tactic of leadership is to positively influence others towards a common goal. I can remove that positively and just influence others towards a common goal. And so the people that want to manipulate, the people who want power, find that by studying leadership, by studying how to use cognitive empathy, by studying active listening, they study those same tactics which they can then use to move upward. They can then use to shift others’ behaviors. And that’s essentially what she ran up against.

[00:43:35] Bob: Meanwhile, the victims are in the throes of a crime and what feels like a very real romance. The end is an incredibly painful moment, so is telling people about what happened. Criminals use that to their advantage too.

[00:43:50] Austin Cusak: And so just like with a lot of people not reporting these things, or not talking about these things, is because we fear that we will experience more pain of rejection, pain of betrayal if we openly talked about these types of things with people. So we avoid that pain, and that is a normal thing, it’s just kind of a crappy thing, especially in regards to this. The criminals know this. They know that we are going to avoid those feelings of embarrassment because our, again, 35,000-year-old brain says, if I show myself to be a weak link, if I show myself to be someone who can’t be trusted by this group, I might get kicked out of the tribe, then I’m dead. So this is a survival tactic that the brain is going to constantly push is I must hide these things because this could lead to a problem with the tribe, but also, I’m going to avoid this because I know that this will experience, like I will feel pain if I go down this road. And so as we start to kind of approach that pathway, like that physical pathway, the brain’s like, nope, nope, I’ll do it another day.

[00:45:07] Bob: I don’t think we talk enough about the avoid, pain avoidance element to this, because it is very painful that moment when you realize, my money’s gone forever. That’s a very painful recognition.

[00:45:17] Austin Cusak: I think the threat of betrayal of the whole thing not being real. As a personal thing, I actually had a conversation with someone very close to me who was in a religion, and some stuff came out about the religion that kind of debunked some of the founding tenets of the religion, and they stayed in it. And I was asking them, why? Why stay in it? And it was understandable and it was very hard for me to listen to them because they’re much older, and they said, my entire life I believed this. My entire life. It’s part of my identity, it’s my community. If you took this away from me, it would break me.

[00:46:03] Bob: Austin really wanted to drive home a point about these powerful tactics that criminals use. Some of them are used in traditional persuasion. He already mentioned sales tactics, but you might find some of these ideas in leadership training or management training which is part of Austin’s job at FDIC.

[00:46:21] Austin Cusak: I may be a very unpopular person for saying this, Bob, but a lot of the leadership tactics that we use is exactly what the criminals use. They use the same tactics but they use it for nefarious purposes. But influencing people, the tactics, the way the brain works, it’s the same. And so in, in some cases it is us saying, these are the things that we’re going to practice so that you can positively influence. And at the same time it is you need to be aware that these people are doing these things to you so that you can actually counter them, so that you can stop them, so that you can be on the lookout for. So in that world of leadership development, there is a surprising amount of crossover in terms of both helping people and manipulating and avoiding manipulation.

[00:47:14] Bob: So there are light and dark ways to use behavioral science, right?

[00:47:18] Austin Cusak: Cialdini has his book “Influence” and his book “Pre-Suasion,” and I’m going to throw out the disclaimer that things that I say are not representative of my agency. These are my own opinions, but I do want to point out that Cialdini has done a lot of great research on this subject, specifically on influence. And he even calls it out in his books about like the tactic is the same. You can use this. It is the knife that you can use to carve something beautiful or stab someone in the back, but the brain’s going to receive it the same way.

[00:47:53] Bob: It did strike me talking with Anola that the criminals did more than just appeal to her emotions, however. Remember, they showed her an account that allegedly had $4 million in it, so they were working to counter any skepticism she might have had.

[00:48:08] Bob: So it seems to me like they, they know how to play in the rational brain space as well.

[00:48:14] Austin Cusak: Yes, so, so that is, that is part of the ethos, pathos, and logos that has been used on us since Aristotle perfected by Plato, so we’re talking what 300 and like 48 BC that we had these three compelling means of persuasion. 3–, 347BC where it is essentially what is going to be the most compelling for you? Am I going to make an appeal to character, lead with an appeal to emotion and then follow it with just enough logic to make it plausible. Those three things, ethos, pathos, and logos, is the core of marketing, like all marketing is based on that. You see a car commercial and it is a basketball player who’s famous driving the car. That’s an appeal to character. So the use of logic, the use of data to reinforce is very compelling. But that is the answer to the cognitive bias. If it’s plausible enough, if it’s data and it’s plausible enough, or if they say, look, I have these bank accounts, why would I need your money? It’s plausible enough to answer and remove the cognitive bias. And that is the insidiousness of this entire thing is that I put like, I, the criminal, am putting my victim into fast thinking. They’re making emotional decisions. The second that they start to have this, and I can feel them starting to pull away, I reinforce it with lots of love, lots of dopamine. When they start to question it, I give just enough data, just enough of a logical response to, to basically shift away from these two competing ideas so they can only hold onto this one idea. I use time pressure, I use empathy, I, right, like I reinforce these things. And then, this is the thing that is really just err, is that they just inspire the shared vision, and then they reinforce it with this is our future together. This is the compelling image. This is the dream of what’s possible with us if this happens. This is the long-term interest. You are the only one that can do this. And they paint this big, shared aspiration.

[00:50:39] Bob: Feeling like you’re on the same team with that shared vision is also a behavioral trick that well-trained criminals employ.

[00:50:47] Austin Cusak: And so when you’re in alignment with each other, the principle of this is a psychological principle called homophily. And homophily is this idea that we really gravitate towards people who like the same things we like, who we perceive are part of the same group. So a great example of this, I play a lot of Dungeons and Dragons, I’ve been playing Dungeons and Dragons since I was 8 during the Satanic panic, where we had to hide it from my mom when me and my two older brothers did this. So if I meet somebody and they also play D&D, I instantly like them. They could be a terrible human being, but I’m now giving them the benefit of the doubt because they love a thing that I love, so therefore, they can’t be that bad. And that is that concept of homophily. So Pedro did that very well. And also, what the scammers did, and like she said, I am suspicious, right. So the cognitive processes are happening, he didn’t back out at that moment, he kept going. Even multiple times when in that relationship when she called him out on things, he weathered those storms. He talked her down. He convinced her otherwise. He got outraged. He threatened to walk. And that is really hard for a couple of reasons. One is because we crave that dopamine, we crave that oxytocin, and the threat of that being yanked away very suddenly, that’s going to hurt. And the brain is going to avoid pain. And this is one of the things that we don’t necessarily recognize, is that our brain is going to process physical and mental pain the same way in the exact same area. And it wants to avoid it. So that mental pain must be avoided. The brain says, can’t have this, don’t want this.

[00:52:45] Bob: Okay, so under all this knowledge of how our brains work, and sometimes work against our own interests, what can we do to better protect ourselves from an amygdala hijack? For starters, we could teach ourselves to be more understanding of victims. Austin has a lot of very practical advice for helping someone who you’re worried is under the influence of a criminal.

[00:53:08] Austin Cusak: When we suspect someone is ignoring these types of red flags, when they are stuck in that amygdala hijack, they are not in control of this. They have someone who is manipulating them and the self-acceptance that they are being manipulated is going to hurt. It is going to cause a lot of pain. So the first thing that we want to do with that person is to use our own cognitive empathy, because if we’ve not been through something similar, it can be very challenging to allow our emotions or even our compassion in. So cognitive empathy is, I’m going to listen, I’m going to get very curious, I’m going to try to ask questions, I’m not going to give judgment, and then this is probably the first thing that I would say. Approaching this as, I know someone that I suspect is being uh, is, is being manipulated by criminals. So this is that that’s the lens I’m looking at right now. That person needs to say, okay, before I give you any advice, I will always ask if now is a good time for me to share some advice or give you a thought. I always want to give that person the locus of control. It’s not that they’re not going to receive that information, it’s is now a good time? It’s, hey, I have a real concern that I need to talk to you about. Is now a good time for me to share that? That’s the first thing is you don’t let that person off the hook, you don’t say, oh, I’ve got some, I really want to share this. Is it okay for me to share it? Is now a good time for me to share it? Let them choose the time. We want them to have that control, ’cause oftentimes they know, they’re feeling that, and there’s that initial fear, the cortisol is spiking. The adrenaline starts to flow because the brain now feels, I’m in trouble, I’m in danger. So when we say, is now a good time for me to share some thoughts or give you some advice… if they say no, that is amazing. Okay when can I do this then? Let them choose a time or they’ll say I’ll come back to you. 
They always come back. I use this tactic frequently. Sometimes it’s a day, sometimes it’s two days, the person almost always comes back to me and says, I am now ready to talk about this thing. But you don’t want to try and force the flag on them when they are in that state of emotion.

[00:55:42] Bob: Getting back out of the highly emotional state, out of the amygdala hijacking, often requires something Austin calls calming the amygdala. Talking with empathy can help others, but you can do that for yourself too.

[00:55:56] Austin Cusak: If you do physical movement, you can also have a mental shift with that movement, hence the beauty of going and getting coffee. I can’t tell you, Bob, I do a lot of coffee at work, and the code for, hey, can we get coffee, it’s not really a, I need coffee, or I want to spend time with you, the code is, I really need to get a sanity check from somebody, and I don’t really want to ask, ’cause that’s embarrassing. But in the act of walking to the coffee and walking back, that allows the person to share the thing and calm the amygdala. The other thing is breathing. So there’s been a lot of research that’s done on the, the 4×4, the breathe in for 4, hold for 4, release for 4, hold for 4. And then there’s also a lot of research that’s been done on what’s called the 478, which is where you breathe in for 4 seconds, you hold for 7 seconds, and then you do this exhale for 8 seconds. Now the reason why these work so well is because when you are breathing in a normal way, you are cueing and telling the amygdala, I am safe. I am not in danger. So even if that cortisol is starting to spike and the adrenaline is starting to spike and your body is going into fight or flight, you can calm it. Some people are like, ah, I don’t want to breathe. So just go for a walk. Just, just walk and then talk and then say, hey, I want to share this with you. But that’s it, is that those are the very first steps that always work because we have to get that amygdala calmed down before we can share something with them.

[00:57:45] Bob: Amygdala calming doesn’t have to begin with a conversation though.

[00:57:49] Austin Cusak: When someone is suspicious that they might be stuck in one of these things, there’s a lot of advice online, it’s oh, walk away or do this thing, or put your phone down or take breaks; that can be really hard to do. My number one recommendation when I am working with someone who is in one of these highly emotional states, is to try and do a hobby, try and do an activity that allows you to get into flow a little bit, meaning that it is requiring some effort but not too much effort. As an example, I started painting miniatures, these little miniatures that I use for my games. My wife started playing pickleball. I know that some people really like to knit, taking walks. There, there are lots of activities that you can, when you are doing that type of activity that is requiring the brain to hyperfocus on something and it’s requiring effort, but not too much effort, just the, the right amount, right, being in the zone, getting in the flow, that is giving enough space for the brain to say, I’m not in danger, I am going to shift from the fast into the slow thinking. It’s the same thing. We want to try and find ways to move the brain more into this slow, analytical thinking.

Gas station hero stops crypto kiosk scams, again and again

Bob Sullivan

Once in a while, a human being does the right thing and you wonder why it took so long

I’ve long held the opinion that the only real use case for cryptocurrency is fraud; we can debate that.  Crypto kiosks, on the other hand, leave little room for discussion.  These ATM-like machines you’ll find in gas stations and convenience stores just make it easy for criminals to steal hundreds of thousands of dollars from victims. They have little other purpose.  No sane person would use the machines for a normal cash-crypto conversion; the fees are too high.

I talk to scam victims every week and for the past 18 months or so, nearly every story ends with a tragic scene of a victim shoving $100 bills into one of the Crypto ATMs.  Generally, these are crypto novices who spend a half-hour or more nervously shoving their life savings into these machines, bills getting spat back at them like a misbehaving vending machine, as onlookers avert their eyes.  Victims often believe they are minutes from being arrested on an outstanding warrant, or about to have all their cash stolen in some kind of bank conspiracy. It doesn’t matter why — they are being manipulated by crime gangs using AI tools, behavioral science, and teams of experienced worker bees.

But all that was no match for Eric Stewart, a gas station employee in small-town Tennessee who is a genuine digital age hero in my book.  Not long ago, Eric noticed a woman named Ellen walk frantically into his store. She was chattering on her cell phone and looking around nervously for the crypto kiosk. She also had $6,200 in her hands.  A few minutes earlier, Ellen had received a phone call from the county sheriff saying she’d missed a court hearing about her PPP loan, and there was a warrant out for her arrest. The caller knew exactly how much Ellen had borrowed through that pandemic-era program and demanded she repay half of it immediately — via bitcoin.

Eric didn’t avert his eyes, the way so many people do in the stories I hear. Instead, he stepped right in front of Ellen and confronted her. Here’s the scene, as told in our podcast, The Perfect Scam.

Eric Stewart: And that’s when I said, my very first question is, “Do you know who you’re talking to?” She said somebody said there’s a warrant out for her. A warrant? Yeah, and I said, “No ma’am,” I said, “No.” I said, “You can go to the police station. There’s no way that the money going to a Bitcoin machine is going, that’s not how you pay this. That’s not, that’s not how that gets paid. There’s, that’s not the form of payment that you would pay for something like this.”

Bob: And then Eric tries to be even more direct.

Eric Stewart: I was like, “Please, just hang up the phone. Just hang up the phone.” I said, “If it is a warrant, you can go to the police and ask them if there’s a warrant and everything.”

Bob: Ellen remembers looking up from her phone to listen to Eric.

Ellen: And then the manager came over and said, “Stop, that’s a scam. Don’t put any cash in that machine.”

Bob: Wow! That’s very dramatic.

Ellen: Yeah. The way I remember it, he, he just came over and said, “If they’re asking you to put cash in that machine, it’s a scam. Don’t do it.”

Bob: Wow.

Bob: So Ellen looks down at her money, back down at her phone, and tries to tell Karen what’s going on.

Ellen: On the phone I said, “The manager here is telling me this is a scam.” And she wasn’t even there anymore ’cause she could hear him talking to me.

So, Eric saved Ellen that day.  And you can probably already guess, this wasn’t the first time. Eric often notices agitated customers on their phone headed for the kiosk in his store, and stops them.  He does so in the gentlest way possible — after all, these people are scared and carrying a lot of money. In the episode, you’ll enjoy his homespun wisdom about how he does it. And you’ll enjoy his great accent. But more than anything, I hope you’ll enjoy his sense of decency and duty to his community.  He’s so decent, he actually feels regret for the one woman he wasn’t able to stop in time because the store was busy.

While we wait for cities and states to regulate or outright ban these machines (many are!), and we wait for tech companies to do the right thing, we’re going to need a whole bunch more Erics in this world.

Below is a partial transcript of the episode, but I hope you’ll listen to the whole thing.


———————-PARTIAL TRANSCRIPT———————–

[00:14:34] Bob: It was a small moment in time, but it was genuinely a life-changer for Ellen.

[00:14:40] Bob: I wonder if you remember, maybe like her facial expression when suddenly it dawned on her that, that yes, this was a scam? Have, do you remember anything like that?

[00:14:47] Eric Stewart: Yeah. Her face did change. And as I’m sitting there, exactly I could see, you’re exactly right, her face did change when it was coming to her an understanding of things that me and her were speaking to, making her understand that this is a scam and bringing obvious steps into this. So yeah, her face went from like confused and oh my goodness, and like, you could see a little bit of shock and the realization in her face. But yeah, I could see the relief on her face too right there at the end when she was leaving. Oh, more or less like I probably don’t have a warrant on me. I can’t believe I almost got scammed, but also that I don’t have a warrant out for me, I’m not going to lose… I had to lose all this money, spend all this money on what she thought she needed to do. The relief on her face when she left was, was a huge difference from when I first had approached her.

[00:15:49] Bob: Not only does Eric save Ellen from having a lot of money stolen; he cares for Ellen’s fragile emotional state too.

[00:15:57] Ellen: I just felt so foolish.

[00:15:59] Bob: Oh.

[00:15:59] Ellen: Really, and Eric was like, “It just happened to two other people here this morning.” He told me that.

[00:16:05] Bob: Wow!

[00:16:05] Ellen: He just said, “It happens to everybody.” He said or, “It could happen to anyone. You don’t feel bad.” ’Cause I was saying, I feel so foolish. (chuckles) I can’t believe I almost put $6000 in this machine, and so he was just really nice, a nice guy.

[00:16:21] Bob: Five minutes out of his day or whatnot, but it really was a life-changing thing for you, right?

[00:16:26] Ellen: Absolutely, absolutely. I love Eric. I don’t hesitate at all to go into Kwik Mart anymore; you know what I mean?

[00:16:33] Bob: Eric, rightly so, enjoys feeling like he’s done something for the community.

[00:16:38] Bob: That must feel great for you.

[00:16:40] Eric Stewart: Yeah, it does, it does. It really does, and I remember, I don’t think I said anything to my wife about it, till the end of the day I was, oh yeah, by the way… But to me it’s like, it’s just, ’cause the way I think about it, what if that was your family member? What if that was your grandma, your aunt, you know your mother, you know, your neighbor, you know your best friend? Why would you not, why would you not help another person in need, ’cause that is someone’s grandma, that is someone’s mom, aunt, sister, relative, neighbor; they’re all those things. And I wouldn’t, why would you not want to help that person, when it takes a couple minutes, that’s it.

[00:17:20] Bob: But he didn’t even realize the depth of the trouble he saved Ellen from until I told him. Ellen would have had to make monthly payments with interest to pay back that $6200 she borrowed from her HELOC.

[00:17:34] Bob: So she didn’t have that money. She had to take out a loan to have that money.

[00:17:38] Eric Stewart: Oh wow.

[00:17:39] Bob: She would have had years of $200 a month payments or whatever in addition to everything else. You really, it’s a big deal what you did for her.

[00:17:47] Eric Stewart: Wow, that’s amazing. That makes me feel even better now. Hah. That’s awesome.

[00:18:52] Bob: Yeah.

[00:18:53] Eric Stewart: Wow, that I was able to help that, prevent that. Wow.

[00:18:57] Bob: Yeah, she had a HELOC, and so she borrowed money out of the HELOC in order to get the $6000. That would have been a years’ long problem for her that you stopped.

[00:18:04] Eric Stewart: Yeah, and stress especially if she’s on a fixed income. I know she was a little bit older, I don’t know how old she is and or anything like that. I know a lot of people are just living off of one check a month trying to survive, and then that stress added more. Wow, that would have been a lot more stress, yeah, wow. I’m going, God had put me there on purpose, for that, at that moment. Absolutely.

[00:18:29] Bob: Maybe you can tell from Eric’s matter of fact tone of voice, this wasn’t his first crypto ATM rodeo.

[00:18:37] Bob: This isn’t the only time you’ve stopped other people from doing this too, right?

[00:18:41] Eric Stewart: That’s correct, yeah.

[00:18:42] Bob: How many do you think?

[00:18:43] Eric Stewart: Easily two more, easily two more after that. And the last one, he was, I assume a spouse, and I’d had done the same thing. And I said, “Sir, just…” He was fighting me on it. He really was. And he moved the phone away from his cheek, and I was seeing on there, I said, “Sir, your phone for caller ID says, ‘SPAM RISK.’ It says on your phone just ‘SPAM RISK.’” I said, “Please just hang up.” And he fought me too. He had walked out that door. I told his wife, I said to whoever she was, I was like, “Hey…” She said, “I’ve been trying.” I said, “Please, just hang up that phone. Just get that phone from him and hang it up ’cause I promise they’re not going to call back.” I think he; he didn’t do it because there’s not that many of those ATMs or machines around, those Bitcoin machines. There’s not a lot of them.

[00:19:33] Bob: How did Eric learn to be so attuned to potential crypto ATM scams? Well, he listened.

[00:19:41] Eric Stewart: How I learned about this was, I had a elderly customer, unfortunately it’s been a lot of elderly people, same scenario was happening, and a customer had said, told us, he goes, “Hey, whoever that is over there, she been over there talking to, that’s a scam, ’cause I could hear the conversation on the phone going back and forth. That’s a scam.” And so that’s how I got the information on figuring out how it’s a scam just learning from that right there. And I just used my intelligence and common sense and put things together, hey, y’all, okay, this is a scam.

[00:20:15] Bob: But the first time you saw this, somebody actually tipped you off that they had heard the conversation and it was a scam.

[00:20:19] Eric Stewart: Yes, sir. She actually fought me.

[00:20:22] Bob: Fought you. Wow.

[00:20:24] Eric Stewart: Yeah, yeah. “Ma’am,” to the customer and I was like, “alright, since I work here, I’ll approach her.” And she goes, “No.” I said, “Do you know who you’re talking to?” She goes, “No, but it’s okay. I know what I’m doing.” And I was like, “Well someone overhead and said that you’re, you know, that you’re being scammed.” I was like, “Do you truly know who you’re talking to on the phone?” And she really fought me. I sat there and asked her a couple of questions and tried to use red flags, I tried to use, I can’t remember the question was, a red flag question is I think there is something there, “If you don’t know who you’re talking to, do, are you sure you should be doing this and putting that money in there?” And luckily, her husband had been sitting out in the car. I don’t know; this was a great scammer, whatever he or she had told this lady to actually convince her husband as well. These people are super topnotch. It goes from you leaving your destination where you’re at, physically going to the bank and withdrawing this cash, probably with a bank teller because it’s a couple thousand. I don’t know what the limit is on the ATM, I’ve never pulled, tried to attempt to pull that much money out, and they go from the bank to the Bitcoin machine and this whole time this is fighting traffic on the traffic, could easily, we could be at an hour now, they’re on the phone.

[00:21:45] Bob: Yeah.

[00:21:46] Eric Stewart: By the time we get to the Bitcoin machine, that’s an hour conversation easily, you know, so when I left it, I told her husband, I said, “Hey, y’all, that’s a scam that’s going on with your wife and everything,” and he goes, “I figured,” you know. “You might want to stop her.” And he went in there. I don’t know what happened, ’cause I was leaving for the rest of the day and hopefully they didn’t go through, or the minimum.

[00:22:09] Bob: But she ultimately didn’t believe you. She believed the person on the phone.

[00:22:13] Eric Stewart: Yeah, yeah, that person was really good. Cause for her husband, for her to defy her husband who was with her as well, to go to the bank and had gotten that far. That person, unfortunately, they are really good at their job.

[00:22:28] Bob: Do you have, ’cause one of the, I think, really important things you’ve mentioned is that when somebody comes in and they’re upset obviously, and they’ve got a lot of cash in their hands, they’re nervous, and so you’re very careful with how you approach them, right?

[00:22:43] Eric Stewart: Absolutely. Usually they have a phone in their hand, if it’s females, it’s going to be in the purse. The gentlemen, unfortunately, he had those little envelopes that you get from the bank, and you could see it in his pocket hanging out a little bit. I understand there was a lot of money, so I easily give him the space and let him know I’m not trying to rob you or anything, but I let him know I’m aware of the situation and of what’s going on. But yeah, most of them are just, they’re on the phone just like everyone else is, and but when they get to the machine they find it really easy, it’s right next to the ATM machine, so this is just like an average person coming in on the phone, but I wouldn’t say that they was hanging, having the money in their hands and all that, but yeah, I definitely give him the space. I give everyone the space ’cause you don’t know, so some stranger’s walking up to you. And you had a machine that either you put money in or you take money out of, so obviously, you want to make them feel, I want to make them feel safe around me.

[00:23:44] Bob: So Eric has learned to approach potential victims with great care.

[00:23:49] Eric Stewart: And I try to pull a flashlight over their head, let them think, I try to let their mind, not me tell them, because me telling them is not going to mean nothing because these scam people are smart. But let me alert them and let their senses say “Hey, wait a minute.” I try to use easy language, understandable language because obviously there’s a lot going through this person’s mind; fear, anxiety, I’m pretty sure, a little bit of shock of “Hey, what is really going on?” So I’m sure this person’s feeling all these emotions so I try to make everything as simple worded, for them to understand that “Hey, yeah, you know what? Let me stop this and not do this.”

[00:24:35] Bob: You are natural at the psychology of the situation. We hear all the time when family members say, “That’s a scam” that people don’t listen. Because sometimes when you’re that direct with someone in that state of mind, they reject it, but you have described it as shining a light over their heads so they can figure it out themselves. How did you get so smart about psychology?

[00:24:55] Eric Stewart: I don’t know. Like I said, I’m a people observer, and uh, I was in management in the fast-food industry for many years.

[00:25:04] Bob: Aha.

[00:25:05] Eric Stewart: And I noticed every employee is different. Some, you don’t have to say nothing to, they just do a great job. Some, you have to pat them on the back. Some you just have to slowly guide them. And then others, you have to tell them, “Aw, man, that’s amazing. Great job!” ’Cause they need to hear that. Everyone’s different in the workforce and just, so I observed that and just noticed that. And I guess I used that, me watching people, working with people, understanding how they work and I just use my intelligence to guide me through those situations, scenarios with them.

State of Third-Party Risk Assessments

Organizations across many industries increasingly believe their Third-Party Risk Management (TPRM) programs are mature. The data in the ProcessUnity State of Third-Party Risk Assessments 2026 tells a more complex story.

While most organizations have established assessment processes, policies, and frameworks, the data from our 1,465 respondents uncovers that many have not achieved true program maturity, and the gap between perception and reality is growing.

That gap has a measurable cost. Organizations are experiencing frequent third-party breaches, prolonged assessment cycles, slow vendor responses, incomplete remediation, and persistent blind spots across their third-party ecosystems. In fact, organizations report experiencing an average of 12 third-party breaches per year, signaling that third-party risk is not an edge case, but a recurring operational reality. These outcomes highlight a critical truth: having processes in place is not the same as operating a mature, scalable, and effective TPRM program.

Ponemon Institute surveyed 1,465 IT and IT security practitioners in the US (632 respondents), Asia-Pac (402 respondents) and EMEA (431 respondents) who are involved in their organizations’ approach to assessing data risks created through outsourcing business functions to third parties. The purpose of this research is to gain insights into how organizations assess and minimize risks associated with both direct and indirect relationships with third parties. This includes identifying vulnerabilities and mitigating potential operational, reputational, financial and compliance risks.

On average, organizations have one data breach or security incident each month that was caused by a third party. Organizations represented in this research report they have experienced an average of 12 data breaches or security incidents caused by third parties in the past year. The two most serious consequences of these events were operational disruptions (64 percent of respondents) and financial loss (52 percent of respondents).

The following research findings illustrate the challenges of preventing third-party data breaches and security incidents. 

  • Few organizations have a budget dedicated to their TPRM programs. Resources are important to supporting organizations’ efforts to achieve a proactive or optimized level of maturity. Only 37 percent of respondents say their organizations allocate funding specifically for the TPRM program. Of those organizations, the average annual budget is $3.1 million.  
  • Reliance on manual and inconsistent assessments can result in a small percentage of third parties being assessed. Organizations have an average of 2,643 third parties in their portfolio and an average of only 36 percent of these third parties are assessed to determine risks and vulnerabilities.
  • The maturity of most TPRM programs is low. Fifty-two percent of respondents say their programs are reactive: assessments are still manual and inconsistent (30 percent) or ad hoc, with only a few defined processes in place for third-party assessments. Less than half of respondents rate their TPRM program maturity as proactive, which means assessments are standardized and repeatable for most third parties with defined policies, tools and remediation processes (29 percent), or optimized, which is defined as the TPRM program being fully embedded in business operations and using automation, advanced analytics and continuous monitoring to manage vendor risk proactively (19 percent). 
  • The IT or IT security functions are most responsible for third-party risk assessments, not the TPRM team. To have an optimized and mature TPRM program, automation, advanced analytics and continuous monitoring are key. For this reason, many organizations may be assigning responsibility for assessments to IT security/cybersecurity (30 percent of respondents) or IT (22 percent of respondents). Only 20 percent say the TPRM team is most responsible for conducting assessments. 
  • Assessments can be a drain on staff’s time and backlogs are a reality for many organizations. Outsourcing one or more assessment processes can be a solution to this problem. Forty-three percent of respondents say their organizations outsource part of the assessment process. Of these respondents, 59 percent say collection or monitoring is outsourced. 
  • To understand the extent of third-party risks, more organizations should measure the TPRM’s effectiveness. Fifty-three percent of respondents believe their TPRM assessments are very effective. However, less than half of respondents (49 percent) measure effectiveness. Of these respondents, 49 percent measure the increase in assessments completed, 37 percent say the metric used is the percentage of complete/accurate assessments and 36 percent say the metric used is sufficient staffing. 
  • Understanding the initial level of risk is a critical first step in a comprehensive third-party risk management program. This allows organizations to then implement appropriate controls to reduce third-party risk to an acceptable level. Fifty-two percent of respondents say their organizations use the inherent risk process to determine the frequency of third-party risk assessments. Of these respondents, 53 percent say they scope their assessment questionnaire or use a specific questionnaire based on the third party’s inherent risk. 
  • Most organizations use homegrown/IT built tools or spreadsheets as part of the assessment. Sixty-seven percent of respondents say they rely upon homegrown/IT built tools followed by spreadsheets (64 percent of respondents). Sixty-one percent of respondents say they use a GRC platform and 58 percent of respondents say their organizations use TPRM platforms. 
  • Only 45 percent of respondents say their organizations use independent ratings of the third parties’ cybersecurity and risk posture as part of the assessment. Mostly used are SLAs (62 percent of respondents) and vendor documentation of their practices and policies to assess potential risks (51 percent of respondents). 
  • Despite lacking trust in fourth parties, few organizations assess the risk. Despite not having complete trust in their visibility into fourth parties that could impact their companies, only 42 percent of respondents say their organizations assess fourth-party or subcontractor risk, either for all suppliers (23 percent) or only for critical suppliers (19 percent). Thirty-eight percent of respondents either have no trust (22 percent) or only slight confidence, with minimal assurance and significant doubts (16 percent). Only 31 percent say they are highly confident, with complete trust in their visibility. Further, only 41 percent of respondents say they received alerts from third parties about security incidents generated by fourth parties in the last 12 months. Those who did received an average of 15 alerts in the past year. 
  • Organizations are at risk because third-party assessments take a long time and often require further attention or remediation. Sixty percent of respondents say it can take 4 months to more than 12 months to complete just one assessment. Only 37 percent of respondents say it takes the team less than 8 hours (10 percent) or between 8 and 40 hours (27 percent). An average of 43 percent of third-party responses require follow-up or remediation, and it can take an average of 6 days to remediate the issues found during a third-party assessment with only one third party.
  • Sixty percent of respondents say they wait for a vendor’s response to the questionnaire for 4 months to more than 1 year. An average of 27 percent of third parties do not respond to questionnaires. Forty-five percent of respondents say they receive updates on changes in vendor risk posture only yearly (27 percent) or never (18 percent).
  • Because of the time and effort required by mostly manual processes, 40 percent of respondents say they currently have a backlog of third-party assessments. The reasons for backlogs are incomplete information from vendors (67 percent of respondents), lack of vendor response (64 percent of respondents) and limited resources such as lack of budget, technology and in-house expertise (62 percent of respondents). 
  • Only 16 percent of respondents say that remediation is completed for 90 percent to 100 percent of the third parties that require it. During the onboarding process, 44 percent of respondents say that between 26 percent and more than 50 percent of third parties require remediation activities to meet their security and privacy requirements. The primary reasons are resource constraints (66 percent of respondents), technical dependency on another team or provider (59 percent of respondents) and data access uses (58 percent of respondents).
  • AI tools as part of the TPRM program may help organizations deal with the challenges revealed in this research. Forty-four percent of respondents have either fully (19 percent) or partially adopted AI (25 percent) for TPRM programs. Only 19 percent of respondents say there are no plans to adopt AI. AI is seen to address many of the challenges faced in identifying risks and inefficiencies. Fifty-three percent of respondents say the primary benefit of using AI is that it frees staff for higher-value work. Other benefits are real-time intelligence to identify vulnerabilities (48 percent of respondents) and management of TPRM programs (42 percent of respondents). 

Part 2. Key findings

This section of the report presents an analysis of the global findings. The complete research results are shown in the Appendix. The report is organized according to the following topics.

  • Background on Third-Party Risk Management (TPRM) programs
  • Threat assessment operating models and methods
  • Challenges in conducting third-party risk assessments
  • Regional differences

To read detailed key findings and the rest of this report, visit ProcessUnity’s website.


‘Sugar High’ — Is AI the Future of music, and work?

Bob Sullivan

The next time you fire up your favorite streaming service, the music you hear might be made by a robot. Maybe you don’t care; you’re just looking for something to help you kill those 30 minutes on the treadmill.  But you should care. The sound you might not hear is a canary in a coal mine that’s gone silent. If “human” musicians can be replaced by bots, so can you.

That’s why we’ve just released a new four-part miniseries on the future of music over at the Debugger podcast, which I host for Duke University’s Sanford School of Public Policy.  Grammy-nominated folk singer Tift Merritt is our guide through this complicated cultural and economic story.  The series is called “Sugar High.”

“I think that everyone is a little shell-shocked from streaming, and it’s very hard to get your mind around things getting worse than that,” Tift told me.

The vast majority of music fans don’t know how much streaming services have changed the economics of the music business, but Tift makes it crystal clear. The series follows Tift as she enters the studio to record her first new album in almost a decade — she’d taken time off to raise her daughter.  She’s going to spend about $50,000 to make the record, a bargain by historic standards. But to earn out that advance, she’ll need about 10 million streams on a service like Spotify.

Ten million streams! Just to get back to …$0.

Tift Merritt is, as I explain in episode one, a huge success story. Don Henley covered one of her songs. She toured with Elvis Costello. She has several songs with millions of streams. Her record Tambourine earned a Grammy nomination for country album of the year. And yet, her ability to earn even a middle-class living as a working musician and mom is….well, it doesn’t really exist any longer.

There’s no arguing that tech has made more music available to more people, and it has made it easier for unknown artists to share their undiscovered talents with the world.  That was always the promise of the Internet. But along the way, the path towards discovery has narrowed, as the spoils of the system have been siphoned off by tech companies.

“I remember in 2010 I put a record out and I got my first royalty statement and I realized what a huge impact streaming was on our economy. It was a fourth of what I usually got, and I realized that I could no longer live in New York City. I couldn’t afford it,” she said. “So…oh my God, shouldn’t I be a dental hygienist? This is a, an equation that is broken.”

But that problem pales in comparison to the storm clouds gathering around artificially-generated music.  Artists and record labels alike are worried that “robots” — trained by ingesting decades of music recordings — will generate endless royalty-free ghost music.  Those songs will fill listeners’ playlists, crowding out real art, leaving musicians like Tift without revenue streams.

That future feels overstated.  Listeners will reject soulless music, won’t they? Like so much of today’s AI conversation, this debate is full of hyperbole and puffery, investment bubbles and doomsayers. One can imagine AI tools being part of human music creation, just as synthesizers and sampling have been used to make art. But one can also imagine large tech companies making the decisions that suit them, artists and art be damned.

One thing is certain: absent some other force, cost-cutting will drive the outcome. If AI ghost music is more profitable than real music, it will replace art and artists. Just as AI will replace lawyers, and journalists, and….every other kind of work that can be done cheaper by software.  How do we prepare for this? How do we design outcomes that benefit society as a whole, rather than a small set of investors?  It’s a conversation we need to have right now.

Of course, this conversation deserves far more nuance than I just gave it, so that’s why this miniseries is just the start of a dialogue.  Later in the series, we’ll hear from Reid Wick of the Recording Academy of America (the Grammy people) and Jen Jacobson, Executive Director of the Artist Rights Alliance. We’ll be having more interviews at Debugger after we release this four-part miniseries.  I hope you’ll be part of the conversation, too.

I do hope you’ll listen to this series by clicking play below, by clicking off to Spotify, or by finding it on your favorite podcast service. But if podcasts aren’t your thing, a transcript is available here.

Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact

Organizations are struggling to keep their Public Key Infrastructure (PKI) secure and reliable. The primary reasons are the difficulty in keeping pace with managing an average of 114,591 internal certificates, the lack of in-house expertise, the use of manual operations, legacy infrastructure and poor visibility.

Public Key Infrastructure (PKI) is a framework for creating, managing and validating digital certificates that establish trusted digital identities for users and machines (machine identities such as workloads, containers, IoT devices and services), enabling secure communications and transactions through cryptographic techniques. PKI primarily uses public key (asymmetric) cryptography, though it often works alongside symmetric cryptography, to provide authentication, encryption and digital signatures.

Few organizations have a high level of confidence in their PKI’s ability to meet compliance requirements. Respondents were asked to rate the effectiveness of and confidence in their organization’s PKI on a scale of 1 = low effectiveness/confidence to 10 = high effectiveness/confidence. As revealed in this research, high confidence in meeting compliance requirements is key to a strong PKI security posture.

Only 46 percent of respondents have high confidence in PKI’s ability to meet compliance requirements. Less than half (48 percent) of respondents rate the effectiveness of their PKI in protecting against outside attacks and insider threats by ensuring a secure framework for authentication, encryption and data integrity as very or highly effective.

As shown in the research, a shortage of in-house expertise is reducing the PKI’s ability to scale with growing numbers of devices and workloads: only 47 percent of respondents rate its effectiveness here as very high. Enabling secure transactions is the area where PKI is rated most effective (53 percent of respondents).

A Summary of the State of PKI Security

Public Key Infrastructure (PKI) is the backbone of digital trust, enabling secure communications and authentication for users, devices, and services. However, organizations today face mounting challenges in keeping PKI secure, reliable, and compliant.

Confidence and Effectiveness Remain Low

Most organizations lack strong confidence in their PKI’s ability to meet compliance requirements. Only 46 percent of respondents rate their PKI as highly effective for compliance, and less than half believe their PKI is very effective at protecting against threats or scaling with demand. The complexity of managing an average of over 114,000 certificates, combined with legacy systems and manual processes, undermines both security and reliability.

Key Barriers: Misconfigurations, Outages, and Visibility Gaps

The top obstacles to robust PKI security are:

  • Misconfigurations in PKI infrastructure (50 percent of respondents)
  • Unplanned outages from expired certificates (49 percent of respondents)
  • Lack of visibility into certificate inventory (38 percent of respondents)

These issues make it difficult to maintain compliance and increase the risk of security incidents. Legacy costs and risks, as well as failures in security, compliance, and audit processes, further complicate the landscape.

Manual and Infrequent Assessments

While 61 percent of respondents say their organizations regularly assess PKI security, most do so manually (53 percent) or via penetration testing (46 percent), and only a third conduct these assessments weekly or biweekly. This infrequency leaves gaps where vulnerabilities can persist.

Real-World Consequences: Incidents and Outages

Poorly managed PKI and certificates have led to significant cybersecurity incidents:

  • Sixty percent of respondents say their organizations experienced exploits due to weak cryptography
  • Fifty-eight percent of respondents say their organizations suffered third-party certificate authority (CA)
  • Forty-three percent of respondents say their organizations reported server private key theft

Unplanned outages are common: 56 percent had outages due to certificate expiration or configuration errors, often stemming from manual tracking and renewal processes.
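The obstacles the study ranks highest (expired-certificate outages, missing inventory visibility) and the weak-cryptography exploits in the incident list above are all things a scripted pass over the certificate inventory can surface before they turn into incidents. The Go program below is an added example written for this summary; it is not code from Ponemon Institute or CyberArk. It builds a constructed three-certificate PEM bundle (a healthy RSA-2048 certificate, one ten days from expiry, and an expired RSA-1024 certificate, all self-signed with made-up internal host names) and then reports, per certificate, the days of validity left plus any weak key or signature algorithm. The host names, the 30-day warning window and the 2048-bit threshold are assumptions chosen for the example, and the PEM walk is the same one you would run over an exported trust store or inventory dump.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: the subject, days of validity left, and issues found.
type Finding struct {
	Subject  string
	DaysLeft int
	Issues   []string
}

// AssessCert flags the failure modes the survey ranks highest: an expiry that
// will cause an unplanned outage, and weak cryptography (RSA below 2048 bits,
// MD5 or SHA-1 signatures). The thresholds are assumptions chosen for the example.
func AssessCert(cert *x509.Certificate, now time.Time, warnDays int) Finding {
	f := Finding{
		Subject:  cert.Subject.CommonName,
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
	}
	if now.After(cert.NotAfter) {
		f.Issues = append(f.Issues, "expired")
	} else if f.DaysLeft < warnDays {
		f.Issues = append(f.Issues, fmt.Sprintf("expires in %d days", f.DaysLeft))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		f.Issues = append(f.Issues, fmt.Sprintf("weak RSA key (%d bits)", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		f.Issues = append(f.Issues, "weak signature "+cert.SignatureAlgorithm.String())
	}
	return f
}

// AssessBundle walks every CERTIFICATE block in a PEM bundle, the form in which
// exported inventories and trust stores usually arrive.
func AssessBundle(bundle []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		out = append(out, AssessCert(cert, now, warnDays))
	}
	return out, nil
}

// sampleCert builds a self-signed RSA certificate for cn valid from now+from
// to now+to; it panics on error because it only produces constructed test data.
func sampleCert(cn string, bits int, from, to time.Duration, now time.Time) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(from), NotAfter: now.Add(to)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleBundle is a constructed three-certificate inventory with made-up
// internal host names: one healthy, one about to expire, one expired on a weak key.
func BuildSampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	var b []byte
	b = append(b, sampleCert("api.example.internal", 2048, -30*day, 365*day, now)...)
	b = append(b, sampleCert("vpn.example.internal", 2048, -355*day, 10*day, now)...)
	b = append(b, sampleCert("legacy-db.example.internal", 1024, -370*day, -5*day, now)...)
	return b
}

func main() {
	now := time.Now()
	findings, err := AssessBundle(BuildSampleBundle(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %5d days  %v\n", f.Subject, f.DaysLeft, f.Issues)
	}
}
```

Run against a real bundle, the same `AssessBundle` call is the core of a scheduled visibility check: anything returned with a non-empty `Issues` list is a renewal ticket or a key-rotation ticket waiting to happen, and the 30-day window should be set wider than the slowest manual renewal path the organization still has.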

Staff Shortages and Operational Burdens

Organizations typically dedicate only four staff to PKI management, and just 42 percent of respondents feel they have enough in-house expertise. Over half (55 percent of respondents) struggle to keep up with the growing use of cryptographic keys and certificates, leading many (63 percent of respondents) to outsource to managed security service providers.

The Push for Automation and Unified Visibility

Automation is increasingly seen as essential. Fifty-one percent of respondents say their organizations use automated certificate management, citing benefits such as consistent task execution, faster certificate renewal and greater visibility and control. Unified visibility across environments is now the top strategic priority, according to 34 percent of respondents, followed by hiring qualified personnel and reducing PKI complexity.

Best Practices of High Performing Organizations

Organizations with high confidence in their PKI (“high performers”) are more likely to adopt AI for predicting certificate issues and preventing outages, maintain better visibility into certificate inventory and support PKI with in-house expertise and effective remediation processes. These organizations report fewer operational burdens and stronger security outcomes.

In summary, PKI security is under pressure from complexity, manual processes, and resource constraints. The most effective organizations are those investing in automation, unified visibility, and skilled personnel—transforming PKI from a source of risk into a foundation for digital trust.

Part 2. Key Findings

Sponsored by CyberArk, Ponemon Institute surveyed 1,833 IT and IT security practitioners in North America (567 respondents), EMEA (503), Asia-Pac (401) and LATAM (362) who are knowledgeable about their organizations’ use of PKI and certificates. In this section of the report, we analyze the research results. The complete audited findings are presented in the Appendix of the report. The report is organized according to the following topics.

  • Securing PKI and certificates
  • The deployment and management of PKI and certificates
  • Best practices of organizations that have high confidence in meeting compliance requirements (aka high performers)
  • Regional differences

Securing PKI and certificates

Fifty-four percent of respondents say their organizations have little or only some confidence in their PKI’s ability to meet compliance requirements. The major reasons for the lack of confidence are misconfigurations in the PKI infrastructure (50 percent of respondents), unplanned outages caused by expired certificates (49 percent of respondents) and lack of visibility into certificate inventory (38 percent of respondents).

The biggest barrier to securing PKI and certificates is legacy costs and risks. Some 34 percent of respondents say legacy PKI costs and risks are affecting the security of PKI and certificates. Other barriers include the inability to have a centralized view of all internal certificates (31 percent), security, compliance and audit failures (29 percent) and dependence on manual certificate management (28 percent).

PKI security assessments are mostly manual and infrequent. While 61 percent of respondents say their organizations evaluate the security of their PKI infrastructure, only 33 percent of respondents say the evaluation occurs weekly (20 percent) or every two weeks (13 percent). According to Figure 4, the two methods most often used when assessing PKI security are manual review (53 percent of respondents) and penetration testing (46 percent of respondents).

Organizations determine the security of their PKI infrastructure chiefly by assessing the effectiveness of their processes for issuing, renewing, revoking and destroying digital certificates.

According to 50 percent of respondents, their organizations examine the processes for issuing, renewing, revoking and destroying digital certificates to assess the security of their PKI infrastructure. This is followed by the evaluation of the overall PKI architecture for vulnerabilities and potential misconfigurations (39 percent of respondents) and the review of procedures and protocols for managing data, responding to security incidents and training staff on PKI best practices (38 percent of respondents).
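The issuing, renewing and revoking processes that respondents say they examine can be exercised end to end in a small program, which makes the checks concrete. The Go example below is added here as an illustration and is not the survey’s or any vendor’s code: it creates a constructed root CA, has it issue a 90-day server certificate for an assumed internal name, validates the certificate against that root, shows that validation fails once the certificate has expired or when an unrelated root is trusted instead, renews it with a fresh serial and validity window, and revokes the old serial. Because Go’s `x509` `Verify` does not consult CRLs or OCSP on its own, revocation is modelled with an in-memory set of revoked serial numbers; that set, the host name and the lifetimes are assumptions of the example and stand in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only for the constructed demo data in Lifecycle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign has parentKey sign tmpl (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCA creates a self-signed root that is allowed to sign certificates and CRLs.
func IssueCA(name string, key *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// IssueLeaf has the CA sign a server certificate for host. Renewal is the same
// operation with a fresh serial and a new validity window.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, host string,
	pub *ecdsa.PublicKey, from time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: from, NotAfter: from.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, pub, caKey)
}

// Validate checks revocation, then chain, validity period and host name.
// Go's Verify does not consult CRLs or OCSP itself, so the revoked set stands
// in for that lookup (an assumption of this example).
func Validate(leaf *x509.Certificate, roots []*x509.Certificate, revoked map[string]bool,
	host string, at time.Time) error {
	if revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("serial %s is revoked", leaf.SerialNumber)
	}
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}

// Lifecycle runs issue -> validate -> expire -> renew -> revoke and returns each
// validation outcome (nil means the certificate was trusted at that point).
func Lifecycle(now time.Time) map[string]error {
	const host = "svc.example.internal" // assumed internal name
	day := 24 * time.Hour
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, leafKey := newKey(), newKey()
	ca := must(IssueCA("Example Internal Root CA", caKey, now))
	other := must(IssueCA("Unrelated Root CA", newKey(), now))
	leaf := must(IssueLeaf(ca, caKey, 100, host, &leafKey.PublicKey, now, 90*day))
	// Renewal: same key, fresh serial and validity window, issued 80 days in.
	renewed := must(IssueLeaf(ca, caKey, 101, host, &leafKey.PublicKey, now.Add(80*day), 90*day))
	roots := []*x509.Certificate{ca}
	revoked := map[string]bool{leaf.SerialNumber.String(): true} // old serial revoked after renewal
	return map[string]error{
		"fresh leaf":   Validate(leaf, roots, nil, host, now),
		"after expiry": Validate(leaf, roots, nil, host, now.Add(100*day)),
		"wrong root":   Validate(leaf, []*x509.Certificate{other}, nil, host, now),
		"revoked leaf": Validate(leaf, roots, revoked, host, now),
		"renewed leaf": Validate(renewed, roots, revoked, host, now.Add(100*day)),
	}
}

func main() {
	for step, err := range Lifecycle(time.Now()) {
		fmt.Printf("%-13s %v\n", step+":", err)
	}
}
```

The ordering inside `Validate` is deliberate: the revocation check runs before chain building, because a correctly signed, unexpired certificate that has been revoked is exactly the case a chain-only check accepts. In a real deployment the in-memory set would be replaced by a CRL or OCSP response, and the renewal step would be driven by the inventory’s days-left figure rather than a fixed offset.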

To see the rest of these key findings, visit CyberArk’s website.

Celebrating the 20th Anniversary of Ponemon Institute’s Cost of Data Breach

Twenty years ago, companies increasingly became awakened to the very real threat that their sensitive and confidential data had been or could be targeted by a cybercriminal. It was clear that such an incident would not only jeopardize the privacy of their customers and business partners, but it could also mean significant financial harm.

When discussing a possible research project, our client asked if there would be any way we could calculate the cost of a data breach. The idea was that having such a calculus would be extremely beneficial in helping IT and IT security practitioners prepare for the possible consequences of a data breach, but also to convince the C-suite and board members to budget more money so that investments in technologies and staffing would be sufficient. In both instances, we have heard the research has succeeded.

Over the years, the research has evolved based on what we have learned from organizations that have been breached.  In the typical study, we speak with IT, compliance and information security practitioners who are knowledgeable about their organization’s data breach and the costs associated with resolving the breach.

We are often asked, how do you calculate the cost? To calculate the average cost of a data breach, we collect both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.

In this year’s study, the global average cost was $4.4 million. Sixteen percent of organizations reported breaches involving attackers using AI, most often for phishing or deepfake impersonation, signaling an escalating AI arms race. U.S. average costs reached a record $10 million, fueled by the nation’s rising detection expenses and stricter regulatory penalties. In fact, more than one-third of U.S. organizations paid breach fines that averaged more than $250,000.

We hope you will download our 2025 report and look forward to hearing from you.

Molly White on the state of crypto consumer protection

Bob Sullivan

There’s plenty of reasons to be skeptical of cryptocurrency, and there’s no better skeptic than Molly White, a programmer-turned-publisher who runs the popular newsletter “Citation Needed.”  So I was delighted to interview her recently for The Perfect Scam podcast I host.

There’s no bias like confirmation bias, and there’s no confirmation bias like that of someone who has invested in something – particularly something new and hard to understand.  In the long-running argument about crypto — is it a world-changing technology or a Ponzi scheme? — investors can’t help but root for one side of that debate.

Of course, this is more than just confirmation bias.  In a Ponzi scheme, faith=money. Other people’s faith.  So long as there are greater fools around, early Ponzi owners and their investments are safe. Only when the music stops playing do people get hurt.  These are all powerful forces that push rational people to do irrational things. And of course they react emotionally to anyone who wants to rain on their parade, who might hasten the end of the music with “pessimism.”

So, Molly White isn’t very popular among crypto investors.  If you really listen to her, I think you’ll find her quite reasonable, however.

Before we get to Molly in this episode, we speak with Glen Fishman, an early crypto investor who recently had almost $200,000 stolen from him in a sophisticated phishing scam.  Thanks to quick investigative work, federal agents were able to recover about half of the stolen crypto, but he was initially told it would take about a year to get his money back. It had been “removed” to an El Salvador-based exchange.

We tell Glen’s story to demonstrate that cryptocurrency holders do not enjoy many of the basic consumer protections that protect other financial account holders.  In fact, such protections fly in the face of the libertarian ideals that fuel the crypto world.  I’m not against this in any kind of philosophical way, but as a pragmatic matter, it’s a disaster. We see this in the rise of crypto ATMs, which have finally been outed as (almost entirely) a bank network for criminals. Unregulated money systems always devolve into cesspools of crime.  Some grow out of this phase, and I do wish this for cryptocurrency. But wishing is not a plan, and there are a lot of Glens out there who wish they understood this sooner.

Sophisticated financial tinkerers with money to burn are welcome to invest in crypto, of course, just as they are welcome to enjoy themselves in Las Vegas. But I worry: the investment bubble that is crypto relies on constantly recruiting more participants, and once again we are seeing an aggressive push into the consumer market.  I’m quite certain many buyers do not realize the extent to which they are playing with fire.

I don’t doubt that when the dust settles, there will be some real winners, and there will be a couple of interesting use cases for crypto. But in large part, cryptocurrency investing is still mere speculation, and when the bubble bursts, there’s going to be a lot of collateral damage. Many innocent bystanders will be hurt, as they always are.  We will learn that crypto has infiltrated some unexpected parts of the economy (like state pension funds), and I believe the fallout will be even wider than many pessimists expect.  We should be doing a lot more to contain this highly predictable damage right now. (Like this!)  Instead, for fairly obvious reasons, the current administration is smashing crypto guardrails. We all know how this story ends. We saw it in 2001 and 2009.  It’s a shame our memories are so terrible.

I hope you’ll listen to the full conversation. But in case you aren’t into podcasts, here’s a partial transcript of our conversation, very lightly edited for clarity.

——————-Partial transcript——————-

[00:38:22] Bob: There is an element in crypto baked right into its nature, which makes it more susceptible to theft of large amounts of money. In a way, it’s kind of built for that. We all know that it’s not just passwords that protect people’s financial accounts in the US, that there’s magic software that monitors transactions, particularly credit card transactions, but all transactions, and if somebody shows up and moves $178,000 suddenly out of an account, a red flag would pop up. We all have to trust that financial institutions are good at this, some aren’t, but should I trust that crypto exchanges are good at this? Would I have any reason to believe that?

[00:39:03] Molly White: Again, it really varies based on the company, but I would say that broadly in crypto, there’s actually a lot of resistance to the idea of placing limits on the types of transactions people can make and the amounts that people can transfer. The same types of limits that prevent someone from having their bank account drained by a bad actor are sometimes seen in the crypto world as an unfair infringement on your right to do what you please with your assets. And so there’s this sort of fragile balancing act that these companies have to take where they don’t anger their customers who feel like they should have access to the entirety of their accounts at any time, while also trying to prevent some sort of bad actor from completely draining the account. And so I would say that generally speaking, a lot of these programs in crypto exchanges are not as robust as in banks and other financial firms partly for that reason, partly because these companies are in some cases just less sophisticated, and then there’s also the issue where not everyone stores their crypto assets in a centralized account at an exchange like Coinbase or any of the various competitors that can impose those limits. And if you are storing your crypto assets in a wallet that is fully under your control and not at a third-party company, then there is no limit whatsoever on who can transfer the funds or to where or in what period of time, and there is absolutely no protection of that kind.

[00:40:40] Bob: That kind of transaction monitoring is basically against the whole ethos of cryptocurrency, right?

[00:40:46] Molly White: For many people it is. I think that as crypto has evolved and become more popular, we are seeing more people who appreciate the types of intervention by these third party exchanges or institutions that do add some degree of customer protection, but a lot of people do believe that ultimately these are my assets, I should be allowed to do anything I want with them, to transfer them immediately in any amount without anyone stepping in the way and saying, no, you’re not allowed to do what you want with your money. This is a very sort of libertarian ethos that underlies a lot of the crypto philosophy where people really don’t like the idea of anyone getting in the way of them and their money, whether it’s a government or a bank or some sort of compliance system or transaction monitoring. And so you have this sort of social opposition to these types of things as well as the limits that these companies are willing to go to to impose these types of systems.

[00:41:47] Bob: I think this is a really important point that I want to drive home for listeners, because okay, it’s one thing if you’re a tech person, you’re a libertarian, and go to a casino on the weekends for all I care, and you can invest in crypto for all I care, but when regular people who aren’t sophisticated, as we’re now in the next type cycle of this, become more and more involved in crypto, and they, they go to websites that might resemble a financial institution that they’re used to, and they might just presume there are protections around the transactions; I think that’s, that would be normal. I think it’s important to stress to them that they’re out on their own when it comes to crypto. Can you talk about that a little bit?

[00:42:23] Molly White: Absolutely. This is something I really try to drive home for people because I think, especially in the US, we’ve become very comfortable with some amount of protection around the financial activities that we engage in whether it’s banks offering depository insurance or transaction monitoring in our financial institutions, or oversight from securities regulators making sure that the stock exchange is a fair place to, to buy and sell assets. We become used to it and we begin to expect it everywhere, especially if the place we’re looking at really resembles a bank or a stock exchange or something like that. But ultimately, those protections are not there in crypto despite the similar appearance. We saw a really stark example of this in 2022 when a company called Celsius collapsed, and that was a crypto brokerage that had been advertising itself to customers as better than banks and providing services that banks would normally provide but describing themselves as the alternative, the superior alternative to a bank. Ultimately, it turned out that there was a lot of shady business happening at that company. The company collapsed and went bankrupt, and a number of customers wrote letters to the bankruptcy judge explaining how it had affected them. And I read multiple letters throughout that bankruptcy process that explained that: I didn’t think this could happen because this company was based in the United States, I thought US regulators were making sure everything was above board. Many people said they thought they had FDIC insurance on their assets in those accounts even though that type of depository insurance is not available in the crypto sector. So people thought that they were taking on a lot less risk than they actually were, and ultimately it destroyed some people’s lives. 
And this is really an issue throughout crypto where people just become used to these types of protections and they can’t fathom the idea that there is this total wild west financial sector that is advertising to everyday people, promising them the world, but there is really no safeguards there.

[00:44:44] Bob: Okay, so I hope you’re getting the message that if you invest in crypto, well you’re kind of on your own. And that’s okay if you do so with your eyes wide open. But there’s something else about crypto that’s important to understand; there’s just a lot of crime that travels across the network.

[00:45:01] Molly White: Crypto has become the choice for criminals doing any sort of cybercrime essentially. It has, because of its traceability challenges for law enforcement and others, because of the irreversibility of transactions, it’s a perfect asset for criminals, and now you never see ransomware, for example. Those attacks never happen outside of crypto. It’s always demands for Bitcoin or some other type of crypto asset because it’s just the perfect asset for that. We’re seeing increasing numbers of investment scams where people are being told that they can make a fortune overnight because it’ll go into Bitcoin or some other crypto asset that people have heard about and they’ve heard about people getting rich off of that, and they think maybe this is plausible. I think there are a ton of different reasons that criminals use it, but it has been very popular for cyber criminals, and if you look at the proportion of crime that happens using cryptocurrency, it is enormous compared to the number of people who are actually using crypto, investing in crypto; criminal activity is a substantial portion of that. And so I think it’s really been a boon for criminals, and it has caused this situation where everyday people who are using crypto or putting money into crypto have to be on high alert at all times because scams and hacks and frauds are just a part of the ecosystem. People who are enthusiastic and knowledgeable about crypto talk about the scams as though they’re just a normal day-to-day thing. It’s the cost of doing business. Pretty much everyone who has used crypto a substantial amount will, will admit they’ve been scammed at some point. So it’s really a free for all out there right now.

[00:46:52] Bob: I do sometimes wonder, is there’s so much fraud in crypto that maybe it wouldn’t exist or wouldn’t exist and it’s, weren’t encouraging cybercrime.

[00:47:00] Molly White: Yeah, it’s hard to say. I think it’s hard to say at that alternative scenario, but a substantial amount of activity in cryptocurrency is criminal. We are seeing more adoption of crypto broadly, and it’s clear that these days there is some institutional demand for crypto, there’s certainly been the retail enthusiasm around it, and so I wouldn’t say it’s fair to say that all of cryptocurrency is criminal activity or criminal behavior, but it certainly is a shocking amount of it. And when you see crypto ATMs, you’re right, that is an enormous conduit for crypto thefts. There was a 99% increase from 2023 to 2024 with fraud involving cryptocurrency ATMs according to the FBI. $250 million was reported lost just in 2024, mostly from victims who are over the age of 60. And it was good to see that there has been a little bit of action coming out against these crypto ATM operators. There was recently a lawsuit against a major ATM operator coming out of the Attorney General for the District of Columbia explaining that the fraud protections are completely insufficient and that these crypto ATM companies are profiting off of thefts a lot of the time. They are taking large chunks from these transactions in which people are being scammed. That is how they are making their money. And there has been some attention to it, but I would say it has not been nearly enough.

[00:48:29] Bob: So I covered tech stocks during the dot com bubble, and I wrote a lot about the housing market during the housing bubble that preceded the Great Recession, and I’m here to tell you, people who are making a lot of money really hate people who throw cold water on their investment bubbles. I still remember some of the hate mail I got. Well, Molly is in the midst of that right now.

[00:48:52] Bob: You’re a lone voice out there, one of the few voices. What is that like?

[00:48:55] Molly White: It’s a strange world. It’s certainly not a popular thing to do if you’re a crypto enthusiast. People don’t particularly like what I do. But I think it’s important to, to say, look, this technology, this financial asset has very serious issues, and that everyday people are suffering as a result of it, and there has not been sufficient enforcement or regulation around cryptocurrency, and we really need to be careful around this type of asset class. I am not opposed to crypto existing. I support anyone’s right to put money into cryptocurrency or speculate on the price of whatever token they’re interested in. I think that’s fine if people do so with all the facts, they have proper information to make informed decisions about what they’re doing with their money, and that they can trust that even if those assets go up or down in price, they will still be there tomorrow. But that is not the state of crypto at this point in time. At this stage, people not only have to understand that they’re taking on risk when it comes to the inherent volatility of most crypto assets, which are they go up and down in price quickly and dramatically. They also have to worry about the tokens that they’re putting money into being scams themselves. We’ve seen entire new words created for rug pulls and the types of other crypto crimes where people will create crypto assets and promise people the world for them, and then just take off overnight with all the assets and leaving the investors with nothing. And then finally, there’s the concern that, you know, even if you do have these crypto assets and you’re willing to take on the risk with the volatility, you may lose access to those assets through some sort of scam or the company might go bankrupt and you’ll be left with nothing. We’ve seen that happen over and over again. And I think just an unacceptable level of risk to ask people to take on. 
There’s a serious issue with information being available to investors to make informed decisions. And frankly, everyday people who are being encouraged to get into crypto are being brought in with an extreme disadvantage, and ultimately, end up often serving as exit liquidity for someone who is more sophisticated and potentially engaged in criminal activity.

[00:51:18] Bob: Okay, I need you to slow down on that last set of sentences there, ’cause I think that’s really important. Exit liquidity, tell me what you mean by exit liquidity.

[00:51:25] Molly White: So if you launch a cryptocurrency token and you want to scam somebody, you can’t actually make any money off of it unless you convince someone to buy it. And so that’s really what I’m referring to with exit liquidity is, you know, these people who are told that this is the hot new token and you buy it now you’re going to get in early and then make a ton of money. They are often exit liquidity, meaning that once they buy in, the person who created the token sells all of the tokens and takes off with their money essentially. It causes the tokens that these people purchase to go to zero so they can no longer get out of those positions, and the person who created the token makes a lot of money.

[00:52:08] Bob: But you also said before that, that the retail investors are at a severe information disadvantage, especially in this situation. Can you talk about that a little bit more?

[00:52:16] Molly White: So a lot of the regulations that exist in the financial system that we’re used to when it comes to securities or commodities or various forms of investments that people make beyond just holding currency, a lot of those regulations come down to making sure that everyone is on a fairly level playing field, that you understand the risks that you’re taking on. If you choose to say buy a stock, every stock that is issued on the public stock exchanges have this whole literature that is published on a regular basis that explains how the company’s doing, and the outlook for their future business, and the risks that are involved and the people who are running the company, and you know a lot about them and their background. That type of information is not available in crypto. Oftentimes, cryptocurrency projects are run by anonymous people, you don’t know even who is running the company that you’re being told to, to get involved with. You don’t know anything about who’s backing these companies. You don’t know about their business practices. You don’t know anything about whether they will continue to stay in business or what type of business they plan to do. It’s really just marketing. You get to read their marketing materials. There is no even oversight really to ensure that their marketing materials are accurate, and so it is just a breeding ground for scams because people can anonymously launch a cryptocurrency, promise people that it will be, it’ll change the whole system, and it’ll make billions of dollars, and then just take off with the money, and there’s really no oversight or enforcement stopping them.

[00:54:03] Bob: So I realize I’m invoking a legal term, and we’re not the law, we’re not a legal podcast, but that sure sounds like a Ponzi scheme to me that the early people make money and the less, people at the end are left without a chair. Why is this or not like a Ponzi scheme?

[00:54:19] Molly White: Many of these are Ponzi schemes. Just plainly speaking, crypto Ponzi schemes are a huge amount of the crypto fraud that we see. I would not say that crypto itself is a Ponzi scheme, but it is a vehicle for Ponzi schemes and we see many of them.

[00:54:36] Bob: As the person who is there with the pins for the bubble, somebody’s going to blame you when the bubble bursts or when people lose money. Have you had that experience?

[00:54:44] Molly White: Absolutely. Yeah, people really don’t like it when you rain on the parade, but ultimately, I think that any asset should be able to speak for itself, and if you have to threaten people not to be critical of your asset, then there’s probably something seriously wrong. And like I said, a lot of the issues in this sector rely on, or stem from people not having adequate information about the token that they’re investing in or the company or the person behind the company. And so the more people are trying to hide that information, the more skeptical I get that something might be going on here that’s not aboveboard. But it’s very common unfortunately in the crypto world for people to attack those who are critical or skeptical, or even just asking questions about a project because so much of crypto’s value comes from the perception that this is an exciting token or an exciting project and, you know, the second that someone introduces doubt there, it can cause prices to go down.

[00:55:50] Bob: Okay, so all this skepticism, all well and good enough, fear, warnings, all that, but I have a friend who 7 years ago invested $1000 in X and he just bought a boat, so why shouldn’t I do this? What do you say to a person who comes to you with that?

[00:56:06] Molly White: Yeah, I hear that a lot, and you could say the same thing about someone who invested in a Ponzi scheme or any sort of scam. There are people who make money from scams, that’s why they exist. And sometimes it’s not the people who started the scam, sometimes it’s just people who got in early. But that does not mean that every person who buys in is going to be the winner, and in fact, it is fairly rare for that to happen. When it comes to crypto, there are certainly cryptocurrencies that are not scams. I’m not trying to claim that every crypto asset is inherently a scam, but there is an enormous amount of risk that people are taking on. And you can make a similar statement about, oh, I know someone who bought Apple stock decades ago, and now they’re a billionaire. It happens. People sometimes choose the right token or the right stock or they get in at the right time. But you do need to pay attention to the sort of overall odds and the likelihood that will happen again. These days, a lot of people who are purchasing crypto assets are actually getting in pretty late. Many of the times they are getting in when the hype is at an all-time high, which often correlates with prices being at all-time highs. And so as more and more people get excited, they buy the marketing around how they can get rich just like some early investor, they often are buying at fairly high prices and ultimately, crypto goes through these boom-and-bust cycles where we see it go from tens of thousands of dollars to a fraction of that amount. And oftentimes that is when people lose serious amounts of money. We saw it happen in 2022; now crypto prices are back up, and I suspect it’s only a matter of time before we see it happen again.

The State of Cyber Resilience

Attacks against organizations’ data in storage are frequent and costly. Data storage refers to the methods and technologies used to retain digital information. On average, one attack against data in storage occurs each month, and the most significant attacks reported in the research averaged $5 million. As a result, 63 percent of respondents say securing data in storage is very or extremely important compared to other security initiatives.

Sponsored by Pure Storage, Ponemon Institute surveyed 610 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ data storage security posture.

Automation is considered key to achieving cyber resilience in data storage. Cyber resilience is the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks. In the context of this research, a cyber resilient enterprise is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. The key to achieving a high level of cyber resilience in data storage security is automation, according to 66 percent of respondents.

Respondents were asked to rate their cyber resilience on a scale from 1 = low resilience to 10 = high resilience. Only 47 percent of respondents rate their cyber resilience as high to very high (7+ on the 10-point scale). Fifty-five percent of respondents say cyber resilient data storage has value or high value (7+ on the 10-point scale).

Securing sensitive data in storage is a priority because 36 percent of this data is considered mission critical and on average it can take 12 days following a data security incident to recover mission critical applications. Mission critical applications and data are essential for organizations’ operations and survival. If not recovered, operations could be significantly impacted or brought to a complete halt.

The following findings illustrate the challenges to securing data in storage.

The exploitation of vulnerabilities and ransomware are the two primary reasons a cyber incident occurs. Organizations represented in this research had an average of 7 cyber incidents that resulted in data loss in the past two years. Although challenging to identify root causes, 63 percent of respondents say the root cause was an exploitation of vulnerabilities and 61 percent say it was ransomware.

Insiders are putting data in storage at risk. According to the research, an average of more than 5,433 employees and third parties have access to sensitive data in storage. In the past two years, an average of 7 non-cyber incidents resulted in the loss of data. To minimize the threats from non-cyberattacks, organizations should take steps to prevent employee error or negligence (74 percent of respondents) and system hardware or software failures (69 percent of respondents).

The biggest cost following a cyberattack against data in storage is the recovery of the up-to-date backups of critical data. Respondents were asked to calculate the most significant cost due to a cyberattack against data in storage. The four categories of the total cost of $5 million and the percentage respondents allocated to each cost are recovering up-to-date backups of critical data (31 percent), repairing or replacing affected systems and applications (26 percent), detecting and containing the incident (23 percent) and testing to ensure restored systems are functioning correctly and any vulnerabilities have been addressed (20 percent).

Protection of data requires an accurate classification of the types of data stored. Only 45 percent of respondents say they know how much data is structured or unstructured. Fifty-three percent say stored data is structured data and 47 percent say it is unstructured. On average, 36 percent is considered “dark” or unclassified.

Organizations are challenged to consistently manage data across all environments. Only 41 percent say they have a good or a high level of ability to manage data across all environments. Fifty-three percent of respondents say they have a good or a high level of ability to minimize downtime and data loss in the event of an attack and 49 percent of respondents say they are very or highly effective in minimizing downtime and data loss in the event of an attack.

The most important indicators of cyber resilience in data storage security are recovery SLAs, RTOs and RPOs. Fifty-two percent of respondents measure cyber resilience in data security. Of the respondents that measure cyber resilience, 59 percent say they measure consistency in achieving recovery SLAs.

Achieving recovery SLAs is critical to ensuring business operations can resume with minimal disruption after an incident, minimizing financial and operational damage, setting clear measurable goals for service providers and customers and selecting the most cost-effective solutions. Fifty-six percent say they validate Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTOs and RPOs ensure that recovery efforts align with business needs by setting clear goals for how quickly systems should be back online and how much data loss is tolerable.
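The RTO/RPO validation the report describes is, in practice, a comparison of drill measurements against targets: the gap between the last good backup and the incident must not exceed the RPO, and the time from incident to restored service must not exceed the RTO. The following script is an added example and is not code from the report or from Pure Storage; the system names, targets and timestamps are constructed drill records, and a missing restore time is treated as a recovery that has not completed.

```python
from datetime import datetime, timedelta

# Constructed recovery-drill records (hypothetical systems and times).
# Each record carries the business targets (rto, rpo) and what the drill observed.
DRILL_RESULTS = [
    {"system": "billing-db", "rto": timedelta(hours=4), "rpo": timedelta(minutes=15),
     "last_good_backup": "2024-05-01T02:00:00", "incident": "2024-05-01T02:10:00",
     "restored": "2024-05-01T05:30:00"},
    {"system": "file-share", "rto": timedelta(hours=8), "rpo": timedelta(hours=1),
     "last_good_backup": "2024-05-01T00:00:00", "incident": "2024-05-01T02:10:00",
     "restored": "2024-05-01T11:00:00"},
    # Restore never completed during the drill window: RTO is unmet by definition.
    {"system": "erp-app", "rto": timedelta(hours=2), "rpo": timedelta(minutes=5),
     "last_good_backup": "2024-05-01T02:05:00", "incident": "2024-05-01T02:10:00",
     "restored": None},
]


def evaluate_drill(record):
    """Compare one drill record against its RTO and RPO targets.

    data_loss: time between the last good backup and the incident (RPO check).
    downtime:  time between the incident and restored service (RTO check);
               None when the restore did not complete.
    """
    incident = datetime.fromisoformat(record["incident"])
    backup = datetime.fromisoformat(record["last_good_backup"])
    data_loss = incident - backup

    if record["restored"] is None:
        downtime = None
        rto_met = False
    else:
        downtime = datetime.fromisoformat(record["restored"]) - incident
        rto_met = downtime <= record["rto"]

    return {
        "system": record["system"],
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss <= record["rpo"],
        "rto_met": rto_met,
    }


def validate_all(records):
    """Evaluate every drill record; returns one result dict per system."""
    return [evaluate_drill(r) for r in records]


def failing_systems(records):
    """Systems that missed either target, in input order."""
    return [r["system"] for r in validate_all(records)
            if not (r["rpo_met"] and r["rto_met"])]


def report(records):
    """Human-readable lines for a resilience review."""
    lines = []
    for r in validate_all(records):
        downtime = "not restored" if r["downtime"] is None else str(r["downtime"])
        lines.append(
            f"{r['system']}: data loss {r['data_loss']} "
            f"(RPO {'met' if r['rpo_met'] else 'MISSED'}), "
            f"downtime {downtime} (RTO {'met' if r['rto_met'] else 'MISSED'})"
        )
    return lines


if __name__ == "__main__":
    for line in report(DRILL_RESULTS):
        print(line)
    print("Systems needing attention:", failing_systems(DRILL_RESULTS))
```

Running the script lists each system with its measured data loss and downtime and flags the ones that missed a target. A missed RPO usually points at the backup interval (it must be no longer than the RPO), while a missed RTO points at the restore procedure itself; tracking both across repeated drills is what the "consistency in achieving recovery SLAs" metric above measures.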

Organizations prepare for the likelihood of a ransomware attack. Organizations have disaster/cyber recovery plans in place to deal with cyberattacks. Seventy percent of respondents say they have a plan for ransomware attacks, 65 percent of respondents say they have a plan for distributed denial of service (DDoS) attacks and 61 percent of respondents have plans for malware, including spyware, viruses, trojans and worms.

Controlling employees’ and third parties’ access to sensitive data in storage is important to preventing non-cyberattacks. The primary root cause of a non-cyberattack was employee error or negligence. Multi-factor authentication access controls (71 percent of respondents) and role-based access controls (RBAC) (63 percent of respondents) are used to protect stored data.

The most important control used in data storage is integration with SecOps tools such as SIEM, Extended Detection & Response (XDR) and SOAR. XDR is a cybersecurity platform that unifies and automates security data collection, analysis, and response across multiple layers of an organization’s environment, such as endpoints, networks, cloud workloads and email. SOAR seeks to alleviate the strain on IT teams by incorporating automated responses to a variety of events.

AI has benefits in securing data in storage. Forty-five percent of respondents say the deployment of AI-based security technologies will improve their organization’s data storage security and 53 percent of respondents say AI simplifies data storage security by performing tasks that are typically done by humans, but in less time and at lower cost.

Despite the benefits, the two most significant risks caused by AI to data storage security are incorrect predictions due to data poisoning (50 percent of respondents) and poor or misconfigured systems due to over-reliance on AI for cyber risk management.

The key findings and the full report are available at PureStorage.com.

Why banana bread is the solution to the world’s fraud problem

Bob Sullivan

By any measure you can find, fraud is soaring in the U.S. and around the world.  I spent an hour on WHYY radio recently discussing the causes for this, but I can boil it down to one concept: big, uncaring companies have dehumanized customers and employees alike, creating a perfect playground for criminal mischief.

I write a lot of stories that reveal how much systems let people down and set them up to be victims of crimes. You’ll often hear me lament that big tech companies or financial institutions don’t do more to stop crimes.

Today, I have a different story to tell at The Perfect Scam podcast. It’s about a crime that *almost* happened, but didn’t — thanks in large part to well-trained bank employees who followed a well-designed system…with care.  But there’s another important element to this near-miss crime that plays a huge role: It happened in a small community, at a small bank, where employees had a personal connection to the victim.  Like this:

“The young man who is an assistant manager up there went to high school with at least one of my grandsons.”

And this:

“The lady at the bank, the one who was the person who called me initially, my son had a coffee truck in Rogersville for about a year and a half, and this bank manager loved his coffee. So she had come through his line so many times, and so knew me because of that.”

It’s human nature: When you know someone, or you know someone you know will know someone, you are far more likely to step in and ask questions when something seems amiss. After all, who could go to bed at night knowing they helped criminals steal $25,000 from an 83-year-old woman who is a pillar of the community?

I realize I’m telling this story upside down, giving you the punchline without the setup. That’s because the punchline *is* the story here. It’s the only part of this story which is a surprise. The rest follows an all-too-familiar refrain. Listen for yourself by clicking here. But here’s the setup.

Samuel, the would-be victim, has lived in this small town outside Springfield, Mo., for most of her 83 years. She got a menacing call from someone claiming he was from a federal agency investigating a crime, and he needed her help. Many calls later, Samuel was manipulated into a bank visit where she would ask for $25,000 to be wired to a nonexistent company. But the teller and manager asked so many questions that Samuel left without the money and headed for another branch. By the time she got there, the bank had already put an alert on her account, and tellers put up multiple speed bumps. Ditto for branch No. 3. Critically, bank employees did this with kindness, not dismissiveness or ageism, because the criminal had warned Samuel that a bank employee was “in on it.” As I’ve written elsewhere, rudeness only pushes victims into the arms of criminals, who are very good at sounding compassionate.

The bank also thoughtfully notified Samuel’s children, who are also named on her account. The kids got mom off the phone with the criminal, got her home, and eventually persuaded her that she was talking to a criminal.  The whole episode was over in a couple of days, and the family didn’t lose a dime.

As a show of thanks, Samuel made banana bread and took some to each bank employee who played a role in foiling the crime.

I love a happy ending. And I love banana bread. I’m only half kidding when I suggest in this episode that baked goods are the answer to America’s fraud problems. What I’m suggesting, of course, is that the human touch is missing from most cybersecurity initiatives. We spend billions on software… we’re calling it AI now… but we overlook the front-line workers who are often the difference between disaster and a close call.

I realize Linda Samuel’s story has a unique set of circumstances.  Many of us don’t live in a town where we can walk or quickly drive to a small, community bank.  Years of industry consolidation have ensured that.  In many cases, we only have a choice of one or two gigantic banks.  This is a mistake, and if you’re curious about the problem of hyper-consolidation and monopoly power, I’d invite you to visit the American Economic Liberties Project and the work of Matt Stoller, author of the “BIG” Substack newsletter.

For now, suffice to say it’s unlikely Linda Samuel’s story would have had the same ending if her money had been parked at Bank of Gigantica.

I do know many, many cybersecurity workers at these large institutions who care a lot about fraud, and often write code that stops crimes. When I have a chance to speak to tech worker audiences, I often remind them that no firefighter wins an award for a house fire that is stopped because a fire inspection forced a safety upgrade — the work these individuals do can be just as invisible and thankless, so I thank them for it.

But I’ll repeat myself — poor customer service is our greatest cybersecurity vulnerability.  This story makes that point by showing the alternative: good customer service can be our best crime-fighting tool.

We’re never going to get a handle on fraud unless banana bread, once again, is part of the equation. Know Your Customer shouldn’t be a check box on a compliance form. It should be standard operating procedure. And it’s worth the investment.