Business Growth Accelerator

176 | Your competition is likely spying on your business, but you CAN protect yourself. Advice by Robert Kerbeck, a business spy for 25 years

Isar Meitis Season 2 Episode 176

Your business isn't too small or unimportant for someone to spy on you. Sadly, it is extremely easy to extract highly sensitive information from employees and co-workers.

Such information may include anything that your competition can use in order to gain an unfair advantage over you: lists of clients, contracts, your pricing, your top talent's compensation packages, budget, best marketing channels, etc.

Robert Kerbeck spent years as a business spy before he switched sides. He claims that in a few minutes he can find out all that information about almost any company with a few simple phone calls.

In this episode he shares:
💥 The techniques that can be used to extract such information
💥 Who the easy targets are
💥 And, most importantly, what your organization can do to protect itself

Connect with Robert on LinkedIn



Hi, it's Isar, the host of the Business Growth Accelerator Podcast.
I am passionate about growing businesses and helping CEOs, business leaders, and entrepreneurs become more successful. I am also passionate about relationship building, community creation for businesses, and value creation through content.
I would love it if you connect with me on LinkedIn. Drop me a DM and let me know you listened to the podcast, what you think and what topics you would like me to cover 🙏

Isar Meitis:

Hello and welcome to the Business Growth Accelerator. This is Isar Meitis, your host, and I have a special topic for you today, one that I've never actually touched in 175 episodes of this podcast. And the topic is gonna be about business intelligence or business espionage, and it's a real thing. And I know a lot of people, myself included, running multiple businesses, totally ignore that topic because in your head, "well, I'm too small, I'm too different. Why would anybody spend the time to spy on me, et cetera." But the reality is, just think about what you could do in your business, or what your competition can do to your business, if they had access to, let's say, your pricing, or when each of your contracts ends with the people that they support as well, or which one of your clients is experiencing difficulties with your products or services, or if they knew the compensation package of your top talent, or if they had access to your sales presentations, or your marketing budget and how you invest it, and so on and so forth. Obviously, if you know that about your competition, it's a huge tool; if they know it about you, you have a problem. So like I said, most business leaders, myself included, totally ignore that because it's not a comfortable thing to talk about. It's one of those things you'd rather, you know, push under the carpet and never look at. But the reality is it's real and it's out there, and companies are doing it to their competition all the time. And hence, I'm really excited to have Robert Kerbeck as our guest today. Robert has been doing this, meaning helping companies avoid being spied on, for over a quarter of a century, so he knows a thing or two about this topic. He is also the author of the book Ruse, that talks about business intelligence and how to be more aware of it and how to avoid it.
And again, since this is a topic that is critical, that could cripple a business or help it excel, I'm really excited to have him as a guest today. So Robert, welcome to the Business Growth Accelerator.

Robert Kerbeck:

wow. Well, thank you. What a great introduction. Isar.

Isar Meitis:

Thank you, Robert. I assume you didn't go to college to be a business espionage expert, because I don't think they teach that in college. So take me back to when in your career, or what event in your career, was the aha moment or the aha process. Sometimes it's just one thing that kinda, like, had the light bulb going above your head and saying, this is a big deal and somebody should do something about it.

Robert Kerbeck:

Yeah. So, you know, I, my hometown is Philadelphia. My Eagles just lost a, a tough game in the Super Bowl, unfortunately, but they had a great season. And my great-grandfather sold horse carriages in Philadelphia before cars were invented. And when cars were invented, he switched over, became one of the first car dealers in Philadelphia. My grandfather took over that business. My father took over that business, and I was supposed to take over that business. But when I was in college, I kind of fell in love with acting. I wanted to try to move to New York to be an actor. I didn't know anybody that had done that. It seemed insane. So when I graduated, I worked for my dad, but something about car sales just didn't feel right. Kind of the trickery, you know, of sales, the dishonesty of car sales. So I finally got the courage. I moved to New York, and of course actors need survival jobs, and who stumbles into a career as a corporate spy? But that's what happened to me.

Isar Meitis:

So. Pure luck, basically.

Robert Kerbeck:

Happenstance. Just crazy. You know, the, the, you know, the luck of the universe or the bad luck of the universe to, you know, I don't think of it as bad luck. I mean, look, I would not recommend my career as a corporate spy to anyone, though clearly it's a hell of a good story. And, and people have been very interested in the story and in my book. You know, you gave a great introduction because all, every single thing that you said about what spies do, what spies are after, that's what we did. Everything that you said, that's what we were after. You know, people would say, well, what kind of information are spies gathering? And I basically say, we were hired to get the playbook on our competitor, to use a football analogy. So our clients would come to us, and our clients were the largest companies in the world, the largest publicly traded companies in the world, and small private companies. And they would always come to us with a laundry list of things they wanted to know about their rivals, which was usually anything and everything from A to Z. And it was our job to go out and get that information. And I'm here to tell you, as a spy, I got that information for my clients 99.999999% of the time. Wow. And you wanna talk about, you know, the name of your podcast, which I love. You wanna talk about a way to accelerate your business? How about learning everything about your competitor? Everything about how they're set up, how their products work, how their products are priced, who the top talent is, what they have in the pipeline. Are they expanding? Are they contracting? Revenue's up, revenue stats, you know, contracts, clients, everything. Think about how quickly you could accelerate your business. And by the way, that's what we were hired to do. You know, we would be hired by someone that in their market was number 7, number 9, number 15, number 6, because they wanted to be number 1 or number 2.
Yeah, and that's why they would hire us, and then we would go after the top two or three firms in their industry. We would study the top two or three firms in their industry, and then we would furnish them these reports that had all of this intelligence to help them move up.

Isar Meitis:

Wow. First of all, it's really a) eye-opening and b) disturbing, so depending on, on, on how you wanna address this topic, I guess. But let's talk about the practice itself. First of all, I assume the fact you were an actor, or an aspiring actor, probably helped you. But let's really talk about you. The, the information could be anything, but the methods, I assume there's a list of methods on how companies approach other companies in order to get in. Can you give us the top five ways that companies, that spies use in order to have access to company information? You mean how we would get the information? Yeah, yeah, yeah. So I, I assume it's a mix of technology and human engineering,

Robert Kerbeck:

correct? Yeah, correct. You know, I like to say that I hack people, not systems. Okay. And you know, at the end of the day, you know, we live in an era now where cybercrime is a, you know, nearly a trillion-dollar industry. Cybersecurity is of the utmost importance. We're seeing the proliferation of ransomware attacks, which, by the way, are only going to get worse. I read an article the other day that said in 80% of ransomware attacks, no one is caught, no money is recovered. So why would anybody stop doing ransomware if you have a four out of five chance of completely getting away with the crime? Yeah, yeah, yeah. Right. So, when we started out, so we're talking early '90s, the woman who had this small spy firm only hired actors, right? Because we could obviously do accents, we could do voices, we could create personas, we could create stories. And obviously we were good storytellers, and so we would convince people to tell us things that they should never tell us. And in the beginning we would go in person, we would go to conferences, we would go to events, we'd go to bars. But what we quickly learned was that we were able to gain much more information using the anonymity of the phone call. To get people over the phone to believe we were some executive, cuz we could imitate executives' voices. You know, all I had to do was call and listen to an executive's voicemail. Hey, this is Rick Jones in compliance. I'm not here. Leave a message. And I could go, oh, I can imitate his voice. And then we would all of a sudden be calling someone as Rick Jones, and people on the other end of the line would be like, oh my God, I got the head of compliance. Oh, oh yes, Mr. Jones. Oh my gosh. Well, how can I help you? Because people in corporate America, corporate around the world, are taught what? They're taught to be a good teammate. They're taught to help out people. And firms now, small and large, have offices all over the place.
Even a small firm will have two or three offices in two or three different locations. They'll have an office in Israel and they'll have an office in Hong Kong and they'll have an office in the US, even a small company. And so you can be somebody from a different office. And people will know that person, but they probably don't talk to that person that often. Maybe they've spoken to them once, you know, whatever. And, and by the way, we would kind of do research to understand what were the odds of these people knowing each other well. And, and again, that was a big thing about being a good corporate spy, is you would do a lot of research in advance before you made any of these, what I call rusing phone calls, you know, hence the title of my book. And so in terms of, like, the top five techniques, it's a little tricky to say because every call was bespoke. In other words, custom. Whatever ploy we were gonna, you know, and in the book I detail the compliance ploy, the inside ploy, the dropping-the-grapefruit ploy. And I won't spoil it for any potential readers or, or listeners, cuz my book is on Audible if people like to listen to books. So I don't wanna spoil it for anybody. But yeah, all of the ploys we used are delineated. So you can see them in action and then, of course, I hope, learn. Wow, I need to let my people know not to do that, or, you know, I, I need to let my mother know not to do that, because, you know, their corporations are being phished and scammed and individuals are being phished and scammed. Right. For sure. And so we all need to do a better job of recognizing these things in advance, because corporate America and, and again, global, global corporate, you know, companies are spending insane amounts of money to protect their systems, their servers, the firewall, the encryption, the blah blah, blah, blah, blah, and a minuscule fraction of that on training their people and educating their people not to get hacked.
And if I can hack your people, I don't need to hack your systems. I can have your people do it for me.

Isar Meitis:

Awesome. So, so let's talk about this. Really, let's talk. What should training like this look like? What should, yeah, let's say, let's start with the employees first. Like, if I'm an employee of a company, what are red flags that I should know is a red flag when somebody's calling me or somebody sent me an email, or, doesn't matter. Today we have, right, 50 different means of communication, no, WhatsApp messages, right, Slack channel, doesn't matter. Right? But whatever, whatever the case may be, somebody's in communication with me saying they're somebody else, which again, happens to me every single day, multiple times. Yeah. Because I communicate with a lot of people from within the organization, from outside the organization, suppliers, clients, potential, whatever. What are red flags I should be really aware of that would say, huh? This doesn't add up, and I should probably raise a hand, stop what I was about to do and ask somebody. Right.

Robert Kerbeck:

Well, before I answer that question, the first thing I wanna say is that corporations need to do penetration testing. They do it all the time with their technology, but they don't do it with the human being. So they need to hire someone like me. And they don't have to hire me, but there are other people out there that do this kind of penetration testing, for the social engineering, the human component. And they need to basically, in real time, see how bad their problems are. I'm telling you, 45 minutes, I can learn anything I want to know about your company. 45 minutes. Right. So if you're cool with that, well then, you know, you can, you can click off this, you can click off right now, right? But if you're like, oh my God, then you need to get this kind of penetration testing, because even if I give you the tips, which I'm gonna give you now, your employees are turning over, right?
So, so, so the people that you train today, you know, the, the 25 people you train today, the 250 people, the 250,000 people, whatever, they're constantly changing. So if you're not keeping the education up, first of all, people are gonna be inexperienced. And by the way, I'm looking for the inexperienced people. I'm going on LinkedIn looking for the new hires, cuz those are the people I'm gonna use to help me hack, right? So a couple of techniques. Number one, it's always an emergency. It's always an emergency, right? We all get the phishing emails, the phishing texts, and the phishing phone calls, and there's always something you need to do right now. Please, you gotta click on this. You've been hacked, your credit card information has been stolen, your bank accounts are in jeopardy. You know, same thing on the corporate end, right? There's been a, there's been a, an attack of spyware, and so you gotta click on this to make sure you're safe, or whatever it is. So I, I have people, you know, remember when we were kids, we had the 5-second rule, you know, that if, if your gum fell on the ground or your chocolate candy fell on the ground? Yeah. You know, your mom could pick it up and put it in your mouth. 5 seconds, it was okay. Well, I, I said, okay, look, we're older now. I think we can handle a little bit longer than 5 seconds. I have a 30-second rule, which is when you get the crazy email, crazy text, crazy phone call, you don't do anything for 30 seconds. Don't do anything for 30 seconds. Think about it. Put the device down, close the laptop, walk away. Think about it. Then go back after 30 seconds. And now I guarantee you, when you go back, you're gonna look at that same thing that, when you were panicking, you were about to click on. Oh my god, I've been hacked. Oh my God, the company's been hacked. And you're gonna think about it, and now you're gonna look at it and you're gonna go, oh, well, oh wait. And you're gonna see how it doesn't make sense.
So that's something I think is really big, is to be aware that it's always gonna be an emergency, and to use that 30-second rule. I love that.

Isar Meitis:

You know, I, I was a, a, a fighter pilot instructor in the Israeli Air Force Academy. Mm. So we, we were flying with young cadets who had just started flying, and you teach them how to handle different emergencies. You do it in the sim and then you do it in the actual airplane, whatever you can. Right. Not everything, but what we always told them, the young cadets, is when you have an emergency, there's one thing you're allowed to do, which is to click. There's like, in all the airplanes, I'm gonna date myself, but it's like an analog stopwatch that's mounted on the top of your hood, and you, you could click it and it would run, like the needle would go. And I said, the only thing you're allowed to do in the first 30 seconds is to click the thing. Hmm. And think for 30 seconds, because nothing you're gonna do is gonna make such an amazing difference in the first 30 seconds unless you lost an engine. That's a, a big difference, but that's very, very rare. Any other malfunction you're gonna have in the airplane, your chances of doing something wrong because you're panicking as a young cadet and making the situation worse are higher. Yeah. Than doing the wrong thing in the first 30 seconds. So it's the same exact rule. Yeah. But they literally, like, click on the button and 30 seconds think about the malfunction you just have. Yeah. And that gives you, like, that chance to take a deep breath. Okay, what am I actually facing right now? Versus pulling a handle or pushing a button or something.

Robert Kerbeck:

Whoops. Reversible.

Isar Meitis:

Right? That's right. That's not something like, oh, I shouldn't have done that. So, that's right. Same exact kind of thing. I think it's a phenomenal guidance. So you're saying from an awareness perspective, be aware that it's gonna be an emergency from a do something perspective is take a deep breath, walk away, don't do anything. Come back after you had time to digest. Yeah.

Robert Kerbeck:

Or show it to somebody before you do anything. Show it to your supervisor. Show it to your head of IT. You know, you know, go, go to, you know, somebody else and say, hey, because again, another pair of eyes on it. All of a sudden now everybody's looking. Everybody's thinking, now you're thinking. So you're not going to make that mistake where you click on something, and in this era, one click can be enough that the damage is done. Right. Which is pretty, you know, pretty intense, but unfortunately it's true. One click and you can cause a tremendous amount of damage to your firm.

Isar Meitis:

So what's the second thing? First thing is emergency, and take time to think about it. What's the other thing?

Robert Kerbeck:

Well, there are a lot of other things. Another thing is that these, these phish attempts, these rusing attempts, these social engineering attempts are trying to create some sort of rapport and friendship. Right? Okay. So I'm gonna make you my buddy. You're my buddy, right? So, you know, if I'm calling you on the phone, if I'm sending you an email, you know, hey, it's so-and-so. I run this team. Oh, I've heard about you. You do this thing. Oh God, I'm, you know, I can't believe we've never met, or I can't believe we haven't corresponded, whatever. I'm, you know, but I'm utilizing this thing, this kind of friendship thing that, you know, I'm kind of like your best friend, your new best friend, and, and I'm jammed up. We're on the same team. Help me out. Help me out, buddy. And I'm gonna tell you that most times in corporate America, you know, people are all too willing to do that because again, they're thinking we're, we're with the same firm. Yeah, we are kind of buddies, you know, corporate buddies. And that was something, you know, especially when we would use accents and we would be from different offices, you know, so, this is Gerhard calling from the office in Frankfurt, Germany. We have European Union regulators here, and we need some information from the States. Oh, hey Gerhard. What's up, buddy? Oh yeah, I've seen your name. You're in Frankfurt, right? Oh, ja, man, Frankfurt. Oh, it is cold here, ja, you know, and oh. Oh, hey. Well, wow, so weird. You're calling me from Frankfurt. You need information. It's Germany. Oh, okay. Well, what do you need? Right. They're, they're not thinking, wait a second, why the heck does the guy in Germany need information on the US server systems, financials, talent report, compensation, whatever I'm asking for. And by the way, sometimes it's all of those things, right? I'm asking for all of those things. Yeah. But they're like, well, he's, he's a real guy. He's really in Germany.
You know, I'm impersonating someone that exists, and what are the odds that somebody put on a fake German accent?

Isar Meitis:

It's a, it's like, yeah. And, and calling me on something I actually know, like,

Robert Kerbeck:

correct. Yeah. Yeah. Correct. And you know, one of the things we learned in our spying was that the, the crazier the ploy, the more insane, the more outlandish, the more believable it was. Do you know how many times, do you know how many times people said nein to Gerhard? Never.

Isar Meitis:

So, okay. So rule number two is when something sounds crazy, too good to be true. Too good to be true, it's probably not true. Yeah. Even though what you tell me is it's the other way around, because people are saying, what are the chances that somebody would make up this scenario? Right? Right. So, but, but you're saying the reality is, if it's a scenario that doesn't, doesn't make sense, it doesn't.

Robert Kerbeck:

That's right. That's right, exactly. And your instincts. You know, cuz so many times I would, you know, back in my spying days, cuz obviously I, I'm retired and I've been retired for a while now, and I consult, you know, I've gone from offense, so to speak, to now defense, right? I help firms defend themselves. so, you know, it, it, it, but people would always question and they, and they would go, wait a second. Now why does a guy in Germany need, ah, okay, here it is. So their instinct was to say, Yeah, but they would overrule themselves. So their first response was, this isn't, this isn't. Ah, okay. You know, and I think that's the thing that people, again, in terms of the training and the penetration testing, a lot of times we tell people, think about it. And once you think about it, usually your first instinct that something's wrong here, something's fishy, there's a red flag, it's right. Your instinct is right. Yeah,

Isar Meitis:

A good friend of mine used to work, he, he's an IT guy. Again, now he's in IT security, but back then he was just an IT guy who was working for a, a, an internet supplier in Israel. Mm-hmm. And, but his background is like special security forces in Israel, the people who guard the president and so on. So he is very, very aware of stuff that doesn't add up. Right. And he was walking down the corridor and he sees a guy, like, dressed up in like a working uniform, carrying a ladder and some tools. And he's like, who are you? He's like, well, I'm here to fix this, this and that. I came here from this and that contractor. He said, do you have any paperwork? And the guy pulls out paperwork and shows him. He's like, come with me. Puts him in a room, locks the door and says, wait here. Yeah. And concentrate. And he's like, why? And it was penetration testing done for them by somebody that they hired. Wow. And he's like, how did you know? He said, because you have brand new shoes. Your ladder doesn't have any stains on it or any dings on it. Yeah. You're not a service person. You've never done this in your life, because otherwise you would look like you're doing service. So, but you need this kind of mindset, which 99.9% of us don't have. Like, somebody walking with a ladder down the corridor with a bunch of tools just makes sense. That's right. If it's a big corporate, like, people are fixing stuff all the time. Right. So you're saying be suspicious of stuff that doesn't add up. What other red flags are out there that people need to be aware of?

Robert Kerbeck:

Well, I mean, that's such a great, you know, incident that you just described, and how on it this guy was to, to pick up on that, to pick up on those clues. And so what I tell people now is that the clues can be difficult to pick up on because I, you know, look, I was a very good corporate spy. By the end of it, I was making millions of dollars a year, turning down major corporations cuz there was so much demand for my work. I could only do so much spying, you know? Yeah. So, what I tell people now is, you know, there was this very famous expression, I think with Reagan and the Russians during the Cold War, which was, you know, in the nuclear disarmament, trust but verify. Right? Trust but verify was like a big thing about, you know, okay, well, we trust you Soviets, but wait, we need to verify that this is the truth. And I say, forget the trust. I say, you gotta verify. You gotta verify. And so when you get the strange call, and by the way, the social engineering phone call, everybody thinks phone calls are dead. I'm here to tell you again, 45 minutes right now. I have tricks that I use to get people to pick up the phone. People pick up the phone, and in a weird way, the phone is even better than ever because people are just not expecting it anymore. They don't get that many work calls. They're, you know, you know, and, and work calls are scheduled. They know somebody. So to get some strange call that's an emergency, people respond to it. They're like, oh, wow. This must, this, this has gotta be legit. This has gotta be serious. Sure. How can I help you? What do you need? Yeah. So I tell people all the time, you have to verify. Forget about trusting, forget about believing it. Is the email correct? That, that you gotta go right away. I need to be sure. I need, this needs to be proven.
and if it's a phone call, you're just gonna say, look, if you are who you say you are, you're gonna send me an email now on the company's, you know, from the company's, email system, and you're gonna tell me exactly what you're doing. You're gonna CC your superior on it, and you're gonna, you know, have to put all this information in there. You know, and of course you're not gonna get that email because the person is trying to, you know, our job was to get the information right away because if we don't get it right away, you, if you're suspicious and you kind of bust us, that's what we would call somebody that would go, yeah. Hmm. Now you're gonna spread the word throughout your company. Hey, somebody's calling seeking this information. They're trying to penetrate us. Right. You know, and we don't want that. So we, you know, we have to be very careful or spies have to be very careful. And so they're very subtle with that. And that usually, you know, in that situation, if somebody says to me, you know, I, I need an email, I need an, you know, you need to, and I'd say, No problem. I will send you an email. I will cc my boss. I will have every single thing on there. You'll be absolute all. Okay. Okay, good. Well, I, I just wanna be sure. Yeah, no, no, no. Trust me, I will have that email to you within an hour. It'll have every single thing in it. Okay? Okay. I, I'm sorry to doubt you. I'm sorry to doubt you, but I just have to be sure. No, you did the right thing. You did the right thing. and by the way, I got a couple other things I gotta do. First it might. You know, maybe a little bit more now, but definitely by the end of the day I'll have the email to you by the end of the day. Worst case scenario, first thing tomorrow. Okay? Okay. No, that's fine. Well, what have I done? I've put this person to sleep. Because now they're expecting an email, which at first I said would come within an hour, but it's not gonna come within an hour. 
Now I said, end of the day, it's not gonna come within. Now I said, first thing tomorrow. It's not gonna be there first thing tomorrow. But now they're not telling anybody else at the company about this strange encounter because they're expecting it's going to be verified and it's gonna be proven. And what does that do? It gives me time to find someone to give me the information I want. And that's another thing that spies do, is they're very good at, when somebody is resistant, they, they read that person very well. They don't push it too far. They calm that person down so that that person's not gonna give 'em the information, but they don't want that person spreading the word throughout the firm.

Isar Meitis:

Yeah, yeah, yeah. You don't want anybody pulling the alarm handle on the wall.

Robert Kerbeck:

That's right. That's right. Yeah, exactly. Yeah, exactly. And that person's hand was on the... Yeah, yeah, yeah. You got them to release it and go, okay. And now you're still good. You're still good. The, the, you know, the, the bank robbery is still on, you know, you're still, the, the plan is still on. Yeah.

Isar Meitis:

Yeah. Interesting. I, I wanna ask a very technical question, which I think I know the answer to. I assume in the beginning, that phone call or that email or whatever, if you can, comes from, or looks like it's coming from, within the organization itself. Right. So by definition, you're probably gonna spoof a number or an email, or, correct, whatever, if you can, correct, to make that work, to make it look more legit. Is that a reasonable, correct assumption?

Robert Kerbeck:

Yeah. Correct. Yeah, yeah, yeah. So in the beginning, what we learned was that when you would call a company, and some companies still have this, which is kind of embarrassing, if you would call a company, you call one of their numbers and you would ask that person to transfer you to a different internal number, your number would now show up as the previous number. So you would call the first number and you would pretend you got the wrong number. You'd go, oh my gosh, I called your switchboard. They switched me to your number by mistake. I don't know why. I guess they're new. I really wanted, you know, this person over here, their number is this. And then they go, oh, no problem. I'll just transfer you. Oh, thanks so much. And now your number is showing up as internal. Right? Of course, now we use call spoofing to do the same thing, right? So you can call spoof, you can get a, a different number to show up. And of course, all your listeners right now, we've all been call spoofed. We all get a number that shows up on our phone that looks familiar. Sometimes it'll have the same prefix that we have. Right? Yeah. Sometimes it'll actually be a number that's in our phone because they've seen that we've called that number, cuz they're tracking us. And so all of a sudden now you're, you're, wow. You're answering that. And then it's some sort of scam, con, phishing thing, whatever ruse. Yep.

Isar Meitis:

Fascinating. So now we know all these things that are red flags. What should an organization do in order to A) get people better trained, and B) what's the process like? What do you recommend now in your current job as, like you said, playing defense? What are best practices to have within an organization, large or small, that allow you to, I wouldn't say avoid, because you probably cannot avoid, but reduce the chances of being hacked?

Robert Kerbeck:

Oh, yeah. And you can reduce the chances significantly. I mean, significantly. Look, if I can call your company and now on one try get the information, I mean, that's just ridiculous. But if I have to call your company and I get, you know, what we call busted, rejected, and this person busts me and that person busted me, and that person busted me, and that person busted me, and then finally I get somebody that gives me some information, but then this person busts me, you know, that's what you want. Is you want nine times out of 10, 19 times out of 20, 49 times out of 50, whatever, the person is getting shut down, right? And there are companies that, that have those high percentages. Apple is a great example. Apple's one of the most secret, you know, secret firms in the world. You know, Steve Jobs from the beginning, he put the fear of God in his employees because he told them, don't ever talk about anything you do to your partner, to your kids. Don't, don't talk about that you're designing the new iPad. Don't talk, don't talk about anything, because if you do, forget about just being fired. Yeah, you're gonna be fired, but we're gonna sue you. We're gonna prosecute you. And obviously people were like, "whoa." And he was serious. And of course at Apple, people don't. They don't release those secrets. They don't fall victim to this. But I'm telling you, that is the exception to the rule. So I think companies, first of all, one thing is that this type of training can be a lot of fun. You know, a lot of training is kind of boring, but you put me in a conference room, you know, with a hundred employees and we go through some of these ruse scenarios where I bring people up and we role play, and we, and it's hilarious. And, and people actually are falling out of their chairs laughing at some of the shenanigans that I talk about, people doing what, what I used to do. So it's a lot of fun, right? And when you can make training fun for people, they remember it, right?
Sure. First of all, they have a good time and then they remember it much more than if they're falling asleep after the first 15 minutes of a two-hour presentation. They don't remember anything cuz they were bored out of their mind. They were on their phone.

Isar Meitis:

So, how many times, just a practical question, how many times do you do penetration testing and then use those examples to show in the training itself?

Robert Kerbeck:

Well, we do that often and, you know, what I do with companies that wanna hire me is I say, look, you know, I'm gonna penetrate your firm. I'm gonna show you how relatively easily I can do it. But the only thing I ask is that the people that I take advantage of and I get information from, they cannot suffer any consequences. You can't penalize them. You can't, you know, like that's the only thing I say, you know, because, you know, I mean, obviously, a lot of the reviews of my book Ruse call me the World's Greatest Corporate Spy. And you know, I think that was true because like I said, I was making millions of dollars a year spying for the biggest companies in the world. And you know, your audience knows, we all know the Russians spy and the Chinese spy on us, you know, the spy balloon recently. But again, most people are shocked to find out that corporations are spending hundreds of millions of dollars a year to spy on each other, and so I just don't think it's fair that some young person that I'm able to get information from suffers some sort of consequence. So that's the only thing I tell corporations: I'm gonna get information from people, but they cannot be punished as a result.

Isar Meitis:

Interesting. Okay, so now you're going into this training, what are the main recommendations to a corporation from a best practices perspective? Again, I'm sure there's tailored stuff per organization depending on what you find, but I'm sure there's also the, here's a checklist of things you should probably put in place.

Robert Kerbeck:

Well, one of the first things is you have to have a designated person in the firm who's like the social engineer. You know, so that anytime there's the social engineering phone call, text, or email, or from WhatsApp or from wherever these things are coming from, that there's some place, it could be one person, it could be a team of people, that is receiving these and logging these and responding to these. Cause they can be critical and they can cost your firm, you know, insane amounts of money. You know, I was recently working with a hospital that had six facilities and they got shut down. Their computers were frozen, locked. Six hospitals couldn't book an appointment, couldn't schedule a cert. I mean, it was insane. Think about it. That's a hospital. Yeah. Because why? Because one person, a young person, clicked on something and that opened the Pandora's box to all of these things that happened. Right? So, I think that there's gotta be firms designating a small team of people, or an individual, you know, again, depending on how big the firm is, but you know, one to three people that these are the people that are responding to these and addressing these. Because, you know, usually if there's one attempted breach, and if, let's say, you know, I see something suspicious, I forward it to you. You're the contact person. Well, I'm not the only person getting that. Now, I didn't click on it. I came to you and I said, hey, check this out. Yeah, you were right. Good thing you didn't do anything. Great job. Woo. But now it's going to other people too. So if you don't get this note, and if you don't send out a company email warning, this is what's going on, this is the phishing attempt, they're trying to breach our system, blah, blah, blah, please do not da da da, please inform me of any further incursions, you know? Right.
But if you don't have that at your firm and I haven't sent something to you, and now you're not recognizing it and sending it out to everyone, I'm just like, well, I didn't click on it. Woo. Well, I'm okay, but then the person next to me or, you know, home office, somebody at their home, they did. And so I think that's really, I would say, the most important. The two things are you have to train your people that there are people out there literally doing this kind of stuff on a daily basis, and there has to be somebody internally whose job it is to really attempt to mitigate the success of these attempts, and then obviously the damage from these attempts.

Isar Meitis:

I think what's really interesting about this, again, from a pure psychological perspective, it also gives a pressure relief valve to the people themselves. Mm-hmm. Because now instead of, like, dealing with it yourself, you said in the beginning, tell somebody, now you have a designated somebody, there's somebody who gets paid to review stuff that you're not sure of. Right. And I think from a company behavior perspective, like an employee behavior perspective, it's the easiest thing. Oh, right. I know I need to send this to Susan. Right. Every time something like this happens. That's right. So first of all, you're a little more aware, but then it's like I don't have to decide if it's good or bad. I can just send it to Susan. Now it's somebody else's problem and I can go on with my day. So I think it achieves that as well. The psychological aspect of helping people do the right thing just by relieving the responsibility from them and putting it on somebody else.

Robert Kerbeck:

Right. And you know, one of the challenges is the people that work in the technology side of a corporation, the technology part of a corporation. And this is a bit of a generalization, so I hope the tech people out there won't get mad at me. But, you know, tech people often are more introverted than extroverted. Yeah. You know, they're more obviously technology oriented, so the human part of it is sometimes a little foreign to them, and they don't understand that if they're kind of, you know, protecting both sides of that equation. You know, they're basically blocking the front door but leaving the back door wide open. Right? Yeah. And in this analogy you just used, where Susan's now the contact person, one of the things that's great about having this delineated contact person is I can help them and give them a lot more information, because, you know, in a training session I can give so much information, but it's me, two hours, 200 people. But that person I can really spend a lot of time with, send examples to, role play with, so that they really get trained on what to look for and how to deal with stuff. And that's kind of cool, because then they become your internal rusing expert, right? Yeah. So that you don't need me as much anymore cuz this person really knows a lot of stuff about the things that are going on.

Isar Meitis:

Makes perfect sense. Definitely great advice. What else can an organization, corporation, company do other than designating a person and doing training, or are these the two main things?

Robert Kerbeck:

Well, I think, look, really the main thing is to recognize that the human being will always be the weakest link in your security, in your cybersecurity. And most firms don't recognize that. Or if they do recognize it, they're paying lip service to the idea and they're going, oh yeah, yeah, we know that. Spend more money on that firewall. Spend more money on that encryption, you know? And they're not spending any money, or hardly any money, on training, you know? They're like, oh, well, we sent out an email and we told people. You send out an email, you know how many emails people get every day? Yeah. You know, they're not reading the email. They're not taking the email seriously. They're busy. You know, it's like, whereas if you're actually training people and you show on a stage an example of what can happen, the interaction that can happen, you know, and how catastrophic it can be, then everybody in the audience is like, whoa. You know, and that's what corporations need to do, is they need to not just pay lip service to the proverbial weakest link in cybersecurity, the human being.

Isar Meitis:

Robert, this was, first of all, really eye-opening, second, really scary. Mm-hmm. But really cool too, if you're not on the wrong side of that occasion. Right. If people wanna know more, if people wanna follow you, read your book, work with you, what's the best way to do these things?

Robert Kerbeck:

Oh, well, thank you. I always tell people the simplest thing is just go to my website. It's just my name, robertkerbeck.com, K-e-r-b-e-c-k. You can friend me there on any social media. You can buy, you know, Ruse, you can buy the audiobook for Ruse. You can see the trailer for the TV series that's in development for Ruse. Ooh, nice. Yeah, so, you know, the website is really fun. I'm really proud of my. Awesome.

Isar Meitis:

Perfect. Robert, this was great. Very different from all my other episodes, but really fascinating stuff. I appreciate you spending the time and sharing with me and my audience

Robert Kerbeck:

what we want to accelerate, the businesses of your listeners. And one way to do that is to not have the wheels fall off with some spies getting information on you.

Isar Meitis:

Awesome. Thank you. Thank you.
