Now, for the next session, please welcome Julius. He will be giving a session on how to prepare in the age of AI, particularly by facing deepfakes, and what we can do to educate ourselves and also prevent ourselves from believing in these deepfakes and all of these things that we see. It's becoming more difficult to distinguish what's real and what's not, so please, Julius, the floor is yours. Thank you.
Guys, you can hear me? Perfect. First of all, I try to make the session as interactive as possible, so I will, in a couple of minutes, ask one of you guys to be my example victim on the stage.
So, if there are some courageous ones among you, you have two minutes to think about it. First of all, I want to quickly introduce myself. I'm a mathematics student, a long time ago, but from Darmstadt, so I was very happy to be back in the Frankfurt region. But actually, I don't have the typical cyber background because I was four years at a German startup called Celonis Software Startup from Munich. Maybe you know it. I think nowadays, among the more valuable ones of them, and I was lucky enough to build up the Madrid hub in 2020.
Today, I don't want to talk about the B2B software part, but I think sometimes it's necessary that you approach the cybersecurity software world from an AI and a software perspective. And what, basically, where I want to set the stage, and I think this is nothing new to you, but of course, we, our very young firm from Berlin, exist only because many of our, or many firms, have actually reached out to our first investor and approached them by just sharing stories of cyber attacks that happened. And cyber attacks that happened, I mean, I'm listing three prominent ones.
I mean, you guys probably recall the WhatsApp voice message that the Ferrari CEO received, where the clever employee asked for the book that the CEO had given him a couple of weeks before. But for us, it was also very nice, of course, to see the British engineering firm and then this very publicly broadcasted video conference attack. But I think, at least I'm assuming that you guys all know that AI can be also used for dangerous social engineering attacks, which is why I now want to go into one subtopic.
So, of course, IT security is a very broad field, but I think it's not very outrageous to say that the human element will always remain one key factor in a good IT security strategy. And currently, as we see the market, and as we see also many CISOs thinking about it, is that there are currently two ways how to educate your workforce on cyber attacks or cyber security awareness in general. And one of them being just a normal, regular academy, most of the times paired with a more practical approach of sending out phishing email simulation.
But to be honest, we don't think this is the actual reality of 2024. And we believe that this academy approach will continue to lose importance, because, I mean, you guys have all probably done, I mean, you guys are all in IT security. How many of you have already or need to do IT security trainings themselves every year, the mandatory ones?
Yeah, you guys know it. Maybe that's sometimes, and it's always asking the same questions every year. So we believe an academy will always stay there, but for the basics, and it will continue to lose importance. What we think is more, if you really want to effectively prepare your employees, we believe a practical simulation approach is much better. And basically, this is what we come up with. And this is actually, so let's say we have one customer, I'm not going to say the name, but it's a tool manufacturing firm from the region of Stuttgart, and they have around 20,000 employees.
How do you now effectively train them for deepfake attacks and so on? So what we do for each of these employees, we create almost like a Spotify playlist of cyberattacks, simulations, of course. And basically, so we go a little bit away from this campaign structure, but really every single one has its own playlist, or his or her own playlist. And there are a couple of things that we think are important. And then I'm also going to show you a live example in a second.
But I mean, obviously, we are integrating into some kind of Active Directory, and we need to know first name, last name, email, business phone number. And I mean, it would be nice to know the location and maybe the direct report or something. But all the other data fields, we completely generate just out of, we have a prompt chain of 400 very easy prompts that just scrapes public data. For example, this is on company level: what is a typical supplier of the company, what could be a typical product that they're currently having, what kind of partnership do they have, and so on.
But it goes down to location, when is the Christmas party for location vibing, for example, or it goes down even on an individual level. If you guys were, I don't know, a local winner of a Schützenverein event or something.
Obviously, on most of the employees, we don't find anything, but especially on the more senior ones, the more management heavy ones we do. This is where we get the large parameter pool for all of our simulation.
For us, three things are important. And I want to say this is only one approach to train employees. But three things are, in our opinion, important.
First one, you need to train employees with attacks that are from this month, ideally from today. How do we do this? If we don't want to always do threat intelligence database monitoring, there are a couple of things like an emergency button. If you as a CISO, you see your organization is being attacked, why not send out a warning simulation to all affected user groups, for example.
We have a second, a little bit more open source approach where this is developed in combination with HackerOne, where they basically reward basically anyone, ethical hackers, to upload any kind of social engineering attacks that they've seen. So this is a very important pillar for us. The second pillar, we need to be on all channels where hackers are active.
Meaning, I mean, it's nice to send an SMS, it's nice to send an email, it's also nice to on stage here do a little live demonstration. But for us, I think what really makes a successful social engineering attack are the combinations of channels. A LinkedIn recruiter writes someone, we have a new job for you. And then if the employee responds, then that employee gets an email with invitation to an interview dot zip.
I mean, that happened to many crypto firms in August, September, for example. I mean, all of these multiple channels, they create trust. And that's also, I mean, that's what people do for B2B sales and marketing. But they also use that in cybersecurity. And this is what we want to replicate. And it can be a call, it can be up to a video conference, but all based on public data.
The third part, which we think is essential, is, I mean, and you guys maybe please tell me if it's different than your firm, but for most of the people I talk to, for them, IT security, or at least the training is more of a boring connotated topic in the year. So for us, it's very essential. To make it a little bit of fun for the employees. So we really don't believe in any kind of academy, but we just say every interaction that a user has with our simulation is being point, or is basically being evaluated. User gets points for it.
So, for example, if somebody just ignores something, they already receive two points by just having a good action, and so on. And are then even being incentivized by, because you might ask yourself, why is there a training? We have an in the moment approach, where if a user falls for something, we try to educate them always in 60 seconds, directly on the spot.
It's like, basically, when touching the hot stove. But, I mean, that's not all. I think a ranking helps CISOs to put prizes.
I mean, obviously, you can also do that GDPR compliant. For example, that one customer of ours, the manufacturing firm, they did it for each production site. They do it on a quarterly basis, the first five get a dinner with a site leader. Whether that's a prize or not, that's a different discussion.
But, for example, there's another point. If you, for example, report correctly all the time, then you shouldn't be bothered with simulations. So the frequency with which you are being trained should decrease. But others that click on everything, we need to do.
I mean, there's a large German football club that you all know that would rather like to punish the people immediately after they click on something. But our idea is that, basically, based on the performance of each individual employee, the playlist adapts. And as you know from Spotify, if there's a new attack coming in that's relevant, for example, for someone from HR, then it's being put in the playlist. But now I've talked already a long time. I would love to ask maybe Sarah, because we already talked about this before, that could you come up on stage and demonstrate a little call with me?
I'm going to pass you my phone. That's also why Sarah is using my telephone, because, obviously, as a good security professional, she would never give me the phone number. So let me trigger at Sarah. Give me a little second here. But basically, what is going to happen?
So Sarah, which we also called for, right, pseudonymization purposes, Müller, Sarah Müller, is now a part or an employee of CELONUS, and she's being called by her CEO, Alexander Rinkel, from which we put a 30-second video in. And now what basically happens in the back, we are basically, it's prompting a typical supplier You let me know, it takes like 30-40 seconds normally. Don't worry, there's not much to steal. But basically, it's basically prompting a supplier.
Yes, please, could you put it on loud? I'm currently at a cyber security conference, so this is very inconvenient.
Normally, I wouldn't ask you, but this is urgent, as I'm meeting in three days. If you could do me the favor of handling it, I'd really appreciate it.
If not, I'll inform your supervisor to assign it elsewhere. Let me know what works for you. Has this been discussed with our CFO? I haven't discussed this directly with the CFO yet, Sarah.
Right now, I need your help to ensure it's handled swiftly, since it's overdue, and I'm meeting Icovatus in three days. Can you take care of it?
Okay, I understand this is pretty urgent. So can you please send me the request in writing as well, just so that I can be sure that I got all the details correctly?
Of course, Sarah. I'll send you an email with all the details right away. I really appreciate you taking the time to handle this, especially considering the urgency.
Okay, thank you. And please put the CFO in CC as well, just so that he's in the loop. Absolutely, Sarah. I'll make sure to CC the CFO in the email, so everyone is in the loop. Thanks again for handling this, and I appreciate your prompt attention to the matter. Thank you. Always happy to help. Have a good rest of the day. Bye-bye.
Thank you, Sarah. I appreciate your help. Have a great rest of your day. Goodbye. Nice.
Thank you, Sarah. Of course, I think I've never seen someone speak that long with my ex-CEO. But I think right now, as you've seen, we could have asked him anything. We could have asked him, are we still on for Oktoberfest next year? How are your seven kids doing, and so on. So it will pick that up quickly. You can do it in basically any language. We just had earlier Oliver Kahn speaking in Russian outside there, which is also very fun. It's nice for employees to experience this, but I think it only becomes really effective. This is why I want to show this to you.
Sarah obviously can't receive the email right now. Actually, it came just now. We can actually take a look at this one down here. I tested it a couple of times, so I'm just going to go here. But basically, it just contains a couple of parameters, like a link to a logo, the address, and so on. And once the employee now that's being tested is close to basically clicking on the attachment, on the real invoice, then we think that employee might be close to doing something stupid. And this is the moment when we want to teach. And as you see in the browser, basically our training goes up.
Don't judge me on the loading times yet. But basically, here, the training pops up. And this is the 60-second training I was talking about. So Sarah right now is, of course, being warned.
Sarah, that's a current scam. Actually, I think this is a CEO fraud that we took from the Pepco example earlier this year. Sarah can actually listen to the call again. I'm not sure if that plays here. But I don't think we can hear the sound. But basically, Sarah can listen again to certain points. Was there an AI? Is that really my CEO? And so on.
And then, of course, it's led through a couple of other main points. You see where you see the company shield tip.
You could, of course, have your own little recipe for awareness. And then after 60 seconds, and I'm just going to skip through, voila, the training is completed. And this is basically just an example of one simulation of this playlist. And maybe let me switch back to that. This is just an example of one of these little simulations. It's probably only relevant for people who can actually pay invoices. There are other helpdesk, HR, IT scams that are relevant for other people. So I don't think this is too crazy from a technology perspective.
But I think what we basically do, if you have 22,000 people, for example, in your firm, then it's actually quite difficult to orchestrate that 22,000 people have a playlist that fits exactly their needs, their difficulty level, and always has the current scams. And this is from a software perspective what we are doing in the background. And now I would love to basically hear your questions on it. I'll be outside. And I can do one last thing I want to do. I'm happy to show you a live demo of Russian Oliver Kahn. That's not a problem.
In case you want to, before you protect your company, you want to protect your family over Christmas, we have a little free version that you can try some typical hi, mama, papa WhatsApps and so on. You can do that. I think we'll unlock it like a couple of days before Christmas. But you can only do three of your family members. So pick the ones that you think are most vulnerable.
No, but now with this, please open to questions. Julius, any questions from the audience? No. Considering Germany, I mean, are such kinds of trainings in line with the regulations or the guidelines with the Betriebsrat? The Betriebsrat is my best friend.
And now, of course, there's a, so basically what we do is we do save individual performance data, but from a reporting perspective, there's a minimum number that the Betriebsrat normally agrees to. And on standard, it's five. So you will only see the reporting on a group level basis. But for example, there are a couple of, there's a large German chemical firm that has it in the contract. For example, that if you are repeated offender, then the clear name is visible to only information security, like some selected personas, but we can do that too. Any other question? Yep.
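Added example, not from the talk or the vendor's software: a small sketch of the rules the speaker describes, namely points per reaction (the talk only states two points for ignoring; the other values are assumed), a simulation interval that shrinks for users who click and grows for consistent reporters, and group-level reporting that suppresses groups below the minimum size of five from the Q&A answer. The sample users and the 14-day base interval are constructed.

```python
from collections import defaultdict

# Points per user reaction. Only "ignored = 2" comes from the talk; the rest are assumed.
POINTS = {"reported": 5, "ignored": 2, "clicked": 0}
MIN_GROUP_SIZE = 5        # minimum group size for reporting, as stated in the Q&A
BASE_INTERVAL_DAYS = 14   # assumed base spacing between simulations

def score(events):
    """Total points for a user's reactions ("reported", "ignored", "clicked")."""
    return sum(POINTS[e] for e in events)

def next_interval_days(events, base=BASE_INTERVAL_DAYS):
    """Adaptive frequency over the last five reactions (assumed window):
    each click shortens the interval (floor 3 days); five reports in a row double it."""
    recent = events[-5:]
    if not recent:
        return base
    clicks = recent.count("clicked")
    if clicks:
        return max(3, base // (1 + clicks))
    if recent.count("reported") == len(recent):
        return base * 2
    return base

def group_report(users, min_size=MIN_GROUP_SIZE):
    """Click rate per group; groups with fewer than min_size users are suppressed (None)."""
    by_group = defaultdict(list)
    for u in users:
        by_group[u["group"]].append(u["events"])
    report = {}
    for group, event_lists in by_group.items():
        if len(event_lists) < min_size:
            report[group] = None      # too small to report without exposing individuals
            continue
        total = sum(len(ev) for ev in event_lists)
        clicks = sum(ev.count("clicked") for ev in event_lists)
        report[group] = round(clicks / total, 2) if total else 0.0
    return report

# Constructed sample data: one site large enough to report, one that must be suppressed.
SAMPLE_USERS = (
    [{"group": "site-A", "events": ["ignored", "reported"]} for _ in range(4)]
    + [{"group": "site-A", "events": ["clicked", "ignored"]}]
    + [{"group": "site-B", "events": ["clicked"]} for _ in range(2)]
)
```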
Especially that you mentioned that some parameters about this current company, how well does the software go with local dialects? Because I can imagine in the southwest of Germany, there is a very strong dialect. So how do you actually profile the dialect so that it matches the voice in the ordinary communication? It's funny that you mentioned, we always call it the built-in security feature of the company.
No, there are actually some models that do it quite well. But of course, yes, this is one aspect currently where you would currently be able to easily spot AI callers if the dialect is not perfect. Austrian firms, they are very, I didn't say that. All right.
Well, thank you so much. Thank you, Julius. Thank you.