April 21, 2022

One Weird Trick to Prevent Cyber Attacks with 1Password CEO Jeff Shiner

Hackers hate when you use these!


Nora and Scott are covering all things cybersecurity and password management. Jeff Shiner, CEO of 1Password, details the ins and outs of running a cybersecurity business today. Then, Patrick Austin, IT Brew Editor, on why people are reluctant to use password managers, even though we know they work. 

 

Hosts: Nora Ali & Scott Rogowsky

Producer: Bella Hutchins 

Production, Mixing & Sound Design: Daniel Markus

Music: Daniel Markus & Breakmaster Cylinder

Senior Producer: Katherine Milsop

Director of Audio: Alan Haburchak

VP, Head of Multimedia: Sarah Singer 

 

Full transcript for this episode below. 

Transcript

Jeff Shiner: I like to use a phrase, if we can make people good by being lazy, we've won. And that's the thing: I'm a human, I'm going to be lazy about certain things. I don't know if lazy is the right term, but there's a convenience side. And so, I think in a lot of cases, people are afraid that it's going to be difficult to learn. They're going to be afraid that it's going to be a lot of work. And that's the biggest fear we see when we go to somebody it's like, I think almost every human are like, "Yeah, I know what I'm doing's not great." But they don't recognize that to do something great, it's actually pretty easy.

Nora Ali: From Morning Brew, this is Business Casual, the podcast that reveals the unexpected business story behind everything. I'm Nora Ali.

Scott Rogowsky: And I'm Scott Rogowsky. Nora and I are here for your ears, bringing you conversations with creators, thinkers, and innovators who can tell us what it all means and why we should care. Now let's get down to business. Nora, do you have a password manager?

Nora Ali: I knew you'd ask me that, but I feel like I don't want to tell the hackers out there whether I do or don't.

Scott Rogowsky: Oh, that was a test. That was a test.

Nora Ali: No comment.

Scott Rogowsky: Can I speak to your manager? Can I speak to your password manager?

Nora Ali: Some of the most concerning things that have happened to me in terms of my passwords, I haven't luckily been hacked yet, but I signed up for some cooking class in Italy. I had to give them a password. And in the confirmation email for that class, they printed out my password in the email. It wasn't encrypted or anything. And I'm like, "What? That is so bad." So, my password's just floating around in the email ecosystem.

Scott Rogowsky: Italy behind the times here on cyber security.

Nora Ali: It was a fantastic cooking class, by the way. And then, I think some hacker person emailed me a different password in writing, in my inbox as well. And that was a very old password. That was from my AOL account as a kid. I was scared when I received that email, but you just don't know who's looking at your stuff, Scott.

Scott Rogowsky: I know. I know. It's terrifying. And it's like, do you ever get the sense just like, what do you want with me? Why are you going through this effort?

Nora Ali: There's a lot to gain from it, not to take the hacker's side.

Scott Rogowsky: You want to steal my identity, really? You can have it.

Nora Ali: You have a bank account.

Scott Rogowsky: You can have it.

Nora Ali: You have an identity. You have assets that are valuable to others.

Scott Rogowsky: Well, not lately. Have you looked at the stock market? Yikes.

Nora Ali: Well, we know it's an important topic-

Scott Rogowsky: In the toilet.

Nora Ali: In the toilet, yes. We-

Scott Rogowsky: We should have invested in toilets, it would have been a better investment-

Nora Ali: No.

Scott Rogowsky: ... than Roku right now.

Nora Ali: Today, we are talking about the all-important topic of cybersecurity and some of the biggest challenges that businesses and individuals, like us, face when it comes to protecting our personal information online. We're going to hear from Jeff Shiner, who is the CEO of 1Password, along with journalist Patrick Lucas Austin, who is the Editor of IT Brew, a new publication coming soon from Morning Brew. That launches on May 2nd. So, keep your eyes peeled for that. Our conversation with Jeff and Pat is up next after a quick break.

Scott Rogowsky: This is definitely a new experience for us here with two guests, but this is going to be fun. So, let's start with Jeff here for some context. Jeff, you're running 1Password, CEO of 1Password. So, we're curious about basically how password managers work.

Jeff Shiner: Yeah. I mean, to start off and you sort of mentioned it, as people, we're not very good with security. And so, the role of a password manager, certainly the role of 1Password, is to make it easy for people to be secure. And so, if you think of it today where you have passwords, people tend to reuse them, right? You're going to "fluffy cat" for every password that you've got. And if one of your sites gets hacked, then they're going to use that same password or similar variants to that password, to try and log into things you do care about, banks and Amazon and PayPal and stuff like that. So, with a password manager, at its core there's two things we do. One, we keep all of your information, the passwords to all of the accounts you use, other sensitive information, whether it's credit cards or driver's licenses and that, we keep it all secure. But then when you go to use it, when you go to say, log into Twitter or log into your bank, we will form fill that, we will automatically fill that in, on your behalf. So, that way each password can be completely random, 30 characters of gobbledygook, but you never need to remember it. We'll fill it in on your behalf. So, we both keep it secure on your behalf and then we make it really easy for you to use those secure passwords.

Nora Ali: I want to get your perspective on this as well, Patrick. I think this is more and more of an issue because cyberattacks are getting more and more sophisticated, more and more common. And in fact, ransomware cyberattacks surged 105% last year. That's according to Fortune. Customer data breaches had been growing as well. So, why do you think this is, why are we seeing more concern around breaches and hacks and how can we as users and consumers be more savvy on this topic?

Patrick Lucas Austin: Sure. I mean, I think we're seeing a lot more breaches because it's a lot easier to mount a cyberattack and it's a lot easier to accomplish these data breaches. The other problem is the user data, usernames, passwords, things like that, a lot of it is reused. So, like Jeff was saying, if you're compromised on one account, you could be compromised on multiple other accounts, which is why reusing passwords is so discouraged. And it's why it's so difficult to prevent if people are not changing their password habits.

Scott Rogowsky: You mentioned it's become easier for hackers. How? How has cyberattacking become easier? Is it because their technology on their side is just getting better, as well as the technology on our side?

Patrick Lucas Austin: Yeah, the tech on their side is getting better. It's easier to, if you've got the will or if you're part of a group of people, it's easier to pay people to launch these cyberattacks against companies, which is what a lot of bad actors do.

Jeff Shiner: I think the other thing that's interesting to recognize over the last, certainly decade, is that our use of computers, our use of technology has just become ingrained in everybody's lives. So, if you look at the reason why cyberattacks are so much more prevalent now, it's because everything is behind computers. And regardless of who you are, you're using it. So, when you think of it from an attack vector point of view, it's no longer highly technical people who are using computers, it's everybody who's using computers. And a lot of those folks aren't familiar with some of the more sophisticated attacks, even attacks like phishing or password hygiene. And so, it makes it easy to get into their accounts, because they're just not aware of some of the simple things you can do to protect yourselves.

Nora Ali: And for 1Password specifically, for people who haven't used it before, how might this differ from some of the multi-factor authentication strategies we've seen or Microsoft's Authenticator or Apple's iCloud Keychain? What are some of the biggest differences there?

Jeff Shiner: Yeah, I mean, I think at the most important side it's, this is all we do. This is what we focus on. And so, when you look at it, I would certainly encourage people to use any of the password managers over nothing. But when you look at the differences with 1Password, the first thing we start with is just usability, making it easy to use, making it easy for humans to understand how to use, because it is still something that is challenging. People are afraid to give up control of their passwords and that's something that we take a lot of focus on from a usability point of view. But then beyond that, you start to get into a lot of the human scenarios. So, for instance, it's on every device you've got, whether it's an iPhone, an Android device, a Linux box, a Mac, a Windows, we can be everywhere. We can be in all of your browsers. And sharing is another big aspect that I think, again, real people use and is something that we focus on. So, for instance, if you look at a family account, I've got a vault, which I have for just myself. I've got a vault that my wife and I share. Then I've got a vault that our whole family shares, with everything from garage codes and alarm codes and things that need to be shared. And that's something that is in the real world, an important part of what we do every day, but still needs to be kept private.

Scott Rogowsky: Is vaulting, is that the term for how these password managers work or are we talking actual vaults here? What are we talking about?

Jeff Shiner: Yeah, so the concept of a vault is pretty simple. So, I look at it and I say, "I have my things that I need to keep secret, my passwords to, say, my email." And this is true, whether it's a business or at home, right? Whether it's my business email or my home email. And then we have, for instance, my wife and I similarly have a shared email account. And so, that would be something that both of us need to have access to. And so, when you look at a vault, it's just that concept of something that I place the things that need to be kept sensitive to me. Of course, it's an electronic vault. And so, my vault is mine, only I get access to it. The vault I share with my wife, my wife and I get to have access to those. And so, whoever you need to share it with, you can create that vault with that person. And then that's where you share those secrets.

Nora Ali: And are you largely working with corporations, with enterprises, with individuals? How does the breakdown of the business work from a 1Password perspective to keep everyone protected?

Jeff Shiner: Yeah. So, the first 10 years we were around, we were consumer-only, really focusing on individuals and families and keeping us safe at home. We started to really recognize around 2015 the fact that businesses really needed the same protection. That at the end of the day, it's us humans that aren't very good with security and 85% of breaches have a human element. So, in 2016, we launched 1Password for business. And now we're quite equally both on the business side, we've got about 100,000 businesses that we protect and still millions of consumers. But I think the cool thing is, you do both. So, for instance, anybody who gets a business account, everybody there gets a free family account, because you need to protect those people both at work and at home.

Scott Rogowsky: This abused me and many others of the notion that there's this risk of using a password manager when you have all your login information in one place. So, that now just one breach could be a total disaster, because everything is stored in there. That seems to be the basic fear that maybe is keeping people from trying a password manager, right? How do password managers create layers of security and prevent these passwords from being hacked and shared? How do you ensure that you are the most secure place to put your passwords?

Jeff Shiner: From a 1Password security point of view, we built right into the fundamentals of 1Password one really important thing, and that is, we ourselves as 1Password can never see any of your secrets. So, if you put your password in for your bank into 1Password, we can never see that secret. How do we do that? So, you choose your primary password, the password to 1Password itself, everything gets encrypted with that password. We never see your, what we call the primary password to 1Password. And so, we get a blob of data and that blob of data can live on our server in an encrypted way, but we don't have the keys to decrypt it. Now, the only risk that provides is what if you've chosen a weak primary password, right? What if you've chosen "fluffy cat" as your primary password? So, we take a big step further and we have what we call a secret key, which, fancy name, is just a big, long string of random characters. And when you choose your primary key, we, on your device, generate that secret key, which stays on your device and we never get that either. And so, now you can think of that primary password as your primary password, which you have to type in each time, plus this big, huge, long string, just to make it unguessable, and everything gets encrypted with that. And so, that does two things. One, it protects you as a user of 1Password, because even if the data were to be somehow breached, from a 1Password point of view, that's useless. The second thing it does for us, is it makes us not much of a target, because even if you got our data, it's not useful. So, that's the key way that we protect both our customers, most importantly, and ourselves.

Scott Rogowsky: You lock the door from the inside and the out. I got it.

Jeff Shiner: Yeah. And we don't have the key. We don't have the ability to decrypt your data.

Nora Ali: All right. Let's take a very quick break. More with Jeff and Pat when we get back. So, we all know the importance of password managers and protecting our information. And yet, I can say that I've gotten notifications before that say, "Some of your passwords might have been compromised." And yet, I don't take any action on it. And I think a lot of people can relate to that, because you don't feel like you're vulnerable until you literally get hacked. And Jeff, in fact, a recent study from security.org found that four out of five American adults don't use a password manager. Why do you think people are reluctant to use these?

Jeff Shiner: Yeah. I think it comes down to, I'm going to say, I like to use a phrase, if we can make people good by being lazy, we've won. Right? And that's the thing, I'm a human, I'm going to be lazy about certain things. I don't know if lazy is the right term, but there's a convenience side. And so, I think in a lot of cases, people are afraid that it's going to be difficult to learn. They're going to be afraid that it's going to be a lot of work. And that's the biggest fear we see when we go to somebody, it's like, I think almost every human, probably yourselves included, are like, "Yeah, I know what I'm doing's not great." But they don't recognize that to do something great, it's actually pretty easy. And so, that's the biggest thing that we've tried to do. We call it human-centric security. Can we make it easy for the human to stay secure? And so, a good example of that is if you start using 1Password, a lot of people think, "Well, doesn't that mean I have to go in and start entering all of my passwords and stuff like that?" No, what you do is you install 1Password and then you just go browse like normal. And let's say, you go to your bank for the first time. You just log into your bank, using whatever your notebook tells you your password is, and 1Password will offer to remember it. And that way it's starting to build that. So, the next time you go to the bank, 1Password will offer to fill it. And now you're starting to say, "Aha, this is easy. Instead of having to go to my notebook, I just tap that icon, boom, done." And then over time, you start to realize how simple it is and then you can get into, "Okay, now that I know it's simple, let me strengthen some of those. Let me go and use the password generator from 1Password to make it strong." So, I think, if you look at it from that point of view and you just install 1Password and then largely go about your normal day, then it's quite easy to adopt. But I think there's a lot of fear from people that it's going to be an awful lot of work up front and they struggle to find and justify the time.

Nora Ali: I imagine that a lot of that fear is instilled in older users who might not be as tech savvy and they're afraid to try something like a password manager. How do you reach those audiences, when they might be a little bit skeptical in the first place, the older generations?

Jeff Shiner: I think the easiest way to do that is through the family account. So, we offer a family account. And the reason why I say that is you tend to have an advocate in the family. My family, shockingly enough, it's myself. And so, I'm going to sit there and I'm going to set up the family account, then I'm going to invite my wife and I'm going to invite my son. And my dad's in his 80s and he is going to be afraid of passwords and losing control, so I'm going to invite him. And that way he's got somebody there who can act on his behalf as an advocate. And more than just making it easier for him to use, he can certainly have his own passwords, but then there's certain things that we can now share, so that if something happens, whether it happens to him or he starts to forget about certain accounts, then I can have access to those as needed. So, I think the easiest way to do that is to just use a family account and get that one person within your family to help the others.

Nora Ali: Mm-hmm (affirmative). Pat, let's walk through a specific scenario, if we can. We all know someone who's been hacked before. My mom's Facebook account got hacked recently. So, this happens to you, you panic. What should you do if you don't have a password manager and you know you've reused this password on multiple sites, what should be your first steps?

Patrick Lucas Austin: First, you should pull out your notebook and then look at all your passwords and go, "Ah, crap, I've got a lot of work to do." Of course, you should change your password immediately. If you're dealing with something like financial services, you should alert whatever financial institution you're dealing with. Go through your accounts and see which ones have that same password, because hackers will find an email address and find a password, and then try every popular website there is, with that combination of email and password or variation of password. So, again, establishing a unique and random passwords for each account, which a password manager can help you do, is certainly an important step. When it comes to being compromised at work, you should obviously tell your manager or IT department or something like that, because they can certainly implement steps to protect work data. The important thing is that you change your password quickly and change any variation of that password. And maybe use a password manager.

Scott Rogowsky: Jeff, every time I log into my email, I'm redirected to a separate website with a password authenticator. So, if we have authenticators now, does that make password managers less essential?

Jeff Shiner: Yeah. So, when we look at authentication, and you mentioned this term correctly, it's 2FA or MFA, it's a second factor. And that's the whole goal of it, is to sit there and say, if you think of passwords, let's just use a bank, and you've got your username and password to the bank, the bank stores that information. If somebody got that information from the bank, they can log into your account. And so, the idea of a second factor is, it's a second factor that even if they got your username and password, they won't have. So, a common example is what's called a one-time password. And a one-time password, you typically just see it, it's the six digits, right? They'll generate the six digits and send that to you somehow. And so for instance, 1Password acts as a one-time password authenticator like an Authy or a Google Authenticator, and many do. And so, the idea would be that when you log in, you then have a second factor that can additionally validate that it's yourself. So, I think second factors are a great idea, because again, it's a layer of protection. Sure, there's a challenge of convenience and that's the problem, right? It's always security versus convenience.

Scott Rogowsky: Time for another quick break. More with Jeff and Pat when we get back.

Nora Ali: Pat, I want to understand how businesses can better protect their employees from getting hacked or any breaches. I remember in past jobs, I would get emails from our IT team and they were fake, they were tests. And they would try to send these messages that look like it's from your boss. There's a link in there. And then if you're an employee and you click on it, without realizing that it's a phishing expedition, then you had to go do extra training and pass a quiz, and prove that you're not dumb and that you'll be able to identify phishing emails in the future. But what have you seen companies do to try to train their employees to be wary of some of these hacking mechanisms? And do you think that it's been working and people are just becoming more savvy in the workplace?

Patrick Lucas Austin: I mean, as the workplace gets younger, people are certainly becoming more tech savvy, but I think at the same time, companies are aware that in order to ensure a strong and secure digital footprint, every part of it needs to be secure, and that includes the users, because like Jeff said, users are a prime factor for attack when it comes to data breaches of companies. And that includes managing passwords. Nobody likes to type in a super long password to get into their work computer every day, of course, but that's what password manager services can help alleviate, by remembering your password, helping remember your password, offering to change your passwords regularly or when there's a compromise. Companies offer a multi-factor authentication to provide that second or third level of security. And again, the training videos are an unfortunate and unnecessary evil of the workforce, but it's important that people learn to recognize what kind of attacks they could be facing, whether it's a fake email from your boss or a fake email from IT department telling you to change your password. When you get a message like that, you should check with your manager, check with your IT department, and use a different communication channel. Don't reply to the email being like, "What, are you sure?"

Nora Ali: They'll reply back, "Yeah, click it."

Patrick Lucas Austin: Right.

Nora Ali: Each of you used this phrase, attack vectors, maybe Jeff, can you explain what that means and where are we the most vulnerable as far as attack vectors?

Jeff Shiner: Yeah. I mean, when you think of the concept of an attack vector, it's much like the name implies, it's like, where or how will the intruder attempt to get into the system? And I would say that at a fundamental level, there's probably three types of approaches. There's the type of approach that goes towards the human, whether it's a phishing attack, whether it's trying to get them to click on certain links or redirect them, or just try random passwords. There's the type that goes against the actual infrastructure itself. Can we find weak points in the infrastructure? And then there's just what I almost call replay attacks, where they'll have purchased stolen credentials or things like that and they'll just try and do what they call credential stuffing, or just attacks with guessing. What's interesting is, is one of the stats is 85% of all breaches have a human aspect to it. It's either through weak passwords or phishing or others. And so, when I think of it from an attack vector point of view, and certainly what we're trying to do is, how do we make it easy for the human to just be more secure? Because if you'll think of something like phishing, training is important. And the younger community, we are more aware, but it only takes one mess up. Like if somebody sends us a text message and say, "Can you please give me 20 Apple gift cards?" We're probably going to ignore it, but they're getting more sophisticated in that, not from a technology point of view, but just in terms of the crafting of the message. And then, we can slip up and click on a link or we think it's a real one, once, and we're in trouble. And so, I think when we look at the attack vectors, you have to look at the human first and foremost and say, "How do we just make it easy for that human to do the secure thing without having to have a lot of education and know-how?"

Scott Rogowsky: For as non-tech savvy as I am, I think I am tech sophisticated enough to avoid those phishing scams and those human-based attack vectors. I'm curious about how the public is vulnerable when we give our passwords to larger companies. I'm thinking about this Cash App breach recently, with some ex-employee accessing customer data, 8.2 million customers are now having their profiles breached. I have Cash App. So, now I'm thinking, "Okay, I didn't do anything wrong here, but somehow Cash App got accessed." Every few months, it seems like you get an email or a letter in the mail saying, "Our system was hacked. Your passwords and profiles, your Social Security numbers, your pin numbers are at risk." So, what are these larger companies, these enterprises doing to protect themselves? Are they using 1Password, Jeff? I mean, is there something even more strict and more robust that they're using to protect them? Because that's where I'm concerned as a citizen and a consumer. Here's the thing, again, I think I'm pretty secure with my own passwords personally, but I'm giving these things to the banks, to these other apps, and who knows how they're protecting their data.

Jeff Shiner: Yeah, what's interesting is when you look at the hacks themselves, and there's a phrase that we like to use, which is, most hackers don't hack in, most hackers log in. And what we mean by that is the hackers themselves are getting credentials from those who work at the companies. And that's a pretty common way that these breaches happen. Certainly, there's more sophisticated ones at times, but that's a pretty common way that these breaches happen is they get in by hacking or phishing somebody at the company itself. And so, it's the same problem yet again, while you might be secure as a person, all they need to do is find the right person within the company and exploit that attack vector, get in that way. And then all of a sudden, they're in to that system. So, without question, these large companies are using apps like 1Password. We've got over 100,000 businesses using us, because they recognize that the people at their company need a tool to keep safe. Don't get me wrong, they have a lot of other ways to protect themselves, especially from an infrastructure point of view, that are extremely important. And I think that's a part where the AWSs and the Googles and that, on the data centers, have been doing a much better job just in terms of the protection that they provide.

Nora Ali: There's also just advancements in how we log into things with biometrics, for example, with facial recognition and fingerprints. Jeff, are these safer? What are the risks when it comes to that kind of password?

Jeff Shiner: Biometrics in particular are something that, I say they're a fantastic convenience. So, if we look at on your phone or like on my Mac, where I'm going to use Touch ID or Face ID, but that's not an authentication. In other words, you don't log into the bank, the bank doesn't have a copy of your face or a copy of your fingerprint. It's on the phone that hides that real authentication. And it needs to, because you don't want your face or your finger going out to all of these different services, because if it were ever breached, it's very hard to change your finger or your face. So, from that point of view, they're a very good method if they're used locally on a device.

Scott Rogowsky: What do both of you see as the future to password protection? I mean, is it really going to be a drop of blood, perhaps, get your DNA?

Nora Ali: Theranos, anyone?

Scott Rogowsky: When you think about Gattaca, I don't know, when you think about the future, because again, as you said, attacks are going up, why? Because our digital lives are just becoming more and more pervasive into our regular lives. And how do you see this all shaking out in five, 10, 20 years, maybe?

Jeff Shiner: I think we're going to continue to see what we've been seeing over the last decade, which is more and more types of authentication. So, if you think of it many years ago, there was your username and passwords, and then username and passwords and single sign-on. And now we see the social single sign-on, sign in with Google, sign in with Facebook. You start to see some of the password lists approaches with magic tokens or QR codes. There's talk of blockchain. So, I think what we'll continue to see is more and more types of login as we move forward. Each will have their own benefits. Each will have their own challenges. There's always a convenience-versus-security at play with many of them. But I think the reality is, we're going to continue to see just a myriad of different types of authentication, which will add to its own challenges just in terms of, as a person, saying, "Gee, what do I need to do today? Do I need to show my finger, my eye, drop of blood, or a username?" I think that's certainly the next challenge.

Scott Rogowsky: Patrick, is triple-factor authentication in our future, quadruple-factor?

Patrick Lucas Austin: Yeah, we're doing five factors. Yeah, there's definitely the shift to alternate forms of authentication is definitely on the rise with biometrics and stuff like that. Temporary passwords, text message, SMS passwords. multi-factor authentication definitely adds a level of security that can provide a lot of peace of mind. But yeah, like Jeff said, I think the primary goal in the next five, 10 years, will be to get more people to care about securing their online identities and their data, secure it strongly and keep it safe, because it runs our daily lives. You're on your phone all the time. You're logging into things all the time. And if one of these places is compromised, that could be your whole world compromised, if you don't take the proper precautions. And it's easy to take these precautions, like Jeff said, you install your password manager, it asks you a few questions while you're browsing the web. And eventually, I am a password manager convert because of 1Password, essentially. Installing it in my browser, letting it work and being like, "Oh, I should care more over the years." It's not something that people can or should do overnight. It's something that should be done gradually and embedded into their online lifestyle.

Nora Ali: Hopefully it'll be the default soon.

Patrick Lucas Austin: Right.

Scott Rogowsky: Yeah. We're still in the education phase though.

Nora Ali: Yeah.

Scott Rogowsky: I don't know, there's still something funky about that browser and I don't trust these browsers, but all right, I'll do my own research and maybe I'll be signing up for this soon. Both of you seem pretty secure in your passwords and your data, but how secure are you in your knowledge about cyber security-

Patrick Lucas Austin: Oh man.

Scott Rogowsky: ... in a quiz form?

Patrick Lucas Austin: Ooh.

Scott Rogowsky: Because right now, it's time for Quizness Casual, the Business Casual quiz. And for today's quiz, this is exciting, we're going to go head-to-head here, Jeff versus Patrick.

Nora Ali: Let's get competitive.

Scott Rogowsky: Let's get competitive. Normally, it's Nora helping out, but let's do this the right way, a proper quiz show way. So, I'll ask the question and you'll both give your answer. And maybe one of you will be right, maybe both of you will be right.

Nora Ali: It's the honor system.

Scott Rogowsky: Honor system.

Nora Ali: Yep.

Scott Rogowsky: Here we go. For today's quiz, it's all about cybersecurity with Jeff Shiner,

Patrick Austin, are you ready to get down to the nitty gritty?

Patrick Lucas Austin: Let's do it.

Scott Rogowsky: All right. Qumero numero uno. A Clark School study at the University of Maryland was one of the first to quantify the rate of hacker attacks in computers with internet access. What is that rate of hacker attackers? Is it every 46 minutes, every five hours, every 16 minutes, or about every 39 seconds?

Jeff Shiner: I got to go with 39 seconds.

Patrick Lucas Austin: I guess, just to be a little contrarian, I'll go with 16 minutes.

Nora Ali: I like it.

Scott Rogowsky: Both of you picking the shortest intervals there. The rate of hacker attacks, wouldn't you know it, it is nearly constant, yeah, every 39 seconds there's a hacker attack according to this Clark University study. Anyway, that's terrifying.

Nora Ali: That's terrifying.

Scott Rogowsky: That's terrifying.

Jeff Shiner: It's probably shorter than that now.

Scott Rogowsky: You think it's gotten shorter since the study? Maybe.

Jeff Shiner: I think it continually gets shorter. Yeah.

Scott Rogowsky: All right, here we go. Q2, which of the following companies experienced the most costly phishing attack to date? Was it Facebook and Google, Amazon, UPS and FedEx, or Verizon?

Patrick Lucas Austin: I think I'll say Verizon.

Jeff Shiner: Yeah. I remember the Verizon attack. I was thinking LinkedIn, but you didn't put that on the list. So, I'll say Verizon.

Scott Rogowsky: Well, one scammer, between 2013 and 2015 tricked Facebook and Google out of $100 million.

Patrick Lucas Austin: Oh.

Scott Rogowsky: Yes. Setting up fake businesses, sending phishing emails to employees, employees of Facebook and Google.

Nora Ali: Oh.

Patrick Lucas Austin: Very clever idea that one.

Scott Rogowsky: Do you remember this? Using Quanta, because they took advantage of the fact that they both used Quanta, a Taiwan-based company, as a vendor. And the attacker sent a series of fake invoices, impersonating Quanta, which both Facebook and Google paid.

Nora Ali: Oh my God.

Jeff Shiner: Oh, nice.

Patrick Lucas Austin: It's a great example of social engineering that goes into compromising a company, like fake invoices, fake names, fake companies. I mean, real companies.

Scott Rogowsky: Right. But you somehow mask that email and it's so easy with the email invoicing now, right? You just throw some email address and these people are bean counters over there, they're just, "All right. Yeah, I'll pay the invoice. Whatever." It's not their money.

Patrick Lucas Austin: I got it. Why not?

Jeff Shiner: They probably didn't notice 100 million missing.

Patrick Lucas Austin: Yeah. Right?

Scott Rogowsky: Well, yeah, after two years it adds up to 100 million.

Nora Ali: It came in increments. Yeah.

Scott Rogowsky: Jeepers creepers. All right. Well, that was tough. You both whiffed on that one. Let's see if you can close it out here with Q3. Which company has experienced the largest data breach to-date, Capital One, Yahoo, Facebook, or Marriott International?

Jeff Shiner: Yahoo.

Patrick Lucas Austin: I'm bouncing between Capital One and Yahoo. And I think I'm going to go Yahoo as well.

Scott Rogowsky: How about this? Beautiful way to wrap it up with both you landing on the right answer, Yahoo.

Nora Ali: Yahoo.

Scott Rogowsky: According to CNN Money, an epic and historic data breach at Yahoo in August 2013 affected every single customer account that existed at the time, three billion accounts. Including email, Tumblr, Fantasy, and Flickr. Names, email addresses and passwords, but not financial information, thankfully, were breached according to Yahoo. They reported on themselves. So, we'll take them at their word.

Patrick Lucas Austin: Teenage Patrick would be very upset his Yahoo account was compromised.

Scott Rogowsky: Exactly. Yeah. A lot of us aged out of those accounts by then, thankfully. Well, nice job guys. And again, thanks for this really ... It's kind of an unsexy topic, but I think you made it accessible and interesting for us. So, we appreciate the chat today.

Nora Ali: Lot of good action items. Thank you both.

Jeff Shiner: Thank you very much.

Patrick Lucas Austin: Yeah. Thanks so much.

Scott Rogowsky: We love hearing from our Business Casual community, so please hit us up, listeners. We're working on an episode about a little grocery store in the Northeast called Stew Leonard's. It's a great shop. I used to go there growing up. We want to know, do you have a favorite local, regional grocer? What's your nostalgic grocery shopping stories? Send us your thoughts to businesscasual@morningbrew.com, or DM us on Twitter @bizcasualpod. That's B-I-Zcasualpod.

Nora Ali: You can also leave us a voice memo on our website, businesscasual.fm, or give us a ring and leave us an old fashioned voicemail. Our number is 862-295-1135. As Business Casual grows, we are excited to get to know our listeners, old and new. Drop us a line and don't forget to leave your name and where you're calling or writing from, so we can hear from you in a future episode.

Scott Rogowsky: Business Casual is two-factor authenticated by Katherine Milsop and Bella Hutchins. Additional production, sound design and mixing by Daniel Markus. Alan Haburchak is the Director of Audio at Morning Brew. Sarah Singer's our VP of Multimedia. Holly Van Leuven is our fact checker. Music in this episode from Daniel Markus and The Mysterious Breakmaster Cylinder. If you like what you heard, please follow Business Casual on Spotify, Apple Podcasts, or wherever you go for your ear candy. And we'd love it if you'd give us a great rating and review.

Nora Ali: Thanks for listening to Business Casual. I'm Nora Ali.

Scott Rogowsky: And I'm Scott Rogowsky.

Nora Ali: Keep it business.

Scott Rogowsky: And keep it casual.