June 19, 2026

Cybersecurity Simplified: Shane Kawalilak's Mission to Empower Everyday Users

In this insightful episode of Living the Dream with Curveball, we welcome Shane Kawalilak, a seasoned cybersecurity expert and author with nearly 30 years of experience in the field. Shane is on a mission to simplify cybersecurity for everyone, from businesses to everyday users, ensuring that we all stay safe in an increasingly digital world. His book, *Don't Be the Weakest Link*, serves as a guide to understanding common cyber threats and how to combat them ...

Shane Kawalilak, a cybersecurity expert with 30 years of experience, joins "Living the Dream with Curveball" to demystify online safety. He shares insights from his book, "Don't Be the Weakest Link," covering common mistakes, the psychological tactics of cybercriminals, and practical advice for individuals and small businesses to navigate the digital world securely.

Key Takeaways

  • Cybersecurity expert Shane Kawalilak emphasizes educating everyday users, moving beyond technical jargon to foster a secure mindset.
  • Common online mistakes like password reuse and phishing attacks are discussed, with advice on creating strong passphrases instead of passwords.
  • Cybercriminals leverage psychological tactics, such as urgency and impersonation, to exploit human behavior.
  • Small business owners are encouraged to view cybersecurity as a shared responsibility and utilize resources like free books and updated online tips.
  • The dual role of AI in cybersecurity is explored, highlighting its potential for both enhancement and exploitation by malicious actors.
  • Reducing technology use and fostering genuine human connections can indirectly improve personal security by minimizing online exposure.

In this insightful episode of "Living the Dream with Curveball," we welcome Shane Kawalilak, a seasoned cybersecurity expert and author with nearly 30 years of experience. Shane is dedicated to making cybersecurity accessible and understandable for everyone, from businesses to everyday users, ensuring we all navigate the digital world safely. His impactful book, Don't Be the Weakest Link, serves as an essential guide to understanding and combating common cyber threats effectively.

Shane shares his personal journey into the cybersecurity field, recounting the pivotal moments that ignited his passion for educating individuals who aren't technically inclined. He powerfully emphasizes that every person plays a critical role in their own security and highlights the most common online blunders people make, such as reusing passwords and falling for phishing schemes.

Listeners will gain invaluable insights into the psychological tactics cybercriminals employ and understand the vital importance of cultivating a cyber-secure mindset. Shane also illustrates the real-world consequences of cyberattacks with compelling examples, underscoring the potential impact on both individuals and organizations. He provides practical advice for small business owners who may feel overwhelmed by technology and offers actionable tips for creating strong, memorable passwords that are easier to recall.

Join us for a compelling discussion that not only raises awareness about the critical importance of cybersecurity but also inspires listeners to foster genuine connections and prioritize their well-being in our increasingly tech-driven world. Shane's expertise will empower you to take control of your online safety and make informed decisions about your digital footprint.

What You’ll Learn in This Episode:

  • The significance of understanding cybersecurity beyond technical jargon
  • Common online mistakes and how to avoid them
  • The psychological tactics used by cybercriminals to manipulate users
  • Practical steps small business owners can take to enhance security
  • The future of cybersecurity in the age of AI and how to navigate it safely

For more information on Shane Kawalilak and his work, including a free copy of his book to empower yourself with essential cybersecurity knowledge, visit http://www.dontbetheweakestlink.com. You can also support the show by visiting http://curveball337.redflagit.com/.

Frequently Asked Questions

What are the most common cybersecurity mistakes people make online?

The most frequent mistakes include reusing the same password across multiple accounts and falling for phishing attacks. Cybercriminals also exploit personal information like birthdates and addresses to lower people's guard.

What is the biggest cybersecurity threat businesses are currently underestimating?

Phishing attacks remain a primary threat because they exploit human behavior and psychology rather than just technical vulnerabilities. Educating end-users and shifting their mindset is crucial for businesses.

How can small business owners protect themselves from technology overwhelm in cybersecurity?

Small business owners can download Shane Kawalilak's free book for guidance, visit his website for current tips, and understand that cybersecurity is a collective responsibility, even within small teams.

What psychological tactics do cybercriminals use to obtain sensitive information?

Cybercriminals use psychological triggers, such as creating a sense of urgency or impersonating trusted entities, to manipulate individuals into acting without careful consideration, often through deceptive emails or urgent requests.

What are the implications of AI advancements for the future of cybersecurity?

AI presents both opportunities and risks. While it can enhance security measures, criminals are using AI to scrape databases and create more sophisticated attacks. Users should educate themselves and approach AI tools cautiously.

How can individuals create strong, memorable passwords?

Shane Kawalilak recommends using long, complex passphrases—essentially full sentences—which are easier to remember and significantly harder to crack than traditional passwords. Most websites allow spaces in passphrases.

Why is it important to avoid reusing passwords?

Reusing passwords is a major security risk because if one account is compromised, criminals can gain access to all other accounts that use the same password, leading to widespread data breaches.

What are the risks associated with social media use and cybersecurity?

Posting vacation details or personal information on social media can alert cybercriminals to empty homes, creating a direct risk of burglary. Limiting social media use, especially while traveling, is advised.

SPEAKER_00

Welcome to the Living the Dream Podcast with Curveball. If you believe, you can achieve. A show where I interview guests that teach, motivate, and inspire. In a world where cybersecurity threats are constantly evolving, Shane Kawalilak, a cybersecurity expert and author, is trying to break cybersecurity down in the simplest terms so that we can all understand it. Shane's mission is to help businesses, employees, and everyday people stay safe online. Whether it's phishing scams, you know, an account being hacked, or a business, uh, having sensitive data compromised, Shane tries to help people understand it in the simplest terms. Uh, he's been in the industry 25 years. He has written a book called Don't Be the Weakest Link. So we're going to be talking to him about all things cybersecurity. So, Shane, welcome to the show.

SPEAKER_01

Thank you very much. It is an honor to be here, Curtis.

SPEAKER_00

Why don't you start off by telling everybody a little bit about yourself?

SPEAKER_01

Well, I am closer to the end of my days than the beginning. I am currently still helping my wife homeschool the last of our nine kids. And I've been, like you said, in IT for almost 30 years now. And probably six years ago, I was doing a presentation at a small business, and the guy said, Hey, have you written a book about this stuff? And that question just kind of threw me on a tangent and has basically changed the direction of my life.

SPEAKER_00

Well, talk about what, first of all, drew you into cybersecurity and made you so passionate about helping everyday people instead of just teaching tech professionals.

SPEAKER_01

Well, being a tech professional, I don't know that it ever occurred to me to teach other tech professionals. I always thought, well, all these other geeks know everything I know, plus more, probably. And where my passion came from is just working in large businesses. I'd be responsible for hundreds of people. And what I found was I would go to someone's desk to try to make them part of the IT team. And people don't see the difference. I've got a theory that the IT professionals, those professional geeks like myself, we form the IT department. This is our job to take care of IT stuff. So anything information technology, that's us. But the IT team, that's everybody. If you've got a laptop, a cell phone, an email address with the company, you're part of the team. There's a role you play. And in sitting down trying to teach someone how to be more safe online. And back in those days, you know, the worst thing you get, oh, you clicked on a link in an email, and now I have to delete a hundred thousand pictures from your computer, and I've got to go recover them from backup and stuff. But there was no such thing as ransomware. There was nobody was trying to kill your company, it was just stupid jokes. But I found more and more while I was trying to help people, the end users, become more safe. I found more and more that it was us in the IT department. We were the problem. We were teaching users how to do things that we thought this is for security. And it turns out that the lessons we were teaching were inherently making the end users less secure, and in retrospect, the whole company, you know, and so that's where my passion came from. So it started in well, I have to overcome the fact that we as geeks have been teaching non-technical users stupid things, and now I'll teach that to geeks as well.

SPEAKER_00

Well, talk about the most common mistakes you see people, uh, make online.

SPEAKER_01

Oh, probably the number one thing is reusing passwords. You know, uh, every site has a different password, just don't reuse, you know, you have to have a great password. A great password has to be long and I mean over 12 characters, it has to be complex, it has to have all four character types, even though some places don't even let you use four character types yet, and it has to be never repeated. And once people have that down, that's the foundation of their security, and then we add on from there. But people think that the password's the only thing that can get stolen, and it's not even the most important thing because these criminals out there trying to steal your information. There's so many other things that they want, you know, they want your date of birth, they want your home address, they want the things that they would use if they sent you an email or phoned you. What could I say that would convince Shane that I'm the person from the phone company, from the bank, from whatever? And it's rarely a password. If somebody from my cell phone carrier called me up and said, Hi, is this Shane Kawalilak? I say yes. And he says, Is your password for our website this? I'd be like, dude, I don't know what my password is. Why would you say it out loud on a phone? You know? But if he says, This is your address, this is your date of birth, this is your account number, my guard goes down. And so people need to know what that other data is. And for the most part, when I meet people, they don't care. They're like, Oh, I just protect my password.

SPEAKER_00

So well, what is the biggest cybersecurity threat that businesses are underestimating right now?

SPEAKER_01

Uh I it's probably been the same thing for a decade. It's it's the end user phishing attack. You know, they spend this money on sending out emails or forcing end users to go watch a 15-minute video and they think, oh, now the people know not to click on links. Now the people know that they have to have good passwords. They and it takes more than that. Like when I go to a business and I do a workshop or you know, even just a one-hour training session, my job is to change your mindset. You know, yes, it takes five minutes to tell you what a great password is and to convince you you have to use it, but how do I how do I get your mindset to move to a place where you are being more secure? You're acting as a a better steward of your company's data, and that's the stuff I focus on. You know, moving that cyber secure mindset to a place where, you know, your company could pay me anything. If I could guarantee that the end user wouldn't be the entry point of an attack, I'd be a billionaire. Large companies would just pay me whatever I wanted because I got a guarantee. But because I can't guarantee I could teach someone something, and five minutes later they do the same thing I just told them never to do. So rather than being a checklist and saying this is what Shane said to do, I want it to be in your head. I want you to be thinking about these red flags and you know, learn to act different and behave different moving forward.

SPEAKER_00

Well, share some instances of uh strong passwords, so so uh the the listeners will know the difference between a uh good uh you know strong password and not so good password.

SPEAKER_01

In the book, I have we used a piece of software to come up with a good password and stuff, and we're testing it, and I I really promote passphrase. Every time you hear the word password, think of a passphrase. So use a full sentence. Most websites will let you use spaces. When I when I type a password for like my Office 365 or my Gmail or something, my password is going to be a full sentence. And I think in the book I used, we used uh please tango. It was 11 characters, uppercase, lowercase, and then we slowly made the password harder, and it got to the point where when you started, the password could be hacked in hours, and then after you've slowly made it harder, you get up to 45 years or something. And then I said, All right, now use all four character types and 12 characters, and just changing one character, we went to 16,000 years to hack it. Now that's a good password, but what if computers get a thousand times faster? You know, what if they get a million times faster? 16,000 years isn't a lot of time and cut into a million. But a passphrase, the password I used on one of my email accounts for years was I love, I love our seven children with an exclamation mark. So I have four spaces, I have an exclamation, I have a number, I have uppercase, I have lowercase, but it's a full sentence. So it's fast, it's easy to type. That's what you type all day. You know, if if you type exclamation hashtag uppercase r lowercase k, if that's how you typed all day, you'd be fast at it, and it would make a decent password. But I love our seven children, I could type that in less than a second. Nobody could see it when I'm if they're looking over my shoulders, and I use that password well into my wife's ninth pregnancy, and I felt a little guilty, but it was a great password. Oh, there are so many examples. It seems like every week I hear about something that makes me rethink something I thought I knew. There was in the book I talked about St. Mary's Healthcare Center. 
This is a hospital, I think it's uh in Illinois or something, but they got breached by ransomware, and in my mind I'm thinking, this is healthcare, this is you know federal jurisdiction. But this hospital ended up going out of business, and the ransomware attack was the first part. You know, you've got a hospital that can't bill Medicare for six months, that's a lot of money. But the systems are down. Yeah, we can see patients, we could take cash, but anything going to Medicaid or Medicare, they couldn't bill out. And that just got the ball rolling. And suddenly there's a hospital out of business, and the residents of that area now have to drive an extra hour or something to another medical facility. And that really struck me. I thought, I I never thought of talking to healthcare workers because I thought, uh, the IT guys that run the hospitals are good, they're training the users, and what could I add? But after seeing that story come through its fruition and end up with a hospital closing, I thought, man, I don't know that there's anybody out there that doesn't need to learn more about cybersecurity. Because if a hospital can fail, who who's safe out there?

SPEAKER_00

Well, for small business owners that feel overwhelmed by technology, what are three things that they can do to start to protect themselves?

SPEAKER_01

Oh, the first thing I'd say is grab a copy of my book. You know, uh, any of your listeners can download it for free. Just go to that curveball337.redflagit.com. They download a free digital copy, PDF or ebook for their e-reader. And if you don't have time to read a book, just go to the website, dontbetheweakestlink.com or dbtwl.com if you're lazy like me. And if you go there and click on the book, everything that's in the book, we go through story time in every chapter. Every chapter has time travel tips, which we've updated on the website as technology changes. So, you know, if I say this is the best piece of software to do A, B, or C in the book, well, stuff changes. So we update the website so I don't have to come up with a fresh edition every six months of the book. And then there's also play-along section. Every chapter basically has homework. Go click on this, do this, and if somebody would just go through and do those things on their own, they can do it just off the website, and they will notice such a marked improvement. And the problem with the small businesses, from where I'm at now, because that's who I do most of my work with, is you know, you've got a large company, you've got the C-suite who sits down together, and you know, 10 people sit at a table and roll out policies that they push down to hundreds of thousands of employees. There's time to think about these things. But you get to a small business where there might be an owner, an accountant, and an office manager, and that's a big team for this company. Whose responsibility is it to think about cybersecurity, to make sure that the people logging into computers are doing it securely, that people are monitoring their email, not clicking on links, you know, not going to unsafe websites. I don't, it just doesn't happen. That's the kind of stuff that slips through the cracks. And it's why I like working with small businesses.
There's way less money in it, but I find that they they really they hunger for the information, but they just don't have the time to you know find me or find my book or you know, get out and train their employees.

SPEAKER_00

Well, talk about the psychological tactics that cyber criminals use to get sensitive information from users.

SPEAKER_01

Oh, that's a good question. There's a few of them. Uh, on the website, there's actually, uh, a page called Cut Sheets, and one of those cut sheets is about red flags, which is why I named my company red flag it, because I think it's so important to know what these red flags are. And when you look at an email, someone's sent so phishing is basically, and for your audience that don't know, it's phishing starts with PH instead of an F. An F is with a rod, PH is with a criminal. And when they send an email to you, a phishing attack is them pretending to be someone they're not to get you to do something that you would never do if you knew who they really were, and they'll use rushes, hurry like time is a big component of their stuff. It's like, oh, this is urgent, this has to be done today. And if you're an accountant and someone pretending to be the CEO sends an email and said, This has to be done today, are you texting or calling to double check? No, if he does this often, you're probably doing that right now. So, um, time's a big one. The links are important. Anytime there's a link in an email, if my wife sends me a link, I'm looking at it, I'm like, why would my wife send this to me? You know, was I expecting it? So you've got to be careful about basically every part of the email, but attachments are dangerous, people don't realize what could be hidden inside a picture or a PDF form. You know, these aren't the old days where they have to send an executable that your antivirus will stop. It's harder for systems to prevent these things if the end user isn't looking for red flags and they're just randomly clicking things.

SPEAKER_00

So where do you see the future of cybersecurity heading with AI becoming more advanced? Should uh people be excited or concerned?

SPEAKER_01

Oh man. I think you should have a healthy reverence for both. I think AI is crazy exciting. I'm you know, one of the worst things about AI right now is the number of intelligent people trying to stop it or slow it down. This is the genie's out of the bottle. AI is here. So having a healthy admiration for the tool and using it is one thing, but I don't want to be the guy that shares the doom and gloom because I love AI, but the tool is being used in ways that make like you said, when we're talking about passwords being hacked, AI is scraping databases and it's it's giving some decent passwords that people would guess. And you know, the way AI is pulling data, someone can open up a tool that goes out to the internet to look for stuff on Curtis Jackson, and when the guy gets home from his day job, it's found like 75,000 links and pieces of detail about you from your birthday to your favorite color to your you know, all those security question answers. Your what was your first car? It's it's grabbing information that wasn't possible without the use of AI. So, yeah, it's wonderful, but it's also being used in some pretty nefarious tools and systems right now. So um I say that one of the most important things is just to educate yourself, you know, know what you're doing. I saw someone a couple months ago using uh an agentics, so not just AI like a search engine, but AI like a program that will do stuff for you. And she had it open on her computer, and she gets this little message that the AI wants to pay her phone bill or something. And I'm like, you let AI in your bank, and she looks at me and she goes, I don't think so. She wasn't even aware, but because she authenticated to the browser on the bank, the AI has access to her bank, it sees that the bill is due in an email, and it's just trying to be helpful. That's what AI wants to do. It wants to make your life easy. It'll be easy if I just pay this phone bill for you. 
And that scared the crap out of me that this lady who did not have the technical base to be managing a tool that could do this was in a situation where she had a tool that was potentially emptying her bank account. Because I don't know if that AI tool would know the difference between an email from the phone company or an email from a hacker in Southeast Asia, and suddenly it drained its bank account. Oh, to make your life easy. I just paid that bill for you. What bill? So yeah, be afraid of it, but question it. You know, use the tools, go experiment with stuff, go read some stuff on it, and don't just believe the hype that it's gonna take over the world. You know, it might, but not this year. And don't believe the hype that you know, people like, oh, it's perfect. There's no downside to AI. Neither one of those positions is very strong, you know.

SPEAKER_00

Yeah, well, tell us about any upcoming projects that you're working on that listeners need to be aware of.

SPEAKER_01

Oh, upcoming projects. Uh I have a couple a couple presentations that I'm reworking. Every time I do a presentation, I like to customize it for who I'm speaking for and stuff. And different industries have different requirements, and um I enjoy just you know talking to the people that work at a company ahead of time and saying, so what's your biggest problems? And you know, what what could you what would you get the best result out of me helping you with? And I have people uh, you know, out of the blues, like it was where I started passwords. I started talking more about passwords because I'd get this over and over again. People say my passwords aren't good enough. And I'm like, okay, well, then let's cover that. Almost every presentation I do has five minutes about defining a great password and just showing you the difference between a password that's good for you know 12 hours or 45 years, and then that I love our seven children with the same tool was good for like a hundred million trillion centuries. It was like 22 zeros. That's no comparison to 16,000. So great is a necessity in your password setting. And I have the Don't Be the Weakest Link book. We are actually working right now on taking the changes we've made on the website and some other future changes. We were just talking about it this afternoon, and we are looking at releasing actually a second edition. Uh, so that'll be cool. Anyone gets the free copy will also get an email if they sign up for the email list so they can go and update their digital copy of their book as well when that gets when that happens.

SPEAKER_00

Absolutely. dontbetheweakestlink.com. So close this out with some final thoughts, maybe if that was something I forgot to talk about that you would like to discuss. So any final thoughts you have for the listeners.

SPEAKER_01

Final thoughts for the listeners. You know what? I my number one thing is I would like people, and this this is helping cybersecurity, but in a very indirect way. I would like people to set technology down more often. I think I think a lot of our world problems go away if people don't have a phone and aren't staring at a screen, just sit and talk to people and get to know people. I find social media is probably one of the worst things out there. And it really divides people and it gives people I'm not gonna say permission, but it gives them agency where they they think it's okay to act a certain way where they would never do. If somebody was sitting down at a desk with Curtis, they'd never say the things they'd say to Curtis online. And I'm like, stop saying them online then. You know, social media is an attack haven for cyber criminals. People on social media are posting pictures of vacations while they're on vacation. I can't even count how many criminal operations there are where people's houses are broken in on vacation. You know, they used to have to drive around and look for lights that were off and stuff and look for newspapers piling up on the doorstep. Now they just follow you on social media and they're like, oh, Shane's on vacation, let's go to his house. And it's dangerous because of what if, you know, I've got lots of kids. There's probably a kid still here. So when you're on vacation, be on vacation, stay off social media. When you come home, share all your pictures. Look where I was last month. You know, this is cool. So yeah, just spend less time with technology and spend more time with people. That's what I would like people to do.

SPEAKER_00

Absolutely, ladies and gentlemen, and I will put the links in the show notes. And if you are online that you know people that are online, which is a lot of us, please follow, rate, review, and share this episode to as many people as possible. Get a copy of Shane's book, uh, whether you're just an everyday user or you're a business owner or you're employed. And also share www.curveball337.com to everybody you know to keep up with all things living the dream. Thank you for listening and supporting the show. And Shane, thank you for all that you're doing, bringing awareness to the importance of online, uh, security. And thank you for joining me.

SPEAKER_01

Thank you for having me, man.

SPEAKER_00

For more information on the Living the Dream with Curveball Podcast, visit www.curveball337.com. Until next time, keep living the dream.