
Who Do You Trust featuring Dawud Gordon and Ivan Milenkovic

Released on APRIL 12, 2024

Last week, we explored trust in terms of leadership. But in this scene from the 1989 Tim Burton film, Batman, Jack Nicholson’s Joker is exploring a different kind of trust. When someone you’ve never met is seemingly always behind a mask, how do you trust them? How do you know who they really are and what they’re actually up to?

As work from home has become more and more prevalent in the BPO space, that kind of trust becomes increasingly important. Companies are entrusting access to their customer data to agents who not only work for an outsourcer but also work behind the mask of work from home. Dawud Gordon and Ivan Milenkovic join this week’s show to discuss the importance of security in the BPO sector and how AI is changing the landscape.

We discuss:

  • Opportunities and Risks of AI in BPO Security
  • Identity Protection and Evolving Threats
  • Challenges of Traditional Security Measures
  • Challenges of Implementing Multi-Factor Authentication
  • The Limitations of User Responsibility in Security

Connect with Dawud on LinkedIn

Connect with Ivan on LinkedIn

Twosense

Music courtesy of Big Red Horse

Transcript

Rob Dwyer (00:01.635)
Thanks for joining another episode of Next in Queue. I have two guests today, not just one, it's a two-for: Ivan Milenkovic and Dawud Gordon. Both from Twosense. Gentlemen, thanks for joining the show. How are you today?

Dawud Gordon, Ph.D. (00:22.208)
I'm doing great. Thanks for having us on. It's an honor.

Ivan Milenkovic (00:26.31)
Fantastic indeed. Thanks for having us Rob.

Rob Dwyer (00:29.015)
We're going to talk about the ever exciting, everyone's just going crazy about it, security in the BPO sector. Woo!

Dawud Gordon, Ph.D. (00:40.865)
Extremely exciting.

Rob Dwyer (00:42.347)
Yeah, I know that every time you guys talk with partners and potential partners, that's how they react. They're, you know, throwing confetti and yeah.

Dawud Gordon, Ph.D. (00:51.102)
Everybody loves it. Favorite topic.

Rob Dwyer (00:55.103)
So that said, it is a really important topic. It's becoming ever more important. And there are all kinds of different ways that people are looking at how they can improve their security. And we're going to talk about some different techniques today that BPOs can employ to really

guard their partners' customers' information, guard their own information, and continue to be good partners for industry leaders. I think really...

gonna just throw it out there because it is absolutely on everybody's mind. But let's talk about how AI is changing security for BPOs and contact centers in general.

Ivan Milenkovic (02:04.786)
Yes, it's a fantastic question, Rob. So I think a couple of things that you mentioned there already resonate with me a lot, given that I used to be a group CISO for one of the largest BPOs around worldwide. And it's interesting. I think we need to properly set up the backdrop on this one.

As you mentioned, BPOs are there to effectively provide a service behind their clients. And if we look retrospectively on what was going on over the past couple of years, we had some fantastic breaches when it comes to companies getting hacked via their third parties. So, thinking about BPOs, effectively they sit

in the eye of the storm, however you take it, because it's one of those, at least from a hacker's perspective, sweet spots. You go for a BPO, ultimately you might get lucky with any client of theirs. In some cases, we know very well that actually BPOs were targeted in particular to get to their clients. So it's not pretty out there. I guess that's one point I'm trying to make here.

Also, thinking from a slightly different perspective, the BPO world is not highly regulated by any means. And for an outsider, they can think about it as, yeah, okay, fine, you need to kind of do certain things, but that's okay. However, the truth couldn't be more different, because although the BPO industry per se is not regulated,

when you think about who the clients are, where the clients are, which industries those clients operate in, and the story goes on and on and on, you effectively end up with a list of requirements that are as big as it gets. So talking about things such as possibly PCI DSS for those that have to do something with obviously processing payments, talking about some very stringent privacy regulations, talking about every single legislation out there that you have across the world when it comes to, you know, telcos and critical national infrastructure and similar other areas. Basically, BPOs need to hit every single thing there is to only be part of the game, you know, just to have a stake at the table. So from that perspective it is a very interesting game.

And then obviously you throw AI into the mix. So the way I see it, it's a coin with two sides. On one side, there are some fantastic opportunities for the BPOs, on the other, there are some really, really great risks. Talking and thinking about those opportunities, it's kind of anything and everything from increased efficiencies, maybe improving certain services when it comes to accuracy and so on, even enhancing the customer experience, and certainly scalability. So we can come up with almost any excuse where and how you could use AI in the BPO industry.

And then as a cherry on top, obviously, when we strictly speak about security, there are some huge opportunities to actually analyzing what's going on and leveraging AI in the context of all the security monitoring that you're doing, analyzing most of your transactions so that you can effectively figure out whether something's slightly off.

you know, maybe a bit more risky for whichever reason, or maybe involving some parameters that are not necessarily normal for a particular account and so on. Because at the end of the day, AI would be much, much faster at spotting and recognizing certain signals, to put it like that. But then there's the other side of that coin, as I said, the risks. And again, this is where...

Ivan Milenkovic (06:34.878)
Unfortunately, it's not that rosy at all. If you follow the market over the last couple of, well, actually, it's much older than that, but it was quite obvious over the last couple of months. The entire BPO industry had basically a big hit. There were some significant announcements. I'm not going to go into naming the names, but...

One significant company went out and said that they're going to replace pretty much all of their front-facing agents with AI-supported chatbots. So the entire industry at the end of the day is under a huge pressure because suddenly the revenue is at risk, suddenly you need to think about getting your services to the right place.

price point, which evidently isn't compatible with providing better, more secure services and so on. But you also have some other things. So it's not just that particular direct pressure, rather it is when you start thinking about the job displacement, obviously, but even more on a security side, when you start thinking about the dependence on technology that might cause, again, we have some fantastic examples there.

Only over the past month or so, we had that fantastic, fantastic example where a delivery firm put the chatbot out there to effectively provide a direct communication channel with their users and it went so bad. The user actually asked the said chatbot to write a rap song about how bad they are and it did. So, you know, how on earth

Dawud Gordon, Ph.D. (08:24.5)
Yeah.

Ivan Milenkovic (08:24.794)
do you prevent something like that? Fantastic. You have another great example. Canadian airliner was, I think that one ended up in court. Basically, they were found liable for stuff that their chatbot said to a customer. So again, it's how do you contain those things? So again,

Dawud Gordon, Ph.D. (08:33.248)
Yeah.

Rob Dwyer (08:36.303)
Mm-hmm, I did.

Ivan Milenkovic (08:50.038)
you might or might not see those problems as security, but it all boils down to really where you draw the line. I'm not even gonna go into the ethical side of it and whatnot, but I guess to kind of top it off, it's an increasingly interesting, and I'm gonna leave it to that area where even...

the likes of the European Union recognized that something big is going on and therefore, you know, within this month again we had you come up with the AI Act to try and curb some of the madness and just tell, effectively, everybody involved with it that at least they must understand what the implications are, that they must be properly doing their risk assessments and that they must understand

obviously where AI is involved and to what extent. And again, there must be much, much better visibility. But what's also very important is that there must be a proper level, if you want, of acknowledgement from providers of any and all AI solutions that actually they are part of that solution, but the problem as well, so that they must be looking at it quite seriously.

Rob Dwyer (10:06.351)
Hmm.

Yeah, very interesting. There is a lot to unpack there. Dawud, do you wanna follow on to that?

Ivan Milenkovic (10:10.214)
hopefully helps.

Dawud Gordon, Ph.D. (10:14.062)
pack. Yeah, yeah I do. I do. I think first of all I agree with everything Ivan said, always. But I think one thing that's really interesting is I think you also had Tim on maybe about a month ago who was kind of talking about this at the risk of adopting AI and adopting the large language models and gen AI and data poisoning and all of those aspects. But I think there's a whole other angle that

that where risk is there and is becoming greater, even if you're not adopting it.

And, you know, as Ivan was saying, like one of the values of the BPO is the people that they bring to the table who are actually doing the work. And really what they're trying to protect is these people and the access that these people have to have into their clients. And so really the biggest area of risk for a BPO is around protecting people. And when things go sideways from a security perspective, it's almost always around a

Dawud Gordon, Ph.D. (11:19.276)
agent, right? It's like industry-wide in general, it's about 90% just in industry in general. In the BPO space, it's much higher than that. It's, you know, it's vanishingly small the number of times where somebody gets breached and it doesn't somehow start with identity. And one of the things that's happening is that these language models are giving anybody essentially the ability to write an email that is really well worded and looks very professional.

And these are things that are super valuable to all of us as we use these tools. I use it occasionally to just spin out emails sometimes. And it can be really good. But one of the areas where this is having a big impact is the attackers also have this technology.

And for us, you know, if you go to ChatGPT and you say, Hey, I'd like to create a phishing. Now I'd like to trick somebody into thinking they're talking with their IT team so that they end up giving me their password. It's not going to let you do it. There's guardrails in there and it says no, but, but this technology is also open source. And so we're already seeing this happen where some of the, some of the APT crews, which stands for like advanced persistent threat, advanced and persistent being the operative words here, have taken some of these open source tools and stripped the guardrails

take one of your agents and their LinkedIn profile and a couple other pieces of information that they find and just hand it off to generate an email that really looks good. And you know, two years ago you could very easily spot a phishing email for the most part. You could kind of see like, ah okay, you know, it's got some grammatical errors. That's gone. That's gone. And so there are...

There are attacking crews out there who have now realized that the easiest way to get into some large, for example, financial organization is not by going at them directly, but by finding their outsourcing partner and then getting in there. Because all they have to do is get on one machine, give one person, give up their credentials and then use their access to get in. And so this is something that's really an evolving threat. And it's starting to escalate because it's going beyond just sort of the conversational AI, right? There was this one example of, which I, you know, I have a background. I've been, I've been in machine learning.

Dawud Gordon, Ph.D. (13:28.212)
AI since before it was cool. In fact, since before it was cool the last time it was cool. And this was something that really surprised me that they were able to pull this off. There was an employee of a company who thought that they were on a Zoom with like five or six of their colleagues that they know that they've worked with. And these were all just generative audio, video.

and convinced them to put out a $25 million payment to somebody that was unauthorized. And so we've already started to see this where some of the largest BPOs who were looking at kind of adopting some of these technologies of video and voice for the purpose of securing access have now stepped away from it because all of a sudden things that we just traditionally thought were secure are now no longer secure. And...

and can very easily be spoofed using this technology. So this is something like, even if you're not adopting AI, there are risks that are changing the landscape for BPOs because they're now a target. That's been, as Ivan was saying, it's been something that's been happening that is kind of obvious to the attacker communities and that the tooling is out there to make very sophisticated and widespread attacks. It's very easy to not just target one person, but target everybody with something that's very personalized and looks very real.

that I think is having a very big impact on the industry and is really changing the level at which security needs to be applied here, specifically around identity. And you can see that in kind of changing and updating compliance. You can see that in client demands on contact centers of what they need to do in order to pass security checks and get new customers. And all of that is adding an extra layer of cost and friction and hitting SLAs

market pressure for exactly these reasons. So AI has created kind of two market pressures on BPOs at once.

Rob Dwyer (15:20.907)
Yeah, it's fascinating. It used to be, right, I could trust my own eyes and ears. And today, very quickly, we're starting to recognize that it's very difficult to trust what you're seeing because what was just a couple of years ago, deep fake video.

Dawud Gordon, Ph.D. (15:30.295)
Yeah.

Rob Dwyer (15:46.691)
Like you might be able to fool somebody with a really, really good deep fake video. And today you've got Sora pumping out videos of things based on a short prompt that you go, holy crap, that looks as genuine as can be. Like I can't believe that AI just created that. You're able to clone voices. And so to your point, when you're talking about

Dawud Gordon, Ph.D. (15:50.987)
Yeah.

Dawud Gordon, Ph.D. (16:11.478)
Super easy.

Rob Dwyer (16:14.175)
right, this person that made this unauthorized payment, like he's on a video, he thinks he's talking to people he knows, like actually knows, right? But it sounds like them, it looks like them. It's going to become a very challenging landscape. It already is a very challenging landscape, but the technology is only going to improve from here, right? So that the attacks are going to likely increase in both volume and success rates, if we don't look at security in a different way and take some different measures to ensure that we're protecting data. You've talked about identity quite a bit. I think we have moved well beyond the days when, you know, I-

Dawud Gordon, Ph.D. (16:48.395)
Yup.

Rob Dwyer (17:11.927)
Look, we've all seen the privacy and security training and it's like, well, you know, make sure and change your password and, you know, even password requirements, right? I mean, if you think about some of the password requirements out there.

on purpose, not because they mean it, but the requirements make you choose actually bad passwords that are relatively easy to crack given where technology is today. And we've, a lot of BPOs have systems where it's like, okay, well, you can't have a cell phone on the floor in the contact center or those kinds of things where kind of like these old school,

Dawud Gordon, Ph.D. (17:36.982)
Yeah, that's true.

Rob Dwyer (17:59.051)
We're paperless. We have these old school security measures. Why aren't those good enough? So let's take out the attack vector of being on video and being fooled by that, because that's pretty sophisticated. It's gonna cost a decent amount of money to make that attack. Maybe most BPOs aren't going to be as susceptible to that. But why isn't like just changing your password and not having cell phones

Dawud Gordon, Ph.D. (18:01.27)
Yeah.

Rob Dwyer (18:29.863)
and being paperless, why is that not good enough today? Like what are the ways that people are actually getting into? You talked about getting at BPO client data. Let's talk about some very real scenarios where that's a risk. How are threat actors accomplishing these things?

Dawud Gordon, Ph.D. (18:57.292)
Ivan, would you like to give an inside perspective? I can also share what I've seen. Yeah.

Ivan Milenkovic (19:00.662)
can certainly start, just please stop me from going too far away with it, because again, that's an area that's very close to my heart. Again, fantastic question, Rob. Thinking about how normal things happen when you look at a typical end-to-end operation on the BPO side. First big problem.

many BPOs faced actually relatively recently was that they tried to go away with actually brick and mortar premises. Obviously, due to COVID and whatnot, masses of people were sent home. Another very interesting area there is, again, I already mentioned some pressures when it comes to, you know, revenue and

and price points and whatnot. So another way how you can keep your costs slightly linear is to have obviously a remote workforce. So straight away, when you have users outside of your typical hardened environment, if you want, you can imagine what could happen there. Because in theory, people should be abiding by all those strict rules. But

in reality, you know, when you have an army of people that are trying to work remotely, where, you know, normal passwords don't cut it anymore, where it's a harsh reality that the second you have a device that's not entirely hardened according to the corporate standards, because, you know, you might have to allow people to use their own devices and whatnot, you end up with a host of problems you wouldn't even be able to imagine.

There are parts of the world where that's kind of quite prevalent and people, unfortunately, still don't even use legal software for many things. So you can expect to find pretty much anything on those devices, from key loggers to password stealers to whatnot. So it's a proper, proper problem. Therefore, when you think about it, some sort of multifactor authentication is an absolute must. It's not even, you know...

Ivan Milenkovic (21:19.286)
one of those things that you sort of start thinking about. But then on the other side, all the stuff that you mentioned when it comes to the actual, you know, physical premises and people operating from, as we said, the hardened environment, as you rightfully mentioned, again, you know, people are not allowed to bring in their mobile phones and similar devices, obviously, because again, on one side you have client requirements that

no information can effectively leave the room. And for, again, all the right reasons, your clients are trying to protect their client's data. So you want to obviously preempt and prevent any sort of possibility where someone can maybe take a photo of what's on a screen or even write down the information that they hear at the time. So hence, you don't allow pen and paper, you don't allow mobile phones and whatnot.

And effectively, the challenge there is, you know, by removing, for example, that very mobile phone, it is one of those things that easily today can be used as the multi-factor authentication factor. So you can, you know, put a piece of software on that device to aid the multi-factor authentication process and so on. Again, you can't do it. But, and it's a huge but, when you look at

the legislations that are hitting BPOs, and we already mentioned PCI DSS, in its latest incarnation, when you think about it, you can almost see that you need to apply multi-factor authentication across everything. You have to basically to stay compliant. Now I'm not saying that compliance equates security in this case, but nonetheless, it's one of those things that simply must be done.

So you're putting an extra burden on everybody. Automatically, when people need to come up with something smart, you must have MFA, but obviously you can't use the mobile phone. And then people start getting creative. That's where you obviously end up having problems or you need to spend a really big amount of money, which again,

Ivan Milenkovic (23:43.562)
in the BPO industry for all the reasons we already mentioned isn't a good idea because you need to stay competitive and you need to keep things as lean and mean as it gets. So not an easy feat. But then going very briefly to what Dawud mentioned, you know, things such as humble phishing attacks. You know, again, let's not go into the advanced stuff and deep fakes and whatnot.

But again, that very humble phishing thing that in the past was not entirely, but almost exclusive to the English-speaking countries and areas for obvious reasons. English is, you can call it the universal language. So whatever the hacker is, the easiest thing to do is to write a phishing email in English. So it's almost via security through obscurity, non-English countries

and operations were slightly more resilient, let's put it like that, to phishing attacks because all the content that could be possibly sent to people involved obviously had to be in something that either makes it more expensive or harder to fake or you ended up seeing emails, for example, that were so bad that even for a non-trained eye it would be very, very obvious that something's wrong with it.

Dawud Gordon, Ph.D. (25:10.019)
Yeah.

Ivan Milenkovic (25:11.834)
That's going away, because obviously AI doesn't care if the phishing email needs to be in English or in Chinese or in Russian or in Portuguese or in whatever else you can think of. So suddenly you have those in theory simple and old-fashioned, even, attacks being far more effective and reaching areas where previously you wouldn't expect to see any of it,

kind of coming back to where we started. When you think about, yes, maybe people are within the four walls and yes, maybe you have all the right physical controls and you basically understand and have good means of checking what goes in and out and you provide or rather you're trying to provide a service from a secured environment with secure devices, but the pressures are still there and none of it guarantees full security as it stands today. Again.

unless you try to be a bit more creative, however, in the right way.

Rob Dwyer (26:14.752)
Yeah.

Ivan Milenkovic (26:16.07)
That would.

Dawud Gordon, Ph.D. (26:21.628)
Yeah. Yeah, I think really, again, I agree with Ivan that the primary issue around just single factor authentication with a password is user error. We're all fallible, we all make mistakes. All you have to do is make one mistake, especially in the contact center where we don't have security sophisticated users who really understand how these things work. It can be just very easy to get.

password, and if that's the only thing, then basically somebody else is in. Which is kind of what drives the need for MFA, but like you were saying, you know, there's a clean desk policy. So you can't use a phone, right? And so all of the tooling that would exist in order to solve this problem for

as customer normal enterprise sees so is just not available here. And that there's this sort of, the only thing that really is going to be solving this is hard tokens. And then there just becomes this huge logistical cost of having to manage a physical piece of hardware, especially if we have a remote, you know, a remote team where you have to procure it, you have to license it for a user, you have to enroll it, then you have to overnight FedEx it to them. And they're offline until you can get it to them.

Rob Dwyer (27:32.963)
All right.

Dawud Gordon, Ph.D. (27:35.276)
and this is creating a huge problem, and the cost of that, you know, we hear things like 10 to 15 percent per month replacement rates of how many of these you have to replace because they went to the wash or somebody lost it or never got there. So it just becomes extraordinarily expensive. I think, I think aside from that

from that outsider threat. The other way that things really go sideways from an identity perspective in the contact center is when an agent can be complicit in some of these actions. And so like at a very sort of non-threatening level, this is just you have two people working in the same facility and one's running late and he says, hey, can you just sign me in so I'm not late on my shift? You know, and that's like a very, you know, it's not super malicious, but it's not a great thing

perspective. What we see is that as these contact centers go to a work from home environment, even with some of the more advanced tooling around multi-factor authentication, there's still an issue where we've heard and seen on the order of magnitude of like 5% to 10% of all of the headcount of an organization that's worked from home may not actually be the person that the BPO hired.

and that it could just be like, I'm getting a paycheck and my nephew in the household is doing the job and he's getting a half. And the most malicious is that these are not super high paying jobs for these agents and it doesn't take a lot of money to move the needle. So if this is a big account, right?

and you put $10,000 in front of somebody saying, hey, I want your access, will you give it to me for $10,000? Then all of a sudden you have somebody who is equipped to do the authentication, even if it's multi-factor authentication, and is doing that on behalf of somebody else. So there really is a need to be able to find a way to automate that process in a way that the human can't make that mistake, and at the same time, to be able to be aware of the fact that this may not be the authorized user, even if the authorized user is the one who's granted it.

Dawud Gordon, Ph.D. (29:39.668)
access. And so these are kind of some of the issues that we're seeing around this two-factor authentication, right? There's the cost of having to do it with hardware, which is just a nightmare, and then the downsides of what happens when either somebody makes a mistake or when they're complicit.

Rob Dwyer (29:57.231)
Yeah, you bring up some really great points. And I think there's the nefarious angle and just that it's complicated to be an agent in a BPO angle. And it's.

Rob Dwyer (30:13.383)
It's so crazy sometimes when you think about all of the different systems that agents need to have access to. Maybe different password requirements to all of them. Maybe different user names to all of them. And I kid you not, when I was a trainer at a BPO, I had day one, right? You set up everybody's user names, passwords to systems.

Day two, somebody can't get in. And I very much remember a specific instance where a guy couldn't get in and I'm like, well, just use your security question. And I said, what was your security question? And he says, what is your favorite movie? And he couldn't remember how he answered this question. Like, A, there's some things going on there, but B, right, it's...

Dawud Gordon, Ph.D. (31:04.669)
Hahaha

Ivan Milenkovic (31:06.086)
Fantastic. Yeah.

Dawud Gordon, Ph.D. (31:10.347)
Yeah.

Rob Dwyer (31:11.403)
Sometimes even the questions that we use for recovery are bad questions. I look at these and they happen across the board for all different kinds of things that you need to log into. And I'm like, okay, well, they ask a question that the answer is something that can change over time. Like, okay, well, maybe depending on your age, it asks who your best friend is. Well,

You know what? At my age, my best friend doesn't change. But if I'm 18, that may not be the case, right? Things can change. And so like, you know, what's your favorite food? What's your favorite band? What's your favorite sports? Like all of those things. It's like, well, maybe at some point those things become very cemented, but those are also things that can.

absolutely change. And it shouldn't be a surprise that this poor guy came in and obviously could not remember what his favorite movie was the day before. That's, that's a pretty extreme case, but it's very real, right? So we're putting all of these requirements for people to remember things. Some people can't even remember their, you know, their driver's license number, their social security number. We don't even remember phone numbers these days, right? I mean

Dawud Gordon, Ph.D. (32:19.127)
Yeah.

Ivan Milenkovic (32:38.994)
Spot on. Spot on.

Rob Dwyer (32:39.971)
There was a time when you knew everybody's phone number. And now, there are very few phone numbers that I know because we just don't rely on that memory. And so instead, we have a million passwords for a million different things. And then we throw the passwords for our new job onto it. So that's hard.

Ivan Milenkovic (33:01.434)
Rob, sorry to interrupt very rudely. I think your listeners and viewers need a bit of explanation there. The BPO industry is actually far worse when it comes to those things, what people don't necessarily appreciate. In a normal environment, you work for the company, and yes, all of those things that you explained are there. You know, you have quite a few passwords you need to log into.

Rob Dwyer (33:15.545)
Yes.

Ivan Milenkovic (33:29.038)
quite a few things, whatever. But then in a BPO world, someone who works there has all of those things, and on top of that, all the client relevant stuff that they need to log into, where you have, you know, sometimes five, six, seven, I don't even know how many, you know, systems on a client side that you need to log into. But then to make things worse,

Rob Dwyer (33:39.503)
Mm-hmm.

Ivan Milenkovic (33:52.186)
you don't always have people only working for one client because obviously the demand changes. So you have someone who today works for client X, tomorrow works for client Y, sometimes they might even have to split the day, which makes things absolutely bizarre. So these poor people that are hired pretty much almost on the spot and with a minimum of training are supposed to effectively perform their best.

They are challenged with all of those things and they need to deal with I don't even know how many passwords on a daily basis. So, you know what? Either you are a robot or you are going to possibly write down all of those things.

Dawud Gordon, Ph.D. (34:36.002)
they end up on a post-it note. Yep, yeah. And I would even take it one step, yeah. It's a classic, we see it all the time, in fact, yeah. It's just something that is just ubiquitous. Everyone laughs if you show them a post-it note with my password is 123 or something on it, because we've all seen it. I would even take it a step further that, and this is really part of sort of my personal thesis, which is that the fundamental problem here is that we are trying to build security.

Rob Dwyer (34:36.491)
Yeah. The Post-It note is a classic.

Dawud Gordon, Ph.D. (35:05.862)
on the back of the responsibility of the user, where the user is the one who's responsible for doing all of the work of driving security. And we're all fallible, we all make mistakes. And if you watch the Olympics, these are the top of the top performers. You're still gonna see people fall off a balance beam.

like heads over tails, downhill skiing, like even the best of the best make mistakes. So how can we build a security program where we expect in order for it to work, everybody has to not screw up even once ever.

And that's the way it works. And that we have the users doing work, again, remembering passwords, typing them in, getting a text with a six digit code, opening an app, pulling that code out, carrying around keys with them, whatever it is, how can we expect that this is ever gonna work if we do this? And that really that the only way we get to go past this is by automating all of that. And that's really something that I think is new that AI can do for this environment, is taking all of that work.

that we expect all of these agents to do a thousand times a day and never get it wrong, or there's help desk tickets and all of that, why can't we just automate it? Because essentially, it's like one of those tasks that seems perfectly suited to automation, where you have users doing a rote task and they're doing exactly the same thing over and over again, 17 times a day. Can't we just automate that? If we automate it, then it's no longer susceptible to human error, they can't mess it up, and even if they wanted to, they couldn't give it to somebody else, they can't give their

somebody else because the work of is this the user is just done in an automated fashion. And so I think that in order for this to, in order for us all to kind of pass go here and be able to, and be able to move on and have this at some point not be the level of a problem that it is now, this just has to be automated. And if we can automate it, like the impact on SLAs is huge. The impact on like the, what it, what security does to the bottom line of the business is huge. We can make all of that stuff not be such a horrible.

Dawud Gordon, Ph.D. (37:08.298)
pain that everyone has to deal with and everyone knows like, oh yeah, that sucks. And, and eventually also kind of, you know, operations and security, especially in the BPO, are always at loggerheads. That's just a never-ending battle.

I want security, we gotta hit SLAs. Yeah, but we need to do security. Well, there's gonna be nothing to secure if we don't hit SLAs. And so it's just, you know, it's an ongoing battle and it's just a seesaw, it's just back and forth and back and forth. And then, you know, a breach happens and we go, oh, better security. And then it's like, well, now we need SLAs. And it's just, we can solve all that if we can just get rid of this mess of having to rely on the user to not make a mistake and do all the work.

Rob Dwyer (37:48.299)
Yeah, and you know, your analogy of athletes, I'll take it one step further. It's the athlete that's trying to run the race, but there are actively other people with like a bat hiding, just waiting to take a swing at you to try and defeat you. Like that's the threat actor out there. Like you're trying to just do everything perfect, but someone's out there trying to mess you up. And...

Dawud Gordon, Ph.D. (38:03.767)
Yeah.

Yeah.

Dawud Gordon, Ph.D. (38:16.231)
Yup.

Rob Dwyer (38:17.703)
And that is the part that I think for the agents, to your point, right, they're trying to do everything right. And there are, we know, people that are trying to not even throw them off their game, they're just trying to sneakily get access to something that they're not supposed to have access to. And the agent is just trying to do a job.

I mean, they're just trying to help people. That's what they do, right? That's the job is to help people. And so when you talk about operations and security being at loggerheads, I would argue too that the agents in security are at loggerheads because the agents are just trying to help people. And sometimes when we're motivated to help people, we can unintentionally do some things that

Dawud Gordon, Ph.D. (38:49.195)
Yeah.

Rob Dwyer (39:15.315)
are against security standards or might potentially allow access to someone that shouldn't have access. So absolutely, I think when we can automate things and take some of that security decision making process out of the hands of agents that are just trying to help customers, then we're in a much better space because now everybody can just do their job.

Dawud Gordon, Ph.D. (39:43.37)
Yeah, yeah. Imagine if there was something, not security, but there was some other aspect of the business, accounting, and everybody, when they came to work every day, every two hours, they had to do 10 minutes of accounting work in order for the business to go on.

You would point that out and be like, that is ridiculous. We just need a department. They take care of it. Nobody, like, you know, the people who run the facility, they shouldn't have to do the bookkeeping here. This is just crazy. But with security, we've kind of all accepted, no, this is the way it has to be. Everybody's gotta spend 10 minutes out of every two hours doing the work of security. And as long as we're all on board with, yeah, that's the way it's gonna be then, this problem's not gonna go away. It's just getting worse.

Rob Dwyer (40:31.939)
Yeah, I want to spend just a little bit of time. We've talked a little bit about it early on. But I think one of the things that we haven't really been able to do is we've been able to do a lot of things

dug deep enough into is the risk to the BPO. So there's a risk to my client's data for sure, 100%. But as a BPO, if I am the vector through which a breach happens, who's gonna get held responsible? It's me, right? There's a huge potential financial liability that's gonna fall on that BPO. Can you talk about that a little bit?

Ivan Milenkovic (41:15.094)
Absolutely happy to start here. You are again very correct here, Rob. The risk is huge, especially when we talk about the reputational side. At the end of the day, we kind of touched upon that one at the very beginning, BPOs being in the eye of the storm when it comes to, you go

Ivan Milenkovic (41:44.93)
I'm not even going to go about possibly the trove of data that they can hold on clients' clients. So, from that perspective, the risk is tremendous. And yes, we've seen obviously some very high-profile cases when it comes to now even SEC pursuing

Ivan Milenkovic (42:12.758)
when it comes to obviously breaches and similar stuff. But in this case, again, when you think about markets that is quite cutthroat in terms of margins and everything else, when it comes to what it takes to, as I already mentioned, have a stake at the table and just be able to compete and have the right to...

try and enter the game to deliver some of the client services, you really need fantastic reputation. So from that perspective, even without fines and without regulatory bodies and without everything else, again, your reputation is everything and you really need a clean bill of record, you know, everything's all right.

just thinking about all sorts of questionnaires and challenges I've seen from clients in the past asking for everything and anything you could think of in terms of security and how you handle specific incidents and describe to them the incidents you experienced in the past and what and how exactly you did about those incidents, it's just amazing stuff.

So on one side, you know, it's that. On the other, it's yes, it's very tangible. Companies and people these days actually get prosecuted for stuff like that. If you look at, again, I mentioned already what's going on at the EU level, but you know, you look at GDPR, you look at legislations that have to do with privacy and what and how needs to be disclosed, and then what defines when people's data

gets exposed, where you don't have, as it used to be many years back, you know, a preset maximum fine or whatever. No, you have actually a very tangible threat, even where the legislator says the fine is X percentage of the revenue. It's like, okay, you know, it is something that can seriously hurt you. So I can, I can only tell you that, you know, having

Ivan Milenkovic (44:33.518)
having to discuss those things with your CFO and people that are involved with cyber risks inside BPOs, suddenly they get a rather increased interest in what you're saying on one side, and on the other, yes, it's a rather challenging game, there is no other way about it.

Rob Dwyer (44:57.771)
Ivan, are you saying that companies are not scrambling to sign up to a BPO that's just had a significant data breach? Is that what you're telling me?

Dawud Gordon, Ph.D. (45:08.807)
hahahaha

Ivan Milenkovic (45:10.394)
I'm not going to comment on that.

Rob Dwyer (45:14.223)
I mean, right, I think you bring a very good point about reputation. That, you know, if I've just got breached three times with three different clients of mine as a BPO, it's going to be really hard for me to attract new business. That's just, that's the reality. And then you throw on top all of the other financial concerns. Before we wrap up.

Dawud Gordon, Ph.D. (45:33.782)
Yeah.

Rob Dwyer (45:44.624)
Is there anything that you wanted to share with the audience before we wrap things?

Dawud Gordon, Ph.D. (45:55.039)
What I would say is I would really want to bring it back to that premise of there's got to be a better way around identity security.

Dawud Gordon, Ph.D. (46:11.654)
that really from that perspective, that better way has to be around automating the user out of this and creating an environment where you can have security that operates at the speed of software and with the effort of software instead of at the speed and effort of human beings. And that this is something that I actually run a team that is working on exactly the solution and it's something that we bring to market in order to try and solve this problem

in BPOs as well as healthcare and in other places. And so if there's anyone who's interested on just kind of brainstorming on that front around what can be done there, maybe a little bit of a shameless pitch, come check us out, twosense.ai.

Rob Dwyer (46:51.415)
Yeah, so absolutely we'll have a link in the show notes and we'll have LinkedIn links as well for both of you gentlemen, so people can reach out directly to you. I wanna thank you both for coming on the show and talking about this. Like I said, it's not the confetti thing, it's not always the most exciting thing for people to talk about, but as AI becomes

the more powerful and available to threat actors, the more important it is for all companies, not just BPOs, but BPOs in particular, to take how they're approaching security not just seriously, but be thinking about new ways to guard against potential breaches and the impacts

can be, literally, they can threaten the health of your company significantly. And so I want to thank you both for coming on today and talking with me about this.

Dawud Gordon, Ph.D. (48:03.938)
Thanks so much for having us.

Ivan Milenkovic (48:06.49)
Absolutely. Thanks for having us. It was a fantastic discussion.

Dawud Gordon, Ph.D. (48:10.038)
I've really enjoyed the conversation. This was great. Have a great one.

Rob Dwyer (48:10.175)
All right, thanks, gentlemen.