In this important episode of The Backup Wrap-Up, we delve into the world of cybersecurity training. We explore why effective training is crucial in today's digital landscape and how to implement a comprehensive program that goes beyond just ticking boxes. From creating robust cybersecurity policies to conducting engaging, frequent training sessions, we cover it all.
Learn why rewarding vigilance is more effective than punishing mistakes, and how to foster a security-aware culture in your organization. We discuss the importance of relevant, interactive training methods, including simulated phishing tests, and how to train users to spot suspicious activity beyond just phishing attempts. Whether you're an IT professional or a business owner, this episode provides valuable insights to enhance your cybersecurity training efforts and strengthen your organization's digital defenses.
Speaker:
Welcome to the show.
Speaker:
Before I continue, if I could ask you to click the follow or subscribe
Speaker:
button, that would be great.
Speaker:
So you'll always get this content.
Speaker:
Hi, I'm W. Curtis Preston, AKA Mr.
Speaker:
Backup, and with me, I have my new office chair, comfortability consultant
Speaker:
Prasanna Malaiyandi, how's it going?
Speaker:
Prasanna.
Speaker:
I am a little worried.
Speaker:
I'm doing well,
Speaker:
have, you know, you know what's happening.
Speaker:
Well, first off, we have to say this is a, this is a monumental
Speaker:
moment for in, in multiple,
Speaker:
yeah.
Speaker:
Multiple ways.
Speaker:
Yeah.
Speaker:
right?
Speaker:
So I am sitting here in my new home office, not quite a
Speaker:
hundred percent put together.
Speaker:
I have my shelf behind me.
Speaker:
Not quite.
Speaker:
It's not if you look closely, if, if you have a high def.
Speaker:
There's no screw in that little screw hole.
Speaker:
So if I, if I get a, um, if I get a little earthquake, that thing's coming right over
Speaker:
and, uh, there's no artwork behind me.
Speaker:
But, um, uh,
Speaker:
so I'm not quite
Speaker:
It's a work in progress.
Speaker:
work in progress, but more importantly, to the moment, I'm sitting in my new
Speaker:
Steelcase chair provided by Crandall Office Furniture, and
Speaker:
no, they're not a sponsor.
Speaker:
Sounds like they're a sponsor.
Speaker:
Uh, so I have to say, and I, and, and, and it's a very nice chair.
Speaker:
I'm not sure I like it.
Speaker:
The
Speaker:
I haven't told you this.
Speaker:
I hope it's okay that I, I, I've been, um, I, I think, I think I made the mistake.
Speaker:
I, I, I never thought that like I could buy a, a chair as expensive,
Speaker:
that ex as expensive as this, and then not like how it feels on my body.
Speaker:
Um,
Speaker:
Chairs are very subjective.
Speaker:
yeah, I'm thinking about, uh, do you know what Turfing is?
Speaker:
Mm.
Speaker:
Turfing is where you go to a store so that you can try this
Speaker:
stuff and then you buy it online.
Speaker:
So I'm thinking of turfing.
Speaker:
Um, I need to go, I, I've already looked up where there's a showroom where I can
Speaker:
go actually feel the, the office chairs.
Speaker:
Also, I, again, if I'm spending this kind of money for a chair, maybe I
Speaker:
should have done a little research.
Speaker:
I just pick like top of the line.
Speaker:
Everybody's like, oh yeah, get this.
Speaker:
One of the, you know, uh, but there's definitely some things
Speaker:
about it that I don't like.
Speaker:
Uh, and I'm not sure if it's just a matter of getting used to it,
Speaker:
uh, or.
Speaker:
Uh, well, or that, that's what I'm saying.
Speaker:
Um, I, I, I think I've been, I, I, I definitely understand
Speaker:
what the adjustments are, right?
Speaker:
I watched videos on the, on what the different adjustments are.
Speaker:
Uh, it just seems more like really wanting to push me up here rather
Speaker:
than a little bit farther back.
Speaker:
Um, that
Speaker:
I think there's an adjustment for that.
Speaker:
there, there
Speaker:
May I,
Speaker:
may, I may.
Speaker:
I recommend before, so I think you should still go turfing, but highly
Speaker:
recommend giving Crandall a call
Speaker:
Oh,
Speaker:
I'm going to, I'm going
Speaker:
their customer,
Speaker:
service is amazing.
Speaker:
okay.
Speaker:
And just
Speaker:
gonna call 'em and go.
Speaker:
I don't know if I like this, by the way.
Speaker:
They do have a return.
Speaker:
They do
Speaker:
have a return policy.
Speaker:
make sure you don't throw out your box.
Speaker:
yeah, I don't think I have yet.
Speaker:
You don't think?
Speaker:
I don't think.
Speaker:
I don't think it, uh, you may recall.
Speaker:
It's been a rough couple of days in the Preston household.
Speaker:
Yes.
Speaker:
And oh, I thought you were also gonna mention we got a chance to hang out in
Speaker:
oh, what, wow.
Speaker:
How can I,
Speaker:
how can I bury the lede? The first time in what?
Speaker:
It's been a long time,
Speaker:
right?
Speaker:
since we've seen each other
Speaker:
Yeah.
Speaker:
Yeah.
Speaker:
Well, but,
Speaker:
Maybe a bit less.
Speaker:
This is the
Speaker:
first time that either of us have ever been to the other person's house,
Speaker:
Yes.
Speaker:
right?
Speaker:
And seeing each other for more than like a meal.
Speaker:
right.
Speaker:
And uh, the first time our wives have met,
Speaker:
Yep.
Speaker:
our wives can now swap stories.
Speaker:
Luckily they did not swap cell phone numbers, I don't think 'cause that could.
Speaker:
That could be, that could be problematic.
Speaker:
uh,
Speaker:
no, it was, it was very cool to have you down here and to host you and
Speaker:
drive you around and show you all
Speaker:
the cool, well, not many of the cool San Diego things.
Speaker:
What, what do you, what do you think was the highlight?
Speaker:
The,
Speaker:
the brisket.
Speaker:
you know, I, I just had a piece of that brisket just like, uh,
Speaker:
just a few minutes ago.
Speaker:
The brisket was amazing.
Speaker:
I also did like Balboa Park and the organ concert.
Speaker:
That was pretty awesome.
Speaker:
yeah.
Speaker:
Very unique situation, right?
Speaker:
The world's largest outdoor instrument,
Speaker:
period.
Speaker:
I thought it was just the world's largest outdoor pipe organ, but they, they call
Speaker:
it the world's largest outdoor instrument.
Speaker:
So I was talking to a colleague, uh, earlier this morning telling her
Speaker:
about my trip, and uh, she was saying that she thinks that the largest
Speaker:
indoor organ is in Philadelphia
Speaker:
Hmm.
Speaker:
at a Macy's.
Speaker:
Oh, really?
Speaker:
Yeah.
Speaker:
That's interesting.
Speaker:
That's interesting.
Speaker:
I think, can we agree that, uh, that the Organ Pavilion of Balboa
Speaker:
Park has got to be better than that?
Speaker:
Macy's.
Speaker:
Oh, definitely.
Speaker:
Yeah.
Speaker:
Especially on that sunny day.
Speaker:
It was, it was actually a little too sunny.
Speaker:
I had to get a, I had to rent one of those umbrellas
Speaker:
and you moved over into the shade.
Speaker:
It was a
Speaker:
little
Speaker:
toasty.
Speaker:
Yeah.
Speaker:
But it was a great concert.
Speaker:
An hour, if you're ever in San Diego at Balboa Park every Sunday at
Speaker:
2:00 PM it's a free organ concert.
Speaker:
Yeah.
Speaker:
And uh, the highlight of that concert for me was the.
Speaker:
Um, the player, what would you call 'em?
Speaker:
The mu what would you call 'em?
Speaker:
The organ players.
Speaker:
The organ player's rendition of Bohemian Rhapsody
Speaker:
on, on a, on,
Speaker:
an organ.
Speaker:
It's pretty amazing.
Speaker:
I mean, it's amazing that they're playing both in, you know, music
Speaker:
that was made in the 1600s and music that's made in the, in the
Speaker:
1900s on the same, uh, instrument.
Speaker:
And it was just, just absolutely amazing.
Speaker:
Um, so on to, to just go way down from that.
Speaker:
We need to talk about, um, security awareness training.
Speaker:
Now we mean cybersecurity awareness, right?
Speaker:
Not just, uh, but it's interesting, the, there is more, there is more to
Speaker:
cybersecurity than the cyber part.
Speaker:
There's also the physical aspect, right?
Speaker:
Um, and so I wanted to just talk about that.
Speaker:
We talk about that quite a bit and I know that we, I'm, I'm pretty sure we
Speaker:
touched on it in the last episode, that.
Speaker:
You know, it, it is part of, we, we, we, we've, we've covered on, in
Speaker:
this, in this series on protecting your environment from ransomware.
Speaker:
We talked about, uh, in the last few episodes, some of the things
Speaker:
that you can do or some of the things I think that you should do.
Speaker:
To basically wipe out about 90, 95% of the ransomware.
Speaker:
Right.
Speaker:
We, we talked about those things, those things that you should do.
Speaker:
We've moved on from the things that you kind of like have to do.
Speaker:
I mean, if you don't, if you don't have a patch management system, if you don't
Speaker:
have password management, if you don't, uh, you know, and if you don't Yeah.
Speaker:
If you don't have MFA, don't even talk to me.
Speaker:
If you don't have MFA and you get attacked.
Speaker:
It's just, it's like you're killing me.
Speaker:
Right?
Speaker:
Um, but we, we've moved on into things that you, you should do.
Speaker:
Right.
Speaker:
Um, and I do think that training of the, you know, the users in your environment,
Speaker:
not just the users, the admins as well, because we could be just as dumb as the,
Speaker:
the average, you know,
Speaker:
but, but let's be honest that probably 90% of cyber incidents
Speaker:
are probably from users.
Speaker:
Yes.
Speaker:
And as I often say, it is a weird thing that there's only
Speaker:
two industries in the world that refer to their customers as users,
Speaker:
Oh, Curtis,
Speaker:
us and the drug dealers.
Speaker:
But anyway, um, a agreed right.
Speaker:
But having said that though, when the admins mess up.
Speaker:
it's a much bigger problem.
Speaker:
I, I I draw you to, wasn't it, was it, was it Okta?
Speaker:
Which one?
Speaker:
Which one was the event where It was a backup script that, where they had the,
Speaker:
the passwords hard coded in there and then the, the person was able to get in.
Speaker:
They got
Speaker:
That was, no, that was 1Password, right?
Speaker:
Or LastPass?
Speaker:
Was that, was that LastPass?
Speaker:
Mm-Hmm.
Speaker:
With the vaults?
Speaker:
Yeah.
Speaker:
right.
Speaker:
Oh, right.
Speaker:
It was the vault.
Speaker:
Yeah.
Speaker:
So, so what I was gonna say was it may be less often that an admin messes up,
Speaker:
but when an admin messes up, they really
Speaker:
mess up
Speaker:
especially with the exec.
Speaker:
Yeah.
Speaker:
Their privileges and.
Speaker:
Yeah.
Speaker:
Yeah, exactly.
Speaker:
Um, so any, any further overview thoughts before we sort of head down the, you know.
Speaker:
Uh, I think before we head down, I know most users hate.
Speaker:
Security awareness training, they probably are like, oh, why are we doing this?
Speaker:
And I can't blame them because for the most part, everything
Speaker:
is sort of very abstract, right?
Speaker:
It's like, oh, read.
Speaker:
It's almost like reading like contracts, right?
Speaker:
It's like, oh, read this, and it doesn't really seem applicable.
Speaker:
I would say the one thing is you need to keep the business safe
Speaker:
and the company safe, so everyone should be going through training.
Speaker:
Right.
Speaker:
And then the other thing is I think we'll talk about it as well.
Speaker:
There are more modern training techniques that can be used that doesn't
Speaker:
have to make it so boring for users.
Speaker:
Yeah, I, I'd say minimize the, minimize the boringness.
Speaker:
I don't know if that's a word.
Speaker:
Right.
Speaker:
Um, minimize the time, the level of effort needed for, you know, somebody to
Speaker:
go through their cybersecurity training.
Speaker:
Um, and, and, and we, I know we've talked about this before.
Speaker:
I'm a strong proponent of minimizing any or, or removing any, um,
Speaker:
penalties for, um, res, accidentally responding to a fake phishing attack.
Speaker:
Right?
Speaker:
or or a real phishing
Speaker:
attack, right?
Speaker:
So, yeah, so just, you know, fake or real phishing attack.
Speaker:
And, and why, why do I say that?
Speaker:
Besides, besides just morale?
Speaker:
Why, why do
Speaker:
I say that?
Speaker:
Because you want your users to step forward and say, Hey, I think I might
Speaker:
have done something I shouldn't have.
Speaker:
So then it can actually start figuring it out quickly.
Speaker:
Okay, what is our response?
Speaker:
Was it an issue?
Speaker:
And start logging things down rather than waiting till everything blows up.
Speaker:
Yeah.
Speaker:
And if you have a sort of a, a culture of fear,
Speaker:
uh, that isn't gonna happen, right?
Speaker:
So, um, so I, I, I'd say, um.
Speaker:
You know, the, the first thing is, is, is that I think that
Speaker:
we need to start with a policy.
Speaker:
We, we talk a lot in other, in other parts of the world, is that we have
Speaker:
to start with a policy that a lot of you, you, you know, you can't, you
Speaker:
can't get in trouble for breaking rules if the rules don't exist.
Speaker:
Right?
Speaker:
And, um, and not everybody is going to agree on what a cybersecurity policy is.
Speaker:
Or what should be in a cybersecurity, cybersecurity, policy?
Speaker:
Um, so I would think things like, um, two basic password management ideas of like
Speaker:
strength of passwords and, and frequency of changes and things like that would
Speaker:
be in a, in a, a cybersecurity policy.
Speaker:
I would think those would be sort of foremost.
Speaker:
What else do you think would be in there?
Speaker:
I think things around sort of use of devices or other things like that.
Speaker:
Potentially even, can I use external devices with my laptop?
Speaker:
Right.
Speaker:
Uh, other things include VPNs, right?
Speaker:
Secure communications.
Speaker:
Right, right.
Speaker:
Yeah.
Speaker:
You must use, when doing these things, you must be on the VPN, um, when
Speaker:
doing these things or when you know.
Speaker:
Um, perhaps you're a company, and again, this is a whole other
Speaker:
discussion point, but there is this concept of mobile device management,
Speaker:
right?
Speaker:
So it's very common these days for everybody to have a smartphone and then
Speaker:
your company wants to allow you to use your smartphone on the company network,
Speaker:
but they decide to do so via an MDM solution so that they can basically.
Speaker:
Create a VM within your phone that, that,
Speaker:
um, they can firewall off all the Yeah.
Speaker:
Sandbox.
Speaker:
Yeah.
Speaker:
That's a good, that's a better, they can create a sandbox within your
Speaker:
phone so that, um, number one, the corporate data doesn't get spread
Speaker:
out to the other parts of your phone.
Speaker:
And number two.
Speaker:
If and when you part ways, boom and uh, that, that stuff goes away, right?
Speaker:
So again, you, that starts with a policy of like, if you're using corporate, you
Speaker:
know, resources, you need to, you know, use our MDM solution, whatever it is.
Speaker:
If that's your policy, uh, can you think of anything else that you would
Speaker:
wanna put in a policy like that?
Speaker:
I got a good one.
Speaker:
Do what?
Speaker:
You have to go to training,
Speaker:
Oh yeah.
Speaker:
And it has to be within a certain amount of time.
Speaker:
Otherwise you lose access to resources.
Speaker:
Yeah.
Speaker:
Whatever you decided.
Speaker:
I, I would, I would suggest smaller increments of training or smaller,
Speaker:
smaller amounts of training over shorter, uh, periods of time.
Speaker:
Right.
Speaker:
Five, five minutes.
Speaker:
Five minutes a week, uh, 15 minutes a month, something like that.
Speaker:
Whatever it is, it's something, something that's, I, I think that, I think that the
Speaker:
frequency of cyber awareness training is possibly more important than the intensity
Speaker:
and the value.
Speaker:
Just continually reminding your, your users that, um, you know.
Speaker:
That there are bad people out there that are trying to steal everything we
Speaker:
have in in our company as we know it.
Speaker:
Yeah.
Speaker:
And also making it relevant to the current times.
Speaker:
For example, maybe with everyone working remote, it doesn't make sense
Speaker:
to talk about physical security.
Speaker:
Right?
Speaker:
Right.
Speaker:
And so talking about things like, Hey, maybe we should be
Speaker:
talking more and focusing more on phishing because everyone's
Speaker:
remote, or other aspects like that.
Speaker:
Right.
Speaker:
What, what sort of goes into the next, uh, thing was that, that if you're,
Speaker:
you're going to be doing cyber awareness training, or I'm sorry, if you're
Speaker:
going to be doing security awareness training, you, you wanna make sure
Speaker:
that it relates to the people that are, you know, that work for you.
Speaker:
And if, like you said, if it's a, if it's a hundred percent remote workforce, you
Speaker:
don't necessarily wanna focus so much on, well, so let me, let me argue with you.
Speaker:
You wanna focus on one element to physical security.
Speaker:
What would that be?
Speaker:
Uh, watching people looking over your shoulder at your laptop screen.
Speaker:
Uh, no, you're a remote.
Speaker:
You're a remote.
Speaker:
Well, okay.
Speaker:
Yeah.
Speaker:
I guess if you're a Starbucks.
Speaker:
If you're at a
Speaker:
Starbucks, yes.
Speaker:
Physical security of your
Speaker:
physical?
Speaker:
Yeah.
Speaker:
Physical security of your devices.
Speaker:
Right?
Speaker:
Uh, a surprising number.
Speaker:
I saw a statistic.
Speaker:
Just a little while ago as I was researching for this episode,
Speaker:
a surprising, a significantly high percentage of, of, um, uh,
Speaker:
breaches are due to stolen devices.
Speaker:
Um,
Speaker:
I remember a prior employer, I'm not gonna say which one.
Speaker:
Um, they had their payroll stuff on a laptop in an employee's
Speaker:
car, and they lost the laptop.
Speaker:
Yeah, that was not good.
Speaker:
Oopsies.
Speaker:
Yeah.
Speaker:
And so, yeah, so by the way, back to the policy, right?
Speaker:
Um, policy, if you're going to use your device on our network, your
Speaker:
device needs to have a password.
Speaker:
You need device D step, you know, we suggest, we
Speaker:
strongly suggest the following security, uh, protocols on your Yeah, yeah, yeah.
Speaker:
A full device, full disk encryption on a laptop is a very good idea.
Speaker:
Exactly.
Speaker:
Um, I was thinking more like a, like a smart device, right?
Speaker:
Because it,
Speaker:
it's very easy to configure your, to configure your smartphone
Speaker:
in a very insecure way.
Speaker:
And if that smartphone, especially if you're not forcing an MDM solution.
Speaker:
Right.
Speaker:
Like, like my, you know, right now if, if I, once I'm in my phone, there's
Speaker:
very little security inside, right?
Speaker:
Outlook's there.
Speaker:
I'm writing Outlook, right?
Speaker:
I click on Outlook and next thing I know I'm in OneDrive.
Speaker:
Right?
Speaker:
Um, so I, you know, I need to have strong security on the front end.
Speaker:
Um,
Speaker:
And most companies, right?
Speaker:
They'll say, Hey, if you want to use Outlook or whatever else, it requires
Speaker:
a six-digit device passcode, or something else like that, to protect the.
Speaker:
Right.
Speaker:
Right.
Speaker:
Um, so we talked about, um, we talked about doing regulars,
Speaker:
uh, security awareness training.
Speaker:
Um, how do, what kinds of things would you train the customers on?
Speaker:
Users.
Speaker:
Uh, so I would, so what sort of thing?
Speaker:
So I think the top thing to train them on is phishing.
Speaker:
I was gonna say that's the top six things to train them on.
Speaker:
It's true.
Speaker:
Yeah.
Speaker:
like the, it's like the three rules of real estate, right?
Speaker:
Uh,
Speaker:
location, location, location.
Speaker:
Yeah, exactly Right.
Speaker:
It's phishing, you know, phishing and password security.
Speaker:
Right?
Speaker:
Because, because I, I don't know if it's like 50 50.
Speaker:
But I, I actually think that stolen credentials is the most common.
Speaker:
Right.
Speaker:
Um, and then so, so
Speaker:
But,
Speaker:
phishing
Speaker:
Yeah, go ahead.
Speaker:
but I think stolen credentials,
Speaker:
you
Speaker:
usually from the end user.
Speaker:
well, it's
Speaker:
I didn't mean
Speaker:
to
Speaker:
finish your sentence.
Speaker:
no, no.
Speaker:
It's, it's probably not from the end user, but it's also that with password
Speaker:
policies requiring, sort of changing it periodically, having in place
Speaker:
certain criteria, I think it helps
Speaker:
reduce the risk of like credential stuffing for corporate end users.
Speaker:
I do agree for like admins and system level, like uh, root accounts and things
Speaker:
like that, you do need that ability.
Speaker:
I was thinking more phishing because it's harder to protect
Speaker:
against phishing, I would say, than the password management aspects.
Speaker:
Agreed.
Speaker:
Right.
Speaker:
Um, phishing is, you know, especially when we, when we look at
Speaker:
things like spear phishing, right.
Speaker:
Um, the, the thing about phishing, I think the, this is, this is what
Speaker:
I was referring to when I was saying that I think the frequency of the
Speaker:
training is even more important than the quality of the training.
Speaker:
Is that you, you just want to continually always in your head, every time you
Speaker:
look at, before you click on anything,
Speaker:
before you click on anything, right?
Speaker:
It doesn't matter who it's from even,
Speaker:
right?
Speaker:
Um, before you click on anything, you hover over that thing and then you see.
Speaker:
Now, as soon as I say that, by the way, there are attacks that, that, that
Speaker:
can actually do things When you hover.
Speaker:
Um, without even clicking on it, but, um, we gotta, we
Speaker:
gotta stop what we can stop,
Speaker:
Yeah, or asking yourself, is this something I expected?
Speaker:
right?
Speaker:
Is this something I expected?
Speaker:
Uh, does this URL match?
Speaker:
Is,
Speaker:
does it, does it have that sense of urgency?
Speaker:
That's the big one, right?
Speaker:
Is
Speaker:
it, does it have this sense of urgency?
Speaker:
Am I being, am I being asked to do something out of the norm?
Speaker:
I think that's a really big one.
Speaker:
Am I being asked to do something out of the norm?
Speaker:
And, and a great example of that, I, I don't remember which
Speaker:
of our previous experts came on.
Speaker:
Uh, and by the way, if you haven't listened a few, uh, at this
Speaker:
point, it's like four or five
Speaker:
episodes ago, uh, either the, the red team or the blue team, uh, folks, um,
Speaker:
that there, there was a story of the boss.
Speaker:
That sent, or the, the employee that got an email from allegedly,
Speaker:
uh, from the boss asking him to do a, a big transfer.
Speaker:
And, and it wasn't the boss.
Speaker:
Right.
Speaker:
And, um, the, and they didn't, they, they followed up.
Speaker:
They, they, they, they, they made sure that it was the, that it was the boss.
Speaker:
But they used the same channel
Speaker:
to reply.
Speaker:
Right.
Speaker:
They used email.
Speaker:
Uh, is this really you?
Speaker:
Yes.
Speaker:
It's really me.
Speaker:
Instead of like
Speaker:
going through some other channel.
Speaker:
Right.
Speaker:
yeah, and I know we're talking about phishing, but what's even scarier are some
Speaker:
of the deep fakes that are being used.
Speaker:
I don't know if you heard about someone who had created a video
Speaker:
conferencing meeting and pretended to be the CFO and asked for the funds
Speaker:
to be wired, and the person wired it and it was millions of dollars.
Speaker:
I think it was like $22 million or something.
Speaker:
Yeah, I do remember that one.
Speaker:
Yeah.
Speaker:
That's only gonna get more common.
Speaker:
Yeah,
Speaker:
so, and again, you establish policy, right?
Speaker:
We
Speaker:
don't do wire transfers except under these circumstances.
Speaker:
Um, and, um, you know,
Speaker:
Or verify through a alternate channel.
Speaker:
yeah.
Speaker:
Yeah.
Speaker:
Um, like, it's like, I would think that it would be perfectly reasonable
Speaker:
to establish a rule that says we never do wire transfers except
Speaker:
under these circumstances, right?
Speaker:
It's gonna be a, like, if we're not, if we're remote, it's more challenging.
Speaker:
The,
Speaker:
the more remote you are, the more hackable you are, but, but it would,
Speaker:
in many cases it would be very possible for, to say, we will never do a wire
Speaker:
transfer without a face-to-face meeting a
Speaker:
new wire transfer.
Speaker:
Right.
Speaker:
Um, and yeah, and, and, and you can establish things like a, a keyword, right?
Speaker:
Um, that that is basically a, you know, it's a, it's a,
Speaker:
it's a, it's a shared secret.
Speaker:
It's, it's, it's better.
Speaker:
It's, it falls into the better than nothing category.
Speaker:
Right.
Speaker:
Um, but that's something that we're gonna have to do in this world of
Speaker:
deep fakes where you, where you live, in a world where you can
Speaker:
definitely get a phone call at this
Speaker:
point, you can definitely get, I mean, you and me, our voices are out there.
Speaker:
There's plenty enough, uh, software that would, that would mimic our voices.
Speaker:
Um, and so there's that going on, right?
Speaker:
So you just, I think this is why we're, what we're talking about is
Speaker:
security awareness, making people aware that these things exist, making
Speaker:
people understand that just because you got a phone call from somebody
Speaker:
that sounds like your boss, doesn't mean that your boss is calling you.
Speaker:
It could very well be somebody sitting there typing at a keyboard
Speaker:
with
Speaker:
And generating the voice.
Speaker:
Based on what?
Speaker:
Yeah, I, I,
Speaker:
It's like all the TV shows used to be right.
Speaker:
it's like all the TV shows.
Speaker:
Yeah.
Speaker:
It's freaky, freaky geeky stuff.
Speaker:
Um, yeah, I think phishing, uh, yeah, phishing, like I said, phishing,
Speaker:
phishing, phishing, phishing.
Speaker:
Um, and, um, because that is going to be the number one way that I think a
Speaker:
typical attacker is going to get in.
Speaker:
And then you, you doubly train that with, for anyone with a, um, you
Speaker:
know, an elevated account, right.
Speaker:
I would also say another common thing, and I think that this
Speaker:
happened with OBS a while ago.
Speaker:
Right where someone hijacked Google search results.
Speaker:
So if you search for OBS, which is a piece of recording software, it
Speaker:
would actually give you a bad link, which would then download malware.
Speaker:
So make sure you train your users on how to use search results as well.
Speaker:
Don't always expect phishing to be via email, right?
Speaker:
Also, make sure that you are being responsible with results that come from
Speaker:
the web or any other untrusted source.
Speaker:
Right, exactly.
Speaker:
Um, so let's talk about some of the resources of, um, that we can use there.
Speaker:
There are a lot of resources online.
Speaker:
Uh, I mean, if you just type free security awareness training,
Speaker:
you will get a plethora.
Speaker:
of, you know, things, stuff from the FTC, uh, you know, there's
Speaker:
the Center for Internet Security.
Speaker:
The, uh, NIST,
Speaker:
uh, has a, has a list of a bunch of either free or on, uh, low cost training.
Speaker:
Um, you know, there's a bunch of things out there.
Speaker:
And then of course there's companies, uh, like the ones
Speaker:
that we talked about earlier.
Speaker:
You want to cover those?
Speaker:
Yeah, so there's companies that.
Speaker:
Do not only training, so videos and interactive things, but
Speaker:
also test you along the way.
Speaker:
So they generate fake phishing emails, testing your knowledge, and are like, Hey,
Speaker:
can you identify a phishing attack or not?
Speaker:
Because they'd rather have you fail that and do additional training
Speaker:
rather than having you actually click a real phishing email.
Speaker:
So there are companies like KnowBe4, there's also Hoxhunt, right?
Speaker:
So there are a bunch of these that are are out there, which are used for both
Speaker:
the training as well as the ongoing real world scenario stuff as well.
Speaker:
Yeah.
Speaker:
And, and, and I like that.
Speaker:
I like the idea of, of ongoing, uh, training and ongoing testing.
Speaker:
And again, I'm gonna reiterate this, it's ongoing testing without penalty,
Speaker:
right?
Speaker:
You re you do the opposite.
Speaker:
It's, it's
Speaker:
There's no scarlet letter on you.
Speaker:
There's no scar.
Speaker:
That's a big C for click.
Speaker:
I clicked, I clicked on the thing I was supposed to click on.
Speaker:
Um, you, you reward the people who report that.
Speaker:
That's how you can really do it, right.
Speaker:
Honestly, a monetary award.
Speaker:
Maybe if it's not monetary, maybe it's a best phisher finder
Speaker:
of the month, you know, the PFM, phishing finder of the month, right?
Speaker:
Recognize people who consistently recognize phishing attacks and then report
Speaker:
them to the appropriate authorities.
Speaker:
Right.
Speaker:
Don't do the opposite.
Speaker:
I, I'm thinking all the way back to, um, there was this, my first.
Speaker:
The company, I can bag on 'em.
Speaker:
'cause they, they, they don't exist anymore as a company.
Speaker:
This was MBNA.
Speaker:
A few of you listening, listening I know actually know me from my MBNA
Speaker:
days, which was, you know, entire
Speaker:
Long time ago.
Speaker:
Yeah.
Speaker:
long time ago.
Speaker:
And we, um, I was in the IT department and when you're in the
Speaker:
IT department, you were actually, uh, the only way they could pay you
Speaker:
good enough was they made you an officer at the bank, and when they made you an
Speaker:
officer at the bank, you were subject to this monthly thing that we had to do,
Speaker:
which was, um, you had to do, um, you had to sit on the phones for customer
Speaker:
support for four hours a month and answer.
Speaker:
We were credit card company answer tech support calls from
Speaker:
regular Joe with a credit card.
Speaker:
They're standing at a street corner.
Speaker:
Can't figure out how to make a, make a credit card purchase.
Speaker:
Right.
Speaker:
And it was, that was an amazing, like an amazing decision.
Speaker:
Um, there, there were a couple things they did that were, were really good
Speaker:
and take from this what you want.
Speaker:
And then I'll tell, I'll tell you the part that was really bad.
Speaker:
One is, it was an amazing way to connect all management.
Speaker:
All upper level employees with the customer.
Speaker:
Their phrase was, think of yourself as a customer.
Speaker:
Um, and, um, the, so, so that was great.
Speaker:
This other thing that they did was they evaluated every department.
Speaker:
They, they created standards for every department, and they were
Speaker:
metrics that you, that, that were followed and calculated and.
Speaker:
They then put a batch of money into, uh, they put, they put money
Speaker:
into a fund that got paid out as a bonus at the end of every
Speaker:
quarter.
Speaker:
And the amount of money that got put in for your department, it was a, it was a
Speaker:
bonus for everybody, but every department contributed to the, to the budget based on
Speaker:
how well they met their metric of the month.
Speaker:
Hmm.
Speaker:
for example, I was IT, ours was uptime, right?
Speaker:
And so as long as we were a hundred percent uptime, everything's fine.
Speaker:
But if we had downtime and then we were like, you know, 97% for
Speaker:
the month, everybody hates us.
Speaker:
Because, because, you
Speaker:
know, they're losing money.
Speaker:
Yeah, yeah.
Speaker:
Uh, so that I thought was actually a, you know, it was a little bit of, a
Speaker:
lot of carrot, a little bit of stick.
Speaker:
But here's the thing that they did that was absolutely horrible.
Speaker:
If you, um, if you got behind on your, um, your, it was called TACS duty.
Speaker:
I don't know, Telephone Access Customer Support, TACS, "tax."
Speaker:
If you got behind on your TACS duty, you went on a spreadsheet, you, you, an email
Speaker:
would come out if you were a habitual.
Speaker:
Uh, and I'm likening this to the cybersecurity training
Speaker:
if you were a habitual,
Speaker:
um.
Speaker:
Delinquent.
Speaker:
Delinquent.
Speaker:
Exactly.
Speaker:
There was this fishbowl that everybody walked down.
Speaker:
There's a hall and a long glass thing, and that's where
Speaker:
the, the the, you know, the
Speaker:
customer support people sat, they would, those who were habitual TACS delinquents
Speaker:
were made to wear, uh, dunce caps, right?
Speaker:
Big tall
Speaker:
Oh no.
Speaker:
They were, they were.
Speaker:
And it put TACS Ds on the, on the, on the dunce cap.
Speaker:
And then you had to sit there and make up your time.
Speaker:
By the way, it was like taxes, you know, TACS, death and taxes, it was
Speaker:
like that.
Speaker:
You never got behind.
Speaker:
If you got behind.
Speaker:
You pretty much worked for the customer support department until you were.
Speaker:
You know, caught
Speaker:
up.
Speaker:
It was much more, much more stick than carrot.
Speaker:
That's not what we want here, right?
Speaker:
We don't want to be hanging out.
Speaker:
We don't want to have a list of the top four bad clickers of the week.
Speaker:
We don't want that.
Speaker:
We don't want people getting yelled at by their bosses because they clicked.
Speaker:
Now obviously if you're, you are a continual bad clicker,
Speaker:
you just can't seem to get it.
Speaker:
Yeah, perhaps you need some additional training, and if not,
Speaker:
then you, you know, that person needs to just honestly be let go.
Speaker:
Right.
Speaker:
But, but the average everyday person that occasionally clicks on a bad link,
Speaker:
um, it does not need to be reprimanded.
Speaker:
Right.
Speaker:
Um, they need to be rewarded when they don't.
Speaker:
Uh, and when they, when they, when they correctly identify
Speaker:
something as phishing, I.
Speaker:
And I feel really strongly about that because, because, because of what you
Speaker:
said earlier, what you want is you want that person to, um, when they screw up
Speaker:
for real, you want them to immediately contact you: "I think I just clicked on a bad
Speaker:
link."
Speaker:
And to have you and to, and to have them hope.
Speaker:
It was,
Speaker:
it was a fake bad link.
Speaker:
You're right, you're right.
Speaker:
It's a fake bad link.
Speaker:
You're okay.
Speaker:
Or if it's not a fake bad link, then let, let the cyber, let the cyber team
Speaker:
go to work on and look at whatever it is.
Speaker:
You just, you know, basically firewall off your, uh, you know, thing.
Speaker:
And I, I just, I got up on a soapbox there for a few minutes.
Speaker:
I
Speaker:
No, that's okay.
Speaker:
I know you feel strongly about this subject and I.
Speaker:
I think it's harder to get the average user to understand security, and so
Speaker:
if you keep beating them with the stick, they're not gonna be willing to
Speaker:
step up when things go wrong, right?
Speaker:
That's the wrong approach,
Speaker:
Agreed.
Speaker:
Agreed.
Speaker:
Yeah.
Speaker:
Um, go ahead.
Speaker:
One thing I did wanna talk about is, uh, I know we talked about policies earlier
Speaker:
for security, but I think another thing is making sure your policies, that
Speaker:
you're actually following the policies.
Speaker:
All.
Speaker:
Uh, sometimes you do have those policies like, hey, make sure you are rotating
Speaker:
passwords or other things, but don't exclude people from those because those
Speaker:
policies are created for a reason.
Speaker:
Uh, the reason I bring this up is, I don't know if you heard about this recent, uh,
Speaker:
healthcare hack that happened about, uh, in April, but there was a healthcare chain
Speaker:
in Pennsylvania that lost the records of something like a million patients.
Speaker:
And it turns out what ended up happening was their IT provider,
Speaker:
which they had outsourced to a Microsoft subsidiary, had fired an employee
Speaker:
and had not removed their access,
Speaker:
and so the employee then broke into this healthcare provider and stole
Speaker:
the records of a million patients.
Speaker:
Because they did not follow their
Speaker:
maybe we should add that to the list of like three things.
Speaker:
A, a departing employee,
Speaker:
Yeah.
Speaker:
uh, policy.
Speaker:
Yeah.
Speaker:
Yeah.
Speaker:
that is important, right?
Speaker:
And so you have to follow your
Speaker:
Yeah.
Speaker:
You know, it's funny, one of my favorite stories, and I know you,
Speaker:
you, I know you've heard me tell
Speaker:
because you've referenced it, was the bank that I worked for realizing that it
Speaker:
didn't have a departing employee policy.
Speaker:
Well, its, its departing employee policy was delete you outta the password file.
Speaker:
That that was, that was easy, right?
Speaker:
What it didn't have was it didn't have a policy of getting rid of that user's data.
Speaker:
Right.
Speaker:
And it was the, it was that step that caused all the, the thing which,
Speaker:
and for those that haven't heard it, a, a good friend of mine was hired
Speaker:
as a consultant and she was, she was, she was told go through the,
Speaker:
um, it was like /home1/Curtis.
Speaker:
Right.
Speaker:
And then look in the password file.
Speaker:
Is there a username?
Speaker:
You know, I'm at /home1/Curtis.
Speaker:
Is there a password named Curtis?
Speaker:
Great.
Speaker:
Go on to the next
Speaker:
directory.
Speaker:
But the problem was she didn't notice before she turned on her script
Speaker:
that it was /home1/a/Aaron, /home1/b/Billy.
Speaker:
And so she went, she just followed her way down and she'd go /home1/a.
Speaker:
Is there a username?
Speaker:
"a"? No.
Speaker:
Okay.
Speaker:
Delete the
Speaker:
directory A.
Speaker:
yeah.
Speaker:
Which deleted all
Speaker:
a policy.
Speaker:
Have, automate the policy as much as you can, test that
Speaker:
automation to make sure that it
Speaker:
doesn't doesn't go kill people.
Speaker:
Um,
Speaker:
then have auditing.
Speaker:
And then have auditing.
Speaker:
Exactly.
Speaker:
Um, and I'm gonna say finally is, is, is, you know, we, you know, we talked about
Speaker:
how to, how to spot phishing, but just in general, if you can have your users.
Speaker:
Just be aware of what suspicious activity might be.
Speaker:
Not just phishing, but things like new apps popping up that
Speaker:
you've never seen before, right?
Speaker:
New popups popping up.
Speaker:
Your machine makes weird noises or sounds or behaves differently.
Speaker:
When you shut it
Speaker:
Camera turns off, or turns on randomly, or the
Speaker:
turns on automatically, right?
Speaker:
Absolutely terrifying for many people, right?
Speaker:
Um, and, uh, yeah.
Speaker:
Or did you lose control?
Speaker:
Of the mouse or the keyboard, or did, did you?
Speaker:
You know, I think I saw my mouse moving around without
Speaker:
it's possessed.
Speaker:
It's possessed.
Speaker:
I came into work and my screensaver was off.
Speaker:
It, you know, it's early morning in my house.
Speaker:
My laptop was, you know, uh, supposedly asleep for the night and I came
Speaker:
and my, my screensaver was not off. Train them to look for weird things.
Speaker:
I think, I think, uh, you know, you've met my wife now.
Speaker:
I think I've met, I think I've successfully trained her to
Speaker:
spot things like that because
Speaker:
she will definitely call me up.
Speaker:
Right.
Speaker:
And go, I, this, this thing is doing this thing thing.
Speaker:
Is this okay?
Speaker:
And I'm like, yeah, it's okay.
Speaker:
Uh, today, uh, it's funny today she just sent me a text just a couple hours ago
Speaker:
and she said, Hey, I got a text and it said, Hey, um, you know, da da da da.
Speaker:
So it was one of the sell your home things,
Speaker:
right?
Speaker:
And said, at what price?
Speaker:
Uh.
Speaker:
Would you be comfortable selling your home?
Speaker:
And and she said, so what should we say?
Speaker:
10 million?
Speaker:
I'm like, yeah, 10 million, 10 million's.
Speaker:
Good.
Speaker:
If somebody wants to pay 10 million for the house, uh, that'll be enough for me.
Speaker:
Yeah.
Speaker:
Yeah.
Speaker:
But more than anything, like you said, it's just getting them
Speaker:
used to seeing what's different.
Speaker:
And it's okay.
Speaker:
Like I do the same thing with my dad.
Speaker:
He'll be like, Hey, is this email legit?
Speaker:
And I'm like, no, it's spam.
Speaker:
But I'm okay with the fact that he's asking, is this okay or not, rather than
Speaker:
just trying to figure it out on his own.
Speaker:
Yeah, exactly.
Speaker:
And the ones that I think get untrained users are the
Speaker:
ones that sound really scary.
Speaker:
Right.
Speaker:
The ones where it's like, you know, we're about to shut off your water.
Speaker:
We're, you know, we're gonna, we're gonna,
Speaker:
You have a warrant out for your arrest?
Speaker:
Yeah.
Speaker:
You have a warrant out for your arrest.
Speaker:
Exactly.
Speaker:
All that scary stuff, they fall for that stuff.
Speaker:
And it's like, that's not how the IRS works, man.
Speaker:
Um, if the IRS wants you, like that, the IRS has shown up at your door, that's all
Speaker:
I'm saying.
Speaker:
The IRS knows where you're at.
Speaker:
Yeah.
Speaker:
Uh, if there's one, if there's one group of, there's one group of people
Speaker:
that I got to be a little too familiar with, it was the IRS, the IRS.
Speaker:
Trust me, the IRS knows exactly where you are.
Speaker:
Doesn't need to send you an email.
Speaker:
Uh, any final thoughts on security awareness training?
Speaker:
No, I think, like you said, have a policy.
Speaker:
Do training for users, including ongoing training, and don't penalize users either
Speaker:
for doing the wrong thing or if it's a real or a fake, uh, phishing attack.
Speaker:
Yeah,
Speaker:
and just one other final thought on that, by the way, also.
Speaker:
Don't have them be one of these really cruel ones that you hear about.
Speaker:
We had, we had one, the, the one where the guy's wife got a thing
Speaker:
that said, um, it was the, it was like on Valentine's Day and
Speaker:
everybody got a thing that said that there were flowers downstairs for them.
Speaker:
Um, and she immediately, no.
Speaker:
It was, they said it was, um, edible, an Edible
Speaker:
Arrangement, and that they just needed to click here to, to verify their, whatever.
Speaker:
And, and he's like, my wife knew there was no way I'm spending a
Speaker:
hundred dollars on, on a little thing.
Speaker:
He is like, there were two reasons why she knew it was, was, uh, phishing, right?
Speaker:
Uh, and one of them was that, but don't do that.
Speaker:
Don't be that company
Speaker:
that you know,
Speaker:
that I remember what he.
Speaker:
I remember what he said was, uh, for, for just a moment, everybody in that
Speaker:
company thought that someone loved them.
Speaker:
Don't be that person.
Speaker:
Oh yeah.
Speaker:
Don't be cruel.
Speaker:
To... don't be cruel to a heart.
Speaker:
That's true.
Speaker:
Okay.
Speaker:
That's Elvis Presley.
Speaker:
Really nothing.
Speaker:
Got nothing, nothing.
Speaker:
be cruel to a heart.
Speaker:
That's true.
Speaker:
It's your employee that loves you very much.
Speaker:
Well, maybe a little bit. Don't be mean to them.
Speaker:
That's all I'm saying.
Speaker:
Well, thanks for having a chat about security awareness training, my friend.
Speaker:
No, this was fun, and I do miss the brisket.
Speaker:
Uh, there's, there's still some in the fridge.
Speaker:
Can you sort of send it this way virtually?
Speaker:
I'll, I'll, I'll fax you a picture.
Speaker:
All right.
Speaker:
Uh, thanks for, uh, listening again, folks, and again, please, please click,
Speaker:
uh, follow or subscribe so that you will have us with you at all times.
Speaker:
That is a wrap.