In 2022, Mutare initiated a Voice Network Threat Survey at the annual RSA international conference. Through a series of 12 questions, the survey tasks respondents to reveal their knowledge of, and attitudes towards, the enterprise voice channel as a growing threat vector.
The intent of this inaugural Voice Network Threat Survey was simple. There was no data or metrics available to understand, evaluate or examine the Voice Channel from an enterprise security perspective. So, we made the decision to create this data and metrics ourselves, and share it with the industry.
In this first year (2022) of the Voice Network Threat Survey, Questions ranged from what security strategies are currently in place, what persons, departments or service providers are tasked with overseeing network security, and what is the level of concern over threats carried through the voice channel. Based on the insights gained from that effort, Mutare expanded the reach of the Survey in 2023, targeting a broader and more diverse audience at three live shows attended over a two-month span: RSA, Cisco Live, and CCW.
Compiling responses from more than 300 technology, risk management and security professionals representing a cross-section of roles and industries, the 2023 Voice Network Threat Survey is now a much-desired source of intel for organizations looking to better understand the current state of the voice channel as a threat vector, and of sentiment around voice threat defense in the enterprise.
In this article, Mutare’s Marketing Manager Victoria Elliott speaks candidly about her experiences as the Survey field administrator (Victoria conducted all survey interviews, which were live and in person). As such, we interviewed Victoria after each of the three live shows, RSA, Cisco Live and CCW. These three interviews are chronicled in this single article. Victoria’s reflections add color and context to the emerging story revealed through the 2023 Voice Network Threat Survey Executive Report, which provides a professional representation of results, insights and perspectives of the Voice Security landscape.
To download a full 2023 Voice Network Threat Survey Executive Report, click Here.
Reflections on RSA
- Attendees serious and focused
- Over-the-top robotics and tech-inspired booth displays reflect culture of innovation
- Mutare’s “difference” an attention-drawing asset
- Attendees surprised by the depth of Mutare’s experience
- Expanded understanding that voice threats are not just about AI voice cloning
- Emerging recognition about vishing as a serious threat vector
It was a crystal-clear April day in San Francisco when approximately 40,000 cybersecurity professionals from around the world descended on San Francisco’s Moscone exhibition center to kick off the 32nd annual RSA* conference. During the four-day, premier industry event, attendees would have the opportunity to listen to keynote addresses from some of the world’s top cybersecurity experts and meet and mingle with 500+ exhibitors anxious to showcase a broad spectrum of solutions and services designed to fortify organizations against the ongoing onslaught of cybersecurity attacks.
Among those exhibitors was a team from Mutare who came to share their specific expertise in the current state of voice channel defense.
Like a David in the midst of Goliaths, Mutare occupied its modest 10’ x 10’ booth armed with a uniquely elegant, quietly powerful, and highly effective technology slingshot – the Mutare Voice Traffic Filter.
“We had our booth setup in the hall connecting the two main exhibition buildings,” says Mutare’s Marketing Manager, Victoria Elliott, who, along with 7 fellow Mutare colleagues, made it a mission to put the Mutare name on the RSA map. “What we lacked in size, we made up in location. I looked up at the elevator when the event doors opened, and it was like seeing a river of fish descending on us. We knew this was sink or swim time, and our best opportunity to show the RSA crowd that there is a huge hole in their cybersecurity defense strategy that we can close.”
To that end, as part of our outreach to attendees, Mutare chose to exercise an innovative survey approach designed to expose current attitudes and experiences regarding the impact of unwanted calls on organizations. In the process, survey respondents had the chance to think more deeply about a threat they may not have even known existed. With Starbucks gift cards in hand, Vicky was able to engage close to 140 willing respondents, and their answers were revealing.
For instance, the largest portion of RSA attendees identified as being in the government, healthcare or financial services sectors – organizations that are also favorite attack targets for cybercrime due to their large stores of financial resources and data. So why, then did only 10% report that their organization does voice threat security training? Could that be a clear indication of a low level of recognition around the vulnerability of employees as the “weak link” for criminal intrusion through the voice channel?
* Fun Fact: The name RSA refers to the public-key encryption technology developed by RSA Data Security, Inc., which was founded in 1982. The abbreviation stands for Rivest, Shamir, and Adleman, the inventors of the technique. Today’s international RSA conference is the premier showcase for emerging cybersecurity policy, thought leadership, and innovation.
“It was really an interesting exercise,” said Vicky. “People walking past our booth would swing their heads around and look closer when they saw our message was about voice security. It was something they had not seen before which made us intriguing. A lot of visitors thought, initially, we were talking about the threat of AI and voice deepfake, since AI is pretty top-of-mind right now in the cybersecurity world. Others thought, by the size of our booth, that we were a start-up looking for investors and were surprised to find out we’d been in business for over 30 years. When we got into it with the curious ones, it was clear we had something valuable to offer. We had some deep conversations that I don’t think would have materialized without the touch of recognition that we might be on to something.”
As the second year of attendance at RSA, Mutare has made inroads compared to year #1, notes Vicky. “Last year, when we mentioned voice phishing (vishing) attacks, no one knew what we were talking about. This year, everyone knew exactly what is meant by ‘vishing,’ probably because there have been so many high-profile attacks in the news lately.” Next year, she says, Mutare will vie for a speaking role. “It’s not just that we have a good story and an excellent solution. We are different, and when you have the chance to stand out in a crowd of 40,000, that’s saying something!”
Reflections on Cisco Live
- Loud, colorful, driving a high energy visual and auditory experience
- Flip-flops more prevalent than loafers
- Sense of familiarity among attendees
- Friendly, mutually enlightening conversations
- More tuned into negative impact of unwanted calls
- Growing interest in Fedramp certification in the government sector
On June 5, a small team of Mutare sales and marketing representatives traveled to Las Vegas’s Mandalay Bay Convention Center where they joined 300 fellow exhibitors, 20,000 live attendees and nearly one million on-line international attendees participating in the 2023 international Cisco Live exhibition.
As the world’s premier educational and networking event for IT networking professionals, tech learners and Cisco certification holders, Cisco Live is especially rich in opportunity for Cisco-certified technology partners, like Mutare, who come to spotlight solutions that enhance the Cisco platforms for Security and Collaboration.
“Cisco has been hosting this event for nearly 30 years and we’ve been part of the Cisco ecosystem since at least 2010,” said Mutare Marketing Manager, Vicky Elliott. “So, it really was like entering familiar territory, but with all new stories to tell.”
While helping the Mutare team promote the company’s award-winning enterprise Voice Traffic Filter, Vicky had an additional goal to fulfill. Just as with the last two RSA security conferences, she set out to survey Cisco attendees about their experience with, and level of understanding about, security threats in the voice network.
“While we mainly want to understand the market’s level of awareness around cybersecurity vulnerabilities targeted through the voice channel, it has also been an interesting experience capturing the differences in attitudes from event to event as they attract specific audiences coming from unique perspectives,” she said.
When trying to describe the vibe at Cisco Live, Vicky said two words came immediately to mind: “Color” and “Energy.” “It opened up with a bang – music pumping through, lots of vibrant colors throughout the exhibition halls, nonstop conversations, a bit chaotic, and the crowd just surged in on day one with so much enthusiasm, like people on a mission! They did not walk, they swarmed. Oh, and when food came out, well, watch out! It was a stampede. At times it was a bit overwhelming.”
But no amount of chaos could deter Victoria Elliott from her mission. With iPad survey and Starbucks gift cards in hand, she piloted herself between the Security Village and the Collaboration Village, the two main centers where certified Cisco technology partners could showcase their performance and security-enhancing offerings to the Cisco community. Mutare’s position as both exhibitor and presenter at each of the venues provided ample opportunity to gain insights from attendees already drawn to their speaking events.
“I did notice that we had more traction at the Collaboration sessions. This group seemed very tuned into the disruptions of robocalls and spam calls, but not so concerned about potential security threats.”
That is where the survey process served a dual purpose, Vicky said. While gathering data, it also raised awareness. “You could see as people took the survey, answering questions about threats in the voice channel, there was often an ‘ah HA’ moment when they really considered what we were talking about. It was a fantastic conversation-starter.”
Another take-away, she noted: “There seemed to be a growing conversation around Fedramp certification for vendors dealing in the government sector. Mutare already has a mature HIPAA compliance program for the protection of PII related to health data and, as a security company, we have specific expertise in data protection at all levels. Still, it does appear there is an interest in a similar compliance process for protection of government data as solutions become increasingly cloud-based. It is unclear how essential the Fedramp certification is, but it is something we will be watching.”
By the end of Cisco Live, Vicky was able to add 128 responses from her interviews which, when added to 138 responses from the RSA conference, revealed some key insight consistencies:
- Only 10% of respondents report that their organization have implemented measures to deal with unwanted calls despite the unrelenting upward trajectory of robocalls alone which have now topped 5.1 Billion per month nationwide.
- Only 5% of respondents reported that they were aware of their company being on the receiving end of a voice attack, even though industry studies reveal that 50% of organizations have experienced a vishing or social engineering attack in recent years. This tells us that organizations are remiss in disseminating information about known attacks to their workforce, creating a false sense of security that, in the end, leaves employees more vulnerable.
- The majority of respondents put Security Awareness as their organization’s top strategy for fighting voice threats, with much less attention paid to infrastructure or voice traffic protection. This means that the majority of organizations are making their unprotected employees the front line of defense against cyberattack.
- More than 86% of respondents think that it’s time to elevate Voice as a Threat Vector and an even larger percentage – 90.5, say voice telemetry should be included in their SIEM/Threat Defense and Response program. However, few report that their organizations are actually on board with a comprehensive voice threat and detection strategy.
“Each time we attend one of these events we get ever-deeper insights about the state of security awareness around the voice channel,” said Vicky.
“The Cisco crowd is particularly interesting because many of them know Mutare from our history together; so, there may have been some built-in receptiveness to what we came to talk about. We did have a lot of our industry contacts there saying they would be interested in a Mutare Voice Traffic Assessment of their incoming call data which is always a sign that our message is getting through. It is definitely a good feeling when you see that light bulb turn on.”
* Fun Fact: Cisco takes its name from an abbreviation of San Francisco, the city where Stanford computer scientists Leonard Bosack and Sandy Lerner founded the company in 1984. Though now a multi-national, $207 Billion corporation, Cisco still gives a nod to its roots through its logo, a stylized rendering of the Golden Gate Bridge.
Reflections on CCW
- Limited audience
- Energy mostly reflected in flashy Vegas-vibe booth staff attire
- Prominence of large technology and cloud providers
- Prevailing attitude that Contact Center telecom infrastructure provides adequate protection
- High interest in talking about integration opportunities
- Best place to start a conversation – the Lunch Line
With barely a week to catch our breath following the Cisco Live event, Mutare’s indefatigable cadre of technology convention warriors returned to Las Vegas June 19 to bring their voice traffic threat defense message to the Contact Center world. It was Customer Contact Week, billed as “The Premier Customer Contact Event of 2023 … bringing together 3,000+ world-class customer contact and CX leaders … a must-attend global event…”
Having recently extended the power of its enterprise Voice Traffic Filter into the CCaaS environment, this was the first foray for the Mutare team at a live contact center-centric event. And right in the middle of the Mutare pack was our intrepid Marketing Manager, Victoria Elliott, Voice Network Threat Survey in hand, ready to infiltrate the throngs to gain new insights from the contact center industry point of view.
Except there were no throngs to take on.
“It was a bit of a surprise,” said Vicky. “There really did seem to be more exhibitors than attendees – kind of like being the first person walking into a retail store when it just opens. We knew we had a great message but needed to find the right people to listen.”
For the record, Mutare took on a low profile at the event, with a humble 8’ x10’ booth and a set of pop-up banners that would not deem to compete with such behemoths as IBM or AWS, both occupying house-sized displays in the center of the exhibition hall. Other exhibitors made up for their smaller booths with flashy attire, including one team with matching sequin coats, à la, “It’s Vegas, baby!”
“It was, for us, an exploratory mission,” said Vicky. “We made up for our lack in size with lots of enthusiasm and something different to talk about.”
Indeed, she notes, while this event did not yield the same number of completed interviews for the 2023 Voice Network Threat Survey, she was able to secure at prior events, “it did lead to some interesting conversations.”
For instance, she noted, “A number of people I talked with said their contact center platform has call filtering built in so they feel unwanted calls are not a real problem. There seems to be little awareness of how vulnerable the contact center has become to nefarious criminal intrusions, like vishing attacks, that often slide under the radar of conventional robocall detection or caller authentication applications, let alone what their organizations are doing to protect themselves.”
She recalls another attendee reporting that their company tests employee resistance to phishing email four times a year by sending out legitimate-looking emails inviting the recipient to click a link. If this had been a real phishing attempt, that link would likely trigger a malware download. In this case, it simply outed any employee who was duped into clicking. “Apparently, anyone who fails the test three times will be fired,” Vicky said. “It was interesting that they take email fraud so seriously but do nothing about testing employee resistance against phone fraud.”
She also noted a strong interest among attendees in talking about integration opportunities with fellow vendors and platform providers – a conversation that is likely to continue with the growing prevalence of cloud migrations.
Realizing the value of these conversations, Vicky changed up her strategy, choosing to insert herself in situations where she would be hard to avoid – like the lunch line, where she continuously circled to the back in order to capture the attention of those next to her. “Yeh, by the time I finally decided to go all the way through and serve myself, the food was gone. But it was worth it!”
At the same time, her teammates were also working the floors, making contact with prospective customers and technology partners. “I would say this event was more about getting our name out there, making impressions even if there was limited immediate feedback, building relationships, and just knowing that something we said or presented that day will continue to resonate as we continue to trumpet the cause (voice channel protection and defense), and make our presence, known.”